Known issues

The following issues have been identified in Hyperscale firewall for FortiOS 7.0.10 Build 0450. For inquiries about a particular bug, please contact Customer Service & Support. The known issues described in the FortiOS 7.0.10 release notes also apply to Hyperscale firewall for FortiOS 7.0.10 Build 0450.

Bug ID Description

778794 DoS anomaly logs for NP7-offloaded DoS policy sessions incorrectly report the number of times that an anomaly was detected or blocked in the repeats field of DoS anomaly log messages.

795853 Disabling EIF and EIM in a hyperscale firewall policy actively processing traffic causes errors in the information stored in the NP7 firewall policy database. For example, the data may include incorrect VDOM IDs and IP addresses.

807476 On a FortiGate licensed for Hyperscale firewall features, using the cfg-save option of the config system global command to revert configuration changes may result in error messages displaying on the CLI. The error occurs because when packets go through host interface TX/RX queues, some packet buffers can still hold references to VDOM when the host queues are idle. If more packets go through the same host queues for other VDOMs, the issue should resolve.

810225 On FortiGates with NP7 processors, the first time you change the password of a newly created administrator from the GUI, an "undefined" error message may appear.

811109 The HA1, HA2, AUX1, and AUX2 interfaces of the FortiGate-4200F, 4201F, 4400F, and 4401F cannot be added to a LAG.

826490 FortiGates with NP7 processors in an FGCP HA cluster may randomly experience a kernel crash and restart when processing IPv6 traffic.

836976 Sessions being processed by hyperscale firewall policies with hardware logging may be dropped when dynamically changing the log server log-processor mode from hardware to host for the hardware log server added to the hyperscale firewall policy. To avoid dropping sessions, change the log-processor setting during quiet periods.

838654 In a hyperscale firewall VDOM, NAT64 and NAT46 sessions offloaded to NP7 processors that are blocked by the implicit deny policy do not increase the implicit deny policy hit count.

839958 The service-negate firewall policy option does not work as expected in a hyperscale deny policy.

841712 The config system npu option nat64-force-ipv4-packet-forwarding is not available.

842008 If background session scanning is enabled (using the background-sse-scan option of the config system npu command), after an FGCP HA failover, some sessions may not be synchronized from the primary to the secondary FortiGate.

842659 The srcaddr-negate and dstaddr-negate options do not work as expected for IPv6 FTS traffic.

843132 Access control list (ACL) policies added while a FortiGate is processing traffic may take longer than expected to become effective. During a transition period, traffic that should be blocked by the ACL policy will be allowed.

843197 The output of the diagnose sys npu-session list/list-full command does not include policy route information.

843266 Hyperscale firewall sessions that are routed by policy routes do not show information such as hit count and last used when displayed with the diagnose firewall proute list command.

843305 A message similar to PARSE SKIP ERROR=17 NPD ERR PBR ADDRESS can appear on the console error log when a FortiGate with NP7 processors starts up.

844421 Due to a hardware limitation, when overload mode IP pools are used, the per IP pool session stats are not accurate.

845781 FortiGates with NP7 processors can experience kernel panics and regular reboots caused by FortiOS trying to offload an ESP packet received at an EMAC VLAN interface that is accepted by a NAT46 firewall policy.

846520 After an FGCP HA failover, the NPD/LPMD processes may be stopped by an out of memory killer process after running mixed sessions even when the amount of memory use is not excessive.

847314 FortiGates with NP7 processors may encounter random kernel crashes after a system restart or a factory reset.

847664 FortiGates with NP7 processors may display an error message similar to mce: [Hardware Error] while starting up.

875728 877696 Error messages may appear on the console leading to a kernel panic on a FortiGate with NP7 processors when it is added to an FGCP HA cluster as the secondary FortiGate.
