Known issues

The following issues have been identified in Hyperscale firewall for FortiOS 7.0.9 Build 0444. For inquiries about a particular bug, please contact Customer Service & Support. The known issues described in the FortiOS 7.0.9 release notes also apply to Hyperscale firewall for FortiOS 7.0.9 Build 0444.

Bug ID

Description

724085

Traffic passing through an EMAC-VLAN interface when the parent interface is in another VDOM is blocked if NP7 offloading is enabled. If you set the auto-asic-offload option to disable in the firewall policy, traffic flows as expected.

763966

FGSP synchronizes NP7 sessions from all VDOMs when FGSP is configured to synchronize sessions from a hyperscale VDOM.

795853

Disabling EIF and EIM in a hyperscale firewall policy actively processing traffic causes errors in the information stored in the NP7 firewall policy database. For example, the data may include incorrect VDOM IDs and IP addresses.

807476

On a FortiGate licensed for Hyperscale firewall features, using the cfg-save option of the config system global command to revert configuration changes may result in error messages displaying on the CLI. The error occurs because when packets go through host interface TX/RX queues, some packet buffers can still hold references to VDOM when the host queues are idle. If more packets go through the same host queues for other VDOMs, the issue should resolve.

810225

On FortiGates with NP7 processors, the first time you change the password of a newly created administrator from the GUI, an "undefined" error message may appear.

811109

The HA1, HA2, AUX1, and AUX2 interfaces of the FortiGate-4200F, 4201F, 4400F, and 4401F cannot be added to a LAG.

836976

Sessions being processed by hyperscale firewall policies with hardware logging may be dropped when dynamically changing the log server log-processor mode from hardware to host for the hardware log server added to the hyperscale firewall policy. To avoid dropping sessions, change the log-processor setting during quiet periods.

838654

In a hyperscale firewall VDOM, NAT64 and NAT46 sessions offloaded to NP7 processors that are blocked by the implicit deny policy do not increase the implicit deny policy hit count.

839958

The service-negate firewall policy option does not work as expected in a hyperscale deny policy.

841712

The config system npu option nat64-force-ipv4-packet-forwarding is not available.

842008

If background session scanning is enabled (using the background-sse-scan option of the config system npu command), after an FGCP HA failover, some sessions may not be synchronized from the primary to the secondary FortiGate.

842659

The srcaddr-negate and dstaddr-negate options do not work as expected for IPv6 FTS traffic.

843132

Access control list (ACL) policies added while a FortiGate is processing traffic may take longer than expected to become effective. During a transition period, traffic that should be blocked by the ACL policy will be allowed.

843197

The output of the diagnose sys npu-session list/list-full command does not include policy route information.

843266

Hyperscale firewall sessions that are routed by policy routes do not show information such as hit count and last used when displayed with the diagnose firewall proute list command.

843305

A message similar to PARSE SKIP ERROR=17 NPD ERR PBR ADDRESS can appear on the console error log when a FortiGate with NP7 processors starts up.

844421

Due to a hardware limitation, when overload mode IP pools are used, the per IP pool session stats are not accurate.

846520

After an FGCP HA failover, the NPD/LPMD processes may be stopped by an out of memory killer process after running mixed sessions even when the amount of memory use is not excessive.

847314

FortiGates with NP7 processors may encounter random kernel crashes after a system restart or a factory reset.

847664

FortiGates with NP7 processors may display an error message similar to mce: [Hardware Error] while starting up.
