In NGFW policy mode, sessions are not re-validated when security policies are changed.

Workaround: clear the session after policy change.

FortiGate cannot get detailed information on FortiClient vulnerabilities from FortiAnalyzer.

Managed FortiSwitch and FortiSwitch Ports pages are slow to load when there are many managed FortiSwitches. This performance issue needs a fix on both FortiOS and FortiSwitch. A fix was provided in FortiOS 7.0.1 GA and FortiSwitch 7.0.1 GA.

When logging into the GUI via FortiAuthenticator with two-factor authentication, the FortiToken Mobile push notification is not sent until the user clicks Login.

When config ha-mgmt-interfaces is configured, the GUI incorrectly shows an error when setting overlapping IP address.

GUI interface bandwidth widget does not show correct data for tunnel interface when ASIC offload is enabled on the firewall policy.

When editing the external connector Poll Active Directory Server from the GUI, the Users/Groups option is always an empty value, even if there is an existing group configured.

Workaround: manage the option in the CLI.

If FortiGate Cloud is not activated, users cannot edit the Log Settings page from the GUI. Affected models: FG-200F and FG-201F.

When an administrator ends a session by closing the browser, the administrator timeout event is not logged until the next time the administrator logs in.

Items added to Favorites are lost after a logout or reboot.

After upgrading to 6.4.4, the RADIUS server with non-FortiToken two-factor authentication does not work in the GUI.

When login banner is enabled, and a user is forced to re-login to the GUI (due to password enforcement or VDOM enablement), users may see a Bad gateway error and HTTPSD crash.

Workaround: refresh the browser.

When a FortiGate is managed by FortiManager with FortiWLM configured, the HTTPS daemon may crash while processing some FortiWLM API requests. There is no apparent impact on the GUI operation.

An IPsec phase 1 interface with a name that contains a / cannot be deleted from the GUI. The CLI must be used.

Cyrillic characters not displayed properly in local reports.

WAD process consumes memory and crashes because of a memory leak that happened due to a coding error when calling the FortiAP API. The API misbehaves when there are no FortiAP appliances in the cluster.

A coding error can cause integer overflow on crafted HTTP requests and read out-of-boundary memory. Sometimes, PCRE match crashes due to this out-of-boundary memory access.

YouTube server added new URLs (youtubei/v1/player, youtubei/v1/navigator) that caused proxy option to restrict YouTube access to not work.

WAD crashes seen in user information upon user purge and during signal handling of user information history.

For API user tokens with CORS enabled and set to wildcard *, direct API requests using this token are not processed properly. This issue impacts FortiOS version 5.6.1 and later.

Workaround: set CORS to an explicit domain.

ADVPN and SD-WAN reply direction randomly chooses ECMP path rather than following shortcut.

Return packets are not always sent back through the correct path.

OSPF neighbor cannot form with spoke in ADVPN setup if the interface has a parent link and it is a tunnel.

Traffic to FortiToken Mobile push server does not follow SD-WAN/PBR rules.

In some WAD proxy cases, the WAD local session cannot get the SYN-ACK packet.

Reply direction keeps flapping between different tunnels after unrelated FIB update.

FortiGate crashes when doing ping6 on VDOM link interface.

When NTurbo is enabled, it is unexpectedly provided with the wrong traffic direction information (from server or from client) to decide the destination for the data. This causes the traffic to be sent back to the port where it came from.

FG-200E has np6lite_lacp_lifc error message when booting up a device if there are more than seven groups of LAGs configured.

Interface emac-vlan feature does not work on SoC4 platform.

Link status on peer device is not down when the admin port is down on the FG-500E.

Interface belonging to other VDOMs should be removed from interface list when configuring a GENEVE interface.

UDP 4500 inter-VDOM traffic is not offloaded, causing BFD/IPsec to drop.

FortiGate did not restart after restoring the backup configuration via FortiManager after the following process: disable NPU offloading, change NGFW mode from profile-based to policy-based, retrieve configuration from FortiGate via FortiManager, and install the policy package via FortiManager.

Unable to create MAC address-based policies in NGFW.

Azure SDN connector replicates configuration from primary device to secondary device during configuration restore.

FG-VMX manager not showing all the nodes deployed.

Autoscale GCP health check is not successful (port 8443 HTTPS).

During every FortiGuard UTM update, there is high CPU usage because only one vCPU is available.

The security-redirect-url setting is missing when the portal-type is auth-mac.

Newly discovered and authorized FortiAP will cause HA sync issue. On the HA secondary member, if the WTP profile has a radio in monitor mode, it will be changed to AP mode and unset the band.

FWF-60F/61F and FWF-40F encounters kernel panic (LR is at capwap_find_sta_by_mac) when one managed FortiAP is authenticating WiFi clients.

Workaround: disable CAPWAP offloading, then reboot for the change to take effect.

config system npu
    set capwap-offload disable
end