On the Policy & Objects > Firewall Policy page in 6.4.0 onwards, the IPv4 and IPv6 policy tables are combined but the custom section name (global label) is not automatically checked for duplicates. If there is a duplicate custom section name, the policy list may show empty for that section. This is a display issue only and does not impact policy traffic.

Workaround: rename the custom section to unique name between IPv4 and IPv6 policies.

If the first firewall service object in the service list (based on the order in the command line table) has a protocol type of IP, the GUI may incorrectly modify its protocol number whenever a new firewall service of the same protocol type IP is created in the GUI.

This silent misconfiguration can result in unexpected behavior of firewall policies that use the impacted service. For example, some 6K and 7K platforms have firewall service ALL (protocol type IP) as the first service, and this can cause the ALL service to be modified unexpectedly.

Workaround: create a new service in the CLI, or move a non-IP type services to the top of the firewall service list. For example, if ALL is the first firewall service in the list:

config firewall service custom
    edit "unused"
        set tcp-portrange 1
    next
    move "unused" before "ALL"
end

On the System > FortiGuard page, the override FortiGuard server for AntiVirus & IPS Updates shows an Unknown status, even if the server is working correctly. This is a display issue only; the override feature is working properly.

On the Network > Interfaces page when VDOM mode is enabled, the Global view incorrectly shows the status of IPsec tunnel interfaces from non-management VDOMs as up. The VDOM view shows the correct status.

On the Policy & Objects > Firewall Policy page, the policy list can take around 30 seconds or more to load when there is a large number (over 20 thousand) of policies.

Workaround: use the CLI to configure policies.

System > Certificates list sometimes shows an incorrect reference count for a certificate, and incorrectly allows a user to delete a referenced certificate. The deletion will fail even though a success message is shown. Users should be able to delete the certificate after all references are removed.

When using the SSL VPN web portal in the Firefox, users cannot paste text into the SSH terminal emulator.

Workaround: use Chrome, Edge, or Safari as the browser.

When upgrading firmware from 7.0.1 to 7.0.2, the GUI incorrectly displays a warning saying this is not a valid upgrade path.

An undefined error is displayed when changing an administrator password for the first time. Affected models: NP7 platforms.

When viewing entries in the slide-out window of the Policy & Objects > Internet Service Database page, users cannot scroll down to the end if there are over 100000 entries.

On the Network > Routing Objects page, editing a prefix list with a large number of rule entries fails with an error notification that The integer value is not within valid range.

Workaround: edit a prefix list with a large number of rule entries in the CLI.

When private data encryption is enabled, the GUI may become unresponsive and HA may fail to synchronize the configuration.

On rare occasions, the GUI may display blank pages when the user navigates from one menu to another if there is a managed FortiSwitch present.

Workaround: restart the HTTPSD process, restart the WAD process, or reboot the FortiGate.

FortiGate 4200F, 4201F, 4400F, and 4401F HA1, HA2, AUX1, and AUX2 interfaces cannot be added to an LAG.

Sessions being processed by hyperscale firewall policies with hardware logging may be dropped when dynamically changing the log-processor setting from hardware to host for the hardware log sever added to the hyperscale firewall policy. To avoid dropping sessions, change the log-processor setting during quiet periods.

Hit count not ticking for implicit deny policy for hardware session in case of NAT46 and NAT64 traffic.

service-negate does not work as expected in a hyperscale deny policy.

srcaddr-negate and dstaddr-negate are not working properly for IPv6 traffic with FTS.

Access control list (ACL) policies added to a hyperscale firewall VDOM that is processing traffic may take longer than expected to become effective. During a transition period, traffic that should be blocked by the new ACL policy will be allowed.

Output of diagnose sys npu-session list/list-full does not mention policy route information.

Diagnose command should be available to show hit_count/last_used for policy route and NPU session on hyperscale VDOM.

Get PARSE SKIP ERROR=17 NPD ERR PBR ADDRESS console error log when system boots up.

The diagnose firewall ippool list command does not show the correct output for overload type IP pools.

IPsec aggregate static route is not marked inactive if the IPsec aggregate is down.

If a tunnel in an IPsec aggregate is down but its DPD link is on, the IPsec aggregate interface may still forward traffic to a down tunnel causing traffic to drop.

Logs are not seen for traffic passing through the firewall caused by numerous simultaneous configuration changes.

Slow GUI performance in large Fabric topology with over 50 downstream devices.

Security Rating report for Rogue AP Detection and FortiCare Support checks show incorrect results.

Interface belonging to other VDOMs should be removed from interface list when configuring a GENEVE interface.

Traffic passing through an EMAC VLAN interface when the parent interface is in another VDOM is blocked if NP7 offloading is enabled.

Workaround: set the auto-asic-offload option to disable in the firewall policy.

High memory usage caused by downloading a large CRL list.

When setting the speed of 1G SFP ports on FG-180xF platforms to 1000full, the interface does not come up after rebooting.

Console may display mce: [Hardware Error] error message after fresh image burn or reboot.

High CPU utilization occurs when relay is enabled on VLAN, and this prevents users from getting an IP from DHCP.

FortiGate might enter conserve mode if disk logging is enabled and log-traffic all is set in a policy.

Kernel panic occurs due to null pointer dereference.

When a user is logged in as a VDOM administrator with restricted access and tries to upload a certificate (System > Certificates), the Create button on the Create Certificate pane is grayed out.

QSFP/QSFP+ port23/port24 are down after upgrading to 7.0.11 on FG-3401E.

In a certain edge case, traffic directed towards a VLAN interface could trigger a kernel interruption.

After upgrading to 7.0.11, FortiOS cannot display QSFP+ transceiver information. Affected platforms: FG-110xE, FG-220xE, FG-330xE, FG-340xE, and FG-360xE.

All members are up on an FG-600F, but the LACP status is showing as down after upgrading.

Upgrading FortiOS firmware with a local file from 6.2.13, 6.4.12, 7.0.11, or 7.2.4 and earlier may fail for certain models because the image file size exceeds the upload limit. Affected models: FortiGate 6000 and 7000 series, FWF-80F-2R, and FWF-81F-2R-POE.

Workaround: upgrade the firmware using FortiGuard, or manually increase the HTTP request size limit to 200MB.

config system global
    set http-request-limit 200000000
end

When there are extra large number of managed FortiAP devices (over 500) and large number of WiFi clients (over 5000), the Managed FortiAPs page and FortiAP Status widget can take a long time to load. This issue does not impact FortiAP operation.