Fortinet has released FortiOS 7.0.1, the latest update for FortiGate. This version fixes the FortiGate server load balancer, which did not behave as expected (bug 705402), and the bug that stopped IPsec from working on FG-VM after an upgrade to 7.0 (bug 719655). It also brings a long list of new features and changes in both the GUI and the CLI. The sections below list the supported models, the new features, and the resolved issues.
Currently supported models:
Product line | Models |
---|---|
FortiGate | FG-40F, FG-40F-3G4G, FG-60E, FG-60E-DSL, FG-60E-DSLJ, FG-60E-POE, FG-60F, FG-61E, FG-61F, FG-80E, FG-80E-POE, FG-80F, FG-80F-BP, FG-81E, FG-81E-POE, FG-81F, FG-90E, FG-91E, FG-100E, FG-100EF, FG-100F, FG-101E, FG-101F, FG-140E, FG-140E-POE, FG-200E, FG-201E, FG-300E, FG-301E, FG-400E, FG-400E-BP, FG-401E, FG-500E, FG-501E, FG-600E, FG-601E, FG-800D, FG-900D, FG-1000D, FG-1100E, FG-1101E, FG-1200D, FG-1500D, FG-1500DT, FG-2000E, FG-2200E, FG-2201E, FG-2500E, FG-3000D, FG-3100D, FG-3200D, FG-3300E, FG-3301E, FG-3400E, FG-3401E, FG-3600E, FG-3601E, FG-3700D, FG-3800D, FG-3960E, FG-3980E, FG-5001E, FG-5001E1 |
FortiWiFi | FWF-40F, FWF-40F-3G4G, FWF-60E, FWF-60E-DSL, FWF-60E-DSLJ, FWF-60F, FWF-61E, FWF-61F |
FortiGate Rugged | FGR-60F, FGR-60F-3G4G |
FortiGate VM | FG-VM64, FG-VM64-ALI, FG-VM64-AWS, FG-VM64-AZURE, FG-VM64-GCP, FG-VM64-HV, FG-VM64-IBM, FG-VM64-KVM, FG-VM64-OPC, FG-VM64-RAXONDEMAND, FG-VM64-SVM, FG-VM64-VMX, FG-VM64-XEN |
Pay-as-you-go images | FOS-VM64, FOS-VM64-HV, FOS-VM64-KVM, FOS-VM64-XEN |
What's new in FortiOS 7.0.1:
Bug ID | Description |
---|---|
477886 | Allow ingress and egress ports to be configured so the PRP trailer is not stripped when PRP packets come in or go out.<br>`config system npu`<br>`  set prp-port-in <port>`<br>`  set prp-port-out <port>`<br>`end` |
489956 | Add LAG implementation so each session uses the same NP6 and XAUI for ingress and egress directions to avoid fast path congestion (this setting is disabled by default).<br>`config system npu`<br>`  set lag-out-port-select {enable \| disable}`<br>`end`<br>Add algorithm in NPU driver for distribution, |
568534 | The DHCP snooping server access list allows servers on that list to respond to DHCP requests, while blocking requests to servers that are not on the list. The DHCP server access list feature can be enabled at the VDOM or FortiSwitch level. Server lists are configured per switch VLAN interface.<br>VDOM level:<br>`config switch-controller global`<br>`  set dhcp-server-access-list {enable \| disable}`<br>`end`<br>FortiSwitch level:<br>`config switch-controller managed-switch`<br>`  edit <switch>`<br>`    set dhcp-server-access-list {global \| enable \| disable}`<br>`  next`<br>`end`<br>Interface:<br>`config system interface`<br>`  edit <interface>`<br>`    config dhcp-snooping-server-list`<br>`      edit <list>`<br>`        set server-ip <class_ip>`<br>`      next`<br>`    end`<br>`  next`<br>`end` |
669942 | In the scenario where session synchronization is down between two FGSP members, resulting in a split-brain situation, the IKE monitor provides a mechanism to maintain the integrity of state tables and primary/secondary roles for each gateway. It continues to provide fault tolerance by keeping track of the timestamp of the latest received traffic, and it uses the ESP sequence number jump ahead value to preserve the sequence number per gateway. Once the link is up, the cluster resolves the role and synchronizes the session and IKE data. During this process, if the IKE fails over from one unit to another, the tunnel will remain valid due to the IKE session and role being out of sync, and the ESP anti-replay detection. |
689139 | Add shortcuts to various locations in the GUI to help users register their FortiGate to FortiCare. This option is also added to newly authorized Fabric FortiGates. |
689931 | With NAC LAN segment support, the VLAN segmentation is handled by the FortiSwitch. Devices can maintain the same IP that they initially receive while onboarding. When a NAC policy is matched, the device gets placed into the appropriate VLAN by the FortiSwitch, providing segmentation from other LAN segments. |
690671 | Filtering PFCP traffic is supported on FortiOS Carrier. PFCP filtering is required to provide security for evolving 4G networks and upcoming 5G networks. PFCP filtering is configured similar to GTP filtering. PFCP message filters and profiles are created and applied in firewall policies. |
696057 | Add REST API to retrieve a list of FortiSwitch models that are supported on the FortiGate: |
697340 | When indoor AP models are placed outdoors, or outdoor AP models are placed indoors, there is an option to override the indoor or outdoor flag. This enables the available channels list to reflect the region based on the AP placement. |
697843 | On models that have an internal switch that supports modifying the distribution algorithm, enhanced hashing can be used to help distribute traffic evenly across links on the LAG interface. The enhanced hashing algorithm is based on a 5-tuple of the IP protocol, source IP address, destination IP address, source port, and destination port. The computation method can also be specified. |
699006 | On a FortiCarrier, the new RAT (radio access technology) timeout profile allows users to customize the timeout values for each RAT type. This profile can be applied to GTP profiles to allow GTP tunnel timeout per RAT type (default value is 0 seconds). |
699205 | Add dynamic firewall address subtype, Switch Controller NAC Policy Tag. This type of address can be assigned to a NAC policy under Switch Controller Action. All device MACs discovered in the NAC policy will be added to the firewall address dynamically. |
699226 | Add the `diagnose switch-controller switch-info port-properties [<switch>] [<port>]` command to display FortiSwitch port properties, such as PoE power level, connector module form factor, and speed capabilities.<br>`# diagnose switch-controller switch-info port-properties S548DF**********`<br>`Switch: S548DF**********`<br>`Port: port1`<br>`PoE : 802.3af/at,30.0W`<br>`Connector : RJ45`<br>`Speed : 10Mhalf/10Mfull/100Mhalf/100Mfull/1Gauto/auto` |
699456 | Increase the generated RSA key bits from 1024 to 2048. |
700665 | Allow FortiAI to be used with antivirus profiles in proxy inspection mode. FortiAI inspects high-risk files and issues a verdict to the firewall based on how close a file’s features match those of malware. When enabled, FortiAI can log, block, or ignore the file based on the verdict. |
701033 | Support the octets and MAC address engine ID formats defined in RFC 2571 in the SNMP engine ID configuration.<br>`config system snmp sysinfo`<br>`  set engine-id-type {text \| hex \| mac}`<br>`  set engine-id <string, maximum 27 characters>`<br>`end` |
702665 | Add support for BGP conditional advertisement for IPv6 on the FortiGate:<br>`config router bgp`<br>`  config neighbor`<br>`    edit <name>`<br>`      config conditional-advertise6`<br>`        edit <name>`<br>`          set condition-routemap <string>`<br>`          set condition-type {exist \| non-exist}`<br>`        next`<br>`      end`<br>`    next`<br>`  end`<br>`end` |
703312 | Improve switch controller performance in large topologies. |
703900 | In an SD-WAN transit routing setup with Google Network Connectivity Center (NCC), you can route data and exchange border gateway protocol (BGP) routing information between two or more remote sites via GCP. |
704318 | Add SNMP OIDs to query FortiSwitch CPU, memory, and port status via the FortiGate. These objects are added to the FortiOS enterprise MIB 2 tables. |
704662 | Allow the FortiGate to use the built-in speed test functionality to dynamically populate egress bandwidth to individual dial-up tunnels from the hub. Changes include: |
704819 | Using the RADIUS attribute Tunnel-Private-Group-Id, a wireless controller can now accept a VLAN name as a string, and match the VLAN sub-interface attached to a VAP interface when dynamically assigning a VLAN. Users logging into an SSID can be dynamically assigned to the proper VLAN based on the VLAN configurations on RADIUS for the particular user. |
706491 | On FortiClient EMS versions that support push CA certs capability, the FortiGate will push CA certificates used in SSL deep inspection to the EMS server. On the EMS server, the CA certificates can be selected in the managed endpoint profiles so they can be installed on managed endpoints. |
707475 | Enhancements for ZTNA logging: |
707643 | Implement best route mode for SD-WAN rules, including ECMP support for the longest match and the longest match overriding the quality comparison. |
708358 | Passive health check for SD-WAN can be configured in the GUI from two locations: |
709061 | In WiFi & Switch Controller > Managed Switch > Topology View, a new Reorder button provides users with the ability to rearrange the order in which the FortiSwitches appear. |
709067 | Add support for RFC 5709 HMAC-SHA cryptographic authentication for OSPF:<br>`config router key-chain`<br>`  edit <name>`<br>`    config key`<br>`      edit <id>`<br>`        set algorithm {md5 \| hmac-sha1 \| hmac-sha256 \| hmac-sha384 \| hmac-sha512}`<br>`      next`<br>`    end`<br>`  next`<br>`end` |
709090 | The FortiWiFi mesh function supports obtaining Fortinet MAC OUI ranges from the FortiGuard MAC address database (MADB), so that leaf FortiAPs with new MAC OUIs can be automatically recognized and allowed. |
709104 | WANOpt supports SSL offloading of traffic without needing to define an SSL server. The server side FortiGate will re-sign the HTTP server’s certificate without needing to configure an SSL server (in both scenarios where an external proxy is and is not used). This enhancement also adds support for GCM cipher and ChaCha ciphers in the SSL connection. |
709107 | Allow FortiGate to support client certificate authentication used in mTLS communication between client and server. In this communication, clients are issued certificates by the CA. An access proxy configured on the FortiGate may use the new certificate method in the authentication scheme to identify and approve the client certificate provided by the client when it tries to connect to the access proxy. Optionally, the FortiGate may add the HTTP header X-Forwarded-Client-Cert to forward the certificate information to the server. |
709108 | The TCP forwarding access proxy supports communication between the client and access proxy without SSL/TLS encryption. The connection between the client and access proxy still begins with a TLS handshake. The client uses the HTTP 101 response to switch protocols and remove the HTTPS stack. Further end-to-end communication between the client and server is encapsulated in the specified TCP port, but otherwise not encrypted by the access proxy. |
710318 | Add security rating test in Access Control and Authentication to mitigate against the following high-priority vulnerability: |
710323 | Add security rating test in Access Control and Authentication to mitigate against the following high-priority vulnerability: |
710423 | When connecting to FortiAnalyzer in the Security Fabric, the FortiGate displays an Authorize button when the FortiGate has not been authorized on the FortiAnalyzer side. This opens a shortcut to log in to the FortiAnalyzer and approve the FortiGate. |
711868 | FortiTester can be added to the Security Fabric and authorized from the Security Fabric topology view. Once added, the FortiTester appears in the dashboard Security Fabric widget, and it can be added to the dashboard as a Fabric device widget. |
712102 | The REST API can retrieve dynamic information about LTE modems, such as RSSI signal strength, SIM information, data session, and usage levels from 3G and 4G FortiGates. |
712304 | Support new Google gVNIC interface, which offers improved performance and bandwidth and is required in some VM shapes that are tuned for optimal performance. |
712916 | SD-WAN zones can be applied in three new ways: |
713535 | Sniffer traffic logs from the IPS engine are expanded to 64-bit variable sizes (previously 32-bit for sent/received bytes fields). |
713717 | The FortiGate can automatically downgrade to use TLS version 1.2 when there are no proper custom ciphers configured in TLS 1.3 in a server load-balance VIP configuration. |
713793 | Allow FortiGates to read the Cisco Security Group Tag (SGT) in Ethernet frames and use them as matching criteria in firewall policies. A policy can match based on the presence of an SGT, or the detection of a specific ID or IDs. This feature is available in flow mode policies for virtual wire pair policies or policies in transparent mode VDOMs. |
714713 | Allow SSL VPN interfaces to be used in zones. |
715031 | Add option in the SSL VPN web portal profile to disable the use of the copy and paste clipboard in RDP and VNC connections while using web mode. |
715100 | Allow FortiClient to use a browser as an external user agent to perform SAML authentication for SSL VPN tunnel mode. In prior versions, SAML authentication had to be performed within the FortiClient embedded login window. A new setting is added to configure the SAML redirection port upon successful SAML authentication:<br>`config vpn ssl settings`<br>`  set saml-redirect-port <port>`<br>`end` |
716453 | On KVM, FortiOS can support bootstrapping using a MIME file via config drive. |
716683 | FIPS CC mode is now supported on OCI and GCP FortiGate VMs. To enable this feature, all VPNs must be removed.<br>`config system fips-cc`<br>`  set status fips-ciphers`<br>`end` |
717579 | Add command in the WTP profile to disable console login from the FortiAP. All managed APs using this profile will be rebooted and the change applied.<br>`config wireless-controller wtp-profile`<br>`  edit <profile>`<br>`    set console-login {enable \| disable}`<br>`  next`<br>`end` |
717591 | For SSIDs in local standalone NAT mode, add the option to define up to three DNS servers to assign to wireless endpoints through DHCP. |
717907 | Add option in CLI to manage how long authenticated FSSO users on the FortiGate will remain on the list of authenticated FSSO users when a network connection to the collector agent is lost:<br>`config user fsso`<br>`  edit <name>`<br>`    set logon-timeout <integer>`<br>`  next`<br>`end`<br>The |
719581 | Allow the FortiGate to use the built-in speed test functionality to dynamically populate egress bandwidth to individual dial-up tunnels from the hub. It allows the speed test results of dial-up tunnels to be cached for reuse when the tunnel is up again. |
720046 | Add option to toggle between enabling or disabling policy route updates when a link monitor fails. By disabling policy route updates, a link monitor failure will not cause corresponding policy based routes to be removed. |
720723 | The link monitor can configure multiple servers and allow each server to have its own weight setting. If the link monitor is down, it will trigger static route updates and cascade interface updates if the weight of all dead servers exceeds the monitor’s fail weight threshold. |
721280 | New options are added to the SSL/SSH profile to log server certificate information and TLS handshakes. New fields are added to the UTM SSL logs when these options are enabled. |
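As an added example (not code from these release notes or from Fortinet), the following Python builds and decodes SNMPv3 engine IDs in the RFC 2571 layout that the `engine-id-type {text | hex | mac}` setting of bug 701033 selects: octets 1-4 carry the enterprise number with the high bit of the first octet set, octet 5 is the format indicator (1 = IPv4, 2 = IPv6, 3 = MAC address, 4 = text, 5 = octets), and the remainder is the value. An engine ID is at most 32 octets, which is why the CLI caps the string at 27 characters. Fortinet's IANA enterprise number 12356 and the sample MAC and strings are assumptions used only for illustration.

```python
"""RFC 2571 / RFC 3411 SnmpEngineID encoder and decoder (added example)."""

FORTINET_PEN = 12356  # assumption: IANA Private Enterprise Number of Fortinet
FMT_IPV4, FMT_IPV6, FMT_MAC, FMT_TEXT, FMT_OCTETS = 1, 2, 3, 4, 5
# Names follow the FortiOS engine-id-type keywords where one exists.
FMT_NAMES = {FMT_IPV4: "ipv4", FMT_IPV6: "ipv6", FMT_MAC: "mac",
             FMT_TEXT: "text", FMT_OCTETS: "hex"}
MAX_PAYLOAD = 27  # 32-octet engine ID maximum minus the 5-octet header


def build_engine_id(engine_id_type, value, enterprise=FORTINET_PEN):
    """Return the SnmpEngineID octets for engine-id-type text, hex or mac."""
    if engine_id_type == "text":
        payload, fmt = value.encode("ascii"), FMT_TEXT
    elif engine_id_type == "hex":
        payload, fmt = bytes.fromhex(value.replace(":", "").replace(" ", "")), FMT_OCTETS
    elif engine_id_type == "mac":
        payload, fmt = bytes.fromhex(value.replace(":", "").replace("-", "")), FMT_MAC
        if len(payload) != 6:
            raise ValueError("MAC address must be exactly 6 octets")
    else:
        raise ValueError(f"unknown engine-id-type {engine_id_type!r}")
    if not 1 <= len(payload) <= MAX_PAYLOAD:
        raise ValueError(f"value must be 1..{MAX_PAYLOAD} octets, got {len(payload)}")
    # High bit set in the first octet marks the RFC 2571 format; the remaining
    # 31 bits carry the enterprise number, followed by the format indicator.
    header = (0x80000000 | enterprise).to_bytes(4, "big")
    return header + bytes([fmt]) + payload


def parse_engine_id(raw):
    """Decode an engine ID into its enterprise number, format and value."""
    if not 5 <= len(raw) <= 32:
        raise ValueError("engine ID must be 5..32 octets")
    if not raw[0] & 0x80:
        # Older RFC 1910 style: 12 octets, no format indicator after the PEN.
        return {"enterprise": int.from_bytes(raw[:4], "big"),
                "format": "rfc1910", "value": raw[4:].hex()}
    enterprise = int.from_bytes(raw[:4], "big") & 0x7FFFFFFF
    fmt, payload = raw[4], raw[5:]
    if fmt == FMT_MAC:
        if len(payload) != 6:
            raise ValueError("MAC format requires exactly 6 octets")
        value = ":".join(f"{b:02x}" for b in payload)
    elif fmt == FMT_IPV4:
        if len(payload) != 4:
            raise ValueError("IPv4 format requires exactly 4 octets")
        value = ".".join(str(b) for b in payload)
    elif fmt == FMT_TEXT:
        value = payload.decode("ascii")
    elif fmt in (FMT_IPV6, FMT_OCTETS) or fmt >= 128:
        value = payload.hex()  # 128..255 are enterprise-specific formats
    else:
        raise ValueError(f"reserved format indicator {fmt}")
    return {"enterprise": enterprise,
            "format": FMT_NAMES.get(fmt, "enterprise-specific"),
            "value": value}


if __name__ == "__main__":
    # Sample values are constructed for this example.
    for kind, val in (("mac", "00:09:0f:aa:bb:cc"), ("text", "FGT-A"), ("hex", "de:ad:be:ef")):
        eid = build_engine_id(kind, val)
        print(f"{kind:4} {val:20} -> {eid.hex()}  {parse_engine_id(eid)}")
```

A wrong or changed engine ID is the usual reason SNMPv3 authentication fails after such a change, because the collector keys its localized authentication and privacy keys to it; decoding the ID the FortiGate advertises with `parse_engine_id` lets you confirm the format and enterprise number before chasing credential problems.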
Resolved issues:
Anti Virus
Bug ID | Description |
---|---|
705591 | When av-scan is enabled on the load end box, the FortiGate CPU hits 100% for over one minute. Such high CPU might cause WAD daemon signal 6 abort during that period. |
706454 | When AV and sandbox submission is enabled, /tmp/cdr is not cleaned after a scan when there are multiple concurrent sessions. |
707186 | Scanunit crashes with signal 11 when users attach files in the Outlook Web App. |
Data Leak Prevention
Bug ID | Description |
---|---|
709845 | DLP file pattern ID is still referenced by AV profile analytics-wl-filetype after FortiSandbox is disabled. |
DNS Filter
Bug ID | Description |
---|---|
715317 | Web filter service does not start properly when DNS filter is configured in a firewall profile group. |
Endpoint Control
Bug ID | Description |
---|---|
666426 | IPsec VPN does not have FCT client IP to send to EMS if using DHCP-over-IPsec. |
685549 | Need to check EMSC entitlement periodically inside fcnacd. |
707388 | When EMS has an offline status, most of the time the FortiClient de-registers from EMS and the client certificate will be empty in the web browser certificate store. |
Explicit Proxy
Bug ID | Description |
---|---|
681054 | Web proxy users are disconnected due to external resource update flushing the user even if they do not have an authentication rule using the related proxy address or IP list. |
697566 | Explicit proxy unable to access a particular URL (https://***.my.salesforce.com) after upgrading from 5.6.12 to 6.2.7. |
700451 | Wrong source IP used intermittently when FortiGate has SD-WAN and is transparently proxy forwarding to explicit proxy. |
706078 | Unable to access SSL exempt site with authentication TP proxy because certificate inspection does not learn the forward server object. |
708851 | When visiting a website for the first time in Firefox, the disclaimer page is shown and the webpage loads normally. When visiting a website for a second time, Firefox may take a few minutes to show the disclaimer and then another few minutes to load the webpage. |
716224 | In web proxy with transparent policy, the web filter rating fails when there is no SNI or CID. |
Firewall
Bug ID | Description |
---|---|
591721 | Viewing firewall shaping policy in the GUI will unset the traffic-shaper if class-id and traffic-shaper are both configured. |
595949 | Any changes to the security policy table causes the hit count to reset. |
644225 | Challenge ACK is being dropped. |
645010 | Misleading GUI error when policy lookup fails due to source IP route lookup. |
653137 | VIP object associated with SD-WAN member interface from omni-select list of destination addresses should not be filtered out. |
654356 | In NGFW policy mode, sessions are not re-validated when security policies are changed. |
681893 | Firewall policy Last Used information is different in the CLI and GUI. |
694154 | Dynamic traffic shapers are not consistent in their idle time limit. |
696619 | FGSP synchronized UDP sessions may be blocked in NGFW policy mode when asymmetric routing is used due to a policy matching failure. Other types of traffic may also be affected (such as TCP) in the case of failover of the reply direction traffic to a different FortiGate in the FGSP cluster. |
705402 | Server load-balancing on FortiGate is not working as expected when the active server is down. |
707659 | New ISBD object is not indicated in the GUI. |
707854 | FortiGate is not able to resolve FQDNs without DNS suffix for firewall address objects. |
708159 | Firewall policy is not applied correctly when using VNE tunnel interface with policy-based IPsec VPN. |
709832 | When there are multiple internet services configured that match a certain IP, port, or protocol, it may cause the wrong policy to be matched. |
714198 | When in transparent mode with AV and IPS, the original and reply direction traffic should be redirected only one time. |
714647 | Proxy-based policy with AV and web filter profile will cause VIP hairpin to work abnormally. |
716317 | IPS user quarantine ban event is marking the sessions as dirty. |
717170 | TCP MSS size for local traffic is not adjusted by the firewall policy. |
717802 | In transparent mode, a log has an irrelevant policyid . |
724145 | Expiration timer of expectation session may show a negative number. |
FortiView
Bug ID | Description |
---|---|
621453 | FortiGate cannot get detailed information on FortiClient vulnerabilities from FortiAnalyzer. |
683654 | FortiView pages with FortiAnalyzer source incorrectly display a Failed to retrieve data error on all VDOM views when there is a newly created VDOM that is not yet registered to FortiAnalyzer. The error should only show on the new VDOM view. |
712580 | When viewing FortiView Sources or Destinations, some usernames in the format of <DOMAIN\username> are displayed as DOMAIN\username. The user is displayed with a \ in the CLI. |
722543 | FortiView does not arrange FortiGuard quota based on highest to lowest value and vice versa. |
GUI
Bug ID | Description |
---|---|
585899 | SAML auto configuration does not take admin-sport into account. |
589231 | Get Invalid IP/Wildcard mask. warning when editing the address object in the GUI. |
602397 | Managed FortiSwitch and FortiSwitch Ports pages are slow to load when there are many managed FortiSwitches. |
610572 | If a guest user logs in via a WiFi portal while the administrator is actively editing the user’s account in the GUI, after the administrator clicks OK in the user edit dialog, the user’s current login session will not be subjected to the configured expiration time. The expiration time will be applied for the next login. |
645158 | When logging into the GUI via FortiAuthenticator with two-factor authentication, the FortiToken Mobile push notification is not sent until the user clicks Login. |
647431 | After removing an image name on the Replacement Messages Edit page, an image list should be displayed when hovering the mouse over the image URL link, but it is not. |
665597 | When set server-identity-check is enabled, Test User Credentials fails when performed on the CLI and passes when run from the GUI. The GUI implementation has been updated to match that of the CLI. |
674548 | When searching for a Firewall Policy, if the search keyword is found in the policy name and there are spaces adjacent to it, the search results will be displayed without the adjacent spaces. The actual policy name is not changed. |
674592 | When config ha-mgmt-interfaces is configured, the GUI incorrectly shows an error when setting overlapping IP address. |
676104 | Check mark for maximize bandwidth SD-WAN rule is not removed when member no longer meets SLA. |
676306 | httpsd has signal 6 and 11 crashes at cmf_query_create_child because of segfault in /api/v2/monitor/switch-controller/managed-switch/transceivers . |
686592 | GUI does not display statistical information on SD-WAN Performance SLA page. |
689392 | Port Errors counters for managed FortiSwitches show zero when the port actually shows errors. |
690666 | Enabling daylight saving time (DST) results in GUI and CLI system time differences when DST is active (end of March to end of October). |
691620 | Use Account Entitlement when checking for FSAC contract. |
695815 | When editing the external connector Poll Active Directory Server from the GUI, the Users/Groups option is always an empty value, even if there is an existing group configured. The workaround is to manage the option from the CLI. |
696226 | Network > Interfaces page is slow to load. |
696573 | Firewall policy is not visible in GUI when using set internet-service src enable . |
701442 | Cannot access GUI for FortiGate in FIPS-CC mode. |
701742 | Items added to Favorites are lost after a logout or reboot. |
702065 | After upgrading to 6.4.4, the RADIUS server with non-FortiToken two-factor authentication does not work in the GUI. |
703955 | When editing the WAF profile in the GUI, changes to the WAF default-allowed-methods are not committed. The CLI must be used. |
704209 | When updating the Disclaimer Page replacement message, if the message is too long, the Save button is disabled and a red warning displays the current buffer size compared to the allowed size. |
704503 | Routing monitor is slow to load or does not load when the user has a full routing table. |
704618 | When the login banner is enabled and the user is forced to log in again to the GUI (due to password change or enabling VDOMs), the user may see a Bad Gateway error. |
706340 | When editing a firewall policy, copying and pasting in the Comments field gives an error. |
706711 | When accprofile is set to fwgrp custom with all read-write permissions, some GUI menus will not be visible. Affected menu items include IP Pools, Protocol Options, Traffic Shapers, and Traffic Shaping Policy/Profile. |
706982 | Unable to edit interface address, get Bits of the IP address will be truncated by the subnet mask error. |
708121 | After a user creates or edits an SSID interface, the GUI incorrectly navigates to the interfaces list instead of SSIDs list. |
708211 | Administrators with VDOM scope cannot change their own password in the GUI. |
708467 | Cannot configure ZTNA to enable an IP or MAC filter type firewall policy to add ZTNA tag. |
709103 | Unable to edit interfaces in the GUI, and httpsd is spiking the CPU cores. |
709662 | Static route for IPsec VPN shows tunnel ID as a gateway and provides an unreachable error. |
710220 | Unable to download MIB files from FortiGate. |
710946 | Special characters not allowed in the OU field of a CSR signing request, from both the GUI and CLI. |
713148 | httpsd process has high CPU and memory usages, causing the unit to enter conserve mode. |
713580 | Non-FortiToken RADIUS two-factor authentication not working when logging into the GUI. |
715256 | When the Security Fabric Connection is enabled on a VPN interface, the DHCP Server section disappears from the GUI. |
715493 | httpsd consumes high CPU when loading a GUI page. |
716986 | GUI and REST API show incorrect reference count for web filter after adding and removing it from a policy. |
717405 | Tooltip for FortiSandbox Cloud shows status as Unreachable or not authorized. |
719620 | Interface page keeps loading when the administrator user has netgrp read-write permissions only and the interface contains an IPsec VPN. |
720006 | GUI always shows duplicate entry when trying to create a NAC dynamic address and other types of firewall addresses. |
HA
Bug ID | Description |
---|---|
659837 | The HA secondary cannot synchronize a new virtual switch configuration from the primary. |
670331 | Management access not working in transparent mode cluster after upgrade. |
678145 | GUI shows a warning icon that the cluster is out of sync although the cluster is in sync. |
692384 | High memory usage of hasync process on FGCP passive device. |
694646 | ICMP session cannot synchronize after the FortiGate where the session was first created reboots. |
697066 | When SLBC HA has a fast flip, there is a chance that the route will be deleted from the secondary when it changes to the primary. |
698732 | Copied policy set to Deny contains unneeded lines. |
703047 | hbdev goes up and down quickly, then the cluster keeps changing rapidly. hasync objects might access invalid cluster information that causes it to crash. |
703719 | hasync is busy when receiving ARP when there is a huge number of ARPs in the network. |
708928 | The set override disable setting changes to enabled on main virtual cluster after rebooting (flag of second virtual cluster remains disabled). |
709382 | Creating an aggregate interface in HA causes the VMAC resolution to fail. |
710236 | Heartbeat interfaces do not get updated under diagnose sys ha dump-by <group | memory> after HA hbdev configuration changes. |
711962 | Incorrect uptime value for HA secondary shown in the GUI. |
714113 | GRE configuration should not be synchronized in multi-AZ HA, but the system does not allow it to be added in the VDOM exception. |
714404 | Every UDP packet in the reply direction triggers the session state update synchronization, even if the session state did not change. |
715939 | Cluster is unstable when running interface configuration scripts. For example, when inserting many VLANs, hatalk will get a lot of intf_vd_changed events and recheck the MAC every time, which blocks hatalk from sending heartbeat packets for a long time so that the peer loses it. |
716216 | HA becomes out of sync when a backup device is updating the discarded duplicate BGP network table entry from the primary. |
717251 | In FGSP, session-sync-dev statistics of get system ha status disappear after reboot. |
717525 | FortiGate sends its serial number at the beginning of the file path via TFTP backup for CLI automation script or automation stitch when in the cluster. |
717785 | HA primary does not send anti spam and outbreak prevention license information to the secondary. |
721482 | CLI help text should not list FortiManager as an option for ha-direct . |
721720 | Performance degradation of session synchronization after upgrading. |
722284 | When there is a large number of VLAN interfaces (around 600), the FortiGate reports VLAN heartbeat lost on subinterface vlan error for multiple VLANs. |
Intrusion Prevention
Bug ID | Description |
---|---|
680501 | Destination interfaces are set to unknown for previous ADVPN shortcuts sessions. |
682071 | IPS signatures are not working with VIP in proxy mode. |
686301 | ipshelper CPU spikes when configuration changes are made. |
689259 | Flow-based AV scanning does not send specific extension files to FortiSandbox. |
721462 | Memory usage increases up to conserve mode after upgrading IPS engine to 5.00239. |
IPsec VPN
Bug ID | Description |
---|---|
578879, 676728 | IPsec tunnel bandwidth usage is not correct on the GUI widget and SNMP graph when NPU is doing host offloading. |
620907 | L2TP-over-IPsec tunnels frequently disconnect and hardly reconnect. CPU0 and CPU2 are at over 80%. |
642760 | Split tunnel is not working with L2TP IPsec VPN on Windows native VPN. |
673049 | FortiGate is not sending its external interface IP in the IKE negotiation (cloud platform). |
691718 | Traffic cannot pass through IPsec tunnel after FEC is enabled on server side if NAT is enabled between VPN peers. |
708590 | Framed IPv6 address is not used in IPsec or SSL VPN tunnels. |
708870 | After failover, the static tunnel interface’s remote IP static routes are missing on the new primary. |
708940 | When ADVPN with BGP has routing-protocol and link-down-failover enabled, establishing the ADVPN shortcut causes the BGP neighbor to flap and affects traffic. |
709850 | Duplicate IP assigned by IKE Mode Config due to static gateway being out of sync after HA flapping. The tunnel that is out of sync cannot receive the deletion from the hub and holds on to an IP that has already been released. |
710961 | Hub is dropping packets due to Failed to find IPsec Common after upgrading from 6.2.6 to 6.2.7. |
711072 | ADVPN using BGP cannot bring up second shortcut after first shortcut is established with net-device enabled. |
713763 | IPsec aggregate is not sending outbound ESP traffic on FortiOS 7.0. |
713839 | In a redundant mode IPsec aggregate, the first aggregate member is always used to output traffic even if it is down. |
714400 | Dynamic IKEv2 IPsec VPN fails to establish after adding new phase 2 with mismatched traffic selector. |
715070 | OCVPN configuration change in one member reloads the BGP configuration of all the OCVPN members. |
715651 | iked crashed when clients from the same peer connect to two different dynamic server configurations that are using RADIUS authentication. |
719655 | IPsec does not work in FG-VM after upgrading to 7.0. |
Log & Report
Bug ID | Description |
---|---|
708890 | Traffic log of ZTNA HTTPS proxy and TCP forwarding is missing policy name and FortiClient ID. |
710344 | Reliable syslog is sent in the wrong format when flushing the logs queued in the log daemon when working in TCP reliable mode. |
711946 | FortiAnalyzer cannot process the packet loss field in the log because the field has a % in it. |
722315 | System might generate garbage administrator log events upon session timeout. |
Proxy
Bug ID | Description |
---|---|
663088 | Application control in Azure fails to detect and block SSH traffic with proxy inspection. |
670339 | Proxy-based SSL out-of-band probe session has a local-out connection. Since the local-out session does not learn the policy route, all outbound connections fail if there is no static route to the destination. |
676419 | WAD crash at wad_async_queue in FOH connect case. |
683844 | In cases when WAD fails to resolve a firewall policy for the session, WAD crashes at wad_ssl_proxy_can_bypass() when a missed condition check allows the session to still pass through. |
700073, 714109 | YouTube server added new URLs (youtubei/v1/player, youtubei/v1/navigator ) that caused proxy option to restrict YouTube access to not work. |
700481 | Unable to authenticate to FTP server when firewall policy is set to proxy-based and AV is enabled. |
701513 | WAD encounters segmentation fault crash at wad_http_scan_engine__on_unblock. |
704323 | In IPS TCP proxy handover, the firewall policy tcp-mss-sender, tcp-mss-receiver, and interface tcp-mss settings are not used. |
706555 | WAD crashes at wad_ssl_port_p2s_set_server_cert. |
706556 | WAD crashes at wad_http_scan_safe_proc_msg. |
708514 | WAD crash at flush sec_profile after deleting VDOM. |
709623 | WAD crashes seen in user information upon user purge and during signal handling of user information history. |
714610 | Explicit proxy policy (ISDB and IP pool) cannot be set in the GUI or CLI. |
719681 | Flow control failure occurred while transferring large files when stream-scan was running, which sometimes resulted in WAD memory spike. |
724445 | Local TCP/853 is unexpectedly open as soon as any proxy mode inspection policy with UTM is enabled. |
726801 | When FortiGuard is updating, an external resource build might happen at the same time with other RAM consuming update operations, causing the system to enter conserve mode. |
728078 | Rating request does not always check cache. |
REST API
Bug ID | Description |
---|---|
597494 | REST API incorrectly returns error code 401 (authentication error) instead of 403 (authorization error) for requests that pass the authentication check but are not permitted to access the resource. |
710198 | /api/v2/monitor/system/available-interfaces takes over one minute for a response. |
713445 | For API user tokens with CORS enabled and set to wildcard *, direct API requests using this token are not processed properly. This issue impacts FortiOS version 5.6.1 and later. |
714075 | When CORS is enabled for REST API administrators, POST and PUT requests with body data do not work with CORS due to the pre-flight requests being handled incorrectly. This only impacts newer browser versions that use pre-flight requests. |
Routing
Bug ID | Description |
---|---|
579884 | VRF configuration in WWAN interface has no effect after reboot. |
670031 | LDAP traffic that originates from the FortiGate is not following SD-WAN rule. |
682455 | Checkmark is not shown beside the interface currently selected by the SD-WAN rules (Network > SD-WAN Rules page). |
688317 | Blackhole route to the gateway of policy route makes the PBR inactive/disabled. |
697645 | FortiGate deletes prefix-list configuration due to concurrent administrator SSH sessions. |
699122 | Issues with selecting an SD-WAN zone as an OSPF interface. |
701027 | No speed test button for PPPoE interface in GUI on Interfaces page. |
702463 | Security rating traffic does not follow SD-WAN rules. |
703782 | Traffic to FortiToken Mobile push server does not follow SD-WAN/PBR rules. |
705767 | SD-WAN rules are not working with route tags and VRF. |
706237 | ICMP Destination Host Unreachable responses are sent in reverse order. |
707143 | Suggest adding an option for NetFlow to use SD-WAN. |
707713 | Restore the change of routing code. |
708614 | Firewall policy rule with destination interface as virtual-wan-link cannot match traffic in some cases. |
710606 | Some static routes disappear from RIB/FIB after modifying or installing static routes by running a script in the GUI. |
712586 | SNAT sessions on the original preferred SD-WAN member will be flushed after the preferred SD-WAN member changes, so existing SNAT traffic will be interrupted. |
715274 | Enabling SD-WAN on interfaces with full BGP routes leads to device going into conserve mode. |
718950 | Local out routing does not work with PPPoE interface. |
719788 | Policy Routes GUI page does not show red exclamation mark when a source or destination is negated, like on Firewall Policy page. |
722343 | SD-WAN rule not matched with MAC address object and ISDB in policy. |
723550 | Load-balance service mode and maximize bandwidth (SLA) in SD-WAN rule does not work as expected in 7.0.0. |
723726 | BGP session drops between virtual wire pair with auto-asic-offload enabled in policy. |
724250 | Enabling preserve-session-route does not take effect in SD-WAN scenario. |
Security Fabric
Bug ID | Description |
---|---|
672218 | In multi-VDOM environment, when viewing logical topology under a specific VDOM view, the GUI incorrectly shows interfaces and devices from all VDOMs. |
685642 | Link to Login to FortiAnalyzer on Physical Topology page does not open, and FortiAnalyzer HTTPS is no longer configured on port 443. |
695040 | Unable to connect to vCenter using ESXi SDN connector with password containing certain characters. |
708172 | Automation stitch action does not work when trigger is an AV and IPS database update. |
714807 | Security rating two-factor authentication test shows as failed for IPsec and SSL VPN, but all users have two-factor authentication enabled. |
718469 | Wrong timestamp printed in the event log received in email from event triggered from email alert automation stitch. |
718581 | If HA management interface is configured, the Kubernetes connector fails to connect. |
719029 | Automation stitch action no longer understands %%log.date%% and %%log.time%% variables. |
722950 | Topology page is empty in robot Security Fabric setup. |
SSL VPN
Bug ID | Description |
---|---|
500664 | SSL VPN RDP bookmark not working with CVE-2018-0886. |
515519 | guacd uses 99% CPU when SSL VPN web portal connects to RDP server. |
542815 | SSL VPN web portal RDP connections to RDS session hosts fails. |
550819 | guacd is consuming too much memory and CPU resources during operation. |
586035 | The policy script-src 'self' will block the SSL VPN proxy URL. |
630068 | When SSL VPN SSH times out, SSH to SES will crash when SSH is empty. |
659581 | Google Maps and 2gis.ru page do not display the map at all in SSL VPN web portal. |
669707 | The jstor.org webpage is not loading via SSL VPN bookmark. |
671647 | Imported certificate cannot be used in IPsec tunnel only (-3: Entry not found). |
676333 | Unable to type accents using dead keys in RDP using Spanish keyboard layout over SSL VPN web mode in macOS. |
677031 | SSL VPN web mode does not rewrite playback URLs on the internal FileMaker WebDirect portal. |
677057 | SSL VPN firewall policy creation via CLI does not require setting user identity. |
677548 | In SSL VPN web mode, options pages are not shown after clicking the option tag on the left side of the webpage on an OWA server. |
677668 | sslvpnd crashes due to wrong application index referencing the wrong shared memory when daemons are busy. Crash found when RADIUS user uses Framed-IP. |
678757 | vCenter (*.be***.tld) page does not load in SSL VPN web mode. |
689465 | RDS redirect not working on SSL VPN web portal. |
693200 | Error when logging out SSL VPN bookmark website. |
693237 | DCE/RPC sessions are randomly dropped (no session matched). |
693347 | Forward traffic for SSL VPN with EMS tags dynamic address is failing apart from helper-based traffic. |
693519 | SSL VPN authentication fails for PKI user with LDAP. |
693718 | FortiClient SSL VPN users are unable to authenticate when zero-trust tag IP address is used as the host IP under limited access. |
694226 | SSL VPN web mode removes ant-tree components in HTML source. |
694346 | Report section of internal web server (https://lm***.lm***.au***.vw***/ar***/) is not accessible via the SSL VPN web portal. |
694671 | PDF files on internal web server, https://co***.ag***.em***.vw***:8443, are not opening in SSL VPN web portal. |
695404 | WALLIX personal bookmark issue in SSL VPN portal. |
695457 | JS error thrown when accessing HTTPS bookmark (mk***.ag***.cp***.vw***) via SSL VPN web portal. |
695763 | FortiClient iOS 6.4.5 has a new feature that allows bypassing of 2FA for SSL VPN 2FA. The FortiGate should allow access when 2FA is skipped on FortiClient. |
696533 | Certain URLs are not rewritten for bookmarked HTTPS external site http://www.sz***.hu. |
697551 | Unable to save record on internal website https://1**.1**.8*.3*/Login.jsp via SSL VPN web mode. |
701119 | SSL VPN DTLS tunnel could not be established in some cases when the tunnel link is still under negotiation. Some IP packets were sent to the client, causing the client’s logic to fail. |
704597 | Search option on internal website, kp***.kd****.ca, not working while accessing via SSL VPN web mode. |
705278 | DTLS SSL VPN connection cannot be established via FortiTester. |
705370 | Back-end server (va***.ra***.com.ar) is not working in SSL VPN web mode. |
706185 | OWA user details are not showing in SSL VPN web mode. |
708021 | SSO authentication to FortiMail webmail is not working using SSL VPN bookmark. |
708639 | Idle timeout does not send log out request to IdP for SAML login on SSL VPN portal. |
710163 | SSL VPN stuck loading https://el***.***-data.pl when wrong credential was entered. |
711503 | SSL VPN web mode access to internal web server http://10.2.1.78 is broken after upgrading to 7.0.0. |
711690 | QNAP NAS web page hangs on loading page after entering the credentials in SSL VPN web mode. |
711944 | POP3 authentication failed for SSL VPN. |
712880 | Windows Admin Center webpage (ge***.ov***) does not load correctly in SSL VPN web mode. |
714604 | SSL VPN daemon may crash when connection releases. |
714700 | SSL VPN proxy error in web mode due to requests to loopback IP. |
715928 | SSL VPN signal 11 crashes at sslvpn_ppp_associate_fd_to_ipaddr. For RADIUS users with Framed-IP using tunnel mode, the first user logs in successfully, then a second user with the same user name logs in and kicks the first user out. SSL VPN starts a five-second timer to wait for the first user resource to clean up. However, before the timer times out, the PPP tunnel setup fails and the PPP context is released. When the five-second timer times out, SSL VPN still tries to use the PPP context that has already been released and causes the crash. |
716622 | Due to change on samld side that increases the length of the SAML attribute name to 256, SSL VPN could not correctly parse the username from the SAML response when the username attribute has a long name. |
717193 | Website cannot be accessed in SSL VPN web mode. |
717382 | Website, co***.gob.pe, is not shown properly in SSL VPN web mode. |
718142 | The map integrated in the public site is not visible when using SSL VPN web mode. |
718159 | Webpage, http://10.3.24.8/ma***, is not displaying correctly in SSL VPN web mode. |
718170 | SSL VPN web portal does not show thumbnails of videos for an internal JS-based web server. |
718262 | Traffic cannot go through SSL VPN tunnel when a second user kicks first session off. |
719069 | iprope records for SSL VPN policies are removed after upgrading to 7.0.0 or during the reboot. |
720290 | Internal webpage, https://172.3**.***.164/ce***/, is not loading in SSL VPN web mode. |
721427 | Unable to load NetApp OnCommand Unified Manager webpages due to reloading loop in SSL VPN web mode. |
724830 | FortiGate sends authentication request to all RADIUS servers instead of only those in the default realm. |
726576 | Internal webpage with JavaScript is not loading in SSL VPN web mode. |
726641 | Unable to load pi***.vi***-ga***.org in SSL VPN web mode. |
Switch Controller
Bug ID | Description |
---|---|
647817 | Configuration changes on the FortiGate not taking effect on the FortiSwitch. |
682430 | Entry created in NTP under interface configuration after failing to enable FortiLink interface. |
699533 | In FortiOS 7.0.0, the default authentication protocol for a switch controller SNMP user is SHA256, as opposed to the default SHA1 in previous versions. |
702942 | FortiLink trunk is not formed on FortiSwitch connecting to FortiGate. When managed switches are learned on the software switch and hardware switch, they were deleted from the CLI, and fortilinkd did not clear the states for those switches so new switches were not learned. |
717506 | Unable to add description on shared FortiSwitch port. |
System
Bug ID | Description |
---|---|
568399 | FG-200E has np6lite_lacp_lifc error message when booting up a device if there are more than seven groups of LAGs configured. |
572038 | VPN throughput dropped when FEC is enabled. |
613947 | Redundant interface cannot pick up traffic if one member is down. |
627734 | Optimize interface dialog and configuration view for /api/v2/monitor/system/available-interfaces (phase 1). |
651626 | A session clash is caused by the same NAT port. It happens when many sessions are created at the same time and they get the same NAT port due to the wrong port seed value. |
664856 | A VWP named .. can be created in the GUI, but it cannot be edited or deleted. |
666418 | SFP interfaces on FG-330xE do not show link light. |
667307 | Console prints out NP6XLITE: np6xlite_hw_ipl_rw_mem_channel timeout message on SoC4 platforms. |
671332 | httpsd crashed after changing VDOM for interface. |
674616 | VDOM list is slow to load in GUI when there are many VDOMs configured on FG-3000D. |
683387, 711698 | Change WWAN interface default netmask to /32 and default distance to 1. |
686903 | DHCP option 121 as a client not working on FortiGate. |
687398 | Multiple SFPs and FTLX8574D3BCL in multiple FG-1100E units have been flapping intermittently with various devices. |
688009 | Update built-in modem firmware that comes with the device in order for the SIM to be correctly identified and make LTE link work properly. |
689317, 698927 | After pushing the interface configuration from FortiManager, the device index is incorrectly set to 0. |
690797 | Huawei E8372h-320 LTE modem does not receive IP on FG-30E. |
693757 | Secondary FG-5001D blades in SLBC cluster do not show updated contract dates. |
696550 | Mirroring of decrypted SSL traffic does not work in flow mode; if the receiving side is a VM machine, the receiver is unable to receive SSL decrypted packets. |
696556 | Support gtp-enhance-mode (GTP-U) on FG-3815D. |
696622 | FortiGate cannot get gateway from built-in LTE modem on all LTE capable FortiGate platforms. |
697287 | FOS 6.2.6 in FIPS mode with LB VIP and custom ciphers does not allow traffic through. |
698005 | In some environments, host-side DPDK affects the benchmark result. |
699358 | Cannot change FEC (forward error correction) on port group 13-16. |
699902 | SNMP query of fgFwPolTables (1.3.6.1.4.1.123456.101.5.1.2.1) causes high CPU on a specific configuration. |
700272 | ddnsd did not update the new IP address of dynupdate.no-ip.com, so it failed to connect to the DDNS server. |
700314 | ARP reply sent out by FortiGate but was not received on neighbor device. |
701911 | FortiGate entered conserve mode (service=kernel), possibly due to large number of log creation requests. |
702135 | cmdbsvr memory leak due to unreleased memory allocated by OpenSSL. |
703131 | Split-task VDOM does not update IPS/AV from ha-direct connected internal FortiManager. |
704981 | LLDP transmission fails if there are nested software switches. |
705878 | Local certificates could not be saved properly, which caused issues such as not being able to properly restore them with configuration files and causing certificates and keys to be mismatched. |
706131 | When processing visibility log requests and passively learning FQDNs and wildcard FQDN addresses at a high rate, the CPU usage of dnsproxy can reach 90% or higher. |
709513 | SD-WAN reports phantom packet loss. |
710807 | FGR-60F WAN1 and WAN2 fail to connect to the network due to board ID GPIO assignment being incorrect. |
710934 | FortiGate loses its DHCP lease, which is caused by the DHCP client interface turning into initial state (from that point dhcpcd will send out discover packets), but old IPs and router are still in the kernel, so it can reply to the ICMP request. That causes the customer’s DHCP server (a router) to fail to assign the only available IP in the pool. |
712203 | Memory leak happens in forticron process, if GUI REST API caching is enabled. |
712321 | Multiple ports flapping when a single interface is manually brought up. Affected platforms: FG-3810D and FG-3815D. |
712506 | 25G-capable ports do not receive any traffic. Affected platforms: FG-1100E and FG-1101E. |
712905 | Daylight saving time changes will not reflect for time zone 16. |
713324 | Command fails when running execute private-encryption-key <xxx>. |
714164 | SNMP times out or has slow response when SNMP queries FortiGate session table OIDs. |
714192 | diagnose sys bcm_intf cli "2:" and diagnose sys bcm_intf cli "ps" try to access a non-existent BCM switch, which leads to kernel panic. |
714256 | A softirq happened in an unprotected session read lock and caused a self-deadlock. |
714402 | FortiGate crashes after reboot (kernel BUG at drivers/net/macvlan.c:869). |
714711 | NP offloading is blocking backup traffic. |
714805 | FortiManager shows auto update for down port from FortiGate, but FortiGate event logs do not show any down port events when user shuts down the ha monitor dev. |
715043 | Guest Management page Expire column shows incorrect value for guest groups when set to expire after first login. |
715048 | When there is no PRP setting in the 6.4 configuration, after upgrading from 6.4 to 7.0, kernel panic happens after enabling PRP. |
715571 | config match command is not available in the user group configuration within the root VDOM when split-task VDOM is used. |
716483 | DNS proxy is case sensitive when resolving FQDN, which may cause DNS failure in cases where local DNS forwarder is configured. |
717203 | When a user changes a configuration in the CLI, cmdbsvr sends the auto update file to FortiManager at the same time. There is a timing issue that may cause the last command not to be sent to FortiManager, since cmdbsvr has finished sending the file but the last command is not yet stored in the auto update file. |
717791 | execute restore vmlicense tftp fails with tftp: bind: Address already in use. |
718322 | FortiGate sends an invalid configuration to FortiManager, which causes the FortiManager policy packages to have an unknown status. |
718501 | Problem resolving DNS TXT type queries with FortiGate. |
718571 | In cases where there are a lot of DHCP relay interfaces (such as 1000) and an interface is added or deleted, DHCP relay takes a long time to release and initialize all interfaces before it works again. |
721733 | IPv6 networks are not reachable shortly after FortiGate failover because an unsolicited neighbor advertisement is sent without a router flag. |
721789 | Account profile settings changed after firmware upgrade. |
722287 | The set key-outbound and set key-inbound parameters are missing for GRE tunnels under config system gre-tunnel. |
723491 | When ACME service is enabled on an interface, HTTPD responds to HTTP TRACE method with HTTP 200 OK. |
723643 | FortiGate NTP server cannot synchronize time for Linux client on IPv6. |
725934 | Running execute tac report or diagnose debug report via SSH leaves a tac_report* file in /tmp. |
Upgrade
Bug ID | Description |
---|---|
701571 | After upgrading from 6.4.5 to 7.0.0, all flow-based policies are switched to proxy if there is a SIP profile attached to the firewall policy. |
708250 | Console prints __set_clr_flag:wwan ioctl failed, flag:0x0200 errno:19 when upgrading from 6.4.5 to 7.0.0. |
710465 | Policy inspection mode gets changed to proxy after upgrading to 7.0.0. |
713724 | SD-WAN health check over IPsec interfaces no longer works if there is a specified gateway under the IPsec SD-WAN member. |
713878 | Under config system dns-database, the set type slave configuration in 6.4.5 does not change to set type secondary after upgrading to 7.0.0. |
716912 | SSH access may be lost in some cases after upgrading to 6.2.8, 6.4.6, or 7.0.0. |
User & Authentication
Bug ID | Description |
---|---|
688989 | Two-factor authentication can be bypassed with some configurations. |
697278 | SAML entity ID can only be entered in HTTP format, but as per standard should also support URN. |
698602 | LDAP query from GUI does work in non-management and non-root VDOM. |
698716 | RADIUS password encoding does not work. |
700838 | FortiOS does not prompt for token when using RADIUS and two-factor authentication to connect to IPsec IKEv2. |
704708 | Local CA certificate, Fortinet_CA_SSL, cannot be restored from saved configuration file after the FortiGate factory reset. |
707578 | If a certificate authentication job expires in fnbamd, an error is returned to caller that makes the proxy block client traffic. |
707868 | The authd daemon crashes due to invalid dynamic memory access when data size is over 64K. |
710212 | RADIUS accounting port is occasionally missing. |
712354 | Firewall policy does not allow multiple SAML users that reference the same SAML server. |
VM
Bug ID | Description |
---|---|
685782 | HTTPS administrative interface responds over heartbeat port on Azure FortiGate despite allowaccess settings. |
703457 | Password reset via Azure portal does not work in cases where the DependencyAgentLinux extension is installed. |
708768 | On FG-VM-AWS, secondary IPs are missing after failover event. |
710941 | FortiOS GUI shows Unable to connect to FortiGuard servers warning when offline license is being used. |
713279 | After rebooting a GCP FortiGate, it takes more than 30 to 40 minutes to come up and affects passthrough traffic during this period. |
714682 | GENEVE tunnel with loopback interface is not working. |
715750 | EIP information is not automatically updated after instance reboot. |
716161 | Azure HA failover encounters error when doing route failover. |
722227 | If the GCP SDN connector is using a batch API call to collect dynamic addresses and the individual API calls in the batch all fail, cmdbsvr daemon CPU usage will be high, which may cause the GUI to get stuck and be unable to make configuration changes. |
VoIP
Bug ID | Description |
---|---|
682983 | SIP ALG does not DNAT all IP addresses in the SIP response messages (route field). |
WAN Optimization
Bug ID | Description |
---|---|
702876 | FortiGate web cache does not work in proxy mode. |
Web Filter
Bug ID | Description |
---|---|
593203 | Cannot enter a name for the web rating override or save it due to name input error. |
723610 | Antiphishing LDAP domain verification is not matching credentials. |
WiFi Controller
Bug ID | Description |
---|---|
502080 | TARGET ASSERT error in WiFi driver causes kernel panic. |
529727 | The configured MAC address of the VAP interface did not take effect after rebooting. |
662615 | FG-80F series should support a total of 96 WTP entries (48 normal). |
645328 | Operating channel is 0 for both of the FAP radios (FAP-421E). |
676689 | RADIUS traffic not matching SD-WAN rule when using wpad daemon for wireless connection. |
685593 | Spectrum analysis graphs only present a portion of the data for monitor mode radio when X-Axis is MHz. |
693217 | Physical AP leave log messages showing reason="N/A". |
693973 | Captive portal/disclaimer is not shown for SSIDs not belonging to the default VRF. |
697058 | Unable to change AP state under rogue AP’s monitor page. |
698961 | FWF-60F/61F and FWF-40F encounter kernel panic (LR is at capwap_find_sta_by_mac) when one managed FortiAP is authenticating WiFi clients. |
699905 | FAP-421E does not come online over IPsec tunnel and shows a certificate error. |
703685 | VLAN-tagged CAPWAP traffic was dropped by NP6XLite FortiGate when FortiAP is connected through aggregate FortiLink FortiSwitch. |
709824 | Dynamic VLAN SSID traffic cannot pass through VDOM link when capwap-offload is enabled. |
709871 | After the firmware upgrade, the AP cannot register to the central WLC because NPU offload changed the source and destination ports from 4500 to 0. |
710759 | Automation trigger for rogue AP on wire sends email alerts for rogue AP not on wire. |
717227 | get wireless-controller wtp-status output shows only one AP entry. |
Known issues:
Application Control
Bug ID | Description |
---|---|
701926 | Stress test with application control only results in packet drops. |
Endpoint Control
Bug ID | Description |
---|---|
708545 | The WAD daemon is triggered to fetch the FortiClient information based on a ZTNA EMS tag enabled for checking in a proxy policy. It is then possible to get a ZTNA EMS tag in the firewall dynamic address and get the expected traffic control. |
730767 | The new HA primary FortiGate cannot get EMS Cloud information when HA switches over. Workaround: delete the EMS Cloud entry, then add it back. |
Firewall
Bug ID | Description |
---|---|
719311 | FortiGate is partially not showing policies after upgrading from 6.2.7. |
GUI
Bug ID | Description |
---|---|
677806 | State of IPsec tunnel interfaces that do not belong to the management VDOM show up in global view. |
685431 | GUI policy page takes around 30 seconds to load 24K policies. |
699508 | Administrator logout log does not reflect the correct timeout setting if the administrator closes the browser directly. |
701367 | Statistics of vcluster2 are not shown in the GUI. |
707589 | System > Certificates list sometimes shows incorrect reference count for a certificate, and incorrectly allows a user to delete a referenced certificate. The deletion will fail even though a success message is shown. Users should be able to delete the certificate after all references are removed. |
708947 | Policy dialogs (firewall, NAT46, NAT64, proxy) sometimes get stuck loading due to an error when generating a security rating report. Workaround: manually re-run the security rating report from the Security Fabric > Security Rating page. |
714304 | Firewall policies configured in the CLI can contain special characters (<, >, (, ), #, ', ") in the name, but these characters are invalid when configuring a policy in the GUI. |
720613 | Sometimes the event log is duplicated when downloaded from the GUI. |
720657 | Unable to set link local address in GUI. |
722832 | When LDAPS is configured with FQDN and a server identity check, all LDAP-related GUI pages do not work. The CLI and fnbamd are OK. |
HA
Bug ID | Description |
---|---|
694984 | Session count of UDP traffic gradually decreases on the secondary unit in a FGSP-TP cluster. |
695067 | When there are more than two members in a HA cluster and the HA interface is used for the heartbeat interface, some RX packet drops are observed on the HA interface. However, no apparent impact is observed on the cluster operation. Workaround: do not use the HA interface as a heartbeat interface. |
717788 | FGSP has problem at failover when NTurbo or offloading is enabled (IPv4). |
Intrusion Prevention
Bug ID | Description |
---|---|
669089 | IPS profile dialog in GUI shows misleading All Attributes in the Details field for filter entries with a CVE value. |
IPsec VPN
Bug ID | Description |
---|---|
668997 | Duplicate entry found error shown when assigning multiple dial-up IPsec tunnels with the same secondary IP in the GUI. |
699973 | IPsec aggregate shows as down on Interfaces, Firewall Policy, and Static Routes configuration pages. |
729879 | Static IPsec tunnel with signature authentication method cannot be established on FIPS-CC mode FortiGate because the certificate subject verification changes to RDN bitwise comparison based. |
730449 | SD-WAN service traffic will be interrupted after upgrading to 7.0.1 if all of the following conditions are matched in its 6.4.x configuration: Workaround: Before upgrading, update the hub and spoke configurations as follows: |
Proxy
Bug ID | Description |
---|---|
712584 | WAD memory leak causes device to go into conserve mode. |
REST API
Bug ID | Description |
---|---|
731136 | The following API has a change in response format, which may break backward compatibility for existing integration: New format results: Old format results: Note that only the response format is changed. The actual configuration restoration operation still works as before. The integration application should handle this new response format so it can return the correct response message back to the user. |
Security Fabric
Bug ID | Description |
---|---|
614691 | Slow GUI performance in large Fabric topology with over 50 downstream devices. |
726831 | Security rating for Local Log Disk Not Full reporting as failed for FortiGate models without log disks. |
Switch Controller
Bug ID | Description |
---|---|
723501 | When STP is enabled on a hardware switch interface, FortiLink loses its connection to FortiSwitch. |
System
Bug ID | Description |
---|---|
639861 | Support FEC (forward error correction) implementations in 10G, 25G, 40G, and 100G interfaces for FG-3400E and FG-3600E. |
644616 | NP6 does not update session timers for traffic IPsec tunnel if established over one pure EMAC VLAN interface. |
644782 | A large number of detected devices causes httpsd to consume resources, and causes low-end devices to enter conserve mode. |
675558 | SFP port with 1G copper SFP always is up. |
679035 | NP6 drops, and bandwidth limited to under 10 Gbps. |
683299 | Port group members have different speeds after the port speed is changed using a CLI script. |
685674 | FortiGate did not restart after restoring backup configuration. |
698003 | When creating a new administrator, the administrator profile’s reference is visible in other administrator accounts from different VDOMs. |
706686 | LAG interface between FortiGate and Cisco switch flaps when adding/removing member interface. |
710635 | GUI should hide the FortiGate Setup dialog if all setup steps are complete. |
713835 | The BLE pin hole behavior should not be applied on FG-100F generation 1 that has no BLE built in. |
721487 | FortiGate often enters conserve mode due to high memory usage by httpsd process. |
User & Authentication
Bug ID | Description |
---|---|
707057 | TACACS server traffic will not go through the specific interface from the GUI irrespective of the interface set under the TAC. |
725056 | FSSO local poller fails after recent Microsoft Windows update (KB5003646, KB5003638, …). |
VM
Bug ID | Description |
---|---|
689047 | ARM64-KVM has kernel panic. |
721439 | Problems occur when switching between HA broadcast heartbeat to unicast heartbeat and vice versa. |
729811 | ASG synchronization is lost between secondary and primary instances if the secondary instance reboots. Affected platforms: all public cloud VMs and KVMs. Workaround: run |
WAN Optimization
Bug ID | Description |
---|---|
728861 | HTTP/HTTPS traffic cannot go through when wanopt is set to manual mode and an external proxy is used. Workaround: set |
WiFi Controller
Bug ID | Description |
---|---|
700356 | CAPWAP daemon crashing due to IoT detection. |
719217 | Interface Bandwidth widget should exclude bridge VAP interface (and mesh VAP interface). |
Vendor release notes: FortiOS 7.0.1
Regards,
The B&B Team
Security in business