Resolved issues

The following issues have been fixed in Hyperscale firewall for FortiOS 6.4.9 Build 1966. For inquiries about a particular bug, please contact Customer Service & Support. The Resolved issues described in the FortiOS 6.4.9 release notes also apply to Hyperscale firewall for FortiOS 6.4.9 Build 1966.

| Bug ID | Description |
| --- | --- |
| 757417 | With per-session accounting enabled on a hyperscale firewall FGCP HA cluster, when you change the configuration of a hyperscale firewall policy that is not currently accepting traffic, the hit counter for the policy no longer increases on the secondary FortiGate. |
| 758990, 758364, 760705 | Resolved multiple synchronization issues between FortiGates operating as hyperscale firewall in an FGCP cluster. |
| 759154, 760787 | Enabling srcaddr-negate in a hyperscale firewall policy now works as expected when the policy includes more than one source address. |
| 759639, 760544, 771346, 774481, 766013, 769866 | Resolved multiple NP7 per-policy-accounting issues. |
| 760785 | The config system npu option double-level-mcast has been removed from the CLI because enabling this option could cause traffic flow issues. |
| 761465 | Resolved an issue that would allow sessions to pass through the FortiGate after changing the IP pool configuration of a hyperscale firewall policy to block these sessions. This was occurring because of the time delay between installing a firewall policy change in the kernel and then adding the firewall policy change to the NP7 processor hardware policy table. This issue has been partially resolved by blocking all sessions for packets that match the IP pool that has changed for a short time to allow policy changes to be made to the NP7 processor hardware policy table. |
| 765582 | Resolved an issue for FortiGates with NP7 processors that blocked traffic from passing through the FortiGate if one of the interfaces is a VXLAN interface that is part of a software switch. |
| 768417 | NAT64 and NAT46 hyperscale firewall policy names are now included in NP7 policy engine (NPD) firewall policy information. |
| 769856 | Resolved an issue that caused messages similar to NPD WRITE CDB_ARP_HTAB_CSR FAILED, ret -1013! to appear on the console of a FortiGate with NP7 processors. To resolve the issue, NP7 systems were upgraded to be able to handle larger numbers of ARP table entries. Related to this issue, if you use the system global CLI option arp-max-entry to change the maximum number of dynamically learned MAC addresses that can be added to the ARP table, a best practice is to restart your FortiGate to make sure the system adjusts the size of the ARP tables as expected. |
| 771221 | Resolved an issue that caused the time recorded by hardware syslog messages to be incorrect. |
| 771250 | Resolved an issue that could cause a system restart after pressing Ctrl+C from the CLI (for example, to interrupt the output of the diagnose npd policy dump command). |
| 771875 | Resolved an issue that blocked NP7 offloaded TFTP sessions after an FGCP HA failover. |
| 772394 | The lookup option of the diagnose npd policy command has been removed. |
| 774186 | Resolved an issue that caused hardware sessions synchronized by FGSP for a hyperscale firewall VDOM to be synchronized in software instead of being handled by NP7 processors. |
| 774862 | Resolved an issue that could cause traffic to be blocked after changing the destination address in a hyperscale firewall policy from a firewall virtual IP to a normal firewall address. |
| 783410 | Resolved an issue with how the NP7 policy engine (NPD) interprets IPv6 firewall addresses that caused NPD to accept traffic with IPv6 addresses that were outside of the subnet specified in the firewall address. |
| 797993, 766661 | Resolved an issue that could cause problems such as blocked sessions or traffic shaping settings not taking effect when outbound traffic shaping is applied to sessions that are offloaded to NP7 processors by NTurbo. |
| 792875 | Resolved issues with multicast logging that could cause FortiGates in an FGCP HA cluster to restart after changing the HA priority. |
| 800316 | Resolved an issue that prevented NP7 processors from offloading CAPWAP traffic. |
