Resolved issues
The following issues have been fixed in version 6.2.4. For inquiries about a particular bug, please contact Customer Service & Support.
Anti Virus
Bug ID | Description |
---|---|
557998 | Quarantined CDR files cannot be downloaded. Encountered 404 error when clicking Archived File. |
563250 | Shared memory does not empty out properly under /tmp. |
594696 | Sample file eicar.exe cannot pass through SMTPS, POP3S, or IMAPS with deep inspection and flow enabled on IPv6 policy. |
Data Leak Prevention
Bug ID | Description |
---|---|
563447 | Cannot download DLP archived file from GUI for HTTPS, FTPS, SMTP and SMTPS. |
571171 | Excessive false positives for credit card DLP profiles. |
574722 | DLP blocks Gmail with deep inspection. |
591178 | WAD fails to determine the correct file name when downloading a file from Nextcloud. |
Explicit Proxy
Bug ID | Description |
---|---|
589166 | EPSV does not work when using an FTP proxy. |
594580 | FTP traffic over HTTP explicit proxy does not generate traffic logs once receiving error message. |
594598 | Enabling proxy policies (+400) increases memory by 30% and up to 80% total. |
603707 | The specified port configurations of |
605209 | LDAP ignores |
Firewall
Bug ID | Description |
---|---|
593103 | When a policy denies traffic for a VIP and |
595044 | Get new CLI signal 11 crash log when performing |
595790 | Hit Count column does not work for security policy with multiple VDOMs. |
596218 | ISDB ID is missing when configuring internet service group objects. |
598559 | ISDB matches all objects and chooses the best one based on their weight values and the firewall policy. |
599253 | GUI traffic shaper Bandwidth Utilization should use KBps units. |
600051 | Cannot establish the connection to the real servers using VIP server load-balancing after upgrading to FortiOS 6.2.2. |
600644 | IPS engine did not resolve nested address groups when parsing the address group table for NGFW security policies. |
601331 | Virtual load-balance VIP and intermittent HTTP health check failures. |
604886 | Session stuck in proto_state=61 only when flow-based AV is enabled in the policy. |
606834 | Adding more than one dynamic FSSO firewall address results in GUI and CLI error. |
611840 | Firewall policy search with decimal in the name fails in GUI. |
FortiView
Bug ID | Description |
---|---|
592309 | FortiView physical topology page cannot load; get Failed to get FortiView data error message. |
GUI
Bug ID | Description |
---|---|
557786 | GUI response is very slow when accessing IPsec Monitor (api/v2/monitor/vpn/ipsec is taking a long time). |
565309 | Application groups improvements. |
579711 | Cannot run Security Rating due to disk issue ( |
584314 | NGFW mode should have a link to show all applications in the list. |
585055 | High CPU utilization by httpsd daemon if there are too many API connections. |
585924 | Wrong traffic shaper bandwidth unit on 32-bit platform GUI pages. |
589709 | Status icon in Tunnel column on IPsec Tunnels page should be removed. |
593624 | GUI behavior is different with local user using super admin profile and TACACS user using super admin profile. |
593899 | Upgrading from build 0932 to build 1010 displays Malware Hash Threat Feed is not found or enabled error. |
598247 | One-minute memory; CPU and Sessions widgets stopped updating after system entered and exited conserve mode. |
598725 | Login page shows random characters when system language is not English. |
599245 | Nessus vulnerability scan tool reported more medium level vulnerabilities for 6.2.3 compared with the 6.2.2 result. |
599284 | |
599401 | FortiGuard quota category details displays No matching entries found for local category. |
599612 | GUI should allow user to create redundant IPsec tunnel over different interface to the same remote gateway. |
600120 | Reduce the number of cores used by httpsd for low-end platforms. |
601653 | When deleting an AV profile in the GUI, there is no confirmation message prompt. |
602637 | Block intra-zone traffic toggle button function is inverted in FortiOS 6.2.3. |
602692 | Security Rating result for SSL VPN certificate fails when using a 384-bit elliptic curve certificate. |
603583 | Data source is missing in child table entries in a complex type property. |
603913 | GUI should add interface value check when creating a new zone. |
605493 | Admin cannot log in to FortiGate GUI. |
605677 | System goes into conserve mode when editing ISDB entries through GUI. |
606074 | Interfaces is missing in the GUI in sections for IPv4 Policy and SSL-VPN Settings after upgrading from 6.2.2 to 6.2.3. |
606394 | DPD setting in GUI cannot be reflected correctly when Dialup User and On Demand are set by the IPsec wizard. |
606428 | GUI does not allow multiple IPsec tunnels with the same destination IP bound to the same interface but sourced from a different IP. |
607296 | Firewall address page keeps loading addresses with read-write permission. |
607972 | FortiGate enters conserve mode when accessing Amazon AWS ISDB object. |
609064 | Revoke Token in GUI reports URL not found on server. |
610181 | FG-OPC-ONDEMAND (FGVMPG license) shows FortiCare is not supported even though the license was registered in FortiCare. |
610573 | When saving configuration under global interface, explicit proxy settings are removed. |
611436 | FortiGate displays a hacked web page after selecting an IPS log. |
615085 | Slow GUI response with httpsd intermittently consuming high CPU when GUI is accessed. |
615462 | GUI takes 10-15 seconds to load Device Inventory, IPv4 Policy, and Interfaces pages. |
617364 | GUI does not list AliCloud SDN address filter. |
HA
Bug ID | Description |
---|---|
530215, 601550 | Application |
588908 | FG-3400E hasync reports the network is unreachable. |
596575 | HA active-active primary unit attempts to steer HTTP and SMTP sessions to secondary unit over NPU-VLINK interfaces. |
596837 | Deleting tunnel on primary unit via API call will not delete it from the secondary unit. |
598937 | Local user creation causes HA to be out of sync for several minutes. |
602266 | The configuration of the SD-WAN interface gateway IP should not sync. |
602406 | In a FortiGate HA cluster, performance SLA (SD-WAN) information does not sync with the secondary unit. |
613714 | HA failover takes over one minute when monitored aggregate interface goes down on primary device. |
621621 | Ether-type HA cannot be changed. |
Intrusion Prevention
Bug ID | Description |
---|---|
605610 | Security Policy page is slow to load due to empty security firewall statistic returning from IPS engine. |
608501 | IPS forwards attacks that are previously identified as dropped. |
IPsec VPN
Bug ID | Description |
---|---|
516029 | Remove the IPsec global lock. |
557812 | IPsec does not support the new |
589096 | In IPsec after HA failover, performance regression and IKESAs are lost. |
590633 | Packet loss observed after ADVPN shortcut is created. |
594962 | IPsec VPN IKEv2 interoperability issue when the FortiGate uses a group as P2 selectors with a non-FortiGate in a remote peer gateway. |
595810 | Unable to reach network resources via L2TP over IPsec with WAN PPPoE connection. |
596429 | Traffic unable to pass through for certain phase 2 selectors when there is double SA. |
597435 | Problem establishing ADVPN shortcuts between spokes when the spoke has an additional VPN running. |
597748 | L2TP/IPsec VPN disconnects frequently. |
599471 | IKEv2 responder can delete static selectors when local narrowing occurs. |
602240 | IKEv2 EAP-TLS handshake detected retransmit of client, but FortiGate does not retransmit its response. |
603090 | The OCVPN log file was not closed or properly trimmed due to the incorrect state_refcnt. The OCVPN log file stayed open, grew extremely large, and was never trimmed. |
604334 | L2TP disconnection when transferring large files. |
604923 | IKE memory leak when IKEv2 certificate subject alternative name/peer ID matching occurs. |
607212 | IKEv2 DPD is not triggered if network overlay network ID was mismatched when first configured. |
609033 | After two HA failovers, one VPN interface member of SD-WAN cannot forward packets. |
611148 | L2TP/IPsec does not send framed IP address in RADIUS accounting updates. |
612319 | MTU calculation of shared dynamic phase 1 interface is too low compared to its phase 2 MTU and makes fragmentation high. |
615360 | OCVPN secondary hub cannot register. |
622506 | L2TP over IPsec tunnel established, but traffic cannot pass because wrong interface gets in route lookup. |
Log & Report
Bug ID | Description |
---|---|
593557 | Logs to syslog server configured with FQDN addresses fail when the DNS entry gets updated for the FQDN address. |
595151 | Log filter for user name in UPN format is not consistent when the log location is set to FortiAnalyzer and local disk. |
602459 | GUI shows 401 Unauthorized error when downloading forward traffic logs with the time stamp as the filter criterion. |
605174 | Incorrect |
Proxy
Bug ID | Description |
---|---|
561552 | WAD crashed with signal 6 (MAPI/RPC). |
594829 | FTP connection is not working with AV profile in proxy inspection mode when FTP user name contains an @. |
610466 | Multiple WAD crash on FG-500D after upgrading from 6.2.3 ( |
REST API
Bug ID | Description |
---|---|
599516 | When managing FortiGate via FortiGate Cloud, sometimes user only gets read-only access. |
Routing
Bug ID | Description |
---|---|
580207 | Policy route does not apply to local-out traffic. |
593951 | Improve algorithm to distribute ECMP traffic for source IP-based/destination IP-based. |
597733 | IPv6 ECMP routes cannot be synchronized correctly to HA secondary unit. |
598665 | BGP route is in routing table but not in FIB (kernel routing table). |
599667 | OSPF over ADVPN flapping after shortcut tunnel established. |
599884 | Traffic not following SD-WAN rules when one of the interfaces is VLAN. |
600332 | SD-WAN GUI page bandwidth shows 0 issues when there is traffic running. |
600830 | SD-WAN health check reports have packet loss if response time is longer than the check interval. |
600995 | Policy routes with large address groups containing FQDNs no longer work after upgrading to 6.2.2. |
602223 | SD-WAN route is not added in routing table when the SD-WAN interface members are IPv4 over IPv6 IPsec. |
602679 | Prevent BGP daemon crashing when peer breaks TCP connection. |
603063 | Locally originated traffic on non-default VRF may follow route on VRF 0 when there are routes with the same prefix on both VRFs. |
604390 | FortiOS 6.2.3 by default drops reply packets received from a different interface (unlike 6.2.2). |
Security Fabric
Bug ID | Description |
---|---|
586024 | Automation stitch cannot execute shutdown command when FortiGate enters kernel conserve mode. |
588262 | IP address Threat Feed fabric connector not working. |
599474 | FortiGate SDN connector not seeing all available tag name-value pairs. |
604670 | Time zone of scheduled automation stitches will always be taken as GMT-08:00 regardless of the system's timezone configuration. |
SSL VPN
Bug ID | Description |
---|---|
556657 | Internal website not working through SSL VPN web mode. |
561585 | SSL VPN does not correctly show Windows Admin center application. |
563022 | SSL VPN LDAP group object matching only matches the first policy; is not consistent with normal firewall policy. |
582115 | Third-party (Ultimo) web app does not load over SSL VPN web portal. |
582265 | RDP sessions are terminated (disconnect) unexpectedly. |
587300 | In web mode, third-party webpage stuck on loading animation; JavaScript error in console. |
587732 | The SSL VPN web mode SSH widget is not connecting to the SSH server. |
588066 | SSO for HTTPS fails when using "\" (backslash) with the domain\username format. |
588587 | Different portals of SIPLAN COMPESA do not show properly in web mode. |
593367 | SSL VPN bookmark does not load after clicking from the portal. |
593621 | Website not fully loading through web portal bookmark; loads correctly with iPad user agent. |
595627 | Cannot access some specific sites through SSL VPN web mode. |
596296 | SSL VPN fails 90% when connecting with FortiClient. |
596352 | SAML user name is not correctly recorded in logs when logging in to SSL VPN portal via SSO entry, and history cannot be shown. |
596412 | Not possible to download PDF file after connecting to portal through SSL VPN bookmark. |
596441 | FortiOS does not correctly re-write the Exchange OWA logoff URL when accessed via SSL VPN bookmark. |
596757 | SSL VPN connection stuck at 95% or 98%. |
596846 | Unable to deauthenticate FSSO user in GUI, but it works in CLI. |
597336 | Webpage does not load properly through SSL VPN web mode (fails to show CAPTCHA). |
597566 | Add SSL VPN SSO user logged in from SAML response. |
597634 | In SSL VPN web mode, internal web services not working and tunnel mode is working fine. |
597658 | Internal custom web application page running on Apache Tomcat is not displaying in SSL VPN web mode. |
598659 | SSL VPN daemon crash. |
598660 | Internal website is not accessible from SSL VPN as the URL is being modified. |
598850 | SAML authentication group match does not work for SSL VPN; mismatched SAML user can also log in. |
599394 | SSL VPN web portal bookmarks are not fully loading for Vivendi SelfService application. |
599658 | GUI is not rendered well by SSL VPN portal when using domain and user to log in. |
599668 | In SSL VPN web mode, page keeps loading after user authenticates into internal application. |
599671 | In SSL VPN web mode, cannot display complete content on page, and cannot paste or type in the comments section. |
599777 | Problem with rat***.com portal accessed via SSL VPN web mode. |
599960 | RADIUS user and local token push cannot log in to SSL VPN portal/tunnel when the password needs to be changed. |
600029 | Sending RADIUS accounting interim update messages with SSL VPN client framed IP are delayed. |
600103 | Sslvpnd crashes when trying to query a DNS host name without a period (.). |
601084 | Site in .NET framework 4.6 or 4.7 not loading in SSL VPN web mode. |
601867 | SSL VPN web mode cannot open DFS share subdirectories, gives invalid HTTP request message. |
602392 | Cannot access remote site using SSL VPN web mode after upgrading to FOS 6.2.2. |
602645 | SSL VPN Synology NAS web bookmark login page does not work after upgrading to 6.2.3. |
603518 | Internal website not working in SSL VPN web mode; cannot load ESS/MSS page. |
603779 | Chinese characters are garbled when downloading from SMB/CIFS in SSL VPN web mode. |
603817 | Internal website is not shown properly in SSL VPN web mode. |
603957 | SSL VPN LDAP authentication does not work in multiple user group configurations after upgrading the firewall to 6.0.7. |
604882 | Internal SAP website not working in SSL VPN web mode. |
605110 | Mobile token is not required when LDAP user and LDAP group are set in SSL VPN policy together. |
605699 | Internal HRIS website dropdown list box not loading in SSL VPN web mode. |
607413 | SMB/CIFS bookmark name gets scrambled if it contains special characters like space, backslash, colon, etc. |
608453 | Internal website is not accessible from SSL VPN due to some Sage X3 JS files with errors. |
610564 | RDP over web mode SSL VPN to a Windows Server changes the time zone to GMT. |
613111 | Traffic cannot pass through FortiGate for SSL VPN web mode if the user is a PKI peer. |
613641 | SSL VPN web mode custom FortiClient download URL with %s causing sslvpnd to crash. |
616879 | Traffic cannot pass through FortiGate for SSL VPN web mode if the user is a PKI peer. |
621270 | SSL VPN user groups are corrupted in auth list when the user is a member of more than 100 groups. |
624197 | SSL VPN web mode does not completely load the redirected corporate SSO page when accessing an internal resource. |
625338 | sslvpnd crashing with signal 7 on get_free_idx. |
625554 | SSL VPN connection was used when the DTLS UDP packet process failed and connection was destroyed. |
Switch Controller
Bug ID | Description |
---|---|
517663 | On a managed FortiSwitch already running the latest GA image, Upgrade Available is shown. |
601547 | Unable to push user group configuration from FortiGate to FortiSwitch, and |
607707 | Unable to push configuration changes from FortiGate to FortiSwitch. |
608231 | LLDP policy did not download completely to the managed FortiSwitch 108Es. |
613323 | FortiSwitch trunk configuration sync issue after FortiGate failover. |
System
Bug ID | Description |
---|---|
436904 | Get |
515201 | FortiGate cannot display the script name from FortiManager. |
527459 | SSDN address filter unable to handle space character. |
576337 | SNMP polling stopped when FortiManager API script executed onto FortiGate. |
582498 | Traffic cannot be offloaded to both NTurbo and NP6 when DOS policy is applied on ingress/egress interface in a policy with IPS. |
585053 | NP6 VLAN LACP-based interface RX/TX counters not increasing. |
586990 | Customer with FG-50E getting high CPU with 6.2.1. |
589079 | QSFP interface goes down when the |
589723 | Wrong source IP is bound for |
590021 | Enabling |
590423 | FortiManager needs patch and minor number to update global database when FortiGate firmware upgrade does not trigger an auto-retrieve configuration. |
592148 | Issue with TCP packets when traversing the virtual wire pair in transparent mode. |
592570 | VLAN switch does not work on FG-100E. |
592827 | FortiGate is not sending DHCP request after receiving offer. |
593426 | Remove DST for Brazil. |
594018 | Update daemon is locked to one resolved update server. |
594577 | Out of order packets for an offloaded multicast stream. |
594865 | |
595338 | Unable to execute |
595467 | Invalid multicast policy created after transparent VDOM restored. |
598527 | ISDB may cause crashes after downgrading FortiGate firmware. |
602523 | DDNS |
602548 | Some of the clients are not getting their IP through DHCP intermittently. |
603194 | NP multicast session remains after the kernel session is deleted. |
603551 | DHCPv6 relay does not work on FG-2200E. |
604462 | xcvrd crashed with signal 11. |
604550 | Locally-originated DHCP relay traffic on non-default VRF may follow route on VRF 0. |
604699 | Header line that is not freed might cause system to enter conserve mode in a transparent mode deployment. |
606597 | When changing time zone on FG-101E, get Failed to set SMC timezone message. |
607015 | More than usual NTP client traffic caused by frequent DNS lookups and NTP sync for new servers, which happens quite often on some global NTP servers. |
607452 | Automatically logged out of CLI when trying to configure STP due to /bin/newcli crash. |
610900 | Low throughput on FG-2201E for traffic with ECN flag enabled. |
610903 | SMC NTP functions are enabled on some of the models that do not support the feature. |
610976 | Get kernel panic when creating VLAN on GENEVE interface. |
612113 | xcvrd attaches shared memory multiple times causing huge memory consumption. |
617453 | fgfmsd crash due to REST agent. |
621771 | FortiGate cannot be accessed by ping/telnet/ssh/capwap in transparent VDOM. |
623113 | FortiGate not entering A records in shadow DNS database for cross-subdomain CNAME requests. |
626785 | FG-101F should support the same WTP size (128) as FG-100F. |
627409 | Cannot create hardware switch on FG-100F. |
User & Device
Bug ID | Description |
---|---|
573317 | SSO admin with a user name over 35 characters cannot log in after the first login. |
592047 | GUI RADIUS test fails with |
593361 | No source IP option available for OCSP certificate checking. |
594863 | UPN extraction does not work for particular PKI. |
596844 | Admin GUI login makes the FortiGate unstable when there are lots of devices detected by device identification. |
602407 | Deny log messages do not contain the username and group information. |
605206 | FortiClient server certificate in FSSO CA uses weak public key strength of 1024 bits and certificate expiring in May 2020. |
605404 | FortiGate does not respond to disclaimer page request when traffic hits a disclaimer-enabled policy with thousands of address objects. |
605437 | FortiOS does not understand CMPv2 |
605950 | RDP sessions are terminated (disconnect) unexpectedly. |
609655 | Captive portal exemption after upgrading the device from 6.2.2 to 6.2.3. |
615513, 697304 | The |
VM
Bug ID | Description |
---|---|
575346 | |
594248 | Enabling or disabling SR-IOV under vNIC creates duplicate MAC addresses and extra interfaces on the FortiGate. |
597003 | Unable to bypass self-signed certificates on Chrome in macOS Catalina. |
598419 | Static routes are not in sync on FortiGate Azure. |
599430 | FG-VM-AZURE fails to boot up due to |
600975 | Race condition may prevent FG-VM-Azure from booting up because of deadlock when processing NETVSC offering and vPCI offering at the same time. |
601357 | FortiGate VM Azure in HA has unsuccessful failover. |
601528 | License validation failure log message missing when using FortiManager to validate a VM. |
603365 | HA secondary member instance shuts down due to RAM difference after stopping/starting the cluster instances. |
603599 | VIP in autoscale on GCP not syncing to other nodes. |
603426 | AWS-PAYG in HA setup can lose its VM license after rebooting with certain setup. |
605103 | E1000 network adapter will be deleted if there is a VMXNET3 network adapter. |
605435 | API call to associate elastic IP is triggered only when the unit becomes the primary device. |
606439 | License validation failure log message missing when using FortiManager to validate VM. |
609283 | IP pools are synchronized in FortiGate Azure HA. |
612611 | Very hard to download image for FG-AWSONDEMAND from FDS. |
614544 | AWS VM sometimes could not get fdsm image list from FDS. |
622031 | AZD keeps crashing if Azure VM contains more than 15 tags. |
VoIP
Bug ID | Description |
---|---|
599117 | |
601275 | MGCP session helper does not NAT the MGCP body. |
Web Filter
Bug ID | Description |
---|---|
551956 | Proxy web filtering blocks innocent sites due to |
593203 | Cannot enter a name for a web rating override and save—error message appears when entering the name. |
606965 | Unable to allow specific YouTube channel when all other YouTube channels or videos are blocked. |
WiFi Controller
Bug ID | Description |
---|---|
563630 | Kernel panic observed on FWF-60E. |
594170 | FortiAPs not shown in the GUI. |
595653 | FortiGate in transparent mode cannot manage FortiAP devices successfully. |
599690 | Unable to perform COA with device MAC address for 802.1x wireless connection when |
601012 | When upgrading from 5.6.9 to 6.0.8, channels 120, 124, and 128 are no longer there for NZ country code. |
608717 | Packet loss over CAPWAP tunneled SSID. |
615219 | FortiGate cannot create WTP entry for FortiAP in transparent mode. |
Common Vulnerabilities and Exposures
Visit https://fortiguard.com/psirt for more information.
Bug ID | CVE references |
---|---|
558685 | FortiOS 6.2.4 is no longer vulnerable to the following CVE Reference: |