Fortinet black logo

FortiOS Release Notes

Home FortiGate / FortiOS 6.4.13 FortiOS Release Notes
6.4.13
7.4.3
7.4.2
7.4.1
7.4.0
7.2.8
7.2.7
7.2.6
7.2.5
7.2.4
7.2.3
7.2.2
7.2.1
7.2.0
7.0.15
7.0.14
7.0.13
7.0.12
7.0.11
7.0.10
7.0.9
7.0.8
7.0.7
7.0.6
7.0.5
7.0.4
7.0.3
7.0.2
7.0.1
7.0.0
6.4.15
6.4.14
6.4.13
6.4.12
6.4.11
6.4.10
6.4.9
6.4.8
6.4.7
6.4.6
6.4.5
6.4.4
6.4.3
6.4.2
6.4.1
6.4.0
6.2.16
6.2.15
6.2.14
6.2.13
6.2.12
6.2.11
6.2.10
6.2.9
6.2.8
6.2.7
6.2.6
6.2.5
6.2.4
6.2.3
6.2.2
6.2.1
6.2.0
6.0.18
6.0.17
6.0.16
6.0.15
6.0.14
6.0.13
6.0.12
6.0.11
6.0.10
6.0.9
6.0.8
6.0.7
6.0.6
6.0.5
6.0.4
6.0.3
6.0.2
6.0.1
6.0.0
5.6.14
5.6.13
5.6.12
5.6.11
5.6.10
5.6.9
5.6.8
5.6.7
5.6.6
5.6.5
5.6.4
5.6.3
5.6.2
5.6.1
5.6.0
5.4.13
5.4.12
5.4.11
5.4.10
5.4.9
5.4.8
5.4.7
5.4.6
5.4.5
5.4.4
5.4.3
5.4.2
5.4.1
5.4.0
5.2.15
5.2.14
5.2.13
5.2.12
5.2.11
5.2.10
5.2.9
5.2.8
5.2.7
5.2.6
5.2.5
5.2.4
5.2.3
5.2.2
5.2.1
5.2.0
5.0.14
5.0.13
5.0.12
5.0.11
5.0.10
5.0.9
5.0.8
5.0.7
5.0.6
5.0.5
5.0.4
5.0.3
5.0.2

Resolved issues

Resolved issues

The following issues have been fixed in version 6.4.13. To inquire about a particular bug, please contact Customer Service & Support.

Explicit Proxy

Bug ID

Description

794124

HTTPS websites are not accessible if certificate-inspection is set in a proxy policy.

849794

Random websites are not accessible after upgrading when using a proxy policy.

Firewall

Bug ID

Description

727809

Disabled deny firewall policy with virtual server objects cannot be enabled after a firewall reboot.

739949

In HA virtual cluster scenario, the Bytes counter on the Firewall Policy page always shows 0 B for the secondary while the Edit Policy page shows the correct Total bytes in the statistics.

808264

Stress test shows packet loss when testing with flow inspection mode and application control.

856187

Explicit FTPS stops working with IP pool after upgrading from 6.4.8 to 6.4.9.

865661

Standard and full ISDB sizes are not configurable on FG-101F.

GUI

Bug ID

Description

722358

When a FortiGate local administrator is assigned to more than two VDOMs and tries logging in to the GUI console, they get a command parse error when entering VDOM configuration mode.

748530

A gateway of 0.0.0.0 is not accepted in a policy route.

870675

CLI console in GUI reports Connection lost. when the administrator has more than 100 VDOMs assigned.

Workaround: use SSH directly or reduce the number of VDOMs.

HA

Bug ID

Description

776355

Packet loss occurs on the software switch interface when a passive device goes down.

816883

High CPU usage on secondary device, and CPU lacks the AVX feature needed to load libdpdk.so.

830879

Running execute ha manage 0 <remote_admin> fails and displays a Permission denied, please try again. error if the 169.254.0.0/16 local subnet is not in the trusted host list.

832634

HA failovers occur due to the kernel hanging on FG-100F.

853900

The administrator password-expire calculation on the primary and secondary returns a one-second diff, and causes HA to be out-of-sync.

856643

FG-500E interface stops sending IPv6 RAs after upgrading.

874823

FGSP session-sync-dev ports do not use L2 Ethernet frames but always use UDP, which reduces the performance.

906036

Secondary blade hostname and mgmt1 IP were changed after a restored configuration on the primary blade.

Intrusion Prevention

Bug ID

Description

715360

Each time an AV database update occurs (scheduled or manually triggered), the IPS engine restarts on the SLBC secondary blade.

775696

Each time an AV database update occurs (scheduled or manual), the IPS engine restarts on the SLBC secondary blade. This stops UTM analysis for sessions affected by that blade.

810783

The number of IPS sessions is higher than kernel sessions, which causes the FortiGate to enter conserve mode.

839170

Improvements to IPS engine monitor to resolve an error condition during periods of heavy traffic loads.

IPsec VPN

Bug ID

Description

765174, 775279

Certain packets are causing IPsec tunnel drops on NP6XLite platforms after HA failover because the packet is not checked properly.

788751

IPsec VPN Interface shows incorrect TX/RX counter.

805301

Enabling NPU offloading in the phase 1 settings causes a complete traffic outage after a couple of ping packets pass through.

822651

NP dropping packet in the incoming direction for SoC4 models.

840153

Unexpected dynamic selectors block traffic when set mesh-selector-type subnet is configured.

842528

Improper IKEv1 quick mode fragmentation from third-party client can cause an IKE crash.

877161

IPsec traffic failing from FortiGate with Failed to find IPsec Common error when dialup IPsec VPN tunnel has remote IP configured on the IPsec VPN interface.

892699

In an HA cluster, static routes via the IPsec tunnel interface are not inactive in the routing table when the tunnel is down.

Log & Report

Bug ID

Description

823183

FortiGates are showing Logs Queued in the GUI after a FortiAnalyzer reboot, even tough the queued logs were actually all uploaded to FortiAnalyzer and cleared when the connection restores.

873987

High memory usage from miglogd processes even without traffic.

874026

Caching a large number of service port entries causes high log daemon memory usage.

Proxy

Bug ID

Description

867614

Multiple and recurrent WAD crashes are causing platform instability and conserve mode after upgrading to 6.4.11 because the Unix stream might be null in some scenarios.

REST API

Bug ID

Description

745926

Using multiple logical AND symbols (&) on monitor API filtering causes a 502 Bad Gateway error.

Routing

Bug ID

Description

618684

When HA failover is performed to the other cluster member that is not able to reach the BFD neighbor, the BFD session is down as expected but the static route is present in the routing table.

769100

Policy routes order is changed after updating the source/destination of SD-WAN rules.

797590

GRE tunnel configured using a loopback interface is not working after changing the interface back and forth.

846107

IPv6 VRRP backup is sending RA, which causes routing issues.

860075

Traffic session is processed by a different SD-WAN rule and randomly times out.

862418

Application VWL crash occurs after FortiManager configuration push causes an SD-WAN related outage.

864626

FortiGate local traffic does not follow SD-WAN rules.

890379

After upgrading, SD-WAN is unable to fail over the traffic when one interface is down.

Security Fabric

Bug ID

Description

885810

The gcpd daemon constantly crashes (signal 11 segmentation fault).

SSL VPN

Bug ID

Description

781581

Customer internal website is not shown correctly in SSL VPN web mode.

803576

Comments in front of <html> tag are not handled well in HTML file in SSL VPN web mode.

803622

High CPU in SSL VPN once SAML is used with FortiAuthenticator and an LDAP server.

818196

SSL VPN does not work properly after reconnecting without authentication and a TX drop is found.

873995

Problem with the internal website using SSL VPN web mode.

850898

OS checklist for the SSL VPN in FortiOS does not include macOS Ventura (13).

884860

SSL VPN tunnel mode gets disconnected when SSL VPN web mode is disconnected by limit-user-logins.

Switch Controller

Bug ID

Description

798724

FortiSwitch exported ports in tenant VDOM are gone after rebooting the FortiGate.

System

Bug ID

Description

688009

Update built-in modem firmware that comes with the device in order for the SIM to be correctly identified and make LTE link work properly.

709679

Get can not set mac address(16) error message when setting a MAC address on an interface in HA that is already set.

721119

The forticron process uses high CPU.

729912

DNS proxy does not transfer the DNS query for IPv6 neighbor discovery (ND) when client devices are using random MAC addresses, so one device can configure many IPv6 addresses.

753421

Slow SNMP query performance of fgVpn2Tables OIDs when a large number of IPsec dialup tunnels are connected.

754681

The auto-script is not restarted when it is changed from HA synchronization.

766834

High memory usage caused by downloading a large CRL list.

782962

PSU alarm log and SNMP trap are added for FG-10xF and FG-8xF models.

790656

DNS fails to correctly resolve hosts using the DNS database.

796094

Egress traffic on EMAC VLAN is using base MAC address instead.

800295

NTP server has intermittent unresolvable logs after upgrading to 6.4.

815937

FCLF8522P2BTLFTN transceiver is not working after upgrade.

828070

CLI displays pipe() failed error messages when sending the sensor value to SMC.

840960

When kernel debug level is set to >=KERN_INFO on NP6xLite platforms, some tuples missing debug messages may get flooded and cause the system to get stuck.

844937

FG-3700D unexpectedly reboots after the COMLog reported a kernel panic due to an IPv6 failure to set up the master session for the expectation session under some conditions.

850430

DHCP relay does not work properly with two DHCP relay servers configured.

850683

Console keeps displaying bcm_nl.nr_request_drop ... after the FortiGate reboots because of the cfg-save revert setting under config system global. Affected platforms: FG-10xF and FG-20xF.

850688

FG-20xF system halts if setting cfg-save to revert under config system global and after the cfg-revert-timeout occurs.

855151

There may be a race condition between the CMDB initializing and the customer language file loading, which causes the customer language file to be removed after upgrading.

859795

High CPU utilization occurs when relay is enabled on VLAN, and this prevents users from getting an IP from DHCP.

868002

FortiGate is unable to resolve DNS from the DNS database for local out traffic (ICMP and access to RADIUS server).

Upgrade

Bug ID

Description

743389

The dnsfilter-profile setting was purged from all DNS server entries upon upgrading from before 6.4.4.

User & Authentication

Bug ID

Description

679016, 749694

A fnbamd crash is caused when the LDAP server is unreachable.

688065

When using the group-override-attr-type class option in a RADIUS configuration, two extra characters are added at the end of the group name.

839801

FortiToken purge in a VDOM clears all FortiToken statuses in the system.

851233

FortiToken activation emails should include HTTPS links to documentation instead of HTTP.

VM

Bug ID

Description

785929

AWS FortiGate fails to bootstrap in new region of Cape Town, South Africa (af-south-1).

VoIP

Bug ID

Description

757477

PRACK will cause voipd crashes when the following conditions are met: block-unknown is disabled in the SIP profile, the PRACK message contains SDP, and PRACK fails to find any related previous transactions (this is not a usual case).

Common Vulnerabilities and Exposures

Visit https://fortiguard.com/psirt for more information.

Bug ID

CVE references

843324

FortiOS 6.4.13 is no longer vulnerable to the following CVE Reference:

  • CVE-2022-42472

854171

FortiOS 6.4.13 is no longer vulnerable to the following CVE Reference:

  • CVE-2022-42474

858793

FortiOS 6.4.13 is no longer vulnerable to the following CVE Reference:

  • CVE-2022-43947

887734

FortiOS 6.4.13 is no longer vulnerable to the following CVE Reference:

  • CVE-2023-33306

894168

FortiOS 6.4.13 is no longer vulnerable to the following CVE Reference:

  • CVE-2023-29183

896403

IPS Engine 6.00160 is no longer vulnerable to the following CVE Reference:

  • CVE-2023-40718

898402

FortiOS 6.4.13 is no longer vulnerable to the following CVE Reference:

  • CVE-2023-27997

918991

FortiOS 6.4.13 is no longer vulnerable to the following CVE Reference:

  • CVE-2023-36639
Previous
Next

Resolved issues

The following issues have been fixed in version 6.4.13. To inquire about a particular bug, please contact Customer Service & Support.

Explicit Proxy

Bug ID

Description

794124

HTTPS websites are not accessible if certificate-inspection is set in a proxy policy.

849794

Random websites are not accessible after upgrading when using a proxy policy.

Firewall

Bug ID

Description

727809

Disabled deny firewall policy with virtual server objects cannot be enabled after a firewall reboot.

739949

In HA virtual cluster scenario, the Bytes counter on the Firewall Policy page always shows 0 B for the secondary while the Edit Policy page shows the correct Total bytes in the statistics.

808264

Stress test shows packet loss when testing with flow inspection mode and application control.

856187

Explicit FTPS stops working with IP pool after upgrading from 6.4.8 to 6.4.9.

865661

Standard and full ISDB sizes are not configurable on FG-101F.

GUI

Bug ID

Description

722358

When a FortiGate local administrator is assigned to more than two VDOMs and tries logging in to the GUI console, they get a command parse error when entering VDOM configuration mode.

748530

A gateway of 0.0.0.0 is not accepted in a policy route.

870675

CLI console in GUI reports Connection lost. when the administrator has more than 100 VDOMs assigned.

Workaround: use SSH directly or reduce the number of VDOMs.

HA

Bug ID

Description

776355

Packet loss occurs on the software switch interface when a passive device goes down.

816883

High CPU usage on secondary device, and CPU lacks the AVX feature needed to load libdpdk.so.

830879

Running execute ha manage 0 <remote_admin> fails and displays a Permission denied, please try again. error if the 169.254.0.0/16 local subnet is not in the trusted host list.

832634

HA failovers occur due to the kernel hanging on FG-100F.

853900

The administrator password-expire calculation on the primary and secondary returns a one-second diff, and causes HA to be out-of-sync.

856643

FG-500E interface stops sending IPv6 RAs after upgrading.

874823

FGSP session-sync-dev ports do not use L2 Ethernet frames but always use UDP, which reduces the performance.

906036

Secondary blade hostname and mgmt1 IP were changed after a restored configuration on the primary blade.

Intrusion Prevention

Bug ID

Description

715360

Each time an AV database update occurs (scheduled or manually triggered), the IPS engine restarts on the SLBC secondary blade.

775696

Each time an AV database update occurs (scheduled or manual), the IPS engine restarts on the SLBC secondary blade. This stops UTM analysis for sessions affected by that blade.

810783

The number of IPS sessions is higher than kernel sessions, which causes the FortiGate to enter conserve mode.

839170

Improvements to IPS engine monitor to resolve an error condition during periods of heavy traffic loads.

IPsec VPN

Bug ID

Description

765174, 775279

Certain packets are causing IPsec tunnel drops on NP6XLite platforms after HA failover because the packet is not checked properly.

788751

IPsec VPN Interface shows incorrect TX/RX counter.

805301

Enabling NPU offloading in the phase 1 settings causes a complete traffic outage after a couple of ping packets pass through.

822651

NP dropping packet in the incoming direction for SoC4 models.

840153

Unexpected dynamic selectors block traffic when set mesh-selector-type subnet is configured.

842528

Improper IKEv1 quick mode fragmentation from third-party client can cause an IKE crash.

877161

IPsec traffic failing from FortiGate with Failed to find IPsec Common error when dialup IPsec VPN tunnel has remote IP configured on the IPsec VPN interface.

892699

In an HA cluster, static routes via the IPsec tunnel interface are not inactive in the routing table when the tunnel is down.

Log & Report

Bug ID

Description

823183

FortiGates are showing Logs Queued in the GUI after a FortiAnalyzer reboot, even tough the queued logs were actually all uploaded to FortiAnalyzer and cleared when the connection restores.

873987

High memory usage from miglogd processes even without traffic.

874026

Caching a large number of service port entries causes high log daemon memory usage.

Proxy

Bug ID

Description

867614

Multiple and recurrent WAD crashes are causing platform instability and conserve mode after upgrading to 6.4.11 because the Unix stream might be null in some scenarios.

REST API

Bug ID

Description

745926

Using multiple logical AND symbols (&) on monitor API filtering causes a 502 Bad Gateway error.

Routing

Bug ID

Description

618684

When HA failover is performed to the other cluster member that is not able to reach the BFD neighbor, the BFD session is down as expected but the static route is present in the routing table.

769100

Policy routes order is changed after updating the source/destination of SD-WAN rules.

797590

GRE tunnel configured using a loopback interface is not working after changing the interface back and forth.

846107

IPv6 VRRP backup is sending RA, which causes routing issues.

860075

Traffic session is processed by a different SD-WAN rule and randomly times out.

862418

Application VWL crash occurs after FortiManager configuration push causes an SD-WAN related outage.

864626

FortiGate local traffic does not follow SD-WAN rules.

890379

After upgrading, SD-WAN is unable to fail over the traffic when one interface is down.

Security Fabric

Bug ID

Description

885810

The gcpd daemon constantly crashes (signal 11 segmentation fault).

SSL VPN

Bug ID

Description

781581

Customer internal website is not shown correctly in SSL VPN web mode.

803576

Comments in front of <html> tag are not handled well in HTML file in SSL VPN web mode.

803622

High CPU in SSL VPN once SAML is used with FortiAuthenticator and an LDAP server.

818196

SSL VPN does not work properly after reconnecting without authentication and a TX drop is found.

873995

Problem with the internal website using SSL VPN web mode.

850898

OS checklist for the SSL VPN in FortiOS does not include macOS Ventura (13).

884860

SSL VPN tunnel mode gets disconnected when SSL VPN web mode is disconnected by limit-user-logins.

Switch Controller

Bug ID

Description

798724

FortiSwitch exported ports in tenant VDOM are gone after rebooting the FortiGate.

System

Bug ID

Description

688009

Update built-in modem firmware that comes with the device in order for the SIM to be correctly identified and make LTE link work properly.

709679

Get can not set mac address(16) error message when setting a MAC address on an interface in HA that is already set.

721119

The forticron process uses high CPU.

729912

DNS proxy does not transfer the DNS query for IPv6 neighbor discovery (ND) when client devices are using random MAC addresses, so one device can configure many IPv6 addresses.

753421

Slow SNMP query performance of fgVpn2Tables OIDs when a large number of IPsec dialup tunnels are connected.

754681

The auto-script is not restarted when it is changed from HA synchronization.

766834

High memory usage caused by downloading a large CRL list.

782962

PSU alarm log and SNMP trap are added for FG-10xF and FG-8xF models.

790656

DNS fails to correctly resolve hosts using the DNS database.

796094

Egress traffic on EMAC VLAN is using base MAC address instead.

800295

NTP server has intermittent unresolvable logs after upgrading to 6.4.

815937

FCLF8522P2BTLFTN transceiver is not working after upgrade.

828070

CLI displays pipe() failed error messages when sending the sensor value to SMC.

840960

When kernel debug level is set to >=KERN_INFO on NP6xLite platforms, some tuples missing debug messages may get flooded and cause the system to get stuck.

844937

FG-3700D unexpectedly reboots after the COMLog reported a kernel panic due to an IPv6 failure to set up the master session for the expectation session under some conditions.

850430

DHCP relay does not work properly with two DHCP relay servers configured.

850683

Console keeps displaying bcm_nl.nr_request_drop ... after the FortiGate reboots because of the cfg-save revert setting under config system global. Affected platforms: FG-10xF and FG-20xF.

850688

FG-20xF system halts if setting cfg-save to revert under config system global and after the cfg-revert-timeout occurs.

855151

There may be a race condition between the CMDB initializing and the customer language file loading, which causes the customer language file to be removed after upgrading.

859795

High CPU utilization occurs when relay is enabled on VLAN, and this prevents users from getting an IP from DHCP.

868002

FortiGate is unable to resolve DNS from the DNS database for local out traffic (ICMP and access to RADIUS server).

Upgrade

Bug ID

Description

743389

The dnsfilter-profile setting was purged from all DNS server entries upon upgrading from before 6.4.4.

User & Authentication

Bug ID

Description

679016, 749694

A fnbamd crash is caused when the LDAP server is unreachable.

688065

When using the group-override-attr-type class option in a RADIUS configuration, two extra characters are added at the end of the group name.

839801

FortiToken purge in a VDOM clears all FortiToken statuses in the system.

851233

FortiToken activation emails should include HTTPS links to documentation instead of HTTP.

VM

Bug ID

Description

785929

AWS FortiGate fails to bootstrap in new region of Cape Town, South Africa (af-south-1).

VoIP

Bug ID

Description

757477

PRACK will cause voipd crashes when the following conditions are met: block-unknown is disabled in the SIP profile, the PRACK message contains SDP, and PRACK fails to find any related previous transactions (this is not a usual case).

Common Vulnerabilities and Exposures

Visit https://fortiguard.com/psirt for more information.

Bug ID

CVE references

843324

FortiOS 6.4.13 is no longer vulnerable to the following CVE Reference:

  • CVE-2022-42472

854171

FortiOS 6.4.13 is no longer vulnerable to the following CVE Reference:

  • CVE-2022-42474

858793

FortiOS 6.4.13 is no longer vulnerable to the following CVE Reference:

  • CVE-2022-43947

887734

FortiOS 6.4.13 is no longer vulnerable to the following CVE Reference:

  • CVE-2023-33306

894168

FortiOS 6.4.13 is no longer vulnerable to the following CVE Reference:

  • CVE-2023-29183

896403

IPS Engine 6.00160 is no longer vulnerable to the following CVE Reference:

  • CVE-2023-40718

898402

FortiOS 6.4.13 is no longer vulnerable to the following CVE Reference:

  • CVE-2023-27997

918991

FortiOS 6.4.13 is no longer vulnerable to the following CVE Reference:

  • CVE-2023-36639
Previous
Next