Known issues

The following issues have been identified in Hyperscale firewall for FortiOS 6.4.8 Build 6165. For inquiries about a particular bug, please contact Customer Service & Support. The known issues described in the FortiOS 6.4.8 release notes also apply to Hyperscale firewall for FortiOS 6.4.8 Build 6165.

Bug ID Description

724085 Traffic is blocked by EMAC-VLAN interfaces when the parent interface is in another VDOM.
728602 The GUI allows you to enable EIM in an IPv4 hyperscale firewall policy with NAT enabled and with a CGN overload IP pool. But when you save the policy and re-open it, EIM is not enabled. This configuration cannot be set up from the CLI. EIM in an IPv4 hyperscale firewall policy with NAT enabled and with a CGN overload IP pool is not supported.
728605 The CLI allows you to enable EIF for an IPv4 hyperscale firewall policy with NAT enabled and with a CGN overload IP pool. This configuration cannot be set up from the GUI. EIF in an IPv4 hyperscale firewall policy with NAT enabled and with a CGN overload IP pool is not supported.
734305 When configuring an IPv4 DoS policy from the GUI in a hyperscale firewall VDOM, the source address and destination address drop-down lists include firewall addresses that are not supported for an IPv4 DoS policy. For example, the drop-down lists on the GUI may include wildcard addresses, FQDN addresses, and so on. The CLI allows you to select from the supported source and destination addresses.
757417 With per-session accounting enabled on a hyperscale firewall FGCP HA cluster, when you change the configuration of a hyperscale firewall policy that is not currently accepting traffic, the hit counter for the policy increases on the secondary FortiGate.
757420 Session synchronization to the secondary FortiGate in an FGCP hyperscale firewall HA cluster may stop working, causing the secondary FortiGate to stop responding.
758364 When operating an FGCP hyperscale firewall HA cluster, enabling or disabling Endpoint Independent Filtering (EIF) in a hyperscale firewall policy on the primary FortiGate is not synchronized to the secondary FortiGate.
759154 Enabling srcaddr-negate does not block traffic if the hyperscale firewall policy includes more than one source address.
759639 Per-policy accounting hit counts that are displayed on the GUI and CLI for UDP traffic are not accurate.
760010, 760234 Per-policy accounting does not display hit counts on the GUI for NAT46 and NAT64 firewall policies.
760215 Established sessions may not display hit counts after per-policy accounting is enabled.
760273 Established sessions may continue to report hit counts after per-policy accounting is disabled.
760280 Enabling or disabling per-policy accounting deletes all active sessions, so it should only be done during a quiet period.
760560 The timestamp displayed on the GUI and CLI for the default deny policy (policy id = 0) in a hyperscale firewall VDOM is incorrect.
