If the first firewall service object in the service list (based on the order in the command line table) has a protocol type of IP, the GUI may incorrectly modify its protocol number whenever a new firewall service of the same protocol type IP is created in the GUI.

This silent misconfiguration can result in unexpected behavior of firewall policies that use the impacted service. For example, some 6K and 7K platforms have firewall service ALL (protocol type IP) as the first service, and this can cause the ALL service to be modified unexpectedly.

Workaround: create a new service in the CLI, or move a non-IP type services to the top of the firewall service list. For example, if ALL is the first firewall service in the list:

config firewall service custom
    edit "unused"
        set tcp-portrange 1
    next
    move "unused" before "ALL"
end

Access to some websites fails after upgrading to FortiOS 7.2.3 when the firewall policy is in flow-based inspection mode.

Workaround: access is possible with one of the following settings.

• Change the firewall policy inspection mode to proxy-based.
• Remove the IPS security profile from the firewall policy.
• Set tcp-mss-sender and tcp-mss-receiver in the firewall policy to 1300.
• Set tcp-mss to 1300 on the VPN tunnel interface.
• Bypass the inter-VDOM link (may work in applicable scenarios, such as if the VDOM default route points to physical interface instead of an inter-VDOM).

On the Policy & Objects > Firewall Policy page, if any of the interface names contain a space, the page does not load when Interface Pair View is selected.

Workaround: remove all space characters in interface names referenced in policies.

On a FortiGate managed by FortiManager, after upgrading to 7.4.0, the Firewall Policy list may show separate sequence grouping for each policy because the global-label is updated to be unique for each policy.

Workaround: drag and drop the policy to the correct sequence group in the GUI, or remove the global-label for each member policy in the group except for the leading policy.

• Policy 1 (global-label "group1")
• Policy 2
• Policy 3 (global-label "group2")
• Policy 4

On the Policy & Objects > Firewall Policy page, when the interface name used in a virtual wire pair is a substring of interfaces used in a firewall policy, such policies are not displayed. For example, if a virtual wire pair consists of interfaces port1 and port2, firewall policies with port10, port11, port21, port22 are not displayed.

Policy lookup should not get result with policy_action: deny for non-TCP protocols and non-80/443 TCP ports.

For local out DNAT traffic, the best output route may not be found.

Changing the destination in the policy replaces applied services with service, ALL.

After a failover, ARP entries are removed from all slots when an ARP query of single slot does not respond.

IPv6 ECMP is not supported for the FortiGate 6000F and 7000E platforms. IPv6 ECMP is supported for the FortiGate 7000F platform.

UTM traffic is blocked by an FGSP configuration with asymmetric routing.

The FortiGate 6000 or 7000 front panel does not appear on the Network > Interfaces and System > HA GUI pages.

In some cases, the FortiGate 7000F platform cannot correctly reassemble fragmented packets.

The FortiGate 7000E and 7000F platforms do not support GTP and PFCP load balancing.

The FortiGate 6000 and 7000 System Information dashboard widget incorrectly displays the management board or primary FIM serial number instead of the chassis serial number. Use get system status to view the chassis serial number.

FortiGate 6000 and 7000 platforms do not support managing FortiSwitch devices over FortiLink.

Workaround: manually set the LACP mode of the Fortilink interface to static:

config system interface
    edit fortilink
        set lacp-mode static
end

Virtual clustering is not supported by FortiGate 6000 and 7000 platforms.

The FortiGate 6000 and 7000 platforms do not support EMAC VLANs.

Adding a FortiAnalyzer to a FortiGate 6000 or 7000 Security Fabric configuration from the FortiOS GUI is not supported.

Workaround: add the FortiGate 6000 or 7000 to the FortiAnalyzer from the FortiAnalyzer GUI.

On FortiGate 7000F platforms, NP7-offloaded UDP sessions are not affected by the udp-idle-timer option of the config system global command.

Unable to select a management interface LAG to be the direct SLBC logging interface.

SNMP walk failed to get the BGP routing information.

On a FortiGate 6000 or 7000, the active worker count returned by the output of diagnose sys ha dump-by group can be incorrect after an FPC or FPM goes down.

Unable to select a management interface LAG to be the FGSP session synchronization interface.

Authenticated users are not synchronized to the secondary FortiGate 6000 or 7000 chassis when the secondary chassis joins a primary chassis to form an FGCP cluster.

The FortiGate 6000 and 7000 platforms do not support IPsec VPN over a loopback interface or an NPU inter-VDOM link interface.

On a FortiGate 7000F, after a new FPM becomes the primary FPM, IPsec VPN dynamic routes are not synchronized to the new primary FPM.

Workaround: reset IPsec VPN tunnels that use dynamic routing.

FGCP session synchronization may not synchronize all sessions on FortiGate 6000 and 7000 models.

On the FortiGate 7000F platform, fragmented IPv6 ICMP traffic is not load balanced correctly when the dp-icmp-distribution-method option under config load-balance is set to dst-ip. This problem may also occur for other dp-icmp-distribution-method configurations.

The FortiGate 6000s or 7000s in an FGSP cluster may load balance FTP data sessions to different FPCs or FPMs. This can cause delays while the affected FortiGate 6000 or 7000 re-installs the sessions on the correct FPC or FPM.

FortiGate 7000E IPv6 routes may not be synchronized correctly among FIMs and FPMs.

FortiGate 7000F chassis with FIM-7941Fs cannot load balance fragmented IPv6 TCP and UDP traffic. Instead, fragmented IPv6 TCP and UDP traffic received by the FIM-7941F interfaces is sent directly to the primary FPM, bypassing the NP7 load balancers. IPv6 ICMP fragmented traffic load balancing works as expected. Load balancing fragmented IPv6 TCP and UDP traffic works as expected in FortiGate 7000F chassis with FIM-7921Fs.

The FortiGate may display a false alarm message TypeError [ERR_INVALID_URL]: Invalid URL in the crashlog for the node process. This error does not affect the operation of the GUI.

In the System > Administrators dialog, when there are a lot of VDOMs (over 200), the dialog can take more than one minute to load the Two-factor Authentication toggle. This issue does not affect configuring other settings in the dialog.

Workaround: use the CLI to configure two-factor-authentication under config system admin.

When logged in to the GUI of a non-management VDOM and trying to complete the Migrate Config with FortiConverter step in the startup menu, the page does not update and the loading spinner is stuck.

Workaround: in the browser's URL bar, remove everything after the /prompt, log in to the FortiGate GUI with the management VDOM, and enable the Don't show again toggle on the Migrate Config with FortiConverter page in the startup menu.

After successfully changing the VLAN ID of an interface from the CLI, an error message similar to cmdb_txn_cache_data(query=log.npu-server,leve=1) failed may appear.

NPD/LPMD cannot differentiate the different VRFs, and considers all VRFs as 0.

An error condition occurs in WAD caused by multiple outstanding requests sent from the client to server with UTM enabled.

A rare error condition occurred in WAD caused by compounded SMB2 requests.

On a FortiGate that has large tables (over 1000 firewall policies, address, or other tables), security rating reports may cause the FortiGate to go into conserve mode.

FortiGate will intermittently stop accepting new SSL VPN connections across all VDOMs.

When a FortiSwitch port is reconfigured, the FortiGate may incorrectly retain old detected device data from the port that results in an unexpected number of detected device MACs for the port. Using diagnose switch-controller mac-cache show to check the device data can result in the Device Information column being blank on the WiFi & Switch Controller > FortiSwitch Ports page or in the Assets widget.

Workaround: disable the device retention cache to remove old device data.

config switch-controller global
    set mac-retention-period 0
end

FortiGate 200F interfaces stop passing traffic after some time.

When configuring an 802.3ad aggregate interface with a 1 Gbps speed, the port's LED is off and traffic cannot pass through. Affected platforms: 110xE, 220xE, 330xE, 340xE, and 360xE.

If the FortiGate is added to FortiManager using the IPv6 address and tunnel is down for some reason, the FortiGate will not reconnect to FortiManager since fmg under system central-management is not set properly.

Workaround: set fmg manually or connect from the FortiManager side.

When a user is logged in as a VDOM administrator with restricted access and tries to upload a certificate (System > Certificates), the Create button on the Create Certificate pane is grayed out.

The FortiGate may display a false alarm message and subsequently initiate a reboot.

FGR-70F and FGR-70F-3G4G failed to perform regular reboot process (using execute reboot command) with an SD card inserted.

System goes into halt state with Error: Package validation failed... message in cases where there are no engine files in the FortiGate when the BIOS security level is set to 2.

Workaround: set the BIOS security level to 0 or 1.

When a search is performed on a user (User & Authentication > User Definition page), the search results highlight all the groups the user belongs to.

When there are extra large number of managed FortiAP devices (over 500) and large number of WiFi clients (over 5000), the Managed FortiAPs page and FortiAP Status widget can take a long time to load. This issue does not impact FortiAP operation.

On the FortiGate 200F, CAPWAP tunnel traffic over tunnel SSID is dropped when offloading is enabled.

The Automatically connect to nearest saved network option does not work as expected when the FortiWiFi 60E client-mode local radio loses connection.

Physical and logical topology is slow to load when there are a lot of managed FortiAP devices (over 50). This issue does not impact FortiAP management and operation.

Unable to create FortiAP profile in the GUI for dual-5G mode FortiAP U231F/U431F models.

Workaround: use the CLI to update the profile to dual-5G mode.