Anti Spam

Bug ID Description
848593 After spam mail is detected by the email filter, the X-ASE-REPORT does not insert into the mail header of the spam mail.
857911 The Anti-Spam Block/Allow List Entrydialog page is not showing the proper Type values in the dropdown.
877613 Mark as Reject can be still chosen as an Action in an Anti-Spam Block/Allow List in the GUI.

Anti Virus

Bug ID Description
818092 CDR archived files are deleted at random times and not retained.
845960 Flow mode opens port 8008 over the AV profile that does not have HTTP scan enabled.
849020 FortiGate enters conserve mode and the console prints a fork() failed message.
851706 Nothing is displayed in the Advanced Threat Protection Statistics dashboard widget.
863461 Scanunit displays unclear warnings when AV package validation fails.
869398 FortiGate sends too many unnecessary requests to FortiSandbox and causes high resource usage.

Application Control

Bug ID Description
857632 Unable to access to some websites when application control with deep inspection is enabled.
901166 Unable to connect to any site when application control is enabled with proxy-based or certificate inspection.

Data Leak Prevention

Bug ID Description
893697 DLP is not blocking VME video files.

DNS Filter

Bug ID Description
871854 DNS UTM log still presents unknown FortiGuard category even when the DNS proxy received a rating value.
878674 Forward traffic log is generated for allowed DNS traffic if the DNS filter is enabled but the policy is set to log security events only.

Endpoint Control

Bug ID Description
861316 A system object tagging entry is hindering the FortiGate’s ability to process ZTNA tags.

Explicit Proxy

Bug ID Description
849794 Random websites are not accessible after upgrading when using a proxy policy.
865135 Multipart boundary parsing failed with CRLF before the end of boundary 1.
875736 The proxy-re-authentication-mode option has been removed in 7.2.4 and is replaced with proxy-keep-alive-mode re-authentication. The new proxy-re-authentication-time timer is associated with this re-authentication mode. There are two unresolved issues:

  • After upgrading, the previously configured proxy-auth-timeout value for the absolute re-authentication mode is not preserved in the new proxy-re-authentication-time.
  • The new proxy-re-authentication-time is currently configured in seconds, but it should be configured in minutes to be consistent with other related authentication timers (such as proxy-auth-timeout).
878713 The hit count and bytes of the implicit deny rule does not increase on the proxy policy.
880361 Transparent web proxy policy has no match if the source or destination interface is the same and member of SD-WAN.
882867 Proxy policy match resolves IP to multiple internet service application IDs.
888078 Enabling http-ip-header on virtual server changes the log produced for transparent web proxy.
901239 Multiple WAD crashes after upgrading firmware to 7.2.4.
901614 Firewall schedule does not work as expected with a proxy policy.
901627 Explicit proxy and SD-WAN issue occurs.

Firewall

Bug ID Description
719311 On the Policy & Objects > Firewall Policy page in 6.4.0 onwards, the IPv4 and IPv6 policy tables are combined but the custom section name (global label) is not automatically checked for duplicates. If there is a duplicate custom section name, the policy list may show empty for that section. This is a display issue only and does not impact policy traffic.
770541 Within the Policy & Objects menu, the firewall, DoS, and traffic shaping policy pages take around five seconds to load when the FortiGate cannot reach the FortiGuard DNS servers.
804603 An httpsd singal 6 crash occurs due to /api/v2/monitor/license/forticare-resllers.
816493 The set sub-type ems-tag option is blocked in HA diff installation.
835413 Inaccurate sFlow interface data reported to PRTG after upgrading to 7.0.
850175 When the UTM is enabled, NP7 NTurbo is not set properly, which causes the shaper to not guarantee the SIP traffic based on the class ID.
851212 After traffic flow changes to FGSP peer from owner, iprope information for synchronized sessions does not update on the peer side.
854107 NGFW VDOM incorrectly includes all interfaces belonging to the root VDOM on interface and policy related GUI pages.
856187 Explicit FTPS stops working with IP pool after upgrading.
860480 FG-3000D cluster kernel panic occurs when upgrading from 7.0.5 to 7.0.6 and later.
861990 Increased CPU usage in softirq after upgrading from 7.0.5 to 7.0.6.
864612 When the service protocol is an IP with no specific port, it is skipped to be cached and causes a protocol/port service name in the log.
865661 Standard and full ISDB sizes are not configurable on FG-101F.
872744 Packets are not matching the existing session in transparent mode.
875565 The policy or other cache lists are sometimes not freed in time. This may cause unexpected policies to be stored in the cache list.
879225 Egress interface cannot be intermittently matched for wake-on-LAN (broadcast) packets.
879705 Traffic issues occur with virtual servers after upgrading.
881572 Columns for NPU sessions are missing on the FortiView Sessions monitor page.
884578 Virtual server stops working after upgrading to 7.2.4.
884908 Implicit deny policy is allowing "icmp/0/0" traffic.
895962 Virtual server with the HTTP HOST method is crashing WAD.

FortiGate 6000 and 7000 platforms

Bug ID Description
838036 Merge FortiGate 6000 and 7000 series platforms.

FortiView

Bug ID Description
798427 The FortiSandbox PDF report query should be changed to on-demand.
838652 The FortiView Sessions monitor displays VDOM sessions from other VDOMs.
892798 WAD is crashing and CPU memory is spiking when loading FortiView.

GUI

Bug ID Description
440197 On the System > FortiGuard page, the override FortiGuard server for AntiVirus & IPS Updates shows an Unknown status, even if the server is working correctly. This is a display issue only; the override feature is working properly.
535794 Policy page should show new name/content for firewall objects after editing them from the tooltip.
677806 On the Network > Interfaces page when VDOM mode is enabled, the Global view incorrectly shows the status of IPsec tunnel interfaces from non-management VDOMs as up. The VDOM view shows the correct status.
685431 On the Policy & Objects > Firewall Policy page, the policy list can take around 30 seconds or more to load when there is a large number (over 20 thousand) of policies.
699508 When an administrator ends a session by closing the browser, the administrator timeout event is not logged until the next time the administrator logs in.
722358 When a FortiGate local administrator is assigned to more than two VDOMs and tries logging in to the GUI console, they get a command parse error when entering VDOM configuration mode.
753328 Incorrect shortcut name shown on the Network > SD-WAN > Performance SLAs page.
791367 Users should be able to perform a sniffer on a VWP member in the GUI.
821030 Security Fabric root FortiGate is unable to resolve firewall object conflicts in the GUI.
821734 Log & Report > Forward Traffic logs do not show the Policy ID if there is no Policy Name.
822991 On the Log & Report > Forward Traffic page, using the filter Result : Deny(all) does not work as expected.
827893 Security rating test for FortiCare Support fails when connected to FortiManager Cloud or FortiAnalyzer Cloud.
829736 Incorrect information is being displayed for the HA role on the System > HA page.
829773 Unable to load the Network > SD-WAN > SD-WAN Rules table sometimes due to a JavaScript error.
837048 Unable to delete the LAN interface’s addresses without switching it back to a none-LAN role.
842079 On the System > HA page, a Failed to retrieve info caution message appears when hovering over the secondary unit’s Hostname. The same issue is observed on the Dashboard > Status > Security Fabric widget.
848083 On the System > FortiGuard page, the license table shows expiry notifications for FortiGuard entitlements, which are hidden by the GUI 's Feature Visibility.
853414 Policy and dashboard widgets do not load when the FortiGate manages a FortiSwitch with tenant ports (exported from root to other VDOM).
854529 The local standalone mode in a VAP configuration is disabled when viewing or updating its settings in the GUI.
857464 The CPU and Sessions widgets report the current numbers at the wrong places for most time periods
861466 The Active Administrator Sessions widget shows the incorrect interface when accessing the firewall through the GUI.
862474 IPsec tunnel interface Bandwidth widget inbound is zero and outbound value is lower than the binding interface.
865956 Unable to copy or clone policy routes in the GUI.
866790 System > Firmware & Registration menu is not visible for administrator accounts without read-write permissions for the sysgrp-permission category.
867588 FortiCare Reseller dropdown name option needs correcting.
867802 GUI always displays Access denied error after logging in.
869138 Unable to select addresses in FortiView monitors.
869828 An httpsd crash occurs when the GUI fails to get the disk log settings from the FortiGate.
870675 CLI console in GUI reports Connection lost. when the administrator has more than 100 VDOMs assigned.
874502 An access privilege prompt is not displayed when logging in to the GUI of a FortiGate managed by a FortiManager with post-login-banner enabled. The user is logged in with read-only permissions.
880292 Global administrator backup configuration for specific VDOM contains configurations associated with only the root VDOM.
881678 GUI returns a The integer value is not within valid range error when adding a new entry in the prefix list (Network > Routing Objects).
889647 CLI console disconnects and has '/tmp/daemon_debug/node_...' crash.
890683 GUI being exposed to port 80 on the interfaces defined in the ACME settings, even if administrative access is disabled on the interface.
891895 Remote access from FortiGate Cloud GUI console displays Connection lost. Press Enter to start a new session message.
893286 On the Dashboard > Status page, the CPUMemory, and Sessions widgets always show zero data.
899434 super_admin login is logged in the console logs when remotely logging in to a FortiGate with the FortiCloud portal using a prof_admin profile.

HA

Bug ID Description
662978 Long lasting sessions are expired on HA secondary device with a 10G interface.
816904 DCE/RPC traffic is dropped when no session matches with the FGSP cluster and asynchronous traffic.
825680 TACACS authentication to secondary FortiGate fails when HA group ID is changed on a FortiGate cluster.
826790 DHCP over IPsec is not working in an FGSP cluster.
830538 FGCP FortiGates go out-of sync when the certificates used for IPsec are updated using SCEP.
830879 Running execute ha manage 0 <remote_admin> fails and displays a Permission denied, please try again. error if the 169.254.0.0/16 local subnet is not in the trusted host list.
843837 HA A-P virtual cluster information is not correctly presented in the GUI and CLI.
852308 New factory reset box failed to synchronize with primary, which was upgraded from 7.0.
856004 Telnet connection running ping fails during FGSP failover for virtual wire pair with VLAN traffic.
856643 FG-500E interface stops sending IPv6 RAs after upgrading from 7.0.5 to 7.0.7.
860497 Output of diagnose sys ntp status is misleading when run on a secondary cluster member.
861827 FortiGate uses dedicated management interface to connect to 154.52.29.102 (productapi.fortinet.com) even though ha-direct is disabled.
864226 FG-2600F kernel panic occurs after a failover on both members of the cluster.
866296 The HBDEV status is displayed as DOWN when upgrading one node of the HA cluster to 6.4.9.
868622 The session is not synchronized after HA failover by detecting monitored interface as down.
869557 Upgrading or re-uploading an image to the HA secondary node causes the OS to be un-certified.
870312 On a FortiGate HA cluster, both primary and secondary units are displayed as the Primary on the GUI top banner, and as Current HA mode in the CLI.
870367 FGCP A-P devices get out of HA synchronization periodically due to FortiTokens being added and deleted.
871636 HA configuration synchronization packets (Ethertype 0x8893) are dropped when going through VXLAN.
872431 Primary FortiGate synchronizes the changing HA command to the secondary.
873028 In HA A-A mode, authenticated users experience intermittent drops and disconnections.
873561 Several session counts of primary unit do not match.
874397 When re-enabling sync-config on the primary FGCP cluster member, it is automatically disabled on the secondary.
875984 FortiGate is going to out-of-sync after changing parameters of VDOM link interfaces.
876178 hasync crashing with signal 6 after upgrading to 7.2.3 from 7.0.7.
878173 When downloading the speed test server list, the HA cluster gets and stays out-of-sync.
880786 Running diagnose sys ha vlan-hb-monitor incorrectly shows inter-VDOM VLANs inactive.
881337 Adding a VLAN interface on any VDOM causes BGP flapping and VIP connectivity issues on VDOMs in vcluster2.
881847 HA interfaces flapping on FG-3401E.
882354 When WAN extension redundant mode is configured in HA, after a redundant switch it will makes the HA be out-of-sync.
883546 In HA, sending lot of CLI configurations causes the creation of a VDOM on the secondary unit.
885245 Unexpected failover occurs due to uptime, even if the uptime difference is less than the ha-uptime-diff-margin.
885844 HA shows as being out-of-sync after upgrading due to a checksum mismatch for endpoint-control fctems.
888110 Unable to set the interface configured as an SD-WAN member to pingserver-monitor-interface in the CLI.

Hyperscale

Bug ID Description
771857 Firewall virtual IP (VIP) features that are not supported by hyperscale firewall policies are no longer visible from the CLI or GUI when configuring firewall VIPs in a hyperscale firewall VDOM.
837270 Allowing intra-zone traffic is now supported in hyperscale firewall VDOMs. Options to block or allow intra-zone traffic are available in the GUI and CLI.
841712 On FortiGates licensed for hyperscale firewall features, the config system setting options nat46-force-ipv4-packet-forwarding and nat64-force-ipv6-packet-forwarding now also apply to NP7-offloaded traffic. The config system npu option nat46-force-ipv4-packet-forwarding has been removed.
843305 Get PARSE SKIP ERROR=17 NPD ERR PBR ADDRESS console error log when performing a system bootup.
877696 Get KTRIE invalid node related error and kernel panic on standby after adding a second device into A-P mode HA cluster.

Intrusion Prevention

Bug ID Description
696811 IPSA self test failed, disable IPSA! IPSA disabled: self test failed message appears in system event logs.
842073 High CPU usage for more than 20 minutes and cmdb deadlock after FortiGuard update.
842523 IPv6 with hardware offloading and IPS drops traffic (msg="anti-replay check fails, drop).
845944 Firewall policy change causes high CPU spike with IPS engine.
872137 Unable to pass traffic when using GRE over IPsec (IPsec in transport mode).
873975 Source MAC changes and the packet drops due to both sides of the session using the same source MAC address.
881549 Memory leak was detected due to IPS engine restart.
883600 Under config ips global, configuring set exclude-signatures none does not save to backup configuration.
891497 IPS configuration script crashes sometimes when a VDOM is deleted.

IPsec VPN

Bug ID Description
699973 IPsec aggregate shows down status on InterfacesFirewall Policy, and Static Routes configuration pages.
726326 IPsec server with NP offloading drops packets with an invalid SPI during rekey.
788751 IPsec VPN Interface shows incorrect TX/RX counter.
797342 Users cannot define an MTU value for the aggregate VPN.
798045 FortiGate is unable to install SA (failed to add SA, error 22) when there is an overlap in configured selectors.
803010 The vpn-id-ipip encapsulated IPsec tunnel with NPU offloading cannot be reached by IPv6.
812229 A random four-character peer ID is displayed in the GUI and CLI when a VPN tunnel is formed using IKEv2 if the peer ID is not configured.
828933 iked signal 11 crash occurs once when running a VPN test script.
842571 If mode-cfg is used, a race condition can result in an IP conflict and sporadic routing problems in an ADVPN/SD-WAN network. Connectivity can only be restored by manually flushing the IPsec tunnels on affected spokes.
848014 ESP tunnel traffic hopping from VRF.
852868 Issues with synchronization of the route information (using add-route option) on spokes during HA failover that connect to dialup VPN.
855705 NAT detection in shortcut tunnel sometimes goes wrong.
855772 FortiGate IPsec tunnel role could be incorrect after rebooting or upgrading, and causes negotiation to be stuck when it comes up.
858681 When upgrading from 6.4.9 to 7.0.6 or 7.0.8, the traffic is not working between the spokes on the ADVPN environment.
858697 Native IPsec iOS authentication failure using LDAP account with two-factor authentication.
858715 IPsec phase 2 fails when both HA cluster members reboot at the same time.
861195 In IPsec VPN, the fnbamd process crashes when the password and one-time password are entered in the same Password field of the VPN client.
869166 IPsec tunnel does not coming up after the upgrading firmware on the branch FortiGate (FG-61E).
873097 Phase 2 not initiating the rekey at soft limit timeout on new kernel platforms.
876795 RADIUS server will reject new authentication if a previous session is missing ACCT-STOP to terminate the session, which causes the VPN connection to fail.
882483 ADVPN spoke does not delete the BGP route entry to another spoke over IPsec when the IPsec VPN tunnel is down.
884921 Proxy DHCP is not following RFC 2132 for option 61.
885333 Forwarded broadcast traffic on ADVPN shortcut tunnel interface is dropped.
885818 If a tunnel in an IPsec aggregate is down but its DPD link is on, the IPsec aggregate interface may still forward traffic to a down tunnel causing traffic to drop.
887800 In an L2TP configuration, set enforce-ipsec enable is not working as expected after upgrading.
889602 ADVPN hub is not advertising additional paths by specific tunnels.
891462 The Peer ID field in the IPsec widget should not show a warning message that Two-factor authentication is not enabled.
892699  

In an HA cluster, static routes via the IPsec tunnel interface are not inactive in the routing table when the tunnel is down.

Log & Report

Bug ID Description
714470 The exclude-list log filter is not working as expected.
755632 Unable to view or download generated reports in the GUI if the report layout is custom.
816616 GUI logging issue for automation script that performs a backup to an external FTP server.
823183 FortiGates are showing Logs Queued in the GUI after a FortiAnalyzer reboot, even tough the queued logs were actually all uploaded to FortiAnalyzer and cleared when the connection restores.
825318 Archived Data tab is missing from intrusion prevention and application control log Details pane once log-packet is enabled.
828211 Policy ID filter is not working as expected.
829862 On the Log & Report > ZTNA Traffic page, the client’s Device ID is shown as [object Object]. The Log Details pane show the correct ID information.
836846 Packet captured by firewall policy cannot be downloaded.
838357 A deny policy with log traffic disabled is generating logs.
839601 When log pages are scrolled down, no logs are displayed after 500 lines of logs.
854604 Logs are outputted, even if FDS-license-expiring-warning is disabled.
856670 Forward traffic log doesn’t contain result and security action values for sessions denied by WAD.
857573 Log filter with negation of destination IP display all logs.
858304 When FortiGate Cloud logging is enabled, the option to display 7 days of logs is not visible on the Dashboard > FortiView pages.
858589 Unable to download more than 500 logs from the FortiGate GUI.
860141 Syslog did not update the time after daylight saving time (DST) adjustment.
860264 The miglogd process may send empty logs to other logging devices.
860459 Unable to back up logs (FG-201E).
860487 Incorrect time and time zone appear in the forward traffic log when timezone is set to 18 (GMT-3 Brasilia).
860822 When viewing logs on the Log & Report > System Events page, filtering by domain\username does not display matching entries.
861567 In A-P mode, when the link monitor fails, the event log displays a description of ha state is changed from 0 to 1.
861893 In Forward Traffic logs, the Policy ID column is blank.
863548 When searching some previous results, log_se is busy for a long time without any results.
864219 A miglogd crash occurs when creating a dynamic interface cache on an ADVPN environment.
869073 A syslogd signal 11 crash occurs once while running VPN scripts.
871142 SAML SSO administrator login with post-login banner enabled does not have a login event.
872181 On the Log & Report > Log Settings > Local Logs page, the Local reports and Historical FortiView settings cannot be enabled.
872326 FortiGate cannot retrieve logs from FortiAnalyzer Cloud. Results are shown rarely.
873987 High memory usage from miglogd processes even without traffic.
874026 Caching a large number of service port entries causes high log daemon memory usage.
879228 FortiAnalyzer override settings are not taking effect when ha-direct is enabled.
893199 Deallocate/allocate logs are lost if PBA IP pool NAT IP has been exhausted.
901545 FG-40F and FWF-61F halt after upgrading.

Proxy

Bug ID Description
707827 The video filter does not display the proper replacement message when the user redirects to a blocked video from the YouTube homepage or video recommendation list.
727629 WAD encounters signal 11 crash.
746587 WAD crashes during traffic scan in proxy mode.
766158 Video filter FortiGuard category takes precedence over allowed channel ID exception in the same category.
781613 WAD crash occurs four times on FG-61F during stress testing.
818371 WAD process crashes with some URIs.
823078 WAD user-info process randomly consumes 100% CPU of one core.
825977 WAD crash occurs on FG-101F during stress testing.
828917 WAD crash caused by linked list corruption with free group information node.
834387 In a firewall proxy policy, the SD-WAN zone assigned to interface is not checked.
835745 WAD process is crashing after upgrading to FortiOS 7.2.1.
837095 WAD daemon runs high with many child processes and is not coming down after configuring 250 CGN VDOMs.
843318 If a client sends an HTTP request for a resource which is not yet cached by the FortiGate and the request header contains Cache-Control: only-if-cached, then the WAD worker process will crash with signal 11.
850426 POP3 proxy is unable to extract the username if AUTH PLAIN or AUTH LOGIN commands were used for authentication.
853864 FortiGate out-of-band certificate check issue occurs in a proxy mode policy with SSL inspection.
854511 Unable to make API calls using Postman Runtime script after upgrading to 7.2.0.
855853 WAD crashes frequently and utilizes high CPU.
855882 Increase in WAD process memory usage after upgrading.
856235 The WAD process memory usage gradually increases over a few days, causing the FortiGate to enter into conserve mode.
857368 WAD crashed while parsing a Huffman-encoded HTTP header.
858148 Memory leak in WAD user info history daemon.
870151 WAD memory leak occurs on TCP port and HTTP tunnel session port.
870554 WAD crash occurs with explicit proxy when IPv6 is enabled.
874563 WAD has signal 11 crash when attempting to merge user information attributes.
880712 WAD crashed with signal 11.
882182 WAD crashed due to missing security profile.
885674 Unable to send logs from FortiClient to FortiAnalyzer when deep inspection is enabled on firewall policy.
886284 Application WAD signal 11 crash occurs.
898016 Kerberos authentication stops working after the upgrading to 7.2.3.
901296 WAD crash with HTTP forward request.

REST API

Bug ID Description
849273 /api/v2/monitor/system/certificate/download can still download already deleted CSR files.
864393 High CPU usage of httpsd on FG-3600E HA system.
868265 The active sessions count for a specific policy displayed in the Fortiview Sessions monitor (Active Sessions column ), on the Firewall Policy page, and in the results of diagnose sys session list (total session value) are different. The total session count indicated in the CLI is the accurate value.
892237 Unable to update monitor interface through API PUT request (get API error -37 raised).

Routing

Bug ID Description
708904 No IGMP-IF for ifindex log points to multicast enabled interface.
724468 Router policy destination address not take effect when internet-service-id is configured.
821149 Early packet drop occurs when running UTM traffic on virtual switch interface.
827565 Using set load-balance-mode weight-based in SD-WAN implicit rule does not take effect occasionally.
839784 DHCP relay packets are not being sent out of WWAN interface.
848310 IPsec traffic sourced from a loopback interface does not follow the policy route or SD-WAN rules.
850778 Spoke-to-spoke communication randomly breaks. The BGP route to reach the spoke subnet points to the main ADVPN tunnel instead of the shortcut tunnel.
850862 When creating a new rule on the Network > Routing Objects page, the user cannot create a route map with a rule that has multiple similar or different AS paths in the GUI.
852498 BGP packets are marked with DSCP CS0 instead of CS6.
852525 When enabled, FEC is not effectively reducing packet loss when behind NAT.
858248 OSPF summary address for route redistribution from static route via IPsec VPN always persists.
858299 Redistributed BGP routes to the OSPF change its forward address to the tunnel ID.
859135 Disabling the VDSL interface caused packet drops afterwards on another interface.
860075 Traffic session is processed by a different SD-WAN rule and randomly times out.
862165 FortiGate does not add the route in the routing table when it changes for SD-WAN members.
862418 Application VWL crash occurs after FortiManager configuration push causes an SD-WAN related outage.
862573 SD-WAN GUI does not load, and the lnkmtd process crashes frequently.
863318 Application forticron signal 11 (Segmentation fault) received.
863833 BGP stuck in active state due to collisions when BGP neighborship is done over VDOM link.
865914 When BSM carries multiple CRPs, PIM might use the incorrect prefix to update the mroute’s RP information.
867196 SD-WAN and IP pool setting are not working as expected when one SD-WAN member link is down.
870983 Unable to set local-as in BGP confederation configuration.
870990 Routing advertised by directly connected EBGP peer is not installed (denied due to non-connected next-hop).
874677 Sometimes an IPv6 single-hop BFD neighbor fails to come up after a system reboot.
875177 TCP/HTTP health check does not work as expected for virtual servers in active-standby mode.
875668 SD-WAN SLA log information has incorrect inbound and outbound bandwidth values.
880390 When execute speed-test-server download fails with a token parse error, it still reports Download completed.
881306 SD-WAN member shows as selected, even if the interface is down or underlying transport is down.
883918 Delay in joining (S,G) in PIM-SM.
884298 Sandbox traffic does not follow SD-WAN rules.
884372 All BGP routes in dual ADVPN redundant configuration are not getting updated to the correct WAN interface post-rollback to WAN failover.
890379 After upgrading, SD-WAN is unable to fail over the traffic when one interface is down.
893603 GUI does not show gateway IP on the routing table page if VDOM mode is transparent.
896065 ISIS cannot establish the neighborship to peers, and all peers are in INIT states.
897940 Link monitor’s probe timeout value range is not appropriate when the user decreases the minimum interval.
898549 IPv6 route to SLA IPv6 target is lost after disabling and enabling the physical interface.

Security Fabric

Bug ID Description
809106 Security Fabric widget and Fabric Connectors page do not identify FortiGates properly in HA.
819192 After adding a Fabric device widget, the device widget does not appear in the dashboard.
825291 Security rating test for FortiAnalyzer fails when connected to FortiAnalyzer Cloud.
844412 When a custom LLDP profile has auto-isl disabled, the security rating test, Lockdown LLDP Profile, fails.
848822 The FortiAP Firmware Versions and FortiSwitch Firmware Versions security rating tests fail because the firmware version on the FortiAPs and FortiSwitches is not recognized correctly.
851656 Sessions with csf_syncd_log flag in a Security Fabric are not logged.
852340 Various places in the GUI do not show the secondary HA device.
862532 Unable to load topology pages for a specific Security Fabric topology on the root and downstream FortiGates.
867313 Error triggering automation stitch message appears when the license expiry notification type is FortiGuard Web Filter.
868701 In a simple cluster, the primary unit failed to upgrade to 7.2.3.
870527 FortiGate cannot display more than 500 VMs in a GCP dynamic address.
875100 Unable to remove external resource in a certain VDOM when the external resource has no reference in that VDOM.
880011 When the Security Fabric is enabled and admin-https-redirection is enabled on a downstream FortiGate, the following GUI features do not work for the downstream FortiGate when the administrator manages the downstream FortiGate using the root FortiGate’s GUI:

  • Web console access
  • Diagnostic packet capture
  • GUI notification when a new device joins or leaves the Security Fabric
  • GUI notification if a configuration on the current page changes

These features still work for the root FortiGate’s GUI.
885810 The gcpd daemon constantly crashes (signal 11 segmentation fault).
887967 Fabric crashes when synchronizing objects with names longer than 64 characters.

SSL VPN

Bug ID Description
631809 Configuring thousands of mac-addr-check-rule in portal makes the CPU spike significantly if several hundreds of users are connecting to the FortiGate, thus causing SSL VPN packet drops.
710657 The dstaddr/dstaddr6 of an SSL VPN policy can be set to all when split tunnel mode is enabled and only the default portal is set.
746440 Link URL in SSL VPN provision template should display the plain text of the URL to improve it’s compatibility.
767086 Customer’s internal website does not load properly in SSL VPN web mode.
787768 The web-mode setting should not be enabled when the portal is mapped in an SSL VPN policy where a VIP is applied.
808107 FortiGate is not sending Accounting-Request packet that contains the Interim-Update AVP when two-factor authentication is assigned to a user (defined on the FortiGate ) while connecting using SSL VPN.
810239 Unable to view PDF files in SSL VPN web mode.
819754 Multiple DNS suffixes cannot be set for the SSL VPN portal.
822657 Internal resource pages and menus are not showing correctly in SSL VPN web mode.
828194 SSL VPN stops passing traffic after some time.
839261 SSL VPN settings are not reflecting any changes when source-address-negate is enabled in the CLI.
850898 OS checklist for the SSL VPN in FortiOS does not include macOS Ventura (13).
852652 MacOS clients bypass the host check policy.
854615 Internal web interface is not working using web mode. The page is not loading properly.
854642 Internal website with JavaScript is proxying some functions in SSL VPN web mode, which breaks them.
856194 Problem loading some graphs trough SSL VPN web mode after upgrading.
856554 SSL VPN web mode top-right dropdown button (user profile menu) does not work.
858478 SSL VPN DTLS tunnel is unavailable after changing the SSL VPN listening port.
859088 FortiGate adds extra parenthesis and causes clicking all links to fail in SSL VPN web mode.
859115 SSL VPN bookmark not accessible.
863860 RDP over SSL VPN web mode to a Windows Server changes the time zone to GMT.
864096 EcoStruxure Building Operations 2022 does not render using SSL VPN bookmark.
864417 In the second authentication of RADIUS two-factor authentication, the acct-update-interval returned is 0. SSL VPN uses the second return and not send RADIUS acct-interim-update packet.
867182 RDP/VNC host name is not encrypted when URL obscuration is enabled.
868491 SSL VPN web mode connection to VMware vCenter 7 is not working.
870061 Kernel does not delete original route after address assigned to the client changes.
871039 Internal website is not displaying user-uploaded PDF files when visited through SSL VPN web mode.
871048 RDP over VPN SSL web mode stops working after upgrading.
871229 SSL VPN web mode does not load when connecting to customer’s internal site.
872577 SSL VPN crashes are generating random disconnections (FG-5001E).
872745 SSL VPN web mode to RDP broker leads to connection being closed.
873313 SSL VPN policy is ignored if no user or user group is set and the FSSO group is set.
873516 FortiGate misses the closing parenthesis when running the function to rewrite the URL.
873995 Problem with the internal website using SSL VPN web mode.
875167 Webpage opened in SSL VPN web portal is not displayed correctly.
877124 RDP freezes in web mode with high CPU usage of SSL VPN process.
880791 Internal website access issue with SSL VPN web portal.
881220 Found bad login for SSL VPN web-bases access when enabling URL obscuration.
884051 Unable to access to Grafana tool using SSL VPN web mode (bookmark).
884860 SSL VPN tunnel mode gets disconnected when SSL VPN web mode is disconnected by limit-user-logins.
886989 SSL VPN process reaches 99% CPU usage when HTTP back-end server resets the connection in the middle of a post request.
888149 When srcaddr6 contains addrgrp6, sslvpnd crashes after dual-stack tunnel is established.
889392 SSL VPN is adding extra JS code blocking access to a website.
890876 One of the speed-connect website JavaScript files has trouble with host process.
891830 Internal website with JavaScript lacks some menus when using SSL VPN web mode.
896007 Specific SAP feature is not working with SSL VPN web mode.
896343 SSL VPN web mode is not working as expected for customer’s web server.
898889 The internal website does not load completely with SSL VPN web mode.

Switch Controller

Bug ID Description
730472 FortiSwitch enabled VLANs with VLAN and proxy ARP access have large latencies on initial ARP resolutions.
762615, 765283 FortiSwitches managed by FortiGate go offline intermittently and require a FortiGate reboot to recover.
769722 Support FortiLink to recognize a FortiSwitch based on its name and not just by serial number.
857778 Switch controller managed switch port configuration changes do not take effect on the FortiSwitch.
858113 Unable to view the Diagnostics and Tools page for FortiSwitch with limited access permissions using an administrative profile.
858749 Redirected traffic should not hit the firewall policy when allow-traffic-redirect is enabled.
870083 FortiLink interface should not permit changes of the system interface allowaccess settings.
876021 FortiLink virtually managed switch port status is not getting pushed after the FortiGate reboots.
886887 When a MAC VLAN appears on the same MCLAG trunk, continuous event logs are received on FortiGate and FortiAnalyzer.
894735 Unable to configure more than one NAC policy using the same EMS tag for different FortiSwitch groups.

System

Bug ID Description
550701 WAD daemon signal 11 causes cmdbsvr deadlock.
631046 diagnose sys logdisk smart does not work for NVMe disk models.
649729 HA synchronization packets are hashed to a single queue when sync-packet-balance is enabled.
666664 Interface belonging to other VDOMs should be removed from interface list when configuring a GENEVE interface.
700621 The forticron daemon is constantly being restarted.
709679 Get can not set mac address(16) error message when setting a MAC address on an interface in HA that is already set.
725048 Performance improvements for /api/v2/monitor/system/available-interfaces (phase 2).
729912 DNS proxy does not transfer the DNS query for IPv6 neighbor discovery (ND) when client devices are using random MAC addresses, so one device can configure many IPv6 addresses.
748496 Wrong IP displayed in GUI widget if FortiGuard anycast AWS is used.
763739 On FG-200F, the Outbound bandwidth in the Bandwidth widget does not match outbandwidth setting.
776646 On the Network > Interfaces page, configuring a delegated interface to obtain the IPv6 prefix from an upstream DHCPv6 server fails with an error notification (CLI internal error).
799570 High memory usage occurs on FG-200F.
805122 In FIPS-CC mode, if cfg-save is set to revert, the system will halt a configuration change or certificate purge.
810879 DoS policy ID cannot be moved in GUI and CLI when multiple DoS policies are enabled.
813607 LACP interfaces are flapping after upgrading to 6.4.9.
815937 FCLF8522P2BTLFTN transceiver is not working after upgrade.
820268 VIP traffic access to the EMAC VLAN interface uses incorrect MAC address on NP7 platform.
822333 The tab title does not show the server address when accessing RDP/VNC using SSL VPN web mode.
826490 NP7 platforms may reboot unexpectedly when unable to handle kernel null pointer de-reference.
831466 A cmdbsvr crash is observed on the FortiGate.
838933 DoS anomaly has incorrect threshold after loading a modified configuration file.
840960 When kernel debug level is set to >=KERN_INFO on NP6xLite platforms, some tuples missing debug messages may get flooded and cause the system to get stuck.
845736 After rebooting the FortiGate, the MTU value on the VXLAN interface was changed.
847314 NP7 platforms may encounter random kernel crash after reboot or factory reset.
850683 Console keeps displaying bcm_nl.nr_request_drop ... after the FortiGate reboots because of the cfg-save revert setting under config system global. Affected platforms: FG-10xF and FG-20xF.
850688 FG-20xF system halts if setting cfg-save to revert under config system global and after the cfg-revert-timeout occurs.
853144 Network device kernel null pointer is causing a kernel crash.
853794 Issue with the server_host_key_algorithm compatibility when using SSH on SolarWinds.
853811 Fortinet 10 GB transceiver LACP flapping when shut/no shut was performed on the interface from the switch side.
855573 False alarm of the PSU2 occurs with only one installed.
855775 Time zone for Kyiv, Ukraine is missing.
859717 The FortiGate is only offering the ssh-ed25519 algorithm for an SSH connection.
859795 High CPU utilization occurs when relay is enabled on VLAN, and this prevents users from getting an IP from DHCP.
861144 execute ping-option interface cannot specific an interface name of a.
861661 SNMP OID 1.3.6.1.2.1.4.32 ipAddressPrefixTable is not available.
862941 GUI displays a blank page if vdom-admin user has partial permissions.
865770 RX and TX counters are incorrect on inter-VDOM link configured with VLANs.
865966 DHCP lease list CLI format gets misaligned when the data is over 15 characters long.
867435 FG-400E-BP has crash at initXXXXXXXXXXX[1]: segfault at 3845d5a after package validation fails.
867978 Subnet overlap error occurs when configuring the same IPv4 link-local addresses on two different interfaces.
868225 After a cold reboot (such as a power outage), traffic interfaces may not come up with a possible loss of VLAN configurations.
868821 execute ssh-regen-keys should be global-level command.
869113 If a device is rebooted that has an ipsec-STS-timeout configured or the user configures the ipsec-STS-timeout before any NPU tunnel is created, NPU will send random STS messages that have an invalid tunnel index and trigger NP6XLite error messages.
869305 SNMP multicast counters are not increasing.
869599 Forticron memory is leaking.
870381 Memory corruption or incorrect memory access when processing a bad WQE.
872739 The fgfmsd process crashes since updating to 6.4.11.
874603 Dashboard loads slowly and csfd process has high CPU usage.
875868 HQIP test fails on FG-2201E.
876853 No output of execute sensor list is displayed after rebooting.
876874 The Dashboard > Status > Sensor Information widget does not load.
877039 On the Network > BGP page, creating or editing a table entry increases memory consumption of the FortiGate to 99%.
877154 FortiGate with new kernel crashes when starting debug flow.
877240 Get zip conf file failed -1 error message when running a script configuring the FortiGate.
878400 When traffic is offloaded to an NP7 source MAC, the packets sent from the EMAC VLAN interface are not correct.
879131 Unsetting the port 8888 setting in system fortiguard will set port 443, even if the protocol is UDP.
880290 NP7 is not configured properly when the ULL ports are added to LAG interface, which causes accounting on the LAG to not work.
881094 FG-3501F NP7 is dropping all traffic after it is offloaded.
882089 Unable to use ping and SSH when vne.root is not configured in local-in-policy.
882187 FortiGate enters conserve mode in a few hours after enabling UTM on the policies.
883071 Kernel panic occurs due to null pointer dereference.
884970 Unbalanced throughput on LAG members with LAG enhancement feature enabled.
887268 Unable to configure dscp-based-priority when traffic-priority dscp is configured under system global.
887772 High CPU usage after upgrade to 7.2.4, WAD crashes continuously.
891841 Unable to handle kernel NULL pointer dereference at 0000000000000000 for NP7 device; the device keeps rebooting.
892195 LAG interface has NOARP flag after interface settings change.
892274 Daylight saving time is not applied for Cairo time zone.
894884 FSTR session ticket zero causes a memory leak.
895972 FortiGate as L2TP client is not working after upgrading to 7.2.4.
897521 grep command including -f does not provide the full output.
899884 FG-3000F reboots unexpectedly with NULL pointer dereference.

Upgrade

Bug ID Description
850691 The endpoint-control fctems entry 0 is added after upgrading from 6.4 to 7.0.8 when the FortiGate does not have EMS server, which means the endpoint-control fctems feature was not enabled previously. This leads to a FortiManager installation failure.
883305 SSH public keys are lost after upgrading from Beta 1 to latest interim build, and they can no longer be configured.
892647 Static route configurations were lost upgrading from 7.0.7 to 7.2.3.
900761 FG-601E crashes randomly after upgrading to 7.0.8 and 7.0.11.

User & Authentication

Bug ID Description
705731 Chrome throttles timers, which causes the keepalive page not update correctly and results in a user timeout.
751763 When MAC-based authentication is enabled, multiple RADIUS authentication requests may be sent at the same time. This results in duplicate sessions for the same device.
768669 If an administrator login fails due to an LDAP server connection timeout, invalid password appears as the reason in the system log, which is confusing. The server connection timeout reason is added to the system event logs for a failed administrator login.
843528 RADIUS MAC authentication using ClearPass is intermittently using old credentials.
846545 LDAPS connectivity test fails with old WinAD after OpenSSL was upgraded to 3.0.2.
850473 SSL VPN and firewall authentication SAML does not work when the application requires SHA-256.
853793 FG-81F 802.1X MAC authentication bypass (MAB) failed to authenticate Cisco AP.
855898 All devices are detected as Other identified device in the Device Inventory widget.
856370 The EAP proxy worker application crashes frequently.
858961 Client’s firewall authentication session timeout is set to 900 when it passes MAC authentication bypass by ping.
859845 In some cases, the proper hostnames are not showing up when looking at APs on the FortiSwitch ports screen.
864703 ACME client fails to work with some CA servers.
865166 A cid scan crash occurs when device detections happen in a certain order.
865487 Fortinet_GUI_Server certificate auto-regenerates every day.
867225 ARP does not trigger FortiGuard device identification query.
868481 Customized guest print replacement message template for VDOM is not being used (default template being used).
873981 CMP should be supported for EC certificates.
883006 Adding a new group membership to an FSSO user terminates all the user’s open sessions.
901743 Device identification crash upon receipt of UDP with one-byte payload.

VM

Bug ID Description
740796 IPv6 traffic triggers <interface>: hw csum failure message on CLI console.
856645 Session is not crated over NSX imported object when traffic starts to flow.
859165 Unable to enable FIPS cipher mode on FG-VM-ARM64-AWS.
859589 VPNs over Oracle Cloud stop processing traffic.
860096 CPU spike observed on all the cores in a GCP firewall VM.
865772 Interface does not get turned back up after changing the MTU in the aggregate interface.
868698 During a same zone AWS HA failover, moving the secondary IP will cause the EIP to be in a disassociated state.
869359 Azure auto-scale HA shows certificate error for secondary VM.
878074 FG-ARM64-GCP and FG-ARM64-AZURE have HA synchronization issue with internal IP after failover.
881728 Kernel hangs on FG-VM64-AZURE.
881768 AWS MAC is not shown when the interface is attached immediately.
883203 FG-AWS SDN is unable to retrieve EKS cluster information, even thought its role is trusted by the EKS role.
883896 Backup virtual server not working as expected (ERR_EMPTY_RESPONSE).
885829 Azure SDN connector stopped processing when Azure returned NotFound error for VMSS interface from an AD DS-managed subscription.
890278 FG‑VM Rackspace On-Demand upgrade from 7.2.3 to 7.2.4 breaks the pay-as-you-go license, and reverts it to an evaluation license.

VoIP

Bug ID Description
757477 PRACK will cause voipd crashes when the following conditions are met: block-unknown is disabled in the SIP profile, the PRACK message contains SDP, and PRACK fails to find any related previous transactions (this is not a usual case).
887384 SIP session is dropped by ALG with media type doesn't match message.

Web Filter

Bug ID Description
766126 Block replacement page is not pushed automatically to replace the video content when using a video filter.
856793 In flow mode, URL filter configuration changes cause a spike in CPU usage of the IPS engine process.
863728 The urlfilter process causes a memory leak, even when the firewall policy not using the web filter feature.
873086 In a policy-based VDOM, changes are not applied when adding an external threat feed category in the URL Category field.
878442 FortiGuard block page image (logo) is missing when the Fortinet-Other ISDB is used.

WiFi Controller

Bug ID Description
807605 FortiOS exhibits segmentation fault on hostapd on the secondary controller configured in HA.
824441 Suggest replacing the IP Address column with MAC Address in the Collected Email widget.
825182 The 6 GHz channel lists should be updated according to the latest WiFi country region channels map.
828901 Connectivity loss occurs due to switch and FortiAPs (hostapd crash).
831736 Application hostapd crash found on FG-101F.
834644 A hostapd process crash is shown in device crash logs.
835783 CAPWAP traffic is not offloaded when re-enabling capwap-offload.
837130 Wireless client shows portal related webpage while doing MAC authentication with MAB mode.
846730 Dynamic VLAN assignment is disabled in the GUI when editing an SSID with radius mac-auth and dynamic-vlan enabled.
856038 The voice-enterprise value changed after upgrading.
856830 HA FortiGate encounters multiple hostapd crashes.
857084 Hostapd segmentation fault signal 6 occurs upon HA failover.
857140 Hostapd segmentation fault signal 11 occurs upon RF chamber setup.
857975 The cw_acd process appears to be stuck, and is sending several access requests for MAC authentication.
858653 Invalid wireless MAC OUI detected for a valid client on the network.
861552 Wireless client gets disconnect from WiFi if it is connected to a WPA2 SSID more than 12 hours.
865260 Incorrect source IP in the self-originating traffic to RADIUS server.
868022 Wi-Fi clients on a RADIUS MAC MPSK SSID get prematurely de-authenticated by the secondary FortiGate in the HA cluster.
882551 FortiWiFi fails to act as the root mesh AP, and leaf AP does not come online.
892575 MPSK SSID with mpsk-schedules stopped working after the system time was changed due to daylight saving time.

ZTNA

Bug ID Description
832508 The EMS tag name (defined in the EMS server’s Zero Trust Tagging Rules) format changed in 7.2.1 from FCTEMS<serial_number>_<tag_name> to EMS<id>_ZTNA_<tag_name>.

After upgrading from 7.2.0 to 7.2.1, the EMS tag format was converted properly in the CLI configuration, but the WAD daemon is unable to recognize this new format, so the ZTNA traffic will not match any ZTNA policies with EMS tag name checking enabled.
859421 ZTNA server (access proxy VIP) is causing all interfaces that receive ARP request to reply with their MAC address.
863057 ZTNA real server address group gets unset once the FortiGate restarts.
865316 Adding an EMS tag on the Policy & Objects > Firewall Policy edit page for a normal firewall policy forces NAT to be enabled.
875589 WAD crash observed when a client EMS tag changes.