The GUI no longer incorrectly includes the mgmt-vdom when calculating the number of VDOMs.

Running a packet capture from the GUI now works as expected.

Resolved an issue that caused the wad application to crash with a signal 11.

VLAN interfaces added to accelerated npu_vdom link interfaces can now successfully pass traffic.

Resolved multiple Security Fabric synchronization issues.

Resolved an issue that could result in multiple updated processes may be running, some with CPU usage at 99%.

Resolved an issue that could cause the confsyncd process to crash on idle FortiGate-6000s or 7000s.

Added support for the Security Fabric when operating an HA cluster in transparent mode. Because transparent mode was not supported, FPCs and FPMs on the secondary FortiGate-6000 or 7000 in an HA cluster were not able to synchronize.

EMAC-VLAN fixes.

Resolved an issue that caused proxy policy traffic hit counters on the GUI remain at 0 even though the policy is processing traffic.

Resolved an issue that prevented recording some traffic logs for DLP sessions.

Resolved an issue that caused the cmdbsvr process to crash and reduce throughput.

Resolved an issue that caused the miglogd processes to use up to 99% of CPU resources after a configuration change to a FortiGate-6000 or 7000 with a large number of firewall policies.

SNMP queries can now capture FortiGate-7000 FIM serial numbers.

Resolved an issue that could sometimes prevent SNMP polling of FIM data from working as expected.

Resolved an issue that caused FortiGate-7000F load balancing to send fragmented and non-fragmented packets from the same session to different FPMs.

Resolved an issue that incorrectly caused the status of an IPsec interface to appear as down on the GUI even though the interface is actually up and passing traffic.

The mechanism for synchronizing the FIB to FPCs or FPMs when a FPC or FPM reboots or after an HA failover is now more efficient and no longer causes errors or problems with BGP routing.

Fixed syntax errors in the FORTINET-CORE-MIB.mib FORTINET-FORTIGATE-MIB.mib files.

MAC addresses set using the macaddr interface option now persist after the FortiGate-6000 or 7000 restarts.

The FortiGate-6000 management board now shows policy hit counts for all FPCs for NGFW security policies.

Resolved an issue that could sometimes prevented FortiOS from receiving accurate chassis information, such as the chassis serial number, from the SMM.

Resolved an issue that caused routes to be lost when one phase 2 goes down in an IPsec VPN tunnel configuration that includes two phase 2 configurations.

Resolved an issue that created duplicate backup routes after an HA failover. The same issue caused proto=20 routes to be deleted before route-ttl ends and sometimes caused excess memory usage. You can use the following command to clear proto=20 routes (also called backup routes): diagnose test application chlbd 15.

Resolved an issue that could prevent Chromebook clients from communicating through L2TP IPsec tunnels.

The config system global option miglog-affinity now works as expected.

Resolved a number of related issues that could cause a FortiGate-6000 or 7000 to enter conserve mode because of high memory usage.

Resolved an issue that caused output of the diagnose debug comlog read command to be interrupted before all of the messages are displayed when running the command on an FIM or FPC.

Resolved an issue that could prevent OSPF from re-negotiating successfully after an FGCP HA failover.

Wildcard.FQDN addresses are now synchronized to all FPCs and FPMs in a single FortiGate-6000 or 7000 and to both FortiGate-6000s and 7000s in an FGCP HA configuration.

Resolved an issue that could cause OSPF adjacencies to fail after an FGCP HA failover even though the FortiGate configuration enables OSPF graceful restart.

Resolved a timing issue that could cause an FPC or FPM to become unresponsive for an extended period of time after a firmware upgrade when the configuration includes a large number of UTM profile groups.

SD-WAN health checking information is now available from all FPCs or FPMs.

IPS TLS probe requests can now be configured from the mgmt-vdom VDOM. For example, the following configuration is now supported:

config ips global

config tls-active-probe

set interface-select-method specify

set interface "mgmt1"

set vdom "mgmt-vdom"

end

Resolved an issue that caused SNMP queries to return empty values for some FPCs or FPMs.

After FortiGate-6000 FGCP HA failover, the management board of the new primary FortiGate-6000 no longer looses its wildcard FQDN cache.

Fixed syntax errors in FORTINET-CORE-MIB.mib FORTINET-FORTIGATE-MIB.mib.

Resolved an issue that may cause one or more FPCs or FPMs to become unresponsive and for the console to print error messages that include unregister_netdevice.

Resolved an issue that caused a wad application memory leak.

Resolved an SD-WAN routing issue that prevented SD-WAN load balancing from working as expected.

Management, local-out, and IPsec VPN traffic over NPU inter-VDOM links and with VLANs added to NPU inter-VDOM links works as expected.

Resolved an issue that caused the ntpd process running on an FPC to crash.

Resolved an issue that caused configuration synchronization delays for systems with very large configurations (for example: 200K filrewall policies and 256 VDOMs).

FortiOS 6.4.6 for FortiGate-6000 and 7000 series is no longer vulnerable to the following PSIRT incident number:

• CVE-2021-26109

FortiOS 6.4.6 for FortiGate-6000 and 7000 series is no longer vulnerable to the following PSIRT incident number:

• CVE-2021-36173