Resolved issues
The following issues have been fixed in version 7.4.0. To inquire about a particular bug, please contact Customer Service & Support.
Anti Spam
Bug ID |
Description |
---|---|
848593 |
After spam mail is detected by the email filter, the X-ASE-REPORT does not insert into the mail header of the spam mail. |
857911 |
The Anti-Spam Block/Allow List Entry dialog page is not showing the proper Type values in the dropdown. |
877613 |
Mark as Reject can be still chosen as an Action in an Anti-Spam Block/Allow List in the GUI. |
Anti Virus
Bug ID |
Description |
---|---|
818092 |
CDR archived files are deleted at random times and not retained. |
845960 |
Flow mode opens port 8008 over the AV profile that does not have HTTP scan enabled. |
849020 |
FortiGate enters conserve mode and the console prints a |
851706 |
Nothing is displayed in the Advanced Threat Protection Statistics dashboard widget. |
863461 |
Scanunit displays unclear warnings when AV package validation fails. |
869398 |
FortiGate sends too many unnecessary requests to FortiSandbox and causes high resource usage. |
879946 |
An incorrect warning is shown for antivirus flow: Setting a proxy profile in a flow policy. Proxy features will not work. |
Application Control
Bug ID |
Description |
---|---|
857632 |
Unable to access some websites when application control with deep inspection is enabled. |
901166 |
Unable to connect to any site when application control is enabled with proxy-based or certificate inspection. |
Data Loss Prevention
Bug ID |
Description |
---|---|
893697 |
DLP is not blocking VME video files. |
DNS Filter
Bug ID |
Description |
---|---|
871854 |
DNS UTM log still presents unknown FortiGuard category even when the DNS proxy received a rating value. |
878674 |
Forward traffic log is generated for allowed DNS traffic if the DNS filter is enabled but the policy is set to log security events only. |
Endpoint Control
Bug ID |
Description |
---|---|
861316 |
A system object tagging entry is hindering the FortiGate's ability to process ZTNA tags. |
Explicit Proxy
Bug ID |
Description |
---|---|
849794 |
Random websites are not accessible after upgrading when using a proxy policy. |
865135 |
Multipart boundary parsing failed with CRLF before the end of boundary 1. |
865828 |
The |
875736 |
The
|
878713 |
The hit count and bytes of the implicit deny rule do not increase on the proxy policy. |
880361 |
Transparent web proxy policy has no match if the source or destination interface is the same and member of SD-WAN. |
882867 |
Proxy policy match resolves IP to multiple internet service application IDs. |
888078 |
Enabling |
901239 |
Unexpected behavior in WAD caused by deploying virtual servers in non-server pool mode. |
901614 |
Firewall schedule does not work as expected with a proxy policy. |
901627 |
Explicit proxy and SD-WAN fail to match a policy if the destination has multiple zones set. |
Firewall
Bug ID |
Description |
---|---|
719311 |
On the Policy & Objects > Firewall Policy page in 6.4.0 onwards, the IPv4 and IPv6 policy tables are combined but the custom section name (global label) is not automatically checked for duplicates. If there is a duplicate custom section name, the policy list may show empty for that section. This is a display issue only and does not impact policy traffic. |
770541 |
Within the Policy & Objects menu, the firewall, DoS, and traffic shaping policy pages take around five seconds to load when the FortiGate cannot reach the FortiGuard DNS servers. |
804603 |
An httpsd signal 6 crash occurs due to |
816493 |
The |
835413 |
Inaccurate sFlow interface data reported to PRTG after upgrading to 7.0. |
838535 |
Support matching by destination port when matching a central NAT rule if the protocols are TCP, UDP, or SCTP. |
848058 |
NPD failed to parse zone in the source interface of a DoS/ACL policy and failed to offload. |
850175 |
When the UTM is enabled, NP7 NTurbo is not set properly, which causes the shaper to not guarantee the SIP traffic based on the class ID. |
851212 |
After traffic flow changes to FGSP peer from owner, iprope information for synchronized sessions does not update on the peer side. |
854107 |
NGFW VDOM incorrectly includes all interfaces belonging to the root VDOM on interface and policy related GUI pages. |
856187 |
Explicit FTPS stops working with IP pool after upgrading. |
860480 |
FG-3000D cluster kernel panic occurs when upgrading from 7.0.5 to 7.0.6 and later. |
861990 |
Increased CPU usage in softirq after upgrading from 7.0.5 to 7.0.6. |
864612 |
When the service protocol is an IP with no specific port, it is skipped to be cached and causes a |
865661 |
Standard and full ISDB sizes are not configurable on FG-101F. |
872744 |
Packets are not matching the existing session in transparent mode. |
875309 |
Support port block allocation (PBA) IP pools for NAT64 traffic. |
875565 |
The policy or other cache lists are sometimes not freed in time. This may cause unexpected policies to be stored in the cache list. |
879225 |
Egress interface intermittently cannot be matched for wake-on-LAN (broadcast) packets. |
879705 |
Traffic issues occur with virtual servers after upgrading. |
881572 |
Columns for NPU sessions are missing on the FortiView Sessions monitor page. |
884578 |
Unexpected behavior in WAD caused by enabling HTTP/2 while using virtual servers. |
884908 |
Implicit deny policy is allowing |
888957 |
The one-time schedule pre-expiration event log button is always set to disable. |
895962 |
Intermittent behavior in WAD during SSL renegotiation while using virtual servers. |
927009 |
When running tests with SNAT PBA source and destination IP addresses, octets are shown in reverse order. |
FortiGate 6000 and 7000 platforms
Bug ID |
Description |
---|---|
838036 |
Merge FortiGate 6000 and 7000 series platforms. |
898191 |
Support SLBC integrated memory and disk logging in the new local logd framework. |
FortiView
Bug ID |
Description |
---|---|
798427 |
The FortiSandbox PDF report query should be changed to on-demand. |
838652 |
The FortiView Sessions monitor displays VDOM sessions from other VDOMs. |
892798 |
Memory and CPU usage issues caused by malformed method header while using virtual servers. |
GUI
Bug ID |
Description |
---|---|
440197 |
On the System > FortiGuard page, the override FortiGuard server for AntiVirus & IPS Updates shows an Unknown status, even if the server is working correctly. This is a display issue only; the override feature is working properly. |
535794 |
Policy page should show new name/content for firewall objects after editing them from the tooltip. |
677806 |
On the Network > Interfaces page when VDOM mode is enabled, the Global view incorrectly shows the status of IPsec tunnel interfaces from non-management VDOMs as up. The VDOM view shows the correct status. |
685431 |
On the Policy & Objects > Firewall Policy page, the policy list can take around 30 seconds or more to load when there is a large number (over 20 thousand) of policies. |
699508 |
When an administrator ends a session by closing the browser, the administrator timeout event is not logged until the next time the administrator logs in. |
722358 |
When a FortiGate local administrator is assigned to more than two VDOMs and tries logging in to the GUI console, they get a command parse error when entering VDOM configuration mode. |
753328 |
Incorrect shortcut name shown on the Network > SD-WAN > Performance SLAs page. |
791367 |
Users should be able to perform a sniffer on a VWP member in the GUI. |
821030 |
Security Fabric root FortiGate is unable to resolve firewall object conflicts in the GUI. |
821734 |
Log & Report > Forward Traffic logs do not show the Policy ID if there is no Policy Name. |
822991 |
On the Log & Report > Forward Traffic page, using the filter Result : Deny(all) does not work as expected. |
827893 |
Security rating test for FortiCare Support fails when connected to FortiManager Cloud or FortiAnalyzer Cloud. |
829736 |
Incorrect information is being displayed for the HA role on the System > HA page. |
829773 |
Unable to load the Network > SD-WAN > SD-WAN Rules table sometimes due to a JavaScript error. |
837048 |
Unable to delete the LAN interface's addresses without switching it back to a non-LAN role. |
842079 |
On the System > HA page, a Failed to retrieve info caution message appears when hovering over the secondary unit's Hostname. The same issue is observed on the Dashboard > Status > Security Fabric widget. |
848083 |
On the System > FortiGuard page, the license table shows expiry notifications for FortiGuard entitlements, which are hidden by the GUI's Feature Visibility. |
853414 |
Policy and dashboard widgets do not load when the FortiGate manages a FortiSwitch with tenant ports (exported from root to other VDOM). |
854529 |
The local standalone mode in a VAP configuration is disabled when viewing or updating its settings in the GUI. |
857464 |
The CPU and Sessions widgets report the current numbers at the wrong places for most time periods. |
861466 |
The Active Administrator Sessions widget shows the incorrect interface when accessing the firewall through the GUI. |
862474 |
IPsec tunnel interface Bandwidth widget inbound is zero and outbound value is lower than the binding interface. |
865956 |
On the Network > Policy Routes page, entries cannot be copied and pasted above or below. |
866790 |
System > Firmware & Registration menu is not visible for administrator accounts without read-write permissions for the |
867588 |
FortiCare Reseller dropdown name option needs correcting. |
867802 |
GUI always displays Access denied error after logging in. |
869138 |
Unable to select addresses in FortiView monitors. |
869828 |
An httpsd crash occurs when the GUI fails to get the disk log settings from the FortiGate. |
870675 |
CLI console in GUI reports Connection lost. when the administrator has more than 100 VDOMs assigned. |
872063 |
The VLAN ID cannot be changed in the GUI. |
874502 |
An access privilege prompt is not displayed when logging in to the GUI of a FortiGate managed by a FortiManager with |
880292 |
Global administrator backup configuration for specific VDOM contains configurations associated with only the root VDOM. |
881678 |
On the Network > Routing Objects page, editing a prefix list with a large number of rule entries fails with an error notification that The integer value is not within valid range. |
889647 |
CLI console disconnects and has |
890531 |
Node.JS boots earlier than autod, which leads to a Node.JS crash. |
890683 |
The GUI is exposed on port 80 on the interfaces defined in the ACME settings, even if administrative access is disabled on the interface. |
891895 |
When remotely accessing the FortiGate from FortiGate Cloud, the web GUI console displays |
893286 |
On the Dashboard > Status page, the CPU, Memory, and Sessions widgets always show zero data. |
HA
Bug ID |
Description |
---|---|
662978 |
Long lasting sessions are expired on HA secondary device with a 10G interface. |
816904 |
DCE/RPC traffic is dropped when no session matches with the FGSP cluster and asynchronous traffic. |
825680 |
TACACS authentication to secondary FortiGate fails when HA group ID is changed on a FortiGate cluster. |
826790 |
DHCP over IPsec is not working in an FGSP cluster. |
830538 |
FGCP FortiGates go out-of-sync when the certificates used for IPsec are updated using SCEP. |
830879 |
Running |
843837 |
HA A-P virtual cluster information is not correctly presented in the GUI and CLI. |
852308 |
New factory reset box failed to synchronize with primary, which was upgraded from 7.0. |
856004 |
Telnet connection running ping fails during FGSP failover for virtual wire pair with VLAN traffic. |
856643 |
FG-500E interface stops sending IPv6 RAs after upgrading from 7.0.5 to 7.0.7. |
859242 |
Unable to synchronize IPsec SA between FGCP members after upgrading. |
860497 |
Output of |
861827 |
FortiGate uses dedicated management interface to connect to 154.52.29.102 (productapi.fortinet.com) even though |
864226 |
FG-2600F kernel panic occurs after a failover on both members of the cluster. |
866296 |
The HBDEV status is displayed as |
868622 |
The session is not synchronized after HA failover by detecting monitored interface as down. |
869557 |
Upgrading or re-uploading an image to the HA secondary node causes the OS to be |
870312 |
On a FortiGate HA cluster, both primary and secondary units are displayed as the Primary on the GUI top banner, and as |
870367 |
FGCP A-P devices get out of HA synchronization periodically due to FortiTokens being added and deleted. |
871636 |
HA configuration synchronization packets (Ethertype 0x8893) are dropped when going through VXLAN. |
872431 |
Primary FortiGate synchronizes the changing HA command to the secondary. |
873028 |
In HA A-A mode, authenticated users experience intermittent drops and disconnections. |
873561 |
Several session counts of primary unit do not match. |
874397 |
When re-enabling |
874823 |
FGSP |
875984 |
FortiGate goes out-of-sync after changing parameters of VDOM link interfaces. |
876178 |
hasync crashing with signal 6 after upgrading to 7.2.3 from 7.0.7. |
878173 |
When downloading the speed test server list, the HA cluster gets and stays out-of-sync. |
880786 |
Running |
881337 |
Adding a VLAN interface on any VDOM causes BGP flapping and VIP connectivity issues on VDOMs in vcluster2. |
881847 |
HA interfaces flapping on FG-3401E. |
882354 |
When WAN extension redundant mode is configured in HA, the HA becomes out-of-sync after a redundant switch. |
883546 |
In HA, sending a lot of CLI configurations causes the creation of a VDOM on the secondary unit. |
885245 |
Unexpected failover occurs due to uptime, even if the uptime difference is less than the |
885844 |
HA shows as being out-of-sync after upgrading due to a checksum mismatch for |
888110 |
Unable to set the interface configured as an SD-WAN member to |
896608 |
HA cluster became out-of-sync after enabling a password policy and logging on to FortiGate. |
897865 |
When NP7 platforms enable the GTP enhanced mode it does not use uninterruptible upgrade. |
Hyperscale
Bug ID |
Description |
---|---|
771857 |
Firewall virtual IP (VIP) features that are not supported by hyperscale firewall policies are no longer visible from the CLI or GUI when configuring firewall VIPs in a hyperscale firewall VDOM. |
837270 |
Allowing intra-zone traffic is now supported in hyperscale firewall VDOMs. Options to block or allow intra-zone traffic are available in the GUI and CLI. |
841712 |
On FortiGates licensed for hyperscale firewall features, the |
843305 |
Get |
877696 |
Get KTRIE invalid node related error and kernel panic on standby after adding a second device into A-P mode HA cluster. |
Intrusion Prevention
Bug ID |
Description |
---|---|
696811 |
|
842073 |
Improvements to IPS engine to optimize CPU usage when a decrypted traffic mirror profile is applied to policies in flow mode. |
842523 |
IPv6 with hardware offloading and IPS drops traffic ( |
845944 |
Firewall policy change causes high CPU spike with IPS engine. |
872137 |
Unable to pass traffic when using GRE over IPsec (IPsec in transport mode). |
873975 |
Source MAC changes and the packet drops due to both sides of the session using the same source MAC address. |
881549 |
Memory leak was detected due to IPS engine restart. |
883600 |
Under |
891497 |
IPS configuration script crashes sometimes when a VDOM is deleted. |
IPsec VPN
Bug ID |
Description |
---|---|
699973 |
IPsec aggregate shows down status on Interfaces, Firewall Policy, and Static Routes configuration pages. |
726326 |
IPsec server with NP offloading drops packets with an invalid SPI during rekey. |
788751 |
IPsec VPN Interface shows incorrect TX/RX counter. |
797342 |
Users cannot define an MTU value for the aggregate VPN. |
798045 |
FortiGate is unable to install SA ( |
803010 |
The |
812229 |
ASCII-encoded byte code of remote gateway IP is displayed in the GUI and CLI when a VPN tunnel is formed using IKEv1 or v2 if the |
828933 |
iked signal 11 crash occurs once when running a VPN test script. |
842571 |
If |
848014 |
ESP tunnel traffic hopping from VRF. |
852868 |
Issues with synchronization of the route information (using |
855705 |
NAT detection in shortcut tunnel sometimes goes wrong. |
855772 |
FortiGate IPsec tunnel role could be incorrect after rebooting or upgrading, and causes negotiation to be stuck when it comes up. |
858681 |
When upgrading from 6.4.9 to 7.0.6 or 7.0.8, the traffic is not working between the spokes on the ADVPN environment. |
858697 |
Native IPsec iOS authentication failure using LDAP account with two-factor authentication. |
858715 |
IPsec phase 2 fails when both HA cluster members reboot at the same time. |
861195 |
In IPsec VPN, the fnbamd process crashes when the password and one-time password are entered in the same Password field of the VPN client. |
869166 |
IPsec tunnel does not come up after upgrading the firmware on the branch FortiGate (FG-61E). |
873097 |
Phase 2 not initiating the rekey at soft limit timeout on new kernel platforms. |
876795 |
RADIUS server will reject new authentication if a previous session is missing ACCT-STOP to terminate the session, which causes the VPN connection to fail. |
882483 |
ADVPN spoke does not delete the BGP route entry to another spoke over IPsec when the IPsec VPN tunnel is down. |
884921 |
Proxy DHCP is not following RFC 2132 for option 61. |
885333 |
Forwarded broadcast traffic on ADVPN shortcut tunnel interface is dropped. |
885818 |
If a tunnel in an IPsec aggregate is down but its DPD link is on, the IPsec aggregate interface may still forward traffic to a down tunnel causing traffic to drop. |
887800 |
In an L2TP configuration, |
889602 |
ADVPN hub is not advertising additional paths by specific tunnels. |
891462 |
The Peer ID field in the IPsec widget should not show a warning message that Two-factor authentication is not enabled. |
892699 |
In an HA cluster, static routes via the IPsec tunnel interface are not inactive in the routing table when the tunnel is down. |
916260 |
The IPsec VPN tunnel list can take more than 10 seconds to load if the FortiGate has a large number of tunnels, interfaces, policies, and addresses. This is a GUI display issue and does not impact tunnel operation. |
Log & Report
Bug ID |
Description |
---|---|
714470 |
The |
755632 |
Unable to view or download generated reports in the GUI if the report layout is custom. |
816616 |
GUI logging issue for automation script that performs a backup to an external FTP server. |
823183 |
FortiGates are showing Logs Queued in the GUI after a FortiAnalyzer reboot, even though the queued logs were actually all uploaded to FortiAnalyzer and cleared when the connection restores. |
825318 |
Archived Data tab is missing from intrusion prevention and application control log Details pane once |
828211 |
Policy ID filter is not working as expected. |
829862 |
On the Log & Report > ZTNA Traffic page, the client's Device ID is shown as [object Object]. The Log Details pane shows the correct ID information. |
836846 |
Packet captured by firewall policy cannot be downloaded. |
838357 |
A deny policy with log traffic disabled is generating logs. |
839601 |
When log pages are scrolled down, no logs are displayed after 500 lines of logs. |
854604 |
Logs are outputted, even if |
856670 |
Forward traffic log does not contain |
857573 |
Log filter with negation of destination IP displays all logs. |
858304 |
When FortiGate Cloud logging is enabled, the option to display 7 days of logs is not visible on the Dashboard > FortiView pages. |
858589 |
Unable to download more than 500 logs from the FortiGate GUI. |
860141 |
Syslog did not update the time after daylight saving time (DST) adjustment. |
860264 |
The miglogd process may send empty logs to other logging devices. |
860459 |
Unable to back up logs (FG-201E). |
860487 |
Incorrect time and time zone appear in the forward traffic log when |
861567 |
In A-P mode, when the link monitor fails, the event log displays a description of |
861893 |
In Forward Traffic logs, the Policy ID column is blank. |
863548 |
When searching old logs on the Log & Report > Forward Traffic page and then navigating to another page, the |
864111 |
An internal error occurs on the FortiCloud Report page when a Japanese report name is too long. |
864219 |
A miglogd crash occurs when creating a dynamic interface cache on an ADVPN environment. |
869073 |
A syslogd signal 11 crash occurs once while running VPN scripts. |
871142 |
SAML SSO administrator login with post-login banner enabled does not have a login event. |
872181 |
On the Log & Report > Log Settings > Local Logs page, the Local reports and Historical FortiView settings cannot be enabled. |
872326 |
FortiGate cannot retrieve logs from FortiAnalyzer Cloud. Results are shown rarely. |
873987 |
High memory usage from miglogd processes even without traffic. |
874026 |
Caching a large number of service port entries causes high log daemon memory usage. |
879228 |
FortiAnalyzer override settings are not taking effect when |
893199 |
The FortiGate does not generate deallocate/allocate logs of the first IP pool when the first IP pool has been exhausted. |
901545 |
FG-40F and FWF-61F halt after upgrading. |
918571 |
The log_se process resource utilization is causing a network outage. |
Proxy
Bug ID |
Description |
---|---|
707827 |
The video filter does not display the proper replacement message when the user redirects to a blocked video from the YouTube homepage or video recommendation list. |
727629, 901296 |
An error case occurs in WAD while handling the HTTP requests for an explicit proxy policy. |
746587 |
Error condition in WAD occurs during traffic scans in proxy mode. |
766158 |
Video filter FortiGuard category takes precedence over allowed channel ID exception in the same category. |
781613 |
Intermittent traffic disruption caused by race condition in WAD. |
818371 |
An error condition occurs in WAD while parsing certain URIs. |
823078 |
Improvements to WAD to optimize CPU usage when using user groups. |
825977 |
An error condition occurs in WAD during an AV scan submission. |
828917 |
Unexpected behavior in WAD when there are multiple LDAP servers configured on the FortiGate. |
834387 |
In a firewall proxy policy, the SD-WAN zone assigned to interface is not checked. |
835745 |
An error condition occurs in WAD when the |
837095 |
WAD daemon runs high with many child processes and is not coming down after configuring 250 CGN VDOMs. |
850426 |
POP3 proxy is unable to extract the username if |
853864 |
FortiGate out-of-band certificate check issue occurs in a proxy mode policy with SSL inspection. |
854511 |
Unable to make API calls using Postman Runtime script after upgrading to 7.2.0. |
855853 |
Improvements to WAD to optimize CPU usage when using user groups. |
855882 |
Improvements to WAD to resolve a memory usage issue when user-info updates the FortiAP information. |
856235 |
The WAD process memory usage gradually increases over a few days, causing the FortiGate to enter into conserve mode. |
857368 |
WAD crashed while parsing a Huffman-encoded HTTP header. |
858148 |
Memory usage issue caused by the WAD |
870151 |
Memory usage issue occurs on the WAD worker in a specific scenario. |
870554 |
An error condition occurs in WAD when the |
874563 |
User information attributes can cause disruption when they are not properly merged. |
880712 |
An error condition occurs in WAD due to an improper NULL check. |
882182 |
Unexpected behavior in WAD due to the activation of firewall protocol options, with both client and server comfort features enabled. |
885674 |
Unable to send logs from FortiClient to FortiAnalyzer when deep inspection is enabled on firewall policy. |
886284 |
An error condition occurs in WAD when a task is queued in the dev-vuln daemon and the user-info daemon restarts. |
898016 |
Kerberos authentication stops working after upgrading to 7.2.3. |
REST API
Bug ID |
Description |
---|---|
849273 |
|
864393 |
High CPU usage of httpsd on FG-3600E HA system. |
868265 |
The active sessions count for a specific policy displayed in the FortiView Sessions monitor (Active Sessions column), on the Firewall Policy page, and in the results of |
891135 |
In the FortiOS API, policies with a large number of service objects drop objects without an error. |
892237 |
Updating the HA monitor interface using the REST API PUT request fails and returns a -37 error. |
Remote Access
Bug ID |
Description |
---|---|
837391 |
FortiClient does not send the public IP address for SAML, resulting in 0.0.0.0 being shown in FortiOS and SASE. |
Routing
Bug ID |
Description |
---|---|
708904 |
|
724468 |
Router policy destination address does not take effect when |
821149 |
Early packet drop occurs when running UTM traffic on virtual switch interface. |
827565 |
Using |
839784 |
DHCP relay packets are not being sent out of WWAN interface. |
848310 |
IPsec traffic sourced from a loopback interface does not follow the policy route or SD-WAN rules. |
850778 |
Spoke-to-spoke communication randomly breaks. The BGP route to reach the spoke subnet points to the main ADVPN tunnel instead of the shortcut tunnel. |
850862 |
When creating a new rule on the Network > Routing Objects page, the user cannot create a route map with a rule that has multiple similar or different AS paths in the GUI. |
852498 |
BGP packets are marked with DSCP CS0 instead of CS6. |
852525 |
When enabled, FEC is not effectively reducing packet loss when behind NAT. |
858248 |
OSPF summary address for route redistribution from static route via IPsec VPN always persists. |
858299 |
Redistributed BGP routes to the OSPF change its forward address to the tunnel ID. |
859135 |
Disabling the VDSL interface caused packet drops afterwards on another interface. |
860075 |
Traffic session is processed by a different SD-WAN rule and randomly times out. |
862165 |
FortiGate does not add the route in the routing table when it changes for SD-WAN members. |
862418 |
Application VWL crash occurs after FortiManager configuration push causes an SD-WAN related outage. |
862573 |
SD-WAN GUI does not load, and the lnkmtd process crashes frequently. |
863318 |
Application forticron signal 11 (Segmentation fault) received. |
863833 |
BGP stuck in active state due to collisions when BGP neighborship is done over VDOM link. |
865914 |
When BSM carries multiple CRPs, PIM might use the incorrect prefix to update the mroute's RP information. |
867196 |
SD-WAN and IP pool setting are not working as expected when one SD-WAN member link is down. |
870983 |
Unable to set |
870990 |
Routing advertised by directly connected EBGP peer is not installed ( |
874677 |
Sometimes an IPv6 single-hop BFD neighbor fails to come up after a system reboot. |
875177 |
TCP/HTTP health check does not work as expected for virtual servers in active-standby mode. |
875668 |
SD-WAN SLA log information has incorrect inbound and outbound bandwidth values. |
880390 |
When |
881306 |
SD-WAN member shows as selected, even if the interface is down or underlying transport is down. |
883918 |
Delay in joining |
884298 |
Sandbox traffic does not follow SD-WAN rules. |
884372 |
All BGP routes in dual ADVPN redundant configuration are not getting updated to the correct WAN interface post-rollback to WAN failover. |
890379 |
After upgrading, SD-WAN is unable to fail over the traffic when one interface is down. |
893603 |
GUI does not show gateway IP on the routing table page if VDOM mode is transparent. |
896065 |
ISIS cannot establish the neighborship to peers, and all peers are in INIT states. |
897940 |
Link monitor's probe timeout value range is not appropriate when the user decreases the minimum interval. |
898549 |
IPv6 route to SLA IPv6 target is lost after disabling and enabling the physical interface. |
Security Fabric
Bug ID |
Description |
---|---|
809106 |
Security Fabric widget and Fabric Connectors page do not identify FortiGates properly in HA. |
819192 |
After adding a Fabric device widget, the device widget does not appear in the dashboard. |
825291 |
Security rating test for FortiAnalyzer fails when connected to FortiAnalyzer Cloud. |
831311 |
When using automation email action to reference the result of a previously executed automation CLI script action, there is a 16 KB size limit for the script output. |
832015 |
Root FortiGate cannot finish the security rating with a large Fabric topology (more than 25 to 30 devices) because the REST API is not limited to the local network. |
844412 |
When a custom LLDP profile has |
848822 |
The FortiAP Firmware Versions and FortiSwitch Firmware Versions security rating tests fail because the firmware version on the FortiAPs and FortiSwitches is not recognized correctly. |
851656 |
Sessions with |
852340 |
Various places in the GUI do not show the secondary HA device. |
862532 |
Unable to load topology pages for a specific Security Fabric topology on the root and downstream FortiGates. |
867313 |
Error triggering automation stitch message appears when the license expiry notification type is FortiGuard Web Filter. |
868701 |
In a simple cluster, the primary unit failed to upgrade to 7.2.3. |
870527 |
FortiGate cannot display more than 500 VMs in a GCP dynamic address. |
875100 |
Unable to remove external resource in a certain VDOM when the external resource has no reference in that VDOM. |
880011 |
When the Security Fabric is enabled and
These features still work for the root FortiGate's GUI. |
885810 |
The gcpd daemon constantly crashes (signal 11 segmentation fault). |
887967 |
Fabric crashes when synchronizing objects with names longer than 64 characters. |
SSL VPN
Bug ID |
Description |
---|---|
631809 |
Configuring thousands of |
710657 |
The |
746440 |
When sending the SSL VPN settings email (VPN > SSL-VPN Settings > Send SSL-VPN Configuration), the Email template only includes a hyperlink to the configuration, which is not supported by Gmail and Fortinet email. |
767086 |
Customer's internal website does not load properly in SSL VPN web mode. |
787768 |
The |
808107 |
FortiGate is not sending the Accounting-Request packet that contains the Interim-Update AVP when two-factor authentication is assigned to a user (defined on the FortiGate) while connecting using SSL VPN. |
810239 |
Unable to view PDF files in SSL VPN web mode. |
819754 |
Multiple DNS suffixes cannot be set for the SSL VPN portal. |
822657 |
Internal resource pages and menus are not showing correctly in SSL VPN web mode. |
828194 |
SSL VPN stops passing traffic after some time. |
839261 |
On the VPN > SSL-VPN Settings page, when the This is cosmetic and does not affect the FortiGate functionality or operation. The |
850898 |
OS checklist for the SSL VPN in FortiOS does not include macOS Ventura (13). |
852652 |
macOS clients bypass the host check policy. |
854615 |
Internal web interface is not working using web mode. The page is not loading properly. |
854642 |
Internal website with JavaScript is proxying some functions in SSL VPN web mode, which breaks them. |
856194 |
Problem loading some graphs through SSL VPN web mode after upgrading. |
856554 |
SSL VPN web mode top-right dropdown button (user profile menu) does not work. |
858478 |
SSL VPN DTLS tunnel is unavailable after changing the SSL VPN listening port. |
859088 |
FortiGate adds extra parenthesis and causes clicking all links to fail in SSL VPN web mode. |
859115 |
SSL VPN bookmark not accessible. |
863860 |
RDP over SSL VPN web mode to a Windows Server changes the time zone to GMT. |
864096 |
EcoStruxure Building Operations 2022 does not render using SSL VPN bookmark. |
864417 |
In the second authentication of RADIUS two-factor authentication, the |
867182 |
RDP/VNC host name is not encrypted when URL obscuration is enabled. |
868491 |
SSL VPN web mode connection to VMware vCenter 7 is not working. |
870061 |
Kernel does not delete original route after address assigned to the client changes. |
871039 |
Internal website is not displaying user-uploaded PDF files when visited through SSL VPN web mode. |
871048 |
RDP over VPN SSL web mode stops working after upgrading. |
871229 |
SSL VPN web mode does not load when connecting to customer's internal site. |
872577 |
SSL VPN crashes are generating random disconnections (FG-5001E). |
872745 |
SSL VPN web mode to RDP broker leads to connection being closed. |
873313 |
SSL VPN policy is ignored if no user or user group is set and the FSSO group is set. |
873516 |
FortiGate misses the closing parenthesis when running the function to rewrite the URL. |
873995 |
Problem with the internal website using SSL VPN web mode. |
875167 |
Webpage opened in SSL VPN web portal is not displayed correctly. |
877124 |
RDP freezes in web mode with high CPU usage of SSL VPN process. |
880791 |
Internal website access issue with SSL VPN web portal. |
881220 |
Found bad login for SSL VPN web-based access when enabling URL obscuration. |
884051 |
Unable to access the Grafana tool using SSL VPN web mode (bookmark). |
884860 |
SSL VPN tunnel mode gets disconnected when SSL VPN web mode is disconnected by |
886989 |
SSL VPN process reaches 99% CPU usage when HTTP back-end server resets the connection in the middle of a post request. |
888149 |
When |
889392 |
SSL VPN is adding extra JS code blocking access to a website. |
890876 |
One of the speed-connect website JavaScript files has trouble with host process. |
891830 |
Internal website with JavaScript lacks some menus when using SSL VPN web mode. |
894704 |
FortiOS check would block iOS and Android mobile devices from connecting to the SSL VPN tunnel. |
896007 |
Specific SAP feature is not working with SSL VPN web mode. |
896343 |
SSL VPN web mode is not working as expected for customer's web server. |
898889 |
The internal website does not load completely with SSL VPN web mode. |
Switch Controller
Bug ID |
Description |
---|---|
730472 |
FortiSwitch enabled VLANs with VLAN and proxy ARP access have large latencies on initial ARP resolutions. |
762615, 765283 |
FortiSwitches managed by FortiGate go offline intermittently and require a FortiGate reboot to recover. |
769722 |
Support FortiLink to recognize a FortiSwitch based on its name and not just by serial number. |
857778 |
Switch controller managed switch port configuration changes do not take effect on the FortiSwitch. |
858113 |
On the WiFi & Switch Controller > Managed FortiSwitches page, when an administrator with restricted access permissions is logged in, the Diagnostics and Tools page for a FortiSwitch cannot be accessed. |
858749 |
Redirected traffic should not hit the firewall policy when |
870083 |
FortiLink interface should not permit changes of the |
876021 |
FortiLink virtually managed switch port status is not getting pushed after the FortiGate reboots. |
886887 |
When a MAC VLAN appears on the same MCLAG trunk, continuous event logs are received on FortiGate and FortiAnalyzer. |
894735 |
Unable to configure more than one NAC policy using the same EMS tag for different FortiSwitch groups. |
System
Bug ID |
Description |
---|---|
550701 |
Inadvertent traffic disruption caused by WAD due to deadlock. |
631046 |
|
649729 |
HA synchronization packets are hashed to a single queue when |
666664 |
Interface belonging to other VDOMs should be removed from interface list when configuring a GENEVE interface. |
700621 |
The forticron daemon is constantly being restarted. |
709679 |
Get |
729912 |
DNS proxy does not transfer the DNS query for IPv6 neighbor discovery (ND) when client devices are using random MAC addresses, so one device can configure many IPv6 addresses. |
748496 |
Wrong IP displayed in GUI widget if FortiGuard anycast AWS is used. |
754970 |
HPE does not enforce a limit on fragmented packets sent to the CPU when ip-reassembly is enabled. |
763739 |
On FG-200F, the Outbound bandwidth in the Bandwidth widget does not match outbandwidth setting. |
776646 |
On the Network > Interfaces page, configuring a delegated interface to obtain the IPv6 prefix from an upstream DHCPv6 server fails with an error notification (CLI internal error). |
790595 |
Improve dnsproxy process memory management. |
799570 |
High memory usage occurs on FG-200F. |
805122 |
In FIPS-CC mode, if |
810879 |
DoS policy ID cannot be moved in GUI and CLI when multiple DoS policies are enabled. |
813607 |
LACP interfaces are flapping after upgrading to 6.4.9. |
815937 |
FCLF8522P2BTLFTN transceiver is not working after upgrade. |
820268 |
VIP traffic access to the EMAC VLAN interface uses incorrect MAC address on NP7 platform. |
822333 |
The tab title does not show the server address when accessing RDP/VNC using SSL VPN web mode. |
826490 |
NP7 platforms may reboot unexpectedly when unable to handle kernel null pointer de-reference. |
831466 |
A cmdbsvr crash is observed on the FortiGate. |
838933 |
DoS anomaly has incorrect threshold after loading a modified configuration file. |
840960 |
When kernel debug level is set to |
845736 |
After rebooting the FortiGate, the MTU value on the VXLAN interface was changed. |
846399 |
Add 100G speed option for FG-180xF for ports 37, 38, 39, and 40. Upon firmware upgrade, existing port speed configurations are preserved. |
847314 |
NP7 platforms may encounter random kernel crash after reboot or factory reset. |
850683 |
Console keeps displaying |
850688 |
FG-20xF system halts if setting |
853144 |
Network device kernel null pointer is causing a kernel crash. |
853794 |
Issue with the |
853811 |
Fortinet 10 GB transceiver LACP flapping when shut/no shut was performed on the interface from the switch side. |
855573 |
False alarm of the PSU2 occurs with only one installed. |
855775 |
Time zone for Kyiv, Ukraine is missing. |
859717 |
The FortiGate is only offering the |
859795 |
High CPU utilization occurs when relay is enabled on VLAN, and this prevents users from getting an IP from DHCP. |
861144 |
|
861661 |
SNMP OID 1.3.6.1.2.1.4.32 ipAddressPrefixTable is not available. |
862941 |
GUI displays a blank page if |
865770 |
RX and TX counters are incorrect on inter-VDOM link configured with VLANs. |
865966 |
DHCP lease list CLI format gets misaligned when the data is over 15 characters long. |
867428 |
Add check to skip invalid names when creating a VDOM. |
867435 |
FG-400E-BP has crash at |
867978 |
Subnet overlap error occurs when configuring the same IPv4 link-local addresses on two different interfaces. |
868225 |
After a cold reboot (such as a power outage), traffic interfaces may not come up with a possible loss of VLAN configurations. |
868821 |
|
869044 |
If the original packet was forwarded with NAT, generated ICMP error is routed back to SNAT'ed address. |
869113 |
If a device is rebooted that has an |
869305 |
SNMP multicast counters are not increasing. |
869599 |
Forticron memory is leaking. |
870381 |
Memory corruption or incorrect memory access when processing a bad WQE. |
872739 |
The fgfmsd process crashes since updating to 6.4.11. |
874292 |
|
874603 |
Dashboard loads slowly and csfd process has high CPU usage. |
875868 |
HQIP test fails on FG-2201E. |
876403 |
ACME auto-renewal is not performed after HA failover. |
876853 |
No output of |
877039 |
On the Network > BGP page, creating or editing a table entry increases memory consumption of the FortiGate to 99%. |
877154 |
FortiGate with new kernel crashes when starting debug flow. |
877240 |
Get |
878400 |
When traffic is offloaded to an NP7 source MAC, the packets sent from the EMAC VLAN interface are not correct. |
879131 |
Unsetting the port 8888 setting in |
880290 |
NP7 is not configured properly when the ULL ports are added to LAG interface, which causes accounting on the LAG to not work. |
881094 |
FG-3501F NP7 is dropping all traffic after it is offloaded. |
882089 |
Unable to use ping and SSH when vne.root is not configured in local-in-policy. |
883071 |
Kernel panic occurs due to null pointer dereference. |
884970 |
Unbalanced throughput on LAG members with LAG enhancement feature enabled. |
885189 |
Control the server host key algorithm in the CLI. |
887268 |
Unable to configure |
887772 |
CPU usage issue in WAD caused by checking authentication group member information. |
888941 |
Some sessions are still reported as offloaded when |
889634 |
Unable to configure IPv6 setting on system interface (FWF-81F-2R-POE). |
891165 |
Auto-script causes FortiGate to repeat commands. |
891841 |
Unable to handle kernel NULL pointer dereference at |
892195 |
LAG interface has |
892274 |
Daylight saving time is not applied for Cairo time zone. |
892478 |
Interface release from cmdb and iprope keep updating when DHCP client renewal fails. |
894884 |
FSTR session ticket zero causes a memory leak. |
895972 |
FortiGate as L2TP client is not working after upgrading to 7.2.4. |
897521 |
|
899884 |
FG-3000F reboots unexpectedly with NULL pointer dereference. |
901721 |
In a certain edge case, traffic directed towards a VLAN interface could trigger a kernel panic. |
958437 |
An error message is shown when attempting to create a FortiExtender WAN extension interface. |
Upgrade
Bug ID |
Description |
---|---|
850691 |
The |
883305 |
SSH public keys are lost after upgrading from Beta 1 to latest interim build, and they can no longer be configured. |
892647 |
Static route configurations were lost when upgrading from 7.0.7 to 7.2.3. |
900761 |
FG-601E crashes randomly after upgrading to 7.0.8 and 7.0.11. |
903113 |
Upgrading FortiOS firmware with a local file from 6.2.13, 6.4.12, 7.0.11, or 7.2.4 and earlier may fail for certain models because the image file size exceeds the upload limit. Affected models: FortiGate 6000 and 7000 series, FWF-80F-2R, and FWF-81F-2R-POE. |
User & Authentication
Bug ID |
Description |
---|---|
705731 |
Chrome throttles timers, which causes the keepalive page to not update correctly and results in a user timeout. |
751763 |
When MAC-based authentication is enabled, multiple RADIUS authentication requests may be sent at the same time. This results in duplicate sessions for the same device. |
768669 |
If an administrator login fails due to an LDAP server connection timeout, |
794477 |
When a user's membership in AD or port range is changed, all of the user sessions are cleared. |
843528 |
RADIUS MAC authentication using ClearPass is intermittently using old credentials. |
846545 |
LDAPS connectivity test fails with old WinAD after OpenSSL was upgraded to 3.0.2. |
850473 |
SSL VPN and firewall authentication SAML does not work when the application requires SHA-256. |
853793 |
FG-81F 802.1X MAC authentication bypass (MAB) failed to authenticate Cisco AP. |
854114 |
Some embedded SSL certificates entered the |
855898 |
All devices are detected as Other identified device in the Device Inventory widget. |
856370 |
The EAP proxy worker application crashes frequently. |
857438 |
SSL VPN group matching does not work as expected for Azure auto login. |
858877 |
Dynamic address only has 100 IP addresses while FSSO group lists all 56K ACI endpoints. |
858961 |
Client's firewall authentication session timeout is set to 900 when it passes MAC authentication bypass by ping. |
859845 |
In some cases, the proper hostnames are not showing up when looking at APs on the FortiSwitch ports screen. |
864703 |
ACME client fails to work with some CA servers. |
865166 |
A cid scan crash occurs when device detections happen in a certain order. |
865487 |
Fortinet_GUI_Server certificate auto-regenerates every day. |
867225 |
ARP does not trigger FortiGuard device identification query. |
868481 |
When the Guest User Print Template is customized in a VDOM, printing the guest user credentials from User & Authentication > Guest Management still uses the default Guest User Print Template. |
873981 |
CMP should be supported for EC certificates. |
883006 |
Adding a new group membership to an FSSO user terminates all the user's open sessions. |
901743 |
An error condition occurs during the processing of the UDP packets when device identification is activated on an interface. |
VM
Bug ID |
Description |
---|---|
740796 |
IPv6 traffic triggers |
856645 |
Session is not created over NSX imported object when traffic starts to flow. |
859165 |
Unable to enable FIPS cipher mode on FG-VM-ARM64-AWS. |
859589 |
VPNs over Oracle Cloud stop processing traffic. |
860096 |
CPU spike observed on all the cores in a GCP firewall VM. |
865772 |
Interface does not get turned back up after changing the MTU in the aggregate interface. |
868698 |
During a same zone AWS HA failover, moving the secondary IP will cause the EIP to be in a disassociated state. |
869359 |
Azure auto-scale HA shows certificate error for secondary VM. |
874559 |
FortiGate VM HA primary loses connection when setting up secondary unit. |
878074 |
FG-ARM64-GCP and FG-ARM64-AZURE have HA synchronization issue with internal IP after failover. |
881728 |
Kernel hangs on FG-VM64-AZURE. |
881768 |
AWS MAC is not shown when the interface is attached immediately. |
883203 |
FG-AWS SDN is unable to retrieve EKS cluster information, even though its role is trusted by the EKS role. |
883896 |
Backup virtual server not working as expected ( |
885829 |
Azure SDN connector stopped processing when Azure returned |
890278 |
FG‑VM Rackspace On-Demand upgrade from 7.2.3 to 7.2.4 breaks the pay-as-you-go license, and reverts it to an evaluation license. |
899984 |
If FGTVM was deployed in UEFI boot mode, do not downgrade to any GA version earlier than 7.2.4. |
VoIP
Bug ID |
Description |
---|---|
757477 |
PRACK will cause voipd crashes when the following conditions are met: |
887384 |
SIP session is dropped by ALG with |
Web Filter
Bug ID |
Description |
---|---|
766126 |
Block replacement page is not pushed automatically to replace the video content when using a video filter. |
856793 |
In flow mode, URL filter configuration changes cause a spike in CPU usage of the IPS engine process. |
863728 |
The urlfilter process causes a memory leak, even when the firewall policy is not using the web filter feature. |
878442 |
FortiGuard block page image (logo) is missing when the |
WiFi Controller
Bug ID |
Description |
---|---|
807605 |
FortiOS exhibits segmentation fault on hostapd on the secondary controller configured in HA. |
824441 |
Suggest replacing the IP Address column with MAC Address in the Collected Email widget. |
825182 |
The 6 GHz channel lists should be updated according to the latest WiFi country region channels map. |
828901 |
Connectivity loss occurs due to switch and FortiAPs (hostapd crash). |
831736 |
Application hostapd crash found on FG-101F. |
834644 |
A hostapd process crash is shown in device crash logs. |
835783 |
CAPWAP traffic is not offloaded when re-enabling |
837130 |
Wireless client shows portal related webpage while doing MAC authentication with MAB mode. |
846730 |
Dynamic VLAN assignment is disabled in the GUI when editing an SSID with |
856038 |
The |
856830 |
HA FortiGate encounters multiple hostapd crashes. |
857084 |
Hostapd segmentation fault signal 6 occurs upon HA failover. |
857140 |
Hostapd segmentation fault signal 11 occurs upon RF chamber setup. |
857975 |
The cw_acd process appears to be stuck, and is sending several access requests for MAC authentication. |
858653 |
Invalid wireless MAC OUI detected for a valid client on the network. |
861552 |
Wireless client gets disconnected from WiFi if it is connected to a WPA2 SSID for more than 12 hours. |
865260 |
Incorrect source IP in the self-originating traffic to RADIUS server. |
868022 |
Wi-Fi clients on a RADIUS MAC MPSK SSID get prematurely de-authenticated by the secondary FortiGate in the HA cluster. |
874997 |
Fetching the registration status does not always work. |
882551 |
FortiWiFi fails to act as the root mesh AP, and leaf AP does not come online. |
887829 |
Add support for G-series FortiAP models in syntax XML export files. |
891625 |
Quarantined STA connected to a long interface name VAP is not moved to quarantined VLAN 4093. |
892575 |
MPSK SSID with |
900605 |
NAS-ID is not updated immediately after modifying it in the applied RADIUS server when the |
ZTNA
Bug ID |
Description |
---|---|
832508 |
The EMS tag name (defined in the EMS server's Zero Trust Tagging Rules) format changed in 7.2.1 from After upgrading from 7.2.0 to 7.2.1, the EMS tag format was converted properly in the CLI configuration, but the WAD daemon is unable to recognize this new format, so the ZTNA traffic will not match any ZTNA policies with EMS tag name checking enabled. |
859421 |
ZTNA server (access proxy VIP) is causing all interfaces that receive ARP request to reply with their MAC address. |
863057 |
ZTNA real server address group gets unset once the FortiGate restarts. |
865316 |
Adding an EMS tag on the Policy & Objects > Firewall Policy edit page for a normal firewall policy forces NAT to be enabled. |
875589 |
An error case occurs in WAD when a client EMS tag changes. |
888814 |
Unable to match first group attribute from SAML assertion for ZTNA rule. |
945016 |
When NAT is enabled in a firewall policy in ZTNA mode, saving it in the GUI will cause NAT to be disabled. |
Common Vulnerabilities and Exposures
Visit https://fortiguard.com/psirt for more information.
Bug ID |
CVE references |
---|---|
858921 |
FortiOS 7.4.0 is no longer vulnerable to the following CVE Reference:
|