Resolved issues

This section lists issues that have been fixed in version 8.0.0. For inquiries about a particular bug, please contact Fortinet Customer Service & Support: https://support.fortinet.com

Bug ID Description
1180578 An authentication bypass occurred when a user accessed a different SAML-protected URL using a cookiesession3 value generated from an incomplete authentication on another URL. The session cookie was incorrectly accepted across SAML contexts.
1180157 Known Bots detection was bypassed when a bad bot request was sent over a reused TCP connection that had previously matched a trusted Search Engine signature.
1179686 HTTP/2 requests to create a test file on the server failed when the client received no response code. This was caused by the flow control send window not being updated if the HTTP/2 SETTINGS frame was received late in the session.
1177524 In FortiWeb version 7.6.4, attempting to view a generated report from the GUI resulted in a “Requested URL not found” error. This occurred due to missing HTTP server configuration for the report file path.
1173924 Favorites were missing from the left navigation bar after upgrade due to the system/admin.favorite API returning no data. This caused the Favorites section to appear empty across all supported browsers.
1172951 False positives for SQL Injection signatures could occur during file uploads when binary files such as PDFs were scanned by the Signature Detection engine. The issue was triggered by non-printable characters in the file content, leading to unintended matches.
1170932 FortiWeb could delay or fail to respond to HTTP HEAD requests when certain WAF signatures were enabled. The issue was caused by incorrect handling of HEAD responses with chunked transfer encoding in HTTP/1.
1170695 High memory usage could occur on the primary device due to a memory leak in the cookie security module when the action was set to alert. The issue occurred because a custom error page was mistakenly returned during alert handling, leading to unintended memory consumption.
1170397 FortiWeb in active-active high-volume mode continued sending gratuitous ARP for a VIP after it was removed from the traffic distribution configuration, due to stale VIP entries not being marked as inactive.
1169907 SNMPv3 message authentication failed with USM timeliness errors, causing valid SNMP queries to be rejected. The issue was related to incorrect time handling in SNMPv3 processing.
1168412 When an IP address was blocked via the Block IP List, the attack log incorrectly reported the OWASP category as "API5:2023 Broken Function Level Authorization" instead of "N/A". OWASP mapping for IP-based modules has been updated to reflect that these are unrelated to application-layer vulnerabilities.
1167936 Deleting a saved log filter did not immediately remove it from the visible list in the GUI. The filter only disappeared after navigating away from the page or refreshing the browser.
1165929 Users could be unexpectedly logged out of the GUI during an active session despite being within the configured timeout period. The issue occurred while interacting with the interface and resulted in session termination without warning.
1165664 A memory leak occurred in proxyd, resulting in sustained high memory usage even without traffic. The issue was traced to lingering pthreads that were not properly released. Liveness checks have been added to prevent resource accumulation.
1165044 Attack logs triggered by the "Redundant HTTP Header" rule under HTTP Protocol Constraints did not display the duplicate headers that caused the violation. Only the final instance of the repeated header was shown, making it difficult to verify the redundancy that triggered the log.
1163664 Syslog failed to include packet data in traffic logs when disk-based traffic logging was disabled, despite packet logging being enabled in the syslog policy. This occurred because packet data generation was incorrectly tied to the disk logging setting.
1162809 Client scoring was skipped when the action was set to "Erase & No Alert" due to a logic error that tied Client Management scoring to attack log generation instead of detection.
1162252 The logdisk size check failed during hardware diagnostics on FortiWeb 100F, despite logging functioning correctly. This was due to the 120GB logdisk not being recognized in the hardware specification.
1159549 Connections dropped unexpectedly due to a crash in the proxyd process caused by a memory access error during SSL context cleanup.
1158769 HA synchronization failed after adding a Let's Encrypt certificate with a wildcard domain. The certificate was not replicated to the secondary device, causing the primary to remain in INIT state. The issue was due to missing path handling logic specific to wildcard certificates.

1158537 The proxyd process could crash repeatedly due to the use of an uninitialized memory value during file upload inspection, leading to service disruption. This issue was environment-specific and was triggered after upgrade.
1156928 / 1143509 / 1128127 Dashboard widgets failed to display because the config system dashboard-widget table exceeded the maximum entry limit of 256, preventing widget loading and creation after upgrade. The limit has been increased to 1024 in the fix.
1154598 SSO login intermittently failed on the first attempt but succeeded on the second without reauthentication. The initial failure was caused by incorrect handling of the SP certificate during the SAML handshake, leading to improper certificate validation and login rejection.
1154085 FortiWeb displayed a critical event log stating “DLDB is unauthorized” during FortiGuard update attempts, despite there being no functional impact. The log level was too severe for routine update failures, leading to unnecessary alerts.
1150441 Certain WebShell files were not detected or blocked by the WebShell module, allowing them to be uploaded to protected servers. These files bypassed detection despite matching known patterns, indicating gaps in the module’s file inspection coverage.
1140839 When using the Least Connection algorithm, servers exiting Maintenance Mode could receive all new connections due to inaccurate session statistics, including negative values. This issue has been fixed by recalculating session data during policy reload.
1140417 HA failed to synchronize in AAH mode when an External IP connector was configured, due to last-update timestamp mismatches caused by the primary and secondary nodes updating their IP lists independently.
1133888 When a custom rule was created through the GUI and OK was clicked to save the configuration, the corresponding set signature command disappeared from the CLI.
1133642 Traffic could hang on FortiWeb due to an infinite loop in the AV engine when scanning truncated gzip or bzip content with optimization enabled. The decompression buffer handling logic has been fixed.
1133199 The "Blocked IPs" monitor failed to display data when accessed by SSO admin users due to incorrect mkey handling in the dashboard widget API. The issue was resolved by adding logic to assign the correct mkey prefix (sso or sys) based on the user type.
1121774 The event log message “Source Address running low for 127.0.0.1 → 127.0.0.1” was triggered under normal conditions and did not indicate an actual port exhaustion issue. The logging behavior has been corrected to prevent false alarms.
1115495 IPv6 packets with VLAN tagging intermittently contained an IPv4 header, causing downstream devices to drop them. This was caused by an incorrect eth->h_proto value of ETH_P_IP in the IPv6 packets.
1113220 Scheduled SFTP backups did not run after upgrading to version 7.4.6 due to a race condition in which cron and ftp_backup started almost simultaneously. This prevented cron from reading the updated /tmp/crontab file, causing the backup to fail.
1109804 ESXi firmware upgrade failed because image signature verification was not performed when FIPS mode was enabled.
1106859 FortiWeb failed to detect and block the EICAR test file when it was Base64-encoded before upload. The issue occurred due to limitations in Base64 content inspection. Detection logic has been improved to support Base64-encoded payloads.
