An incorrect warning is shown for antivirus flow: Setting a proxy profile in a flow policy. Proxy features will not work.

FortiSandbox side panel statistics only shows only statistics for root/management VDOM.

Advanced Threat Protection Statistics dashboard is not increasing counters (AV).

For firewall policies using proxy-based inspection mode, some HTTP/2 sessions may be incorrectly detected as unknown applications.

DLP is not blocking VME video files.

The DLP sensor does not block EXE files.

Explicit proxy and SD-WAN fail to match a policy if the destination has multiple zones set.

Forward matching is applied to check the group name for SAML Authentication with Proxy Policy.

Post-upgrade, explicit proxy policies may mismatch when an HTTP CONNECT request or TLS SNI of a HTTPS session partially matches to a policy with deep inspection enabled.

Web proxy forward server does not convert HTTP version to the original version when sending them back to the client.

Explicit proxy policy function issues when matching external-threat feed categories.

Applications on the BOX cannot be started through proxy.

Traffic that should not be matching a policy is incorrectly matching an allow policy or a deny policy.

Moving a policy and then changing the view page will cause a blank grouping label to be displayed.

Support matching by destination port when matching a central NAT rule if the protocols are TCP, UDP, or SCTP.

When the UTM is enabled, NP7 NTurbo is not set properly, which causes the shaper to not guarantee the SIP traffic based on the class ID.

The one-time schedule pre-expiration event log button is always set to disable.

NAT64 does not recover when the interface changes.

The diffserv-copy option in the config firewall policy command cannot be configured.

SD-WAN IPsec egress traffic shaping is not working when traffic offloading is enabled on an NP7 unit.

Unable to unset http-supported-max-version to start using HTTP/2.

Session clashes occur when incoming traffic matches an expected session and undergoes SNAT, but the SNAT port is already occupied by another session.

Traffic shaping does not match the correct queue for outbound traffic when the class-id range exceeds the [2, 7] limit, which applies to egress shaping.

When using HTTP1, the TLS handshake from the proxy to the real server does not include the SNI.

Virtual wire pair interface drops all packet if the prp-port-in/prp-port-out setting is configured under system npu-setting prp on FG-101F.

Firewall address list may show incorrect error for an unresolved FQDN address. This is purely a GUI display issue; the FQDN address can be resolved by the FortiGate and traffic can be matched.

Drops in multicast traffic, caused by a change in multicast routing (PIM), may occur at the start of multicast communication after upgrading.

On the Policy & Objects > Services page, administrators with firewall read-write permission cannot delete service entries.

Unrelated route changes will cause the existing session to be marked dirty.

WAD crashes when using load balancing with SSL offloading.

TCP state of a session was not updated properly.

A Hello Retry Request message is not sent from the FortiGate during an SSL offload by config firewall ssl-server.

In transparent mode, multicast packets are not forwarded through the bridge and are dropped.

Transceiver information in unavailable for FPM/FIM2 ports in the GUI.

The IPsec ESP error log is generated with the wrong interface.

UTM traffic is blocked by an FGSP configuration with asymmetric routing.

IPv6 static route is removed from the management VDOM.

The FortiGate 6000 and 7000 platforms do not support IPsec VPN over a loopback interface or an NPU inter-VDOM link interface.

On the FortiGate 7000F platform, fragmented IPv6 ICMP traffic is not load balanced correctly when the dp-icmp-distribution-method option under config load-balance is set to dst-ip. This problem may also occur for other dp-icmp-distribution-method configurations.

The FortiGate 6000s or 7000s in an FGSP cluster may load balance FTP data sessions to different FPCs or FPMs. This can cause delays while the affected FortiGate 6000 or 7000 re-installs the sessions on the correct FPC or FPM.

IPV4 DNS/ICMP fragment traffic testing issues even when ip-reassembly diabled on the NPU.

FortiGate-7000F chassis with FIM-7941Fs cannot load balance fragmented IPv6 TCP and UDP traffic. Instead, fragmented IPv6 TCP and UDP traffic received by the FIM-7941F interfaces is sent directly to the primary FPM, bypassing the NP7 load balancers. IPv6 ICMP fragmented traffic load balancing works as expected. Load balancing fragmented IPv6 TCP and UDP traffic works as expected in FortiGate-7000F chassis with FIM-7921Fs.

Memory usage issue occurs when multiple threads try to access a VLAN group.

Statistics displayed in the Session Rate dashboard widget do not match the statistics displayed from the command line.

The Global Sessions does not match the CLI output.

CPU usage data displayed in the FortiGate 6000 GUI is actually CPU usage data for the management board. CPU usage data displayed in the FortiGate 7000 GUI is actually the CPU usage for the primary FIM.

Dashboard widgets for CPU, Memory, Session, and Session Rate show usage as 0% on root and non-root VDOMs.

On 6K and 7K platforms, the management VDOM GUI should not show the WiFi & Switch Controller menu.

In an FGCP cluster, the secondary unit cannot reply to the SNMP query while using the management IP.

When EMAC VLAN interfaces are removed spontaneously from the configuration, TCP traffic through their underlying VLAN interface fails.

During FIM failover from FIM2 to FIM1, the NP7 PLE sticks on a cache invalidation, stopping traffic.

SLBC special ports do not match the local-in policy's management path.

Graceful upgrade from 7.0.12 to 7.2.6 or 7.2.7, or from 7.0.12 to 7.4.2 or 7.4.3 will fail on the FortiGate 6501F/6500F, FortiGate 7060E with slot6 occupied, and FortiGate 7121F with slot12 occupied.

FIM installed NPU session causes the SSE to get stuck.

Read-only administrator may encounter a Maximum number of monitored interfaces reached error when viewing an interface bandwidth widget for an interface that does not have the monitor bandwidth feature enabled.

The VLAN ID cannot be changed in the GUI.

The FortiGate GUI displays only the most recent 100 entries on CRL view.

GUI pages that use the security rating fail to load on an iPhone.

When the FortiGate is in conserve mode, node process (GUI management) may not release memory properly causing entry-level devices to stay in conserve mode.

The GUI does not allow parentheses, (), to be used in the interface description.

The GUI does not show any transceiver information until running get system interface transceiver in the CLI.

When connected to the FortiGate GUI on a mobile phone, the table content on some pages like Network > Interfaces, Policy & Objects > Firewall Policy, and WiFi & Switch Controller > Managed FortiSwitches is cut off.

The firewall users widget is missing the Show all FSSO Logons button.

GUI issue when moving a policy between groups.

On the Log & Report > Forward Traffic page, the tooltip shown when hovering over a device in the Device column does not show all of the information about the device.

GUI dashboards show all the IPv6 sessions on every VDOM.

Administrators with custom permissions cannot load the Managed FortiAP page, even if they have WiFi read-write permissions.

On the Policy & Objects > Firewall Policy page, searching for automatically created addresses that have IP addresses does not show any matching results.

HA configuration synchronization packets (Ethertype 0x8893) are dropped when going through VXLAN.

When walking through the session list to change the ha_id, some dead sessions could be freed one more time.

FGCP primary-secondary cluster only uses one session-sync-dev, in spite of having multiple session-sync-dev.

The execute ha failover set <vcluster number> command only support two vclusters, even when mutiple vclusters exist.

Interfaces for the root VDOM are displayed in the GUI when different VDOM is selected on the HA secondary.

FG-200F in HA's management interface is not responding after a reboot.

Configuration is out-of sync when external feed connectors are applied to a policy.

Do not automatically enable LLDP transmission on an HA management port with LLDP reception enabled.

An error condition occurred while forwarding over a VRRP address, caused by the creation of a new VLAN.

The user.radius checksum is the same in both HA units, but the GUI shows a different checksum on the secondary and the HA status is out of sync.

Traffic is not forwarded on L2 peer to keep FGSP with an available L2 connection.

Security profiles created on the primary FortiGate in an HA environment are not visible on the secondary unit when switching between VDOMs.

Access to console and SSH is lost due to a specific configuration.

The set auto-firmware-upgrade disable setting is not synchronized between FGCP members.

Unexpected traffic flow occurs after FGSP is enabled between clusters.

Some long lasting TCP established sessions expire on the HA secondary unit earlier than on the primary unit.

In a three member A-P cluster, the dhcp lease list (execute dhcp lease-list) might be empty on secondary units.

The last interface belonging to the non-root management VDOM is not visible when accessing the GUI using the HA management interface.

Under heavy traffic, some sessions are not fully synchronized to the FGCP secondary unit.

No configuration error when restoring a configuration with incorrect config firewall wildcard-fqdn custom entries, resulting in an HA-unsync status.

TCP/SCTP sessions count mismatch in an HA pair in A-P mode.

With NAT64 HS policy, ICMP reply packets are dropped by FortiOS.

Traffic not passing across the VDOM link.

Observed TCP sessions timing out with a single hyperscale VDOM configuration after loading image from BIOS.

IPS sensor GUI shows All Attributes in the filter table when IPS filters with default values are selected in the CLI.

[?Q?ci_" sekret=] causes the parser to create a new field, "sekret=".

HTTPS traffic slows when IPS with NTurbo is used over a virtual wire pair.

High CPU usage due to the IPS engine, causing high latency on the network.

IPS logs show incorrect source and destination IP addresses and policy IDs, and the ports are zeros.

IPsec VPN fails to connect if ftm-push is configured.

Unexpected condition in IPsec engine on SoC4 platforms leads to intermittent IPsec VPN operation.

IPsec VPN between two FortiGates (100F and 60F) experiences slow throughput compared to the available underlay bandwidth.

Support IKEv2 split DNS mode-cfg (RFC 8598).

diagnose traffictest issues with dynamic IP addresses and loopback interfaces.

File transfer stops after a while when offloading is enabled.

IPsec tunnels that have external DHCP services for IP assignment have an extra selector added after upgrading to 7.0.11.

Firewall becoming unresponsive to DPD/IKE messages, causing IPsec VPNs to drop.

Incorrect traffic order in IPsec aggregate redundant member list after upgrade.

IKEv2 connection issue related to the order of policies using different user groups.

Disabling src-check (RPF) on the parent tunnel is not inherited by ADVPN shortcuts.

Inconsistency of mode-cfg between phase 1 assigned IP address and destination selector addition.

IPsec tunnels stuck on NP6XLite spoke drop the ESP packet.

After a third-party router failover, traffic traversing the IPsec tunnel is lost.

Shortcut created from parent tunnel interface does not inherit MSS value and may face fragmentation.

IPv6 firewall address IP prefix object is invisible on accessible networks in the GUI.

Authentication fails since the EAP proxy cannot get groups by the hostname of FortiGate in the NAS-ID RADIUS attribute.

IPsec traffic is unidirectional when vpn-id-ipip and offloading are enabled, and the tunnel VRF is greater than 63.

FortiGate is sending ESP packets with source MAC address of port1 HA virtual MAC address.

After an HA failover, static gateway IPsec routing fails.

IKEv2 authorization with an invalid certificate can cause tunnel status mismatch.

When the IPsec tunnel destination MAC address is changed, tunnel traffic may stop.

When a NAT port is changed between two static IPsec endpoints, the new port cannot be applied on the tunnel.

An internal error occurs on the FortiCloud Report page when a Japanese report name is too long.

When an administrator login fails, the event log shows that the login was successful.

Content disarm and reconstruction (CDR) files are not consistent in the log view.

After disabling an event under the event filter, the system events summary page still shows event logs for that event.

If Security Rating is enabled to run on schedule (every four hours), the FortiGate can unintentionally send local-out traffic to fortianalyzer.forticloud.com during the Security Rating run.

Cloud logging settings are not retained when the FortiGate language setting is Japanese.

When a GUI login fails due to exceed_limit, logged in successfully appears in the system event log.

The UUID is used instead of the external resource name in the Threat feed updated system event log.

Although there is enough disk space for logging, IPS archive full message is shown.

FortiAnalyzer report is not available to view for the secondary unit in the HA cluster on the Log & Report > Reports page.

Workaround: view the report directly in FortiAnalyzer.

Icons in logs evaluations and policies are no longer displayed.

FortiGate syslog format in reliable transport mode is not compliant with RFC 6587.

The received traffic counter is not increasing when the traffic is HTTPS with webfilter.

An error case occurs in WAD while handling the HTTP requests for an explicit proxy policy.

An error case occurs in WAD while redirecting the web filter HTTPS sessions.

Unexpected behavior in WAD when the ALPN is set to http2 in the ssl-ssh-profile.

Unexpected behavior in WAD when there are multiple LDAP servers configured on the FortiGate.

WAD daemon runs high with many child processes and is not coming down after configuring 250 CGN VDOMs.

A rare error condition occurred in WAD caused by compounded SMB2 requests.

Proxy mode inspection is slow when testing a single TCP stream from fast.com, which causes bandwidth slowness on FG-100F and FG-200F devices.

Proxyd did not account for all RFC-compliant SMTP pipelining cases.

WAD traffic to globalvideoquery.fortinet.net does not follow the FortiGuard interface-select-mode.

Inadvertent traffic disruption caused by WAD when it receives an HTTP2 data frame payload on a dead stream.

Too many redirects on TWPP after the second KRB keytab is configured.

An error case occurs in WAD when WAD gets the external authenticated users from other daemons.

Captive portal reappears repeatedly in the browser after importing user credentials.

The /firewall/vip API does not recognize custom SSL cipher suites.

API responses for PBR provides incorrect value if address groups are used in PBR.

Inconsistent handling of web filter profile actions in API transactions.

The dashboard Session widget cannot display the correct IPv6 session count per VDOM.

BGP packets are marked with DSCP CS0 instead of CS6.

On the Network > SD-WAN page, the Performance SLAs tab is slow to load when there is a large number (~4000) of VPN tunnels, and shortcut tunnels created by ADVPN.

The change of an IPv6 route does not mark sessions as dirty nor trigger a route change.

Issue with SD-WAN rule for FortiGuard.

Routing information changed log is being generated from secondary in an HA cluster.

FortiGate generates two OSPF stub entries for the same prefix after upgrading from 6.4 to 7.0.

IPv6 traffic was no longer forwarded according to route list and neighbor-cache list after upgrading from 7.2.4 to 7.2.5.

API call returns recursive next-hop for the gateway address.

Support GR helper mode (peer) for BGP.

Synchronized kernel VPNv4 routes are not used in an HA failover.

SD-WAN performance SLA tcp-connect probes clash with user sessions.

SD-WAN packet duplication feature in force mode suddenly stops duplicating and starts to duplicate again once the FortiGate is rebooted.

Status of OSPF adjacency is Loading on spokes while Full on the hub side.

When SD-WAN health-check is configured, the IPv6 interface IP address of shortcut fails to be pinged.

Locally originated type 5 and 7 LSAs' forward address value is incorrect.

Packet loss status in SD-WAN health check occur after an HA failover.

Learned BGP through routes are not withdrawn on the spoke after the EBGP neighborship is down between the hub and third party device.

IPsec traffic with vpn-id-ipip is egressing with the wrong VRF when offloading is enabled.

After HA monitored interface fails over, SD-WAN intermittently does not follow route-map-preferable.

GRE tunnel is stuck using a non-existing devindex.

When creating or editing a rule on the Network > Routing Objects page, if the weight is set to 0 the changes are not saved.

SD-WAN health check with state = dead moves between 100% and 0% packet loss while the state stays the same.

BFD/BGP dropping when outbandwidth is applied.

SD-WAN health check logs are not generated for ADVPN shortcuts.

External Connectors can cause a FortiGate internal error when the configuration name has invalid characters.

When there are over 30 downstream FortiGates in the Security Fabric, the root FortiGate's GUI may experience slowness when loading the Fabric Management page, preventing firmware upgrades using the GUI.

Advanced GCP connector does not resolve if one element does not exist.

When one of the downstream FortiGate VM's license is invalid, the root FortiGate will be automatically logged out from accessing the Firmware & Registration page.

Non-management VDOM is not allowed to set a source-ip for config system external-resource.

HTTP 400 errors observed using SDN connector to query AKS clusters if local administrator is disabled.

Security Fabric widget shows the serial number instead of the hostname for a secondary FortiGate in HA.

Renaming conflicted Fabric objects on the root FortiGate does not synchronize the changed Fabric objects to the downstream FortiGate.

In HA, the primary unit may sometimes show a blank GUI screen.

On the Security Fabric > Security Rating page, the security rating Last Ran displays incorrect values for Unused Policies.

The automation stitch triggered by the FortiAnalyzer event handler does not work as expected.

Erroneous memory allocation resulting in unexpected behavior in csfd after upgrading.

Security Fabric messages change after upgrading.

The external threat feed connection status is Unavailable in a non-VDOM enabled FortiGate.

The IP address threat feed connection status indicates an Other Error.

SSLVPNVD 11 signal failure due to attempt to read out of bounds memory.

SSL VPN stops listening on IPv6 interface after a reboot.

Destination address of SSL VPN firewall policy may be lost after upgrading when dstaddr is set to all and at least one authentication rule has a portal with split tunneling enabled.

When using RDP bookmarks in SSL web mode, some keys stopped working.

The internal website does not load completely with SSL VPN web mode.

The SSL VPN log shows users having been disconnected from SSL VPN for unknown reason.

An invalid user name entered in FortiClient could cause two factor PKI user login to crash sslvpnd after the client certificate checking passed.

Firewall policy is not allowing the all destination address with a split-tunneling portal.

SSL VPN connected/disconnected endpoint event log can be in the wrong sequence.

During a handshake when FortiClient sends a larger-than-MTU hello message, the packet is fragmented by IP layer and dropped by the FortiGate.

OS checklist for SSL VPN in FortiOS does not include macOS Sonoma 14.

FortiGate 200F experiences poor performance due to Marvell switch HOL mode.

Long DAC-type cable is added to default media type on 10G port on FG-100F.

Console printed DSL related error messages when disconnecting the managed FortiSwitch and connecting to the FortiGate again.

When changing the FortiSwitch FortiLink port status, the configuration is not applied to the FortiSwitch.

On the WiFi & Switch Controller > WiFi maps page Diagnostics and Tools panel, and on the WiFi & Switch Controller > FortiSwitch Clients page, the status of the LACP interface is incorrectly shown as down when it is up.

This is a GUI issue that does not affect the operations of the LACP interface. To view the correct status of the LACP interface, go to the WiFi & Switch Controller > FortiSwitch Ports page, or use the CLI.

FortiGate and FortiManager have different definitions for the value of poe-detection-type on S108EF platform.

The security rating shows an incorrect warning for unregistered FortiSwitches on the Managed FortiSwitches page.

Workaround: navigate to the Diagnostics & Tools pane of the FortiSwitch to see the correct registration status.

On the WiFi & Switch Controller > FortiSwitch Ports page, FortiSwitch ports that are exported to non-root VDOMs are incorrectly shown as down.

This is a GUI issue that does not affect the functioning of the exported ports. The correct port status can be seen on the port tooltip, or using the CLI.

NAC policy cannot match the MAC address with a specific VLAN. The NAC policy needs to be deleted and re-createed for it to work again.

After upgrading the version 7.4.2, the FortiSwitch shows as not registered in the GUI.

FG-100F HA secondary's unused ports flaps from down to up, then to down.

HPE does not enforce a limit on fragmented packets sent to the CPU when ip-reassembly is enabled.

On FG-200F, the Outbound bandwidth in the Bandwidth widget does not match outbandwidth setting.

Download speed issue through WAN configured with PPPoE on FortiGate.

FortiGate as DHCP relay is not showing a DHCP decline in the debugs when there is an IP conflict in the network.

Add 100G speed option for FG-180xF for ports 37, 38, 39, and 40. Upon firmware upgrade, existing port speed configurations are preserved.

Hardware csum failure message keeps repeating on Azure 7.0.8.

SNMP poll for fgExplicitProxyRequests returns 0.

SNMP OID 1.3.6.1.2.1.4.32 ipAddressPrefixTable is not available.

When configuring an 802.3ad aggregate interface with a 1 Gbps speed, the port's LED is off and traffic cannot pass through. Affected platforms: 110xE, 220xE, 330xE, 340xE, and 360xE.

Add check to skip invalid names when creating a VDOM.

Aggregate interface (LAG) dropping traffic.

PPPoE interface with SFP does not recover after a connectivity failure.

FortiGate enters conserve mode in a few hours after enabling UTM on the policies.

FortiOS allows customers to enable or disable the INDEX extension that appends the VDOM or interface index in RFC tables.

Add 100G speed option on the FortiGate 1800F.

Some sessions are still reported as offloaded when auto-asic-offload is disabled.

Interface release from cmdb and iprope keep updating when DHCP client renewal fails.

SFP interfaces that are set to 1000auto are not negotiating on the secondary device.

FortiGate does not perform a disk scan automatically when autorun-log-fsck is enabled.

CPU usage issue in miglogd caused by constant updates to the ZTNA tags.

On FG-600F, all members are up but the LACP status is showing as down after upgrading.

Degraded traffic bandwidth for download passing from 10G to 1G interfaces.

Enable auto-upgrade by default on the FortiGate 40F and 40G.

FortiGate does not send ARP probe for UDP NP-offloaded sessions.

Optimize memory usage, which causes the SLAB memory to increase, in kernel 4.19.

Fail detection function does not work properly on X1 and X2 10G ports.

Delay sending LACPDU in kernel 4.19.

For FIPS-CC mode, the strict check for basic constraints should be removed for end entity certificates.

Connectivity was lost after creating new VDOM and NPU_VLINK.

Sometimes, the configuration cannot be backed up to an FTP server.

Memory usage issue caused by repetitive log messages. Affected platforms: FG-100xF.

Review the temperature sensor for the SoC4 system.

Interactive CLI commands, like purge, cannot be cut and pasted into the console and exits the script. The purge command in a console puTTy session stops and waits for a y confirmation.

Unable to configure a 9600 baud-rate on DNP3-Proxy.

Unable to monitor DSL parameters and the get sys dsl status command shows errors.

IPv6 suffixes configured on an interface are not reflected after a reboot.

When the URL filter requests the FortiGuard (FGD) rating server address using DNS, it will try to get both A (IPv4) and AAAA (IPv6) records.

The FortiGate checksum changes and the FortiManager Backup Mode device status becomes out-of-sync.

High CPU usage might be observed on entry-level FortiGates if the cache size reaches 10% of the system memory.

ARP issue with VXLAN over IPsec and Soft Switch.

In the 4.19 kernel, when a neighbor's MAC is changed, the session and IPsec tunnel cannot be flushed from the NPU.

The virtual server http-host algorithm is redirecting requests to an unexpected server.

High CPU usage caused by DHCP packets.

FG-1100E SFP interface of port 23 and 24 with transceiver status is down after upgrading.

Loading of the Toss Bank application is delayed or gets stuck on iPhones with hyperscale CGNAT (NAT64).

Enabling vdom-dns causes the VDOM DNS certificate to be blank instead of the default value.

Buffer and description queue limitation of Marvell switch port will cause a performance limitation.

When cmdbsvr receives a request to update the version number, it also receives a copy of the query, but this copy is not freed.

FortiGate as L2TP client is not working with Cisco ASR as L2TP server.

FortiGate ports are not in a configured state after the connected switch reboots.

DNAT does not work on software switch in explicit mode.

Temperature sensor value missing for FG-180xF, FG-420xF, and FG-440xF platforms.

Unexpected reboot caused by a rare error condition for FG-VM.

Kernel TCP sessions do no timeout after receiving a legitimate RST and the system goes into conserve mode.

FortiGate is not able to resolve ARPs of few hosts due to their ARP replies not reaching the primary FPM.

Enabling NP7 offloading is causing packet drops when using a shaping profile.

Changing address object setting triggers a 30 second CPU usage spike.

The tx_collision_err counter in the FortiOS CLI keeps increasing on both 10G SFP+ X1 and X2 interfaces.

Alarm observed for high PECI temperature despite less CPU activity.

A FortiGate with 2G of memory enters conserve mode when a node uses 20% of the memory.

The diagnose npu sniffer stop command can lead to a traffic outage.

When signal 11 is sent to httpsd process using diagnose sys kill 11 <PID>, httpsd does not restart. The GUI displays a Service unavailable message. GUI access can be restored by rebooting the device.

MSS clamping is not working on VXLAN over IPsec after upgrading.

Interface LED from panel indicates the wrong status.

On FG-10xE, when using ports 13 to 16 as virtual switch LAN ports, auto speed is not supported.

FG-1101E ports with AVAGO AFBR-5710PZ transceiver failed to come up after upgrading.

FortiGate as DNS server does not resolve domains in the local database on new VDOM.

Memory usage issue occurs when multiple threads try to access a VLAN group.

High CPU usage caused by DHCP packets.

The GeoIP file should close appropriately after opening or using mmap to share memory.

An error message is shown when attempting to create a FortiExtender WAN extension interface.

An error condition occurred in the kernel caused by a rare condition while using the GRE tunnels.

IP addresses with an expired quarantine period might not be removed from quarantine.

Egress shaping does not work on NP when applied on the WAN interface.

A port that uses a copper-transceiver does not update the link status in real-time.

Multiple configuration settings are missing after restoring the VDOM.

SolarWinds unable to negotiate encryption, no matching host key type found.

Administrator with read-write permission for WiFi and read permission for network configuration cannot create SSIDs.

Unable to set a static ARP entry on the EMAC VLAN interface.

SNMP OID 1.3.6.1.2.1.4.34.1.5 ipAddressPrefix is not fully implemented.

The speed 1000auto setting on ports X1 to X4 disappears after upgrading from 7.2.5 to 7.2.6. Affected platforms: FG-40xF and FG-60xF.

FortiGate 200F experiences poor performance due to Marvell switch HOL mode.

FEC does not take effect on X5 - X8 ports when running at 25G ULL mode on FG-601F.

Session expiration does not get updated for offloaded traffic between a specific host range.

FortiGate 200F slow download and upload speeds when traversing from a 1G to a 10G interface.

An error condition occurred in fgfm caused by an out-of-band management configuration.

Transparent-mode VDOM system switch-interface and Firewall policies deleted after a power cycle.

On the FortiGate 4400F, high CPU usage by random CPU cores in the system space.

FortiGate enters into conserve mode due to excessive memory usage by Slabs.

Security mode 802.1X authentication happens every hour on a hardware switch on with 7.2 code.

The NP7 should use the updated MAC address from the ARP table to forward traffic to the destination server.

With NGFW mixed traffic, the CPU usage goes to 99%.

Typo in the set ipv6-allow-local-in-slient-drop command.

FG-3401E link is not coming up using DAC cables after upgrading.

Port channel is down after upgrading the FG-1101E.

All transparent VDOMs cannot synchronize because of switch-controller.auto-config.policy.

FortiGate receives FSSO user in the format of HOSTNAME$.

Guest administration management does not show all groups for multiple VDOMs assigned to a guest administrator account.

FortiToken mobile push with ACME gives an untrusted certificate in iOS application.

In some cases, the HA connection is removed and its memory is freed, but it is still read/written in the following process.

Password and Token concatenation for remote RADIUS users does not work as expected.

Upon expiration, the SSL certificate is removed from GUI but not from the CLI.

Issue sending activation code for FortiToken in a multi-VDOM environment with remote user authentication.

When MFA is enabled on a user and the authentication type is FortiToken, searching for a part of or the full serial number on the User & Authentication > User Definition page does not return a matching value.

On the User & Authentication > Guest Management page, the Print option does not work if the Guest User Print Template replacement message has been customized.

RADIUS accounting packet with acct-input-octets and acct-output-octets sometimes shows inconsistent behavior.

FortiGate VM HA primary loses connection when setting up secondary unit.

When send-deny-packet enabled or ident-accept disabled, sending out responding packets (such as TCP RST or ICMP) triggers a restart.

Restore operation overwrite passive configuration in AZURE A-P deployment based on SDN connector.

FortiGate VM heartbeat authentication fails during the upgrade to 7.2.4 or 7.2.5 when HA authentication and encryption is enabled.

In an Azure cluster, the NTP source-ip6 (IPv6) is synchronized while the source-ip (IPv4) is not.

OpenStack Queens FortiGate VM HA heartbeat on broadcast is not working as expected.

On a FortiGate VM on Azure, a deadlock between pci-recovery and mlx5-recovery stalls a number of mlx5-txrxq recovery tasks.

A FortiGate VM on ESXi with FGCP clustering is unable to do VLAN traffic in DPDK mode.

FortiGate cannot detect a log disk in some new Azure instances.

On a FortiGate ARM-OCI, after adding more than one network interface card and rebooting, the interface cards are not kept in order.

GCP OS log in integration issues occur in FortiGate deployment.

FG-VM64-AZURE SDN connector does not retry requests to management.azure.com if they fail.

Interfaces are brought down by azd, and traffic is disrupted until manually disabling and enabling the interfaces on the Azure VM.

An interrupt distribution issue may cause the CPU load to not be balanced on the FG-VM cores.

Unexpected behavior in awsd caused by tags with an empty value on AWS instances while adding a new AWS Fabric connector.

Unexpected reboot caused by a rare error condition for FG-VM.

After enabling DPDK on the VM, return traffic to the VLAN interface is dropped.

The Azure SDN Connector does not retrieve all of the virtual networks if the results are paginated.

Add web filter categories for artificial intelligence technology (category 100) and Cryptocurrency (category 101).

The FortiGuard category threat feed is not working as expected in proxy mode.

The strict option for sni-server-cert-check is behaving the same as if it is set to enable, and logs are not generated upon SNI mismatch with the CN or SAN.

Local rating chooses the wrong category if the URL path falsely matches to a longer local rating URL.

Web filter profile setting changes the order of FortiGuard web filter categories.

The URL local/user category rating result has only one best match category (longest URL pattern match), and other matched local/user categories cannot be chosen even if the category is configured in the profile.

Is the FortiGate 100F RFC 2865 compliant and, if yes, why does the FortiGate not always re-authenticated after the Session-Timeout value?

Flooded wireless STA traffic seen in L2 tunneled VLAN (FG-1800F).

An error condtion occured in the kernel when the FortiAP and SSID are in the same software switch.

NAS-ID is not updated immediately after modifying it in the applied RADIUS server when the wpad-process-count is set to a non-zero value.

FortiAP 431G is unable to join AC due to no response to cfg_request.

Usage of the cw_acds process increases and drops the FortiAP connection, which forces the FortiAP to restart in an FSM state when FortiAP settings are changed.

Add support for 6 GHz band for DARRP, wlac -c rf-analysis, and BG scan period.

An error condition occurred for the EAP proxy while sending the RADIUS Access-Request.

MPSK keys are not loaded completely in the wpad daemon after applying a VAP with an MPSK profile selected on a FortiAP.

CAPWAP offloading does not work with more than 12,000 VAP entries.

Wi-Fi clients failed roaming from one FortiAP to another on the bridge SSID with dynamic VLAN assignment by RADIUS-based MAC authentication.

Captive portal appears each time after a channel change or if roaming performed (Cisco ISE with FortiGate and FortiAP).

Clients connected to certain FortiAPs do not have internet access.

PMKID should be removed when an Android device is disconnected by the RADIUS CoA DM request with Acct-Session-Id.

The collected FortiGate syntax is missing channels for 11AX6.

Join/leave is repeated between FortiAP 421E and FortiGate 100E at multiple sites.

The SASE portal is unable to authorize a FortiAP if it initially connects to a secondary VM.

Unable to match first group attribute from SAML assertion for ZTNA rule.

FortiOS 7.2.8 is no longer vulnerable to the following CVE Reference:

• CVE-2023-46717

FortiOS 7.2.8 is no longer vulnerable to the following CVE Reference:

• CVE-2024-23112

FortiOS 7.2.8 is no longer vulnerable to the following CVE Reference:

• CVE-2023-44487