
Fortinet has released the latest update of FortiOS, version 7.2.8. This update fixes a problem with the Data Loss Prevention (DLP) function, which in previous versions did not block files such as VME and EXE. It also introduces key improvements to traffic isolation between virtual domains (VDOMs), which significantly improves security in network environments with multiple domains. Significant problems with unstable VPN connections and with the automatic establishment of IPsec connections have also been resolved, improving the reliability of remote access and secure communication. For a more detailed understanding of the changes and new features, we encourage you to read the detailed information in the release notes.


Supported devices:

FortiGate FG-40F, FG-40F-3G4G, FG-60E, FG-60E-DSL, FG-60E-DSLJ, FG-60E-POE, FG-60F, FG-61E, FG-61F, FG-70F, FG-71F, FG-80E, FG-80E-POE, FG-80F, FG-80F-BP, FG-80F-POE, FG-81E, FG-81E-POE, FG-81F, FG-81F-POE, FG-90E, FG-91E, FG-100E, FG-100EF, FG-100F, FG-101E, FG-101F, FG-140E, FG-140E-POE, FG-200E, FG-200F, FG-201E, FG-201F, FG-300E, FG-301E, FG-400E, FG-400E-BP, FG-401E, FG-400F, FG-401F, FG-500E, FG-501E, FG-600E, FG-601E, FG-600F, FG-601F, FG-800D, FG-900D, FG-900G, FG-901G, FG-1000D, FG-1000F, FG-1001F, FG-1100E, FG-1101E, FG-1500D, FG-1500DT, FG-1800F, FG-1801F, FG-2000E, FG-2200E, FG-2201E, FG-2500E, FG-2600F, FG-2601F, FG-3000D, FG-3000F, FG-3001F, FG-3100D, FG-3200D, FG-3200F, FG-3201F, FG-3300E, FG-3301E, FG-3400E, FG-3401E, FG-3500F, FG-3501F, FG-3600E, FG-3601E, FG-3700D, FG-3700F, FG-3701F, FG-3960E, FG-3980E, FG-4200F, FG-4201F, FG-4400F, FG-4401F, FG-4800F, FG-4801F, FG-5001E, FG-5001E1, FG-6000F, FG-7000E, FG-7000F
FortiWiFi FWF-40F, FWF-40F-3G4G, FWF-60E, FWF-60E-DSL, FWF-60E-DSLJ, FWF-60F, FWF-61E, FWF-61F, FWF-80F-2R, FWF-81F-2R, FWF-81F-2R-POE, FWF-81F-2R-3G4G-POE
FortiGate Rugged FGR-60F, FGR-60F-3G4G, FGR-70F, FGR-70F-3G4G
FortiFirewall FFW-1801F, FFW-2600F, FFW-3980E, FFW-4200F, FFW-4400F, FFW-4401F, FFW-4801F, FFW-VM64, FFW-VM64-KVM
FortiGate VM FG-ARM64-AWS, FG-ARM64-AZURE, FG-ARM64-GCP, FG-ARM64-KVM, FG-ARM64-OCI, FG-VM64, FG-VM64-ALI, FG-VM64-AWS, FG-VM64-AZURE, FG-VM64-GCP, FG-VM64-HV, FG-VM64-IBM, FG-VM64-KVM, FG-VM64-OPC, FG-VM64-RAXONDEMAND, FG-VM64-SVM, FG-VM64-VMX, FG-VM64-XEN
Pay-as-you-go images FOS-VM64, FOS-VM64-HV, FOS-VM64-KVM, FOS-VM64-XEN

Resolved issues:

Anti Virus

Bug ID Description
879946 An incorrect warning is shown for antivirus flow: Setting a proxy profile in a flow policy. Proxy features will not work.
948182 FortiSandbox side panel statistics shows only statistics for the root/management VDOM.
961077 Advanced Threat Protection Statistics dashboard is not increasing counters (AV).
993785 When changing the antivirus profile settings, the GUI shows an access denied error message.

Application Control

Bug ID Description
820481 For firewall policies using proxy-based inspection mode, some HTTP/2 sessions may be incorrectly detected as unknown applications.
952307 FG-400F sees increased packet loss when using an application list in the policy.

Data Loss Prevention

Bug ID Description
893697 DLP is not blocking VME video files.
914533 The DLP sensor does not block EXE files.
926592 Outlook cannot connect to the Exchange server once the DLP profile protocol is set to MAPI.

DNS Filter

Bug ID Description
907365 DNS proxy caches DNS responses with only one CNAME record.

Endpoint Control

Bug ID Description
979811 The ZTNA channel is not cleaned when overwriting old lls entries.

Explicit Proxy

Bug ID Description
901627 Explicit proxy and SD-WAN fail to match a policy if the destination has multiple zones set.
909328 Forward matching is applied to check the group name for SAML Authentication with Proxy Policy.
926178 Post-upgrade, explicit proxy policies may mismatch when an HTTP CONNECT request or TLS SNI of a HTTPS session partially matches to a policy with deep inspection enabled.
942612 Web proxy forward server does not convert HTTP version to the original version when sending them back to the client.
978473 Explicit proxy policy function issues when matching external-threat feed categories.
980752 Applications on the BOX cannot be started through proxy.
983897 Traffic that should not be matching a policy is incorrectly matching an allow policy or a deny policy.
997787 When accessing multiple destinations, received ERR_TOO_MANY_REDIRECTION error.

Firewall

Bug ID Description
667201 Moving a policy and then changing the view page will cause a blank grouping label to be displayed.
838535 Support matching by destination port when matching a central NAT rule if the protocols are TCP, UDP, or SCTP.
850175 When the UTM is enabled, NP7 NTurbo is not set properly, which causes the shaper to not guarantee the SIP traffic based on the class ID.
888957 The one-time schedule pre-expiration event log button is always set to disable.
898938 NAT64 does not recover when the interface changes.
907763 The diffserv-copy option in the config firewall policy command cannot be configured.
921658 SD-WAN IPsec egress traffic shaping is not working when traffic offloading is enabled on an NP7 unit.
925630 Unable to unset http-supported-max-version to start using HTTP/2.
950889 Session clashes occur when incoming traffic matches an expected session and undergoes SNAT, but the SNAT port is already occupied by another session.
951373 Traffic shaping does not match the correct queue for outbound traffic when the class-id range exceeds the [2, 7] limit, which applies to egress shaping.
952552 When using HTTP1, the TLS handshake from the proxy to the real server does not include the SNI.
953907 Virtual wire pair interface drops all packets if the prp-port-in/prp-port-out setting is configured under system npu-setting prp on FG-101F.
958311 Firewall address list may show incorrect error for an unresolved FQDN address. This is purely a GUI display issue; the FQDN address can be resolved by the FortiGate and traffic can be matched.
963071 Drops in multicast traffic, caused by a change in multicast routing (PIM), may occur at the start of multicast communication after upgrading.
969255 Firewall administrators with read-write access can create new Service entries, but cannot delete them.
970179 Unrelated route changes will cause the existing session to be marked dirty.
972473 WAD crashes when using load balancing with SSL offloading.
973388 TCP state of a session was not updated properly.
976713 A Hello Retry Request message is not sent from the FortiGate during an SSL offload by config firewall ssl-server.
977641 In transparent mode, multicast packets are not forwarded through the bridge and are dropped.
987397 When creating or editing an entry on the Policy & Objects > Virtual IPs page in the GUI, if a subnet source filter is added after an IP range source filter in the Optional Filters section, an error message – Invalid source filter IP address/subnet/range – is shown and the settings cannot be saved.

FortiGate 6000 and 7000 platforms

Bug ID Description
787604 Transceiver information is unavailable for FPM/FIM2 ports in the GUI.
886287 The IPsec ESP error log is generated with the wrong interface.
887946 UTM traffic is blocked by an FGSP configuration with asymmetric routing.
892600 IPv6 static route is removed from the management VDOM.
907695 The FortiGate 6000 and 7000 platforms do not support IPsec VPN over a loopback interface or an NPU inter-VDOM link interface.
910824 On the FortiGate 7000F platform, fragmented IPv6 ICMP traffic is not load balanced correctly when the dp-icmp-distribution-method option under config load-balance is set to dst-ip. This problem may also occur for other dp-icmp-distribution-method configurations.
910883 The FortiGate 6000s or 7000s in an FGSP cluster may load balance FTP data sessions to different FPCs or FPMs. This can cause delays while the affected FortiGate 6000 or 7000 re-installs the sessions on the correct FPC or FPM.
933541 IPv4 DNS/ICMP fragment traffic testing issues occur even when ip-reassembly is disabled on the NPU.
937879 FortiGate-7000F chassis with FIM-7941Fs cannot load balance fragmented IPv6 TCP and UDP traffic. Instead, fragmented IPv6 TCP and UDP traffic received by the FIM-7941F interfaces is sent directly to the primary FPM, bypassing the NP7 load balancers. IPv6 ICMP fragmented traffic load balancing works as expected. Load balancing fragmented IPv6 TCP and UDP traffic works as expected in FortiGate-7000F chassis with FIM-7921Fs.
938475 Memory usage issue occurs when multiple threads try to access a VLAN group.
939119 Statistics displayed in the Session Rate dashboard widget do not match the statistics displayed from the command line.
939171 The Global Sessions value does not match the CLI output.
941944 CPU usage data displayed in the FortiGate 6000 GUI is actually CPU usage data for the management board. CPU usage data displayed in the FortiGate 7000 GUI is actually the CPU usage for the primary FIM.
941971 Dashboard widgets for CPU, Memory, Session, and Session Rate show usage as 0% on root and non-root VDOMs.
946943 On 6K and 7K platforms, the management VDOM GUI should not show the WiFi & Switch Controller menu.
947570 In an FGCP cluster, the secondary unit cannot reply to the SNMP query while using the management IP.
948750 When EMAC VLAN interfaces are removed spontaneously from the configuration, TCP traffic through their underlying VLAN interface fails.
949175 On the FortiGate 7121F, with FIM2 as the primary FIM, making FIM1 the primary causes NP7 PLE invalidation.
949240 SLBC special ports do not match the local-in policy’s management path.
954862 Graceful upgrade from 7.0.12 to 7.2.6 or 7.2.7, or from 7.0.12 to 7.4.2 or 7.4.3 will fail on the FortiGate 6501F/6500F, FortiGate 7060E with slot6 occupied, and FortiGate 7121F with slot12 occupied.
973407 FIM installed NPU session causes the SSE to get stuck.
978241 FortiGate does not honor worker port partition when SNATing connections using a fixed port range IP pool.

FortiView

Bug ID Description
941524 On the FortiView Web Sites page, the Category filter does not work in the Japanese GUI.

GUI

Bug ID Description
848660 Read-only administrator may encounter a Maximum number of monitored interfaces reached error when viewing an interface bandwidth widget for an interface that does not have the monitor bandwidth feature enabled.
872063 The VLAN ID cannot be changed in the GUI.
894499 The FortiGate GUI displays only the most recent 100 entries on CRL view.
930960 GUI pages that use the security rating fail to load on an iPhone.
934644 When the FortiGate is in conserve mode, node process (GUI management) may not release memory properly causing entry-level devices to stay in conserve mode.
943949 The GUI does not allow parentheses, (), to be used in the interface description.
945221 The GUI does not show any transceiver information until running get system interface transceiver in the CLI.
954356 When connected to the FortiGate GUI on a mobile phone, the table content on some pages like Network > Interfaces, Policy & Objects > Firewall Policy, and WiFi & Switch Controller > Managed FortiSwitches is cut off.
955836 The firewall users widget is missing the Show all FSSO Logons button.
961576 GUI issue when moving a policy between groups.
963028 The Forward Traffic page does not show device inventory information.
964386 GUI dashboards show all the IPv6 sessions on every VDOM.
969101 Managed FortiAP-s page is not loading for non super-admin users.
972887 The interface firewall object created automatically is not found by a firewall policy search with IP address.
975403 On the System > Replacement Messages page, the ? is removed from custom replacement messages.

HA

Bug ID Description
871636 HA configuration synchronization packets (Ethertype 0x8893) are dropped when going through VXLAN.
904117 When walking through the session list to change the ha_id, some dead sessions could be freed one more time.
912665 FGCP primary-secondary cluster only uses one session-sync-dev, in spite of having multiple session-sync-dev.
916286 The execute ha failover set <vcluster number> command only supports two vclusters, even when multiple vclusters exist.
922435 Interfaces for the root VDOM are displayed in the GUI when different VDOM is selected on the HA secondary.
924671 The management interface of an FG-200F in HA is not responding after a reboot.
925269 Configuration is out of sync when external feed connectors are applied to a policy.
931965 Do not automatically enable LLDP transmission on an HA management port with LLDP reception enabled.
937246 An error condition occurred while forwarding over a VRRP address, caused by the creation of a new VLAN.
949352 The user.radius checksum is the same in both HA units, but the GUI shows a different checksum on the secondary and the HA status is out of sync.
950868 Traffic is not forwarded on L2 peer to keep FGSP with an available L2 connection.
951292 Newly added webfilter profiles are not visible in the GUI of the secondary HA device.
953167 Access to console and SSH is lost due to a specific configuration.
954098 The set auto-firmware-upgrade disable setting is not synchronized between FGCP members.
955555 Unexpected traffic flow occurs after FGSP is enabled between clusters.
962491 Some long lasting TCP established sessions expire on the HA secondary unit earlier than on the primary unit.
962681 In a three member A-P cluster, the dhcp lease list (execute dhcp lease-list) might be empty on secondary units.
971075 The last interface belonging to the management VDOM (not root VDOM) is not displayed when accessing ha-mgmt-interface.
972163 Under heavy traffic, some sessions are not fully synchronized to the FGCP secondary unit.
972896 No configuration error when restoring a configuration with incorrect config firewall wildcard-fqdn custom entries, resulting in an HA-unsync status.
974749 TCP/SCTP sessions count mismatch in an HA pair in A-P mode.
985237 Output is missing from the diagnose sys ha vlan-hb-monitor command.

Hyperscale

Bug ID Description
949188 With NAT64 HS policy, ICMP reply packets are dropped by FortiOS.
950582 Traffic does not pass across the VDOM link.
958066 Observed TCP sessions timing out with a single hyperscale VDOM configuration after loading image from BIOS.
984852 The HA/AUX ports are not enabled on boot up when using the NPU path option.

Intrusion Prevention

Bug ID Description
782966 IPS sensor GUI shows All Attributes in the filter table when IPS filters with default values are selected in the CLI.
862830 [?Q?ci_" sekret=] causes the parser to create a new field, "sekret=".
882593 HTTPS traffic slows when IPS with NTurbo is used over a virtual wire pair.
907259 High CPU usage due to the IPS engine, causing high latency on the network.
923393 IPS logs show incorrect source and destination IP addresses and policy IDs, and the ports are zeros.
949662 Interface policy logs show the external facing IP instead of the actual source.

IPsec VPN

Bug ID Description
564920 IPsec VPN fails to connect if ftm-push is configured.
852051 Unexpected condition in IPsec engine on SoC4 platforms leads to intermittent IPsec VPN operation.
897867 IPsec VPN between two FortiGates (100F and 60F) experiences slow throughput compared to the available underlay bandwidth.
898757 Support IKEv2 split DNS mode-cfg (RFC 8598).
898961 diagnose traffictest issues with dynamic IP addresses and loopback interfaces.
914418 File transfer stops after a while when offloading is enabled.
920725 IPsec tunnels that have external DHCP services for IP assignment have an extra selector added after upgrading to 7.0.11.
922064 Firewall becoming unresponsive to DPD/IKE messages, causing IPsec VPNs to drop.
926002 Incorrect traffic order in IPsec aggregate redundant member list after upgrade.
942495 IKEv2 connection issue related to the order of policies using different user groups.
945367 Disabling src-check (RPF) on the parent tunnel is not inherited by ADVPN shortcuts.
945873 Inconsistency of mode-cfg between phase 1 assigned IP address and destination selector addition.
950012 IPsec tunnels stuck on NP6XLite spoke drop the ESP packet.
950445 After a third-party router failover, traffic traversing the IPsec tunnel is lost.
951765 Shortcut created from parent tunnel interface does not inherit MSS value and may face fragmentation.
954911 IPv6 firewall address IP prefix object is invisible on accessible networks in the GUI.
957412 Authentication fails since the EAP proxy cannot get groups by the hostname of FortiGate in the NAS-ID RADIUS attribute.
960212 IPsec traffic is unidirectional when vpn-id-ipip and offloading are enabled, and the tunnel VRF is greater than 63.
961305 FortiGate is sending ESP packets with source MAC address of port1 HA virtual MAC address.
965915 After an HA failover, static gateway IPsec routing fails.
966085 IKEv2 authorization with an invalid certificate can cause tunnel status mismatch.
968218 When the IPsec tunnel destination MAC address is changed, tunnel traffic may stop.
982599 When a NAT port is changed between two static IPsec endpoints, the new port cannot be applied on the tunnel.
996625 Unable to create a FortiClient dial-up VPN with certificate authentication because a peer CA certificate cannot be selected.

Limitations

Bug ID Description
961992 The buffer and description queue limitation of Marvell switch ports causes a performance limitation.

Log & Report

Bug ID Description
864111 An internal error occurs on the FortiCloud Report page when a Japanese report name is too long.
903841 When an administrator login fails, the event log shows that the login was successful.
920376 Content disarm and reconstruction (CDR) files are not consistent in the log view.
929269 After disabling an event under the event filter, the system events summary page still shows event logs for that event.
932537 If Security Rating is enabled to run on schedule (every four hours), the FortiGate can unintentionally send local-out traffic to fortianalyzer.forticloud.com during the Security Rating run.
945287 Cloud logging settings are not retained when the FortiGate language setting is Japanese.
950768 When a GUI login fails due to exceed_limit, logged in successfully appears in the system event log.
952509 The UUID is used instead of the external resource name in the Threat feed updated system event log.
954565 Although there is enough disk space for logging, IPS archive full message is shown.
960661 FortiAnalyzer report is not available to view for the secondary unit in the HA cluster on the Log & Report > Reports page.

Workaround: view the report directly in FortiAnalyzer.

961244 Icons in logs evaluations and policies are no longer displayed.
965247 FortiGate syslog format in reliable transport mode is not compliant with RFC 6587.
967692 The received traffic counter is not increasing when the traffic is HTTPS with webfilter.
987261 In the webfilter content block UTM log in proxy inspection mode, sentbyte and rcvdbyte are zero.

Proxy

Bug ID Description
727629 An error case occurs in WAD while handling the HTTP requests for an explicit proxy policy.
790426 An error case occurs in WAD while redirecting the web filter HTTPS sessions.
806556 Unexpected behavior in WAD when the ALPN is set to http2 in the ssl-ssh-profile.
828917, 919781 Unexpected behavior in WAD when there are multiple LDAP servers configured on the FortiGate.
837095 WAD daemon runs high with many child processes and is not coming down after configuring 250 CGN VDOMs.
845361 A rare error condition occurred in WAD caused by compounded SMB2 requests.
863132 Proxy mode inspection is slow when testing a single TCP stream from fast.com, which causes bandwidth slowness on FG-100F and FG-200F devices.
901296 An error case occurs in WAD while handling the HTTP requests for an explicit proxy policy.
940149 Inadvertent traffic disruption caused by WAD when it receives an HTTP2 data frame payload on a dead stream.
947814 Too many redirects on TWPP after the second KRB keytab is configured.
954104 An error case occurs in WAD when WAD gets the external authenticated users from other daemons.
965966 An error condition occurred in WAD due to heavy HTTP video traffic when using a video filter profile with deep inspection enabled.
915404 Proxyd did not account for all RFC-compliant SMTP pipelining cases.
922286 WAD traffic to globalvideoquery.fortinet.net does not follow the FortiGuard interface-select-mode.
955990 Captive portal reappears repeatedly in the browser after importing user credentials.

REST API

Bug ID Description
944723 The /firewall/vip API does not recognize custom SSL cipher suites.
951384 API responses for PBR provide an incorrect value if address groups are used in PBR.
951411 Inconsistent handling of web filter profile actions in API transactions.
964424 REST API GET /ips/sensor/{name} adds extra space to locations, severity, protocol, os, and application field values.

Routing

Bug ID Description
792512 The dashboard Session widget cannot display the correct IPv6 session count per VDOM.
852498 BGP packets are marked with DSCP CS0 instead of CS6.
888210 The GUI takes three minutes to load 4000 TWAMP health-checks.
890954 The change of an IPv6 route does not mark sessions as dirty nor trigger a route change.
897666 Issue with SD-WAN rule for FortiGuard.
926525 Routing information changed log is being generated from secondary in an HA cluster.
928152 FortiGate generates two OSPF stub entries for the same prefix after upgrading from 6.4 to 7.0.
930749 IPv6 traffic was no longer forwarded according to route list and neighbor-cache list after upgrading from 7.2.4 to 7.2.5.
932092 API call returns recursive next-hop for the gateway address.
934273 Support GR helper mode (peer) for BGP.
934803 Synchronized kernel VPNv4 routes are not used in an HA failover.
935370 SD-WAN performance SLA tcp-connect probes clash with user sessions.
935886 SD-WAN packet duplication feature in force mode suddenly stops duplicating and starts to duplicate again once the FortiGate is rebooted.
938500 Status of OSPF adjacency is Loading on spokes while Full on the hub side.
943333 When SD-WAN health-check is configured, the IPv6 interface IP address of shortcut fails to be pinged.
952908 Locally originated type 5 and 7 LSAs’ forward address value is incorrect.
954100 Packet loss status in SD-WAN health check occurs after an HA failover.
957627 Learned BGP through routes are not withdrawn on the spoke after the EBGP neighborship is down between the hub and third party device.
964182 IPsec traffic with vpn-id-ipip is egressing with the wrong VRF when offloading is enabled.
965752 After HA monitored interface fails over, SD-WAN intermittently does not follow route-map-preferable.
969671 GRE tunnel is stuck using a non-existing devindex.
974921 When creating or editing a rule on the Network > Routing Objects page, if the weight is set to 0 the changes are not saved.
977215 SD-WAN health check with state = dead moves between 100% and 0% packet loss while the state stays the same.
978204 BFD/BGP dropping when outbandwidth is applied.
985539 SD-WAN health check logs are not generated for ADVPN shortcuts.
989840 Issue with PIM neighborship over an IPsec tunnel with NP offload.

Security Fabric

Bug ID Description
876588 External Connectors can cause a FortiGate internal error when the configuration name has invalid characters.
902344 When there are over 30 downstream FortiGates in the Security Fabric, the root FortiGate’s GUI may experience slowness when loading the Fabric Management page and prevents the user from upgrading firmware in the GUI.
907819 Advanced GCP connector does not resolve if one element does not exist.
908489 When one of the downstream FortiGate VM’s license is invalid, the root FortiGate will be automatically logged out from accessing the Firmware & Registration page.
920391 Non-management VDOM is not allowed to set a source-ip for config system external-resource.
938980 HTTP 400 errors observed using SDN connector to query AKS clusters if local administrator is disabled.
947634 Security Fabric widget shows the serial number instead of the hostname for a secondary FortiGate in HA.
950624 Renaming conflicted Fabric objects on the root FortiGate does not synchronize the changed Fabric objects to the downstream FortiGate.
956423 In HA, the primary unit may sometimes show a blank GUI screen.
966740 Security rating Last Ran displays incorrect values.
968585 The automation stitch triggered by the FortiAnalyzer event handler does not work as expected.
968621 Erroneous memory allocation resulting in unexpected behavior in csfd after upgrading.
975393 Security Fabric messages change after upgrading.
976049 The external threat feed connection status is Unavailable in a non-VDOM enabled FortiGate.
980595 When there are about 40 or more extension devices connected to the Security Fabric, the Security Fabric > Fabric Connectors page is slow and unresponsive.
985198 The IP address threat feed connection status indicates an Other Error.
988526 Address object changes from the CLI of the root FortiGate in Security Fabric are not synchronized with downstream devices.

SSL VPN

Bug ID Description
821240 sslvpnd signal 11 failure due to an attempt to read out-of-bounds memory.
830068 SSL VPN stops listening on IPv6 interface after a reboot.
879329 Destination address of SSL VPN firewall policy may be lost after upgrading when dstaddr is set to all and at least one authentication rule has a portal with split tunneling enabled.
896492 When using RDP bookmarks in SSL web mode, some keys stopped working.
898889 The internal website does not load completely with SSL VPN web mode.
926612 The SSL VPN log shows users having been disconnected from SSL VPN for unknown reason.
929001 An invalid user name entered in FortiClient could cause two factor PKI user login to crash sslvpnd after the client certificate checking passed.
930275 Firewall policy is not allowing the all destination address with a split-tunneling portal.
950157 SSL VPN connected/disconnected endpoint event log can be in the wrong sequence.
952860 During a handshake when FortiClient sends a larger-than-MTU hello message, the packet is fragmented by IP layer and dropped by the FortiGate.
957406 OS checklist for SSL VPN in FortiOS does not include macOS Sonoma 14.
965482 FortiGate 200F experiences poor performance due to Marvell switch HOL mode.
981310 Multiple SSL VPN disconnections triggered by sslvpnd failure.

Switch Controller

Bug ID Description
703374 Long DAC-type cable is added to default media type on 10G port on FG-100F.
816790 Console printed DSL related error messages when disconnecting the managed FortiSwitch and connecting to the FortiGate again.
818116 When changing the FortiSwitch FortiLink port status, the configuration is not applied to the FortiSwitch.
899414 The WiFi Maps and FortiSwitch Clients menus in the GUI show the LACP interface with red down arrows when the LACP interfaces are up.
904834 FortiGate and FortiManager have different definitions for the value of poe-detection-type on S108EF platform.
911232 The security rating shows an incorrect warning for unregistered FortiSwitches on the Managed FortiSwitches page.

Workaround: navigate to the Diagnostics & Tools pane of the FortiSwitch to see the correct registration status.

937065 An exported FortiSwitch port is not correctly showing up/down status.
949377 NAC policy cannot match the MAC address with a specific VLAN. The NAC policy needs to be deleted and re-created for it to work again.
950379 The diagnostics of online FortiAPs shows Link Down in the trunk port Connected Via field when the FortiAP has an LACP connection to a FortiSwitch.
984404 After upgrading to version 7.4.2, the FortiSwitch shows as not registered in the GUI.
989015 The SWC switch port does not have all of the speed options compared to FortiSwitch.

System

Bug ID Description
733096 FG-100F HA secondary’s unused ports flap from down to up, then to down.
754970 HPE does not enforce a limit on fragmented packets sent to the CPU when ip-reassembly is enabled.
763739 On FG-200F, the Outbound bandwidth in the Bandwidth widget does not match outbandwidth setting.
801481 Download speed issue through WAN configured with PPPoE on FortiGate.
828557 FortiGate as DHCP relay is not showing a DHCP decline in the debugs when there is an IP conflict in the network.
846399 Add 100G speed option for FG-180xF for ports 37, 38, 39, and 40. Upon firmware upgrade, existing port speed configurations are preserved.
855515 Hardware csum failure message keeps repeating on Azure 7.0.8.
859393 SNMP poll for fgExplicitProxyRequests returns 0.
861661 SNMP OID 1.3.6.1.2.1.4.32 ipAddressPrefixTable is not available.
861962 When configuring an 802.3ad aggregate interface with a 1 Gbps speed, the port’s LED is off and traffic cannot pass through. Affected platforms: 110xE, 220xE, 330xE, 340xE, and 360xE.
867428 Add check to skip invalid names when creating a VDOM.
880271 Aggregate interface (LAG) dropping traffic.
882131 PPPoE interface with SFP does not recover after a connectivity failure.
882187 FortiGate enters conserve mode in a few hours after enabling UTM on the policies.
883606 FortiOS allows customers to enable or disable the INDEX extension that appends the VDOM or interface index in RFC tables.
885057 Add 100G speed option on the FortiGate 1800F.
888941 Some sessions are still reported as offloaded when auto-asic-offload is disabled.
892478 Interface release from cmdb and iprope keep updating when DHCP client renewal fails.
893143 SFP interfaces that are set to 1000auto are not negotiating on the secondary device.
907657 FortiGate does not perform a disk scan automatically when autorun-log-fsck is enabled.
910364 CPU usage issue in miglogd caused by constant updates to the ZTNA tags.
910651 On FG-600F, all members are up but the LACP status is showing as down after upgrading.
910829 Degraded traffic bandwidth for download passing from 10G to 1G interfaces.
911906 Enable auto-upgrade by default on the FortiGate 40F and 40G.
912092 FortiGate does not send ARP probe for UDP NP-offloaded sessions.
915585 Optimize memory usage, which causes the SLAB memory to increase, in kernel 4.19.
916493 Fail detection function does not work properly on X1 and X2 10G ports.
917827 Delay sending LACPDU in kernel 4.19.
919901 For FIPS-CC mode, the strict check for basic constraints should be removed for end entity certificates.
920349 Connectivity was lost after creating new VDOM and NPU_VLINK.
923473 Sometimes, the configuration cannot be backed up to an FTP server.
925647 Memory usage issue caused by repetitive log messages. Affected platforms: FG-100xF.
926817 Review the temperature sensor for the SoC4 system.
929135 Interactive CLI commands, like purge, cannot be cut and pasted into the console and exit the script. The purge command in a console PuTTY session stops and waits for a y confirmation.
929896 Unable to configure a 9600 baud-rate on DNP3-Proxy.
930803 Unable to monitor DSL parameters and the get sys dsl status command shows errors.
931167 IPv6 suffixes configured on an interface are not reflected after a reboot.
931299 When the URL filter requests the FortiGuard (FGD) rating server address using DNS, it will try to get both A (IPv4) and AAAA (IPv6) records.
931604 The FortiGate checksum changes and the FortiManager Backup Mode device status becomes out-of-sync.
937982 High CPU usage might be observed on entry-level FortiGates if the cache size reaches 10% of the system memory.
938174 ARP issue with VXLAN over IPsec and Soft Switch.
938449 In the 4.19 kernel, when a neighbor’s MAC is changed, the session and IPsec tunnel cannot be flushed from the NPU.
938981 The virtual server http-host algorithm is redirecting requests to an unexpected server.
939935 High CPU usage caused by DHCP packets.
939947 FG-1100E SFP interface of port 23 and 24 with transceiver status is down after upgrading.
940504 Loading of the Toss Bank application is delayed or gets stuck on iPhones with hyperscale CGNAT (NAT64).
943033 Enabling vdom-dns causes the VDOM DNS certificate to be blank instead of the default value.
943090 The buffer and descriptor queue limitation of the Marvell switch port causes a performance limitation.
943615 When cmdbsvr receives a request to update the version number, it also receives a copy of the query, but this copy is not freed.
943948 FortiGate as L2TP client is not working with Cisco ASR as L2TP server.
945426 FortiGate ports are not in a configured state after the connected switch reboots.
945871 DNAT does not work on software switch in explicit mode.
946413 Temperature sensor value missing for FG-180xF, FG-420xF, and FG-440xF platforms.
946714 Unexpected reboot caused by a rare error condition for FG-VM.
947127 Kernel TCP sessions do not time out after receiving a legitimate RST, and the system goes into conserve mode.
947240 FortiGate is not able to resolve ARPs of a few hosts because their ARP replies do not reach the primary FPM.
948460 Enabling NP7 offloading is causing packet drops when using a shaping profile.
948490 Changing address object setting triggers a 30 second CPU usage spike.
949481 The tx_collision_err counter in the FortiOS CLI keeps increasing on both 10G SFP+ X1 and X2 interfaces.
950010 Alarm observed for high PECI temperature despite less CPU activity.
952284 A FortiGate with 2G of memory enters conserve mode when a node uses 20% of the memory.
954529 The diagnose npu sniffer stop command can lead to a traffic outage.
955021 When signal 11 is sent to httpsd process using diagnose sys kill 11 <PID>, httpsd does not restart. The GUI displays a Service unavailable message. GUI access can be restored by rebooting the device.
955074 MSS clamping is not working on VXLAN over IPsec after upgrading.
955798 Interface LED from panel indicates the wrong status.
956391 On FG-10xE, when using ports 13 to 16 as virtual switch LAN ports, auto speed is not supported.
956413 FG-1101E ports with AVAGO AFBR-5710PZ transceiver failed to come up after upgrading.
957147 FortiGate as DNS server does not resolve domains in the local database on new VDOM.
957714 Memory usage issue occurs when multiple threads try to access a VLAN group.
957846 High CPU usage caused by DHCP packets.
958157 The GeoIP file should close appropriately after opening or using mmap to share memory.
960563 An error condition occurred in the kernel caused by a rare condition while using the GRE tunnels.
960643 IP addresses with an expired quarantine period might not be removed from quarantine.
960707 Egress shaping does not work on NP when applied on the WAN interface.
962153 A port that uses a copper-transceiver does not update the link status in real-time.
963597 Multiple configuration settings are missing after restoring the VDOM.
963600 SolarWinds is unable to negotiate encryption: no matching host key type found.
964465 Administrator with read-write permission for WiFi and read permission for network configuration cannot create SSIDs.
966187 Unable to set a static ARP entry on the EMAC VLAN interface.
966761 SNMP OID 1.3.6.1.2.1.4.34.1.5 ipAddressPrefix is not fully implemented.
967171 The speed 1000auto setting on ports X1 to X4 disappears after upgrading from 7.2.5 to 7.2.6. Affected platforms: FG-40xF and FG-60xF.
968134 FortiGate 200F experiences poor performance due to Marvell switch HOL mode.
969230 FEC does not take effect on X5 – X8 ports when running at 25G ULL mode on FG-601F.
971404 Session expiration does not get updated for offloaded traffic between a specific host range.
975496 FortiGate 200F slow download and upload speeds when traversing from a 1G to a 10G interface.
977231 An error condition occurred in fgfm caused by an out-of-band management configuration.
977740 Transparent-mode VDOM system switch-interface and Firewall policies deleted after a power cycle.
981685 On the FortiGate 4400F, high CPU usage by random CPU cores in the system space.
982200 FortiGate enters into conserve mode due to excessive memory usage by Slabs.
982651 Security mode 802.1X authentication happens every hour on a hardware switch with 7.2 code.
986698 The NP7 should use the updated MAC address from the ARP table to forward traffic to the destination server.
988528 With NGFW mixed traffic, the CPU usage goes to 99%.
995395 Typo in the set ipv6-allow-local-in-slient-drop command.
995965 Ports 15 and 16 are directly connected but are unable to ping each other.

Upgrade

Bug ID Description
871181 FG-3401E link is not coming up using DAC cables after upgrading.
896937 Port channel is down after upgrading the FG-1101E.
939011 All transparent VDOMs cannot synchronize because of switch-controller.auto-config.policy.
940126 Upgrading a FGT-3401E generates BPDUs, which cause the switch to disable the port.

User & Authentication

Bug ID Description
868994 FortiGate receives FSSO user in the format of HOSTNAME$.
891068 Guest administration management does not show all groups for multiple VDOMs assigned to a guest administrator account.
915998 FortiToken mobile push with ACME gives an untrusted certificate in iOS application.
932989 In some cases, the HA connection is removed and its memory is freed, but it is still read/written in the following process.
934313 Password and Token concatenation for remote RADIUS users does not work as expected.
967146 Upon expiration, the SSL certificate is removed from GUI but not from the CLI.
971641 Issue sending activation code for FortiToken in a multi-VDOM environment with remote user authentication.
975299 When MFA is enabled on a user and the authentication type is FortiToken, searching for a part of or the full serial number on the User & Authentication > User Definition page does not return a matching value.
975689 Unable to print with custom guest user print template.
976338 RADIUS accounting packet with acct-input-octets and acct-output-octets sometimes shows inconsistent behavior.
1000108 Guest-management administrators cannot see or print guest user passwords in plain text; the password is masked as ENC XXXX string.

VM

Bug ID Description
874559 FortiGate VM HA primary loses connection when setting up secondary unit.
903798 When send-deny-packet is enabled or ident-accept is disabled, sending out responding packets (such as TCP RST or ICMP) triggers a restart.
921168 The restore operation overwrites the passive configuration in an Azure A-P deployment based on the SDN connector.
930381 FortiGate VM heartbeat authentication fails during the upgrade to 7.2.4 or 7.2.5 when HA authentication and encryption is enabled.
932085 In an Azure cluster, the NTP source-ip6 (IPv6) is synchronized while the source-ip (IPv4) is not.
938382 OpenStack Queens FortiGate VM HA heartbeat on broadcast is not working as expected.
951787 On a FortiGate VM on Azure, a deadlock between pci-recovery and mlx5-recovery stalls a number of mlx5-txrxq recovery tasks.
954076 A FortiGate VM on ESXi with FGCP clustering is unable to do VLAN traffic in DPDK mode.
956460 FortiGate cannot detect a log disk in some new Azure instances.
957299 On a FortiGate ARM-OCI, after adding more than one network interface card and rebooting, the interface cards are not kept in order.
957886 GCP OS Login integration issues occur in a FortiGate deployment.
959859 FG-VM64-AZURE SDN connector does not retry requests to management.azure.com if they fail.
965668 Interfaces are brought down by azd, and traffic is disrupted until manually disabling and enabling the interfaces on the Azure VM.
967134 An interrupt distribution issue may cause the CPU load to not be balanced on the FG-VM cores.
968740 Unexpected behavior in awsd caused by tags with an empty value on AWS instances while adding a new AWS Fabric connector.
970201 Unexpected reboot caused by a rare error condition for FG-VM.
977271 After enabling DPDK on the VM, return traffic to the VLAN interface is dropped.
983705 The Azure SDN Connector does not retrieve all of the virtual networks if the results are paginated.
999599 On FortiGate AWS, the IPsec configuration goes missing after an upgrade due to an inconsistent table-size.

WAN Optimization

Bug ID Description
954541 In WANOpt transparent mode, WAN optimization does not keep the original source address of the packets.

Web Filter

Bug ID Description
915879 Add web filter categories for artificial intelligence technology (category 100) and Cryptocurrency (category 101).
917475 The FortiGuard category threat feed is not working as expected in proxy mode.
929110 The strict option for sni-server-cert-check is behaving the same as if it is set to enable, and logs are not generated upon SNI mismatch with the CN or SAN.
941045 Local rating chooses the wrong category if the URL path falsely matches to a longer local rating URL.
947676 Web filter profile setting changes the order of FortiGuard web filter categories.
982156 The URL local/user category rating result has only one best match category (longest URL pattern match), and other matched local/user categories cannot be chosen even if the category is configured in the profile.
994749 The urlfilter fails to block TP HTTPS traffic with an IP address hostname.

WiFi Controller

Bug ID Description
883021 Is the FortiGate 100F RFC 2865 compliant and, if yes, why does the FortiGate not always re-authenticate after the Session-Timeout value?
883938 Flooded wireless STA traffic seen in L2 tunneled VLAN (FG-1800F).
896104 An error condition occurred in the kernel when the FortiAP and SSID are in the same software switch.
900605 NAS-ID is not updated immediately after modifying it in the applied RADIUS server when the wpad-process-count is set to a non-zero value.
905789 FortiAP 431G is unable to join AC due to no response to cfg_request.
922838 Usage of the cw_acds process increases and drops the FortiAP connection, which forces the FortiAP to restart in an FSM state when FortiAP settings are changed.
923530 Add support for 6 GHz band for DARRP, wlac -c rf-analysis, and BG scan period.
926999 An error condition occurred for the EAP proxy while sending the RADIUS Access-Request.
930130 MPSK keys are not loaded completely in the wpad daemon after applying a VAP with an MPSK profile selected on a FortiAP.
931592 CAPWAP offloading does not work with more than 12,000 VAP entries.
938525 Wi-Fi clients failed roaming from one FortiAP to another on the bridge SSID with dynamic VLAN assignment by RADIUS-based MAC authentication.
949857 Captive portal appears each time after a channel change or if roaming is performed (Cisco ISE with FortiGate and FortiAP).
951792 Clients connected to certain FortiAPs do not have internet access.
952889 PMKID should be removed when an Android device is disconnected by the RADIUS CoA DM request with Acct-Session-Id.
957543 The collected FortiGate syntax is missing channels for 11AX6.
965695 Join/leave is repeated between FortiAP 421E and FortiGate 100E at multiple sites.
977351 The SASE portal is unable to authorize a FortiAP if it initially connects to a secondary VM.
985265 HA setup hostapd issue during stress test.

ZTNA

Bug ID Description
888814 Unable to match first group attribute from SAML assertion for ZTNA rule.
945016 When NAT is enabled in a firewall policy in ZTNA mode, saving it in the GUI causes NAT to be disabled.

Common Vulnerabilities and Exposures

Visit https://fortiguard.com/psirt for more information.

Bug ID CVE references
956553 FortiOS 7.2.8 is no longer vulnerable to the following CVE Reference:

  • CVE-2024-23112

Vendor release notes: FortiOS 7.2.8

Best regards,

The B&B Team
Bezpieczeństwo w biznesie
