Resolved issues
The following issues have been fixed in version 7.2.6. To inquire about a particular bug, please contact Customer Service & Support.
Anti Spam
Bug ID | Description |
---|---|
870052 | Error condition in scanunitd occurs when email filter profile and proxy inspection are applied to a firewall policy. |
Anti Virus
Bug ID | Description |
---|---|
908706 | On the Security Profiles > AntiVirus page, a VDOM administrator with a custom administrator profile cannot create or modify an antivirus profile belonging to the VDOM. |
911332 | When UTM status is enabled and the AV profile has no configuration, all SSL traffic is dropped and there is no WAD output. |
923883 | The FortiGate may display an error log in the crash log due to AV delta update. In case of failure, a full successful AV update is done. |
Application Control
Bug ID | Description |
---|---|
913529 | The firewall policy dialog should show the no-inspection profile and the warning should be consistent with the policy list. |
939565 | |
DNS Filter
Bug ID | Description |
---|---|
931998 | DNS filter flow external domain AAAA query can still check the default category but not the remote category. |
Endpoint Control
Bug ID | Description |
---|---|
897048 | FortiOS should support EMS 7.2.1 auth API status code changes. |
913324 | The GUI makes repeated calls to the EMS API, which can cause EMS to not authorize the FortiGate correctly. |
933819 | Two FortiGates deregistered from EMS on special build 8844. |
Explicit Proxy
Bug ID | Description |
---|---|
817582 | When there are many users authenticated by an explicit proxy policy, the Firewall Users widget can take a long time to load. This issue does not impact explicit proxy functionality. |
859693 | Sessions between the explicit proxy and server stay in SYN_SENT state when using IP pools in the explicit proxy policy for source NAT, even though the sessions have established. Traffic is not impacted. |
866316 | Explicit web proxy fails to forward HTTPS request to a Squid forward server when certificate inspection is applied. |
888078 | Enabling |
889300 | Wrong source IP address used for packets through explicit proxy routed to a member of SD-WAN interface. |
908989 | The Enabled On should display the listening interfaces rather than None in explicit proxy policy on the GUI. |
923302 | Cannot send picture through web explicit proxy. |
934094 | Some websites through explicit proxy randomly getting blocked after upgrade. |
Firewall
Bug ID | Description |
---|---|
843554 | If the first firewall service object in the service list (based on the order in the command line table) has a protocol type of IP, the GUI may incorrectly modify its protocol number whenever a new firewall service of the same protocol type IP is created in the GUI. This silent misconfiguration can result in unexpected behavior of firewall policies that use the impacted service. For example, some 6K and 7K platforms have firewall service ALL (protocol type IP) as the first service, and this can cause the ALL service to be modified unexpectedly. |
872312 | Unable to add more MAC addresses once the MAC address group object for a VWP policy is referenced. |
879225 | Egress interface intermittently cannot be matched for Wake-on-LAN (broadcast) packets. |
879705 | Traffic issues occur with virtual servers after upgrading. |
884908 | Implicit deny policy is allowing |
895946 | Access to some websites fails after upgrading to FortiOS 7.2.3 when the firewall policy is in flow-based inspection mode. |
909763 | Wrong TOS field value in NetFlow report when there is no traffic. |
912089 | Optimize CPU usage caused by a rare error condition which leads to no data being sent to the collector. |
914939 | UDP fragments dropped due to DF being set. Only the |
926029 | New sessions are created and evaluated after a certain number of UDP packets, even if |
927009 | When running tests with SNAT PBA source and destination IP addresses, octets are shown in reverse order. |
928896 | |
FortiGate 6000 and 7000 platforms
Bug ID | Description |
---|---|
758078 | After system synchronization, primary blades' reboot command did not take effect on the secondaries. |
888310 | The FortiGate 6000 or 7000 front panel does not appear on the Network > Interfaces and System > HA GUI pages. |
888447 | In some cases, the FortiGate 7000F platform cannot correctly reassemble fragmented packets. |
891430 | The FortiGate 6000 and 7000 System Information dashboard widget incorrectly displays the management board or primary FIM serial number instead of the chassis serial number. Use |
891642 | On the FortiGate 7000E and 7000F platforms, managed FortiSwitches will not connect to Fortilink interfaces. |
896758 | Virtual clustering is not supported by FortiGate 6000 and 7000 platforms. |
897629 | The FortiGate 6000 and 7000 platforms do not support EMAC VLANs. |
898191 | Support SLBC integrated memory and disk logging in the new local logd framework. |
899905 | Adding a FortiAnalyzer to a FortiGate 6000 or 7000 Security Fabric configuration from the FortiOS GUI is not supported. |
901695 | On FortiGate 7000F platforms, NP7-offloaded UDP sessions are not affected by the |
905450 | SNMP walk fails to get BGP routing information. |
906481 | The GUI becomes unresponsive, and sometimes may work after rebooting. |
907140 | Authenticated users are not synchronized to the secondary FortiGate 6000 or 7000 chassis when the secondary chassis joins a primary chassis to form an FGCP cluster. |
908576 | On a FortiGate 7000F, after a new FPM becomes the primary FPM, IPsec VPN dynamic routes are not synchronized to the new primary FPM. |
908674 | Sessions for IPsec dialup tunnels that are configured to be handled by a specific FPC or FPM may be incorrectly sent to a different FPC or FPM, resulting in traffic being blocked. |
909160 | The FortiGate 7000E and 7000F platforms do not support GTP and PFCP load balancing. |
910095 | FGCP session synchronization may not synchronize all sessions on FortiGate 6000 and 7000 models. |
911244 | FortiGate 7000E IPv6 routes may not be synchronized correctly among FIMs and FPMs. |
913040 | Multiple IP pools in SSL VPN is not supported. |
914273 | SNMP query to fgVdEntSesRate returns a 0 value. |
918795 | An uncertified warning appears only on the secondary chassis' FIM02 and FPMs. |
920925 | Graceful upgrade from 7.0.12 to 7.2.5 fails sometimes due to the primary chassis not being switched over. |
921452 | After an SNMP HA failover, the SNMP trap continues to work. |
947936 | On the FortiGate 7060E, only four of six PSUs are shown sometimes. |
FortiView
Bug ID | Description |
---|---|
894957 | On FortiView Websites, the real time view is always empty if disk logging is disabled. |
920241 | GUI shows Failed to retrieve FortiView data while accessing FortiView Sources and FortiView Destination. |
950137 | FortiView Application widget cannot show data for explicit proxy traffic. |
GUI
Bug ID | Description |
---|---|
825598 | The FortiGate may display a false alarm message |
863126 | In an environment where the Security Fabric is enabled and there are more than 100 firewall object conflicts between the root and downstream FortiGates, the Firewall Object Synchronization pane does not list the details. |
892364 | Incorrect interface is being selected in the SD-WAN Rules GUI page, but the correct one is displayed in the CLI. |
893560 | When private data encryption is enabled, the GUI may become unresponsive and HA may fail to synchronize the configuration. |
898902 | In the System > Administrators dialog, when there are a lot of VDOMs (over 200), the dialog can take more than one minute to load the Two-factor Authentication toggle. This issue does not affect configuring other settings in the dialog. |
903856 | When using configuration save mode with VDOMs, the GUI still shows unsaved changes after another administrator commits their changes with SSH. |
904817 | Changing the IPv4/IPv6 version in the dropdown of one widget will also impact other Session Rate widgets. |
907041 | Network > SD-WAN > SD-WAN Zones and SD-WAN Rules pages do not load if a shortcut tunnel is triggered. |
919390 | Disabling |
931004 | FortiGate GUI issues on mobile phone's browser. |
931486 | Unexpected behavior in httpsd when the user has a lot of FQDN addresses. |
HA
Bug ID | Description |
---|---|
703614 | HA secondary synchronization fails and keeps rebooting when the primary has a split port configuration. |
771316 | Platforms in an HA environment get stuck in a reboot loop while attempting to synchronize configurations that differ in split ports. |
818432 | When private data encryption is enabled, all passwords present in the configuration fail to load and may cause HA failures. |
870312 | On a FortiGate HA cluster, both primary and secondary units are displayed as the Primary on the GUI top banner, and as |
875984 | FortiGate goes out-of-sync after changing parameters of VDOM link interfaces. |
880786 | Running |
881337 | Adding a VLAN interface on any VDOM causes BGP flapping and VIP connectivity issues on VDOMs in vcluster2. |
881847 | HA interfaces flapping on FG-3401E. |
883546 | In HA, sending a lot of CLI configurations causes the creation of a VDOM on the secondary unit. |
888110 | Unable to set the interface configured as an SD-WAN member to |
893041 | Cannot access out-of-band IPv6 address on HA secondary unit. |
896608 | HA cluster became out-of-sync after enabling a password policy and logging on to FortiGate. |
897865 | When NP7 platforms enable the GTP enhanced mode it does not use uninterruptible upgrade. |
901292 | When entering the |
902945 | Lost management connectivity to the standby node via in-band management. |
904318 | FortiGate sent ARP request with loopback IP address as the source address. |
906036 | Secondary blade hostname and mgmt1 IP were changed after a restored configuration on the primary blade. |
906367 | When upgrading a cluster of four FortiGate 2200E devices, each secondary forms a cluster with the primary only and causes an outage. |
908062 | FortiGate VM Azure HA cluster goes out-of-sync due to dynamic firewall address type. |
916216 | When adding a new interface, some other interfaces have the wrong virtual MAC address. |
916903, 919982, 922867 | When an HA management interface is configured, the GUI may not show the last interface entry in |
919005 | Heartbeat packet loss issue at random times. |
920233 | The System > HA page is missing from the GUI on 5K models. |
931724 | HA events not synchronizing between members, leading to unexpected HA status. |
935448 | Hardware session synchronization is showing as out-of-sync on primary and secondary. |
942502 | Unexpected behavior occurred in the kernel when creating EMAC VLAN interfaces based on an aggregate interface with the new kernel 4.1.9. |
946878 | When configuring an HA management interface, the GUI does not allow the same interface to be used for multiple management interfaces. |
Hyperscale
Bug ID | Description |
---|---|
845269 | When editing a Hyperscale firewall policy with an overload CGN IP Pool, the GUI disables endpoint independent filtering |
854933 | The IPv6 neighbor cache configuration is missing after executing a reboot or flush command. |
915796 | With an enabled hyperscale license, in some cases with exception traffic (like ICMP error traverse), the FortiGate may experience unexpected disruptions when handling the exception traffic. |
919977 | First-time HA failover after upgrading causes long service interruption to NAT44. |
920405 | Problem with synchronizing a high amount of routes to NP7 for hyperscale firewall. |
924196 | Device is rebooting randomly when driver processes exception packets. |
932317 | Hyperscale firewall creates a separate session and uses a different source port for IP fragment packets. |
933063 | LPM daemon is being killed. |
Intrusion Prevention
Bug ID | Description |
---|---|
823583 | Failover on clustered web application using keepalived daemon does not work seamlessly. |
842523 | IPv6 with hardware offloading and IPS drops traffic ( |
845944 | Firewall policy change causes high CPU spike with IPS engine. |
860315 | Unexpected behavior in IPS engine when executing |
873975 | Source MAC changes and the packet drops due to both sides of the session using the same source MAC address. |
874877 | IPS engines do not release memory after stopping traffic for more than one hour. |
886685 | IPS daemon usage issue when notifying device vulnerability information to WAD. |
892302 | Constant reloading of the external domain table is causing high CPU due to lock contention when reloading the table. |
926639 | Constant reloading of the shared memory external domain table is causing high CPU usage due to lock contention when reloading the table. |
934015 | RSH subsession timeout when IPS is enabled. |
968367 | IPS engine high memory usage can cause FortiOS to go into conserve mode. |
IPsec VPN
Bug ID | Description |
---|---|
803010 | The |
872769 | Proxy ARP stops working for a client connected to a dialup IPsec when the previous VPN was established and is deleted. |
883138 | VM running FIPS cipher mode does not show AES-CBC ciphers when configuring IPsec in the GUI. |
885333 | Forwarded broadcast traffic on ADVPN shortcut tunnel interface dropped. |
898872 | IPsec performance drops after upgrade on AWS. |
914418 | File transfer stops after a while when offloading is enabled. |
921691 | In FGSP, IKE routes are not removed from the kernel when |
923150 | Some static tunnels in multiple VDOM HA setups do not come up after a firmware upgrade or restoring the configuration. |
926048 | Traffic through a shortcut got dropped after an HA failover. |
928774 | IPsec VPN connection should allow % in FortiClient Connect REG_PASSWD field. |
Log & Report
Bug ID | Description |
---|---|
831441 | The forward traffic log shows exabytes of data being sent and received from external to external IP addresses in multiple VDOMs. |
860822 | When viewing logs on the Log & Report > System Events page, filtering by domain\username does not display matching entries. |
861893 | In Forward Traffic logs, the Policy ID column is blank. |
865794 | Log Viewer: filter by Date/Time does not show correct result. |
879446 | |
893199 | The FortiGate does not generate deallocate/allocate logs of the first IP pool when the first IP pool has been exhausted. |
902797 | IPS alert email not being sent when IPS attack event has triggered. |
908856 | Traffic log can show exabytes of data sent and received when generating log task is triggered from userspace. |
929338 | Secondary FortiGate log cannot be viewed from primary FortiGate in HA. |
932817 | Forward traffic log has unexpected symbols in the end for some logs. |
940814 | Administrators without read permissions for the threat weight feature cannot see the event log menu. |
Proxy
Bug ID | Description |
---|---|
783549, 902613, 921247 | An error condition occurs in WAD caused by multiple outstanding requests sent from client to server with UTM enabled. |
820096 | CPU usage issue in Proxyd caused by the absence of TCP Teardown. |
882182 | Unexpected behavior in WAD due to the activation of firewall protocol options with both client and server comfort features enabled. |
883504 | Emails are blocked when proxy-based policy with either AntiVirus or Email Filter security profiles enabled. |
897347 | Memory usage issue caused by the WAD user info process while authenticating the LDAP users. |
898016 | Kerberos authentication stops working after upgrading to 7.2.3. |
899358 | Proxy-based deep inspection connection issue occurs. |
904386 | Unable to upload file to the application server in server-load-balance setup. |
932487 | Memory usage issue caused by WAD while using access proxy. |
REST API
Bug ID | Description |
---|---|
948356 | An error condition occurs in HTTPSD when a REST API request is sent with invalid parameters. |
Routing
Bug ID | Description |
---|---|
775752 | |
820407 | Auto-link fails if the FortiGate device initiating the FGFM connection is using an interface with a VRF not set to the default, 0. |
858248 | OSPF summary address for route redistribution from static route via IPsec VPN always persists. |
858299 | Redistributed BGP routes to the OSPF change their forward address to the tunnel ID. |
875668 | SD-WAN SLA log information has incorrect inbound and outbound bandwidth values. |
892704 | SD-WAN performance SLA statistics on secondary unit's GUI section are not synchronized with the primary and have stale data. |
896891 | With ICMP asymmetric routing enabled, ICMP local-in/local-out reply packets will still only return through the original path, in order to maintain the ping SLA. |
899827 | Speed test result is not accurate. |
900226 | High CPU due to PIMD/NSM and multicast session not being offloaded. |
900770 | DHCP relay fails after a period of time with SD-WAN. |
900941 | |
907386 | BGP neighbor group configured with password is not working as expected. |
909835 | Search broken on SD-WAN Rules tab's Source/Destination omniselect. |
913338 | FortiGate removing SD-WAN routes when network address is specified as the gateway of an SD-WAN member. |
914497 | SD-WAN rules list in the GUI should show the interface members in priority order instead of alphabetical order. |
914815 | FortiGate 40F-3G4G not adding LTE dynamic route to route table. |
922491 | Static routes are installed on hub FortiGate with |
924598 | The Network dashboard may not load if the administrator disables SD-WAN Interface under System > Feature Visibility. |
924940 | When there are a lot of policies (several thousands), the interface member selection for the SD-WAN Zone dialog may take up to a minute to load. |
Security Fabric
Bug ID | Description |
---|---|
831311 | When using automation email action to reference the result of a previously executed automation CLI script action, there is a 16 KB size limit for the script output. |
874822 | In a configuration with a connected FortiAP-U, the FortiAP & FortiAP-S & FortiAP-W2 & FortiAP-U Command Injection in CLI security rating test fails and suggests an upgrade to 7.0.4, even though the FortiAP is on the latest version (7.0.0). |
907819 | Advanced GCP connector does not resolve if one element does not exist. |
912592 | Allow comments and IP addresses to be on the same line for external IP address threat feeds. |
912917 | Send Fabric API calls with pagination filter. |
917024 | Unexpected behavior in Security Fabric daemon (CSFD) caused by triggering HA failover while using Security Fabric. |
918230 | Threat feeds with name starting with "g-" are not allowed on non-VDOM FortiGate. |
922896 | Azure SDN connector always uses HA management port for DNS resolve. This might not work on premises where the HA management port does not have a public IP address assigned. |
926202 | Unable to authorize downstream FortiGate with the Security Fabric after upgrade. |
SSL VPN
Bug ID | Description |
---|---|
631809 | Configuring thousands of |
833934 | SSL VPN fails to connect to graph.microsoft.com when doing Azure auto-login. |
843756 | Customer bookmark (*.tr***.pt) is not accessible when using SSL VPN web mode. |
851976 | PC cannot get IP from DHCP server due to |
856194 | Problem loading some graphs through SSL VPN web mode after upgrading. |
858478 | SSL VPN DTLS tunnel is unavailable after changing the SSL VPN listening port. |
859088 | FortiGate adds extra parenthesis and causes clicking all links to fail in SSL VPN web mode. |
868491 | SSL VPN web mode connection to VMware vCenter 7 is not working. |
871039 | Internal website is not displaying user-uploaded PDF files when visited through SSL VPN web mode. |
871229 | SSL VPN web mode does not load when connecting to customer's internal site. |
872745 | SSL VPN web mode to RDP broker leads to connection being closed. |
873516 | FortiGate misses the closing parenthesis when running the function to rewrite the URL. |
875167 | Webpage opened in SSL VPN web portal is not displayed correctly. |
877124 | RDP freezes in web mode with high CPU usage of SSL VPN process. |
878833 | Decrease in download speeds observed for SSL VPN users when over 2000 users are connected. |
880791 | Internal website access issue with SSL VPN web portal. |
881220 | Found bad login for SSL VPN web-based access when enabling URL obscuration. |
881268 | Disconnecting from SSL VPN using the SSL-VPN widget does not disconnect the SSL VPN tunnel. |
884869 | Web mode bookmark showing blank page due to JS rewrite. |
885978 | Some buttons in URL are not working in SSL VPN web mode. |
886989 | SSL VPN process reaches 99% CPU usage when HTTP back-end server resets the connection in the middle of a post request. |
887345 | When a user needs to enter credentials through a pop-up window, the key events for modification key detected by SDL were ignored. |
887674 | FortiGate will intermittently stop accepting new SSL VPN connections across all VDOMs. |
889736 | The HPE iLO 5 web server is not able to load properly from the SSL VPN portal. |
894704 | FortiOS check would block iOS and Android mobile devices from connecting to the SSL VPN tunnel. |
895120 | SSL VPN web portal not loading internal web page. |
896007 | Specific SAP feature is not working with SSL VPN web mode. |
896343 | SSL VPN web mode is not working as expected for customer's web server. |
896396 | SSL VPN web portal HTTP bookmark forwarded site throws Java error. |
897385 | Internal website keeps asking for credential with SSL VPN web mode. |
897665 | The external DHCP server is not receiving hostnames in SSL VPN and DHCP relay. |
904919 | DHCP option 12 hostname needed for SSL VPN with external DHCP servers. |
906756 | Update SSL VPN host check logic for unsupported OS. |
922446 | SSL VPN service over PPPoE interface does not work as expected if the PPPoE interface is configured with `config system pppoe-interface edit <name> set device <string> set username <string> set password <password> next end` `config vpn ssl settings set source-interface <PPPoE_interface_name> end`. This issue is also observed on VNE tunnel configurations. |
927475 | SSL VPN tunnel down log message not generated when an IP address is disassociated before the old tunnel times out. |
933985 | FortiGate as SSL VPN client does not work on NP6 and NP6XLite devices. |
Switch Controller
Bug ID | Description |
---|---|
848632 | Upon upgrade, the link to FortiSwitch stays down with QSFP. |
858749 | Redirected traffic should not hit the firewall policy when |
861227 | On the WiFi & Switch Controller > FortiSwitch Ports page, the Device Information column lists the same device multiple times. |
893405 | One discovery one transmit buffer was allocated and was not released on connection terminations. |
894735 | Unable to configure more than one NAC policy using the same EMS tag for different FortiSwitch groups. |
902338 | WiFi & Switch Controller > FortiSwitch Ports page does not show VLANs exported to another tenant VDOM, which results in the VLAN being removed if saved from the GUI. |
904640 | When a FortiSwitch port is reconfigured, the FortiGate may incorrectly retain old detected device data from the port that results in an unexpected number of detected device MACs for the port. Using |
911232 | Security rating shows an incorrect warning for unregistered FortiSwitches on the WiFi & Switch Controller > Managed FortiSwitches. |
920231 | FortiGate loses QoS |
936081 | The |
941673 | FortiSwitch event log displays serial number under name when CAPWAP is up or down. |
System
Bug ID | Description |
---|---|
631046 | |
656138 | GUI shows conflicts error message when configuring a secondary IP address after |
708964 | CPU usage issue is observed caused by reloading the system when the system has |
713951 | Not all ports are coming up after an LAG bounce on 8 × 10 GB LAG with ASR9K. Affected platforms: FG-3960E and FG-3980E. |
820559 | When backing up the configuration to a USB disk, if the file name is the same as specified under System > Settings > Start Up Settings > USB auto-install, an Invalid file name error is displayed. |
821000 | QSFP and QSFP+ Fortinet transceivers are not operational on FG-3401E. |
836748 | FG-100F fails to boot when FortiOS image binary is larger than 94 MB. |
842159 | FortiGate 200F interfaces stop passing traffic after some time. |
845079 | DAC cable support is unstable on the FortiGate 1101E. |
855573 | False alarm of the PSU2 occurs with only one installed. |
862519 | FortiGate 40F-3G4G WWAN connection unstable on Verizon Carrier. |
866437 | CPU usage issue caused by the new Linux kernel. |
867663 | The FEC configuration under the interface is not respected when port23 and port24 are members of an LACP and the connection is 100G. Affected platforms: FGT-340xE, FGT-360xE. |
869044 | If the original packet was forwarded with NAT, generated ICMP error is routed back to SNAT'ed address. |
869113 | If a device is rebooted that has an |
869305 | SNMP multicast counters are not increasing. |
869726 | When an IPsec tunnel is configured with a different VRF than the underlying physical interface, and traffic is offloaded, the session expires even when traffic is flowing through it. |
874292 | |
874603 | Dashboard loads slowly and csfd process has high CPU usage. |
879769 | If the firewall session is in |
881060 | Host TX dropped counter incrementing and connections failing when throughput reaches 40 Gbps. |
884023 | When a user is logged in as a VDOM administrator with restricted access and tries to upload a certificate (System > Certificates), the Create button on the Create Certificate pane is grayed out. |
884970 | Unbalanced throughput on LAG members with LAG enhancement feature enabled. |
885823 | Sensor showing temperature of 0.00 Celsius. |
885837 | Traffic dropped as the matching SessionID is being deleted from session table in 20 seconds. |
887268 | Unable to configure |
891165 | Auto-script causes FortiGate to repeat commands. |
892195 | LAG interface has |
892274 | Daylight saving time is not applied for Cairo time zone. |
893305 | Interface could not be brought up if it was part of a virtual switch. |
894202 | Incorrect temperature calculation appears in sensor list on FG-8xF, FWF-8xF, FG-9xE, FG-10xE, FG-20xE, and FG-14xE. |
894884 | FSTR session ticket zero causes a memory leak. |
895967 | FortiGate 1801F in transparent mode cannot reply to an SNMP query. |
897905 | IPv6 addresses configured on EMAC VLAN interfaces showing FTP flag after upgrade. |
900670 | QSFP/QSFP+ port23/port24 are down after upgrading to 7.0.11 on FG-3401E. |
903049 | |
904414 | Port speed 1000auto could not link up with a Cisco switch. |
904485 | The crashlog might show a Node.JS restarted error, |
904486 | The FortiGate may display a false alarm message and subsequently initiate a reboot. |
906074 | On FortiGate, the WWAN connection is not always stable due to a source IP issue with the VZW. |
906964 | DST changes not reflected for timezone 16. The dates are incorrect on the DST for this specific timezone (Santiago-Chile). |
907339 | dnsproxy process aborts due to stack buffer overflow being detected upon function return. |
909225 | ISP traffic is failing with the LAG interfaces on upstream switches. |
910269 | Unexpected behavior caused by the Linux Out of Memory (OOM) killer when memory is very low. |
910273 | Last reboot reason: power cycle after rebooting due to a kernel panic is misleading. |
910616 | When a non-zero DSCP is copied from ingress to egress packet for NAT64, the IP checksum is calculated incorrectly. |
910677 | Transparent mode FortiGate does not reply to SYN ACK when communicating with FortiManager. |
910700 | Ports are flapping and down on the FortiGate 3980E. |
911396 | High system CPU and multiple daemons enter D state on the FortiGate 4401F. |
913355 | GUI and CLI time mismatch for Central America (Mexico) time zone. |
917029 | DNS does not respond to short name queries. |
919901 | For FIPS-CC mode, the strict check for basic constraints should be removed for end entity certificates. |
920085 | CPU usage issue observed in dnsproxyd caused by unused wildcard FQDN. |
922458 | Administrator with read-only access to management permissions cannot perform a configuration backup in the GUI. |
922920 | When performing |
922965 | CPU usage issue observed in hasync daemon when session count is large. |
922982 | FortiGate does not respond to ARP requests for the IP address on the WAN port when the interface is configured as EMAC. |
923364 | System goes into halt state with |
923834 | The DSL modem on the firewall does not work after the device starts. |
924395 | IPv6 local-in ping6 to management interface failed when newly configured. |
924654 | MAC flapping on switch when UDP packets passthrough VWP multiple times with ASIC offload. |
925657 | After a manual system administrator password change, the updated |
925966 | Running |
926035 | On D-series FortiGates, a false alarm during system integrity check failure causes the firewall to reboot. |
926817 | Review the temperature sensor for the SoC4 system. |
928858 | Traffic over |
929821 | An error condition occurred in httpsd and newcli when trying to generate a TAC report from the GUI and CLI, respectively. |
929904 | When L3 or L4 hashing algorithm is used, traffic is not forwarded over the same aggregate member after being offloaded by NP7. |
930329 | LTE modem is missing after upgrading. |
935562 | NAT port is out of range, causing the PBA index to be out of range. |
937500, 969083 | FortiOS does not accept an installation script from FortiManager when creating an extender-profile with |
937887 | Unable to load SNMP page with SSO Admin. |
939411 | Multiple spawns of hotplug process consuming high CPU resources. |
940571 | Memory usage issue caused by excessive log files. |
942502 | Kernel panic occurs when creating EMAC VLAN interfaces based on an aggregate interface with new kernel 4.1.9. |
User & Authentication
Bug ID | Description |
---|---|
794477 | When a user's membership in AD or port range is changed, all of the user sessions are cleared. |
850473 | SSL VPN and firewall authentication SAML does not work when the application requires SHA-256. |
854114 | Some embedded SSL certificates entered the |
858877 | Dynamic address only has 100 IP addresses while FSSO group lists all 56K ACI endpoints. |
865487 | Fortinet_GUI_Server certificate auto-regenerates every day. |
872814 | The SAML assertion is truncated in samld when the payload size is huge. |
883006 | Adding a new group membership to an FSSO user terminates all the user's open sessions. |
899852 | FortiGate is sending Class(25) AVP with wrong length in RADIUS accounting when using 2FA with PUSH or external tokens. |
900591 | When generating guest users according to the settings in the guest group, the expiration time of guest users will automatically add an extra two hours. |
901743 | An error condition occurs during the processing of the UDP packets when device identification is activated on an interface. |
915192 | Device detection sometimes does not identify the correct IP addresses of devices. |
922345 | CA bundle (CRDB) to support DigiCert second-generation (G2) full CA and intermediate CA chain. |
923164 | EAP proxy daemon may keep reloading after updating the certificate bundle. |
936493 | Fas daemon crashing on FortiGate. |
939517 | On the System > Replacement Messages page, the guest user email template cannot be restored to the default value. |
943087 | After creating a new guest user, the administrator cannot view the user's password in plaintext in the GUI. |
946116 | On a FortiGate managed by FortiManager, when a guest administrator logs in with read-only permissions, the administrator can still create and edit the guest user. |
VM
Bug ID | Description |
---|---|
901920 | AWS external account list supports regional endpoints. |
913696 | In the periodic status check of the OCI VM status, too many API calls caused a lot of 429 errors. |
916027 | Copy of files between a physical server and Windows Server is slow. |
918818 | Traffic drops in FortiGate HA A-A, AutoScale in Azure. |
924689 | FortiGate VMs in an HA cluster deployed on the Hyper-V platform may get into an unresponsive state where multiple services are impacted: GUI management, CLI commands, SSL VPN sessions, DHCP assignment, traffic throughput, and reboot function. |
927323 | Event log alert |
928952 | VPN errors after upgrade: Malformed Packets, AUTHENTICATION_FAILED messages, and INVALID_KE_PAYLOAD. |
933003 | FortiGate-VM KVM with MLX5 not responding to ARP in RHEL environment. |
935086 | VLAN interface is not reachable on FortiGate-VM running on KVM with Mellanox SR-IOV interface. |
VoIP
Bug ID | Description |
---|---|
887384 | SIP session is dropped by ALG with |
Web Application Firewall
Bug ID | Description |
---|---|
939380 | User cannot set the match ALL pattern to deny traffic for the web application firewall profile in the GUI. |
Web Filter
Bug ID | Description |
---|---|
873086 | In a policy-based VDOM, changes are not applied when adding an external threat feed category in the URL Category field. |
887699 | Web filter override expiry date in the GUI may be one hour off if daylight saving time (DST) is observed. |
916140 | An error condition occurs in WAD caused by the mismatch between the SNI host and CNAME. |
WiFi Controller
Bug ID | Description |
---|---|
814541 | When there is an extra large number of managed FortiAP devices (500+) and a large number of WiFi clients (5000+), the Managed FortiAP page and FortiAP Status widget in the GUI can take a long time to load. This issue does not impact FortiAP operation. |
875382 | When accessing the Managed FortiAP/Switch view with a large number of devices in the topology, the page would take a long time to load. |
877609 | RADIUS CoA does not work in some cases. |
891804 | After initial packets, FG-101F stops forwarding wired traffic over FAP-23JF LAN tunneled with a dynamic VLAN VAP. |
904349 | Unable to create FortiAP profile in the GUI for dual-5G mode FortiAP U231F/U431F models. |
905406 | In |
920189 | Intermittent behavior in Hostapd caused by enabling/disabling |
921456 | FAP-431F is deauthenticating clients after roaming when DHCP enforcement is enabled on the SSID, even when the client gets IP from DHCP. |
926676 | Enable DFS channels on wtp-profile for FortiAP 431G and FortiAP 433G in region A/S/N(No-Brazil). |
937826 | An error case occurs in CAPWAP when the SSID interface, which has a VLAN interface over it, is deleted. |
944465 | On the WiFi & Switch Controller > Managed FortiAPs page of a non-management VDOM, the Register button is unavailable in the Device Registration pane. |
945356 | FortiOS fails to get all of the configured MAC ACL entries. |
ZTNA
Bug ID | Description |
---|---|
889994 | After client device information is updated, the session is closed even though all information from the session still matches the policy. |
923804 | ZTNA logs are showing the log message |
Common Vulnerabilities and Exposures
Visit https://fortiguard.com/psirt for more information.
Bug ID | CVE references |
---|---|
854906 | FortiOS 7.2.6 is no longer vulnerable to the following CVE Reference: |
858921 | FortiOS 7.2.6 is no longer vulnerable to the following CVE Reference: |
892775 | FortiOS 7.2.6 is no longer vulnerable to the following CVE Reference: |
911617 | FortiOS 7.2.6 is no longer vulnerable to the following CVE Reference: |
919392 | FortiOS 7.2.6 is no longer vulnerable to the following CVE Reference: |
921606 | FortiOS 7.2.6 is no longer vulnerable to the following CVE Reference: |
943578 | FortiOS 7.2.6 is no longer vulnerable to the following CVE Reference: |