Quarantined files cannot be fetched in the AV log page if the file was already quarantined under another protocol.

Secondary device blades occasionally report critical log event Scanunit initiated a virus engine/definitions update. Affected models: FG-5K, 6K, and 7K series.

Files fail to open in some CIFS setups where FortiOS cannot generate a signature.

Unknown Applications category is not present in NGFW policy-based mode.

Random SDNS rating timeout events on 6K/7K SLBC with FGSP.

Cannot pass DNS traffic through FortiGate or DNS traffic originated from FortiGate when external blocklist (threat feed) is updated.

Do not send FortiGate generated DNS response if no server response was received and redirect DNS queries time out.

DNS proxy is holding 60% memory caused by retransmitted DNS messages sent from DNS clients, which causes the FortiGate to enter conserve mode.

SDNS block portal IP information is not available in anycast mode.

EMS host tags are not synced with the FortiGate when the user connects to a tunnel mode SSID.

When using FortiClient EMS, renaming the imported CA results in an authentication error. This error does not occur if the CA is not renamed.

Percent encoding is not converted in FTP over HTTP explicit proxy.

Web proxy forward server allows empty string for monitor option when health check is enabled.

Web proxy forwarding server health check does not send user name and password.

Proxy policy destination address set to none allows all traffic.

Browsers change default SameSite cookie settings to Lax, and Kerberos authentication does not work in transparent proxy.

When configuring explicit proxy with forward server, if ssl-ssh-profile is enabled in proxy-policy, WAD is unable to correctly learn the destination type correctly, so the destination port is set to 0, but the squid proxy server does not accept the request and returns an error.

When the FortiGate is configured as an explicit proxy and AV is enabled on the proxy policy, users cannot access certain FTP sites.

Web proxy users are disconnected due to external resource update flushing the user even if they do not have an authentication rule using the related proxy address or IP list.

FSSO explicit proxy authentication appears as basic instead of FSSO.

Replacement page not returned to client when visiting HTTPS website blocked by application list through explicit web proxy.

Proxy traffic failed after modifying resource setting in external connector.

Performance issue when transferring data over FortiGate explicit proxy using fast match feature.

Do not allow match-vip in firewall policies when the action is set to accept.

Cluster VDOM policy statistics data is not correct when VFID is different for same VDOM on primary/secondary.

The captive-portal-exempt policy option does nit work for IPv6 traffic in a new firewall policy.

Firewall policy dstaddr does not show virtual server available based on virtual WAN link member.

Firewall does not track UDP sessions on the same port.

When web filter and application control are configured, blocked sessions to play.google.com remain in the session table for 3600 seconds.

TNS connection request limited to 500 per second when client is trying to reach database server through the firewall.

DSCP marking on traffic-shaper/per-ip-shaper failed to mark corresponding IPv6 packets.

Configuration changes take a long time, and ipsmonitor and cmdbsrv processes go up to 100% of CPU in a large, complex configuration.

FortiCarrier has GTP drop packet log after configuring GTP allow list.

Source NAT port reuses ports too quickly, and GCP/API fails to establish due to endpoint independence conflict.

Sessions are marked dirty when IPsec dialup client connects/disconnects and policy routes are used.

HTTP host virtual server does not work well when real server has the same IP but a different port.

In NAT64 scenario, ICMPv6 Packet too big message translated to ICMPv4 does not set the MTU/DF bit correctly.

Get internet service name configuration error on version 7.01011 when FortiGate reboots or upgrades.

Support using a zone as an external interface of a VIP.

Reputation settings in policies are not working when reputation-minimum is set and no source/destination address is set.

When NGFW mode is policy-based and the security policy is configured, the quard daemon should start when one of the following profiles is enabled: anti virus, web filter, application control, IPS, or DLP.

All ISDB groups are lost when upgrading from 6.2.5 to 6.4.2.

Security policy (NGFW mode) flow-based UTM logs are still generated when policy traffic log is disabled.

Virtual wire pair of mirror traffic on FortiOS 6.4 cannot detect IPS attacks because of failed anti-replay checks.

In firewall policies, the configuration order of NAT commands is not correct.

The src-ip in the health check should be allowed to be set to the interface IP of the current VDOM.

The central SNAT map does not work in policy-based NGFW mode.

Cannot change the order of IPv4 access control list entries from FortiOS after upgrading from 6.4.1. to 6.4.3.

ISDB is empty/crashes after upgrading from 6.2.4/6.2.5 to 6.2.6.

No hit counts on policy for DHCP broadcast packets in transparent mode.

When changing a policy and creating a firewall sniffer concurrently, there is traffic that is unrelated to the policy that is being changed and matching the implicit deny policy. Some IPv4 firewall policies were missing after the change.

Firewall schedule settings are not following daylight saving time.

In transparent mode when HA is enabled, if the packet passes through the FortiGate more than once time, the MAC address could be different from main session.

FortiView Compromised Hosts dashboard cannot show data if FortiAnalyzer is configured using the FQDN address in the log setting. FortiAnalyzer configured with an IP address does not have this issue.

Threats drilldown for Sources, Destinations, and Country/Region (1 hour, 24 hours, 7 days) gives the error, Failed to retrieve FortiView data.

FortiView Top Traffic Shaping widget does not show data for outbound traffic if the source interface's role is WAN. Data is displayed if the source interface's role is LAN, DMZ, or undefined.

Some FortiView graphs and drilldown views show empty data due to filtering issue. Affected graphs/views: Top System Events, Top Authentication Failures, Policy View, and Compromised Host View.

Some FortiView pages/widgets fail to query data from FortiAnalyzer Cloud if the local FortiAnalyzer is not enabled.

Affected pages/widgets: Compromised Hosts, FortiView Cloud Applications, FortiView VPN, FortiView Web Categories, Top Admin Logins, Top Endpoint Vulnerabilities, Top Failed Authentication, Top System Events, Top Threats, Top Threats - WAN, and Top Vulnerable Endpoint Devices.

FortiView does not display any data when FortiAnalyzer Cloud is the data source.

When using the 5 minutes time period, if the FortiGate system time is 40 to 59 second behind the browser time, no data is retrieved.

Using the GUI to update a VDOM license fails when the new license has a lower VDOM count than the current license.

Account profile permission override and RADIUS VDOM override features do not work with two-factor authentication for remote admin login via GUI. The feature still works when the admin login is via SSH.

The help message for gui-dynamic-profile-display is not correct.

On Traffic Shaping Policy list page, right-click option to show matching logs does not work.

When creating a firewall with an invalid subnet mask, an error is not generated.

Managed FortiSwitch and FortiSwitch Ports pages cannot load when there is a large number of managed FortiSwitches.

When disabling Allow Endpoint Registration on the VPN Creation Wizard, the action succeeds, but the error Unable to setup VPN is incorrectly displayed.

Incorrect error message on log settings page, Connectivity issue, 0 logs queued, for FortiAnalyzer connection when the VDOM is in transparent mode with log setting override enabled.

An address created by the VPN wizard cannot save changes due to an incorrect validation check for parentheses, (), in the Comments field.

Add support for case-insensitive inspecting the username of an email address.

Warning message is not displayed when a user configures an interface with a static IP address that is already in use.

When creating a profile group with an SSL/SSH profile of no-inspection, the profile group correctly displays this, but when you edit the profile, certificate-inspection is displayed.

GUI does not allow user to select SSL VPN tunnel when configuring Multicast routing.

GARP is not sent when using the GUI to move a VDOM from one virtual cluster to another. GARP is sent when using the CLI.

On SD-WAN Rules page, the GUI does not indicate which outgoing interface is active. This is due to auto-discovery VPN routing changes.

FortiGates in an HA A-P configuration may lose GUI access to the HA secondary device after a period of 8 days of inactivity, when at least one static IPv6 address is configured on an interface.

On Dashboard Setup page, changes made by super administrator and administrator of multiple VDOMs should be reflected in all managed VDOMs.

FortiAnalyzer Cloud card on the Fabric Connectors page shows a connected icon when it is not connected.

GUI does not allow users to select SD-WAN as a destination interface in an SSL VPN policy while CLI does.

GUI does not show the configured external FortiGuard category in the SSL-SSH profile's exempt list.

When the client browser is in a different time zone from the FortiGate, the Guest Management page displays an incorrect expiry time for guest users. The CLI returns the correct expiry.

Unable to select an address group when configuring Source IP Pools for an SSL VPN portal.

When performed from the primary FortiGate, using the GUI to change a firewall policy action from accept to deny does not disable the IP pool setting, causing the HA cluster to be out of sync. Updating the policy via the CLI does not have this issue.

Cannot access FortiGate GUI over IPv6 after configuring IPv6 for the first time.

When refreshing the FortiGuard page, connectivity status for Web Filtering and Anti-Spam incorrectly changes from up to down.

When VDOM is enabled, the GUI cannot be used to edit a remote user group from within the Administrators dialog.

When there are more than 600 quarantined IP addresses, the Quarantine Monitor (GUI and CLI) will not properly display them.

When editing CLI objects that have an mkey ending with an "/.", the page is either stuck loading, shows a JS error, or shows a notification that the entry does not exist.

The top charts of the Device Inventory Monitor dashboard are empty when the visualization is set to table view.

Firewall users cannot change their password via web captive portal when password renewal is enforced by the firewall policy for remote users.

Unable to change the action setting of Freeware and Software Downloads using the FortiGuard Category Based Filter of the DNS filter profile.

Aggregated IPsec VPN interface shows as down when each member tunnel has phase 1 and phase 2 names that differ from each other.

FortiGuard resource retrieval delay causes GUI pages to respond slowly. Affected pages include: Firewall Policy, Settings (log and system), Explicit Proxy (web and FTP), System Global, and System CSF.

Users cannot deselect Administrative Access options for VLAN interfaces from the GUI; the CLI must be used.

Web CLI console cannot load due to Connection lost if port 8080 is used (HTTP).

When editing the Interface column from the Multicast Policy page, an empty column appears when the any entry is selected from Select Entries and applied. The same occurs from the NAT64 and NAT46 policy pages.

Intermittent GUI process crash if a managed FortiSwitch returns a reset status.

After upgrading firmware, the CLI script action has a required administrator profile to restrict capabilities. This profile cannot exceed the current administrator's permissions. When configuring a stitch, an administrator can only choose a CLI script that has equal or lesser permissions that the current administrator.

On the System > HA page, GUI tooltip for the reserved management interface incorrectly shows the connecting IP address instead of the configured IP address.

ip6-mode was changed from delegated to static after the interface was edited from the GUI.

For AV profiles, the outbreak-prevention setting on enabled protocols is not automatically configured when enabling Use External Malware Block List.

Enabling the Dynamic Gateway toggle for a static route fails without warning when the configuration is incorrect.

A remote certificate in VDOM mode that has no references cannot be deleted from the GUI. Removal is possible using the CLI.

Date/Time filter does not work on FortiGate Cloud logs.

REST API, api/v2/monitor/firewall/internet-service-details returns start_ip and end_ip in raw format instead of string format.

Editing the LDAP server in the GUI removes the line set server-identity-check disable from the configuration.

Connectivity test for RADIUS server using CHAP authentication always returns failure.

Re-add the FortiView facets filtering bar to full screen or standalone mode.

When filtering log view entries by IP address range, entries higher than the upper limit of the range are shown.

Unable to load web CLI console for LDAP admin with a login name that contains a space.

GUI incorrectly displays the warning, Botnet package update unavailable, AntiVirus subscription not found., when the antivirus entitlement is expiring within 30 days. The actual botnet package update still works within the active entitlement duration.

There is no way to add a line break when using the GUI to edit the replacement message for pre_admin-disclaimer-text. One must use the CLI with the Shift + Enter keys to insert a line break.

Log Details does not resize the log columns and covers existing log columns.

When multiple favorite menus are configured, the new features video pops up after each GUI login, even though user previously selected Don't show again.

When editing the Poll Active Directory Server page, the configured LDAP server saved in FSSO polling is not displayed. Users must use the CLI to modify the setting.

Disclaimer users are not shown in the user monitor; they must be displayed in the CLI with diagnose firewall auth list.

FortiGuard DDNS setting incorrectly displays truncated unique location and empty server selection after saving changes.

FortiSwitch topology is not shown on Managed FortiSwitch page topology view.

After performing a search on firewall Addresses, the matched count over total count displayed for each address type shows an incorrect total count number. The search functionality still works correctly.

GUI does not redirect to the system reboot progress page after successfully restoring a configuration.

When editing phase 2 configurations, clicking Complete Section results in a red highlight around the phase 2 configuration GUI box, and users cannot click OK to save configuration changes.

Script pushed from FortiManager 6.4.2 to FortiOS 6.4.2 to add address objects and an address group only pushes the address group.

On the SD-WAN Rules page, the default implicit rule shows a destination address of Route tag: undefined.

The list of firewall schedules displays time based on the browser time, even though the global time preference is set to use the FortiGate system time. The Edit Schedule page does not have this issue.

On the SSL-VPN Settings page, the option to send an SSL VPN configuration to a user for FortiClient provisioning does not support showing domain name for VPN gateway.

Log viewer should use relative timestamps for dates less than seven days old.

In the Firewall Policy list, the tooltip for IP Pool incorrectly shows Port Block Allocation as being exhausted if there are expiring PBAs available to be reallocated.

Erroneous duplication error displayed when creating a phase 2 with Named IPv6 Address set to all if there is already a phase 2 entry defined with Named IPv4 Address set to all. The CLI must be used for this configuration.

When a FortiGate with VDOM and explicit proxy enabled has an access profile with packet capture set to none, administrators with this access profile are not able to create an explicit proxy policy.

In a FortiGate HA scenario, Fabric connectors cannot be edited from the GUI because the configuration portion is not displayed. Failed to load data. is displayed.

The Firewall Address and Service pages cannot load on a downstream FortiGate if Fabric Synchronization is enabled, but the downstream FortiGate cannot reach the root FortiGate.

On the Policy & Objects > Addresses page, users are unable to save changes when enabling or disabling Fabric Sync for SSLVPN_TUNNEL_ADDR1.

The Edit Web Filter Profile page incorrectly shows that a URL filter is configured (even though it is not) if the URL filter entry has the same name as the web filter profile in the CLI.

On some browser versions, the GUI displays a blank dialog when creating custom application or IPS signatures. Affected browsers: Firefox 85.0, Microsoft Edge 88.0, and Chrome 88.0.

When viewing Certificate Details in the GUI, the Validity Period is blank. Validity is displayed in the CLI.

Unable to delete a certificate in the GUI on the System > Certificates page.

When the FortiGate is managed by FortiManager, an administrator that selects Login Read-Only is incorrectly allowed to select Update firmware in System > Firmware, browse for an image, and install it.

After a reboot, the GUI no longer displays the tenant FortiSwitch.

Get one-time hasync crash when running HA scripts for FIPS-CC.

The HA hello-holddown value is divided by 10 in the hatalk daemon, which makes the hello-holddown time 10 times less than the configuration.

LAG does not come up after link failed signal is triggered.

When sending UDP packets, hasync code uses the wrong buffer size, which may overwrite beyond the buffer to other corrupted memory.

Inconsistent data from FFDB caused several confsyncd crashes.

HA GARP sending was delayed due to lots of transceiver reading.

Inband management IP connection breaks when failover occurs (only in virtual cluster setup).

The new join-in secondary chassis failed to sync, while primary chassis has 6K policies in one VDOM.

In an HA cluster, when a backup configuration file uses an automation stitch, the primary and secondary devices use the same file name in the script. This causes the secondary device's configuration file to overwrite the primary device's configuration file.

VLAN interfaces are created on a different virtual cluster primary instead of the root primary do not sync.

Cloning a policy from the CLI causes the HA cluster to get out of sync.

HA cluster goes out of sync if SAML SSO admin logs in to the device.

When sending UDP packets, hasync code uses the wrong buffer size so that it may overwrite beyond the buffer to other corrupted memory.

Management access not working in transparent mode cluster after upgrade.

FortiGate in standalone mode has a virtual MAC address.

HA cluster goes out of sync with new custom DDNS entry, and changes with respect to the ddns-key value.

Unable to contact TACACS+ server when using HA dedicated management interface in 6.4.3.

After two quick failovers, VPN does not work until rekey.

Cluster is out of sync because of config vpn certificate ca after upgrade.

admin-restrict-local feature does not work on management interface in HA cluster.

Virtual MAC on interface does not change when VDOM is moved back from secondary vCluster to primary vCluster.

DHCP client is not getting IP address or route for HA management Interface.

IPv6 link local address is not generated in FGCP.

Malicious certificate database is not getting updated on the secondary unit.

The interfaces on NP6 platforms are down when doing a configuration revert in HA mode.

Sessions timeout after traffic failover goes back and forth on a transparent FGSP cluster.

In some cases, IPS fails to get interface ID information that would result in IPS incorrectly dropping the session during static matching. This only affects NGFW mode.

Got exec child 210 does not reply, skip it. output after adding application control and antivirus profiles in an IPS policy.

SSL VPN web mode IPS detection with HTTP does not work, even though it works with HTTPS.

The global UTM profiles named with a g- prefix are shared between all VDOMs and logically do not belong to any VDOM. When they are changed, the ipshelper cannot always refresh its configuration because the ipshelper tries to check each VDOM profile.

IPS is constantly crashing, and ipshelper has high CPU when IPS extended database has too many rules (more than 256) sharing the same pattern. Affected models: SoC3-based FortiGates.

IPS engine reloads, or FortiGate reboots and displays CMDB __bsearch_index() duplicate value insertion errors.

TFTP upload not working when application control and ASIC offload are enabled.

ipshelper CPU spikes when configuration changes are made.

BZIP2 file including EICAR is detected in the original direction of the flow mode firewall policy even though scan-bzip2 is disabled.

Signature false positives causing outage after IPS database update.

IKED process signal 11 crash in an ADVPN and BGP scenario.

Cannot pass traffic over ADVPN if: tunnel-search is set to nexthop, net-device disable, mode-cfg enable, and add-route disable.

In extreme situations when thousands of tunnels are negotiating simultaneously (IKEv2), iked process gets exhausted and stuck.

User name log empty when IPsec dialup IKEv2 has client RSA certificate with empty subject.

IPsec did not rekey when keylife expired after back-to-back HA failover.

DHCP over IPsec randomly works when net-device is disabled.

IKE HA sync IPsec SA fails on receiver when ESP null crypto algorithm is used.

OCVPN spoke-to-spoke communication intermittently fails with mixed topology where spokes have one or two ISPs, but the hubs have two.

local-gw is replaced with primary IP on a secondary device when the secondary IP is used as a local-gw.

When the SA is about to expire, before it is removed it is not offloaded so the traffic may not go through.

NP6Lite platforms may enter conserve mode because the get/put reference count for pinfo is not reasonable. When there is an inbound SA update, the old pinfo is not freed.

Setting same phase1-interface in SD-WAN member and SD-WAN zone causes iked watchdog timeout.

Could not locate phase 1 configuration for IPv6 dialup IPsec VPN.

BGP over dynamic IPsec VPN tunnel with net-device enable not passing through traffic after rebooting.

If NAT-T IP changes, the dynamic IPsec spoke add route entry is stuck on hub.

In ADVPN with SLA mode, traffic does not switch back to the lowest cost link after its recovery.

Upon upgrading to FortiOS 7.0.0, a device with IPsec configured may experience IKE process crashes when any configuration change is made or an address change occur on a dynamic interface.

IKEv2 fragmentation-mtu option not respected when EAP is used for authentication.

Traffic cannot pass through IPsec tunnel after being offload to NPU.

FortiGate not sending its external interface IP in the IKE negotiation (Google Cloud Platform).

FortiGate to Cisco IKEv2 tunnel randomly disconnects after rekey.

Kernel panic occurs after OCVPN role changes.

iked ignores phase 1 configuration changes due to frequent FortiExtender cmdb changes.

The output of get vpn ike gateway shows proposal: unknown when using IKEv2 proposal with aesgcm and chachapoly.

Site-to-site IPsec VPN cannot establish in asymmetric routing scenario where the IPsec VPN bound interface is a loopback interface.

When trying to override the MTU for the tunnel interface, it cannot be set according to the underlying interface MTU.

ADVPN shortcut is flapping when spokes are behind one-to-one NAT.

Exchanging IPs does not work with multiple dynamic tunnels.

Creating or updating a user with two-factor authentication causes dialup VPN traffic to stop.

When multiple dialup phase 1 gateways are configured on the hub that are nearly identical, when using peer group authentication after fnbam verification, the IKE gateway could switch from one to another even if two gateways have a different network ID.

Issue establishing IPsec and L2TP tunnel with Chromebook behind NAT.

ESP errors are logged with incorrect SPI value.

Remove redundant override-setting.override attribute for logging.

Logs for local-out DNS query timeout should not be in the DNS filter UTM log category.

Move eventtime field to the beginning of the log to save performance on Splunk or other logging systems.

On FG-60F, logging and FortiCloud reporting incorrect IPv6 bandwidth usage for sessions with NPU offload.

miglogd crashes with signal 11.

No log entry is generated for SSL VPN login attempts where two factor authentication challenge times out.

Traffic log shows Policy violation for traffic hitting the allow policy in NGFW policy mode.

Cannot retrieve logs from FortiAnalyzer on non-root VDOM.

Cyrillic characters not displayed properly in local reports.

FortiGate does not have log disk auto scan failure status log.

IPS UTM log is missing msg= and attackcontext= TLV fields because the TLV buffer is full and not sent to miglogd.

Unable to configure syslog filter data size more then 512 characters.

When searching for some rarely-found logs within a large volume of logs, there is a long period of time before the results are returned. During the waiting period, if any new requests arrive, the old search session cannot be cleared. There is then a risk that multiple processes exist together, which may cause performance issues.

First TCP connection to syslog server is not stable.

Traffic logs are not forwarded correctly to syslog server in CEF format.

Traffic log missed for some UTM DLP logs.

FortiOS is truncating the group field to 35 characters in traffic logs.

In rare cases, reportd crashes when the number of items can be zero, but the pie chart is still generated successfully.

Should not be able to set inspection-mode proxy with IPS-enabled only policy.

Proxy deep inspection fails if server chooses to sign with ECDSA-SHA1.

When Kerberos (negotiate without NTLM) authentication method is used for web proxy user authentication, there may be a rare memory leak issue. This memory leak issue may eventually cause the FortiGate to go into conserve mode once it occurs after many users are authenticated by Kerberos repeatedly over time.

When CIFS profile is loaded, using MacOS (Mojave 10.14) to access Windows 2016 SMB Share causes WAD to crash.

SSO guest user group does not work in proxy policy to authenticate users.

WAD crash on reconnect bypass. With a special timing, when the server triggers error handling that results in the WAD bypassing the SSL connection, the server-side TCP port is already closed, and the wad_sched_event object is already freed.

When URLs for block/allow/external resource are processed, the system might enter conserve mode when external resources are very big.

WAD memory leak caused by Kerberos proxy authentication.

Wildcard URL filter in proxy mode with ? and * not always handled properly.

Proxy deep inspection fails if server uses TLS 1.3 cookies or record padding.

FortiGate should be in SSL bypass mode for TLS 1.2 certificate inspection with client certificate request.

Firewall policy with UTM in proxy mode breaks SSL connections in active-active cluster.

Cannot access specific website using proxy-based UTM with certification inspection due to delays from the server in replying to ClientHello message when a second connection from the same IP is also waiting for ClientHello.

If a client sends an RST to a WAD proxy, the proxy can close the connection to the server. In this case, the relatively long session expiration (which is usually 120 seconds by default) could lead to session number spikes in some tests.

WAD crash with signal 11 (/bin/wad => wad_ui_diag_session_get).

Proxy mode is blocking web browsing for some websites due to certificate inspection.

WAD crashes with transparent web proxy when connecting to a forward server.

Memory leak when retrieving the thumbnailPhoto information from the LDAP server.

Proxy-based SSL certification inspection session hangs if the outbound probe connection has no routes.

An incorrect teardown logic on the WAD SSL port causes memory leak.

Proxy deep inspection workaround needed for sites that require psk_key_exchange_modes.

WAD process consumes memory and crashes because of a memory leak that happened due to a coding error when calling the FortiAP API. The API misbehaves when there are no FortiAP appliances in the cluster.

WAD IPS crashes because task is scheduled after closing.

WAD memory leak is caused by missing a close event. The WAD receives a close event from TCP when the SSL port is blocked by the up application layer. If the SSL port input buffer does not have any data, then the close event will get ignored even if the application layer turns off blocking and the SSL port will leak.

WAD crashes at wad_client_cert_req_act_get when SSL layer configuration is cleaned up after policy matching.

Cannot access Java-based application in proxy mode.

REST API /api/v2/monitor/firewall/security-policy adds UUID data for security policy statistics.

New REST API POST /api/v2/monitor/vpn/ike/clear?mkey=<gateway_name> will bring down IKE SAs tunnel the same way as diagnose vpn ike gateway clear.

REST API unable to change status of interface when VDOMs are enabled.

BFD/BGP dropping when outbandwidth is set on interface.

VRF configuration in WWAN interface has no effect after reboot.

SD-WAN route selection does not use the most specific route in the routing table when selecting the egress path.

Local-out TCP traffic changes output interface when irrelevant interface is flapping and causes disconnections.

DHCP relay does not match the SD-WAN policy route.

Need support for SSL VPN web mode traffic to follow SD-WAN rules/policy route.

PMTU calculation for VPN interfaces is not working. FortiGate ignores ICMP type 3 code 4 messages and does not update the routing cache.

SD-WAN IPv6 route tag command is not available in the SD-WAN services.

BGP prefix lifetime resets every 60 seconds when scanning BGP RIB.

FortiGate blocks IPv6 but allows IPv4 for traffic that looks asymmetric with asymroute is disabled.

Editing an existing route map rule to add set-weight 0 results in unset set-weight behavior.

Application vwl signal 11 (segmentation fault) received when HA receives 0 bytes of data.

Application vwl signal 6 (aborted) received due to wrong memory allocation for SD-WAN service when creating an ADVPN shortcut.

SD-WAN rule disappears when an SD-WAN member experiences a dynamic change, such as during a dynamic PPPoE interface update.

OSPF is stuck in loading state when there is a large amount of OSPF interfaces.

The OSPF neighborship cannot be established; get MD5 authentication error when the wrong MD5 key is deleted after modifying the key.

If a session is initiated from the server side, SD-WAN application control does not work as expected.

HA secondary also sends SD-WAN sla-fail-log-period to FortiAnalyzer.

SD-WAN route changes and packet drops during HTTP communication, even though preserve-session-route is enabled.

The bfdd application crashes.

SD-WAN members and OIFs keep reordering despite the health check status being stable in an HA setup.

SD-WAN HTTP health check does not work for URLs longer than 35 characters.

Incorrect default timers for BFD parameters, bfd-desired-min-tx and bfd-required-min-rx.

Possible memory leak when BGP table version increases.

Router daemons get stuck after rebooting when executing get router info routing-table all.

FortiGate as first hop router sometimes does not send register messages to the RP.

In IPsec topology with hub and ~1000 spokes, hundreds of spoke tunnels are flapping, causing BGP instability for other spokes.

Only the interface IP in the management VDOM can be specified as the health check source IP.

Weight-based load-balance algorithm causes local-in reply traffic egress from wrong interface.

VRRP does not consider VRF when looking up destination in routing table.

Route maps show unset attributes after upgrading from 6.4.2.

SD-WAN with sit-tunnel as a member creates an unwanted default route.

The preserve-route is kept in session states if the route is deleted and the egress interface changes.

Email server local-out traffic should be controlled by SD-WAN services.

BGP is choosing local route that should have been removed from the BGP network table.

GRE local-out traffic is not following SD-WAN rules.

DNS local out traffic cannot match SD-WAN rule when its member is not in VRF 0.

Traffic is forwarded out to the wrong interface if an LTE interface is an SD-WAN member. The LTE interface may lose its SD-WAN flag during modem initialization.

OSPFv3 routes are missing from routing table when unsetting or setting the ASBR table.

ADVPN and SD-WAN reply direction randomly chooses ECMP path rather than following shortcut.

The traffic is sent out from an interface in the default route table when using diagnose traffictest run.

FortiGuard DDNS does not follow FortiGuard interface select method, and it does not support HA failover functionality.

set match in community string not accepting four-byte AS.

Return packets are not always sent back through the correct path.

BGP daemon consumes high CPU in ADVPN setup when disconnecting after socket writing error.

OSPF neighbor cannot form with spoke in ADVPN setup if the interface has a parent link and it is a tunnel.

hasync daemon was busy in dead loop if FD resource was used up when flushing routes from the kernel.

SD-WAN rules not working for FortiAnalyzer settings because the interface-select-method is implemented on a remote device FortiAnalyzer/FDS but not added to FortiView/log viewing API.

config aggregate-address6 is not summarizing the aggregate route.

FortiCloud activation does not honor the set interface-select-method command under config system fortiguard.

OSPF area range routes lost during HA failover.

Get iprope_in_check () check failed on policy 0, drop error on debug flow for CAPWAP/Nmap on port 5246 connecting to VRRP.

Incorrect IP address is chosen as forward address by the FortiGate while generating an OSPF type 7 LSA.

GRE configuration fails on MAP-E interface (vne.root).

Spoke is unable to ping another spoke or hub's tunnel interface IP and may have issues forming OSPF or BGP neighbors.

In some WAD proxy cases, the WAD local session cannot get the SYN-ACK packet.

Reply direction keeps flapping between different tunnels after unrelated FIB update.

FortiGate crashes when doing ping6 on VDOM link interface.

When viewing CSF child Dashboard > WiFi from parent FortiGate, GUI reports, Cannot read property 'spectrum_analysis' of undefined.

Invalid license data supplied by FortiGuard/FortiCare causes invalid warning in the Security Rating report.

FortiGate does not send interface configuration to FortiIPAM.

Root FortiGate fails to load Fabric topology if HA downstream device has a trusted device in both primary and secondary FortiGates.

The ipamd process is causing high memory usage after a few days as the JSON was not freed.

FortiAnalyzer Cloud should be taken into consideration when doing CLI check for CSF setting.

Security Rating Summary trigger is not available in multi-VDOM mode.

Automation stitch CLI scripts fail with greater than 255 characters; up to 1023 characters should be supported.

Filter lookup for Azure connector in Subnet and Virtual Network sections only shows results for VMSS instance.

Root FortiGate VDOM topology view page still shows CSF tree for all VDOMs if set to multi-VDOM mode.

Compromised host automation stitch with IP ban action in multi-VDOM setup always bans the IP in the root VDOM.

Dynamic address resolution is lost when SDN connector sends sync.callback command to the FortiGate.

FortiGate firewall dynamic address resolution lost when SDN connector updates its cache.

SSL VPN crashes on parsing some special URLs.

The policy script-src 'self' will block the SSL VPN proxy URL.

When a group and a user-peer is specified in an SSL VPN authentication rule, and the same group appears in multiple rules, each group and user-peer combination can be matched independently.

SSL VPN web mode gets error when accessing internal website at https://st***.st***.ca/.

Access problem for website.

WebSocket using Socket.IO could not be established through SSL VPN web mode.

Memory corruption in some DNS callback cases causes SSL VPN crash.

When sslvpn SSH times-out, a crash is observed when the SSH client is empty.

SSL VPN rewrites the URL inside the emails sent in Outlook (webmail).

Internal webpage, di***, is not loading in web mode.

Internal SharePoint 2019 website cannot be accessed in SSL VPN web portal.

Redirected URLs do not work in web mode for am***.com.

Content from internal Microsoft Dynamics CRM cr***.local portal is not loading properly in SSL VPN web mode.

SSL-SSH inspection profile changes to no-inspection after device reboots.

Internal website loading issue in SSL VPN web portal for ca***.fr.

SSL VPN log entries display users from other VDOMs.

BMC Remedy Mid Tier 8.1 web application elements are not displayed properly in SSL VPN web mode.

SSL VPN crashes in a scenario where a large number of groups is sent to fnbam for authentication.

SSL VPN web mode not working for Ec***re website.

SSL VPN web portal bookmark not loading internal web page after login credentials are entered.

Users with explicit web proxy authentication lose their proxy authentication group.

The map on the http://www.op***.org website could not be shown in SSL VPN web mode.

The system allows enabling split tunnel when the SSL VPN policy is configured with destination all. It is not consistent with 5.6.x and 6.0.x.

Internal website, https://*.da***.cz, is not working correctly in SSL VPN web mode due to source link error.

When adding an FTP link to download FortiClient and accessing it through the portal, the colon is dropped from the string.

FortiGate keeps replying to an ARP request for an IP address that was once assigned to an SSL VPN user, who has already disconnected and been deleted.

Unable to load HTTPS bookmark in Safari (TypeError: 'text/html').

SSL VPN disconnects all connections after adding new address to IP pool.

Internal websites not displayed successfully in SSL VPN web portal.

https://mo***.be site is non-accessible in SSL VPN web mode.

SSL VPN incorrectly rewrites the script URL.

ASUS ASMB9-iKVM application shows blank page in SSL VPN web mode.

The https://outlook.office365.com and https://login.microsoft.com websites cannot be accessed in the SSL VPN web portal.

SSL VPN web mode has problem accessing some pages on FortiAnalyzer 6.2.

The internal website is not working properly using SSL VPN.

SSL VPN web mode cannot open DFS shared subdirectories, get Invalid HTTP request error as sslvpnd adds NT.

SSL VPN with user certificate and credential verification allows a user to connect with a certificate signed by a trusted CA that does not match the certificate chain of the configured CA in the user peer configuration.

SCM VPN disconnects when performing an SVN checkout.

SSL VPN host check validation not working for SAML user.

User cannot use column header for data sorting (bookmark issue).

SDT application can no longer load secondary menu elements in SSL VPN web mode.

Occasionally, 2FA SSL VPN users are unable to log in when two remote authentication servers with the same IP are used.

When sslvpn processes the HTTP/HTTPS response with content disposition, it will change the response body since the content type is HTML.

WALLIX Manager GUI interface is not loading through SSL VPN web mode.

An internal web site via SSL VPN web mode, https://***.46.19.****:10443, is unable to open.

FortiOS supports verifying client certificates with RSA-PSS series of signature algorithms, which causes problems with certain clients.

Policy check cache should include user or group information.

SSL VPN web mode authentication problem when accessing li***.com.

Unable to load a video in SSL VPN web mode.

HTTPS access to ERP Sage X3 through web mode fails.

Cannot view TIFF files in SSL VPN web mode.

SSL VPN web mode cannot load web page https://jira.ca.ob***.com properly based on Jira application.

There are potential cases where the UDP redirect port is used by other parts of the system, which causes SSL VPN to restart.

Split tunneling is not adding FQDN addresses to the routes.

The jstor.org webpage is not loading via SSL VPN bookmark.

SSL VPN crash when updating the existing connection at the authentication stage.

Internal website, http://si***.ar, does not load a report over SSL VPN web portal.

Internal application server/website bookmark (https://***.***.***.***:****/nexgen/) not working in SSL VPN web mode.

Internal website, http://gd***.local/share/page?pt=login, log in page does not load in SSL VPN web mode.

sslvpnd segmentation fault crash due to old DNS entries in cache that cannot be released if the same results were added into the cache but in a different order.

Pop-up window does not load correctly when accessing internal application at https://re***.wo***.nl using SSL VPN web mode.

Customer cannot access SAP web GUI with SSL VPN bookmark.

RTA login webpage is not displaying in SSL VPN web mode.

JSON parse error returned SSL VPN web mode for website https://bi***.u***.cat/az.php.

When matching multiple SSL VPN firewall policies, SSL VPN checks the group list from bottom to top, and the user is mapped to the incorrect portal.

Internal website https://po***.we***.ac.uk is not loading correctly with SSL VPN bookmark.

SSL VPN web mode is unable to open some webpages on the internal site, https://vi***.se, portal.

set banned-cipher command does not work for TLS 1.3.

Ciphers with ARIA, AESCCM, and CHACHA cannot be banned for SSL VPN.

Custom languages do not work in SSL VPN web portals.

In SSL VPN web mode, options pages are not shown after clicking the option tag on the left side of the webpage on an OWA server.

GUI issues on the internal Atlassian Jira web portal in SSL VPN web mode.

Customer internal website, https://va***.do***.com:21108/mne, cannot be displayed correctly in SSL VPN web mode.

SSL VPN web portal SSO credentials for alternative option are not working.

Unable to view the management GUI of PaloAlto running on 8.1.16 in SSL VPN web mode.

Customized replacement messages for SSL VPN login page sometimes cannot be parsed correctly, causing the FortiToken authentication page to not appear.

Website https://we***.p*.cz is not working in SSL VPN web mode.

Unable to access OWA web server on mobile device in SSL VPN web mode.

Internal SolarWinds Orion platform's webpages have issue in SSL VPN web mode.

Unable to access sc***.com in SSL VPN web mode.

Internal Gridbees portal does not display in SSL VPN web mode.

Bookmark to web server http://hc***.hi***.st***.es/ is redirected to a direct URL and web socket fails to establish in SSL VPN web mode.

Internal ADB Epicentro portal has issue in SSL VPN web mode.

SSL VPN bookmark fails to authenticate user through single sign-on for internal website login.

SSL VPN crashed with signal 11 (segmentation fault) uri_search because of rules set for a special case.

Specific content in portal.ag***.com cannot be shown in SSL VPN web mode.

SSL VPN web mode is not working properly for aw***.co***.com website.

After SSL VPN proxy rewrite, some Salto JS files could not run.

When accessing an application in SSL VPN web mode (Sage HR), images fail to load for http://S-***.ro***.de/mp***/.

SSL VPN bookmarked website shows empty page after logging in to SSL VPN gateway https://vd***.vi***.com.

An internal web site, http://ar***.ar***.be***.it/, is unable to load PDF document in SSL VPN web mode.

When a client is connected to SSL VPN and has an internet outage for more then 15 seconds, the client fails to reconnect.

SharePoint links (su***.com) not working properly on webpage launched by SSL VPN web portal.

Unable to display the data in SSL VPN web mode on innovaphone PBX link.

Access through web portal to an Opengear Lighthouse server does not load the login page properly.

SSO login for the bookmark to access FortiAnalyzer GUI does not work.

Certificate authentication does not check PKI users in the expected order.

Unable to load webpage, https://ax.***.on***.sp***.com/namespaces/, in SSLVPN web mode.

Get Entry not found error when editing address object members that contain interface-subnet address objects.

VPN logs do not show any bandwidth utilization in SSL web tunnel statistics when only using RDP.

Report section of internal web server (https://lm***.lm***.au***.vw***/ar***/) is not accessible via the SSL VPN web portal.

PDF files on internal web server, https://co***.ag***.em***.vw***:8443, are not opening in SSL VPN web portal.

SAML login failure when a user belongs to multiple groups associated with multiple VPN realms.

In SSL VPN web mode, redirection inside bookmark re***.ce***.fi***br keeps loading.

Tunnel IP pool leak when DTLS tunnel user session is deleted due to timeout (idle or authentication).

Public website, https://www.we***.org/****.html, does not run normally in SSL VPN web mode.

SharePoint server (de***.sc***.gov.sa) is not working on web-based VPN.

SSL VPN web mode cannot access https://em***.login.***.oraclecloud.com/.

SSL VPN policy matching problem when a local user has the same name as a pure remote user.

SSL VPN web mode fails to access to https://www.we***.org.

SSL VPN web mode has problem accessing iDRAC9 server.

Unexpected group to portal matching priority with SAML authentication.

CMS URLs incorrectly rewritten by SSL VPN proxy in web mode.

SSL VPN web mode has problem accessing https://mf***.sa***.com.sa/Login.aspx?url=Default.aspx.

OS check for SSL VPN tunnel is not working on macOS Big Sur; the connection is rejected when the action is set to allow.

PatientFocus has style issues in SSL VPN web mode.

HA cluster not synchronizing when configuring an active LACP with MCLAG via FortiManager.

flcfg crashes while configuring FortiSwitches through FortiLink.

LLDP updates from FortiSwitch can cause flcfgd to leak memory.

Unable to de-authorize FortiSwitch, or assign VLAN on FortiSwitch port on a tenant VDOM.

L3 managed FortiSwitch configuration synchronization error due to the empty string parameter in ptp-policy on managed port configuration.

disable-discovery of a FortiSwitch on one VDOM should not make the FortiSwitch disconnect from another VDOM.

A limit is needed to prevent changes to default-virtual-switch-vlan in the tenant VDOM if there already are leased FortiSwitch ports.

When managed switch PTP policy and settings configuration was pushed as part of initial FortiLink configuration, the FortiLink connection is in an error state.

EHP drops for units with no NP service module.

EHP drop improvement for units with no NP service module.

Read-only administrators should be able to run diagnose sniffer packet command.

VPN throughput dropped when FEC is enabled.

3DES and SHA1 should not be included in strong crypto list.

Link monitor behavior is different between FGCP and SLBC clusters.

Error in log, msg="Interface 12345678001-ext:64 not found in the list!", while creating a long name VDOM in FG-SVM.

Rebooting FG-1500D in 5.6.x during upgrade causes an L2 loop on the heartbeat interface and VLAN is disabled on the switch side.

HQIP loopback test failed with configured software switch.

DoS log counters are inaccurate (policy counters, event log entries, packet counts).

newcli daemon crash due to FortiToken Mobile user token activation email processing.

TCP traffic disruption when traffic shaper takes effect with NP offloading enabled.

Issue when packets from the same session are forwarded to each LACP member when NPx offloading is enabled.

Support FortiManager when private-data-encryption is enabled in FortiOS.

Symantec connector does not work if management VDOM is not root vdom and root VDOM has no network connection.

FG-100F cannot forward fragmented packets between hardware switch ports.

Errors during fuzzy tests on FG-1500D.

STP does not work in transparent mode.

NP6 SSE drops after a couple of hours in a stability test.

LTE does not connect after upgrading from 6.2.3 on FG-30E-3G4G models.

FortiGate does not send service-account-id to FortiManager via fgfm tunnel when FortiCloud is activated directly on the FortiGate.

get system interface transceiver port1 should return RX power and TX power for all Ch0[1-4] with a 0 value or N/A when the admin port is down on one side and the link status is down.

FG-40F/60F kernel panic if upgrading from 6.4.0 due to configuration file having a name conflict of fortilink as both aggregate interface and virtual switch name.

LACP failed to process traffic after adding new QSFP interfaces as LACP members even when the LACP status is up.

FortiDDNS is unable to update the renewed public IP address to FortiGuard server in some error conditions.

cmdbsvr may crash with signal 11 (segmentation fault) when frequently changing firewall policies.

Link status on peer device is not down when the admin port is down on the FG-500E.

Flow-based inspection with virtual wire pair causes MAC to flap.

The diagnose geoip geoip-query command fails when fortiguard-anycast is disabled.

SSL local certificate can not be imported via CMDB API (api/v2/cmdb/vpn.certificate/local) due to certificate data handling in CMF plugin (vpn.certificate/local).

FG-101F crashed and rebooted when adding vlan-protocol 8021ad VLAN.

Fix interface-based traffic shaping performance degradation issue by enabling NP offloading.

Get application cmdbsvr signal 11 crash log several times.

No statistics for TX and RX counters for VLAN interfaces.

NP6Xlite traffic not sent over the tunnel when NPU is enabled.

FortiGate sends incorrect static route updates to FortiManager when using dedicated management interface.

Unable to sniff LLDP frames on management and TFTP ports.

Curaçao is not listed in the database when registering the FortiGate via the dashboard.

MIB OID fgSysLowMemUsage returns value for devices where it is not applicable.

ARM-based platforms do not have sensor readings included in SNMP MIBs.

IPv6 passes though the DNS filter with application control enabled.

FortiGate running 7.0.0 cannot validate license via FortiManager due to FortiManager hardware missing Fortinet_CA2 and Fortinet_SUBCA2001.

When a PPPoE interface is enabled, it overwrites the LAN address object that was created.

The sflowd process has high CPU usage when application control is enabled.

Another application VWL signal 6 (Aborted) received appears.

FGR-60F-3G4G hardware switch span does not work.

Policy package push from FortiManager fails the first time, and succeeds the second time if it is blank or has no changes.

Asynchronous SDK call may take a long time and cause HA A-P to have Kernel panic - not syncing error.

Offloaded traffic from IPsec crossing the NPU VDOM link is dropped.

The maximum number of IPS supported by each NTurbo load balancer should be 7 instead of 8 on FG-3300E and FG-3301E.

Low IPS HTTP throughput on SoC4 platforms.

Fortinet Factory certificate key integrity check failed in diagnose hardware certificate command.

No filename setting on BOOTP response when option 67 is set on the DHCP server.

snmpd crashes when sorting a list-based ARP table if it has about 50,000 or more entries.

Kernel crash caused race condition on vlif accessing.

HA LED off issue on FG-1100E/1101E models.

When VDOM has large number of VIPs and policies, any firewall policy change causes cmdbsvr to be too busy and consume high CPU.

Fragmented UDP traffic does not assemble on the FortiGate and does not forward out.

Empty firewall objects after pushing several policy deletes.

High CPU on L2TP process caused by loop.

diagnose sys csum command shows wrong hash on SOC4 appliances (FG- 60F, FG-61F, FG-100F and FG-101F).

In FIPS mode, ssh-cbc-cipher is disabled, but the FortiGate still responds with CBC cipher.

FortiGate local-out system DNS traffic for host names lookup continuously generates timeout DNS log if the primary server cannot resolve them.

VLAN interface created on top of a 10 GB interface is not showing the actual TX/RX counters.

httpsd crashed and *** signal 6 (Aborted) received *** appears when loading configurations through REST API with interactions.

Space character in table name causes FortiManager retrieve to fail.

NP6lite SoC3 adapter drops packets after handed from kernel.

Offloaded traffic passing through two VDOMs connected with EMAC-VLANs is sometimes dropped.

No statistics for TX and RX counters for VLAN interfaces.

confsyncd may crash when there is an error parsing through the internet service database, but no error is returned.

It takes a long time to set the member of a firewall address group when the member size is large. In the GUI, cmdbsvr memory usage goes to 100%. In the CLI, newcli memory usage goes to 100%.

Update GTP code to be compatible with newer versions (GTPv1 and GTPv2).

Packet loss occurs when traffic flow between VLAN interfaces is created under 10G LACP link.

NTurbo does not work when enabled in IPsec tunnel or with session helper.

If cfg-save is set to manual (under config system global), it causes problems with the queries made when parsing the internet service database.

Link status on peer device is not down when the admin port is down on the FortiGate.

LTE DHCP IP addressing not installed in the routing table.

CMDB may crash during boot up when querying VPN SSL settings.

UDP 4500 inter-VDOM traffic not offloaded, causing BFD/IPsec to drop.

High memory issue is caused by heavy traffic on the VDOM link.

The auto-join FortiCloud re-try timer 600 second value is too large.

Read-only administrator with packet capture read-write permission cannot run diagnose sniffer command.

L2TP with status set to enable should be configured before EIP and SIP.

FortiManager CLI script for 2FA FortiToken mobile push does not trigger activation code email.

Get Failed on update FortiGuardDDNS error for fortiddns when secondary device becomes primary device in an HA cluster.

When changing the interface speed, some checking is skipped if it is set from FortiManager.

Failed to parse execute restore config properly when the command is from a FortiManager script.

Add diagnose debug traffic {interface | peek | history} command to debug interface bandwidth traffic.

Configuration attribute field in system event logs has length limitation.

GeoIP6 address causes policy to not install properly in the kernel.

DHCP discover request is wrongly forwarded to all IPsec VPN interfaces when tunnel flipping occurs.

Rebooting device causes interface mode to change from static to DHCP.

After reboot, get global.system.interface.npu0_vlink0 config error when VDOM is in transparent mode.

Configuration backup is possible via SCP with expired administrator password.

IPv6 health check cannot send probe packets even if the IPv6 gateway is configured under configure members view.

Traffic was stopped because PBA IP pool has the wrong relationship information.

Egress interface-based traffic shaping is not applied if the session is processed by NTurbo.

dnsproxy process crashes with signal 11.

Bulk changes through the CLI are very slow with 24000 existing policies.

After upgrading from 6.4.2 to 6.4.4, some configurations moved to another VDOM.

Sometimes a VWL service adds a child without a parent, leading to a signal 6 (Aborted) crash received at cmf_query_ses_update_child.

No hardware switch function is available on FG-300E.

Application lted signal 11 crash on FWF-40F-3G4G.

The newcli process crashes or shows an error when creating a VIP with the same external interface IP but a different source address filter.

When an <entry name> is on the same line as config <setting> <setting> <entry name>, it is not handled properly to send to FortiManager.

allow-subnet-overlap setting not honored in NAT64 prefix configuration.

If an updated FFDB package is found, crash may happen at init_ffdb_map if it is called when ffdb_map or ffdb_app is already in the process of being parsed, especially in HA.

port1 physical status is down. Affected models: FG-110xE, FG-220xE, FG-330xE, FG-340xE, FG-360xE, and FG-390xE.

Cloning a firewall policy may cause cmdbsvr to crash.

FortiExtender VLAN interface cannot get updated LTE IP.

NPU6 is not able to support WCCP traffic offloading. NTurbo driver received packet, which included additional IPv4 header and WCCP header. NTurbo is unable to process this kind of packets so it dropped.

HA secondary device keeps printing unregister_netdevice: waiting for vd2-1_0 to become free. Usage count = 1.

The OID structure was changed in 6.2.5; however, the MIB definitions for fgVpnTunEntry did not change and is causing errors.

SNMP NULL hit counter for implicit deny policy (policy ID 0) is not sent.

When running execute speed-test command, it shows all VLAN and SSL interfaces from other VDOMs.

SNMP query for firewall policy statistics in non-root VDOM returns a 0.

Running diagnose hardware test network on FWF-60F needs cable setup adjustment.

802.1x wiredap does not correctly process the TagID in the Tunnel-Private-Group-ID attribute.

FG-100F/101F may continuously boot upon upgrading from FortiOS 6.4.0.

Unable to create MAC address-based policies in NGFW mode.

FortiToken Mobile push notification not working with dynamic WAN IP service provider.

FortiGate local FSSO agent replaces user login with same username and IP, which causes traffic sessions to be removed.

radius-vdom-override and accprofile-override do not work when administrator has 2FA enabled.

The authd and foauthd processes may crash due to crypto functions being set twice.

FortiGate sent CSR certificate instead of signed certificate to FortiManager when retrieve is performed.

REST API authentication fails for API user with PKI group enabled due to fnbamd crash.

Persistent sessions for de-authenticated FSSO users.

Wildcard LDAP users created on FortiToken Cloud have the first character of the username removed.

interface-select-method not working for RADIUS configuration.

The authd process truncates user names to a length of 35 characters (this breaks RADIUS accounting and logging for very long user names).

Log enrichment for source and destination IP with RSSO user information in logs not properly working for IPv4 with framed route attribute in RADIUS accounting.

The authd process gets stuck with high CPU due to slow route lookup when the routing table is big. FSSO stops processing new authentication events.

The authd process may crash if the FSSO server connection is disconnected.

LDAP connectivity delays in transparent mode VDOM.

FortiGate does not send LLDP PDU when it receives LLDP packets from VoIP phones.

Group filter for diagnose firewall auth command does not work and displays other groups/users.

The ssl-ocsp-source-ip setting not configurable in non-management VDOMs.

FSSO collector status is down, despite that it is reported as connected by authd in a multi-VDOM environment.

The radiusd process has a stale state after cluster members reboot.

When multiple authentication methods are used in SSL VPN, authentication session terminates when RADIUS authentication enters error mode even when other methods like LDAP are queued.

FortiGate is unable to verify the CA chain of the FSSO server if the chain is not directly rooted to FSSO endpoint.

FortiGate is unable to parse IPv6 RADIUS accounting packet (Parse error: IP6 Prefix).

FortiTokens get activated by secondary node, causing token to be in an error state and token user assignment to fail.

Policy-based authentication fails when the destination URL contains query parameters.

Remote RADIUS administrators are unable to login to HA units using the HA management interface IP address in a multi-VDOM environment.

OCSP verification fails with Can't convert OCSP rsp error after upgrading.

FortiToken mobile activation is controlled by SD-WAN services, instead of honoring set interface-select-method command under config system fortiguard.

Unable to deploy FG-VM image on AWS with additional HDD(st1) disk type.

Spoke dialup IPsec VPN does not initiate connection to hub after FG-VM HA failover in Azure.

SSL VPN performance problem on OCI due to driver.

FG-VM8 does not recognize all memory allocated in Hyper-V.

Merge FIPS ciphers to 6.4.3 and 7.0 trunk (visible to AWS and Azure only).

FG-VMX service manager enters conserve mode; cmdbsvr has high memory utilization.

Add logging for successful AWS HA failover actions.

On FG-AWS, changing health check protocol to tcp-connect causes kernel panic and reboot.

Slow route change for HA failover in GCP cloud.

Azure SDN connector filter count is not showing a stable value.

After cloning the OCI instance, the OCID does not refresh to the new OCID.

Should add router policy in vdom-exception list.

Support vfNIC driving for Broadcom 100G NIC.

EIP is not updating properly on FG-VM Azure.

Unable to import more than 50 groups from NSX-T SDN connector.

Hot adding multiple CPUs at once to Xen-flavored VMs can result in a kernel panic crash.

FG-VM64-KVM configuration revisions lost after upgrading from 6.2.5.

FG-VM64-AZURE-PAYG license/serial number get lost after downgrading to 6.2.6 from 6.4.3.

Azure SDN connector does not offer all service tags.

OCI HA unable to handle cross-compartment failover.

Dialup IPsec tunnel from Azure may not be re-established after HA failover.

get system status output can be stuck getting the instance ID.

Random dvfilterd crashes with signal 6.

Hardware checksum failure encountered on Azure FG-VM.

Azure route table is not using the proper subscription ID during failover.

EIP is not updating properly with execute update-eip command in Azure with standard SKU public IP in some Canadian regions, like CanadaCentral and CanadaEast.

Azure SDN connector gets an empty IP list when the REST API call fails, which results in IPsec connection being interrupted until the next SDN connector update succeeds (one-minute interval).

Bootstrap does not work with FG-VM on Azure Stack.

FG-VM kernel panicked and reboot after sending through IPv6 traffic.

User browser gets URL block page instead of warning page when using HTTPS IP URL.

Unable to get complete output of diagnose test application ipsufd 1.

Custom category action set to allow in web filter profile causes the URL to use the FortiGuard category rather than the custom category.

Global web filter profile is not applied after changes to allowed/blocked categories.

Change URL re-evaluation link on web filter block pages to HTTPS.

YouTube channel home page on blocklist is not blocked when directed from a YouTube search result.

Replacement message pictures (FortiGuard web filter) are not displayed in Chrome.

Safe search URL option is not working while the original query in Google Images has the same parameter name.

WiFi maps do not synchronize to HA FortiGate.

In the CLI, the WTP profile for radio-2 802.11ac and 80 MHz channels does not match the syntax collection files.

Bridge captive portal SSID has a new portal-type option, external-macauth, to support external Cisco ISE authentication.

AP country and region settings are not updating as expected.

Dynamic VLAN on SSID cannot pass traffic through FG-100F/101F and FG-60F/61F when offloading is enabled.

FWF-60E hangs with looping kernel panic at WiFi driver.

Client traffic was dropped by CAPWAP offloading when it connected from a mesh leaf Forti-AP managed by a FWF-61F local radio.

HTTPS server certificate is not presented when WiFi controller feature is disabled in Feature Visibility.

The status of the VAP interface changed from down to up after rebooting.

Spectrum analysis disable/enable command removed in CLI from wtp-profile and causing a bottleneck for APs, such as FAP-222C/223C at 100% CPU.

FG-600E has cw_acd crash with *** signal 8 (Floating point exception) received *** in 6.2.4.

FAP-U431F cannot view what channel is operating, and the override channel setting must be unset to change to a different channel.

The security-redirect-url setting is missing when the portal-type is auth-mac.

Client failed to connect SSID with WPA2-Enterprise and user group authentication.

Log severity for wireless events in FortiWiFi and FortiAP should be reconsidered for CAPWAP teardown.

CAPWAP tunnel traffic is dropped when offloading is enabled (with FAP managed by a VLAN interface).

CAPWAP traffic drops on FG-300E when FortiAP is managed by VLAN interface.

The cw_acd crashes after upgrading to 6.4.3 at cwAcLocal.

cw_acd crash with *** signal 8 (Floating point exception) received *** after upgrading to 6.4.3.

Newly discovered and authorized FortiAP will cause HA sync issue. On the HA secondary member, if the WTP profile has a radio in monitor mode, it will be changed to AP mode and unset the band.

The current Fortinet_Wifi certificate will expire on 2021-02-11.

Clients failing to authenticate to SSID due to MPSK client limit being reached when the actual connected clients are below the limit.

Wireless country setting option needs to remove sanctioned countries and add missing countries.

Wireless default WTP profile not synchronized between FWF-61E with HA A-A mode.

FortiOS 7.0.0 is no longer vulnerable to the following CVE Reference:

• CVE-2021-26092