Fortinet black logo

FortiOS Release Notes

Home FortiGate / FortiOS 7.0.13 FortiOS Release Notes
7.0.13
7.4.3
7.4.2
7.4.1
7.4.0
7.2.8
7.2.7
7.2.6
7.2.5
7.2.4
7.2.3
7.2.2
7.2.1
7.2.0
7.0.15
7.0.14
7.0.13
7.0.12
7.0.11
7.0.10
7.0.9
7.0.8
7.0.7
7.0.6
7.0.5
7.0.4
7.0.3
7.0.2
7.0.1
7.0.0
6.4.15
6.4.14
6.4.13
6.4.12
6.4.11
6.4.10
6.4.9
6.4.8
6.4.7
6.4.6
6.4.5
6.4.4
6.4.3
6.4.2
6.4.1
6.4.0
6.2.16
6.2.15
6.2.14
6.2.13
6.2.12
6.2.11
6.2.10
6.2.9
6.2.8
6.2.7
6.2.6
6.2.5
6.2.4
6.2.3
6.2.2
6.2.1
6.2.0
6.0.18
6.0.17
6.0.16
6.0.15
6.0.14
6.0.13
6.0.12
6.0.11
6.0.10
6.0.9
6.0.8
6.0.7
6.0.6
6.0.5
6.0.4
6.0.3
6.0.2
6.0.1
6.0.0
5.6.14
5.6.13
5.6.12
5.6.11
5.6.10
5.6.9
5.6.8
5.6.7
5.6.6
5.6.5
5.6.4
5.6.3
5.6.2
5.6.1
5.6.0
5.4.13
5.4.12
5.4.11
5.4.10
5.4.9
5.4.8
5.4.7
5.4.6
5.4.5
5.4.4
5.4.3
5.4.2
5.4.1
5.4.0
5.2.15
5.2.14
5.2.13
5.2.12
5.2.11
5.2.10
5.2.9
5.2.8
5.2.7
5.2.6
5.2.5
5.2.4
5.2.3
5.2.2
5.2.1
5.2.0
5.0.14
5.0.13
5.0.12
5.0.11
5.0.10
5.0.9
5.0.8
5.0.7
5.0.6
5.0.5
5.0.4
5.0.3
5.0.2

Known issues

Known issues

The following issues have been identified in version 7.0.13. To inquire about a particular bug or report a bug, please contact Customer Service & Support.

Explicit Proxy

Bug ID

Description

942612

Web proxy forward server does not convert HTTP version to the original version when sending them back to the client.

Firewall

Bug ID

Description

843554

If the first firewall service object in the service list (based on the order in the command line table) has a protocol type of IP, the GUI may incorrectly modify its protocol number whenever a new firewall service of the same protocol type IP is created in the GUI.

This silent misconfiguration can result in unexpected behavior of firewall policies that use the impacted service. For example, some 6K and 7K platforms have firewall service ALL (protocol type IP) as the first service, and this can cause the ALL service to be modified unexpectedly.

Workaround: create a new service in the CLI, or move a non-IP type services to the top of the firewall service list. For example, if ALL is the first firewall service in the list:

config firewall service custom
    edit "unused"
        set tcp-portrange 1
    next
    move "unused" before "ALL"
end

912740

On a FortiGate managed by FortiManager, after upgrading to 7.0.13, the Firewall Policy list may show separate sequence grouping for each policy because the global-label is updated to be unique for each policy.

Workaround: drag and drop the policy to the correct sequence group in the GUI, or remove the global-label for each member policy in the group except for the leading policy.

  • Policy 1 (global-label "group1")
  • Policy 2
  • Policy 3 (global-label "group2")
  • Policy 4

951984

The best output route may not be found for local out DNAT traffic.

FortiView

Bug ID

Description

941521

On the FortiView Web Sites page, the Category filter does not work in the Japanese GUI.

GUI

Bug ID

Description

440197

On the System > FortiGuard page, the override FortiGuard server for AntiVirus & IPS Updates shows an Unknown status, even if the server is working correctly. This is a display issue only; the override feature is working properly.

677806

On the Network > Interfaces page when VDOM mode is enabled, the Global view incorrectly shows the status of IPsec tunnel interfaces from non-management VDOMs as up. The VDOM view shows the correct status.

685431

On the Policy & Objects > Firewall Policy page, the policy list can take around 30 seconds or more to load when there is a large number (over 20 thousand) of policies.

Workaround: use the CLI to configure policies.

707589

System > Certificates list sometimes shows an incorrect reference count for a certificate, and incorrectly allows a user to delete a referenced certificate. The deletion will fail even though a success message is shown. Users should be able to delete the certificate after all references are removed.

708005

When using the SSL VPN web portal in the Firefox, users cannot paste text into the SSH terminal emulator.

Workaround: use Chrome, Edge, or Safari as the browser.

755177

When upgrading firmware from 7.0.1 to 7.0.2, the GUI incorrectly displays a warning saying this is not a valid upgrade path.

810225

An undefined error is displayed when changing an administrator password for the first time. Affected models: NP7 platforms.

848660

Read-only administrator may encounter a Maximum number of monitored interfaces reached error when viewing an interface bandwidth widget for an interface that does not have the monitor bandwidth feature enabled.

Workaround: super_admin users can enable the monitor bandwidth feature on the interface first, then the widget can work for read-only administrators.

853352

On the View/Edit Entries slide-out pane (Policy & Objects > Internet Service Database dialog), users cannot scroll down to the end if there are over 100000 entries.

898902

In the System > Administrators dialog, when there are a lot of VDOMs (over 200), the dialog can take more than one minute to load the Two-factor Authentication toggle. This issue does not affect configuring other settings in the dialog.

Workaround: use the CLI to configure two-factor-authentication under config system admin.

974988

FortiGate GUI should not show a license expired notification due to an expired device-level FortiManager Cloud license if it still has a valid account-level FortiManager Cloud license (function is not affected).

HA

Bug ID

Description

810286

FGSP local sessions exist after rebooting an HA pair with A-P mode, and the HW SSE/session count is incorrect.

Hyperscale

Bug ID

Description

795853

VDOM ID and IP addresses in the IPL table are incorrect after disabling EIF/EIM.

811109

FortiGate 4200F, 4201F, 4400F, and 4401F HA1, HA2, AUX1, and AUX2 interfaces cannot be added to an LAG.

836976

Sessions being processed by hyperscale firewall policies with hardware logging may be dropped when dynamically changing the log-processor setting from hardware to host for the hardware log sever added to the hyperscale firewall policy. To avoid dropping sessions, change the log-processor setting during quiet periods.

838654

Hit count not ticking for implicit deny policy for hardware session in case of NAT46 and NAT64 traffic.

839958

service-negate does not work as expected in a hyperscale deny policy.

842659

srcaddr-negate and dstaddr-negate are not working properly for IPv6 traffic with FTS.

843132

Access control list (ACL) policies added to a hyperscale firewall VDOM that is processing traffic may take longer than expected to become effective. During a transition period, traffic that should be blocked by the new ACL policy will be allowed.

843197

Output of diagnose sys npu-session list/list-full does not mention policy route information.

843266

Diagnose command should be available to show hit_count/last_used for policy route and NPU session on hyperscale VDOM.

843305

Get PARSE SKIP ERROR=17 NPD ERR PBR ADDRESS console error log when system boots up.

844421

The diagnose firewall ippool list command does not show the correct output for overload type IP pools.

846520

NPD/LPMD process killed by out of memory killer after running mixed sessions and HA failover.

941784

Hardware session synchronization does not work on FG-480xF devices in hyperscale.

IPsec VPN

Bug ID

Description

761754

IPsec aggregate static route is not marked inactive if the IPsec aggregate is down.

Log & Report

Bug ID

Description

850642

Logs are not seen for traffic passing through the firewall caused by numerous simultaneous configuration changes.

965247

FortiGate syslog format in reliable transport mode is not compliant with RFC 6587.

Proxy

Bug ID

Description

790426

An error case occurs in WAD while redirecting the web filter HTTPS sessions.

828917, 919781

Unexpected behavior in WAD when there are multiple LDAP servers configured on the FortiGate.

845361

A rare error condition occurred in WAD caused by compounded SMB2 requests.

954104

An error case occurs in WAD when WAD gets the external authenticated users from other daemons.

1001497

FortiGate may enter conserve mode when posting a non or invalid HTTP date through web proxy.

Security Fabric

Bug ID

Description

614691

Slow GUI performance in large Fabric topology with over 50 downstream devices.

794703

Security Rating report for Rogue AP Detection and FortiCare Support checks show incorrect results.

862424

On a FortiGate that has large tables (over 1000 firewall policies, address, or other tables), security rating reports may cause the FortiGate to go into conserve mode.

System

Bug ID

Description

847664

Console may display mce: [Hardware Error] error message after fresh image burn or reboot.

861962

When configuring an 802.3ad aggregate interface with a 1 Gbps speed, the port's LED is off and traffic cannot pass through. Affected platforms: 110xE, 220xE, 330xE, 340xE, and 360xE.

882187

Optimize memory usage caused by the high volume of disk traffic logs.

901721

In a certain edge case, traffic directed towards a VLAN interface could trigger a kernel panic.

934708

The cmdbsvr could not secure the var_zone lock due to another process holding it indefinitely.

937982

High CPU usage might be observed on entry-level FortiGates if the cache size reaches 10% of the system memory.

963600

SolarWinds is unable to negotiate encryption. A Negotiation failed: no matching host key type found error message appears in the log.

User & Authentication

Bug ID

Description

765184

RADIUS authentication failover between two servers for high availability does not work as expected.

VM

Bug ID

Description

800935

ESXi VLAN interface based on LACP does not work.

Web Filter

Bug ID

Description

766126

Block replacement page is not pushed automatically to replace the video content when using a video filter.

WiFi Controller

Bug ID

Description

814541

When there are extra large number of managed FortiAP devices (over 500) and large number of WiFi clients (over 5000), the Managed FortiAPs page and FortiAP Status widget can take a long time to load. This issue does not impact FortiAP operation.

903922

Physical and logical topology is slow to load when there are a lot of managed FortiAP (over 50). This issue does not impact FortiAP management and operation.

ZTNA

Bug ID

Description

819987

SMB drive mapping made through a ZTNA access proxy is inaccessible after rebooting.

848222

ZTNA TCP forwarding is not working when a real server is configured with an FQDN address type.

An FQDN address type that can resolve public IPs is not recommended for ZTNA TCP forwarding on real servers because the defined internal DNS database zone is trying to override it at the same time. By doing so, the internal private address may not take effect after rebooting, and causes a ZTNA TCP forwarding failure due to the real server not being found.
Previous
Next

Known issues

The following issues have been identified in version 7.0.13. To inquire about a particular bug or report a bug, please contact Customer Service & Support.

Explicit Proxy

Bug ID

Description

942612

Web proxy forward server does not convert HTTP version to the original version when sending them back to the client.

Firewall

Bug ID

Description

843554

If the first firewall service object in the service list (based on the order in the command line table) has a protocol type of IP, the GUI may incorrectly modify its protocol number whenever a new firewall service of the same protocol type IP is created in the GUI.

This silent misconfiguration can result in unexpected behavior of firewall policies that use the impacted service. For example, some 6K and 7K platforms have firewall service ALL (protocol type IP) as the first service, and this can cause the ALL service to be modified unexpectedly.

Workaround: create a new service in the CLI, or move a non-IP type services to the top of the firewall service list. For example, if ALL is the first firewall service in the list:

config firewall service custom
    edit "unused"
        set tcp-portrange 1
    next
    move "unused" before "ALL"
end

912740

On a FortiGate managed by FortiManager, after upgrading to 7.0.13, the Firewall Policy list may show separate sequence grouping for each policy because the global-label is updated to be unique for each policy.

Workaround: drag and drop the policy to the correct sequence group in the GUI, or remove the global-label for each member policy in the group except for the leading policy.

  • Policy 1 (global-label "group1")
  • Policy 2
  • Policy 3 (global-label "group2")
  • Policy 4

951984

The best output route may not be found for local out DNAT traffic.

FortiView

Bug ID

Description

941521

On the FortiView Web Sites page, the Category filter does not work in the Japanese GUI.

GUI

Bug ID

Description

440197

On the System > FortiGuard page, the override FortiGuard server for AntiVirus & IPS Updates shows an Unknown status, even if the server is working correctly. This is a display issue only; the override feature is working properly.

677806

On the Network > Interfaces page when VDOM mode is enabled, the Global view incorrectly shows the status of IPsec tunnel interfaces from non-management VDOMs as up. The VDOM view shows the correct status.

685431

On the Policy & Objects > Firewall Policy page, the policy list can take around 30 seconds or more to load when there is a large number (over 20 thousand) of policies.

Workaround: use the CLI to configure policies.

707589

System > Certificates list sometimes shows an incorrect reference count for a certificate, and incorrectly allows a user to delete a referenced certificate. The deletion will fail even though a success message is shown. Users should be able to delete the certificate after all references are removed.

708005

When using the SSL VPN web portal in the Firefox, users cannot paste text into the SSH terminal emulator.

Workaround: use Chrome, Edge, or Safari as the browser.

755177

When upgrading firmware from 7.0.1 to 7.0.2, the GUI incorrectly displays a warning saying this is not a valid upgrade path.

810225

An undefined error is displayed when changing an administrator password for the first time. Affected models: NP7 platforms.

848660

Read-only administrator may encounter a Maximum number of monitored interfaces reached error when viewing an interface bandwidth widget for an interface that does not have the monitor bandwidth feature enabled.

Workaround: super_admin users can enable the monitor bandwidth feature on the interface first, then the widget can work for read-only administrators.

853352

On the View/Edit Entries slide-out pane (Policy & Objects > Internet Service Database dialog), users cannot scroll down to the end if there are over 100000 entries.

898902

In the System > Administrators dialog, when there are a lot of VDOMs (over 200), the dialog can take more than one minute to load the Two-factor Authentication toggle. This issue does not affect configuring other settings in the dialog.

Workaround: use the CLI to configure two-factor-authentication under config system admin.

974988

FortiGate GUI should not show a license expired notification due to an expired device-level FortiManager Cloud license if it still has a valid account-level FortiManager Cloud license (function is not affected).

HA

Bug ID

Description

810286

FGSP local sessions exist after rebooting an HA pair with A-P mode, and the HW SSE/session count is incorrect.

Hyperscale

Bug ID

Description

795853

VDOM ID and IP addresses in the IPL table are incorrect after disabling EIF/EIM.

811109

FortiGate 4200F, 4201F, 4400F, and 4401F HA1, HA2, AUX1, and AUX2 interfaces cannot be added to an LAG.

836976

Sessions being processed by hyperscale firewall policies with hardware logging may be dropped when dynamically changing the log-processor setting from hardware to host for the hardware log sever added to the hyperscale firewall policy. To avoid dropping sessions, change the log-processor setting during quiet periods.

838654

Hit count not ticking for implicit deny policy for hardware session in case of NAT46 and NAT64 traffic.

839958

service-negate does not work as expected in a hyperscale deny policy.

842659

srcaddr-negate and dstaddr-negate are not working properly for IPv6 traffic with FTS.

843132

Access control list (ACL) policies added to a hyperscale firewall VDOM that is processing traffic may take longer than expected to become effective. During a transition period, traffic that should be blocked by the new ACL policy will be allowed.

843197

Output of diagnose sys npu-session list/list-full does not mention policy route information.

843266

Diagnose command should be available to show hit_count/last_used for policy route and NPU session on hyperscale VDOM.

843305

Get PARSE SKIP ERROR=17 NPD ERR PBR ADDRESS console error log when system boots up.

844421

The diagnose firewall ippool list command does not show the correct output for overload type IP pools.

846520

NPD/LPMD process killed by out of memory killer after running mixed sessions and HA failover.

941784

Hardware session synchronization does not work on FG-480xF devices in hyperscale.

IPsec VPN

Bug ID

Description

761754

IPsec aggregate static route is not marked inactive if the IPsec aggregate is down.

Log & Report

Bug ID

Description

850642

Logs are not seen for traffic passing through the firewall caused by numerous simultaneous configuration changes.

965247

FortiGate syslog format in reliable transport mode is not compliant with RFC 6587.

Proxy

Bug ID

Description

790426

An error case occurs in WAD while redirecting the web filter HTTPS sessions.

828917, 919781

Unexpected behavior in WAD when there are multiple LDAP servers configured on the FortiGate.

845361

A rare error condition occurred in WAD caused by compounded SMB2 requests.

954104

An error case occurs in WAD when WAD gets the external authenticated users from other daemons.

1001497

FortiGate may enter conserve mode when posting a non or invalid HTTP date through web proxy.

Security Fabric

Bug ID

Description

614691

Slow GUI performance in large Fabric topology with over 50 downstream devices.

794703

Security Rating report for Rogue AP Detection and FortiCare Support checks show incorrect results.

862424

On a FortiGate that has large tables (over 1000 firewall policies, address, or other tables), security rating reports may cause the FortiGate to go into conserve mode.

System

Bug ID

Description

847664

Console may display mce: [Hardware Error] error message after fresh image burn or reboot.

861962

When configuring an 802.3ad aggregate interface with a 1 Gbps speed, the port's LED is off and traffic cannot pass through. Affected platforms: 110xE, 220xE, 330xE, 340xE, and 360xE.

882187

Optimize memory usage caused by the high volume of disk traffic logs.

901721

In a certain edge case, traffic directed towards a VLAN interface could trigger a kernel panic.

934708

The cmdbsvr could not secure the var_zone lock due to another process holding it indefinitely.

937982

High CPU usage might be observed on entry-level FortiGates if the cache size reaches 10% of the system memory.

963600

SolarWinds is unable to negotiate encryption. A Negotiation failed: no matching host key type found error message appears in the log.

User & Authentication

Bug ID

Description

765184

RADIUS authentication failover between two servers for high availability does not work as expected.

VM

Bug ID

Description

800935

ESXi VLAN interface based on LACP does not work.

Web Filter

Bug ID

Description

766126

Block replacement page is not pushed automatically to replace the video content when using a video filter.

WiFi Controller

Bug ID

Description

814541

When there are extra large number of managed FortiAP devices (over 500) and large number of WiFi clients (over 5000), the Managed FortiAPs page and FortiAP Status widget can take a long time to load. This issue does not impact FortiAP operation.

903922

Physical and logical topology is slow to load when there are a lot of managed FortiAP (over 50). This issue does not impact FortiAP management and operation.

ZTNA

Bug ID

Description

819987

SMB drive mapping made through a ZTNA access proxy is inaccessible after rebooting.

848222

ZTNA TCP forwarding is not working when a real server is configured with an FQDN address type.

An FQDN address type that can resolve public IPs is not recommended for ZTNA TCP forwarding on real servers because the defined internal DNS database zone is trying to override it at the same time. By doing so, the internal private address may not take effect after rebooting, and causes a ZTNA TCP forwarding failure due to the real server not being found.
Previous
Next