Known issues
The following issues have been identified in version 7.2.5. To inquire about a particular bug or report a bug, please contact Customer Service & Support.
Anti Virus
Bug ID | Description
---|---
908706 | On the Security Profiles > AntiVirus page, a VDOM administrator with a custom administrator profile cannot create or modify an antivirus profile belonging to the VDOM. Workaround: set the VDOM administrator profile to super_admin.
Explicit Proxy
Bug ID | Description
---|---
817582 | When there are many users authenticated by an explicit proxy policy, the Firewall Users widget can take a long time to load. This issue does not impact explicit proxy functionality.
865828 | The
894557 | In some cases, the explicit proxy policy list can take a long time to load due to a delay in retrieving the proxy statistics. This issue does not impact explicit proxy functionality. Workaround: restart the WAD process, or update the number of WAD processors: `config system global set wad-worker-count <integer> end`
942612 | The web proxy forward server does not convert the HTTP version back to the original version when sending responses back to the client.
Firewall
Bug ID | Description
---|---
843554 | If the first firewall service object in the service list (based on the order in the command line table) has a protocol type of IP, the GUI may incorrectly modify its protocol number whenever a new firewall service of the same protocol type IP is created in the GUI. This silent misconfiguration can result in unexpected behavior of firewall policies that use the impacted service. For example, some 6K and 7K platforms have the firewall service ALL (protocol type IP) as the first service, and this can cause the ALL service to be modified unexpectedly. Workaround: create the new service in the CLI, or move a non-IP type service to the top of the firewall service list. For example, if `config firewall service custom edit "unused" set tcp-portrange 1 next move "unused" before "ALL" end`
895946 | Access to some websites fails after upgrading to FortiOS 7.2.3 when the firewall policy is in flow-based inspection mode. Workaround: access is possible with one of the following settings.
FortiGate 6000 and 7000 platforms
Bug ID | Description
---|---
790464 | Existing ARP entries are removed from all slots when an ARP query of a single slot does not respond.
885205 | IPv6 ECMP is not supported for the FG-6000F and FG-7000E platforms. IPv6 ECMP is supported for the FG-7000F platform.
887946 | UTM traffic is blocked by an FGSP configuration with asymmetric routing.
888447 | In some cases, the FortiGate 7000F platform cannot correctly reassemble fragmented packets.
896758 | Virtual clustering is not supported by FortiGate 6000 and 7000 platforms.
897629 | The FortiGate 6000 and 7000 platforms do not support EMAC VLANs.
901695 | On FortiGate 7000F platforms, NP7-offloaded UDP sessions are not affected by the
906481 | The GUI becomes unresponsive, and sometimes may work after rebooting.
907140 | Authenticated users are not synchronized to the secondary FortiGate 6000 or 7000 chassis when the secondary chassis joins a primary chassis to form an FGCP cluster.
907695 | The FortiGate 6000 and 7000 platforms do not support IPsec VPN over a loopback interface or an NPU inter-VDOM link interface.
908576 | On a FortiGate 7000F, after a new FPM becomes the primary FPM, IPsec VPN dynamic routes are not synchronized to the new primary FPM. Workaround: reset IPsec VPN tunnels that use dynamic routing.
908674 | Sessions for IPsec dialup tunnels that are configured to be handled by a specific FPC or FPM may be incorrectly sent to a different FPC or FPM, resulting in traffic being blocked.
910883 | The FortiGate 6000s or 7000s in an FGSP cluster may load balance FTP data sessions to different FPCs or FPMs. This can cause delays while the affected FortiGate 6000 or 7000 re-installs the sessions on the correct FPC or FPM.
911244 | FortiGate 7000E IPv6 routes may not be synchronized correctly among FIMs and FPMs.
918795 | An uncertified warning appears only on the secondary chassis' FIM02 and FPMs.
920925 | Graceful upgrade from 7.0.12 to 7.2.5 sometimes fails because the primary chassis is not switched over.
921452 | After an SNMP HA failover, the SNMP trap continues to work.
937879 | FortiGate-7000F chassis with FIM-7941Fs cannot load balance fragmented IPv6 TCP and UDP traffic. Instead, fragmented IPv6 TCP and UDP traffic received by the FIM-7941F interfaces is sent directly to the primary FPM, bypassing the NP7 load balancers. IPv6 ICMP fragmented traffic load balancing works as expected. Load balancing fragmented IPv6 TCP and UDP traffic works as expected in FortiGate-7000F chassis with FIM-7921Fs.
951135 | Graceful upgrade of a FortiGate 6000 or 7000 FGCP HA cluster is not supported when upgrading from FortiOS 7.0.12 to 7.2.5. Upgrading the firmware of a FortiGate 6000 or 7000 FGCP HA cluster from 7.0.12 to 7.2.5 should be done during a maintenance window, since the firmware upgrade process will disrupt traffic for up to 30 minutes. Before upgrading the firmware, disable
973407 | An FIM-installed NPU session causes the SSE to get stuck.
GUI
Bug ID | Description
---|---
825598 | The FortiGate may display a false alarm message
848660 | A read-only administrator may encounter a Maximum number of monitored interfaces reached error when viewing an interface bandwidth widget for an interface that does not have the monitor bandwidth feature enabled. Workaround: super_admin users can enable the monitor bandwidth feature on the interface first, then the widget can work for read-only administrators.
853352 | On the View/Edit Entries slide-out pane (Policy & Objects > Internet Service Database dialog), users cannot scroll down to the end if there are over 100000 entries.
854180 | On the policy list page, all policy organization with sequence and label grouping is lost.
893560 | When private data encryption is enabled, the GUI may become unresponsive and HA may fail to synchronize the configuration.
898902 | In the System > Administrators dialog, when there are a lot of VDOMs (over 200), the dialog can take more than one minute to load the Two-factor Authentication toggle. This issue does not affect configuring other settings in the dialog. Workaround: use the CLI to configure
907041 | The Network > SD-WAN > SD-WAN Zones and SD-WAN Rules pages do not load if a shortcut tunnel is triggered. Workaround: to load the Network > SD-WAN page, temporarily bring down the ADVPN shortcut tunnels, go to the Network > SD-WAN page, and bring them back up afterwards.
934644 | When the FortiGate is in conserve mode, the node process (GUI management) may not release memory properly, causing entry-level devices to stay in conserve mode.
974988 | The FortiGate GUI should not show a license expired notification due to an expired device-level FortiManager Cloud license if it still has a valid account-level FortiManager Cloud license (function is not affected).
HA
Bug ID | Description
---|---
818432 | When private data encryption is enabled, all passwords present in the configuration fail to load and may cause HA failures.
916903, 919982, 922867 | When an HA management interface is configured, the GUI may not show the last interface entry in Workaround: create a dummy interface to be the last entry in the `config system interface edit <name> set vdom "root" set status down set type loopback set snmp-index <integer> next end`
Hyperscale
Bug ID | Description
---|---
802182 | After successfully changing the VLAN ID of an interface from the CLI, an error message similar to
824071 | ECMP does not load balance IPv6 traffic between two routes in a multi-VDOM setup.
843197 | Output of
853258 | Packets drop, and different behavior occurs between devices in an HA pair with ECMP next hop.
872146 | The
915796 | With an enabled hyperscale license, in some cases with exception traffic (like ICMP error traverse), the FortiGate may experience unexpected disruptions when handling the exception traffic.
920228 | NAT46 NPU sessions are lost and traffic drops when an HA failover occurs.
Intrusion Prevention
Bug ID | Description
---|---
926639 | Constant reloading of the shared memory external domain table causes high CPU usage due to lock contention when reloading the table.
Log & Report
Bug ID | Description
---|---
860822 | When viewing logs on the Log & Report > System Events page, filtering by domain\username does not display matching entries. Workaround: use a double backslash (domain\\username) while filtering, or search by username only without the domain.
893199 | The FortiGate does not generate deallocate/allocate logs for the first IP pool when the first IP pool has been exhausted.
932537 | If Security Rating is enabled to run on schedule (every four hours), the FortiGate can unintentionally send local-out traffic to fortianalyzer.forticloud.com during the Security Rating run. Workaround: disable the on-schedule Security Rating run: `config system global set security-rating-run-on-schedule disable end`
960661 | The FortiAnalyzer report is not available to view for the secondary unit in the HA cluster on the Log & Report > Reports page. Workaround: view the report directly in FortiAnalyzer.
Proxy
Bug ID | Description
---|---
783549 | An error condition occurs in WAD caused by multiple outstanding requests sent from client to server with UTM enabled.
899358 | A proxy-based deep inspection connection issue occurs.
Routing
Bug ID | Description
---|---
907386 | A BGP neighbor group configured with a password does not work as expected.
924598 | The Network dashboard may not load if the administrator disables SD-WAN Interface under System > Feature Visibility. Workaround: enable SD-WAN Interface under System > Feature Visibility, or remove the SD-WAN widget from the Network dashboard.
924940 | When there are a lot of policies (several thousand), the interface member selection for the SD-WAN Zone dialog may take up to a minute to load. Workaround: use the CLI to configure the SD-WAN zone.
Security Fabric
Bug ID | Description
---|---
902344 | When there are over 30 downstream FortiGates in the Security Fabric, the root FortiGate's GUI may experience slowness when loading the Fabric Management page, which prevents the user from upgrading firmware in the GUI. Workaround: perform the firmware upgrade in the CLI. To perform the firmware upgrade using the GUI, temporarily disable the Security Fabric on the root FortiGate.
SSL VPN
Bug ID | Description
---|---
795381 | FortiClient Windows cannot be launched with the SSL VPN web portal.
879329 | The destination address of an SSL VPN firewall policy may be lost after upgrading when
887674 | The FortiGate intermittently stops accepting new SSL VPN connections across all VDOMs.
922446 | The SSL VPN service over a PPPoE interface does not work as expected if the PPPoE interface is configured with `config system pppoe-interface edit <name> set device <string> set username <string> set password <password> next end config vpn ssl settings set source-interface <PPPoE_interface_name> end` This issue is also observed on VNE tunnel configurations. Workaround: configure the PPPoE interface with
Switch Controller
Bug ID | Description
---|---
904640 | When a FortiSwitch port is reconfigured, the FortiGate may incorrectly retain old detected device data from the port, which results in an unexpected number of detected device MACs for the port. Using Workaround: disable the device retention cache to remove old device data: `config switch-controller global set mac-retention-period 0 end`
911232 | Security rating shows an incorrect warning for unregistered FortiSwitches on the WiFi & Switch Controller > Managed FortiSwitches page. Workaround: select a FortiSwitch and use the Diagnostics & Tools tooltip to view the correct registration status.
System
Bug ID | Description
---|---
842159 | FortiGate 200F interfaces stop passing traffic after some time.
861962 | When configuring an 802.3ad aggregate interface with a 1 Gbps speed, the port's LED is off and traffic cannot pass through. Affected platforms: 110xE, 220xE, 330xE, 340xE, and 360xE.
882187 | Optimize memory usage caused by the high volume of disk traffic logs.
884023 | When a user is logged in as a VDOM administrator with restricted access and tries to upload a certificate (System > Certificates), the Create button on the Create Certificate pane is greyed out.
887940 | The status light does not show on the FortiGate 60F or 100F after a cold or warm reboot.
904486 | The FortiGate may display a false alarm message and subsequently initiate a reboot.
921134 | The GUI is inaccessible when using a SHA1 certificate as
923364 | The system goes into a halt state with Workaround: set the BIOS security level to 0 or 1.
937982 | High CPU usage might be observed on entry-level FortiGates if the cache size reaches 10% of the system memory.
958437 | An error message is shown when attempting to create a FortiExtender WAN extension interface.
User & Authentication
Bug ID | Description
---|---
923164 | The EAP proxy daemon may keep reloading after updating the certificate bundle. Workaround: reboot the system.
VM
Bug ID | Description
---|---
899984 | If FGTVM was deployed in UEFI boot mode, do not downgrade to any GA version earlier than 7.2.4.
924689 | FortiGate VMs in an HA cluster deployed on the Hyper-V platform may get into an unresponsive state where multiple services are impacted: GUI management, CLI commands, SSL VPN sessions, DHCP assignment, traffic throughput, and the reboot function. Workaround: reboot the FortiGate VM through the hypervisor management interface.
Web Filter
Bug ID | Description
---|---
885222 | An HTTP session is logged as HTTPS in the web filter when a VIP is used.
WiFi Controller
Bug ID | Description
---|---
814541 | When there is an extra large number of managed FortiAP devices (over 500) and a large number of WiFi clients (over 5000), the Managed FortiAPs page and FortiAP Status widget can take a long time to load. This issue does not impact FortiAP operation.
869106 | The layer 3 roaming feature may not work when the wireless controller is running multiple cw_acd processes (when the value of
869978 | CAPWAP tunnel traffic over a tunnel SSID is dropped when offloading is enabled.
873273 | The Automatically connect to nearest saved network option does not work as expected when the FWF-60E client-mode local radio loses connection.
903922 | Physical and logical topology is slow to load when there are a lot of managed FortiAPs (over 50). This issue does not impact FortiAP management and operation.
904349 | Unable to create a FortiAP profile in the GUI for dual-5G mode FortiAP U231F/U431F models. Workaround: use the CLI to update the profile to dual-5G mode.
944465 | On the WiFi & Switch Controller > Managed FortiAPs page of a non-management VDOM, the Register button is unavailable in the Device Registration pane.
ZTNA
Bug ID | Description
---|---
819987 | An SMB drive mapping made through a ZTNA access proxy is inaccessible after rebooting.