Large file downloads take longer than expected due to a WAD process issue.

Files sent between FortiGate and FortiSandbox are dropped due to a connection issue.

On FortiGate, the av-mem-limit does not work as expected when set av-failopen pass configured due to a memory usage issue.

The incorrect percentage is displayed in the Files Uploaded Today widget to Sandbox.

MMDB and AVAI DBs are unsigned after upgrading from version 7.0.15 to version 7.2.9.

The scanunit shows error messages that do not provide enough detail when corrupt AV engine or DB events occur.

Entry-level FortiGate's with 2GB of memory encounter a memory usage issue and do not operate as expected caused by the scanunit initiating an AV engine restart.

FortiGate does not generate traffic logs for established or denied TCP sessions that lack application data.

The application control profile is missing on the GUI for FortiGate models with 2GB of memory.

When using SD-WAN load balancing, some sites are slow or inaccessible when the Application Control action is set to Allow.

Application control cannot detect Facebook as Social Media when certificate-inspection is used.

The DLP incorrectly detects a .pdf file as a .mpeg file and blocks the download.

When a DLP profile is set to MAPI, there is a slow connection between Outlook and the Exchange server.

FortiGate experiences a WAD process issue and produces a wad_find_fwdsvr_by_key error.

On FortiGate, the IPv6 real server shown as DOWN by the health check but it is considered UP in the kernel.

When the FortiGate has thousands of addresses and hundreds address groups, the GUI can take a few minutes to search for a specific address inside the address group dialog.

Reordering the DNAT policies in the central NAT causes a false hit count.

An internet interface with egress/outbound shaping encounters a performance issue with sla after rebooting.

No route is found when the FTP server connects back to FTP client in FTP active mode.

The SNMP fgIpsAnomalyDetections counter does not increase if the DoS policy is configured in a no management VDOM.

The F5 HTTP/S monitors for the web server in FortiGate do not function as expected due to HTTP 0.9 traffic.

On the Firewall Policy page, search results do not display in an expanded format.

Modifying the shaping profile, whether it is assigned to an interface or not, results in IPsec tunnels going down.

FortiGate in policy-based mode showing the incorrect policy ID in forward traffic logs.

When a VIP load balancer is configured to use an IPPool and has http-multiplex enabled, FortiGate performs SNATs using the outgoing interface instead of the IPPool.

Incorrect matching of zones and SD-WAN zones occurs where interfaces do not exist.

Incorrect checksum for fragments after QTM.

Intermittent reply traffic is not sent out of FortiGate.

On FortiGate, packets are dropped when ASIC offloading is enabled.

The firewall policy name length validation does not work with Korean characters.

On FortiOS, the Security Fabric widget does not display information on blade status.

On FortiGate 6000 FPCs and FortiGate 7000 FPMs the node process may consume large amounts of CPU resources, possibly affecting FPC or FPM performance. (You can run the diagnose sys top command from an FPC or FPM CLI to view CPU usage.) This problem may be caused by security rating result submission.

In an HA configuration, FortiGate does not respond to SNMP queries causing the device to display as being DOWN.

When applying a script to a configuration, the updated configuration is applied to the FIM but is not fully synchronized on the FPCs.

On FortiGate, IPv6 VRF routing tables appear under the new and old FPC primary units when the primary FPC slot is changed.

The secondary 7K slot 3 (FPM) has no ISDB database and will not update.

FIM encounters a split-brain scenario after rebooting.

On the Dashboard > FortiView Sessions page, closing a large number of FortiView sessions (+100) can take longer than expected and result in a CPU usage issue.

When trying to filter by device using the 1 week filter option, the User device store query error (error code: -1) error message is displayed.

On the Network > Interfaces page, the SFP port is grayed out on the faceplate diagram even though the port is working. This is purely a GUI display issue and does not affect system operation.

Workaround: View the SFP port information and status using the interface list in the CLI.

The WAN interface is accessible in the GUI under certain interface configurations even though it is not allowed in the configuration file.

The IP/Netmask column of HA management port hangs in the GUI.

On FortiOS, IPSec localid cannot be deleted using the GUI.

Catch WebSocket errors from PerMessageDeflate occur when the client abruptly closes the connection.

FortiGate Cloud still shows as Activated in the GUI, even when logged out.

On low end models, the service list is empty when selecting members for a Service Group.

In the GUI, there is no setting for the type option for the npu_vlink interface.

Rx_dropped is observed on ha1 and ha2 interfaces and randomly experiences flapping.

When bandwidth is low, the tftp backup command on the secondary unit does not work as expected when it should be able to reach the server.

The HA secondary FortiGate logical topology page shows the FAZ connected interface as FortiAnalyzer.

FortiGate encounters a memory usage issue caused by cmdbsvr and hasync.

In a vCluster configuration, traffic stops after a VDOM failover.

On FortiGate's in an HA environment, DHCP clients can not get an IPv4 address from the server with vcluster.

Static routes configured under the secondary unit's standalone-mgmt-vdom do not take effect.

The standalone-config-sync conf-member kept out-of-synchronization after an upgrade and configuration change.

FortiGate in an HA environment encounter a CPU uasge issue in hte softriq on FGSP cluster members with more than 200000 session running.

The HA secondary device sends GARP with the wrong MAC address after the vcluster is removed.

More sessions on a FGCP secondary unit than the primary unit.

Reply packets are misdirected in an asymmetric L3 FGSP configuration.

The fgsp_route_health status is incorrect when configuring a monitor-interface or link-monitor-interface with a long interface name.

FFDB signatures keep flapping on all blades except the master FIM of the primary chassis.

SNMP v3 times out in FortiGate Azure/AWS in HA setup.

The sw session and log2host netflow logs cannot be seen even though template is present. Data packet displays an error saying template not found.

FortiGate experiences a performance issue with geography-type addresses matching in NGFW policy mode.

FortiGate encounters a memory usage issue in the IPSengine when av-failopen is set to pass.

Forticron runs diagnose ips debug disable all and diagnose ips ssl debug none constantly due to a processing issue.

IPsec inserted SA's are not deleted successfully after flushing all tunnels.

When QKD dialup is enabled, IKE SA cannot establish a connection and generates an error.

FortiOS does not enable all available IPsec drivers.

If IKEv2 is selected during the VPN FortiClient Remote Access wizard setup in the GUI, the Extensible Authentication Protocol (EAP) configuration cannot be selected using the GUI.

The IPsec VPN tunnel on the branch unit does not terminate even when the remote gateway IP address becomes unavailable.

IPsec does not work as expected when the traffic path is spoke dialup to hub1, then from hub1 to another site using a site-to-site tunnel.

Throughput is limited in Site to Site VPN connections between the FW1kF and the FWVM Google Cloud platform.

IPsec tunnels are flushed when unrelated changes are made in the system.

Authentication for native iOS IPsec VPN user with FortiToken 2FA does not work as expected.

FortiGate enters into conserve mode due to IKED encountering a memory usage issue.

Unexpected behavior in IKED occurs when a peer attempts to negotiate with two different gateway profiles simultaneously.

The Phase2 SA is present in the kernel but there is no IKE Phase1 SA after an HA upgrade.

The tcp-mss setting on the tunnel interface does not take affect for IPv6 traffic.

The IPsec tunnel with FlexVPN Cisco (ASR1006 Cisco IOS XE Software, Version 17.09.05a) is down after 1 minute.

FortiGate encounters a steadily increasing IKED memory usage issue after upgrading to version 7.4.5.

In a Policy-Based NGFW, if there is no rule hit in central-snat and session never gets established, there will be no traffic log.

The GUI experiences a performance issue and reverts to the last input when multiple ports are added to a filter for destination ports.

The SSH deep-inspection with unsupported-version bypass > log information is not showing.

Some traffic logs show local-out traffic with the vdom-name.

On the Security Traffic Log > Security tab, the Details page displays data with a 1/500 log fetched prompt.

When filtering forward traffic logs using FortiAnalyzer as a source, data takes longer than expected to load and generates a memory error message.

FortiGate logs are not transferred into FortiGate Cloud Log server.

The appcat log field is not included in the IoT signature logs.

Alert email displays an error for FDS-license-expiring.

Event logs are generated with CLEAR TEXT PASSWORD when using the diagnose test authserver tacacs*... command.

FortiGate cannot connect to FortiAnalyzer due to a hostname resolution issue.

The FortiAnalyzer serial number disappears from the FortiGate configuration when the OFTP session disconnects.

An error condition is observed in the fgtlod daemon when FortiCloud uses FortiAnalyzer-Cloud for backend logging.

On the Log Viewer page, the UTM log Matching log page keeps loading under the Log Details > Security tab.

FortiGate intermittently loses the FortiAnalyzer serial number and is required to verify again the FortiAnalyzer serial number and certificate.

FortiGate encounters an issue with the WAD daemon when deep inspection and SSL exemption are enabled while visiting a server with an expired certificate.

On FortiGate, when the waps file is broken, the WAD process does not start.

FortiGate encounters a memory usage issue caused by the WAD process after an upgrade.

An HTTP2 stream issue causes an error condition in the WAD.

On FortiGate, an interruption occurs in the WAD process when in proxy-mode causing the unit to go into memory conserve mode.

Unexpected behavior is observed in the WAD user info history daemon with no data in messages, caused by erroneous memory allocation.

On FortiGate, the WAD process may not work as expected with H2 traffic when creating UTM logs.

The IP SNI check for strict sni-server-cert-check is skipped due to a WAD process issue.

The WAD process does not load a self-sign certificate when set admin-server-cert self-sign is configured in an explicit proxy.

An error condition occurs in the WAD process due to a rare error case during the SSL handshake.

On FortiGate, erroneous memory allocation is observed in the WAD process.

On FortiGate, unexpected behavior is observed in the WAD process during the HTTP session freeing.

When Proxy-mode inline IPS scanning is enabled, the botnet check within the IPS profile does not work as expected when the IPS profile is applied to a proxy-based inspection policy using certificate inspection.

The Protocol option tcp window size in a proxy policy does not work as expected.

An error occurs in the WAD process when DoH traffic is sent to a transparent proxy after enabling HTTP policy redirect, and without having a transparent proxy configured.

A wad-worker experiences a memory usage issue increase over several days.

The API Swagger doc cannot be generated due to incorrect attributes.

On FortiGate, SCTP traffic does not follow the routing table.

The VRRP primary randomly stops sending VRRP advertisement messages for a few seconds.

When creating a rule on the Network > Routing Objects page, the Prefix-list is set to 0.0.0.0 0.0.0.0 when an incorrect format is entered in the Prefix field.

The BGP neighbor range with a space in the name is ignored.

The vlan interface and IPSec tunnel interface are not displayed in the GUI after an upgrade.

FortiGate does not include the ecmp-max-paths setting in the configuration.

Creating a BGP IPv4 network prefix or neighbor in the GUI unintentionally creates an empty IPv6 network prefix.

In a hub and spoke HA configuration, SD-WAN pages take longer than expected to load in the GUI when there are a large number of spokes (~350) configured.

When creating a new static route on the Network > Static Routes page, the Priority field still displays when the Destination is switched from Subnet to Internet Service.

On FortiGate in an HA setup the secondary HA passive device generates unexpected logs.

On FortiOS, the Routes widget does not list out IPv6 routes with non-zero VRF's.

FortiGate does not generate a PIM register after stopping and starting a multicast stream.

FortiGate encounters a multicast routing issue in a VRRP environment.

On FortiOS, the secondary HA device does not display the SD-WAN Rules tab on the Network > SD-WAN page.

Packet are duplicated if the latency between SD-WAN channels differs by more than 250ms.

Routes are not displayed correctly when the BGP configuration is in a specific order.

Shortcuts are not created for ADVPN2.0 and BGP on loopback for segregated transports.

The SD-WAN probe-timeout value is reset to 60000 after rebooting.

An IGMP membership report with a 0.0.0.0 source does not work as expected in kernel 4.19.13.

During a graceful restart towards Cisco Nexus causes BGP VPNv4 routes not to enter FIB.

SD-WAN logs show the parent interface instead of the shortcut interface.

The automation email does not show the output of some commands.

After deauthorizing a downstream FortiGate from the System > Firmware & Registration page, the page may appear to be stuck to loading.

Workaround: perform a full page refresh to allow the page to load again.

Threat Feed connectors in different VDOMs cannot use the source IP when using internal interfaces.

When creating a new IPv6 address, SDN connectors cannot be added for dynamic addresses.

When optimizing a security rating, resolving an alert for one rating causes another alert to appear for another rating and the alerts cycle between both ratings continuously.

The external connector only allows users to specify the interface in the root vdom and not the vdom it is configured in.

Cannot test an automation stitch that uses the Schedule trigger from the GUI.

The Security Rating report does not show test results for downstream FortiGates when the All FortiGates view is selected.

The Threat feed loaded does not run immediately after restarting FortiGate.

With a FortiGate configured with a root-vdom and a mgmt-vdom, when an automation stitch is configured for a compromised host with IP-Ban action, the IP is banned from the mgmt-vdom.

FortiGate models with 2GB of memory that manage many extension devices (FortiSwitches and FortiAPs) may enter conserve mode due to the GUI process experiencing a memory usage issue over time.

The Duplicate Firewall Objects security rating does not work as expected, even it should be passed.

The AZURE type dynamic firewall address takes longer than normal to resolve itself, even with the correct filter value in the robot test bed.

An unauthenticated user mismatch occurs with the user.

SAML login from a Windows FortiClient is blocked when sslvpn-webmode is disabled in the config system global command.

SSL VPN SMB is inaccessible when using Web Mode.

Internal resources cannot be accessed using FortiClient after a network disruption.

Incorrect maximum values present in CLI schema files.

The OS checklist for SSL VPN in FortiOS does not include macOS Sequoia 15.0.

When trying to start and stop the FortiSwitch LED blink using the Security Fabric, the GUI shows a Failed to send command error.

The FortiSwitch registration status changes from Not registered to Failed to fetch status when it is deauthorized and then authorized.

On the WiFi & Switch Controller > SSID page, NAC policies using a Wildcard MAC Address cannot be saved using the GUI.

Workaround: use the CLI to perform the operation.

Upgrading FortiSwitch from the FortiGate GUI does not work as expected when strict and moderate tunnel modes are configured.

When editing a dynamic port policy, saved changes are not shown in the GUI.

On FortiOS, NAC policies disappear from the GUI.

The incorrect timezone is shown for the managed switch.

The interface dialog takes longer than expected to load the FortiLink interface page when there are a large number of FortiSwitch VMs (300+).

On the Firmware page, the Registration Status shows a Failed to fetch status error for an online FortiSwitch. The CLI shows that its registered.

The FortiGate switch port configuration GUI does not allow the de-selection of all values for Allowed VLANs, Security Policy, or QOS Policy.

FortiGate encounters a CPU usage issue caused in the flcfgd when receiving multiple messages from the WAD daemon.

VLAN sub interface event logs for interface status changes are inaccurate.

ACME certificates cannot be renewed manually before their expiration date.

On the NP7 platform, setting the interface configuration using set inbandwidth <x> or set outbandwidth <x> commands stops traffic flow.

FortiGate experiences packet loss when using an internal hardware switch.

FortiGate cannot communicate with ACME client and cannot generate certificate.

FortiGate 60F and 61F models may experience a memory usage issue during a FortiGuard update due to the ips-helper process. This can cause the FortiGate to go into conserve mode if there is not enough free memory.

FortiGate enters a loop cycle and generates a large number of LCAP packets when FortiGate does not receive LCAP packets from a peer device.

After a restarting FortiGate from the GUI, the auto-nego SFP port settings are not reflected in FortiGate.

When a SIM card is ejected from a FortiGate using dual SIM cards, the log message does not indicate the slot number FortiOS is switching to.

After changing the admin profile scope to global, the vdom configuration in the admin user is not consistent with the GUI.

After configuring a virtual wire pair (VWP) setting, it is not present in FortiGate after a reboot.

FortiGate experiences a CPU usage issue when dedicated-management-cpu is enabled.

The SNMP trap is not sent out when a virus is detected on the antivirus scanner.

FortiGate encounters a memory usage issue on DNS proxy, resulting in FortiGate going into conserve mode.

FortiGate does not auto negotiate to Full duplex when connecting to FortiSwitch due to a duplication error.

On FortiGate, NP7 offloaded traffic does not use the updated MAC address from the ARP table to forward traffic using a GRE tunnel.

The DNS proxy does not forward the response after upgrading FortiGate.

When the configuration changes using the SSH, a backup failed alert is generated.

FortiGate does not return an ICMP message with type unreachable and code packet too big with the vne-tunnel.

Configuration revisions are missing multiple parts of the configuration.

FortiGate 4800F model split ports do not work as expected causing issues with LACP and MRU on split ports.

On FortiGate, the snmp daemon does not work as expected resulting in the SNMP queries timing out.

FortiGate encounters an interruption in the kernel due to a NULL pointer issue.

Backing up a configuration using SFTP with the domain username does not work when characters @ and \ are in the username.

In some scenarios, when FortiGate as a DHCP client sends out DHCP-REQUEST packets, the SRC IP address is set in the IP header.

On FortiGate, IP addresses cannot be assigned within a configured IP range due to a DHCP server issue.

On FortiGate, the console displays error messages when adding Pre and Post-login banners due to a rare error condition.

FortiGate reboots after a connected HA heartbeat cable is connected, or running the diag hardware deviceinfo nic ha command.

FortiGate cannot get updates from the public FortiGuard servers in FIPS-CC mode.

The traffic shaper does not take effect on the firewall policy when traffic is offloaded to NP7 due to a traffic management issue.

Duplicate SNMP traps are sent to ha-direct enabled trap servers when two ha-mgmt-intf are configured.

In the GUI, Can not create query, check_create_cmf_query, firewall, and ippool_grp errors are displayed.

FortiOS processes packets on a non-active port of a redundant link.

The DNS server does not operate as expected with forward-only mode enabled.

A FortiGuard update can cause the system to not operate as expected if the FortiGate is already in conserve mode. Users may need to reboot the FortiGate.

FortiGate does not work as expected due to an interruption in the kernel.

On FortiGate 900 models, when the baudrate is configured, the changes are not applied and is set to 9600.

The ptp server does not work on the vlan interface.

Error messages are printed when assigning a transparent vdom to a vdom link interface.

FortiGate returns a string with a % sign for the OID 1.3.6.1.4.1.12356.101.4.8.2.1.8 (fgLinkMonitorPacketLoss).

EXPIRE dates are not displayed properly when executing the get sys fortiguard-service status command due to a formatting issue.

Inaccurate inbound and outbound traffic values on the Bandwidth widget for the EMAC VLAN interface.

An error is observed in the dnsproxy caused by the use of secondary dns-database zones.

FortiGate 80F-DSL models display the incorrect connected route.

FortiGate does not boot up after restoring a configuration file containing an invalid string format.

The source IP is not replaced as per the set fmg-source-ip after adding the device directly.

FortiGate 60F and 40F models become stuck after entering conserve mode and hbdev and console access is lost.

The DHCP relay uses the wrong interface to send DHCP offer packets to the client.

Upgrading directly from 7.2.4 or earlier versions to 7.2.9, or directly from 7.0.11 or earlier to 7.2.9 is not supported. Users must upgrade following the recommended upgrade path to avoid system hanging.

Write permission violation log observed in FortiGate in a rare case caused by the host check plugin used in FortiClient/browser side.

On FortiGate 400E models, the Link/Activity LED for the MGMT & HA port does not go out even after an exec shutdown command.

FortiWiFi 61F models experience a memory usage issue caused by the WAD daemon.

When accessing an IPv6 test site using the IPoE from an iPhone, the IPv6 connection does not work as expected.

On FortiGate, NP7 offloaded traffic does not use the MAC address of a new default gateway to forward traffic using the EMAC-VLAN interface.

Shared copper WAN1 and WAN2 ports remain down when the interface speed is set to 100full.

A CPU usage issue in the Softirq space on 40/160 CPU cores causes packets to drop.

FortiGate cannot restore the configuration file in the following sequence.

1. private-data-encryption enabled with random key, and configuration is backed up.

2. private-data-encryption disabled.

3. private-data-encryption enabled again, with new random key.

4. Restore configuration file in step 1.

After a reboot, FortiGate shows the wrong date if the date was set manually prior to the reboot.

FortiGate logs out when deleting the secondary IP configured on an interface in work space mode.

FortiGate experiences a gradual memory usage issue in the fnbamd process.

The Strict-SNI SSL Profile might block connections even if SNI and Certificate CN match.

EST http password are not encrypted properly in the configuration file.

FortiGate encounters a CPU usage issue in the authd process after a firmware upgrade.

On FortiGate, the two-factor-email-expiry setting in the config system global command is not applicable for administrators.

NTLM authentication does not work as expected after an upgrade.

CMPv2 IR does not work as expected due to server certification validation error conditions.

On the Dashboard > Firewall User Monitor page, the Search field does not display in the GUI when there are a large number (+1000) FSSO user logos.

An ACME certificate enrollment error is generated without detailed error message information.

RADIUS message authenticator checking is not optional under TLS.

Administrator authentication is bypassed when configuring the TACACS server.

FortiGate does not send a FortiToken activation code, preventing authentication.

FortiGate initiates LDAPS sessions that do not respect the ssl-min-proto-version option set under the config system global command.

For FortiGate (versions 7.2.10 and 7.4.5 and later) and FortiNAC (versions 9.2.8 and 9.4.6 and prior) integration, when testing connectivity/user credentials against FortiNAC that acts as a RADIUS server, the FortiGate GUI and CLI returns an invalid secret for the server error.

This error is expected when the FortiGate acts as the direct RADIUS client to the FortiNAC RADIUS server due to a change in how FortiGate handles RADIUS protocol in these versions. However, the end-to-end integration for the clients behind the FortiGate and FortiNAC is not impacted.

When using SCEP, the auto renewal certificate is not initiated.

The FortiGate-VM OCI may not detect an extra port attached.

The FortiGate-AWS HA secondary awsd debug result prints raw HTML content.

When FortiGate returns an ICMP TTL-EXCEEDED message, the geneve option field header is missing.

User may not be able to access FortiGate-KVM with a trial license when there are many virtio_net interfaces.

FortiGate VM performance drops when traffic passes through an inter-vdom link.

The awsd does not handle the sts error message and the dynamic firewall address list as expected.

FortiFlex does not install successfully every time after the Day0 configuration using Port2 for the internet connection.

The VLAN interface is not reachable on a FortiGate VM running KVM with Intel 10G NIC (10Gb ethernet card).

The OCI SDN connector cannot call the API to the Oracle service when an IAM role is enabled.

Inadvertent traffic disruption observed on FortiGate-VM64 caused by a deadlock in the newcli process.

The FortiGate-VM on VMware ESXi equipped with an Intel E810-XXV network interface card (NIC) using SFP28 transceivers at 25G speed is unable to pass VLAN traffic when DPDK is enabled.

The Web Application Firewall marks http/s traffic as a malformed constraint.

When a webfilter time-based quota is configured, once quota is reached, long sessions are not terminated.

WIDS data is not removed from the CLI.

The secondary AC wpad_ac encounters a memory usage issue during stress tests with simulators.

Cannot retrieve DHCP IP's from the assigned VLAN when connecting Bridge SSID with RADIUS-based MAC authentication.

On FortiGate 90G and 120G models, traffic is dropped due to the MAC address of the VAP interface being updated with the old MAC address when HA is enabled.

When upgrading more than 30 managed FortiAPs at the same time using the Managed FortiAP page, the GUI may become slow and unresponsive when selecting the firmware.

On FortiGate, the set max-clients feature does not work as expected and allows more clients to connect than the maximum value configured.

Users cannot make any changes to wtp-profile due to an issue with the REST API connection to the cmdbsvr.

On FortiGate, the Source IP shown in the system logs is not referenced anywhere in the network.

The user-group is empty after clients pass local authentication with 2FA when connecting Enterprise+User-group SSIDs.

FortiClient access to TCP-FWD with saml authentication does not redirect the loop if set ztna vip and saml SP use the same IP address.

An interruption occurs in the WAD when accessing ZTNA TCP-forwarding service through a proxy-policy with a SAML user group and h2-support is disabled on the firewall vip.

PPPoE encounters a performance issue after an upgrade.