DNS filter forwards the DNS status code 1 FormErr as status code 2 ServFail in cases where the redirect server responses have no question section.

When configuring explicit proxy with forward server, if ssl-ssh-profile is enabled in proxy-policy, WAD is unable to correctly learn the destination type correctly, so the destination port is set to 0, but the squid proxy server does not accept the request and returns an error.

SNI ssl-exempt result conflicts with CN ssl-exempt result when SNI is an IP.

Firewall with forward proxy and UTM enabled is sending TLS probe with forward proxy IP instead of real server IP.

Improve logic of removing HTTP Proxy-Authorization/Authorization header to prevent user credential leaking.

Traffic not matched by security policy when using service groups in NGFW policy mode.

Move command does not work for firewall service category.

Firewall policy dstaddr does not show virtual server available based on virtual WAN link member.

Policy with a Tor exit node as the source is not blocking traffic coming from Tor.

When a policy denies traffic for a VIP and send-deny-packet is enabled, the mappedip is used for the RST packet's source IP instead of the external IP.

The packet dropped counter is not incremented for per-ip-shaper with max-concurrent-session as the only criterion and offload disabled on the firewall policy.

Custom services name is not displayed correctly in logs with a port range of more than 3000 ports.

The number of sessions in session_count does not match the output from diagnose sys session full-stat.

Threats drilldown for Sources, Destinations, and Country/Region (1 hour, 24 hours, 7 days) gives the error, Failed to retrieve FortiView data.

Newly created deny policy incorrectly has logging disabled and can not be enabled when the CSF is enabled.

BGP configuration gets applied on the wrong VDOM if user switches VDOM selection in between operations (slow GUI).

HA warning message remains after primary device takes back control.

Warning message is not displayed when a user configures an interface with a static IP address that is already in use.

Managed FortiSwitch and FortiSwitch Ports pages are slow to load when there are many managed FortiSwitches. This performance issue needs a fix on both FortiOS and FortiSwitch. A fix was provided in FortiOS 7.0.1 and FortiSwitch 7.0.1.

Page is stuck and there is a blank message field when doing policy lookup with non-IP protocol.

On POE devices, several sections of the GUI take over 15 seconds to fully load.

Software switch members and their VLANs are not visible in the GUI interfaces list.

A user can browse HA secondary logs in the GUI, but when a user downloads these logs, it is the primary FortiGate logs instead.

GUI not displaying PoE total power budget on FOS 6.2.3.

User group not visible in GUI when editing the user with a single right-click.

Log Details under Log & Report > Events displays the wrong IP address when an administrative user logs in to the web console.

On some browser versions, the GUI displays a blank dialog when creating custom application or IPS signatures. Affected browsers: Firefox 85.0, Microsoft Edge 88.0, and Chrome 88.0.

When a FortiGate is managed by FortiManager with FortiWLM configured, the HTTPS daemon may crash while processing some FortiWLM API requests. There is no apparent impact on the GUI operation.

On the System > HA page, when vCluster is enabled and the management VDOM is not the root VDOM, the GUI incorrectly displays management VDOM as primary VDOM.

On a mobile phone, the WiFi captive portal may take longer to load when the default firewall authentication login template is used and the user authentication type is set to HTTP.

On FG-VM64-AZURE, administrator is logged out every few seconds, and the following message appears in the browser: Some cookies are misusing the recommended "SameSite" attribute.

On the Network > Interfaces page, users cannot modify the TFTP server setting. A warning with the message This option may not function correctly. It is already configured using the CLI attribute: tftp-server. appears beside the DHCP Options entry.

Workaround: use the CLI.

On the Network > SD-WAN page, the volume sent/received displayed in the charts does not match the values provided from the REST API when the RX and TX values of diagnose sys sdwan intf-sla-log exceed 2³²-1.

GUI shows user as expired after entering a comment in guest management.

When logged in as guest management administrator, the custom image shows as empty on the user information printout.

Workaround: use the regular Guest Management page.

Long lasting sessions are expired on HA secondary device with a 10G interface.

The hasync process crashed because the write buffer offset is not validated before using it.

The hasync process crashes often with signal 11 in cases when a CMDB mind map file is deleted and some processes still mind map the old file.

HA primary does not send anti-spam and outbreak prevention license information to the secondary.

In large customer configurations, some functions may time out, which causes an unexpected failover and keeps high cmdbsvr usage for a long time.

HA secondary is consistently unable to synchronize any sessions from the HA primary when the original HA primary returns.

fnbamd uses ha-mgmt-interface for certificate related DNS queries when ha-direct is enabled.

SCTP sessions are not fully synchronized between nodes in FGSP.

hasync crashes when the size of hasync statistics packets is invalid.

Firmware upgrade fails when the bandwidth between hbdev is reduced to 26 Mbps and lower (Check image file integrity error!).

FGSP cluster with UTM does not forward UDP or ICMP packets to the session owner.

HA desynchronizes after user from a read-only administrator group logs in.

Long wait and timeout when upgrading FG- 3000D HA cluster due to vluster2 being enabled.

SNMP community name with one extra character at the end stills matches when HA is enabled.

If the interface name is a number, an error occurs when that number is used as an hbdev priority.

Unable to form HA pair when HA encryption is enabled.

In some situations, the fgfmd daemon is blocked by a query to the HA secondary checksum, which causes the tunnel between the FortiManager and FortiGate to go down.

Failure in self-pinging towards the management IP.

Get invalid IP address when creating a firewall object in the CLI; it synchronized to the secondary in FGSP standalone-config-sync.

Unexpected HA failover on AWS A-P cluster when ipsec-soft-dec-async is enabled.

Traffic was blocked during the test with flow UTMs enabled.

Flow mode web filter ovrd crashes and socket leaks in IPS daemon.

Fortinet logo is missing on web filter block page in Chrome.

Low download performance occurs when SSL deep Inspection is enabled on aggregate and VLAN interfaces when nTurbo is enabled.

ADVPN shortcut cannot be established if both spokes are behind NAT.

Offloaded transit ESP is dropped in one direction until session is not deleted.

FG-40F-3G4G with WWAN DHCP interface set as L2TP client shows drops in WWAN connections and does not get the WWAN IP.

When FGCP and FGSP is configured, but the FGCP cluster is not connected, IKE will ignore the resync event to synchronize SA data to the FGSP peer.

IKE is consuming excessive memory.

Mixed traffic and UTM logs are in the event log file because the current category in the log packet header is not big enough.

Outdated report files deleted system event log keeps being generated.

Traffic log of ZTNA HTTPS proxy and TCP forwarding is missing policy name and FortiClient ID.

The default logtraffic setting (UTM) in a security policy unexpectedly generates a traffic log.

The reportd process consumes a high amount of CPU.

Logs are missing on FortiGate Cloud from the FortiGate.

FortiGate does not send WELF (WebTrends Enhanced Log Format) logs.

Traffic denied by security policy (NGFW policy-based mode) is shown as action="accept" in the traffic log.

The expected reboot log is missing.

WAD process with SoC SSL acceleration enabled consumes more memory usage over time, which may lead to conserve mode.

Workaround: disable SoC SSL acceleration under the firewall SSL settings.

In transparent proxy policy with authentication on corporate firewall, it shows Access Denied after authentication.

On some smaller models, WAD watchdog times out when there is a lot of SSL traffic.

Firewall does not handle 308 redirects properly for threat feed list.

WAD crashes when all of these conditions are met: policy is doing deep inspection, SNI in client hello is in the exempt list, server certificate CNAME is not in the exempt list.

FortiGate blocks traffic in transparent proxy policy, even if the traffic matches the proxy address.

WAD crashes with signal 11 if the client sends a client hello containing a key share that does not match the key share that the server prefers.

Proxy mode generates untagged traffic in a virtual wire pair.

Deep inspection of SMTPS and POP3S starts to fail after restoring the configuration file of another device with the same model.

Trend Micro client results in FortiGate illegal parameter SSL alert response because the Trend Micro client sent a ClientHello that includes extra data, which is declined by the FortiGate according to RFC 5246 7.4.1.2.

FortiGate is silently dropping server hello in TLS negotiation.

FortiGate cannot block a virus file when using the HTTP PATCH upload method.

Policy route does not apply to local-out traffic.

Link health monitor with HTTP/TCP echo cannot send out probe packets in the setting interval when the server is unreachable.

SD-WAN rules created using ISDB do not match/forward via the correct interface.

Application bfdd crashes.

External resource local out traffic does not follow the SD-WAN rule and specified egress interface when the interface-select-method configuration in system external-resource is changed.

One IPv6 BGP neighbor is allowed to be configured with one IPv6 address format and shows a different IPv6 address format.

High CPU on hub BGPD due to hub FortiGate being unable to maintain BGP connections with more than 1K branches when route-reflector is enabled.

When syncing a large number of service qualities, there is a chance of accessing out-of-boundary memory, which causes the VWL daemon to crash.

The default SD-WAN route for the LTE wwan interface is not created.

Workaround: add a random gateway to the wwan member.

config system sdwan
    config members
        edit 2
            set interface "wwan"
            set gateway 10.198.58.58
            set priority 100
        next
    end
end

Routing table does not reflect the new changes for the static route until the routing process is restarted when cmdbsrv and other processes take CPU resources upon every configuration change in devices with over ten thousand firewall policies.

FortiGate is sending malformed packets causing a BGP IPv6 peering flap when there is a large amount of IPv6 routes, and they cannot fit in one packet.

When policy-based routing uses a PPPoE interface, the policy route order changes after rebooting and when the link is up/down.

The set next-hop-self-rr6 enable parameter not effective.

Kernel panic crash occurs after receiving new IPv6 prefix via BGP.

Security Fabric Settings page sometimes cannot load FortiSandbox URL threat detection version despite FortiSandbox being connected.

Slow GUI performance in large Fabric topology with over 50 downstream devices.

CSF branch FortiGate cannot successfully connect/verify certificate with remote EMS server.

FortiGate firewall dynamic address resolution lost when SDN connector updates its cache.

The security rating for Admin Idle Timeout incorrectly fails for a FortiAnalyzer with less than 10 minutes.

Wrong timestamp printed in the event log received in email from event triggered from email alert automation stitch.

Log disk usage from user information history daemon is high and can restrict the use for general logging purposes.

Topology tree shows No connection or Unauthorized for FortiAnalyzer while sending log data to FortiAnalyzer.

Traffic cannot pass through FortiGate in SSL VPN web mode if the user is a PKI peer.

Important GUI pages in 6.4.0 are not rendered well by SSL VPN portal.

Local user assigned with FortiToken cannot log in to SSL VPN web/tunnel mode when password change is required.

Traffic cannot pass through FortiGate for SSL VPN web mode if the user is a PKI peer.

Split-tunnel information is not recognized by legacy FortiClient SSL VPN Linux tool.

SAML login button is lost on SSL VPN portal.

After the upgrade to 6.0.10/6.2.4/6.4.0 SSL VPN portal mapping/remote authentication is matching user into the incorrect group.

Windows FortiClient 7.0.1 cannot work with FortiOS 7.0.1 over SSL VPN when the tunnel IP is in the same subnet as one of the outgoing interfaces and NAT is not enabled.

Customer internal website (https://cm***.msc****.com/x***) cannot be rendered in SSL VPN web mode.

Logging in with SSO to FortiAnalyzer with SSL VPN web mode fails.

Web mode and tunnel mode could not reflect the VRF setting, which causes the traffic to not pass through as expected.

FQDN in firewall policy is treated case sensitive, which causes SSL VPN failure when redirecting or accessing a URL that contains capitalized characters.

SSL VPN web portal does not serve updated certificate.

Renaming the server entry configuration will break the connection between the IdP and FortiGate, which causes the SAML login for SSL VPN to not work as expected.

Punycode is not supported in SSL VPN DNS split tunneling.

SCADA portal will not fully load with SSL VPN web bookmark.

Unable to access SSL VPN bookmark in web mode.

Website is not loading in SSL VPN web mode.

Unable to load SSL VPN web portal internal webpage.

Comma character (,) is acting as delimiter in authentication session decoding when CN format is Surname, Name.

Unable to access internal SSL VPN bookmark in web mode.

After upgrading, NLA security mode for SSL VPN web portal bookmark does not work.

Cannot reach local application (dat***.btn.co.id) while using SSL VPN web mode.

VLANs on a FortiLink interface configured to use a hardware switch interface may fail to come up after upgrading or rebooting.

The extender daemon crashes on Low Encryption (LENC) FortiGates.

Low throughput on FG-2201E for traffic with ECN flag enabled.

Uninitialized variable that may potentially cause httpsd signal 6 and 11 crash issue.

Fortinet_CA is missing in FG-3400E.

The FG-800D HA LED is off when HA status is normal.

fgfmsd crash due to REST agent.

Unable to handle kernel NULL pointer dereference at 000000000000008f.

A large number of detected devices causes httpsd to consume resources, and causes low-end devices to enter conserve mode.

The ipmc_sensord process is killed multiple times when the CPU or memory usage is high.

Multiple ports flapping when a single interface is manually brought up. Affected platforms: FG-3810D and FG-3815D.

Incorrect bandwidth utilization traffic widget for VLAN interface based on LACP interface.

execute restore vmlicense tftp fails with tftp: bind: Address already in use.

Verizon LTE connection is not stable, and the connection may drop after a few hours.

Unable to create a hardware switch with no member.

Unable to save configuration changes and get failed: No space left on device error on FG-61E, FG-81E, and FG-101E.

Legitimate traffic is unable to go through with NP6 synproxy enabled.

The cmdbsvr crashes when accessing an invalid firewall vip mapped IP that causes traffic to stop traversing the FortiGate.

There is no sensor trap function and related logs on SoC4 platforms.

User should be disallowed from sending an alert email from a customized address if the email security compliance check fails.

FortiGate calculates faulty FDS weight with DST enabled.

Kernel panic results in reboot due the size of inner Ethernet header and IP header not being checked properly when the SKB is received by the VXLAN interface.

On FG-100F, no event is raised for PSU failure and the diagnostic command is not available.

After restoring the VDOM configuration, Interface <VLAN> not found in the list! is present for VLANs on the aggregate interface.

Zone transfer with FortiGate as primary DNS server fails if the FortiGate has more than 241 DNS entries.

FortiGate running startup configuration is not saved on flash drive.

Hardware switch is not passing VRRP packets.

Restricted VDOM user is able to access the root VDOM.

Negative tunnel_count in diagnose firewall gtp profile list for FGSP peer.

A request is made to the remote authentication server before checking trusthost.

Any configuration changes on FG-2601F causes cmbdr crash with signal 6 and traffic to stop flowing.

Kernel panic occurs when a virtual switch with VLAN is created, and another port is configured with a trunk.

PPPoE virtual tunnel drops traffic after logon credentials are changed.

FortiOS does not understand CMPv2 grantedWithMods response.

Add GUI support for FortiToken Mobile push notification and FortiToken Cloud based on two-factor authentication, which is already supported by authd.

In the email collection captive portal, a user can click Continue without selecting the checkbox to accept the terms and disclaimer agreement.

azd keeps crashing if Azure VM contains more than 15 tags.

Multi zone HA breaks after upgrading to 6.4.0 because upgrade process does not add relevant items under VDOM exception.

Problems occur when switching between HA broadcast heartbeat to unicast heartbeat and vice versa.

The vmtoolsd and openvmtools processes are using a high amount of memory.

DHCP relay fails when VMs on different VLAN interfaces use the same transaction ID.

FortiFlex license activation failed to be applied to FortiGate VM in HA. Standalone mode is OK.

Filtering Services Availability status is down on the GUI when HTTP/80 is used for web filtering rating service.

Web filter profile count decreased after upgrading to 6.4.0 on FG-100F.

The arrp-profile table cannot be purged if no entry is in use.

FWF-60F has kernel panic and reboots by itself every few hours.

CAPWAP tunnel traffic over WPA2-Enterprise SSID is dropped when offloading is enabled on FG-1800F.