When there are many users authenticated by an explicit proxy policy, the Firewall Users widget can take a long time to load. This issue does not impact explicit proxy functionality.

The internet-service6-custom and internet-service6-custom-group options do not work with custom IPv6 addresses.

In some cases, the explicit proxy policy list can take a long time to load due to a delay in retrieving the proxy statistics. This issue does not impact explicit proxy functionality.

Workaround: restart the WAD process, or update the number of WAD processors.

config system global
    set wad-worker-count <integer>
end

If the first firewall service object in the service list (based on the order in the command line table) has a protocol type of IP, the GUI may incorrectly modify its protocol number whenever a new firewall service of the same protocol type IP is created in the GUI.

This silent misconfiguration can result in unexpected behavior of firewall policies that use the impacted service. For example, some 6K and 7K platforms have firewall service ALL (protocol type IP) as the first service, and this can cause the ALL service to be modified unexpectedly.

Workaround: create a new service in the CLI, or move a non-IP type services to the top of the firewall service list. For example, if ALL is the first firewall service in the list:

config firewall service custom
    edit "unused"
        set tcp-portrange 1
    next
    move "unused" before "ALL"
end

Existing ARP entries are removed from all slots when an ARP query of a single slot does not respond.

IPv6 ECMP is not supported for the FG-6000F and FG-7000E platforms. IPv6 ECMP is supported for the FG-7000F platform.

UTM traffic is blocked by an FGSP configuration with asymmetric routing.

In some cases, the FortiGate 7000F platform cannot correctly reassemble fragmented packets.

Virtual clustering is not supported by FortiGate 6000 and 7000 platforms.

The FortiGate 6000 and 7000 platforms do not support EMAC VLANs.

On FortiGate 7000F platforms, NP7-offloaded UDP sessions are not affected by the udp-idle-timer option of the config system global command.

The GUI becomes unresponsive, and sometimes may work after rebooting.

Authenticated users are not synchronized to the secondary FortiGate 6000 or 7000 chassis when the secondary chassis joins a primary chassis to form an FGCP cluster.

The FortiGate 6000 and 7000 platforms do not support IPsec VPN over a loopback interface or an NPU inter-VDOM link interface.

On a FortiGate 7000F, after a new FPM becomes the primary FPM, IPsec VPN dynamic routes are not synchronized to the new primary FPM.

Workaround: reset IPsec VPN tunnels that use dynamic routing.

Sessions for IPsec dialup tunnels that are configured to be handled by a specific FPC or FPM may be incorrectly sent to a different FPC or FPM, resulting in traffic being blocked.

The FortiGate 6000s or 7000s in an FGSP cluster may load balance FTP data sessions to different FPCs or FPMs. This can cause delays while the affected FortiGate 6000 or 7000 re-installs the sessions on the correct FPC or FPM.

FortiGate 7000E IPv6 routes may not be synchronized correctly among FIMs and FPMs.

An uncertified warning appears only on the secondary chassis' FIM02 and FPMs.

Graceful upgrade from 7.0.12 to 7.2.5 fails sometimes due to the primary chassis not being switched over.

After an SNMP HA failover, the SNMP trap continues to work.

FortiGate-7000F chassis with FIM-7941Fs cannot load balance fragmented IPv6 TCP and UDP traffic. Instead, fragmented IPv6 TCP and UDP traffic received by the FIM-7941F interfaces is sent directly to the primary FPM, bypassing the NP7 load balancers. IPv6 ICMP fragmented traffic load balancing works as expected. Load balancing fragmented IPv6 TCP and UDP traffic works as expected in FortiGate-7000F chassis with FIM-7921Fs.

Graceful upgrade of a FortiGate 6000 or 7000 FGCP HA cluster is not supported when upgrading from FortiOS 7.0.12 to 7.2.5.

Upgrading the firmware of a FortiGate 6000 or 7000 FGCP HA cluster from 7.0.12 to 7.2.5 should be done during a maintenance window, since the firmware upgrade process will disrupt traffic for up to 30 minutes.

Before upgrading the firmware, disable uninterruptible-upgrade, then perform a normal firmware upgrade. During the upgrade process the FortiGates in the cluster will not allow traffic until all components (management board and FPCs or FIMs and FPMs) are upgraded and both FortiGates have restarted. This process can take up to 30 minutes.

The FortiGate may display a false alarm message TypeError [ERR_INVALID_URL]: Invalid URL in the crashlog for the node process. This error does not affect the operation of the GUI.

Read-only administrator may encounter a Maximum number of monitored interfaces reached error when viewing an interface bandwidth widget for an interface that does not have the monitor bandwidth feature enabled.

Workaround: super_admin users can enable the monitor bandwidth feature on the interface first, then the widget can work for read-only administrators.

On the View/Edit Entries slide-out pane (Policy & Objects > Internet Service Database dialog), users cannot scroll down to the end if there are over 100000 entries.

On the policy list page, all policy organization with sequence and label grouping is lost.

When private data encryption is enabled, the GUI may become unresponsive and HA may fail to synchronize the configuration.

In the System > Administrators dialog, when there are a lot of VDOMs (over 200), the dialog can take more than one minute to load the Two-factor Authentication toggle. This issue does not affect configuring other settings in the dialog.

Workaround: use the CLI to configure two-factor-authentication under config system admin.

Network > SD-WAN > SD-WAN Zones and SD-WAN Rules pages do not load if a shortcut tunnel is triggered.

Workaround: to load the Network > SD-WAN page, temporarily bring down the ADVPN shortcut tunnels, go to the Network > SD-WAN page, and bring it back up after.

When the FortiGate is in conserve mode, node process (GUI management) may not release memory properly causing entry-level devices to stay in conserve mode.

When private data encryption is enabled, all passwords present in the configuration fail to load and may cause HA failures.

After successfully changing the VLAN ID of an interface from the CLI, an error message similar to cmdb_txn_cache_data(query=log.npu-server,leve=1) failed may appear.

ECMP does not load balance IPv6 traffic between two routes in a multi-VDOM setup.

Output of diagnose sys npu-session list/list-full does not mention policy route information.

Packets drop, and different behavior occurs between devices in an HA pair with ECMP next hop.

The diagnose sys npu-session list command shows an incorrect policy ID when traffic is using an intra-zone policy.

With an enabled hyperscale license, in some cases with exception traffic (like ICMP error traverse), the FortiGate may experience unexpected disruptions when handling the exception traffic.

When viewing logs on the Log & Report > System Events page, filtering by domain\username does not display matching entries.

Workaround: use a double backslash (domain\\username) while filtering or searching by username only without the domain.

The FortiGate does not generate deallocate/allocate logs of the first IP pool when the first IP pool has been exhausted.

If Security Rating is enabled to run on schedule (every four hours), the FortiGate can unintentionally send local-out traffic to fortianalyzer.forticloud.com during the Security Rating run.

Workaround: disable on-schedule Security Rating run.

config system global
    set security-rating-run-on-schedule disable
end

An error condition occurs in WAD caused by multiple outstanding requests sent from client to server with UTM enabled.

BGP neighbor group configured with password is not working as expected.

The Network dashboard may not load if the administrator disables SD-WAN Interface under System > Feature Visibility.

Workaround: enable SD-WAN Interface under System > Feature Visibility, or remove the SD-WAN widget from the Network dashboard.

FortiClient Windows cannot be launched with SSL VPN web portal.

Destination address of SSL VPN firewall policy may be lost after upgrading when dstaddr is set to all and at least one authentication rule has a portal with split tunneling enabled.

FortiGate will intermittently stop accepting new SSL VPN connections across all VDOMs.

When a FortiSwitch port is reconfigured, the FortiGate may incorrectly retain old detected device data from the port that results in an unexpected number of detected device MACs for the port. Using diagnose switch-controller mac-cache show to check the device data can result in the Device Information column being blank on the WiFi & Switch Controller > FortiSwitch Ports page or in the Assets widget.

Workaround: disable the device retention cache to remove old device data.

config switch-controller global
    set mac-retention-period 0
end

FortiGate 200F interfaces stop passing traffic after some time.

When configuring an 802.3ad aggregate interface with a 1 Gbps speed, the port's LED is off and traffic cannot pass through. Affected platforms: 110xE, 220xE, 330xE, 340xE, and 360xE.

Optimize memory usage caused by the high volume of disk traffic logs.

When a user is logged in as a VDOM administrator with restricted access and tries to upload a certificate (System > Certificates), the Create button on the Create Certificate pane is greyed out.

Status light is not showing on the FortiGate 60F or 100F after a cold and warm reboot.

The FortiGate may display a false alarm message and subsequently initiate a reboot.

GUI is inaccessible when using a SHA1 certificate as admin-server-cert.

System goes into halt state with Error: Package validation failed... message in cases where there are no engine files in the FortiGate when the BIOS security level is set to 2.

Workaround: set the BIOS security level to 0 or 1.

High CPU usage might be observed on entry-level FortiGates if the cache size reaches 10% of the system memory.

If FGTVM was deployed in UEFI boot mode, do not downgrade to any GA version earlier than 7.2.4.

When there are extra large number of managed FortiAP devices (over 500) and large number of WiFi clients (over 5000), the Managed FortiAPs page and FortiAP Status widget can take a long time to load. This issue does not impact FortiAP operation.

The layer 3 roaming feature may not work when the wireless controller is running multiple cw_acd processes (when the value of acd-process-count is not zero).

CAPWAP tunnel traffic over tunnel SSID is dropped when offloading is enabled.

The Automatically connect to nearest saved network option does not work as expected when FWF-60E client-mode local radio loses connection.

Physical and logical topology is slow to load when there are a lot of managed FortiAP (over 50). This issue does not impact FortiAP management and operation.

Unable to create FortiAP profile in the GUI for dual-5G mode FortiAP U231F/U431F models.

Workaround: use the CLI to update the profile to dual-5G mode.