Resolved issues

The following issues have been fixed in version 6.4.5. To inquire about a particular bug, please contact Customer Service & Support.

Anti Virus

Bug ID  Description
524571  Quarantined files cannot be fetched in the AV log page if the file was already quarantined under another protocol.

Application Control

Bug ID  Description
576727  Unknown Applications category is not present in NGFW policy-based mode.

DNS Filter

Bug ID  Description
674302  Do not send FortiGate generated DNS response if no server response was received and redirect DNS queries time out.

Explicit Proxy

Bug ID  Description
642196  Web proxy forwarding server health check does not send user name and password.
664380  When configuring explicit proxy with a forward server, if ssl-ssh-profile is enabled in the proxy-policy, WAD is unable to correctly learn the destination type, so the destination port is set to 0; the squid proxy server does not accept the request and returns an error.

Firewall

Bug ID  Description
661014  FortiCarrier has GTP dropped packet log after configuring GTP allow list.
663062  Sessions are marked dirty when IPsec dialup client connects/disconnects and policy routes are used.
665964  In NAT64 scenario, ICMPv6 Packet too big message translated to ICMPv4 does not set the MTU/DF bit correctly.
667772  When NGFW mode is set to policy mode and a security policy is configured, the Quard daemon should start when either an anti-virus, web filter, application, IPS, or DLP profile is enabled.
675353  Security policy (NGFW mode) flow-based UTM logs are still generated when policy traffic log is disabled.
675772  Virtual wire pair of mirror traffic on FortiOS 6.4 cannot detect IPS attacks because of failed anti-replay checks.
675823  In NGFW mode, traffic is not passing through zone members when intra-zone traffic is allowed.
678813  Cannot change the order of IPv4 access control list entries from FortiOS after upgrading from 6.4.1 to 6.4.3.
682956  ISDB is empty/crashes after upgrading from 6.2.4/6.2.5 to 6.2.6.
683604  When changing a policy and creating a firewall sniffer concurrently, traffic unrelated to the policy being changed matches the implicit deny policy. Some IPv4 firewall policies were missing after the change.

FortiView

Bug ID  Description
628225  FortiView Compromised Hosts dashboard cannot show data if FortiAnalyzer is configured using the FQDN address in the log setting. FortiAnalyzer configured with an IP address does not have this issue.
673225  FortiView Top Traffic Shaping widget does not show data for outbound traffic if the source interface's role is WAN. Data is displayed if the source interface's role is LAN, DMZ, or undefined.
673478  Some FortiView graphs and drilldown views show empty data due to a filtering issue. Affected graphs/views: Top System Events, Top Authentication Failures, Policy View, and Compromised Host View.
683413  Some FortiView pages/widgets fail to query data from FortiAnalyzer Cloud if the local FortiAnalyzer is not enabled. Affected pages/widgets: Compromised Hosts, FortiView Cloud Applications, FortiView VPN, FortiView Web Categories, Top Admin Logins, Top Endpoint Vulnerabilities, Top Failed Authentication, Top System Events, Top Threats, Top Threats - WAN, and Top Vulnerable Endpoint Devices.

GUI

Bug ID  Description
561420  On Traffic Shaping Policy list page, right-click option to show matching logs does not work.
589749  Incorrect error message on log settings page, "Connectivity issue, 0 logs queued", for FortiAnalyzer connection when the VDOM is in transparent mode with log setting override enabled.
592854  An address created by the VPN wizard cannot save changes due to an incorrect validation check for parentheses, (), in the Comments field.
602102  Warning message is not displayed when a user configures an interface with a static IP address that is already in use.
636208  On SD-WAN Rules page, the GUI does not indicate which outgoing interface is active. This is due to auto-discovery VPN routing changes.
652522  When performed from the primary FortiGate, using the GUI to change a firewall policy action from accept to deny does not disable the IP pool setting, causing the HA cluster to be out of sync. Updating the policy via the CLI does not have this issue.
654705  Aggregated IPsec VPN interface shows as down when each member tunnel has phase 1 and phase 2 names that differ from each other.
656668  On the System > HA page, GUI tooltip for the reserved management interface incorrectly shows the connecting IP address instead of the configured IP address.
659490  A remote certificate in VDOM mode that has no references cannot be deleted from the GUI. Removal is possible using the CLI.
662705  REST API, api/v2/monitor/firewall/internet-service-details, returns start_ip and end_ip in raw format instead of string format.
664007  GUI incorrectly displays the warning, "Botnet package update unavailable, AntiVirus subscription not found.", when the antivirus entitlement is expiring within 30 days. The actual Botnet package update still works within the active entitlement duration.
665111  There is no way to add a line break when using the GUI to edit the replacement message for pre_admin-disclaimer-text. One must use the CLI with the Shift + Enter keys to insert a line break.
665712  When multiple favorite menus are configured, the new features video pops up after each GUI login, even though the user previously selected Don't show again.
666999  When editing the Poll Active Directory Server page, the configured LDAP server saved in FSSO polling is not displayed. Users must use the CLI to modify the setting.
668470  FortiGuard DDNS setting incorrectly displays truncated unique location and empty server selection after saving changes.
670026  When editing a DoS policy, users were able to click OK twice as there was a small delay until the dialog was saved and closed. Clicking twice would cause unwanted changes to the policy. This has been corrected as Submit buttons are now disabled while a dialog is submitting. This fix covers all policy dialogs.
672599  After performing a search on firewall Addresses, the matched count over total count displayed for each address type shows an incorrect total count number. The search functionality still works correctly.
673496  When editing phase 2 configurations, clicking Complete Section results in a red highlight around the phase 2 configuration GUI box, and users cannot click OK to save configuration changes.
676165  Script pushed from FortiManager 6.4.2 to FortiOS 6.4.2 to add address objects and an address group only pushes the address group.
680805  The list of firewall schedules displays time based on the browser time, even though the global time preference is set to use the FortiGate system time. The Edit Schedule page does not have this issue.
682008  On the SSL-VPN Settings page, the option to send an SSL VPN configuration to a user for FortiClient provisioning does not support showing the domain name for the VPN gateway.
682077  Log viewer should use relative timestamps for dates less than seven days old.
682440  On Firewall Policy list, the tooltip for IP Pool incorrectly shows Port Block Allocation as being exhausted if there are expiring PBAs available to be reallocated.
684076  Erroneous duplication error displayed when creating a phase 2 with Named IPv6 Address set to all if there is already a phase 2 entry defined with Named IPv4 Address set to all. The CLI must be used for this configuration.
684904  When a FortiGate with VDOM and explicit proxy enabled has an access profile with packet capture set to none, administrators with this access profile are not able to create an explicit proxy policy.
688076  The Firewall Address and Service pages cannot load on a downstream FortiGate if Fabric Synchronization is enabled, but the downstream FortiGate cannot reach the root FortiGate.
688994  The Edit Web Filter Profile page incorrectly shows that a URL filter is configured (even though it is not) if the URL filter entry has the same name as the web filter profile in the CLI.
689605  On some browser versions, the GUI displays a blank dialog when creating custom application or IPS signatures. Affected browsers: Firefox 85.0, Microsoft Edge 88.0, and Chrome 88.0.

HA

Bug ID  Description
540600  The HA hello-holddown value is divided by 10 in the hatalk daemon, which makes the hello-holddown time 10 times less than the configuration.
670331  Management access not working in transparent mode cluster after upgrade.
675781  HA cluster goes out of sync with new custom DDNS entry, and changes with respect to the ddns-key value.
678309  Cluster is out of sync because of config vpn certificate ca after upgrade.
684051  IPv6 link local address is not generated in FGCP.

Intrusion Prevention

Bug ID  Description
654307  Incorrect direction and banned location by quarantine action for ICMP.Oversized.Packet signature in NGFW policy mode.
668631  IPS is constantly crashing, and ipshelper has high CPU when IPS extended database has too many rules (more than 256) sharing the same pattern. Affected models: SoC3-based FortiGates.

IPsec VPN

Bug ID  Description
642543  IPsec did not rekey when keylife expired after back-to-back HA failover.
652774  OCVPN spoke-to-spoke communication intermittently fails with mixed topology where some spokes have two ISPs and some have one, but the hubs have two.
655895  Unable to route traffic to a spoke VPN site from the hub FortiGate when the dialup IPsec VPN interface is dual stacked (IPv4/IPv6).
670025  IKEv2 fragmentation-mtu option is not respected when EAP is used for authentication.
675838  iked ignores phase 1 configuration changes due to frequent FortiExtender cmdb changes.
678166  TFTP upload not working when application control and ASIC offload are enabled.
678800  Kernel may crash on link event update with net-device enabled.
687749  iked HA sync crashed on secondary with authenticated user group in firewall policy. Affected models: all except NP7 platforms (FG-180xF, FG-260xF, FG-420xF, FG-440xF).

Log & Report

Bug ID  Description
650886  No log entry is generated for SSL VPN login attempts where two factor authentication challenge times out.
654363  Traffic log shows Policy violation for traffic hitting the allow policy in NGFW policy mode.
667274  FortiGate does not have log disk auto scan failure status log.
667950  IPS UTM log is missing msg= and attackcontext= TLV fields because the TLV buffer is full and not sent to miglogd.
675347  When searching for some rarely-found logs within a large volume of logs, there is a long period of time before the results are returned. During the waiting period, if any new requests arrive, the old search session cannot be cleared. There is then a risk that multiple processes exist together, which may cause performance issues.
682374  Traffic logs not forwarded correctly to syslog server in CEF format.

Proxy

Bug ID  Description
640488, 669736, 675480  When URLs for block/allow/external resource are processed, the system might enter conserve mode when external resources are very big.
658257  StartTLS-SMTP traffic gets blocked by the firewall when certificate inspection (proxy mode) and the IPS sensor are enabled in a policy.
664737  WAD crash with signal 11 (/bin/wad => wad_ui_diag_session_get).
675343  WAD crashes with transparent web proxy when connecting to a forward server.
675525  No WAD sessions displayed when running diagnose wad filter.
680651  Memory leak when retrieving the thumbnailPhoto information from the LDAP server.
681134  Proxy-based SSL certification inspection session hangs if the outbound probe connection has no routes.
682002  An incorrect teardown logic on the WAD SSL port causes memory leak.
688006  WAD user information daemon crashes on purging extra interfaces that exist in multiple VDOMs.
692462  Transparent proxy implicit deny policy is not blocking access.

REST API

Bug ID  Description
597707  REST API /api/v2/monitor/firewall/security-policy adds UUID data for security policy statistics.
658206  New REST API POST /api/v2/monitor/vpn/ike/clear?mkey=<gateway_name> will bring down IKE SAs tunnel the same way as diagnose vpn ike gateway clear.
663441  REST API unable to change status of interface when VDOMs are enabled.

Routing

Bug ID  Description
672061  In IPsec topology with hub and ~1000 spokes, hundreds of spoke tunnels are flapping, causing BGP instability for other spokes.
677928  SD-WAN with sit-tunnel as a member creates an unwanted default route.
680365  BGP is choosing local route that should have been removed from the BGP network table.
687034  bgpd memory leak if running BGP on 6.2.7 and 6.4.4.
692241  BGP daemon consumes high CPU in ADVPN setup when disconnecting after socket writing error.

Security Fabric

Bug ID  Description
650724  Invalid license data supplied by FortiGuard/FortiCare causes invalid warning in the Security Rating report.
673560  Compromised host automation stitch with IP ban action in multi-VDOM setup always bans the IP in the root VDOM.

SSL VPN

Bug ID  Description
598614  When a group and a user-peer is specified in an SSL VPN authentication rule, and the same group appears in multiple rules, each group and user-peer combination can be matched independently.
623379  Memory corruption in some DNS callback cases causes SSL VPN crash.
630068  When sslvpn SSH times out, a crash is observed when the SSH client is empty.
656557  The map on the http://www.op***.org website could not be shown in SSL VPN web mode.
663723  SSL VPN with user certificate and credential verification allows a user to connect with a certificate signed by a trusted CA that does not match the certificate chain of the configured CA in the user peer configuration.
666513  An internal web site via SSL VPN web mode, https://***.46.19.****:10443, is unable to open.
666855  FortiOS supports verifying client certificates with RSA-PSS series of signature algorithms, which causes problems with certain clients.
669506  SSL VPN web mode cannot load web page https://jira.ca.ob***.com properly based on Jira application.
669900  SSL VPN crash when updating the existing connection at the authentication stage.
673320  Pop-up window does not load correctly when accessing internal application at https://re***.wo***.nl using SSL VPN web mode.
674279  Customer cannot access SAP web GUI with SSL VPN bookmark.
675196  RTA login webpage is not displaying in SSL VPN web mode.
675901  Internal website https://po***.we***.ac.uk is not loading correctly with SSL VPN bookmark.
677256  Custom languages do not work in SSL VPN web portals.
677550  GUI issues on the internal Atlassian Jira web portal in SSL VPN web mode.
678130  Customer internal website, https://va***.do***.com:21108/mne, cannot be displayed correctly in SSL VPN web mode.
678132  SSL VPN web portal SSO credentials for alternative option are not working.
678450  Unable to view the management GUI of PaloAlto running on 8.1.16 in SSL VPN web mode.
681626  Internal Gridbees portal does not display in SSL VPN web mode.
684012  SSL VPN crashed with signal 11 (segmentation fault) in uri_search because of rules set for a special case.
685269  SSL VPN web mode is not working properly for aw***.co***.com website.
685854  After SSL VPN proxy rewrite, some Salto JS files could not run.

Switch Controller

Bug ID  Description
686031  LLDP updates from FortiSwitch can cause flcfgd to leak memory.

System

Bug ID  Description
598464  Rebooting FG-1500D in 5.6.x during upgrade causes an L2 loop on the heartbeat interface and VLAN is disabled on the switch side.
628642  Issue when packets from the same session are forwarded to each LACP member when NPx offloading is enabled.
648083  cmdbsvr may crash with signal 11 (segmentation fault) when frequently changing firewall policies.
649937  The diagnose geoip geoip-query command fails when fortiguard-anycast is disabled.
651103  FG-101F crashed and rebooted when adding vlan-protocol 8021ad VLAN.
654131  No statistics for TX and RX counters for VLAN interfaces.
665332  When VDOM has large number of VIPs and policies, any firewall policy change causes cmdbsvr to be too busy and consume high CPU.
665550  Fragmented UDP traffic does not assemble on the FortiGate and does not forward out.
667722  VLAN interface created on top of a 10 GB interface is not showing the actual TX/RX counters.
667962  httpsd crashed and *** signal 6 (Aborted) received *** appears when loading configurations through REST API with interactions.
669914  No statistics for TX and RX counters for VLAN interfaces.
669951  confsyncd may crash when there is an error parsing through the internet service database, but no error is returned.
670897  Update GTP code to be compatible with newer versions (GTPv1 and GTPv2).
670962  Packet loss occurs when traffic flow between VLAN interfaces is created under 10G LACP link.
671643  NTurbo does not work when enabled in IPsec tunnel or with session helper.
673609  The auto-join FortiCloud re-try timer 600 second value is too large.
675171  L2TP with status set to enable should be configured before EIP and SIP.
675508  When provisioning a FortiGate and FortiSwitch with enforced firmware version 6.4.2 in FortiManager, the physical port for FortiLink is down and cannot connect to FortiSwitch.
679114  DHCP discover request is wrongly forwarded to all IPsec VPN interfaces when tunnel flipping occurs.
687519  Bulk changes through the CLI are very slow with 24000 existing policies.
695252  FortiExtender VLAN interface cannot get updated LTE IP.

User & Authentication

Bug ID  Description
658228  The authd and foauthd processes may crash due to crypto functions being set twice.
666857  LDAP connectivity delays in transparent mode VDOM.
667025  FortiGate does not send LLDP PDU when it receives LLDP packets from VoIP phones.
664123  Log enrichment for source and destination IP with RSSO user information in logs is not working properly for IPv4 with framed route attribute in RADIUS accounting.
675226  The ssl-ocsp-source-ip setting is not configurable in non-management VDOMs.
675539  FSSO collector status is down, despite being reported as connected by authd in a multi-VDOM environment.
682966  FortiGate is unable to parse IPv6 RADIUS accounting packet (Parse error: IP6 Prefix).

VM

Bug ID  Description
620654  Spoke dialup IPsec VPN does not initiate connection to hub after FG-VM HA failover in Azure.
646161  FG-VM8 does not recognize all memory allocated in Hyper-V.
669722  Unable to import more than 50 groups from NSX-T SDN connector.
672509  OCI HA unable to handle cross-compartment failover.
682260  After enabling DPDK, the FG-VM license becomes invalid. After rebooting, the license becomes valid again.
682420  Dialup IPsec tunnel from Azure may not be re-established after HA failover.
682561  get system status output can be stuck getting the instance ID.
689307  HA secondary VMSL license is invalid after reboot.
690863  EIP is not updating properly with execute update-eip command in Azure with standard SKU public IP in some Canadian regions, like CanadaCentral and CanadaEast.

Web Filter

Bug ID  Description
668325  A hanging FortiGuard connection is not torn down in some situations.
669018  Change URL re-evaluation link on web filter block pages to HTTPS.
675436  YouTube channel home page on blocklist is not blocked when directed from a YouTube search result.
676403  Replacement message pictures (FortiGuard web filter) are not displayed in Chrome.
678467  Safe search URL option is not working while the original query in Google Images has the same parameter name.

WiFi Controller

Bug ID  Description
620764  AP country and region settings are not updating as expected.
625630  FWF-60E hangs with looping kernel panic at WiFi driver.
672136  Log severity for wireless events in FortiWiFi and FortiAP should be reconsidered for CAPWAP teardown.
676640  cw_acd crash with *** signal 8 (Floating point exception) received *** after upgrading to 6.4.3.

Resolved issues

The following issues have been fixed in version 6.4.5. To inquire about a particular bug, please contact Customer Service & Support.

Anti Virus

Bug ID

Description

524571

Quarantined files cannot be fetched in the AV log page if the file was already quarantined under another protocol.

Application Control

Bug ID

Description

576727

Unknown Applications category is not present in NGFW policy-based mode.

DNS Filter

Bug ID

Description

674302

Do not send FortiGate generated DNS response if no server response was received and redirect DNS queries time out.

Explicit Proxy

Bug ID

Description

642196

Web proxy forwarding server health check does not send user name and password.

664380

When configuring explicit proxy with forward server, if ssl-ssh-profile is enabled in proxy-policy, WAD is unable to correctly learn the destination type correctly, so the destination port is set to 0, but the squid proxy server does not accept the request and returns an error.

Firewall

Bug ID

Description

661014

FortiCarrier has GTP dropped packet log after configuring GTP allow list.

663062

Sessions are marked dirty when IPsec dialup client connects/disconnects and policy routes are used.

665964

In NAT64 scenario, ICMPv6 Packet too big message translated to ICMPv4 does not set the MTU/DF bit correctly.

667772

When NGFW mode is set to policy mode and a security policy is configured, the Quard daemon should start when either an anti-virus, web filter, application, IPS, or DLP profile is enabled.

675353

Security policy (NGFW mode) flow-based UTM logs are still generated when policy traffic log is disabled.

675772

Virtual wire pair of mirror traffic on FortiOS 6.4 cannot detect IPS attacks because of failed anti-replay checks.

675823

In NGFW mode, traffic is not passing through zone members when intra-zone traffic is allowed.

678813

Cannot change the order of IPv4 access control list entries from FortiOS after upgrading from 6.4.1. to 6.4.3.

682956

ISDB is empty/crashes after upgrading from 6.2.4/6.2.5 to 6.2.6.

683604

When changing a policy and creating a firewall sniffer concurrently, there is traffic that is unrelated to the policy that is being changed and matching the implicit deny policy. Some IPv4 firewall policies were missing after the change.

FortiView

Bug ID

Description

628225

FortiView Compromised Hosts dashboard cannot show data if FortiAnalyzer is configured using the FQDN address in the log setting. FortiAnalyzer configured with an IP address does not have this issue.

673225

FortiView Top Traffic Shaping widget does not show data for outbound traffic if the source interface's role is WAN. Data is displayed if the source interface's role is LAN, DMZ, or undefined.

673478

Some FortiView graphs and drilldown views show empty data due to filtering issue. Affected graphs/views: Top System Events, Top Authentication Failures, Policy View, and Compromised Host View.

683413

Some FortiView pages/widgets fail to query data from FortiAnalyzer Cloud if the local FortiAnalyzer is not enabled.

Affected pages/widgets: Compromised Hosts, FortiView Cloud Applications, FortiView VPN, FortiView Web Categories, Top Admin Logins, Top Endpoint Vulnerabilities, Top Failed Authentication, Top System Events, Top Threats, Top Threats - WAN, and Top Vulnerable Endpoint Devices.

GUI

Bug ID

Description

561420

On Traffic Shaping Policy list page, right-click option to show matching logs does not work.

589749

Incorrect error message on log settings page, Connectivity issue, 0 logs queued, for FortiAnalyzer connection when the VDOM is in transparent mode with log setting override enabled.

592854

An address created by the VPN wizard cannot save changes due to an incorrect validation check for parentheses, (), in the Comments field.

602102

Warning message is not displayed when a user configures an interface with a static IP address that is already in use.

636208

On SD-WAN Rules page, the GUI does not indicate which outgoing interface is active. This is due to auto-discovery VPN routing changes.

652522

When performed from the primary FortiGate, using the GUI to change a firewall policy action from accept to deny does not disable the IP pool setting, causing the HA cluster to be out of sync. Updating the policy via the CLI does not have this issue.

654705

Aggregated IPsec VPN interface shows as down when each member tunnel has phase 1 and phase 2 names that differ from each other.

656668

On the System > HA page, GUI tooltip for the reserved management interface incorrectly shows the connecting IP address instead of the configured IP address.

659490

A remote certificate in VDOM mode that has no references cannot be deleted from the GUI. Removal is possible using the CLI.

662705

REST API, api/v2/monitor/firewall/internet-service-details, returns start_ip and end_ip in raw format instead of string format.

664007

GUI incorrectly displays the warning, Botnet package update unavailable, AntiVirus subscription not found., when the antivirus entitlement is expiring within 30 days. The actual Botnet package update still works within the active entitlement duration.

665111

There is no way to add a line break when using the GUI to edit the replacement message for pre_admin-disclaimer-text. One must use the CLI with the Shift + Enter keys to insert a line break.

665712

When multiple favorite menus are configured, the new features video pops up after each GUI login, even though user previously selected Don't show again.

666999

When editing the Poll Active Directory Server page, the configured LDAP server saved in FSSO polling is not displayed. Users must use the CLI to modify the setting.

668470

FortiGuard DDNS setting incorrectly displays truncated unique location and empty server selection after saving changes.

670026

When editing a DoS policy, users were able to click OK twice as there was a small delay until the dialog was saved and closed. Clicking twice would cause unwanted changes to the policy. This has been corrected as Submit buttons are now disabled while a dialog is submitting. This fix covers all policy dialogs.

672599

After performing a search on firewall Addresses, the matched count over total count displayed for each address type shows an incorrect total count number. The search functionality still works correctly.

673496

When editing phase 2 configurations, clicking Complete Section results in a red highlight around the phase 2 configuration GUI box, and users cannot click OK to save configuration changes.

676165

Script pushed from FortiManager 6.4.2 to FortiOS 6.4.2 to add address objects and an address group only pushes the address group.

680805

The list of firewall schedules displays time based on the browser time, even though the global time preference is set to use the FortiGate system time. The Edit Schedule page does not have this issue.

682008

On the SSL-VPN Settings page, the option to send an SSL VPN configuration to a user for FortiClient provisioning does not support showing domain name for VPN gateway.

682077

Log viewer should use relative timestamps for dates less than seven days old.

682440

On Firewall Policy list, the tooltip for IP Pool incorrectly shows Port Block Allocation as being exhausted if there are expiring PBAs available to be reallocated.

684076

Erroneous duplication error displayed when creating a phase 2 with Named IPv6 Address set to all if there is already a phase 2 entry defined with Named IPv4 Address set to all. The CLI must be used for this configuration.

684904

When a FortiGate with VDOM and explicit proxy enabled has an access profile with packet capture set to none, administrators with this access profile are not able to create an explicit proxy policy.

688076

The Firewall Address and Service pages cannot load on a downstream FortiGate if Fabric Synchronization is enabled, but the downstream FortiGate cannot reach the root FortiGate.

688994

The Edit Web Filter Profile page incorrectly shows that a URL filter is configured (even though it is not) if the URL filter entry has the same name as the web filter profile in the CLI.

689605

On some browser versions, the GUI displays a blank dialog when creating custom application or IPS signatures. Affected browsers: Firefox 85.0, Microsoft Edge 88.0, and Chrome 88.0.

HA

Bug ID

Description

540600

The HA hello-holddown value is divided by 10 in the hatalk daemon, which makes the hello-holddown time 10 times less than the configuration.

670331

Management access not working in transparent mode cluster after upgrade.

675781

HA cluster goes out of sync with new custom DDNS entry, and changes with respect to the ddns-key value.

678309

Cluster is out of sync because of config vpn certificate ca after upgrade.

684051

IPv6 link local address is not generated in FGCP.

Intrusion Prevention

Bug ID

Description

654307

Incorrect direction and banned location by quarantine action for ICMP.Oversized.Packet signature in NGFW policy mode.

668631

IPS is constantly crashing, and ipshelper has high CPU when IPS extended database has too many rules (more than 256) sharing the same pattern. Affected models: SoC3-based FortiGates.

IPsec VPN

Bug ID

Description

642543

IPsec did not rekey when keylife expired after back-to-back HA failover.

652774

OCVPN spoke-to-spoke communication intermittently fails with mixed topology where some spokes have two ISPs and some have one, but the hubs have two.

655895

Unable to route traffic to a spoke VPN site from the hub FortiGate when the dialup IPsec VPN interface is dual stacked (IPv4/IPv6).

670025

IKEv2 fragmentation-mtu option is not respected when EAP is used for authentication.

675838

iked ignores phase 1 configuration changes due to frequent FortiExtender cmdb changes.

678166

TFTP upload not working when application control and ASIC offload are enabled.

678800

Kernel may crash on link event update with net-device enabled.

687749

iked HA sync crashed on secondary with authenticated user group in firewall policy. Affected models: all except NP7 platforms (FG-180xF, FG-260xF, FG-420xF, FG-440xF).

Log & Report

Bug ID

Description

650886

No log entry is generated for SSL VPN login attempts where two factor authentication challenge times out.

654363

Traffic log shows Policy violation for traffic hitting the allow policy in NGFW policy mode.

667274

FortiGate does not have log disk auto scan failure status log.

667950

IPS UTM log is missing msg= and attackcontext= TLV fields because the TLV buffer is full and not sent to miglogd.

675347

When searching for some rarely-found logs within a large volume of logs, there is a long period of time before the results are returned. During the waiting period, if any new requests arrive, the old search session cannot be cleared. There is then a risk that multiple processes exist together, which may cause performance issues.

682374

Traffic logs not forwarded correctly to syslog server in CEF format.

Proxy

Bug ID

Description

640488, 669736, 675480

When URLs for block/allow/external resource are processed, the system might enter conserve mode when external resources are very big.

658257

StartTLS-SMTP traffic gets blocked by the firewall when certificate inspection (proxy mode) and the IPS sensor are enabled in a policy.

664737

WAD crash with signal 11 (/bin/wad => wad_ui_diag_session_get).

675343

WAD crashes with transparent web proxy when connecting to a forward server.

675525

No WAD sessions displayed when running diagnose wad filter.

680651

Memory leak when retrieving the thumbnailPhoto information from the LDAP server.

681134

Proxy-based SSL certificate inspection session hangs if the outbound probe connection has no routes.

682002

Incorrect teardown logic on the WAD SSL port causes a memory leak.

688006

WAD user information daemon crashes on purging extra interfaces that exist in multiple VDOMs.

692462

Transparent proxy implicit deny policy is not blocking access.

REST API

Bug ID

Description

597707

REST API /api/v2/monitor/firewall/security-policy adds UUID data for security policy statistics.

658206

New REST API POST /api/v2/monitor/vpn/ike/clear?mkey=<gateway_name> brings down the IKE SA tunnel the same way as diagnose vpn ike gateway clear.

663441

REST API is unable to change the status of an interface when VDOMs are enabled.

Routing

Bug ID

Description

672061

In IPsec topology with hub and ~1000 spokes, hundreds of spoke tunnels are flapping, causing BGP instability for other spokes.

677928

SD-WAN with sit-tunnel as a member creates an unwanted default route.

680365

BGP is choosing a local route that should have been removed from the BGP network table.

687034

bgpd memory leak when running BGP on 6.2.7 and 6.4.4.

692241

BGP daemon consumes high CPU in ADVPN setup when disconnecting after socket writing error.

Security Fabric

Bug ID

Description

650724

Invalid license data supplied by FortiGuard/FortiCare causes invalid warning in the Security Rating report.

673560

Compromised host automation stitch with IP ban action in multi-VDOM setup always bans the IP in the root VDOM.

SSL VPN

Bug ID

Description

598614

When a group and a user-peer is specified in an SSL VPN authentication rule, and the same group appears in multiple rules, each group and user-peer combination can be matched independently.

623379

Memory corruption in some DNS callback cases causes SSL VPN crash.

630068

When the sslvpn SSH session times out, a crash is observed when the SSH client is empty.

656557

The map on the http://www.op***.org website could not be shown in SSL VPN web mode.

663723

SSL VPN with user certificate and credential verification allows a user to connect with a certificate signed by a trusted CA that does not match the certificate chain of the configured CA in the user peer configuration.

666513

An internal website, https://***.46.19.****:10443, cannot be opened in SSL VPN web mode.

666855

FortiOS supports verifying client certificates with RSA-PSS series of signature algorithms, which causes problems with certain clients.

669506

SSL VPN web mode cannot properly load the Jira-based web page https://jira.ca.ob***.com.

669900

SSL VPN crash when updating the existing connection at the authentication stage.

673320

Pop-up window does not load correctly when accessing internal application at https://re***.wo***.nl using SSL VPN web mode.

674279

Customer cannot access SAP web GUI with SSL VPN bookmark.

675196

RTA login webpage is not displaying in SSL VPN web mode.

675901

Internal website https://po***.we***.ac.uk is not loading correctly with SSL VPN bookmark.

677256

Custom languages do not work in SSL VPN web portals.

677550

GUI issues on the internal Atlassian Jira web portal in SSL VPN web mode.

678130

Customer internal website, https://va***.do***.com:21108/mne, cannot be displayed correctly in SSL VPN web mode.

678132

SSL VPN web portal SSO credentials for the alternative option are not working.

678450

Unable to view the management GUI of Palo Alto running 8.1.16 in SSL VPN web mode.

681626

Internal Gridbees portal does not display in SSL VPN web mode.

684012

SSL VPN crashed with signal 11 (segmentation fault) in uri_search because of rules set for a special case.

685269

SSL VPN web mode is not working properly for aw***.co***.com website.

685854

After SSL VPN proxy rewrite, some Salto JS files could not run.

Switch Controller

Bug ID

Description

686031

LLDP updates from FortiSwitch can cause flcfgd to leak memory.

System

Bug ID

Description

598464

Rebooting FG-1500D in 5.6.x during upgrade causes an L2 loop on the heartbeat interface and VLAN is disabled on the switch side.

628642

Packets from the same session are forwarded to each LACP member when NPx offloading is enabled.

648083

cmdbsvr may crash with signal 11 (segmentation fault) when frequently changing firewall policies.

649937

The diagnose geoip geoip-query command fails when fortiguard-anycast is disabled.

651103

FG-101F crashed and rebooted when adding vlan-protocol 8021ad VLAN.

654131

No statistics for TX and RX counters for VLAN interfaces.

665332

When a VDOM has a large number of VIPs and policies, any firewall policy change causes cmdbsvr to become too busy and consume high CPU.

665550

Fragmented UDP traffic is not reassembled on the FortiGate and is not forwarded out.

667722

VLAN interface created on top of a 10G interface does not show the actual TX/RX counters.

667962

httpsd crashed and *** signal 6 (Aborted) received *** appears when loading configurations through REST API with interactions.

669914

No statistics for TX and RX counters for VLAN interfaces.

669951

confsyncd may crash when there is an error parsing through the internet service database, but no error is returned.

670897

Update GTP code to be compatible with newer versions (GTPv1 and GTPv2).

670962

Packet loss occurs when traffic flows between VLAN interfaces created on a 10G LACP link.

671643

NTurbo does not work when enabled in IPsec tunnel or with session helper.

673609

The auto-join FortiCloud retry timer value of 600 seconds is too large.

675171

L2TP with status set to enable should be configured before EIP and SIP.

675508

When provisioning a FortiGate and FortiSwitch with enforced firmware version 6.4.2 in FortiManager, the physical port for FortiLink is down and cannot connect to FortiSwitch.

679114

DHCP discover request is wrongly forwarded to all IPsec VPN interfaces when tunnel flipping occurs.

687519

Bulk changes through the CLI are very slow with 24000 existing policies.

695252

FortiExtender VLAN interface cannot get updated LTE IP.

User & Authentication

Bug ID

Description

658228

The authd and foauthd processes may crash due to crypto functions being set twice.

666857

LDAP connectivity delays in transparent mode VDOM.

667025

FortiGate does not send LLDP PDU when it receives LLDP packets from VoIP phones.

664123

Log enrichment of source and destination IP with RSSO user information is not working properly for IPv4 with the Framed-Route attribute in RADIUS accounting.

675226

The ssl-ocsp-source-ip setting is not configurable in non-management VDOMs.

675539

FSSO collector status is down even though authd reports it as connected in a multi-VDOM environment.

682966

FortiGate is unable to parse IPv6 RADIUS accounting packet (Parse error: IP6 Prefix).

VM

Bug ID

Description

620654

Spoke dialup IPsec VPN does not initiate connection to hub after FG-VM HA failover in Azure.

646161

FG-VM8 does not recognize all memory allocated in Hyper-V.

669722

Unable to import more than 50 groups from NSX-T SDN connector.

672509

OCI HA unable to handle cross-compartment failover.

682260

After enabling DPDK, the FG-VM license becomes invalid. After rebooting, the license becomes valid again.

682420

Dialup IPsec tunnel from Azure may not be re-established after HA failover.

682561

get system status output can be stuck getting the instance ID.

689307

HA secondary VMSL license is invalid after reboot.

690863

EIP is not updating properly with execute update-eip command in Azure with standard SKU public IP in some Canadian regions, like CanadaCentral and CanadaEast.

Web Filter

Bug ID

Description

668325

A hanging FortiGuard connection is not torn down in some situations.

669018

Change URL re-evaluation link on web filter block pages to HTTPS.

675436

YouTube channel home page on the blocklist is not blocked when reached from a YouTube search result.

676403

Replacement message pictures (FortiGuard web filter) are not displayed in Chrome.

678467

Safe search URL option is not working when the original query in Google Images has the same parameter name.

WiFi Controller

Bug ID

Description

620764

AP country and region settings are not updating as expected.

625630

FWF-60E hangs with looping kernel panic at WiFi driver.

672136

Log severity for wireless events in FortiWiFi and FortiAP should be reconsidered for CAPWAP teardown.

676640

cw_acd crash with *** signal 8 (Floating point exception) received *** after upgrading to 6.4.3.