Resolved issues

The following issues have been fixed in version 7.0.14. To inquire about a particular bug, please contact Customer Service & Support.

Application Control

Bug ID

Description

820481

For firewall policies using inspection-mode proxy, some HTTP/2 sessions may be invalidly detected as unknown application.

DNS Filter

Bug ID

Description

907365

DNS proxy caches DNS responses with only one CNAME record.

Endpoint Control

Bug ID

Description

979811

The ZTNA channel is not cleaned when overwriting old lls entries.

Explicit Proxy

Bug ID

Description

901627

Explicit proxy and SD-WAN fail to match a policy if the destination has multiple zones set.

942612

Web proxy forward server does not convert HTTP version to the original version when sending them back to the client.

978473

Explicit proxy policy function issues when matching external-threat feed categories.

Firewall

Bug ID

Description

898938

NAT64 does not recover when the interface changes.

953907

Virtual wire pair interface drops all packets if the prp-port-in/prp-port-out setting is configured under system npu-setting prp on FG-101F.

977641

In transparent mode, multicast packets are not forwarded through the bridge and are dropped.

GUI

Bug ID

Description

848660

Read-only administrator may encounter a Maximum number of monitored interfaces reached error when viewing an interface bandwidth widget for an interface that does not have the monitor bandwidth feature enabled.

867802

GUI always displays Access denied error after logging in.

874502

A prompt to Login as ReadOnly/ReadWrite is not displayed when post-login-banner is enabled on a FortiGate managed by FortiManager.

969101

Administrators with custom permissions cannot load the Managed FortiAP page, even if they have WiFi read-write permissions.

HA

Bug ID

Description

871636

HA configuration synchronization packets (Ethertype 0x8893) are dropped when going through VXLAN.

904117

When walking through the session list to change the ha_id, some dead sessions could be freed one more time.

924671

There is no response on ha-mgmt-interfaces after a reboot when using a VLAN interface based on hd-sw as the ha-mgmt interface.

937246

An error condition occurred while forwarding over a VRRP address, caused by the creation of a new VLAN.

949352

The user.radius checksum is the same in both HA units, but the GUI shows a different checksum on the secondary and the HA status is out of sync.

962681

In a three member A-P cluster, the dhcp lease list (execute dhcp lease-list) might be empty on secondary units.

Hyperscale

Bug ID

Description

839958

service-negate does not work as expected in a hyperscale deny policy.

940511

In some cases, carrier-grade NAT is dropping traffic.

984852

The HA/AUX ports are not enabled on boot up when using the NPU path option.

Intrusion Prevention

Bug ID

Description

923393

IPS logs show incorrect source and destination IP addresses and policy IDs, and the ports are zeros.

IPsec VPN

Bug ID

Description

897867

IPsec VPN between two FortiGates (100F and 60F) experiences slow throughput compared to the available underlay bandwidth.

898961

diagnose traffictest issues with dynamic IP addresses and loopback interfaces.

914418

File transfer stops after a while when offloading is enabled.

921691

In FGSP, IKE routes are not removed from the kernel when secondary-add-ipsec-routes is disabled.

926002

Incorrect traffic order in IPsec aggregate redundant member list after upgrade.

945873

Inconsistency of mode-cfg between phase 1 assigned IP address and destination selector addition.

950012

IPsec tunnels stuck on NP6XLite spoke drop the ESP packet.

950445

After a third-party router failover, traffic traversing the IPsec tunnel is lost.

961305

FortiGate is sending ESP packets with source MAC address of port1 HA virtual MAC address.

968218

When the IPsec tunnel destination MAC address is changed, tunnel traffic may stop.

Log & Report

Bug ID

Description

940814

Administrators without read permissions for the threat weight feature cannot see the event log menu.

954565

Although there is enough disk space for logging, IPS archive full message is shown.

965247

FortiGate syslog format in reliable transport mode is not compliant with RFC 6587.

967692

The received traffic counter is not increasing when the traffic is HTTPS with webfilter.

987261

In the webfilter content block UTM log in proxy inspection mode, sentbyte and rcvdbyte are zero.

Proxy

Bug ID

Description

790426

An error case occurs in WAD while redirecting the web filter HTTPS sessions.

806556

Unexpected behavior in WAD when the ALPN is set to http2 in the ssl-ssh-profile.

828917, 919781

Unexpected behavior in WAD when there are multiple LDAP servers configured on the FortiGate.

845361

A rare error condition occurred in WAD caused by compounded SMB2 requests.

940149

Inadvertent traffic disruption caused by WAD when it receives an HTTP2 data frame payload on a dead stream.

947814

Too many redirects on TWPP after the second KRB keytab is configured.

954104

An error case occurs in WAD when WAD gets the external authenticated users from other daemons.

Routing

Bug ID

Description

781483

Incorrect BGP Originator_ID from route reflector seen on receiving spokes.

890954

The change of an IPv6 route does not mark sessions as dirty nor trigger a route change.

897666

Issue with SD-WAN rule for FortiGuard.

914815

FortiGate 40F-3G4G not adding LTE dynamic route to route table.

926525

Routing information changed log is being generated from secondary in an HA cluster.

952908

Locally originated type 5 and 7 LSAs' forward address value is incorrect.

954100

Packet loss status in SD-WAN health check occurs after an HA failover.

Security Fabric

Bug ID

Description

782518

Threat feeds are showing that the connection status has not started when it should be connected.

841364

Cisco APIC SDN update times out on large datasets.

956423

In HA, the primary unit may sometimes show a blank GUI screen.

SSL VPN

Bug ID

Description

894704

FortiOS check would block iOS and Android mobile devices from connecting to the SSL VPN tunnel.

898889

The internal website does not load completely with SSL VPN web mode.

906756

Update SSL VPN host check logic for unsupported OS.

957406

OS checklist for SSL VPN in FortiOS does not include macOS Sonoma 14.

Switch Controller

Bug ID

Description

816790

Console printed DSL related error messages when disconnecting the managed FortiSwitch and connecting to the FortiGate again.

858749

Redirected traffic should not hit the firewall policy when allow-traffic-redirect is enabled.

911232

Security rating shows an incorrect warning for unregistered FortiSwitches on the WiFi & Switch Controller > Managed FortiSwitches.

937065

On the WiFi & Switch Controller > FortiSwitch Ports page, FortiSwitch ports that are exported to non-root VDOMs are incorrectly shown as down.

This is a GUI issue that does not affect the functioning of the exported ports. The correct port status can be seen on the port tooltip, or using the CLI.

System

Bug ID

Description

631046

diagnose sys logdisk smart does not work for NVMe disk models.

733096

FG-100F HA secondary's unused ports flap from down to up, then to down.

763739

On FG-200F, the Outbound bandwidth in the Bandwidth widget does not match outbandwidth setting.

861661

SNMP OID 1.3.6.1.2.1.4.32 ipAddressPrefixTable is not available.

882187

FortiGate enters conserve mode in a few hours after enabling UTM on the policies.

888655

FortiGate queries system DNS for A <Root> and AAAA <Root> servers.

894045

Sensor information widget continuously loading.

909225

ISP traffic is failing with the LAG interfaces on upstream switches.

910700

Ports are flapping and down on the FortiGate 3980E.

912092

FortiGate does not send ARP probe for UDP NP-offloaded sessions.

916493

Fail detection function does not work properly on X1 and X2 10G ports.

919901

For FIPS-CC mode, the strict check for basic constraints should be removed for end entity certificates.

926817

Review the temperature sensor for the SoC4 system.

929904

When L3 or L4 hashing algorithm is used, traffic is not forwarded over the same aggregate member after being offloaded by NP7.

937982

High CPU usage might be observed on entry-level FortiGates if the cache size reaches 10% of the system memory.

938174

ARP issue with VXLAN over IPsec and Soft Switch.

938981

The virtual server http-host algorithm is redirecting requests to an unexpected server.

943948

FortiGate as L2TP client is not working with Cisco ASR as L2TP server.

946413

Temperature sensor value missing for FG-180xF, FG-420xF, and FG-440xF platforms.

947240

FortiGate is not able to resolve ARPs of a few hosts due to their ARP replies not reaching the primary FPM.

955074

MSS clamping is not working on VXLAN over IPsec after upgrading.

960707

Egress shaping does not work on NP when applied on the WAN interface.

962153

A port that uses a copper-transceiver does not update the link status in real-time.

963600

SolarWinds unable to negotiate encryption, no matching host key type found.

966761

SNMP OID 1.3.6.1.2.1.4.34.1.5 ipAddressPrefix is not fully implemented.

971404

Session expiration does not get updated for offloaded traffic between a specific host range.

977231

An error condition occurred in fgfm caused by an out-of-band management configuration.

User & Authentication

Bug ID

Description

837185

Automatic certificate name generation is the same for global and VDOM remote certificates, which can cause certificates to exist with the same name.

864703

ACME client fails to work with some CA servers.

868994

FortiGate receives FSSO user in the format of HOSTNAME$.

VM

Bug ID

Description

938382

OpenStack Queens FortiGate VM HA heartbeat on broadcast is not working as expected.

968740

Unexpected behavior in awsd caused by tags with an empty value on AWS instances while adding a new AWS Fabric connector.

WAN Optimization

Bug ID

Description

954541

In WANOpt transparent mode, WAN optimization does not keep the original source address of the packets.

Web Filter

Bug ID

Description

925801

Custom Images are not seen on Web Filter block replacement page for HTTP traffic in flow mode.

982156

The URL local/user category rating result has only one best match category (longest URL pattern match), and other matched local/user categories cannot be chosen even if the category is configured in the profile.

WiFi Controller

Bug ID

Description

874997

Fetching the registration status does not always work.

Common Vulnerabilities and Exposures

Visit https://fortiguard.com/psirt for more information.

Bug ID

CVE references

956553

FortiOS 7.0.14 is no longer vulnerable to the following CVE Reference:

  • CVE-2024-23112

959918

FortiOS 7.0.14 is no longer vulnerable to the following CVE Reference:

  • CVE-2023-38545

964415

FortiOS 7.0.14 is no longer vulnerable to the following CVE Reference:

  • CVE-2023-44487

989429

FortiOS 7.0.14 is no longer vulnerable to the following CVE Reference:

  • CVE-2024-21762

993323

FortiOS 7.0.14 is no longer vulnerable to the following CVE Reference:

  • CVE-2024-23113
