Fortinet Document Library


Release Notes

Resolved issues

The resolved issues listed below may not list every bug that has been corrected with this release. For inquiries about a particular bug, please visit the Fortinet Support website.

Bug ID  Description
544691  Remote LDAP admins have no certificate bindings.
666636  Wrong group attributes indicator in RADIUS policy response table for EAP-TLS.
676321  "Allowed shell commands" label in authorization rules is misleading.
677417  FSSO user/group filter import has misleading descriptions.
700837  SMS gateway HTTP/HTTPS - Inconsistent JSON object type used for phone-number attribute.
700957  User logon is not working with FSSOMA mobility agent.
652072  LDAP user password expired, user not prompted for RSA Token code (chained Token Authentication).
683298  Agent exception error occurred when OTP is delivered by SMS.
693210  Self-registration access via HTTP is allowed.
670811  Remote SAML user import from Azure AD issues.
673303  Fine-grained menu content has misaligned pointer in SSO/General.
467883  RDP Users prompted for credentials twice and failing the second time due to token reuse (if they do not wait).
685408  Restricted admin users have view of HA settings and can attempt to change them.
584589  Align logs on the left side instead of the center.
670827  FortiGate filtering stops any users sent to FortiGate even though users are members of group/container.
649999  SAML SSO Groups - not all are imported.
682170  When a user reports a lost token and tries to switch to email token authentication, the email is never sent to the user with the token.
657522  SAML authentication fails when the AD display name contains a comma (,) and the user has an admin role.
645043  GUI does not show cert UPN.
685462  Longer IPv6 address cannot be set to the FortiAuthenticator interface.
689340  Secondary unit upgrade fails.
690250  Remote SAML user import from Azure AD - Not all users imported.
676311  FortiAuthenticator-VM hangs while quiescing the virtual machine.
694599  Certificate sync does not work from primary to LB peer/nodes.
677935  Self-service portal does not work with remote LDAP user with administrator role profile, portal error: 403 Forbidden.
673151  Domain controller query status shows failed with successful queries.
680488  Gateway timed out error while creating a new user group.
666782  If local CA is selected for EAP and no EAP server certificate is present on FortiAuthenticator, radiusd keeps crashing after upgrading to 6.2.0.
632237  Remove device ID requirement when using Smart Connect.
693893  Display filter is not working correctly within the certificates section.
693920  Smart Connect user certificate generation fails due to certificate ID character limitation/autogeneration process.
701887  FortiAuthenticator Captive Portal is not providing correct redirection URL response to Apple iOS devices.
602707  Unable to add multiple alternate DNS names into certificate for user certificates.
677657  FortiAuthenticator timing out with known good SMTP server (port 587, no STARTTLS).
672750  When a user tries to access the Self-service portal, FortiAuthenticator gives the "Please enter correct credentials. Note password is case-sensitive" error randomly.
676225  RADIUS authentication with the remote RADIUS server stops working.
650215  FortiAuthenticator Windows Agent 3.0 - New RDP connection by the same user unable to finish due to blank login screen.
666880  GUI - Hide SNMP trap option for PSU monitoring for unsupported devices.
693207  LB Cluster fails to sync SAML configuration.
692994  Change in the default RADIUS authentication port makes the GUI inaccessible.
703275  Protection and warning when deleting a local CA (in the LB primary side).
673319  Admin cannot log in to approve the self-registration when group filters are set without admin user in a Guest Portal policy.
640048  FortiAuthenticator fails to load the license.
675195  Non-SMS RADIUS users unable to authenticate when the SMS gateway is down.
681102  Hitting the OpenLDAP size limit on FortiAuthenticator.
686551  Passwords of some local users on FortiAuthenticator are not expiring.
696064  LB sync deletes LB-created CA certificate but it still shows up in the UI list.
676595  Error creating RADIUS client (subnet) matching existing TACACS client (subnet).
543791  Users audit report does not update timestamps for LDAP users in the "last used" column.
697561  FortiAuthenticator 2000E missing power supply in the CLI and the GUI.
672987  After upgrading FortiAuthenticator from 5.4 to 6.x, Apple devices cannot load the FortiAuthenticator captive portal via the system pop-up only.
699562  License dashboard pane is not populating.
669079  HTTPS certificate chain is inconsistent/incorrect.
668337  Allowed hosts configuration through CLI not reflected in the GUI before reboot.
663582  Unable to disable maintenance mode in a HA cluster.
692726  Certificate expiry warning sends out an email every day.
678195  TACACS+ service unstable after receiving many authentication attempts.
698736  FortiAuthenticator HA primary API PATCH method localuser-[ID] produces a 504 gateway timeout.
685872  Change in HTML for confirmation page after a successful logout from the guest portal "Logout Success Page".
666571  "Portal was not found in the session" when registering a guest with non-ASCII characters "Umlauts".
694682  Unable to import SSO filtering LDAP group from the eDirectory.
677228  Push notifications are not working for random users after upgrading to FortiAuthenticator 6.2.0 and 6.2.1.
675545  FortiAuthenticator is not sending optional Attribute-Value pairs.
688713  Duplicate remote LDAP users are not syncing.
697598  Mobile number formatting.
684202  Recover from corrupt FTM license configurations.
683266  FortiAuthenticator Windows agent - Push not working for some clients.
710223  FortiAuthenticator Agent: SMS token code not delivered for a user set with a blank password.
601603  CLI only supports configuring interfaces port1 - port4.
601520  Recurrent log message: Portal was not found in the session, redirecting back to the entry point.
660357  FSSO FortiGate IP filter ignored when the global group prefilter is enabled.
588346  An expired certificate is delivered toward WiFi authenticated users.
685330  SAML assertion request error in the date/time format.
671345  FortiAuthenticator Windows Agent prompts for token despite an incorrect password, and then does not prompt for user credentials again.
604924  SAML SSO/Proxy metadata download fails with "invalid_xml".
630041  FortiAuthenticator FSSO - TS Agent sessions stuck at zero after server reboot until FSSOTA service is restarted.
685368  SNMP access to the LB secondary fails.
705368  Transferring reassigned tokens triggered from the previous user sends email to the existing user.
668916  Subdomain users can authenticate over FortiAuthenticator Agent installed on a workstation in the main domain without a token code.
673306  FortiAuthenticator Agent cannot initiate connection towards a secondary FortiAuthenticator for 2FA validation.
668045  On a LB node, a user certificate has the same SN in case of getting signed with synced local CA of standalone primary.
676199  Windows Agent 3.2 push notification accept fails on unlock and change password screens.
635893  Change password not working with Checkpoint VPN when 2FA is enabled.
615442  No Kerberos ticket requests (negotiate) on encrypted HTTPS traffic from FortiAuthenticator.
659402  CLI: Verify administrator password before resetting the default admin account.
674705  User Portal: Self-service policy cannot do MAC filtering.
666462  Lost messages from the serial port.
674673  GUI display of Power supply status is wrong.
659392  Ensure logs for push notification daemon are rotated.
693737  LB checksums not changing when local user passwords are updated.
693809  Rate limit REST API calls to authentication related endpoints.
708052  Old SAML IdP sessions not cleaned up by the expired session cleanup task.
694555  Unable to select admins from the MAC device page.
704794  Unable to delete social users.
683398  Remove "realm" field when FortiAuthenticator calls auth_post with arguments.
709726  No more pushd log after the old log is archived.
664328  HA LB status Users/User profiles keep going back to the out-of-sync status.
707708  Port over FortiOS changes to upgrade Windows Azure Agent for marketplace compatibility.
621047  rlm_facauth multi-thread support.
643334  If the MAC filter is enabled, but the configured RADIUS attribute is missing from the packet, we deny the authentication.
605463  Update cert layout so that the subject column is usable and the "Renewable Before Expiry (days)" is sized appropriately for.
696457  Cloud initialization with CLI in config drive fails due to mandatory default password reset.
650889  XSS Vulnerability observed when editing a Replacement Message.
678484  Secure flag support in SSL/TLS HTTPS cookies to avoid cookie leaking.
690816  LDAP sync rule does not support switching between user types in admin case.
673185  FortiAuthenticator 6.0.3 generates errors in the FSSO debug log showing max TS Agent number has been reached.
690625  Wildcard for the allowed host.
665256  REST API FTC push support.
699739  HA-cluster upgrade failed in the secondary side.
702199  DB level delete cascade is missing.
659251  Add "expires_in" field to /oauth/verify_token/ response.
690640  Remote sync rules only enable password recovery by email, not by security questions.
704228  Support for SHA256 usage in SAML signature method.
687350  CSR issued by Windows cannot be signed by FortiAuthenticator 6.2.x.
604224  Add a way to expand FortiAuthenticator "data drive" file system if partition size increases.
708158  Support email/SMS 2FA for FTC.
485564  Despite the kernel patch, TCP Sequence Number Approximation Based Denial of Service still exists in FortiAuthenticator for port 443.
