Known issues

The following issues have been identified in version 7.0.1. To inquire about a particular bug or report a bug, please contact Customer Service & Support.

Endpoint Control

Bug ID

Description

730767

The new HA primary FortiGate cannot get EMS Cloud information when HA switches over.

Workaround: delete the EMS Cloud entry then add it back.

Firewall

Bug ID

Description

727790

The diagnose internet-service info command should show multiple matching entries for the same IP, port, or protocol.

GUI

Bug ID

Description

440197

On the System > FortiGuard page, the override FortiGuard server for AntiVirus & IPS Updates shows an Unknown status, even if the server is working correctly. This is a display issue only; the override feature is working properly.

677806

On the Network > Interfaces page when VDOM mode is enabled, the Global view incorrectly shows the status of IPsec tunnel interfaces from non-management VDOMs as up. The VDOM view shows the correct status.

685431

On the Policy & Objects > Firewall Policy page, the policy list can take around 30 seconds or more to load when there is a large number (over 20 thousand) of policies.

Workaround: use the CLI to configure policies.

699508

When an administrator ends a session by closing the browser, the administrator timeout event is not logged until the next time the administrator logs in.

707589

System > Certificates list sometimes shows an incorrect reference count for a certificate, and incorrectly allows a user to delete a referenced certificate. The deletion will fail even though a success message is shown. Users should be able to delete the certificate after all references are removed.

708005

When using the SSL VPN web portal in Firefox, users cannot paste text into the SSH terminal emulator.

Workaround: use Chrome, Edge, or Safari as the browser.

713529

When a FortiGate is managed by FortiManager with FortiWLM configured, the HTTPS daemon may crash while processing some FortiWLM API requests. There is no apparent impact on the GUI operation.

720657

Unable to reuse link local or multicast IPv6 addresses for multiple interfaces from the GUI.

Workaround: use the CLI.

722832

When LDAP server settings involve FQDN, LDAPS, and an enabled server identity check, the following LDAP related GUI items do not work: LDAP setting dialog, LDAP credentials test, and LDAP browser.

734417

GUI incorrectly displays a warning saying there is not a valid upgrade path when upgrading firmware from 7.0.0 or 7.0.1 to 7.0.1 or 7.0.2.

735248

On a mobile phone, the WiFi captive portal may take longer to load when the default firewall authentication login template is used and the user authentication type is set to HTTP.

Workaround: edit the login template to disable HTTP authentication or remove the href link to googleapis.

738027

The Device Inventory widget shows no results when there are two user_info parameters.

Workaround: use the CLI to retrieve the device list.

743477

On the Log & Report > Forward Traffic page, filtering by the Source or Destination column with negation on the IP range does not work.

745325

When creating a new (public or private) SDN connector, users are unable to specify an Update interval that contains 60, as it will automatically switch to Use Default.

745998

An IPsec phase 1 interface with a name that contains a / cannot be deleted from the GUI. The CLI must be used.

746953

On the Network > Interfaces page, users cannot modify the TFTP server setting. A warning with the message This option may not function correctly. It is already configured using the CLI attribute: tftp-server. appears beside the DHCP Options entry.

Workaround: use the CLI.

HA

Bug ID

Description

701367

In an HA environment with multiple virtual clusters, System > HA will display statistics for Uptime, Sessions, and Throughput under virtual cluster 1. These statistics are for the entire device. Statistics are not displayed for any other virtual clusters.

IPsec VPN

Bug ID

Description

729879

A static IPsec tunnel using the signature authentication method cannot be established on a FortiGate in FIPS-CC mode because certificate subject verification changes to being based on RDN bitwise comparison.

730449

SD-WAN service traffic will be interrupted after upgrading to 7.0.1 if all of the following conditions are matched in its 6.4.x configuration:

  • Using set gateway enable in a particular SD-WAN service

  • Having mode-cfg configured

  • Not having ADVPN configured on the hub

Workaround: Before upgrading, update the hub and spoke configurations as follows:

  • On the hub, enable the exchange-interface-ip option on the dial-up phase1 interface with mode-cfg configured.

  • On the spoke, enable auto-discovery-receiver on the related phase1 interface.

740624

FortiOS 7.0 has a new design for dialup VPN (no more route tree in the IPsec tunnel), so traffic might not traverse the dialup IPsec VPN after upgrading from FortiOS 6.4.6 to 7.0.1, 7.0.2, or 7.0.3 if the server relies on a static route over the dynamic tunnel interface to route traffic back to the client.

Workaround: configure the src-subnet on the client phase 2 interface. Then, static routes will be added by IKE on the server side (add-route enable is required).

config vpn ipsec phase2-interface
    edit <name>
        set src-subnet <x.x.x.x/x>
    next
end

761754

IPsec aggregate static route is not marked inactive if the IPsec aggregate is down.

Proxy

Bug ID

Description

724670

Crash seen in WAD user information daemon when updating user group count upon user log off.

727629

An error case occurs in WAD while handling the HTTP requests for an explicit proxy policy.

735893

After the Chrome 92 update, in FOS 6.2, 6.4, or 7.0 running an IPS engine older than version 5.00246, 6.00099, or 7.00034, users are unable to reach specific websites in proxy mode with UTM applied. In flow mode everything works as expected.

REST API

Bug ID

Description

731136

The following API has a change in response format, which may break backward compatibility for existing integrations:

POST /api/v2/monitor/system/config/restore

New format results: {'config_restored': True}

Old format results: {'restore_started': True, 'session_id': 'nTuRkV'}

Note that only the response format is changed. The actual configuration restoration operation still works as before. The integration application should handle this new response format so it can return the correct response message to the user.
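One way an integration could accept both response formats for bug 731136 is shown below. This is an added example, not Fortinet code: the function and class names are hypothetical, and the optional "results" envelope key is an assumption about how the caller receives the object.

```python
from dataclasses import dataclass
from typing import Any, Mapping, Optional


@dataclass(frozen=True)
class RestoreOutcome:
    accepted: bool              # device reported the restore as started/restored
    response_format: str        # "new" or "old"
    session_id: Optional[str]   # only the old format carries one


def interpret_restore_results(payload: Mapping[str, Any]) -> RestoreOutcome:
    """Normalize the results of POST /api/v2/monitor/system/config/restore.

    Accepts the results object itself, or an envelope carrying it under a
    "results" key (the envelope is an assumption of this example).
    """
    results = payload.get("results", payload)
    if not isinstance(results, Mapping):
        raise ValueError("restore response has no results object")

    # New format: {'config_restored': True}
    if "config_restored" in results:
        return RestoreOutcome(results["config_restored"] is True, "new", None)

    # Old format: {'restore_started': True, 'session_id': '...'}
    if "restore_started" in results:
        sid = results.get("session_id")
        return RestoreOutcome(results["restore_started"] is True, "old",
                              sid if isinstance(sid, str) else None)

    # Fail closed: an unknown shape must not be reported as a successful restore.
    raise ValueError(f"unrecognised restore results keys: {sorted(results)}")


# Constructed sample inputs; the two result objects are the ones quoted above.
SAMPLE_NEW = {"config_restored": True}
SAMPLE_OLD = {"results": {"restore_started": True, "session_id": "nTuRkV"}}

if __name__ == "__main__":
    for sample in (SAMPLE_NEW, SAMPLE_OLD):
        print(interpret_restore_results(sample))
```

Integrations that used session_id from the old format to track the restore should treat a None value as expected after the upgrade rather than as a failure.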

Routing

Bug ID

Description

745856

The default SD-WAN route for the LTE wwan interface is not created.

Workaround: add a random gateway to the wwan member.

config system sdwan
    config members
        edit 2
            set interface "wwan"
            set gateway 10.198.58.58
            set priority 100
        next
    end
end

Security Fabric

Bug ID

Description

726831

Security rating for Local Log Disk Not Full reporting as failed for FortiGate models without log disks.

731292

Dashboard Security Fabric widget takes a long time to load in the GUI.

733511

Automation stitch trigger count does not update when target device is a downstream device.

SSL VPN

Bug ID

Description

718133

In some conditions, the web mode JavaScript parser will encounter an infinite loop that will cause SSL VPN crashes.

757450

SNAT is not working in SSL VPN web mode when accessing an SFTP server.

Switch Controller

Bug ID

Description

723501

When STP is enabled on a hardware switch interface, FortiLink loses its connection to FortiSwitch.

System

Bug ID

Description

644782

A large number of detected devices causes httpsd to consume resources, and causes entry-level devices to enter conserve mode.

681322

TCP 8008 permitted by authd, even though the service in the policy does not include that port.

708228

A DNS proxy crash occurs during ssl_ctx_free.

715978

NTurbo does not work with EMAC VLAN interface.

728647

DHCP discovery dropped on virtual wire pair when UTM is enabled.

751715

Random LTE modem disconnections due to certain carriers getting unstable due to WWAN modem USB speed under super-speed.

756713

Packet loss on the LAG interface (eight ports) using SFP+/SFP28 ports in both static and active mode. Affected models: FG-110xE, FG-220xE, and FG-330xE.

User & Authentication

Bug ID

Description

750551

DST_Root_CA_X3 certificate is expired.

Workaround: see the Fortinet PSIRT blog, https://www.fortinet.com/blog/psirt-blogs/fortinet-and-expiring-lets-encrypt-certificates, for more information.

754725

After updating the FSSO DC agent to version 5.0.0301, the DC agent keeps crashing on Windows 2012 R2 and 2016, which causes lsass.exe to reboot.

778521

SCEP fails to renew if the local certificate name length is between 31 and 35 characters.

VM

Bug ID

Description

729811

ASG synchronization is lost between secondary and primary instances if the secondary instance reboots. Affected platforms: all public cloud VMs and KVMs.

Workaround: run execute factoryreset2 on the secondary instance, and reconfigure the auto scaling group.
