FortiGate cannot connect to FortiSandboxCloud when inline content block scan mode is set to default in an antivirus profile.

On the Policy & Objects > Traffic Shaping page, when deleting or creating a shaper, the counters for the other shapers are cleared.

When the FortiGate has thousands of addresses and hundreds address groups, the GUI can take a few minutes to search for a specific address inside the address group dialog.

Workaround: User can create the address group in the CLI instead by using the exact address name. User can also perform a search in the CLI using a partial match. For example:

config firewall addrgrp
    edit address_group
        set member <pattern>?
    next
end

After a failover, ARP entries are removed from all slots when an ARP query of single slot does not respond.

IPv6 ECMP is not supported for the FortiGate 6000F and 7000E platforms. IPv6 ECMP is supported for the FortiGate 7000F platform.

FortiGate 7000E IPv6 routes may not be synchronized correctly among FIMs and FPMs.

On FortiGate 6000 models, high CPU usage by node process when navigating policy list with 7000 policies in a VDOM.

After an HA failover, there is no IPsec route in the kernel.

On FortiGate 7000, if gtp-mode is enabled and then disabled, after disabling gtp-enhanced mode and rebooting the device, traffic is disrupted on the FIM and cannot be recovered.

Workaround: downgrade to version 7.2.x or 7.4.3.

On the FortiGate 7000F platform with virtual clustering enabled and syslog logging configured, when running the diagnose log test command from a primary vcluster VDOM, some FPMs may not send log messages to the configured syslog servers.

When viewing entries in the slide-out window of the Policy & Objects > Internet Service Database page, users cannot scroll down to the end if there are over 100000 entries.

On the Network > Interfaces page, the SFP port is grayed out on the faceplate diagram even though the port is working. This is purely a GUI display issue and does not affect system operation.

Workaround: View the SFP port information and status using the interface list in the CLI.

NPD/LPMD cannot differentiate the different VRFs, and considers all VRFs as 0.

Restoring a specific VDOM configuration from the GUI does not restore the complete configuration.

FortiGate does not choose a random port when set to random mode.

FG-4201F has a 10% performance drop during a CPS test case with DoS policy.

When Hyperscale logging is enabled with multicast log, the log is not sent to servers that are configured to receive multicast logs.

After FTP traffic passes, the npu-session stat does not display the accurate amount of actual sessions on FortiGate.

Traffic over GRE tunnel over IPsec tunnel, or traffic over IPsec tunnel with GRE encapsulation is not offloaded on NP7-based units.

GRE over IPsec does not work in transport mode.

CPU usage issues occurred when IPsec VPN traffic was received on the VLAN interface of an NP7 vlink.

CPU usage issue in WAD caused by a high number of devices being detected by the device detection feature.

The diagnose ip rtcache list command is no longer supported in the FortiOS 4.19 kernel.

After deauthorizing a downstream FortiGate from the System > Firmware & Registration page, the page may appear to be stuck to loading.

Workaround: perform a full page refresh to allow the page to load again.

FortiGate experiences a CPU usage issue in the node process when there multiple administrator sessions running simultaneously on the GUI in a Security Fabric with multiple downstream devices. This may result in slow loading times for multiple GUI pages.

Workaround: Disconnect the other concurrent administrator sessions to avoid overloading node process.

In some cases, the Security Fabric topology does not load properly and displays a Failed to load Topology Results error.

FGR-70F and FGR-70F-3G4G failed to perform regular reboot process (using execute reboot command) with an SD card inserted.

On NP7 platforms, the FortiGate maybe reboot twice when upgrading to 7.4.2 or restoring a configuration after a factory reset or burn image. This issue does not impact FortiOS functionality.

FortiGate 60F and 61F models may experience a memory usage issue during a FortiGuard update due to the ips-helper process. This can cause the FortiGate to go into conserve mode if there is not enough free memory.

Workaround: User can disable CP acceleration to reduce the memory usage.

config ips global
    set cp-accel-mode none
end

On the FortiGate 90xG models, the ULL interfaces for x5 - x8 are down after being set to 25G speed.

On FortiGate 601F models, the X5 - X8 interfaces with 25G SFP28 DAC are down after upgrading to version 7.4.4 or later.

When configuring an SNMP trusted host that matches the management Admin trusted host subnet, the GUI may give an incorrect warning that the current SNMP trusted host does not match. This is purely a GUI display issue and does not impact the actual SNMP traffic.

Workaround: If the trusted host is enabled on all administrative access, make sure the SNMP host IP is included in at least one of these trusted IP/subnets.

FortiGate reboots twice after a factory reset when gtp-enchanced-mode is enabled.

After an interface role change, the updated role does not show in the le-switch member list.

On FortiGate Rugged FGR70F-3G4G models, wan1 and wan2 port mode changes to static after a factory reset.

The OPC VM does not boot up when in native mode.

FortiGates using a SOC4 platform with a virtual switch configured may continuously reboot when upgrading due to an interruption in the kernel.

The kernel 4.19 cannot concurrently reassemble IPv4 fragments for a source IP with more than 64 destination IP addresses.

FortiGate does not upgrade if private-data-encryption is enabled and the device is not rebooted.

Workaround: Reboot FortiGate after enabling private-data-encryption.

A FortiGuard update can cause the system to not operate as expected if the FortiGate is already in conserve mode. Users may need to reboot the FortiGate.

When auto-upgrade is disabled, scheduled upgrades on FortiGate are not automatically canceled. To cancel any scheduled upgrades, exec federated-upgrade cancel must be done manually.

When restoring an FortiGate, the 7.4.1 config file with deprecated Inline CASB entries displays errors messages and causes the confsyncd to not function as expected.

During a graceful upgrade, the confsync daemon and updated daemon encounter a memory usage issue, causing a race condition.

When a remote LDAP user with Two-factor Authentication enabled and Authentication type FortiToken tries to access the internet through firewall authentication, the web page does not receive the FortiToken notification or proceed to authenticate the user.

Workaround: click the Continue button on the authentication page after approving the FortiToken on the mobile device.

NTLM authentication does not work with Chrome.

VNI length is zero in the GENEVE header when in FTP passive mode.

When there are a large number of managed FortiAP devices (over 500) and a large number of WiFi clients (over 5000), the Managed FortiAPs page and FortiAP Status widget can take a long time to load. This issue does not impact FortiAP operation.

On the FortiGate 200F, CAPWAP tunnel traffic over tunnel SSID is dropped when offloading is enabled.

Physical and logical topology is slow to load when there are a lot of managed FortiAP devices (over 50). This issue does not impact FortiAP management and operation.

Intermittent traffic disruption observed in cw_acd caused by a rare error condition.

Clients randomly unable to connect to 802.1X SSID when FortiAP has a DTLS policy enabled.

RADIUS accounting data usage is different between the bridge and tunnel VAP.

SMB drive mapping made through a ZTNA access proxy is inaccessible after rebooting.

ZTNA does not allow tcp-forwarding SSH traffic to pass through.