Unsupported file samples are submitted to FortiSandbox for analytics.

Flow AV does not have a limit of how much memory it can use when buffering files for scanning.

When connecting to FortiGate Cloud Sandbox, the connection status takes a long time to update and shows as unreachable.

Make improvements to the AV engine when handling outbreak prevention queries.

Unable to delete malware threat feeds using the CLI.

FortiSandbox side panel statistics only shows only statistics for root/management VDOM.

Scanunit should no longer submit known infected files to FortiSandbox.

Advanced Threat Protection Statistics dashboard is not increasing counters (AV).

For firewall policies using proxy-based inspection mode, some HTTP/2 sessions may be incorrectly detected as unknown applications.

DLP file type "AND" sensor cannot block the file when it is a DOCX file.

DLP sensor cannot block MS-Office XML files, but can block MS-Office files when setting the profile type as message.

Value overflow in destination interface of WAD traffic log.

Post-upgrade, explicit proxy policies may mismatch when an HTTP CONNECT request or TLS SNI of a HTTPS session partially matches to a policy with deep inspection enabled.

Using the append command to add entries to a policy object that mixes the use of wildcard and regular entries can result in an error to the policy during reboot. This applies to interface, address, and service policy objects.

The service field in the traffic log shows the configured custom service name, even for traffic that does not match the FQDN configured in the custom service.

After enabling the ssl-http-location-conversion option in the virtual server, it does not take effect.

Support port block allocation (PBA) IP pools for NAT64 traffic.

SD-WAN IPsec egress traffic shaping is not working when traffic offloading is enabled on an NP7 unit.

Unable to access a real server using VIP with a custom cipher.

Unable to unset http-supported-max-version to start using HTTP/2.

Exported firewall policy is missing the negate option for source, destination, and service fields.

When there are two to seven thousand addresses on the Policy & Objects > Virtual IPs page, clicking Suggestions in the Map to field makes the GUI unresponsive.

FortiGate adds deleted tcp-portrange and udp-portrange after a reboot.

FortiGate accepts the ha-mgmt-intf-only local-in policy from FortiManager, even though the ha-mgmt-status is not enabled.

Policy lookup should not get result with policy_action: deny for non-TCP protocols and non-80/443 TCP ports.

Traffic matches incorrect central SNAT rule when performing NAT46 in NGFW policy mode.

Session clashes occur when incoming traffic matches an expected session and undergoes SNAT, but the SNAT port is already occupied by another session.

Traffic shaping does not match the correct queue for outbound traffic when the class-id range exceeds the [2, 7] limit, which applies to egress shaping.

The maximum size of the server certificate for virtual server should be displayed.

The best output route may not be found for local out DNAT traffic.

When using HTTP1, the TLS handshake from the proxy to the real server does not include the SNI.

BGP and other traffic is getting dropped when IPv4 and IPv6 access lists are applied.

Virtual wire pair interface drops all packet if the prp-port-in/prp-port-out setting is configured under system npu-setting prp on FG-101F.

GUI does not display the configured parameters for traffic shaping policies when editing a policy with an SD-WAN zone.

An action=accept should not be shown in a traffic log when UDP traffic dropped by IPS. The utmaction field is also missing in this scenario.

Server load balancing health monitor does not work with Patroni (PostgreSQL cluster) when content matching is configured.

Drops in multicast traffic, caused by a change in multicast routing (PIM), may occur at the start of multicast communication after upgrading.

The IPsec ESP error log is generated with the wrong interface.

FortiGate 6000 and 7000 platforms do not support managing FortiSwitch devices over FortiLink.

IPv6 static route is removed from the management VDOM.

Virtual clustering is not supported by FortiGate 6000 and 7000 platforms.

SNMP walk failed to get the BGP routing information.

Authenticated users are not synchronized to the secondary FortiGate 6000 or 7000 chassis when the secondary chassis joins a primary chassis to form an FGCP cluster.

The FortiGate 6000 and 7000 platforms do not support IPsec VPN over a loopback interface or an NPU inter-VDOM link interface.

On the FortiGate 7000F platform, fragmented IPv6 ICMP traffic is not load balanced correctly when the dp-icmp-distribution-method option under config load-balance is set to dst-ip. This problem may also occur for other dp-icmp-distribution-method configurations.

SNMP query to fgVdEntSesRate returns a 0 value.

FortiGate-7000F chassis with FIM-7941Fs cannot load balance fragmented IPv6 TCP and UDP traffic. Instead, fragmented IPv6 TCP and UDP traffic received by the FIM-7941F interfaces is sent directly to the primary FPM, bypassing the NP7 load balancers. IPv6 ICMP fragmented traffic load balancing works as expected. Load balancing fragmented IPv6 TCP and UDP traffic works as expected in FortiGate-7000F chassis with FIM-7921Fs.

Memory usage issue occurs when multiple threads try to access a VLAN group.

Statistics displayed in the Session Rate dashboard widget do not match the statistics displayed from the command line.

The Global Sessions does not match the CLI output.

CPU usage data displayed in the FortiGate 6000 GUI is actually CPU usage data for the management board. CPU usage data displayed in the FortiGate 7000 GUI is actually the CPU usage for the primary FIM.

Dashboard widgets for CPU, Memory, Session, and Session Rate show usage as 0% on root and non-root VDOMs.

On 6K and 7K platforms, the management VDOM GUI should not show the WiFi & Switch Controller menu.

In an FGCP cluster, the secondary unit cannot reply to the SNMP query while using the management IP.

On the FortiGate 7060E, only four of six PSUs are shown sometimes.

When EMAC VLAN interfaces are removed spontaneously from the configuration, TCP traffic through their underlying VLAN interface fails.

During FIM failover from FIM2 to FIM1, the NP7 PLE sticks on a cache invalidation, stopping traffic.

SLBC special ports do not match the local-in policy's management path.

On the FortiView Web Sites page, the Category filter does not work in the Japanese GUI.

When a large number of addresses are present (over 17 thousand), searching for an object on the Policy & Objects > Addresses page takes around 20 to 30 seconds to display results.

When there is a connection issue between the FortiGate and a managed FortiSwitch, unexpected behavior might occur in httpsd when navigating between Switch Controller related GUI pages.

When private data encryption is enabled, the GUI may become unresponsive and HA may fail to synchronize the configuration.

The GUI should not show the interface speed in the SSL VPN interface tooltip.

Changing the IPv4/IPv6 version in the dropdown of one widget will also impact other Session Rate widgets.

A time difference is noticed in the FortiGate GUI and command line when the GUI is refreshed or when logged in on a new tab.

While creating new address from firewall policy, the address slide takes around five seconds to open up.

When the FortiGate is in conserve mode, node process (GUI management) may not release memory properly causing entry-level devices to stay in conserve mode.

No IP results appear when using the search bar of the Assets & Identities dashboard.

Dashboard > IPsec Monitor column selections are not saved across a page refresh.

An error occurred when attempting to perform interface migration from a physical interface containing a VLAN interface to an aggregate interface.

The GUI does not allow parentheses, (), to be used in the interface description.

The GUI does not show any transceiver information until running get system interface transceiver in the CLI.

When connected to the FortiGate GUI on a mobile phone, the table content on some pages like Network > Interfaces, Policy & Objects > Firewall Policy, and WiFi & Switch Controller > Managed FortiSwitches is cut off.

When private data encryption is enabled, all passwords present in the configuration fail to load and may cause HA failures.

Lost management connectivity to the standby node via in-band management.

When walking through the session list to change the ha_id, some dead sessions could be freed one more time.

There is no response on ha-mgmt-interfaces after a reboot when using a VLAN interface based on hd-sw as the ha-mgmt interface.

Configuration is out-of sync when external feed connectors are applied to a policy.

Asymmetric traffic through one of the FGSP members is allowed, even when the session is in a TCP SYN sent state.

An error condition occurred while forwarding over a VRRP address, caused by the creation of a new VLAN.

SCTP traffic is not forwarded back to the session owner (FGSP asymmetric traffic with IPS , NAT mode, and SCTP).

Temporary network interruption occurs after disabling standalone-config-sync.

When configuring an HA management interface, the GUI does not allow the same interface to be used for multiple management interfaces.

Unable to send a file to a remote HA member when synchronizing a configuration.

Traffic is not forwarded on L2 peer to keep FGSP with an available L2 connection.

Access to console and SSH is lost due to a specific configuration.

The hasync process is stuck at 99.9% on one or both cluster members after a failover.

The set auto-firmware-upgrade disable setting is not synchronized between FGCP members.

Unexpected traffic flow occurs after FGSP is enabled between clusters.

A split brain condition occurs in an HA cluster when failover-hold-time is enabled.

Unable to modify the pingserver-flip-timeout once vcluster is enabled.

Connections per second (CPS) performance of SIP sessions accepted by hyperscale firewall policies with EIM and EIF disabled that include overload with port block allocation (PBA) GCN IP pools is lower than expected.

ICMP reply packets are dropped by FortiOS in a NAT64 hyperscale policy.

Traffic not passing across the VDOM link.

High CPU usage due to the IPS engine, causing high latency on the network.

Make improvements to the IPS engine when handling a rare buffer overflow case.

RSH subsession timeout when IPS is enabled.

Interface policy logs show the external facing IP instead of the actual source.

IKE debug log filtering functionality exhibits inaccuracies, resulting in the possibility of displaying unmatched logs when filters are set.

Unexpected condition in IPsec engine on SoC4 platforms leads to intermittent IPsec VPN operation.

IPsec VPN between two FortiGates (100F and 60F) experiences slow throughput compared to the available underlay bandwidth.

Firewall becoming unresponsive to DPD/IKE messages, causing IPsec VPNs to drop.

Incorrect traffic order in IPsec aggregate redundant member list after upgrade.

For DHCP-over-IPsec, sometimes the client does not send a delete after the DHCP SA.

Setting loopback-asymroute disable in the phase 1 configuration pushes down the loopback interface index as tunnel's bound_if, causing traffic route lookup failure.

IKEv2 connection issue related to the order of policies using different user groups.

Disabling src-check (RPF) on the parent tunnel is not inherited by ADVPN shortcuts.

Inconsistency of mode-cfg between phase 1 assigned IP address and destination selector addition.

Policy route is not matching ESP traffic.

After a third-party router failover, traffic traversing the IPsec tunnel is lost.

Shortcut created from parent tunnel interface does not inherit MSS value and may face fragmentation.

IPsec phase 2 negotiation fails with failed to create dialup instance, error 22 error message.

IPv6 firewall address IP prefix object is invisible on accessible networks in the GUI.

Split DNS not pushed because the split tunnel is not recognized.

Authentication fails since the EAP proxy cannot get groups by the hostname of FortiGate in the NAS-ID RADIUS attribute.

Acct-Output-Octets are wrapped to 32-bit on RADIUS accounting stop.

IPsec traffic is unidirectional when vpn-id-ipip and offloading are enabled, and the tunnel VRF is greater than 63.

Logs are not seen for traffic passing through the firewall caused by numerous simultaneous configuration changes.

When an administrator login fails, the event log shows that the login was successful.

The log settings disk usage graph should show the usage data in the legend's format.

Content disarm and reconstruction (CDR) files are not consistent in the log view.

SSL VPN web mode login history entries are not seen when logs are being sent to FortiAnalyzer.

If Security Rating is enabled to run on schedule (every four hours), the FortiGate can unintentionally send local-out traffic to fortianalyzer.forticloud.com during the Security Rating run.

When the DNS server does not provide the IPv6 (AAAA record) for the NTP server FQDN, FortiGate NTP shows that the IPv6 server is unresolved -- unreachable, which is not true.

The following intrusion was observed: in the alert mail refers to another field in the anomaly log.

Administrators without read permissions for the threat weight feature cannot see the event log menu.

Cloud logging settings are not retained when the FortiGate language setting is Japanese.

The quarantine-log enable setting changed to disable after restoring a backup configuration.

When a GUI login fails due to exceed_limit, logged in successfully appears in the system event log.

The UUID is used instead of the external resource name in the Threat feed updated system event log.

Override setting under multi-VDOM mode may cause the FortiGate to stop sending logs to FortiAnalyzer or syslog after switching to non-VDOM mode.

Icons in logs evaluations and policies are no longer displayed.

FortiGate syslog format in reliable transport mode is not compliant with RFC 6587.

When FortiAnalyzer Cloud is chosen as log location, archived data cannot be downloaded for intrusion prevention.

An error case occurs in WAD while redirecting the web filter HTTPS sessions.

Unexpected behavior in WAD when the ALPN is set to http2 in the ssl-ssh-profile.

A rare error condition occurred in WAD caused by compounded SMB2 requests.

Unexpected behavior in WAD when there are multiple LDAP servers configured on the FortiGate.

Original source IP is not preserved for transparent proxy rule after upgrading.

Inadvertent traffic disruption caused by WAD when it receives an HTTP2 data frame payload on a dead stream.

Unble to access website ( https://ec***.qu***.com/me***) when using a proxy with DPI.

The newly implemented one-way server will set its port to null when closing.

Too many redirects on TWPP after the second KRB keytab is configured.

An error case occurs in WAD when WAD gets the external authenticated users from other daemons.

SNI check is not working when set to inspect all ports.

Unexpected behavior in WAD when building a debug URL.

When cloud-communication is disabled, WAD still connects to productapi.fortinet.com.

The /firewall/vip API does not recognize custom SSL cipher suites.

An error condition occurs in HTTPSD when a REST API request is sent with invalid parameters.

API responses for PBR provides incorrect value if address groups are used in PBR.

Auto-link fails if the FortiGate device initiating the FGFM connection is using an interface with a VRF not set to the default, 0.

Reply traffic from the DNS proxy (DNS database) is choosing the wrong interface.

MP-BGP EVPN source address shows 127.0.0.1, while the loopback interface is with a different address.

When the local traffic is using SD-WAN and the reply is coming on a different interface, the reply is ignored.

Make OSPFv3 update the translator role and translated Type-5 LSA when the ASBR table is updated.

Routing information changed log is being generated from secondary in an HA cluster.

FortiGate generates two OSPF stub entries for the same prefix after upgrading from 6.4 to 7.0.

API call returns recursive next-hop for the gateway address.

Support GR helper mode (peer) for BGP.

SD-WAN performance SLA tcp-connect probes clash with user sessions.

SD-WAN packet duplication feature in force mode suddenly stops duplicating and starts to duplicate again once the FortiGate is rebooted.

Status of OSPF adjacency is Loading on spokes while Full on the hub side.

When using the policy match tool, the Incoming Interface dropdown does not list SD-WAN member interfaces.

Unable to set OSPF interface IP in the GUI.

DNS over TCP does not work when interface-select-method is set to sdwan in the DNS setting, and the corresponding SD-WAN rule is restricted to the TCP protocol only.

Inconsistent GUI output with unusual characters showing up in the SD-WAN rule list settings and the edit SD-WAN rule page.

Reply TCP traffic for inbound local session uses a different egress interface than the originating traffic

Locally originated type 5 and 7 LSAs' forward address value is incorrect.

Connected VLAN routes are getting removed after an HA failover.

Packet loss status in SD-WAN health check occur after an HA failover.

If the router community-list type is expanded and changed to standard, this causes a community-list error.

Learned BGP through routes are not withdrawn on the spoke after the EBGP neighborship is down between the hub and third party device.

When establishing an IPsec tunnel between FortiGate peers using OSPF to exchange routes, the FortiGate sends a stub LSA with a 32-bit netmask.

IPsec traffic with vpn-id-ipip is egressing with the wrong VRF when offloading is enabled.

When there are over 30 downstream FortiGates in the Security Fabric, the root FortiGate's GUI may experience slowness when loading the Fabric Management page, preventing firmware upgrades using the GUI.

Advanced GCP connector does not resolve if one element does not exist.

When one of the downstream FortiGate VM's license is invalid, the root FortiGate will be automatically logged out from accessing the Firmware & Registration page.

Non-management VDOM is not allowed to set a source-ip for config system external-resource.

External connector to VMware 8.0 with verify certificate enabled will fail.

HTTP 400 errors observed using SDN connector to query AKS clusters if local administrator is disabled.

Security Fabric widget shows the serial number instead of the hostname for a secondary FortiGate in HA.

Renaming conflicted Fabric objects on the root FortiGate does not synchronize the changed Fabric objects to the downstream FortiGate.

The number of log IDs under one automation trigger is limited to 16.

Destination address of SSL VPN firewall policy may be lost after upgrading when dstaddr is set to all and at least one authentication rule has a portal with split tunneling enabled.

When SSL VPN web mode is disabled, SAML external browser login requests should be blocked.

Firewall policy is not allowing the all destination address with a split-tunneling portal.

FortiGate as SSL VPN client does not work on NP6 and NP6XLite devices.

Japanese key input does not work correctly during RDP in SSL VPN web mode.

Multiple instances of *** code requested backtrace *** for SSL VPN daemon observed during a graceful upgrade (on FG-6000F).

SSL VPN connected/disconnected endpoint event log can be in the wrong sequence.

During a handshake when FortiClient sends a larger-than-MTU hello message, the packet is fragmented by IP layer and dropped by the FortiGate.

OS checklist for SSL VPN in FortiOS does not include macOS Sonoma 14.

Long DAC-type cable is added to default media type on 10G port on FG-100F.

Console printed DSL related error messages when disconnecting the managed FortiSwitch and connecting to the FortiGate again.

When changing the FortiSwitch FortiLink port status, the configuration is not applied to the FortiSwitch.

FortiGate and FortiManager have different definitions for the value of poe-detection-type on S108EF platform.

The security rating shows an incorrect warning for unregistered FortiSwitches on the Managed FortiSwitches page.

Workaround: navigate to the Diagnostics & Tools pane of the FortiSwitch to see the correct registration status.

Enhance FortiLink event logs for FortiGate-FortiSwitch event log translation.

FortiSwitch event log displays serial number under name when CAPWAP is up or down.

FortiGate CPU VM increases due to the FortiLink process.

NAC policy cannot match the MAC address with a specific VLAN. The NAC policy needs to be deleted and re-createed for it to work again.

FortiGate nac_segment is not showing assigned dynamic VLAN on FortiSwitch ports.

MIB OID fgSysLowMemUsage returns value for devices where it is not applicable.

Host protection engine (HPE) enchantments should be applied to NP6XLite platforms.

Not all ports are coming up after an LAG bounce on 8 × 10 GB lag with ASR 9K. Affected platforms: FG-3960E and FG-3980E.

SNMP poll for fgExplicitProxyRequests returns 0.

On a redundant interface, traffic may drop with some NPU-offload enabled policies when the interface is not initialized properly.

When configuring an 802.3ad aggregate interface with a 1 Gbps speed, the port's LED is off and traffic cannot pass through. Affected platforms: 110xE, 220xE, 330xE, 340xE, and 360xE.

SFP interfaces that are set to 1000auto are not negotiating on the secondary device.

NP7 did not offload jumbo packet, but get NPU INFO: offload=9/9 in the console output.

Refactor the time zone feature to use the IANA time zone database.

The X1 port is always up with FCLF8522P2BTLFTN transceiver.

FortiGate does not perform a disk scan automatically when autorun-log-fsck is enabled.

Unable to set upstream interface without setting the delegated IAID first for IPv6 interface under delegated mode.

ISP traffic is failing with the LAG interfaces on upstream switches.

On FG-600F, all members are up but the LACP status is showing as down after upgrading.

Ports are flapping and down on the FortiGate 3980E.

Degraded traffic bandwidth for download passing from 10G to 1G interfaces.

FortiGate does not send ARP probe for UDP NP-offloaded sessions.

GUI and CLI time mismatch for Central America (Mexico) time zone.

Optimize memory usage, which causes the SLAB memory to increase, in kernel 4.19.

Fail detection function does not work properly on X1 and X2 10G ports.

For FIPS-CC mode, the strict check for basic constraints should be removed for end entity certificates.

Administrator with read-only access to management permissions cannot perform a configuration backup in the GUI.

Sometimes, the configuration cannot be backed up to an FTP server.

MAC flapping on switch when UDP packets passthrough VWP multiple times with ASIC offload.

Memory usage issue caused by repetitive log messages. Affected platforms: FG-100xF.

ICMP and UDP traffic over GRE is not offloaded on NP7 platforms.

Review the temperature sensor for the SoC4 system.

When L3 or L4 hashing algorithm is used, traffic is not forwarded over the same aggregate member after being offloaded by NP7.

LTE modem is missing after upgrading to 7.4.

When the URL filter requests the FortiGuard (FGD) rating server address using DNS, it will try to get both A (IPv4) and AAAA (IPv6) records.

The FortiGate checksum changes and the FortiManager Backup Mode device status becomes out-of-sync.

Administrator can no longer view or edit the VPN settings in the GUI with system:none permissions.

FortiOS does not accept an installation script from FortiManager when creating an extender-profile with login-password-change is set to yes.

High CPU usage might be observed on entry-level FortiGates if the cache size reaches 10% of the system memory.

ARP issue with VXLAN over IPsec and Soft Switch.

The cmdbsvr process is stuck, and is not pushing configurations made in the GUI or CLI.

SNMP walk of the entire MIB fails when the configuration has split-port and a large number of interfaces.

DHCP server on LAN interface is lost after rebooting or restoring the configuration file.

Multiple spawns of hotplug process consuming high CPU resources.

High CPU usage caused by DHCP packets.

FG-1100E SFP interface of port 23 and 24 with transceiver status is down after upgrading.

Loading of the Toss Bank application is delayed or gets stuck on iPhones with hyperscale CGNAT (NAT64).

FortiGate does not allow tagged VLAN 0 packets.

Unexpected behavior occurred in the kernel when creating EMAC VLAN interfaces based on an aggregate interface with the new kernel 4.1.9.

When DHCP IP reservation is edited from the DHCP dashboard widget, the changes are not retained.

Changes to per-IP shaper settings are not reflected on offloaded sessions in NP7 platforms.

Buffer and description queue limitation of Marvell switch port will cause a performance limitation.

When cmdbsvr receives a request to update the version number, it also receives a copy of the query, but this copy is not freed.

FortiGate as L2TP client is not working with Cisco ASR as L2TP server.

FortiGate ports are not in a configured state after the connected switch reboots.

Temperature sensor value missing for FG-180xF, FG-420xF, and FG-440xF platforms.

Unexpected reboot caused by a rare error condition for FG-VM.

Kernel TCP sessions do no timeout after receiving a legitimate RST and the system goes into conserve mode.

FortiGate is not able to resolve ARPs of few hosts due to their ARP replies not reaching the primary FPM.

A super_admin administrator is unable to log in after restoring the VDOM configuration on the admin VDOM and rebooting the FortiGate.

Enabling NP7 offloading is causing packet drops when using a shaping profile.

The tx_collision_err counter in the FortiOS CLI keeps increasing on both 10G SFP+ X1 and X2 interfaces.

SNMP value for OID 1.3.6.1.4.1.12356.101.12.2.2.1.5 returns the wrong value.

Alarm observed for high PECI temperature despite less CPU activity.

The TCP handshake is interrupted when any of the UTM profiles are enabled.

SNMP does not respond if a VRF is set on the interface.

When signal 11 is sent to httpsd process using diagnose sys kill 11 <PID>, httpsd does not restart. The GUI displays a Service unavailable message. GUI access can be restored by rebooting the device.

MSS clamping is not working on VXLAN over IPsec after upgrading.

Interface LED from panel indicates the wrong status.

The traffic is dropped when auto-asic-offload is enabled and passing through a VLAN associated with a 10G redundant interface.

On the FortiGate 400F and 600F, the buffer and description queue limitation of the Marvell switch port causes a performance limitation.

On FG-10xE, when using ports 13 to 16 as virtual switch LAN ports, auto speed is not supported.

FG-1101E ports with AVAGO AFBR-5710PZ transceiver failed to come up after upgrading.

Batch lastlog does not show any errors for password-policy misconfiguration.

FortiGate as DNS server does not resolve domains in the local database on new VDOM.

Memory usage issue occurs when multiple threads try to access a VLAN group.

High CPU usage caused by DHCP packets.

The GeoIP file should close appropriately after opening or using mmap to share memory.

An error condition occurred in the kernel caused by a rare condition while using the GRE tunnels.

Multiple configuration settings are missing after restoring the VDOM.

SNMP OID 1.3.6.1.2.1.4.34.1.5 ipAddressPrefix is not fully implemented.

FG-3401E link is not coming up using DAC cables after upgrading.

Port channel is down after upgrading the FG-1101E.

When a search is performed on a user (User & Authentication > User Definition page), the search results highlight all the groups the user belongs to.

FortiGate receives FSSO user in the format of HOSTNAME$.

WPA2-Enterprise SSID should support EAP-TLS authentication for PKI users that are configured with multi-factor authentication through a RADIUS server.

FortiToken mobile push with ACME gives an untrusted certificate in iOS application.

In some cases, the HA connection is removed and its memory is freed, but it is still read/written in the following process.

On the System > Replacement Messages page, the guest user email template cannot restore to the to default value.

After creating a new guest user, the administrator cannot view the user's password in plaintext in the GUI.

On a FortiGate managed by FortiManager, when a guest administrator logs in with read-only permissions, the administrator can still create and edit the guest user.

Global DH parameter does not modify the SSH connection key exchange.

Administrator single sign-on login with SAML does not work after upgrading the firmware 7.4.1 due to the SAML entity-id field being incorrectly reset to being empty.

PKI users should pass certificate-based authentication over WPA2-Enterprise SSID.

A false positive SSL VPN login token error message is generated after a successful connection.

In an Azure cluster, the NTP source-ip6 (IPv6) is synchronized while the source-ip (IPv4) is not.

IPv6 multicast packets are triggering a hardware checksum failure error message on the console.

FG-VM is unable to respond to the load balancer's health probe correctly.

FortiGate cannot detect a log disk in some new Azure instances.

On a FortiGate ARM-OCI, after adding more than one network interface card and rebooting, the interface cards are not kept in order.

GCP OS log in integration issues occur in FortiGate deployment.

FG-VM64-AZURE SDN connector does not retry requests to management.azure.com if they fail.

Interfaces are brought down by azd, and traffic is disrupted until manually disabling and enabling the interfaces on the Azure VM.

Unexpected behavior in awsd caused by tags with an empty value on AWS instances while adding a new AWS Fabric connector.

Web filter override expiry date in the GUI may be one hour off if daylight saving time (DST) is observed.

Newly added local URL filter entry cannot be moved using drag-and-drop.

The strict option for sni-server-cert-check is behaving the same as if it is set to enable, and logs are not generated upon SNI mismatch with the CN or SAN.

URL filter IP address block is not honored by the enhanced policy lookup tool.

The move function in the CLI does not work for mpsk-profile and mpsk-group.

After initial packets, FG-101F stops forwarding wired traffic over FAP-23JF LAN tunneled with a dynamic VLAN VAP.

An error condtion occured in the kernel when the FortiAP and SSID are in the same software switch.

Excessive MEM POOLuse_up_cnt observed on secondary unit in an HA environment.

Managed FortiSwitch detects multiple MACs using the same IP address.

On the WiFi & Switch Controller > Managed FortiAPs page of a non-management VDOM, the Register button is unavailable in the Device Registration pane.

FortiOS fails to get all of the configured MAC ACL entries.

The eap_proxy daemon may keep reloading randomly due to failing to bind a port. This will cause an IKE and WiFi authentication failure.

Captive portal appears each time after a channel change or if roaming performed (Cisco ISE with FortiGate and FortiAP).

Clients connected to certain FortiAPs do not have internet access.

PMKID should be removed when an Android device is disconnected by the RADIUS CoA DM request with Acct-Session-Id.

AeroScout agent is not working.

WPA2-Enterprise with a Windows NPS server is not working after upgrading the firmware to FortiOS 7.4.1.

FortiOS 7.4.2 is no longer vulnerable to the following CVE Reference:

• CVE-2023-44250

FortiOS 7.4.2 is no longer vulnerable to the following CVE Reference:

• CVE-2023-46717

FortiOS 7.4.2 is no longer vulnerable to the following CVE Reference:

• CVE-2024-23112

FortiOS 7.4.2 is no longer vulnerable to the following CVE Reference:

• CVE-2023-38545

FortiOS 7.4.2 is no longer vulnerable to the following CVE Reference:

• CVE-2023-44487