Stress test shows packet loss when testing with flow inspection mode and application control.

FG-3000D cluster kernel panic occurs when upgrading from 7.0.5 to 7.0.6 and later.

On the System > FortiGuard page, the override FortiGuard server for AntiVirus & IPS Updates shows an Unknown status, even if the server is working correctly. This is a display issue only; the override feature is working properly.

On the Network > Interfaces page when VDOM mode is enabled, the Global view incorrectly shows the status of IPsec tunnel interfaces from non-management VDOMs as up. The VDOM view shows the correct status.

On the Policy & Objects > Firewall Policy page, the policy list can take around 30 seconds or more to load when there is a large number (over 20 thousand) of policies.

Workaround: use the CLI to configure policies.

System > Certificates list sometimes shows an incorrect reference count for a certificate, and incorrectly allows a user to delete a referenced certificate. The deletion will fail even though a success message is shown. Users should be able to delete the certificate after all references are removed.

When using the SSL VPN web portal in the Firefox, users cannot paste text into the SSH terminal emulator.

Workaround: use Chrome, Edge, or Safari as the browser.

FortiLink NAC matched device is displayed in the CLI but not in the GUI under WiFi & Switch Controller > NAC Policies > View Matched Devices.

New IPsec design tunnel-id still displays the gateway as an IP address, when it should be a tunnel ID.

When upgrade firmware from 7.0.1 to 7.0.2, the GUI incorrectly displays a warning saying this is not a valid upgrade path.

Managed FortiSwitches page incorrectly shows a warning about an unregistered FortiSwitch even though it is registered. This only impacts transferred or RMAed FortiSwitches. This is only a display issue with no impact on the FortiSwitch's operation.

Workaround: confirm the FortiSwitch registration status in the FortiCare portal.

An undefined error is displayed when changing an administrator password for the first time. Affected models: NP7 platforms.

Unable to access GUI via HA management interface of secondary unit.

When private data encryption is enabled, all passwords present in the configuration fail to load and may cause HA failures.

HA split brain scenario occurs after upgrading from 6.4.6 to 7.0.6, and HA heartbeats are lost followed by a kernel panic. Affected platforms: NP7 models.

A cluster is repeatedly out-of sync due to external files (SSLVPN_AUTH_GROUPS) when there are frequent user logins and logouts.

A few tasks are hung on issuing stat verbose on the secondary device.

After changing hyperscale firewall policies, it may take longer than expected for the policy changes to be applied to traffic. The delay occurs because the hyperscale firewall policy engine enhancements added to FortiOS 7.0.6 may cause the FortiGate to take extra time to compile firewall policy changes and generate a new policy set that can be applied to traffic by NP7 processors. The delay is affected by hyperscale policy set complexity, the total number of established sessions to be re-evaluated, and the rate of receiving new sessions.

In the FortiOS MIB files, the trap fields fgFwIppStatsGroupName and fgFwIppStatsInusePBAs have the same OID. As a result, the fgFwIppStatsInusePBAs field always returns a value of 0.

After packets go through host interface TX/RX queues, some packet buffers can still hold references to a VDOM when the host queues are idle. This causes a VDOM delete error with unregister_vf. If more packets go through the same host queues for other VDOMs, the issue should resolve by itself because those buffers holding the VDOM reference can be pushed and get freed and recycled.

Using EIF to support hairpinning does not work for NAT64 sessions.

Creating an access control list (ACL) policy on a FortiGate with NP7 processors causes the npd process to crash.

FortiGate 4200F, 4201F, 4400F, and 4401F HA1, HA2, AUX1, and AUX2 interfaces cannot be added to an LAG.

FortiGate still holds npu-log-server related configuration after removing hyperscale license.

Changes in the zone configuration are not updated by the NPD on hyperscale.

Sessions being processed by hyperscale firewall policies with hardware logging may be dropped when dynamically changing the log-processor setting from hardware to host for the hardware log sever added to the hyperscale firewall policy. To avoid dropping sessions, change the log-processor setting during quiet periods.

Hit count not ticking for implicit deny policy for hardware session in case of NAT46 and NAT64 traffic.

service-negate does not work as expected in a hyperscale deny policy.

srcaddr-negate and dstaddr-negate are not working properly for IPv6 traffic with FTS.

Output of diagnose sys npu-session list/list-full does not mention policy route information.

Diagnose command should be available to show hit_count/last_used for policy route and NPU session on hyperscale VDOM.

Get PARSE SKIP ERROR=17 NPD ERR PBR ADDRESS console error log when system boots up.

The diagnose firewall ippool list command does not show the correct output for overload type IP pools.

IPsec aggregate static route is not marked inactive if the IPsec aggregate is down.

IKE crashes after HA failover when the enforce-unique-id option is enabled.

When net-device is enabled on the hub, the tunnel interface IP is missing in the routing table.

IPsec static router gateway IP is set to the gateway of the tunnel interface when it is not specified.

An error case occurs in WAD while handling the HTTP requests for an explicit proxy policy.

Slow GUI performance in large Fabric topology with over 50 downstream devices.

Security Rating report for Rogue AP Detection and FortiCare Support checks show incorrect results.

Multiple DNS suffixes cannot be set for the SSL VPN portal.

Traffic passing through an EMAC VLAN interface when the parent interface is in another VDOM is blocked if NP7 offloading is enabled.

Workaround: set the auto-asic-offload option to disable in the firewall policy.

Random LTE modem disconnections due to certain carriers getting unstable due to WWAN modem USB speed under super-speed.

After upgrading from 6.4.9 to 7.0.5, the FG-110xE's 1000M SFP interface may fail to auto-negotiate and cannot be up due to the missed auto-negotiation.

The threshold for conserve mode is lowered.

High memory usage occurs on FG-200F.

DoS policy ID cannot be moved in GUI and CLI when enabling multiple DoS policies.

When setting the speed of 1G SFP ports on FG-180xF platforms to 1000full, the interface does not come up after rebooting.

NP7 platforms may encounter a kernel panic when deleting more than two hardware switches at the same time.

FEX-40D-NAM model support was removed after upgrading to 7.0.6 or 7.0.7.

Can't find xitem. Drop the response. error appears for DHCPOFFER packets in the DHCP relay debug.

DHCP relay does not work properly with two DHCP relay servers configured.

FortiGate might enter conserve mode if disk logging is enabled and log-traffic all is set in a policy.

Kernel panic occurs due to null pointer dereference.

After updating the FSSO DC agent to version 5.0.0301, the DC agent keeps crashing on Windows 2012 R2 and 2016, which causes lsass.exe to reboot.