CDR archived files are deleted at random times and not retained.

Flow mode opens port 8008 over the AV profile that does not have HTTP scan enabled.

The new HA primary FortiGate cannot get EMS Cloud information when HA switches over.

Authentication hard timeout is not respected for firewall users synchronized from WAD user.

Client gets 304 response if a cached object has varying headers and is expired.

Random websites are not accessible with proxy policy after upgrading to 6.4.10.

The VIP group hit count in the table (Policy & Objects > Virtual IPs) is not reflecting the correct sum of VIP members.

Unable to create a geography type address object and get a Can not be geography address when it is a member of addrgrp used by ipsec_tunnel! error.

The set sub-type ems-tag option is blocked in HA diff installation.

Inaccurate sFlow interface data reported to PRTG after upgrading to 7.0.

Virtual server aborts connection when ssl-max-version is set to tls-1.3.

Unable to add additional MAC address objects in an address group that already has 152 MAC address objects.

Making a full HTTP session is sometimes bypassed if ssl-hsts is enabled for a server-load-balance VIP.

Full cone NAT (permit-any-host enable) causes TCP session clash.

Explicit FTPS stops working with IP pool after upgrading.

FG-3000D cluster kernel panic occurs when upgrading from 7.0.5 to 7.0.6 and later.

Increased CPU usage in softIRQ after upgrading from 7.0.5 to 7.0.6.

Standard and full ISDB sizes are not configurable on FG-101F.

When a FortiGate local administrator is assigned to more than two VDOMs and tries logging in to the GUI console, they get a command parse error when entering VDOM configuration mode.

Incorrect shortcut name shown on the Network > SD-WAN > Performance SLAs page.

FortiAP icon cannot be moved once placed on the WiFi map.

Intermittent error, Failed to retrieve FortiView data, appears on real-time FortiView Sources and FortiView Destination monitor pages.

The Network > Interfaces faceplate shows two SFP interfaces, which do not exist on that FortiGate model.

On G-model profiles, changing the platform mode change from single 5G (dedicated scan enabled) to dual 5G is not taking effect.

Policy and dashboard widgets do not load when the FortiGate manages a FortiSwitch with tenant ports (exported from root to other VDOM).

Local VDOM administrator randomly sees a blank white page after logging in with the interface that belongs to the VDOM.

Unable to select addresses in FortiView monitors.

CLI console in GUI reports Connection lost. when the administrator has more than 100 VDOMs assigned.

Long lasting sessions are expired on HA secondary device with a 10G interface.

Long-lasting sessions expire on the HA secondary in large session synchronization scenarios.

set admin-restrict-local is not working for SSH.

Virtual MAC address is sent inside GARP by the secondary unit after a reboot.

Running execute ha manage 0 <remote_admin> fails and displays a Permission denied, please try again. error if the 169.254.0.0/16 local subnet is not in the trusted host list.

Communication is disrupted when HA switching is performed in an environment where the VDOM is split to accommodate two IPoE lines.

CLI deployment of a configuration to the secondary unit results in an unresponsive aggregate interface.

Static ARP entry is removed after reboot or HA failover.

The administrator password-expire calculation on the primary and secondary returns a one-second diff, and causes HA to be out-of-sync.

When adding or removing an HA monitor interface, the link failure value is not updated.

Telnet connection running ping fails during FGSP failover for virtual wire pair with VLAN traffic.

FG-500E interface stops sending IPv6 RAs after upgrading from 7.0.5 to 7.0.7.

Unable to synchronize IPsec SA between FGCP members after upgrading.

Output of diagnose sys ntp status is misleading when run on a secondary cluster member.

FG-2600F kernel panic occurs after a failover on both members of the cluster.

FGSP session-sync-dev ports do not use L2 Ethernet frames but always use UDP, which reduces the performance.

After packets go through host interface TX/RX queues, some packet buffers can still hold references to a VDOM when the host queues are idle. This causes a VDOM delete error with unregister_vf. If more packets go through the same host queues for other VDOMs, the issue should resolve by itself because those buffers holding the VDOM reference can be pushed and get freed and recycled.

IPv6 traffic continues to pass through a multi-VDOM setup, even when the static route is deleted.

IPsec server with NP offloading drops packets with an invalid SPI during rekey.

Certain packets are causing IPsec tunnel drops on NP6XLite platforms after HA failover because the packet is not checked properly.

FortiGate is unable to install SA (failed to add SA, error 22) when there is an overlap in configured selectors.

IPsec static router gateway IP is set to the gateway of the tunnel interface when it is not specified.

NP dropping packet in the incoming direction for SoC4 models.

If mode-cfg is used, a race condition can result in an IP conflict and sporadic routing problems in an ADVPN/SD-WAN network. Connectivity can only be restored by manually flushing the IPsec tunnels on affected spokes.

ESP tunnel traffic hopping from VRF.

FortiGate IPsec tunnel role could be incorrect after rebooting or upgrading, and causes negotiation to be stuck when it comes up.

IPsec phase 2 fails when both HA cluster members reboot at the same time.

IPsec tunnel does not coming up after the upgrading firmware on the branch FortiGate (FG-61E).

Phase 2 not initiating the rekey at soft limit timeout on new kernel platforms.

A deny policy with log traffic disabled is generating logs.

The miglogd process may send empty logs to other logging devices.

High memory usage from miglogd processes even without traffic.

Error condition in WAD occurs during traffic scans in proxy mode.

WAD process crashes (signal 11) with disclaimer and user authentication being applied to the web proxy.

Intermittent traffic disruption caused by race condition in WAD.

An error condition occurs in WAD while parsing certain URIs.

Improvements to WAD to optimize CPU usage when using user groups.

An error condition occurs in WAD during an AV scan submission.

In a firewall proxy policy, the SD-WAN zone assigned to interface is not checked.

An error condition occurs in WAD when the srcintf of a firewall proxy-policy is set to an SD-WAN zone.

Improvements to WAD to optimize CPU usage when using user groups.

Improvements to WAD to resolve a memory usage issue when user-info updates the FortiAP information.

The WAD process memory usage gradually increases over a few days, causing the FortiGate to enter into conserve mode.

When HA failover is performed to the other cluster member that is not able to reach the BFD neighbor, the BFD session is down as expected but the static route is present in the routing table.

No IGMP-IF for ifindex log points to multicast enabled interface.

IS-IS LSP packets do not include the checksum and the authentication key ([Checksum: [missing]], [Checksum Status: Not present] and authentication "hmac-md5 (54), message digest]).

Connected subnet in VRF other than VRF 0, gets RPF failure after HA failover

IPv6 VRRP backup is sending RA, which causes routing issues.

When the policy route has a set gateway, the FortiGate is not following the policy route to forward traffic and sends unreasonable ARP requests.

Reply traffic from the DNS proxy (DNS database) is choosing the wrong interface.

IPsec traffic sourced from a loopback interface does not follow the policy route or SD-WAN rules.

When creating a new rule on the Network > Routing Objects page, the user cannot create a route map with a rule that has multiple similar or different AS paths in the GUI.

When enabled, FEC is not effectively reducing packet loss when behind NAT.

Traffic session is processed by a different SD-WAN rule and randomly times out.

FortiGate does not add the route in the routing table when it changes for SD-WAN members.

Application VWL crash occurs after FortiManager configuration push causes an SD-WAN related outage.

SD-WAN GUI does not load, and the lnkmtd process crashes frequently.

API that registers appliances to the Fabric stopped working.

During the FortiOS initialization process, there is a small chance that other services using UDP take the specific port that caused csfd initialization to fail.

Failed to retrieve upgrade progress message appears when upgrading a FortiAP or FortiSwitch that is connected to a downstream FortiGate.

Automation stitch trigger is not working when the threshold based email alert is enabled in the configuration.

Unable to add another FortiGate to the Security Fabric after updating to the latest patch.

SSL VPN web mode cannot display certain websites that are internal bookmarks.

Authentication request of SSL VPN realm can now only be sent to user group, local user, and remote group that is mapped to that realm in the SSL VPN settings. The authentication request will not be applied to the user group and remote group of non-realm or other realms.

Unable to load GitLab through SSL VPN web portal.

Comments in front of <html> tag are not handled well in HTML file in SSL VPN web mode.

FortiGate is not sending Accounting-Request packet that contains the Interim-Update AVP when two-factor authentication is assigned to a user (defined on the FortiGate) while connecting using SSL VPN.

Unable to view PDF files in SSL VPN web mode.

Multiple DNS suffixes cannot be set for the SSL VPN portal.

VMware vCenter bookmark in not working after logging in to SSL VPN web mode.

SSL VPN web mode is unable to access EMS server.

SSL VPN stops passing traffic after some time.

A blank page displayed after logging in to the back-end server in SSL VPN web mode.

RDP over VPN SSL web mode stops work after upgrading.

OS checklist for the SSL VPN in FortiOS does not include macOS Ventura (13).

User peer feature for one group to match to multiple user peers in the authentication rules is broken.

Unable to access Synology NAS server through SSL VPN web mode.

Internal website with JavaScript is proxying some functions in SSL VPN web mode, which breaks them.

RDP over SSL VPN web mode to a Windows Server changes the time zone to GMT.

EcoStruxure Building Operations 2022 does not render using SSL VPN bookmark.

In the second authentication of RADIUS two-factor authentication, the acct-update-interval returned is 0. SSL VPN uses the second return and not send RADIUS acct-interim-update packet.

SSL VPN web mode has issue accessing specific URL, https://gt***.si***.fr.

FortiSwitches managed by FortiGate go offline intermittently and require a FortiGate reboot to recover.

Switch controller managed switch port configuration changes do not take effect on the FortiSwitch.

Inadvertent traffic disruption caused by WAD due to deadlock.

HA synchronization packets are hashed to a single queue when sync-packet-balance is enabled.

The forticron daemon is constantly being restarted.

SA is freed while its timer is still pending, which leads to a kernel crash.

When fastpath is disabled, counters in the dashboard are showing 0 bytes TX/RX for a VLAN interface configured on an LACP interface.

Incorrect values in NP7/hyperscale DoS policy anomaly logs. For packet rate-based meter log, the repeated numbers do not reflect the amount of dropped packets for a specific anomaly/attack; for the session counter meter log, the pps number is negative.

When a virtual switch member port is set to be an alternate by STP, it should not reply with ARP; otherwise, the connected device will learn the MAC address from the alternate port and send subsequent packets to the alternate port.

A member of an LAG interface is not coming up due to a different actor key.

The debug zone uses over 400 MB of RAM.

High memory usage occurs on FG-200F.

NP7 dos-offload triggers an established TCP session to have synproxy process issues.

Scheduled speed test crash is caused by adding the same object to a list twice.

Kernel panic occurs after traffic goes through IPsec VPN tunnel and EMAC VLAN interface.

LACP interfaces are flapping after upgrading to 6.4.9.

FCLF8522P2BTLFTN transceiver is not working after upgrade.

The ifLastChange SNMP OID only shows zeros.

1G copper SFP port is always up on FG-260xF.

LTE fails to connect after the firewall reboots. Multiple reboots are required to bring back connectivity.

The reply-to option in the email server settings is no longer visible in a default server configuration on FortiOS 7.2.0.

NP7 platforms may reboot unexpectedly when unable to handle kernel null pointer de-reference.

FortiGate in HA may freeze and reboot. Before the reboot, softIRQ may be seen as high. This leads to a kernel panic.

Unable to resolve sp***.saas.ap***.com on a specific VDOM.

FortiGate becomes unresponsive, and there are many WAD and forticron crashes.

When kernel debug level is set to >=KERN_INFO on NP6xLite platforms, some tuples missing debug messages may get flooded and cause the system to get stuck.

The GUI and API stopped working after loading many interfaces due to httpsd stuck in a D state (kernel I/O socket).

After rebooting the FortiGate, the MTU value on the VXLAN interface was changed.

Kernel panic and regular reboots occur on NP7 platforms, which are caused by FortiOS trying to offload a receiving ESP packet from the EMAC VLAN interface and convert to an IPv6 destination address with NAT46 NPU offloaded sessions.

Can't find xitem. Drop the response. error appears for DHCPOFFER packets in the DHCP relay debug.

NP7 platforms may encounter random kernel crash after reboot or factory reset.

Unexpected console error appears: unregister_netdevice: waiting for pim6reg1 to become free. Usage count = 3.

Console keeps displaying bcm_nl.nr_request_drop ... after the FortiGate reboots because of the cfg-save revert setting under config system global. Affected platforms: FG-10xF and FG-20xF.

FG-20xF system halts if setting cfg-save to revert under config system global and after the cfg-revert-timeout occurs.

Network device kernel null pointer is causing a kernel crash.

Issue with the server_host_key_algorithm compatibility when using SSH on SolarWinds.

Fortinet 10 GB transceiver LACP flapping when shut/no shut was performed on the interface from the switch side.

Configuring set src-check disable is not persistent in the kernel after rebooting for GRE interfaces.

False alarm of the PSU2 occurs with only one installed.

Random reboots and kernel panic on NP7 cluster when the FortiGate sends a TCP RST packet and IP options are missing in the header.

When any 10 Gigabit (SFP+) port is connected a switch, all configurations related to the 10 Gigabit ports is removed (trunks) when traffic is flowing upon boot. Affected platforms: FG-40xF, FG-60xF, FG-300xF.

The FortiGate is only offering the ssh-ed25519 algorithm for an SSH connection.

IPv6 BGP session drops when passing through a FortiGate configured with VRF.

execute ping-option interface cannot specific an interface name of a.

After a cold reboot (such as a power outage), traffic interfaces may not come up with a possible loss of VLAN configurations.

Forticron memory is leaking.

Memory corruption or incorrect memory access when processing a bad WQE.

CPSS usage goes to 99% and causes initiation issues when traffic is flowing upon boot. Affected platforms: FG-40xF, FG-60xF, FG-300xF.

FortiGate with new kernel crashes when starting debug flow.

Get zip conf file failed -1 error message when running a script configuring the FortiGate.

The endpoint-control fctems entry 0 is added after upgrading from 6.4 to 7.0.8 when the FortiGate does not have EMS server, which means the endpoint-control fctems feature was not enabled previously. This leads to a FortiManager installation failure.

When MAC-based authentication is enabled, multiple RADIUS authentication requests may be sent at the same time. This results in duplicate sessions for the same device.

Incorrect source MAC address is used in LLDP TX packet when the interface has https in allowaccess.

FortiToken purge in a VDOM clears all FortiToken statuses in the system.

Adding a local user to a group containing many users causes a delay in GUI and CLI due to cmdbsvr (high CPU).

RADIUS MAC authentication using ClearPass is intermittently using old credentials.

FortiToken activation emails should include HTTPS links to documentation instead of HTTP.

FG-81F 802.1X MAC authentication bypass (MAB) failed to authenticate Cisco AP.

IPv6 traffic triggers <interface>: hw csum failure message on CLI console.

Incorrect VMDK file size in the OVF file for hw13 and hw15.

Session is not crated over NSX imported object when traffic starts to flow.

Unable to enable FIPS cipher mode on FG-VM-ARM64-AWS.

CPU spike observed on all the cores in a GCP firewall VM.

During a same zone AWS HA failover, moving the secondary IP will cause the EIP to be in a disassociated state.

Azure auto-scale HA shows certificate error for secondary VM.

FortiOS exhibits segmentation fault on hostapd on the secondary controller configured in HA.

Connectivity loss occurs due to switch and FortiAPs (hostapd crash).

Application hostapd crash found on FG-101F.

A hostapd process crash is shown in device crash logs.

HA FortiGate encounters multiple hostapd crashes.

Hostapd segmentation fault signal 6 occurs upon HA failover.

Hostapd segmentation fault signal 11 occurs upon RF chamber setup.

Invalid wireless MAC OUI detected for a valid client on the network.

Incorrect source IP in the self-originating traffic to RADIUS server.

Wi-Fi clients on a RADIUS MAC MPSK SSID get prematurely de-authenticated by the secondary FortiGate in the HA cluster.

The EMS tag name (defined in the EMS server's Zero Trust Tagging Rules) format changed in 7.0.8 from FCTEMS<serial_number>_<tag_name> to EMS<id>_ZTNA_<tag_name>.

After upgrading, the EMS tag format was converted properly in the CLI configuration, but the WAD daemon is unable to recognize this new format, so the ZTNA traffic will not match any ZTNA policies with EMS tag name checking enabled.

FortiOS 7.0.11 is no longer vulnerable to the following CVE Reference:

• CVE-2022-42469

FortiOS 7.0.11 is no longer vulnerable to the following CVE Reference:

• CVE-2023-41675

FortiOS 7.0.11 is no longer vulnerable to the following CVE Reference:

• CVE-2023-33308

FortiOS 7.0.11 is no longer vulnerable to the following CVE Reference:

• CVE-2022-43947

FortiOS 7.0.11 is no longer vulnerable to the following CVE Reference:

• CVE-2023-33307

FortiOS 7.0.11 is no longer vulnerable to the following CVE Reference:

• CVE-2023-29175