Known issues
Known issues are organized into the following categories:
To inquire about a particular bug or to report a bug, please contact Fortinet Customer Service & Support.
New known issues
The following issues have been identified in version 7.4.6.
Device Manager
| Bug ID | Description |
|---|---|
| 1079654 | Firewall address entries are incorrectly generated when creating a bridge/mesh-type SSID. |
| 1080940 | In an IPSEC tunnel template, deleting an IPSEC tunnel that is not the last one in the template causes the configuration of the last remaining tunnel to disappear when you revisit the template. |
| 1091441 | Managed FortiAnalyzer is not available in dropdown menu in System Template in Log Settings. |
| 1110780 | FortiManager does not allow creating the local-in policy with SD-WAN zone. Workaround: Delete the local-in policy from policy package and use CLI template instead to add the policy. |
| 1112389 | FortiView and Log View fail to display logs when FortiAnalyzer is configured as a managed device in FortiManager. |
| 1129574 | Unable to restrict Firmware upgrade via Admin Profile. |
FortiSwitch Manager
| Bug ID | Description |
|---|---|
| 1026433 | When navigating to FortiSwitch Manager > FSW VLAN > "BUILD-VLAN" and enabling the DHCP Server, the Advanced options are missing the filename field. |
| 1089719 | Pre-provisioning on FortiManager for the FortiSwitch 110G is unavailable, as this functionality might not yet be supported on FortiOS. |
| 1097467 | There is a mismatch in the per-VDOM limit between the Managed FortiSwitch on the FortiManager and the actual FortiGate, causing a copy failure error when installing the configuration. So far, this issue has been observed on the FGT-90G. |
Others
| Bug ID | Description |
|---|---|
| 1089725 | Progressively slower GUI performance caused by increasing memory usage of the "init" daemon. |
| 1103008 | Not able to edit DNS Filter profile in FortiProxy ADOM. |
| 1111686 | FortiManager's GUI may crash with the error "Oops! Sorry, an unexpected error has occurred." when downloading a backup or accessing the "Last Script Run" option under Device Database. |
| 1113980 | In FortiManager operating in Workspace (ALL ADOMs) mode, the Installation Preview may hang, and the GUI displays an infinite loading state. This issue is observed when multiple users initiate installations to their respective devices simultaneously while the Policy Packages (PPs) are locked. |
| 1114809 | After upgrading the FMG using the "Upgrade Image via FortiGuard" feature, the FortiManager JSON API login may fail, leading to service disruptions. This issue is important for FortiPortal and other FortiManager API clients. Workaround: If the JSON API login failure is observed, reboot the FortiManager. |
| 1117603 | Some compatibility issues have been encountered with FortiOS 7.4.7. Please review FortiManager 7.4.6 and FortiOS 7.4.7 compatibility issues. |
| 1126662 | In a FortiGate HA setup running on the public cloud platform, the FortiManager attempts to install changes on static routes, which may cause routes to be deleted after an HA failover. |
Policy & Objects
| Bug ID | Description |
|---|---|
| 969923 | The View Mode button, which is used to check the interface in Pair View, is missing in the Firewall Policy under Policy Packages. |
| 1089894 | The Policy Package import may hang indefinitely on a specific FortiGate VDOM due to recursive object references. |
| 1101436 | The |
| 1106646 | When attempting to configure a local-in policy on FortiManager using ISDB objects as the source, the following error is encountered: "Attribute 'srcaddr' MUST be set when internet-service-src-name is set". |
| 1114832 | Any addition/modification in Application and Filter Overrides for Application profile doesn't show up in the install preview. Workaround: |
| 1168866 | In FortiManager under Policy & Objects > Firewall Objects > Internet Service > IP Reputation Database, most entries show “0” in the Number of Entries column, while the same entries display data on FortiGate devices. |
Services
| Bug ID | Description |
|---|---|
| 1116120 | When the FortiGuard Web Filter and Email Filter services are enabled, the usage of the root filesystem ("rootfs") gradually increases until it reaches 100%. This may affect the performance of other functions on the FortiManager, and it will be more noticeable when the FortiManager is operating with a smaller memory size. Workaround: Use the public FortiGuard Web Filter service, or disable the FortiGuard Web Filter and Email Filter service and delete its database by using the following commands, then reboot the FortiManager.<br>config fmupdate service<br>set query-antispam disable<br>set query-antivirus disable<br>set query-filequery disable<br>set query-iot disable<br>set query-iot-collection disable<br>set query-iot-vulnerability disable<br>set query-outbreak-prevention disable<br>set query-webfilter disable<br>end<br>diagnose fmupdate fgd-del-db <Database-category-type><br>For example: |
System Settings
| Bug ID | Description |
|---|---|
| 1115464 | When any interfaces have the serviceaccess feature enabled (fgtupdates, fclupdates, and webfilter-antispam), changing the IP address on the desired interfaces may not immediately affect the listening port for that IP. As a result, the user might not be able to access the GUI using the newly configured IP address (assuming default port 443 is being used). Workaround: |
VPN Manager
| Bug ID | Description |
|---|---|
| 1084696 | If users reopen the IPsec Tunnel template and close it without making any changes, FortiManager might still display the following error message in the install log: "Error: VPN IPsec phase1-interface psksecret...Minimum psksecret length is 6..." |
Existing known issues
The following issues have been identified in a previous version of FortiManager and remain in FortiManager 7.4.6.
AP Manager
| Bug ID | Description |
|---|---|
| 1032762 | Since FortiOS 7.4.4 now supports the selection of multiple 802.11 protocols and has trimmed the band options, importing FortiOS 7.4.3 AP profiles may result in some bands and channels being un-matched or unset. |
| 1041445 | The AP attributes do not automatically update in the AP Manager. |
| 1050466 | The 802.11ax-5g AP profile is missing for all FortiAPs that support WiFi 6. |
| 1083224 | FortiManager attempts to install 'port1-mode > bridge-to-wan' when 'Override LAN Port' is enabled and 'LAN Port Bridge' is set to 'Bridge to LAN'. |
Device Manager
| Bug ID | Description |
|---|---|
| 932579 | Assigning a BGP template is purging the previously existing BGP config from the target FortiGates. |
| 973365 | FortiManager does not display the IP addresses of FortiGate interfaces configured with DHCP addressing mode. Workaround: Disable Addressing Mode from DHCP to Manual in FortiManager Device DB, then retrieve from FortiGate and IP will be updated successfully. |
| 974925 | The NTP Server setting may not display the correct configuration. This issue might occur on managed devices running FortiOS version lower than 7.4.2. Workaround: Edit NTP server setting under CLI configuration. |
| 992550 | Unable to remove the trusted host for FortiGate admins under the Device DB from the FortiManager's GUI. |
| 1004220 | The SD-WAN Overlay template creates route-map names that exceed the 35-character limit. |
| 1021789 | The FortiManager SD-WAN widget's health check status is not functioning as expected. |
| 1041265 | While using a Device Blueprint to apply a pre-run CLI template and creating model devices via CSV import, the pre-run does not show as applied in Device Manager. |
| 1063850 | FortiManager is attempting to install a "PRIVATE KEY" with every installation, even after retrieving the config. |
| 1073479 | Install preview does not function properly. |
| 1085385 | Importing SD-WAN configuration previously completed on a FortiGate as a provisioning template in FortiManager returns "Response format error" message. |
| 1086303 | An installation error may occur when binding and installing the created VLAN interface to the software switch due to Workaround: Use a script (CLI template) on device database on FortiManager to unset " |
| 1089102 | Metadata variable value cannot be emptied (value deleted) after a value has been set via Edit Variable Mapping for a model device. |
| 1090340 | Deleting at least 1 VPN IPSec tunnel from the IPSEC Templates purges other vpn phase2-interfaces which are using the same template. |
| 1099270 | Unable to upgrade FortiGate HA devices via Firmware Templates. |
| 1102790 | FortiManager pushes the unset auto-connect command to config system lte-modem, where the default value is disabled on FortiOS but still enabled on FortiManager. |
| 1103166 | Installation wizard might get stuck at 50% if the device has Jinja CLI template assigned. |
| 1103304 | OSPF passive interface settings cannot be set via Device settings > Router > OSPF. |
| 1111432 | In a BGP template Neighbor Range, set max-neighbor-num 0 is not accepted by the GUI. |
| 1115014 | FortiManager fails to install SSID configuration in FortiGate when captive portal is enabled with error "Must set selected-usergroups". |
| 1119280 | Firmware Template assignment does not work properly. |
| 1122481 | When a FortiGate HA failover occurs, making any configuration changes on the FortiGate HA may cause FortiManager to attempt to purge the firewall policies on the device during the installation (Install Device Settings (only)). Workaround: Always install Policy Package and Device Settings, even when only device config is changed. Review the Installation preview carefully. |
| 1124171 | FortiManager retrieves the device configuration from the ZTP FortiGate after the image upgrade is performed, due to the 'Enforce Firmware' feature. This action erases all settings in the device database on the FortiManager side, and as a result, AutoLink installation will not be completed successfully. Workaround:<br>config fmupdate fwm-setting<br>set retrieve disable<br>end |
| 1124431 | Installation failure due to 'sslvpn os check' syntax error. |
| 1126321 | When creating a VLAN with "LAN" Role, an object is created even if "Create Address Object Matching Subnet" is disabled. |
| 1136080 | Starting from version 7.2.11, FortiGate devices use a different password type for the administrator's password field. FortiManager versions released before this change cannot verify the administrator password when installing to a FortiGate, which may result in an installation failure. |
| 1152564 | Unable to edit route-map due to the following error: "rule/2/set-priority is out of range (property: set-priority)". |
FortiSwitch Manager
| Bug ID | Description |
|---|---|
| 1077058 | IPv4 allow access for VLAN interface over Per-Device Mapping cannot be set. |
| 1110598 | Unable to add per device mapping config for FortiSwitch VLAN. Workaround: A script can be run on "Policy Package or ADOM Database". The following is an example:<br>config fsp vlan<br>edit "vlan200"<br>set vlanid 200<br>set _dhcp-status disable<br>config interface<br>set ip-managed-by-fortiipam disable<br>end<br>config dynamic_mapping<br>edit "FortiGate-80F-POE"-"root"<br>set _dhcp-status disable<br>config interface<br>set vlanid 20<br>end<br>config dhcp-server<br>set dns-service default<br>set ntp-service default<br>set timezone-option default<br>end<br>next<br>end<br>next<br>end |
Others
| Bug ID | Description |
|---|---|
| 1009848 | Support ISE distributed deployment: PAN/MnT Nodes up to 2, Pxgrid Nodes up to 4. |
| 1019261 | Unable to upgrade ADOM from 7.0 to 7.2, due to the error "Do not support urlfilter-table for global scope webfilter profile". Workaround: Run the following script against the ADOM DB:<br>config webfilter profile<br>edit "g-default"<br>config web<br>unset urlfilter-table<br>end<br>next<br>end |
| 1025366 | FortiManager does not support the FortiExtender SSID. |
| 1049457 | When FortiAnalyzer is added as a managed device, users may encounter an issue in the FortiManager GUI when expanding the log details. |
| 1052341 | Not able to select Address type MAC in SD-WAN rule source address. |
| 1065593 | Not able to upgrade ADOM. |
| 1066240 | The FortiSASE connector is supported only on FortiManager VM platforms and is not supported on FortiManager hardware models. |
| 1067460 | Unable to upgrade ADOMs from 6.0 to 6.2 because the FortiGate's syntax changed. |
| 1081941 | When UTM-Profile gets added to a FortiProxy policy FortiManager generates invalid config. |
| 1091375 | When the install is waiting for a session, it neither updates nor completes the task. |
| 1114595 | Login authentication fails when using FortiAuthenticator with FortiToken Mobile assigned to the user. |
| 1119279 | Event log for object is generating thousands of Wifi Events. |
| 1124007 | OK button does not save the settings. Navigate to Device Manager > Device & Groups > Right click on FGT > Firmware upgrade > Schedule > Custom > Define time > Press OK. |
| 1125382 | When EMS is added as a Fabric Connector to these FortiGates from FortiManager, all devices appear under FortiManager-managed devices, but only the primary FortiGate's serial number is displayed. |
| 1136765 | The PxGrid connector should support Fully Qualified Domain Names (FQDN). |
| 1142559 | When attempting to upload the firmware image from FortiGuard, FortiManager returns the following error "Code: -1, Invalid image". This issue has primarily been observed on FortiGate hardware platforms running special build firmware versions, where the image contains an encrypted MBR—such as on the FortiGateRugged-70G-5G-Dual, FortiGateRugged-70G, FortiGateRugged-50G-5G, FortiWiFi-70G models. |
| 1160086 | Unable to upgrade ADOM from v7.2 to v7.4 due to HTTP3(QUIC) error in deep-inspection profile. |
Policy & Objects
| Bug ID | Description |
|---|---|
| 845022 | SDN Connector failed to import objects from VMware VSphere. |
| 968149 | Unable to export policy package to CSV. |
| 1025012 | Configuring the SSL/SSH inspection profile may result in the following error: "The server certificate replacement mode cannot support category exemptions." Workaround: |
| 1030914 | Copy and paste function in GUI removes name of the policy rule and adds unwanted default security profiles (SSL-SSH no-inspection and default PROTOCOL OPTIONS). |
| 1054707 | FortiManager tries to install "unset qos-policy" and the installation fails. |
| 1057228 | Importing the SDN Objects, with multiple tags, will add multiple entries listed as SDN objects; when clients add anything into the filters section, the browser immediately redirects to an error page showing: "Oops! Sorry, an unexpected error has occurred". |
| 1070800 | FortiManager is attempting to install the " |
| 1073463 | Installation fails with the error "VIP entry cannot be moved when central-nat is disabled." |
| 1079128 | ZTNA Server Per-Device Mapping may display a copy error failure if a new per-device mapping is created without specifying the object interface. |
| 1086603 | Unable to create local-in policy with ISDB objects. |
| 1086705 | Multicast policy table Log column shows wrong info and right-click update does not work properly. |
| 1092581 | FortiManager cannot modify rat-timeout-profile in Policy Packages. |
| 1096879 | When checking the policy package diff, FortiManager shows that the "system replacemsg spam" entry will be deleted; however, this change is not reflected in the install log. |
| 1097885 | Action column is missing in policy package for security policy when NGFW Mode set to policy-based. |
| 1101919 | Changes to a Virtual IP global settings are not applied when a per-device mapping exists. |
| 1108159 | The IP address list for an ISDB object differs between FortiManager and the managed FortiGate while both devices have installed the same ISDB definitions. |
| 1109061 | FortiManager tries to set the inspection mode for the deny policies. |
| 1112917 | Unable to set or update a security profile group on a policy directly in the firewall or proxy policy view. |
| 1116489 | The revision history time stamps for custom profiles are all showing the same. |
| 1119299 | Installation fails due to syntax compatibility issues between FortiManager and FortiGate version 7.2.10. Specifically, the issue occurs when FortiManager attempts to unset the servercert in the vpn ssl settings. |
| 1130475 | FortiManager starts appending an ID to the global-label associated with policies. This can cause a problem if global labels are being used to group policies together. |
| 1131552 | Import fails due to an invalid remote certificate, even though the certificate is available on the FortiGate. |
| 1134276 | Installation of "config system ddns" configuration fails. |
| 1139220 | FortiManager does not prevent users from mixing ISDB and destination addresses. |
| 1142983 | In FortiManager, creating a threat feed connector and applying it to multiple VDOMs results in the same UUID being assigned across all instances. This behavior may lead to duplicate UUID issues. |
Script
| Bug ID | Description |
|---|---|
| 931088 | Unable to delete VDOMs using the FortiManager script. Interfaces remain in the device database, causing the installation to fail. |
| 1085374 | FortiManager does not support exporting the TCL scripts via CLI. |
Services
| Bug ID | Description |
|---|---|
| 1108706 | When updating query service packages from the global anycast server (globalupdate.fortinet.net), medium-sized IoTS packages may encounter checksum errors. These errors can prevent the proper updating of SPAM and URL databases, potentially impacting the FortiManager's FortiGuard Services. |
| 1104925 | FortiManager in Cascade mode may fail to display accurate license information/contracts for FortiGate retrieved from the FDS server, as it is not listed in the FortiGate's authlist. |
System Settings
| Bug ID | Description |
|---|---|
| 1108205 | ADOM lock override does not work even though lock-preempt has been enabled. |
| 1081463 | The encrypted backup file cannot be easily correlated with the backup details, as the date and time are not included. |
| 1121608 | Under the Dashboard > Sessions widget, the number of current sessions presented in FortiManager does not match the number of sessions in the FortiGate. |
| 1088248 | When users perform any task, such as installing a policy, the task monitor icon that appears at the top-right of the GUI continuously shows a loading state, and users are unable to view the task progress. |
VPN Manager
| Bug ID | Description |
|---|---|
| 1084434 | Unable to rename the address objects (either source and/or destination) used in Phase2 quick selectors in IPSec VPN without an installation error. |
| 1090636 | Unable to edit VPN community due to the following error message: "vpnmgr/vpntable/: cannot be edited". |