Dashboard time range filter does not work.

No message to explain why the user cannot set the UI to prevention mode when all policies are in simulation mode.

Clicking on Collectors by version in Dashboard view does not lead to the Collectors Inventory view.

Device security should be N/A for disconnected devices.

A Collector may fail to install or upgrade on old Windows 7 and Server 2008 devices that cannot decrypt strong ciphers with which FortiEDR Collector is signed.

Workaround: Patch Windows with Microsoft KB that provides SHA-256 code sign support.

Some AV Products, including Windows Defender and some versions of FortiClient, require that their realtime protection be disabled in order to be installed alongside a FortiEDR Collector.

This is the result of FortiEDR registration as an antivirus (AV) in the Microsoft Security Center that was introduced in V4.0. Although there is no need for more than a single AV product to be installed on a device, FortiEDR can be smoothly installed, even if there is another AV already running. However, there are some other products whose installation fails when there are other AV products already registered.

Workaround: Disable realtime protection on the other product, or remove FortiEDR’s AV registration with Microsoft Security Centervia UI.

SAML Authentication can fail when used with Azure SSO due to exceeded time skew.

Workaround: Sign out and then sign in again to Azure so that the date and time provided to FortiEDR are refreshed.

Number of destinations under communication control is limited to 100 IP addresses.

Limited support when accessing the Manager Console with Internet Explorer, EdgeHTML and Safari 13 or above. Chromium Edge is supported, as well as Chrome, FireFox and Safari 11 and above.

Safari 11.1 on macOS malfunctions when viewing events.

A newly created API user cannot connect to the system via the API.

Workaround: Before sending API commands, a new user with the API role should log into the system at least once in order to set the user’s password.

Isolation and communication control connection denial are not supported with Oracle Linux Collectors.

Downgrading the Collector Version: When downgrading and restarting a device, the Collector does not start.

Workaround: Uninstall the Collector, reboot the device and then install the older version.

FortiEDR Connect cannot be used to run commands that are user-interactive.

Collector upgrade via custom installer requires password.

On Linux, threat hunting exclusions only work in kernel space mode, not in user space mode.

In the presence of an email filtering system and/or a mail transfer agent that modifies the URL content, the installer download URL might include space(s) or %20s in it, which are added by the system/agent. This results in a signature error message from the installer storage.

Workaround: In such cases, the URL should be amended to drop the redundant space/%20 before it can be used.

SAML authentication cannot work with different organizations that use the same SAML Azure account.

Workaround: Use different Azure accounts for different FortiEDR organizations.

Organization filter under Threat Hunting Hoster view malfunctions.

Device internal and external IP is missing from Threat Hunting events of Linux devices.

In Windows Security Center > Virus and Threat Protection, when you click "open app", end-user notification is presented instead of the FortiEDR tray app.

Linux Collector content file is large and uploads slowly to the Central Manager.

Windows security center registration is not supported with Windows servers 2019 and above.

Application Control search only works by exact match

FortiEDR Connect session may be disconnected due to inactivity of the FortiEDR Console, even though the Connect session is active.

It is not possible to redirect FortiEDR web to a URL that is different than the one provided by Fortinet.

Raw data IDs appearing in the Collector tray and Event Viewer may differ.

Application Control cannot remove multiple tags in one action.

In some network configurations, a rare issue might cause Collectors to be detected as IOT devices

Threat Hunting: The tooltip displayed when hovering might prevent access to adding a filter.

The Rest API might return a null pointer exception for missing parameters.

Workaround: Provide AllUser parameter in the request.

When switching to Threat Hunting from Event Viewer->Automated Analysis, queries malfunction when more than one device is involved

Workaround: Filter by the same Collectors directly from Threat Hunting, which brings results.

"Query Parsing Failed" in Threat hunting pops up multiple times after invalid query.

Free text query in threat hunting, when using invalid text, no error message is displayed. The query returns empty results.

Unable to filter by empty registry names in facets in Threat Hunting.

In Threat Hunting, clicking Retrieve Target File for "File Rename" events retrieves the old file name instead of the renamed one.

In a threat hunting search, if you search for "Target.Registry.Path:" AND "Registry.Path" the results will be empty

Workaround: Use either "Target.Registry.Path" or "Registry.Path" in a specific search.

Remote shell does not work on Windows XP and Windows Server 2003.

IoT filter by ״First connection=Today״ brings empty results

Failure to edit a Hoster user when a local user has the same name.

Investigation View: Incident response data is inaccurate.

Unarchiving all events in large environments might cause the Central Manager to malfunction.

Workaround: Filter events before unarchiving to reduce unarchive size.

In the Investigation View, the message is wrong in the Block address on firewall window when you click Firewall Block.

System event page default filtering is required.

In some cases, the communication control feature does not work due to unforeseen technical issues.

Workaround: Troubleshoot and upgrade the Central Manager.

LDAP authentication fails sporadically.

Some event log entries in threat hunting display logged event values in incorrect logged event fields .

IoT entries in Audit Log.

Disconnected Collectors using an old registration password that was deleted from the Console are incorrectly classified as expired (with a status of "Disconnected (Expired)" instead of "Disconnected") and are excluded from license count.

Cannot move a Collector to a different group via Rest API.

Incorrect threat hunting profile order of Fortinet pre-defined application profiles.

REST API file scan: no errors with invalid input for scanSelection.

Inventory Collectors display has a column style issue when no Collectors exist.

The "Organization" field is a mandatory field when using the File Scan Rest API when the environment includes no organizations.

Workaround: When using this API, provide the "Organization" field with the value from Administration > Licensing > Name.

REST API file scan: unclear error when "organization" is not sent in multi-tenancy setup.

Rest API UI - The description is missing information under the "Policies" tab.

REST API - Error 400 on admin/list-system-summary.

Improve "file permission change" text in Threat Hunting Exclusions display.

Added Threat Hunting columns re inaccessible unless the columns are narrowed.

Log does not contain concrete helpful errors for API.

Threat Hunting Collection Profiles - rule name and icon not aligned.

The API for moving a Collector to a high security group can be triggered even if the Collector has already been moved.

REST API File Scan - unsupported configurations should be removed.

REST API - Scan selection for full scans should be disabled.

Security events fully covered by an exception retains the full coverage indication icon even after new uncovered raw data items come in.

Missing field in Checkpoint firewall integration

Unable to reset a two-factor authentication token for LDAP users.

Failure to delete aggregations in big bulks over 20K.

Confusing error message when uploading a wrong formatted file in Application Control Manager > Upload Applications.

Ad hoc network discovery tooltip has a mistake in Japanese.

Event Viewer count changes with sort.

In Events Viewer, Triggered Rules message includes a reference to the removed Forensics tab.

Syslog is created with no audit.

No validation for SecurityExclusionRepoEntity.path in exclusions configuration.