
Resolved issues

This section lists issues that have been fixed in version 8.0.4. For inquiries about a particular bug, please contact Fortinet Customer Service & Support: https://support.fortinet.com

Bug ID Description
1251548 License activation fails with a certificate revocation error due to a server hostname mismatch during SSL connections to FortiGuard Distribution Servers (FDS). When anycast is enabled, the system intermittently fails to present the correct Server Name Indication (SNI), leading to a certificate validation failure and missing OCSP stapling data.
1248707 A file descriptor leak triggered during directory validation causes the secondary unit in an HA cluster to lose its entire configuration. This occurs when the system incorrectly uses opendir() to check the /var/log/csv directory, eventually exceeding the file descriptor limit and preventing the configuration daemon from unzipping or restoring synchronized config files.
1244696 RADIUS-based administrator login with FortiToken MFA fails via the GUI, redirecting users back to the login screen after a valid OTP is entered. Although system logs report a successful login, the session is not established because the authentication process lacks support for the legacy RADIUS algorithm required for certain MFA challenges, such as MS-CHAPv2.
1243354 The event log incorrectly displays "DNS server returned answer with no data" or "V6 address not available" errors even when IPv6 is disabled. This issue occurs because the URL Access module uses a legacy DNS API that automatically requests both IPv4 and IPv6 addresses. If a domain lacks an AAAA record, the system generates a failure log despite only requiring an IPv4 address for operation.
1239065 The CLI incorrectly rejects valid certificates during installation while the GUI accepts them. This inconsistency is caused by a buffer management error where the content buffer fails to refresh after normalizing a key. Because the system appends data to the existing buffer instead of overwriting it, the resulting malformed content causes the CLI validation to fail.

1237875 The ACME daemon incorrectly initiates connections to Let's Encrypt servers even when no certificates are configured. This occurs because the system fails to handle error codes when querying certificate tables across VDOMs; specifically, an unchecked -1 return value from the query API is incorrectly included in the certificate count, triggering unnecessary outbound traffic.

1236073 Remote TACACS+ users are restricted to a maximum of 16 assigned Administrative Domains (ADOMs). This limit prevents administrators from granting access to all required domains in large-scale deployments, such as MSSP environments. While the CLI enforces this 16-entry maximum, the GUI fails to provide a corrective warning when the limit is exceeded.
1234928 The system log generates excessive "chmod(2) is denied" warning messages for the filebeat registry path. This occurs due to strict security permission checks in version 8.0.x that prevent the filebeat process from modifying file modes. The fix enables the necessary process control (prctl) privileges for filebeat, allowing it to manage its registry files correctly and preventing the flood of resource check failure logs.
1231926/1231821 The proxyd process crashes intermittently, causing watchdog reboots and failures in server-to-server communication behind a WAF VIP. These issues are caused by an uninitialized or invalid pointer in the Real Browser Enforcement (RBE) module. Because RBE variables are not safely null-initialized at the start of a transaction, the proxy engine may access corrupted memory or invalid pointers from previous sessions, leading to a segmentation fault.
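
The descriptor leak behind bug 1248707, shown as an added C example that is not Fortinet's code: an existence check built on opendir() without closedir() keeps one descriptor per call, while a stat()-based check keeps none. All function names are hypothetical, "/" stands in for the log directory, and the stat() replacement is an assumed fix, since the release note does not say how the check was changed.

```c
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Leaky pattern: each call opens a directory stream and never closes it. */
int dir_exists_leaky(const char *path)
{
    DIR *d = opendir(path);
    return d != NULL;               /* closedir(d) is missing */
}

/* Hardened pattern (assumed fix): stat() opens no descriptor at all. */
int dir_exists_fixed(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 && S_ISDIR(st.st_mode);
}

/* Count descriptors currently open in this process (scan capped at 4096). */
int open_fd_count(void)
{
    int n = 0;
    for (int fd = 0; fd < 4096; fd++)
        if (fcntl(fd, F_GETFD) != -1)
            n++;
    return n;
}

/* How many descriptors remain open after `calls` runs of `check`. */
int fds_consumed(int (*check)(const char *), const char *path, int calls)
{
    int before = open_fd_count();
    for (int i = 0; i < calls; i++)
        check(path);
    return open_fd_count() - before;
}

int main(void)
{
    /* "/" stands in for the log directory; 8 calls is a constructed sample. */
    printf("leaky: %d descriptors left open\n", fds_consumed(dir_exists_leaky, "/", 8));
    printf("fixed: %d descriptors left open\n", fds_consumed(dir_exists_fixed, "/", 8));
    return 0;
}
```

In a long-running daemon the leaky variant eventually hits the per-process descriptor limit, after which every later open() in that process fails, which matches the failure to unzip or restore synchronized config files described above.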
