Fortinet white logo
Fortinet white logo

FortiOS Release Notes

Resolved issues

Resolved issues

The following issues have been fixed in version 7.0.16. To inquire about a particular bug, please contact Customer Service & Support.

Anti Virus

Bug ID

Description

948371

Scanunit should no longer submit known infected files to FortiSandbox.

Data Leak Prevention

Bug ID

Description

977334 Users cannot download files more than 5MB in size using FPX when SSL deep inspection and DLP profiles are enabled.

DNS Filter

Bug ID

Description

1010464

When the DNS filter is enabled with external-ip-blocklist, the IPS Engine remains in D status for an extended period of time and the DNS session ends.

1026058

When IP is not resolved or does not exist, the DNS alters the response for the domain and results in a performance issue on the client device.

Explicit Proxy

Bug ID

Description

882867 Proxy policy match resolves IP to multiple internet service application IDs.

1014477

Files do not get uploaded on webmail applications with antivirus, app control, or IPS enabled on an explicit proxy policy.

Firewall

Bug ID

Description

935034 The clock skew tolerance is not reflected.

970179

Unrelated route changes will cause the existing session to be marked dirty.

985508

When allow-traffic-redirect is enabled, redirect traffic that ingresses and egresses from the same interface may incorrectly get dropped if the source address of the incoming packet is different from the FortiGate's interface subnet and there is no firewall policy to allow the matched traffic.

1016547

When FortiGate forwards M/C packets to an interface with egress-shaping-profile enabled, an interruption occurs in the kernel.

HA

Bug ID

Description

974749 TCP/SCTP sessions count mismatch in an HA pair in A-P mode.
1017177 A WAD processing issue causes the SNMP to not respond in an HA cluster.

1018937

In a FortiGate HA configuration, the tunnel connection to FortiManager is disrupted due to a mismatched serial number and local certificate issue.

1020982

The hasync process encounters a CPU usage issue caused by frequent attempts to get the FIB for a deleted vdom.

Intrusion Prevention

Bug ID

Description

1000223 HTTPS connections to a Virtual IP (VIP) on TCP port 8015 are incorrectly blocked by the firewall, displaying an IPS block page even when no packet from the outside to TCP port 8015 should reach the internal VIP address.

IPsec VPN

Bug ID

Description

923150 Some static tunnels in multiple VDOM HA setups do not come up after a firmware upgrade or restoring the configuration.

950445

After a third-party router failover, traffic traversing the IPsec tunnel is lost.

1001602

Using IPSec over back to back EMAC VLAN interfaces does not work as expected with NPU offload enabled.

1003830

IPsec VPN tunnel phase 2 instability after upgrading to 7.4.2 on the NP6xlite platform.

1009332

Traffic is interrupted on SPOKEs after upgrading to version 7.0.14 due to one NPU SA race condition.

1042324

The Phase1 monitor BGP remains active when the tunnel is DOWN.

Log & Report

Bug ID

Description

872493

Disk logging files are cached in the kernel, causing high memory usage.

993476

On FortiGate, the locallogd process encounters a CPU usage issue for a few minutes after a reboot or a restart.

1005171

After upgrading to version 7.0.14, the system event log generates false positives for individual ports that are not used in any configuration.

Proxy

Bug ID

Description

837568 Restricted SaaS access does not work as expected when config ssl inspect-all is enabled.

871273

When the kernel API tries to access the command buffer, the device enters D state due to a kernel interruption.

922093

CPU usage issue in WAD caused by source port exhaustion when using WAN optimization.

933502

When a forward server with proxy authorization is configured with certain traffic, a memory usage issue in the WAD process interrupts the operation of FortiGate.

949464

On FortiGate, a memory usage issue in the WAD process may cause the unit to enter into conserve mode.

979361

After an upgrade, FortiOS encounters an error condition in the application daemon wad caused by an SSL cache error.

982553

After upgrading from version 6.4.13 to version 7.0.12 or 7.0.13, FortiGate experiences a memory usage issue.

1003481

FortiGate may not work as expected due to an error condition in the daemon WAD.

1039006

Some websites cannot open subpages when the HTTP2 header value exceeds 16MB.

1048296

FortiGate experiences an HTTP2 framing error when accessing websites using proxy mode with deep inspection configured due to a frame sizing issue in the WAD process.

REST API

Bug ID

Description

859680 In an HA setup with vCluster, a CMDB API request to the primary cluster does not synchronize the configuration to the secondary cluster.

Routing

Bug ID

Description

852498 BGP packets are marked with DSCP CS0 instead of CS6.

900770

DHCP relay fails after a period of time with SD-WAN.

932092

API call returns recursive next-hop for the gateway address.

978683

The link-down-failover command does not bring the BGP peering down when the IPsec tunnel is brought down on the peer FortiGate.

989012

The ICMP_TIME_EXCEEDED packet does not follow the original ICMP path displays the incorrect traceroute from the user.

1031394

On the Network > Routing Objects page, the Set AS path on the Edit Rule pane does not allow the use of the full range AS numbers.

SSL VPN

Bug ID

Description

999378 When the GUI tries to write a QR code for the SSL VPN configuration to the file system to send in an email, it tries to write it in a read-only folder.

1003672

When RDP is accessed through SSL VPN web mode, keyboard strokes on-screen lag behind what is being typed by users.

1004633

FortiGate does not respond to ARP packets related to SSL VPN client IP addresses.

1018928

A CPU usage issue occurs in the tvc daemon when the vpn server cannot be reached.

1024837

OneLogin SAML does not work with SSL VPN after upgrading to version 7.0.15 or 7.4.3.

1048915

The SSL VPN web mode flag is determined incorrectly causing the authenticated POST request to be dropped.

1061165

SSL VPN encounters a signal 11 interruption and does not work as expected due to a word-length heap memory issue.

System

Bug ID

Description

820268 VIP traffic access to the EMAC VLAN interface uses incorrect MAC address on NP7 platform.
846399 Add 100G speed option for FG-180xF for ports 37, 38, 39, and 40. Upon firmware upgrade, existing port speed configurations are preserved.
863542 FortiGate devices configured behind a proxy may not connect to the FortiToken Mobile server, leading to errors when provisioning tokens.
872391 The session output of dia sys npu-session list shows wrong duration when the session is very long (+40 hours).
885057 Add 100G speed option on the FortiGate 1800F.

901721

In a certain edge case, traffic directed towards a VLAN interface could cause a kernel interruption.

907752 On FortiGate 1000D models, the SFP 1G port randomly experiences flapping during operation.
915585 Optimize memory usage, which causes the SLAB memory to increase, in kernel 4.19.
917827 Delay sending LACPDU in kernel 4.19.

920320,

1029447

FortiGate encounters increasing Rx_CRC_Errors on SFP ports on the NP6 platform when an Ethernet frame contains carrier extension symbols to Cisco devices.

931604 The FortiGate checksum changes and the FortiManager Backup Mode device status becomes out-of-sync.

932002

Possible infinite loop can cause FortiOS to become unresponsive until the FortiGate goes through a power cycle.

939935

High CPU usage caused by DHCP packets.

943615

When cmdbsvr receives a request to update the version number, it also receives a copy of the query, but this copy is not freed.

947398

When an EMAC VLAN interface is set up on top of a redundant interface, the kernel may encounter an error when rebooting.

954529

The diagnose npu sniffer stop command can lead to a traffic outage.

957135

EMAC VLAN interface uses two MAC addresses when it should only use an internally generated MAC address.

957846

High CPU usage caused by DHCP packets.

981433 The ipmcsensord does not work as expected when executing sensor-related commands before the high-end device sensor finishes booting up.

991925

The EMAC VLAN, with a vlanid over a physical interface and a VIP configuration, has the incorrect mac address once traffic is offloaded.

995442

FortiGate may generate a Power Redundancy Alarm error when there is no power loss. The error also does not show up in the system log.

999816 FortiGate 100 models may become unresponsive and prevent access to the GUI, requiring a reboot to regain access due to an issue with the SOC3.

1001133

After an upgrade, FortiGate receives a PSU RPS LOST traps error despite not having any RPS connected.

1001601 A kernel interruption on FortiGate prevents it from rebooting after an upgrade with a specific configuration.
1003026 On SoC3/SoC4 platforms, a kernel interruption may occur when running WAD monitoring scripts.

1004231

FortiGate loses connections to FortiManager due to a fatal unknown CA after upgrading from version 7.0.13 to 7.0.14.

1018843

When FortiGate experiences a memory usage issue and enters into conserve mode, the system file integrity check may not work as expected and cause the device to shutdown.

1025114

Insufficient free memory on entry-level Fortigate devices with 2 GB RAM may cause unexpected behavior in the IPS engine.

1033589

In a policy-based NGFW, when configuring the FSSO Agent on Windows AD External Connector, traffic is not forwarded.

1037075

On FortiGate, an interruption occurs in the kernel when running WAD process monitoring scripts.

1037393

FortiGate reboots due to the maximum buffer length difference between nTurbo and NPU HW. NPU will fragment packets which are more than 10000, but carries wrong extend info to nTurbo in the 2nd fragment.

1041457

The kernel 4.19 cannot concurrently reassemble IPv4 fragments for a source IP with more than 64 destination IP addresses.

1043205 After upgrading to 7.0.12, the FortiGate to FortiManager tunnel with a load balancer in between no longer operates as expected.

1057625

FortiGate does not work as expected due to an interruption in the kernel.

1069554

Upgrading directly from 7.2.4 or earlier versions to 7.2.9, or directly from 7.0.11 or earlier to 7.2.9 is not supported. Users must upgrade following the recommended upgrade path to avoid system hanging.

Upgrade

Bug ID

Description

925567

When upgrading multiple firmware versions in the GUI, the Follow upgrade path option does not respect the recommended upgrade path.

VM

Bug ID

Description

909368

If Azure accelerated networking is enabled, IPsec traffic cannot be redistributed using round-robin. This results in a CPU usage issue.

1006570

VPN tunnels go down due to IKE authentication loss after a firmware upgrade on the VM.

1046696

A FortiGate VM HA in Azure Cloud may intermittently go out of synchronization due to an issue in the daemon process.

1054244

FortiToken does not work as expected after moving a FortiGate-VM license to a new VM with the same serial number.

1073016

The OCI SDN connector cannot call the API to the Oracle service when an IAM role is enabled.

VoIP

Bug ID

Description

1004894

VOIPD experiences high memory usage and enters into conserve mode.

Web Filter

Bug ID

Description

1002266

Web filtering does not update rating servers if there is a FortiGuard DNS change.

WiFi Controller

Bug ID

Description

985265 HA setup hostapd issue during stress test.

989929

An kernel interruption occurs on FWF-40F/60F models when WiFi stations connect to SSID on the local radio.

1001672

FortiWiFi reboots or becomes unresponsive when connecting to SSID after upgrading to 7.0.14.

Common Vulnerabilities and Exposures

Visit https://fortiguard.com/psirt for more information.

Bug ID

CVE references

858921

FortiOS 7.0.16 is no longer vulnerable to the following CVE Reference:

  • CVE-2023-26207

Resolved issues

Resolved issues

The following issues have been fixed in version 7.0.16. To inquire about a particular bug, please contact Customer Service & Support.

Anti Virus

Bug ID

Description

948371

Scanunit should no longer submit known infected files to FortiSandbox.

Data Leak Prevention

Bug ID

Description

977334 Users cannot download files more than 5MB in size using FPX when SSL deep inspection and DLP profiles are enabled.

DNS Filter

Bug ID

Description

1010464

When the DNS filter is enabled with external-ip-blocklist, the IPS Engine remains in D status for an extended period of time and the DNS session ends.

1026058

When IP is not resolved or does not exist, the DNS alters the response for the domain and results in a performance issue on the client device.

Explicit Proxy

Bug ID

Description

882867 Proxy policy match resolves IP to multiple internet service application IDs.

1014477

Files do not get uploaded on webmail applications with antivirus, app control, or IPS enabled on an explicit proxy policy.

Firewall

Bug ID

Description

935034 The clock skew tolerance is not reflected.

970179

Unrelated route changes will cause the existing session to be marked dirty.

985508

When allow-traffic-redirect is enabled, redirect traffic that ingresses and egresses from the same interface may incorrectly get dropped if the source address of the incoming packet is different from the FortiGate's interface subnet and there is no firewall policy to allow the matched traffic.

1016547

When FortiGate forwards M/C packets to an interface with egress-shaping-profile enabled, an interruption occurs in the kernel.

HA

Bug ID

Description

974749 TCP/SCTP sessions count mismatch in an HA pair in A-P mode.
1017177 A WAD processing issue causes the SNMP to not respond in an HA cluster.

1018937

In a FortiGate HA configuration, the tunnel connection to FortiManager is disrupted due to a mismatched serial number and local certificate issue.

1020982

The hasync process encounters a CPU usage issue caused by frequent attempts to get the FIB for a deleted vdom.

Intrusion Prevention

Bug ID

Description

1000223 HTTPS connections to a Virtual IP (VIP) on TCP port 8015 are incorrectly blocked by the firewall, displaying an IPS block page even when no packet from the outside to TCP port 8015 should reach the internal VIP address.

IPsec VPN

Bug ID

Description

923150 Some static tunnels in multiple VDOM HA setups do not come up after a firmware upgrade or restoring the configuration.

950445

After a third-party router failover, traffic traversing the IPsec tunnel is lost.

1001602

Using IPSec over back to back EMAC VLAN interfaces does not work as expected with NPU offload enabled.

1003830

IPsec VPN tunnel phase 2 instability after upgrading to 7.4.2 on the NP6xlite platform.

1009332

Traffic is interrupted on SPOKEs after upgrading to version 7.0.14 due to one NPU SA race condition.

1042324

The Phase1 monitor BGP remains active when the tunnel is DOWN.

Log & Report

Bug ID

Description

872493

Disk logging files are cached in the kernel, causing high memory usage.

993476

On FortiGate, the locallogd process encounters a CPU usage issue for a few minutes after a reboot or a restart.

1005171

After upgrading to version 7.0.14, the system event log generates false positives for individual ports that are not used in any configuration.

Proxy

Bug ID

Description

837568 Restricted SaaS access does not work as expected when config ssl inspect-all is enabled.

871273

When the kernel API tries to access the command buffer, the device enters D state due to a kernel interruption.

922093

CPU usage issue in WAD caused by source port exhaustion when using WAN optimization.

933502

When a forward server with proxy authorization is configured with certain traffic, a memory usage issue in the WAD process interrupts the operation of FortiGate.

949464

On FortiGate, a memory usage issue in the WAD process may cause the unit to enter into conserve mode.

979361

After an upgrade, FortiOS encounters an error condition in the application daemon wad caused by an SSL cache error.

982553

After upgrading from version 6.4.13 to version 7.0.12 or 7.0.13, FortiGate experiences a memory usage issue.

1003481

FortiGate may not work as expected due to an error condition in the daemon WAD.

1039006

Some websites cannot open subpages when the HTTP2 header value exceeds 16MB.

1048296

FortiGate experiences an HTTP2 framing error when accessing websites using proxy mode with deep inspection configured due to a frame sizing issue in the WAD process.

REST API

Bug ID

Description

859680 In an HA setup with vCluster, a CMDB API request to the primary cluster does not synchronize the configuration to the secondary cluster.

Routing

Bug ID

Description

852498 BGP packets are marked with DSCP CS0 instead of CS6.

900770

DHCP relay fails after a period of time with SD-WAN.

932092

API call returns recursive next-hop for the gateway address.

978683

The link-down-failover command does not bring the BGP peering down when the IPsec tunnel is brought down on the peer FortiGate.

989012

The ICMP_TIME_EXCEEDED packet does not follow the original ICMP path displays the incorrect traceroute from the user.

1031394

On the Network > Routing Objects page, the Set AS path on the Edit Rule pane does not allow the use of the full range AS numbers.

SSL VPN

Bug ID

Description

999378 When the GUI tries to write a QR code for the SSL VPN configuration to the file system to send in an email, it tries to write it in a read-only folder.

1003672

When RDP is accessed through SSL VPN web mode, keyboard strokes on-screen lag behind what is being typed by users.

1004633

FortiGate does not respond to ARP packets related to SSL VPN client IP addresses.

1018928

A CPU usage issue occurs in the tvc daemon when the vpn server cannot be reached.

1024837

OneLogin SAML does not work with SSL VPN after upgrading to version 7.0.15 or 7.4.3.

1048915

The SSL VPN web mode flag is determined incorrectly causing the authenticated POST request to be dropped.

1061165

SSL VPN encounters a signal 11 interruption and does not work as expected due to a word-length heap memory issue.

System

Bug ID

Description

820268 VIP traffic access to the EMAC VLAN interface uses incorrect MAC address on NP7 platform.
846399 Add 100G speed option for FG-180xF for ports 37, 38, 39, and 40. Upon firmware upgrade, existing port speed configurations are preserved.
863542 FortiGate devices configured behind a proxy may not connect to the FortiToken Mobile server, leading to errors when provisioning tokens.
872391 The session output of dia sys npu-session list shows wrong duration when the session is very long (+40 hours).
885057 Add 100G speed option on the FortiGate 1800F.

901721

In a certain edge case, traffic directed towards a VLAN interface could cause a kernel interruption.

907752 On FortiGate 1000D models, the SFP 1G port randomly experiences flapping during operation.
915585 Optimize memory usage, which causes the SLAB memory to increase, in kernel 4.19.
917827 Delay sending LACPDU in kernel 4.19.

920320,

1029447

FortiGate encounters increasing Rx_CRC_Errors on SFP ports on the NP6 platform when an Ethernet frame contains carrier extension symbols to Cisco devices.

931604 The FortiGate checksum changes and the FortiManager Backup Mode device status becomes out-of-sync.

932002

Possible infinite loop can cause FortiOS to become unresponsive until the FortiGate goes through a power cycle.

939935

High CPU usage caused by DHCP packets.

943615

When cmdbsvr receives a request to update the version number, it also receives a copy of the query, but this copy is not freed.

947398

When an EMAC VLAN interface is set up on top of a redundant interface, the kernel may encounter an error when rebooting.

954529

The diagnose npu sniffer stop command can lead to a traffic outage.

957135

EMAC VLAN interface uses two MAC addresses when it should only use an internally generated MAC address.

957846

High CPU usage caused by DHCP packets.

981433 The ipmcsensord does not work as expected when executing sensor-related commands before the high-end device sensor finishes booting up.

991925

The EMAC VLAN, with a vlanid over a physical interface and a VIP configuration, has the incorrect mac address once traffic is offloaded.

995442

FortiGate may generate a Power Redundancy Alarm error when there is no power loss. The error also does not show up in the system log.

999816 FortiGate 100 models may become unresponsive and prevent access to the GUI, requiring a reboot to regain access due to an issue with the SOC3.

1001133

After an upgrade, FortiGate receives a PSU RPS LOST traps error despite not having any RPS connected.

1001601 A kernel interruption on FortiGate prevents it from rebooting after an upgrade with a specific configuration.
1003026 On SoC3/SoC4 platforms, a kernel interruption may occur when running WAD monitoring scripts.

1004231

FortiGate loses connections to FortiManager due to a fatal unknown CA after upgrading from version 7.0.13 to 7.0.14.

1018843

When FortiGate experiences a memory usage issue and enters into conserve mode, the system file integrity check may not work as expected and cause the device to shutdown.

1025114

Insufficient free memory on entry-level Fortigate devices with 2 GB RAM may cause unexpected behavior in the IPS engine.

1033589

In a policy-based NGFW, when configuring the FSSO Agent on Windows AD External Connector, traffic is not forwarded.

1037075

On FortiGate, an interruption occurs in the kernel when running WAD process monitoring scripts.

1037393

FortiGate reboots due to the maximum buffer length difference between nTurbo and NPU HW. NPU will fragment packets which are more than 10000, but carries wrong extend info to nTurbo in the 2nd fragment.

1041457

The kernel 4.19 cannot concurrently reassemble IPv4 fragments for a source IP with more than 64 destination IP addresses.

1043205 After upgrading to 7.0.12, the FortiGate to FortiManager tunnel with a load balancer in between no longer operates as expected.

1057625

FortiGate does not work as expected due to an interruption in the kernel.

1069554

Upgrading directly from 7.2.4 or earlier versions to 7.2.9, or directly from 7.0.11 or earlier to 7.2.9 is not supported. Users must upgrade following the recommended upgrade path to avoid system hanging.

Upgrade

Bug ID

Description

925567

When upgrading multiple firmware versions in the GUI, the Follow upgrade path option does not respect the recommended upgrade path.

VM

Bug ID

Description

909368

If Azure accelerated networking is enabled, IPsec traffic cannot be redistributed using round-robin. This results in a CPU usage issue.

1006570

VPN tunnels go down due to IKE authentication loss after a firmware upgrade on the VM.

1046696

A FortiGate VM HA in Azure Cloud may intermittently go out of synchronization due to an issue in the daemon process.

1054244

FortiToken does not work as expected after moving a FortiGate-VM license to a new VM with the same serial number.

1073016

The OCI SDN connector cannot call the API to the Oracle service when an IAM role is enabled.

VoIP

Bug ID

Description

1004894

VOIPD experiences high memory usage and enters into conserve mode.

Web Filter

Bug ID

Description

1002266

Web filtering does not update rating servers if there is a FortiGuard DNS change.

WiFi Controller

Bug ID

Description

985265 HA setup hostapd issue during stress test.

989929

An kernel interruption occurs on FWF-40F/60F models when WiFi stations connect to SSID on the local radio.

1001672

FortiWiFi reboots or becomes unresponsive when connecting to SSID after upgrading to 7.0.14.

Common Vulnerabilities and Exposures

Visit https://fortiguard.com/psirt for more information.

Bug ID

CVE references

858921

FortiOS 7.0.16 is no longer vulnerable to the following CVE Reference:

  • CVE-2023-26207