Resolved issues
The following issues have been fixed in version 6.4.3. To inquire about a particular bug, please contact Customer Service & Support.
Anti Virus
Bug ID | Description |
---|---|
560044 | Secondary device blades occasionally report critical log event |
635365 | FortiGate enters conserve mode. |
Application Control
Bug ID | Description |
---|---|
651019 | For the Google.Drive_File.Sharing signature, if it is set to deny in NGFW policy mode and followed by another policy with allow all, the client can still share files. |
Data Leak Prevention
Bug ID | Description |
---|---|
616918 | DLP cannot detect attached ZIP and PDF files when receiving emails via MAPI over HTTPS. |
DNS Filter
Bug ID | Description |
---|---|
649985 | Random SDNS rating timeout events on 6K/7K SLBC with FGSP. |
Explicit Proxy
Bug ID | Description |
---|---|
644121 | Explicit proxy error 504, DNS fails for a specific domain. |
650540 | FortiGate sends traffic to an incorrect port using a wrong source NAT IP address. |
654211 | When the category proxy address is applied in a proxy policy, if SOCKS traffic passes through the web proxy, when matching the SOCKS traffic with the proxy address, the WAD will crash with signal 11 at wad_url_choose_cate. Browsers may send SOCKS traffic in the background from time to time. |
660703 | Using the HTTP explicit proxy denies access to non-HTTP traffic and displays a policy violation. |
Firewall
Bug ID | Description |
---|---|
586764 | Abnormal prolonged CPU spike with cmdbsvr and WAD processes when making changes to a large policy list (10 000+ policies). |
586995 | Cluster VDOM policy statistics data is not correct when VFID is different for same VDOM on primary/secondary. |
609027 | SCTP secondary path not working in ECMP context; incorrect expectation session created from auxiliary session. |
616220 | ICMP reply packets dropped by the FortiGate. |
635074 | Firewall policy |
643446 | Fragmented UDP traffic is silently dropped when fragments have different ECN values. |
647410 | |
648951 | External threat feed entry |
650700 | There should be an event log when there are internet service remove/merge entries. |
650867 | Firewall does not track UDP sessions on the same port. |
656678 | Different ciphers for SSL/HTTPS virtual servers. |
659142 | TNS connection request limited to 500 per second when client is trying to reach database server through the firewall. |
660461 | Configuration changes take a long time, and ipsmonitor and cmdbsrv processes go up to 100% of CPU in a large, complex configuration. |
FortiView
Bug ID | Description |
---|---|
643198 | Threats drilldown for Sources, Destinations, and Country/Region (1 hour, 24 hours, 7 days) gives the error, Failed to retrieve FortiView data. |
GUI
Bug ID | Description |
---|---|
446427 | Using the GUI to update a VDOM license fails when the new license has a lower VDOM count than the current license. |
543192 | Source IP is not used when using the GUI to query the FortiGuard filtering service. |
547123 | The help message for |
561889 | When creating a firewall with an invalid subnet mask, an error is not generated. |
588159 | When disabling Allow Endpoint Registration on the VPN Creation Wizard, the action succeeds, but the error Unable to setup VPN is incorrectly displayed. |
606814 | When creating a profile group with an SSL/SSH profile of no-inspection, the profile group correctly displays this, but when you edit the profile, certificate-inspection is displayed. |
612066 | GUI does not allow user to select SSL VPN tunnel when configuring Multicast routing. |
634550 | GARP is not sent when using the GUI to move a VDOM from one virtual cluster to another. GARP is sent when using the CLI. |
638752 | FortiGates in an HA A-P configuration may lose GUI access to the HA secondary device after a period of 8 days of inactivity, when at least one static IPv6 address is configured on an interface. |
638822 | On Dashboard Setup page, changes made by super administrator and administrator of multiple VDOMs should be reflected in all managed VDOMs. |
645441 | FortiAnalyzer Cloud card on the Fabric Connectors page shows a connected icon when it is not connected. |
645606 | GUI does not allow users to select SD-WAN as a destination interface in an SSL VPN policy while CLI does. |
646327 | Web filter profile dialog cannot load URL filter table if there are a lot of URL filters. |
649027 | The FortiLink Interface pane incorrectly displays high CPU usage and poor health. |
650307 | GUI does not show the configured external FortiGuard category in the SSL-SSH profile's exempt list. |
650800 | Unable to delete multiple phase 2 selectors at the same time from the VPN IPsec tunnels dialog. |
651412 | Unable to print user data for guest management. |
651711 | Unable to select an address group when configuring Source IP Pools for an SSL VPN portal. |
652975 | Cannot access FortiGate GUI over IPv6 after configuring IPv6 for the first time. |
653240 | When refreshing the FortiGuard page, connectivity status for Web Filtering and Anti-Spam incorrectly changes from up to down. |
653422 | When VDOM is enabled, the GUI cannot be used to edit a remote user group from within the Administrators dialog. |
654018 | When there are more than 600 quarantined IP addresses, the Quarantine Monitor (GUI and CLI) will not properly display them. |
654186 | The top charts of the Device Inventory Monitor dashboard are empty when the visualization is set to table view. |
654250 | Firewall users cannot change their password via web captive portal when password renewal is enforced by the firewall policy for remote users. |
654256 | GUI interface speed test fails when there are multiple VDOMs. |
654339 | GUI search does not work in the interface list if DHCP client and range columns are present. |
654626 | Unable to change the action setting of Freeware and Software Downloads using the FortiGuard Category Based Filter of the DNS filter profile. |
655255 | FortiGuard resource retrieval delay causes GUI pages to respond slowly. Affected pages include: Firewall Policy, Settings (log and system), Explicit Proxy (web and FTP), System Global, and System CSF. |
655568 | Users cannot deselect Administrative Access options for VLAN interfaces from the GUI; the CLI must be used. |
655891 | Web CLI console cannot load due to |
656139 | When editing the Interface column from the Multicast Policy page, an empty column appears when the any entry is selected from Select Entries and applied. The same occurs from the NAT64 and NAT46 policy pages. |
656429 | Intermittent GUI process crash if a managed FortiSwitch returns a reset status. |
656974 | |
657322 | For AV profiles, the outbreak-prevention setting on enabled protocols is not automatically configured when enabling Use External Malware Block List. |
657545 | Enabling the Dynamic Gateway toggle for a static route fails without warning when the configuration is incorrect. |
661582 | Date/Time filter does not work on FortiGate Cloud logs. |
663737 | Re-add the FortiView facets filtering bar to full screen or standalone mode. |
663818 | When filtering log view entries by IP address range, entries higher than the upper limit of the range are shown. |
663956 | Unable to load web CLI console for LDAP admin with a login name that contains a space. |
668646 | FortiSwitch topology is not shown on Managed FortiSwitch page topology view. |
HA
Bug ID | Description |
---|---|
421335 | Get one-time hasync crash when running HA scripts for FIPS-CC. |
583059 | In Hyper-V HA, CLI will falsely report |
637711 | CSR on cluster primary is generating out-of-sync alerts on secondary and tertiary units. |
640327 | Duplicate logs are created by both primary and secondary devices for IPsec VPN. |
643958 | Inconsistent data from FFDB caused several confsyncd crashes. |
647679 | Inconsistent values for HA cluster inside the SNMP. |
651177 | When secondary device reboots, it adds an interface to the virtual switch. Secondary cannot synchronize after it starts, as that interface disappears in |
651674 | Long sessions lost on new primary after HA failover. |
654341 | The new join-in secondary chassis failed to sync, while primary chassis has 6K policies in one VDOM. |
656099 | The mgmt interfaces are excluded for heartbeat interfaces (even if |
657376 | VLAN interfaces created on a different virtual cluster primary instead of the root primary do not sync. |
662893 | HA cluster goes out of sync if SAML SSO admin logs in to the device. |
Intrusion Prevention
Bug ID | Description |
---|---|
655371 | Logging is intermittent for FortiGate IDS passive in one-armed sniffer mode. |
660111 | SSL VPN web mode IPS detection with HTTP does not work, even though it works with HTTPS. |
IPsec VPN
Bug ID | Description |
---|---|
592361 | Cannot pass traffic over ADVPN if: |
614483 | Add IKEv2 phase 2 initiator traffic selector narrowing for Cisco compatibility. |
638352 | In extreme situations when thousands of tunnels are negotiating simultaneously (IKEv2), iked process gets exhausted and stuck. |
638573 | FortiGate is not deleting the shortcut tunnel for ISPA (primary ISP) when ISPA is down. |
639806 | User name log empty when IPsec dialup IKEv2 has client RSA certificate with empty subject. |
646012 | DHCP over IPsec randomly works when |
647285 | IKE HA sync IPsec SA fails on receiver when ESP null crypto algorithm is used. |
650599 | IKE HA sync truncates phase 2 option flags after the first eight bits. |
655739 | |
659535 | Setting same |
660472 | Could not locate phase 1 configuration for IPv6 dialup IPsec VPN. |
666693 | If NAT-T IP changes, the dynamic IPsec spoke add route entry is stuck on hub. |
668554 | Upon upgrading to FortiOS 6.4.2, a device with IPsec configured may experience IKE process crashes when any configuration change is made or an address change occurs on a dynamic interface. |
Log & Report
Bug ID | Description |
---|---|
642941 | For URLs over 66 characters, the FortiGate replaces remaining characters with dots (.) in |
643840 | |
645914 | Move |
647741 | On FG-60F, logging and FortiCloud reporting incorrect IPv6 bandwidth usage for sessions with NPU offload. |
650325 | miglogd crashes with signal 11. |
651581 | FortiGate tried to connect to FortiGate Cloud with the primary IP after reboot, although the secondary IP is the source in the FortiGuard log. |
654363 | Traffic log shows Policy violation for traffic hitting the allow policy in NGFW policy mode. |
658665 | Cannot retrieve logs from FortiAnalyzer on non-root VDOM. |
Proxy
Bug ID | Description |
---|---|
550350 | Should not be able to set |
579902 | Proxy deep inspection fails if server chooses to sign with ECDSA-SHA1. |
619707 | When Kerberos (negotiate without NTLM) authentication method is used for web proxy user authentication, there may be a rare memory leak issue. This memory leak issue may eventually cause the FortiGate to go into conserve mode once it occurs after many users are authenticated by Kerberos repeatedly over time. |
633108 | When FOH server is disconnected from a HTTP session, the HTTP session client port peer is not cleared. After this, the HTTP client port shutdown causes a crash because the peer port is freed. |
638039 | Delete validation is not working for Protecting SSL Server profile. |
648831 | WAD memory leak caused by Kerberos proxy authentication. |
653099 | Wildcard URL filter in proxy mode with |
655356, 660857 | Proxy deep inspection fails if server uses TLS 1.3 cookies or record padding. |
656830 | FortiGate should be in SSL bypass mode for TLS 1.2 certificate inspection with client certificate request. |
658654 | Cannot access specific website using proxy-based UTM with certificate inspection due to delays from the server in replying to ClientHello message when a second connection from the same IP is also waiting for ClientHello. |
663088 | Application control in Azure fails to detect and block SSH traffic with proxy inspection. |
666522, 666686 | Proxy mode is blocking web browsing for some websites due to certificate inspection. |
Routing
Bug ID | Description |
---|---|
585816 | SD-WAN route selection does not use the most specific route in the routing table when selecting the egress path. |
613716 | Local-out TCP traffic changes output interface when irrelevant interface is flapping and causes disconnections. |
639884 | |
641050 | Need support for SSL VPN web mode traffic to follow SD-WAN rules/policy route. |
644461 | Unable to redistribute BGP into OSPF based on community (in VRF 0). |
649558 | ISDB policy routes are not removed when the SD-WAN member is down. |
653096 | PMTU calculation for VPN interfaces is not working. FortiGate ignores ICMP type 3 code 4 messages and does not update the routing cache. |
654482 | SD-WAN route tag is removed with multiple BGP paths in place. |
655447 | BGP prefix lifetime resets every 60 seconds when scanning BGP RIB. |
655480 | Upgrading to FortiOS 6.4.2 breaks all SD-WAN performance SLAs that use HTTP. |
660285 | Editing an existing route map rule to add |
660300 | Application vwl signal 11 (segmentation fault) received when HA receives 0 bytes of data. |
660311 | Application vwl signal 6 (aborted) received due to wrong memory allocation for SD-WAN service when creating an ADVPN shortcut. |
661769 | SD-WAN rule disappears when an SD-WAN member experiences a dynamic change, such as during a dynamic PPPoE interface update. |
662655 | The OSPF neighborship cannot be established; get MD5 authentication error when the wrong MD5 key is deleted after modifying the key. |
662696 | If a session is initiated from the server side, SD-WAN application control does not work as expected. |
662845 | HA secondary also sends SD-WAN |
663057 | IPv6 routing does not work properly to be a dual stack. |
666829 | Application bfdd crashes. |
668218 | SD-WAN HTTP health check does not work for URLs longer than 35 characters. |
Security Fabric
Bug ID | Description |
---|---|
649344 | When viewing CSF child Dashboard > WiFi from parent FortiGate, GUI reports, Cannot read property 'spectrum_analysis' of undefined. |
652737 | FortiGate does not send interface configuration to FortiIPAM. |
653368 | Root FortiGate fails to load Fabric topology if HA downstream device has a trusted device in both primary and secondary FortiGates. |
660250 | The ipamd process is causing high memory usage after a few days as the JSON was not freed. |
662128 | Security Rating Summary trigger is not available in multi-VDOM mode. |
SSL VPN
Bug ID | Description |
---|---|
548599 | SSL VPN crashes on parsing some special URLs. |
613733 | Access problem for website. |
615453 | WebSocket using Socket.IO could not be established through SSL VPN web mode. |
620793 | A page inside a bookmark not opening in SSL VPN web mode. |
620946 | All sslvpnd daemons use 99.9% CPU when policy is being updated. |
630771 | SSL VPN rewrites the URL inside the emails sent in Outlook (webmail). |
637217 | Internal webpage, di***, is not loading in web mode. |
641379 | Internal SharePoint 2019 website cannot be accessed in SSL VPN web portal. |
642838 | Redirected URLs do not work in web mode for am***.com. |
645973 | Content from internal Microsoft Dynamics CRM cr***.local portal is not loading properly in SSL VPN web mode. |
646295 | When DNS domain is configured, requests with NTLM of host name-only bookmark could not get response from server. |
647202 | fas crashes when using FortiToken Cloud to access SSL VPN tunnel. |
648433 | Internal website loading issue in SSL VPN web portal for ca***.fr. |
649130 | SSL VPN log entries display users from other VDOMs. |
651942 | For RADIUS server, |
652060 | BMC Remedy Mid Tier 9.1 web app is not displayed properly in SSL VPN web mode. |
652070 | BMC Remedy Mid Tier 8.1 web application elements are not displayed properly in SSL VPN web mode. |
652762 | SSL VPN web mode HTTPS bookmark fails to load (times out). |
652880 | SSL VPN crashes in a scenario where a large number of groups is sent to fnbam for authentication. |
653349 | SSL VPN web mode not working for Ec***re website. |
654534 | SAML authentications occurring through SSL VPN web mode are not completing. |
655374 | SSL VPN web portal bookmark not loading internal web page after login credentials are entered. |
656208 | Users with explicit web proxy authentication lose their proxy authentication group. |
657689 | The system allows enabling split tunnel when the SSL VPN policy is configured with destination |
657890 | Internal website, https://*.da***.cz, is not working correctly in SSL VPN web mode due to source link error. |
658036 | When adding an FTP link to download FortiClient and accessing it through the portal, the colon is dropped from the string. |
659234 | FortiGate keeps replying to an ARP request for an IP address that was once assigned to an SSL VPN user, who has already disconnected and been deleted. |
659312 | Unable to load HTTPS bookmark in Safari ( |
659481 | Internal websites not displayed successfully in SSL VPN web portal. |
661372 | SSL VPN incorrectly rewrites the script URL. |
661835 | ASUS ASMB9-iKVM application shows blank page in SSL VPN web mode. |
662042 | The https://outlook.office365.com and https://login.microsoft.com websites cannot be accessed in the SSL VPN web portal. |
663298 | The internal website is not working properly using SSL VPN. |
663433 | SSL VPN web mode cannot open DFS shared subdirectories, get Invalid HTTP request error as sslvpnd adds |
664121 | SCM VPN disconnects when performing an SVN checkout. |
664804 | User cannot use column header for data sorting (bookmark issue). |
665879 | When sslvpn processes the HTTP/HTTPS response with content disposition, it will change the response body since the content type is HTML. |
666194 | WALLIX Manager GUI interface is not loading through SSL VPN web mode. |
Switch Controller
Bug ID | Description |
---|---|
649913 | HA cluster not synchronizing when configuring an active LACP with MCLAG via FortiManager. |
652745 | Compatibility issues with FortiGate in 6.0 branch and FortiSwitch 424E-Fiber. |
System
Bug ID | Description |
---|---|
581496 | FG-201E stops sending out packets and NP6lite is stuck. |
582536 | Link monitor behavior is different between FGCP and SLBC clusters. |
585882 | Error in log, |
594577 | Out-of-order packets for an offloaded multicast stream. |
598464 | Rebooting FG-1500D in 5.6.x during upgrade causes an L2 loop on the heartbeat interface and VLAN is disabled on the switch side. |
603194 | NP multicast session remains after the kernel session is deleted. |
609660 | NPU offloading enabled dropping traffic from IPsec VPN tunnel remote gateway. |
627236 | TCP traffic disruption when traffic shaper takes effect with NP offloading enabled. |
627269 | Wildcard FQDN not resolved on the secondary unit. |
630146 | FG-100F memory configuration check. |
631132 | Symantec connector does not work if management VDOM is not root VDOM and root VDOM has no network connection. |
631296 | Forward or local bi-directional traffic from NPU inter-VDOM links through separate VDOMs is subject to high latency. |
631689 | FG-100F cannot forward fragmented packets between hardware switch ports. |
633827 | Errors during fuzzy tests on FG-1500D. |
636999 | LTE does not connect after upgrading from 6.2.3 on FG-30E-3G4G models. |
637014 | FortiGate in LENC mode unable to pass firmware signature verification and shows as uncertified after GUI upgrade. |
637983 | FG-100F memory configuration check fails because of wrong threshold. |
642005 | FortiGate does not send |
642327 | FortiGate unable to boot with kernel panic by cmdbsvr when VLAN is configured on redundant interface with non-NPU port. |
642958 | FG-80E terminates the firewall session abruptly when the end-users download large files. |
644380 | FG-40F/60F kernel panic if upgrading from 6.4.0 due to configuration file having a name conflict of |
645723 | Cannot set overlap IP on global level if |
648014, 661784 | FortiDDNS is unable to update the renewed public IP address to FortiGuard server in some error conditions. |
648083 | cmdbsvr may crash with signal 11 (segmentation fault) when frequently changing firewall policies. |
650878 | DHCP relay will honor the broadcast flag set to 0 (unicast) in only one VDOM at a time in a multi-VDOM environment. |
653289 | FortiExtender virtual interface cannot get IP after rebooting the system. |
654159 | NP6Xlite traffic not sent over the tunnel when NPU is enabled. |
654624 | Error message shown ( |
656412 | The interface speed setting should be kept after deleting the virtual switch. |
656504 | Kernel panic happened on FWF-61F and FWF-40F. |
657632 | IPv6 passes through the DNS filter with application control enabled. |
659539 | FortiGate running 6.4.2 GA cannot validate license via FortiManager due to FortiManager hardware missing Fortinet_CA2 and Fortinet_SUBCA2001. |
662208 | Configuration changes take a long time and cmdbsrv processes use up to 100% CPU. |
662239 | FGR-60F-3G4G hardware switch span does not work. |
663603 | The maximum number of IPS supported by each NTurbo load balancer should be 7 instead of 8 on FG-3300E and FG-3301E. |
663815 | Low IPS HTTP throughput on SoC4 platforms. |
665000 | HA LED off issue on FG-1100E/1101E models. |
Upgrade
Bug ID | Description |
---|---|
646877 | FortiOS allows the elimination of interfaces, although it still has a VIP reference used in firewall policies. |
656869 | FG-100F/101F may continuously boot upon upgrading from FortiOS 6.4.0. Workaround: back up the 6.4.0 configuration, perform a clean install via TFTP of FortiOS 6.4.2, and restore the 6.4.0 configuration. |
User & Authentication
Bug ID | Description |
---|---|
643191 | FSSO TS-Agent is not working properly when FortiGates use NGFW policy-based mode. |
655422 | A space after a comma within |
656118 | Password displayed as clear text in FortiManager installation log when resetting the system admin user password via FortiManager. |
658228 | The authd and foauthd processes may crash due to crypto functions being set twice. |
658794 | FortiGate sent CSR certificate instead of signed certificate to FortiManager when retrieve is performed. |
659456 | REST API authentication fails for API user with PKI group enabled due to fnbamd crash. |
662391 | Persistent sessions for de-authenticated FSSO users. |
663399 | |
VM
Bug ID | Description |
---|---|
637376 | In FG-VM64-HV, 802.1Q does not work on interfaces with DPDK enabled. |
640532 | ESXi 6.0 gets |
645798 | In FG-VM64-HV, |
647800 | Merge FIPS ciphers to 6.4.3 and 7.0 trunk (visible to AWS and Azure only). |
652416 | AWS Fabric connector always uses root VDOM even though it is not a management VDOM. |
657785 | On FG-AWS, changing health check protocol to |
662969 | Azure SDN connector filter count is not showing a stable value. |
663276 | After cloning the OCI instance, the OCID does not refresh to the new OCID. |
663487 | Should add router policy in |
664312 | Support vfNIC driving for Broadcom 100G NIC. |
668131 | EIP is not updating properly on FG-VM Azure. |
670166 | FG-VM64-KVM configuration revisions lost after upgrading from 6.2.5. |
Web Filter
Bug ID | Description |
---|---|
587018 | Add URL flow filter counters to SNMP. |
610553 | User browser gets URL block page instead of warning page when using HTTPS IP URL. |
650916 | Loopback interface as source IP is not getting applied to FortiGuard web filter rating. |
654160 | Web filter profile count decreased after upgrading to 6.4.0 on FG-100F. |
654675 | Unable to get complete output of |
655972 | Custom category action set to allow in web filter profile causes the URL to use the FortiGuard category rather than the custom category. |
661713 | Global web filter profile is not applied after changes to allowed/blocked categories. |
WiFi Controller
Bug ID | Description |
---|---|
609549 | In the CLI, the WTP profile for |
647703 | HTTPS server certificate is not presented when WiFi controller feature is disabled in Feature Visibility. |
655689 | Wireless hostapd daemon crashes upon WPA3-SAE connection. |
656804 | Spectrum analysis disable/enable command removed in CLI from |
657391 | FG-600E has cw_acd crash with |
660991 | FAP-U431F cannot view what channel is operating, and the override channel setting must be unset to change to a different channel. |
665766 | Client failed to connect SSID with WPA2-Enterprise and user group authentication. |
Common Vulnerabilities and Exposures
Visit https://fortiguard.com/psirt for more information.
Bug ID | CVE references |
---|---|
649193 | FortiOS 6.4.3 is no longer vulnerable to the following CVE references: |