Known issues

The following issues have been identified in Hyperscale firewall for FortiOS 7.0.5 Build 4515. For inquiries about a particular bug, please contact Customer Service & Support. The known issues described in the FortiOS 7.0.5 release notes also apply to Hyperscale firewall for FortiOS 7.0.5 Build 4515.

| Bug ID | Description |
| --- | --- |
| 724085 | Traffic passing through an EMAC-VLAN interface when the parent interface is in another VDOM is blocked if NP7 offloading is enabled. If you set the auto-asic-offload option to disable in the firewall policy, traffic flows as expected. |
| 775529 724675 | FortiGates with NP7 processors cannot establish protocol independent multicast v2 (PIMv2) neighbors through a hardware switch interface and also cannot pass VRRP packets. |
| 752024 | Hyperscale firewall hardware traffic logs do not include the action field and do not indicate whether the policy action is allow or deny. |
| 766494 | In a hyperscale firewall VDOM, fixed port range NAT does not match all of the behavior for deterministic NAT as described in RFC 7422. |
| 767232 | Configuring the in-bandwidth interface option for a tunnel interface does limit traffic flow through the tunnel interface. |
| 773221 | IPsec traffic that passes through a loopback interface cannot be offloaded by NP7 processors. |
| 774260 | You may notice that excessive numbers of packets are lost through IPsec tunnels with AES256-GCM encryption. |
| 777212 | Hardware logging log messages are not created for firewall policies with action set to deny. |
| 781302 | You cannot change the address type of an IPv6 firewall address that has been added to a firewall address group. |
| 782127 | Traffic is blocked by NAT64 and NAT46 policies when src-negate is enabled. |
| 782674 | On the secondary FortiGate in an FGCP cluster, the diagnose sys npu-sessions st verbose command output shows hung tasks when an FGCP cluster is processing a large number of sessions. These messages only appear on the secondary FortiGate. |
| 783611 | Incorrect information provided by the fgFwHsPolLastUsed MIB field. |
| 783649 | Incorrect information provided by the fgSysNpuSes6Count MIB field. |
| 787344 | SIP sessions that match NAT64 hyperscale firewall policies are blocked. |
| 787864 | The diagnose sys npu-session clear command when used with the hardware session filter does not clear all of the sessions that should be cleared. |
| 787888 | With hardware logging set to CPU logging (or host logging), FortiView session pages don't show any data in the Source interface, Destination interface, Packets, and Bytes columns. |
| 788703 | In an FGCP cluster, trap sessions are not tagged as NP7 offloaded sessions in the secondary FortiGate session table. |
| 788836 | IPv6 DTLS IPsec VPN wireless traffic is blocked when NP7 CAPWAP offloading is enabled. |
| 790267 | When creating a NAT64 firewall policy in a hyperscale VDOM, you cannot select IP pools to add to the policy. |
| 791335 | Hardware logging log messages do not include information about logged in SSO or RSSO users. |
| 793135 | Schedules and security profiles cannot be added to hyperscale firewall policies. However, when creating or editing a firewall policy in a hyperscale firewall VDOM from the GUI the schedule option may be visible, but you can't use it to select a schedule. Also, some GUI pages that display firewall policy information may incorrectly include the schedule and security profile fields. |
| 793545 | In hyperscale firewall VDOMs, the IP Pools Utilization and Top IP Pools by Assigned IPs widgets that appear on the Firewall > IP Pools GUI page do not show any results. |
| 795853 | Disabling EIF and EIM in a hyperscale firewall policy actively processing traffic causes errors in the information stored in the NP7 firewall policy database. For example, the data may include incorrect VDOM IDs and IP addresses. |
| 795990 | Miscellaneous traffic drops, slowdowns, and memory leaks found for ARP and RLT and others. |
