Fortinet has released FortiOS 7.6.3 for FortiGate. The list of fixes covers key issues affecting device operation. SSL VPN has been improved: among other things, the problem of SAML sessions not expiring correctly and cases where FortiGate sent an expired certificate have been resolved. Proxy stability has also been improved: problematic inspection rules and excessive memory consumption by WAD have been eliminated. In addition, significant changes affect firewalls in HA environments: cluster disconnections and desynchronization cases have been reduced.
Supported devices:
Series | Models |
---|---|
FortiGate | FG-40F, FG-40F-3G4G, FG-60F, FG-61F, FG-70F, FG-71F, FG-80F, FG-80F-BP, FG-80F-DSL, FG-80F-POE, FG-81F, FG-81F-POE, FG-90G, FG-91G, FG-100F, FG-101F, FG-120G, FG-121G, FG-200E, FG-200F, FG-201E, FG-201F, FG-300E, FG-301E, FG-400E, FG-400E-BP, FG-401E, FG-400F, FG-401F, FG-500E, FG-501E, FG-600E, FG-601E, FG-600F, FG-601F, FG-800D, FG-900D, FG-900G, FG-901G, FG-1000D, FG-1000F, FG-1001F, FG-1100E, FG-1101E, FG-1800F, FG-1801F, FG-2000E, FG-2200E, FG-2201E, FG-2500E, FG-2600F, FG-2601F, FG-3000D, FG-3000F, FG-3001F, FG-3100D, FG-3200D, FG-3200F, FG-3201F, FG-3300E, FG-3301E, FG-3400E, FG-3401E, FG-3500F, FG-3501F, FG-3600E, FG-3601E, FG-3700D, FG-3700F, FG-3701F, FG-3960E, FG-3980E, FG-4200F, FG-4201F, FG-4400F, FG-4401F, FG-4800F, FG-4801F, FG-5001E, FG-5001E1, FG-6000F, FG-7000E, FG-7000F |
FortiWiFi | FWF-40F, FWF-40F-3G4G, FWF-60F, FWF-61F, FWF-80F-2R, FWF-80F-2R-3G4G-DSL, FWF-81F-2R, FWF-81F-2R-3G4G-DSL, FWF-81F-2R-POE, FWF-81F-2R-3G4G-POE |
FortiGate Rugged | FGR-60F, FGR-60F-3G4G, FGR-70F, FGR-70F-3G4G |
FortiFirewall | FFW-1801F, FFW-2600F, FFW-3001F, FFW-3501F, FFW-3980E, FFW-4200F, FFW-4400F, FFW-4401F, FFW-4801F, FFW-VM64, FFW-VM64-KVM |
FortiGate VM | FG-ARM64-AWS, FG-ARM64-AZURE, FG-ARM64-GCP, FG-ARM64-KVM, FG-ARM64-OCI, FG-VM64, FG-VM64-ALI, FG-VM64-AWS, FG-VM64-AZURE, FG-VM64-GCP, FG-VM64-HV, FG-VM64-IBM, FG-VM64-KVM, FG-VM64-OPC, FG-VM64-RAXONDEMAND, FG-VM64-XEN |
FortiGate 6000 and 7000 support
FortiOS 7.6.3 supports the following FG-6000F, FG-7000E, and FG-7000F models:
Series | Models |
---|---|
FG-6000F | FG-6001F, FG-6300F, FG-6301F, FG-6500F, FG-6501F |
FG-7000E | FG-7030E, FG-7040E, FG-7060E |
FG-7000F | FG-7081F, FG-7121F |
Resolved issues:
Agentless VPN (formerly SSL VPN web mode)
See also SSL VPN tunnel mode no longer supported.
Bug ID | Description |
---|---|
1017304 | SSL VPN web mode missing several security headers in the HTTP response. |
1058211 | Traffic could not go through the SSL VPN tunnel when DTLS is enabled with a loopback interface as the source address. |
1077157 | FortiGate sends out expired server certificate for a given SSL VPN realm, even when the certificate configured in virtual-host-server-cert has been updated. |
1083262 | FNBAMD session hangs after a massive authorization request. |
1036557, 1091173 | Performance degradation occurs in SSL-VPN due to connection/session timeout management issues. |
1093580 | SSL VPN authentication is triggered even with EMS SN check enabled. |
1101837 | Insufficient session expiration in SSL VPN using SAML authentication. |
1102362 | SSL VPN web mode missing HTTP response headers. |
1107663 | FortiClient 7.2.6 GA Azure auto login cannot connect after upgrade. |
1111135 | Log additional debug information to aid troubleshooting. |
1115510 | SAML metadata couldn’t be generated causing SAML authentication to fail. |
1126825 | SSL VPN stops functioning when ssl.root interface is added to a zone used by at least one policy. |
Anti Virus
Bug ID | Description |
---|---|
1054835 | Large file downloads take longer than expected due to a WAD process issue. |
1100819 | SMB traffic fails when the file server uses AES-256-GCM/CCM encryption with FortiOS. |
1104189 | In TP VDOM, the WAD creates the expectation session for FTP data connection if the firewall is in the proxy mode. This session does not have the outdev info. |
1111973 | Unable to create an AV profile on devices that have 2 GB RAM. |
Application Control
Bug ID | Description |
---|---|
1064413 | When using SD-WAN load balancing, some sites are slow or inaccessible when the Application Control action is set to Allow. |
1102636 | After the first DB update, only signatures in the built-in DB are loaded. |
DNS Filter
Bug ID | Description |
---|---|
1025233 | Support Encrypted Client Hello (ECH) in flow mode. |
1096380 | FortiGate in proxy mode sends the cached DNS response when it receives a DNS registration request. |
1100282 | ChromeOS Flex cannot access SharePoint when using FortiGate DNS servers. |
Endpoint Control
Bug ID | Description |
---|---|
1066250 | Verification of EMS and upgrade of FGT with verified EMS should promote CA to fabric-ca. |
1090981 | EMS is unable to properly synchronize the FortiGate configuration for non-web ZTNA applications when FortiGate has multiple EMS units. |
1093786 | Expired FCEM contract generated by FortiFlex is loaded to FortiGate VM. |
1098350 | Sometimes the GUI > Asset FortiClient page cannot display the ems-tag for a VPN user, which causes the "Matched Endpoints" page to miss those users. |
Explicit Proxy
Bug ID | Description |
---|---|
1114438 | Policy test feature not working on FortiProxy 7.4.5 and 7.4.6 when no wad debugs are running in the background. |
1115137 | Expand the proxy-auth-timeout maximum value. |
1116555 | Deep scanning occurs when accessing subcategories of websites with category-based proxy policies despite disabling subcategory checks. |
1134310 | SSL exemption not working on proxy policy when partial match occurs. |
1103272 | Wrong SSL certificate for block page replacement messages returns. |
1107762 | webproxy is not respecting the over-size limit value when system memory is large. |
Firewall
Bug ID | Description |
---|---|
723186 | GUI should not filter out the MAC address type from the multicast policy page. |
946762 | On the policy list, the ZTNA Tag and Secondary ZTNA Tag options do not work when multiple tags are used in the policy. |
993138 | Misleading logs with subtype="ztna" appear when only a virtual-server is in a firewall policy. |
994986 | The By Sequence view in the Firewall policy list may incorrectly show a duplicate implicit deny policy in the middle of the list. This is purely a GUI display issue and does not impact policy operation. The Interface Pair View and Sequence Grouping View do not have this issue. |
1025078, 1086315 | When using a virtual server, some customers observed issues of memory usage increases and client sessions not disconnecting. |
1025969 | Policy enforcement fails for wildcard FQDN hosts as destination targets because the address records are not added to the wildcard entry when processing a server response for an FQDN’s domain name. |
1038650 | On policy list, using the Clear counter and Update statistic options for a single policy should not refresh the whole policy list. |
1050906 | Under heavy network traffic, the Netflow session cache for sampled traffic quickly reaches the hardcoded RAM limit, causing the sFlow daemon to shut down. |
1055898 | HTTP/2 post without content-length is not supported in half-ssl virtual server. |
1066136 | Denied sessions were bidirectional and caused all traffic to be blocked. |
1078662 | If an interface on an NP7 platform has the set inbandwidth XXX, set outbandwidth XXX, and set egress-shaping-profile XX settings, the following issues may occur: |
1081542 | On FortiGate, packets are dropped when UTM and ASIC offloading are enabled. |
1088507 | ICMP Echo replies sent through local-in-policy with virtual-patch enabled are routed through incorrect interfaces during traffic handling. |
1097628 | Firewall policy filter does not work well on source and destination columns for "all" and "ems" addresses. |
1098208 | After FortiGate exits conserve mode, some policies failed to install into the kernel at the same time. |
1101865 | Unexpected trailing characters in Netflow template 257. |
1102471 | Unexpected traffic hit policy in forward traffic log. |
1103748, 111268 | Threat feeds used as source or destination addresses in security policies may not match correctly. |
1104208 | NAT is incorrectly applied to traffic when a single SYN packet is sent to a VIP without an acknowledgment or reset. |
1106112 | Small platforms cannot remove FFDB shared memory files. |
1107003 | The local-in/central-snat/multiple policy dialog page should filter out member interfaces of SD-WAN from omniselect list. |
1108540 | Search in the Address group dialog box using a partial word match takes more than a minute. |
1110135 | Policy lookup for UDP protocol with FQDN not working. |
1111263 | tcpsock command missing PID/process name for sessions in established state. |
1117165 | Leaving the apn field empty in a GTP APN traffic shaping policy means that the policy will not match any traffic. Consequently, APN traffic shaping can only be applied to specific APNs. To configure GTP APN traffic shaping: config gtp apn-shaper / edit <policy-id> / set apn [<apn-name> <apngrp-name> ...] / set rate-limit <limit> / set action {drop | reject} / set back-off-time <time> / next / end |
1120749 | If session is in SYN_SENT or SYN_RECV state, and FortiGate receives a second SYN with different ISN, it will drop the second SYN. |
1121944 | A firewall policy allows traffic from client to server, but no policy exists for server to client. When traffic is not matched from server to client, a block session forms that blocks traffic in both directions. |
1136163 | The local-in-policy session TTL does not follow the service session-ttl. |
1139282 | VIP with set ldb-method http-host sends incorrect FQDN in ClientHello to second realserver when using HTTP2. |
FortiGate 6000 and 7000 platforms
Bug ID | Description |
---|---|
790464 | After a failover, ARP entries are removed from all slots when an ARP query of single slot does not respond. |
976521 | High CPU usage by the node process occurs when loading 7000 policies due to fetching all statistics in one request. |
998615 | When doing a GUI-packet capture on FortiGate, the through-traffic packets are not captured. |
1062080 | SNMP query returns an error when there is a large number of BGP routes. |
1078334, 1103739 | High cmdbsvr CPU usage and FTP hang issues occur during scheduled automation backup executions due to automated backups appending device serial numbers to file names. |
1095936 | Different sensors appear in the list of FIM1 and FIM2. |
1096156 | GUI unreachable due to certificates and private keys mismatches in a HA setup. |
1097428 | The Security Profile menu does not appear in the GUI for Global VDOM on FortiGate 6K/7K devices despite being accessible through CLI. |
1102413 | Session count for VDOMs incorrect in FortiGate 6K/7K devices. |
1102481 | Local-in remote access issues due to incorrect destination address. |
1105009 | The command execute load-balance slot manage X fails on FortiGate 6K/7K devices when admin-telnet is disabled and then re-enabled. |
1108181 | Unexpected behavior observed in the confsyncd daemon due to an erroneous memory allocation. |
1109415 | New SNMP MIB table for chassis sensor. |
1109601 | Sometimes graceful upgrade failed from 7.4.6/7.4.7 to a later GA release. |
1109963 | SFF-8472 diagnostic support was not recognized on SFP transceivers in FG-7941F systems. |
1112581 | On the FortiGate 7000F platform, after upgrading from FortiOS 7.4.7 to 7.6.2, cmdbsvr CPU usage can be at 99% on one or more FPMs for several minutes. During high CPU usage, FortiGuard packets cannot be synchronized to the affected FPM(s). |
1115656 | FG-6K session filter by source interface doesn’t set correct interface index. |
1116862 | Graceful upgrade of a FortiGate 7000E chassis to FortiOS 7.6.2 may fail for some configurations. |
1118004 | On a FortiGate 7000E FGCP cluster, after using the execute ha disconnect command to disconnect a chassis from the cluster, you can’t use the special management ports to connect to the FIM in slot 2 or to any of the FPMs of either chassis. You can still connect to the FIM in slot 1. |
1121918 | If ha-mgmt-intf is enabled, then a newly joined HA slave chassis failed to sync. |
1124603 | Traffic shaping causes traffic drop on FG-7000F. |
1130218 | Policies fail when Security Posture Tags are configured on SLBC platforms due to dynamic address sync issues outside HA mode. |
FortiView
Bug ID | Description |
---|---|
1125124 | When running more than 1 million concurrent HTTP sessions across the firewall, and trying to access session list on FortiView in the GUI, packet loss and loss of a session are observed. |
GUI
Bug ID | Description |
---|---|
919473 | Unable to move/migrate interface using the "Interface Integrate" feature if there is an IPsec tunnel bound to it. |
1047963 | High Node.js memory usage when building FortiManager in Report Runner fails. Occurs when FortiManager has a slow connection, is unreachable from the FortiGate (because FMG is behind NAT), or the IP is incorrect. |
1054026 | Offline license file cannot be uploaded to FGT by GUI. |
1055865 | NodeJS errors when event log socket is closed. |
1092489 | The config system fortiguard > fortiguard-anycast setting was changed to automatically disable when the FortiGuard page is shown on GUI. |
1097405 | Patch schedule minutes are ignored when set through the GUI for automatic upgrades. |
1099309 | The FortiOS GUI fails to load topology-related pages when temporary files generated during Security Rating operations are mistakenly read by the REST API. |
1101932 | Phase-2 details not seen in the IPsec Monitor dashboard on FortiGate GUI. |
1102404 | VDOM search function does not work properly if VDOM has uppercase letters. |
1110382 | Admin can log in to GUI (HTTPS) with password, even when admin-https-pki-required is enabled. |
1110827 | GUI shows LAN interfaces that have an IP address in the network ranges 172.31.0.0/16 or 192.168.0.0/16 to be managed by IPAM, even though the feature is globally disabled. |
1111113 | When launching the GUI console using Jet Stream theme, the character spacing appears wider than usual. |
1112716 | No log output when running debug flow on GUI. |
1114658 | Improve Node.js health check from forticron to use IPC server in Node.js rather than HTTP server. |
1115684 | FortiOS GUI ignores the FortiCare Elite contract. |
1118810 | In the Asset Identity Center, the tooltip for IoT/OT Vulnerabilities says OT license is inactive even with full license. |
HA
Bug ID | Description |
---|---|
982081 | After changing the status to down on the ha1 and ha2 ports, setting the status back to up does not bring up the ports. |
1068674 | PBA logs missing during HA failover. |
1073514 | In HA cluster, when a FortiToken is aggregated or revoked from a local.user, cluster is out of SYNC. |
1085314, 1095879 | Firewall policy page takes a long time to load on the HA Primary unit due to a loop condition between BGP and NSM when other protocols’ same route is redistributed to BGP. |
1087924 | HA secondary unit experiences high CPU usage when frequent changes are made to CMDB on the HA primary unit. |
1088956, 1101490 | Duplicated logs occur in FAZ during sniffer mode operation in HA active-passive setups because both active and passive FortiGates forward L2 packets to the IPS engine, causing duplicate entries. |
1091189 | The passive member in an A-A HA sends traffic with the virtual mac. |
1091657 | SDN connector limits the API traffic flow through root VDOM or HA management VDOM. |
1095786 | Traffic interruption occurs when performing a manual HA failback after an initial failover in VWP setups. |
1098192 | Joining a FortiGate with RAID enabled in an existing cluster causes the primary to shut down due to differing RAID statuses. |
1100177 | In an FGSP setup, on asymmetric TCP flow during SYN/ACK packet on the other member, the TCP MSS value is not adjusted according to the firewall policy. |
1101456 | In an HA setup, the aggregate interface status remains up after configuring "status down" in FortiOS due to a race condition. |
1101879 | Multiple SCTP expectation sessions are created during resynchronization due to a flag allowing duplication. |
1104892 | Duplicate IP detected messages are seen from the secondary FortiGate in a cluster. |
1105422 | A "Detected Tx Unit Hang" error occurs on the HA secondary, causing it to become out-of-sync. |
1107137 | The secondary FortiGate with an HA Reserved Management Interface cannot be accessed using HTTPS after upgrading from version 7.4.3. |
1108895 | In an FGSP cluster, enabling and disabling standalone-config-sync results in the local dev_base being deleted and synchronized with the peer, which leads to the absence of the dev_base. |
1109919 | Cluster experiences split-brain when EMAC interfaces are disabled within a zone. |
1110498 | Add IPv6 destination support under HA management interface configuration. |
1113842 | New LACP interface is not shown under diagnose sys ha standalone-peers on both FGSP members. |
1115190 | The SNMP value of fgVWLHealthCheckLinkState on the secondary unit should always be set to dead(1). |
1117725 | HA is out of sync with checksum mismatch on CA certificate on all VDOMs. |
1121117 | When two HA clusters are on the same subnet, the L2 session-sync packets could be received by each other, even if they are from two different HA clusters. |
1129088 | The sessionsync daemon experiences high CPU usage when syncing expectation sessions under heavy SCTP traffic and FGSP enablement due to inefficiencies in the dump API. |
1135866 | HA second unit cannot sync firewall ZTNA dynamic address with HA primary unit after primary disables EMS server. |
1137565 | vSN support was added in 7.2.9, 7.4.6, and 7.6.1. However, FG100F/101F support was missed by mistake. FG100F/101F does not support logical-sn. |
1138763 | IKE hasync loop and high memory consumption when peer address/port changes. |
Hyperscale
Bug ID | Description |
---|---|
1013892 | Unexpected behavior observed in NPD when the threat feed object attempted to update manually in the HA pair. |
1055443 | Add ipv4/v6-session-quota back for software sessions in hyperscale VDOM. |
1074547 | SNAT session drops occur when kernel sessions become dirty in hyperscale VDOM environments due to inconsistent NAT resource allocation between software and hardware sessions. |
1093287 | Using fixed-allocation IP Pools may cause NP7 NSS/PRP modules to become stuck, potentially disrupting traffic. Other PBA IP pools do not have this issue. |
1094162 | The diag sys npu-session list-brief command now includes additional values for timeout, duration, and policy-id and an improved filter that includes EIF sessions to enhance its functionality and filtering capabilities. |
1108263 | HA configurations are lost if hw-sess-sync-dev is configured with more interfaces than expected. (The expectation is two times the number of NP7 chips.) |
1114113 | The get sys ha status command does not offer detailed interface statistics for hardware session sync devices. |
1115761 | When handling very high traffic loads (150M to 250M concurrent sessions), the system sometimes fails to free up memory, even after all sessions have been cleared and traffic has stopped. |
1121524 | Client could not get DHCP IP address with policy-offload-level set to full-offload. |
Intrusion Prevention
Bug ID | Description |
---|---|
1040783 | FortiGate encounters CPU usage issue due to IPSEngine utilization when using an app-ctrl utm profile. |
1090616 | IPS does not pass channel ID/category ID from the first video in a YouTube playlist to WAD. |
1101633 | Child process that loads IPS database does not have CMDB permission to write to IPS table. |
1107445 | Remove IPS diagnose command diagnose ips cfgscript run. |
1113473 | When IPS generates traffic log for tunnel traffic, traffic log should include outer packet details. |
1121953 | IPSengine processes consume memory and can lead to the conserve mode. |
IPsec VPN
Bug ID | Description |
---|---|
1002325 | When spoke re-authorization is enabled, shortcut tunnel rekey fails and the tunnel goes down when the SA expires. The shortcut tunnel flaps while it re-establishes. |
1042465 | VPN interface error counter increases, traffic intermittent when NPU acceleration is enabled globally. |
1049015 | IPsec performance issue on Intel-based platforms occurs due to FortiOS not enabling all available IPsec drivers. |
1054440 | Incrementing TX and RX errors on VPN interface occur when NPU offload is disabled, busy CPU cores, or high burst traffic cause packet drops due to full queues on SoC3/Soc4 platforms. |
1057558 | A dial-up tunnel with loopback-asymroute disabled and multiple paths for IKE/IPsec traffic is configured. When the incoming ESP traffic changes path because of a routing change, reply traffic still egresses on the old interface, and traffic is dropped. |
1059778 | IPsec does not work as expected when the traffic path is from spoke dial-up to hub1, and then from hub1 to another site through a site-to-site tunnel. |
1060048 | Throughput is limited in Site to Site VPN connections between the FW1kF and the FWVM Google Cloud platform. |
1064078 | Egress shaper fails to enforce bandwidth limits on VPN ID with IPIP encapsulation IPsec interfaces due to incorrect handling of traffic forwarding across multiple network processing units. |
1071769 | L2TP/IPsec connection FortiGate-Windows Native VPN client breaks after the Windows client initiates the ISAKMP SA renegotiation. |
1073670 | An iked crash on the secondary unit caused IPsec client reconnects. |
1087651 | FortiGate does not correctly utilize timeout timers for 2FA with Remote Access over FortiClient VPN IPsec (IKEv2). |
1094028 | Unexpected behavior observed in the IKED after configuration changes when the phase1 monitor feature is used. |
1103594 | ADVPN IPsec traffic over shortcuts drops during IPsec tunnel rekey. |
1103754 | Failed HTTP sessions occur when passing through nTurbo due to improper handling of fragmented packets. |
1107198 | Transparent mode, policy-based IPsec VPN, local-out traffic automatically enters VPN. |
1109028 | With set peertype one, the FortiGate will not accept ID_IPV4_Address as peer ID for dynamic IPsec IKEv2. |
1109627 | IPsec VPN match-security-posture-tag feature won’t work when FortiClient is behind NAT. |
1112665 | Static Route is marked inactive, but the VPN IPsec is up. |
1113354 | Group list is truncated because of fixed-size buffers. |
1116825 | Juniper device unable to establish IKEv1 tunnel with FGT. |
1117758 | FGT fails to negotiate the encryption algorithm CHACHA20_POLY1305 against a third-party client. |
1117910 | iked spikes to 99.9% if client sends FIN after ike tcp session is established. |
1120003 | FortiGate presents certificate information when accessed using IPsec VPN listening interface. |
1127444 | For ADVPN 2.0 shortcut negotiation, UDP hole punching for spoke behind NAT uses source port 500 instead of 4500. |
1136536 | SIA IPsec VPN authentication fails on FortiSASE when number of groups is greater than 150 user groups. |
1102547 | IPsec IKEv2 with cert based auth and eap enabled tunnel comes up even though there is a certificate validation failure. |
Log & Report
Bug ID | Description |
---|---|
864002 | Unauthenticated User mismatch with User in logs. |
1004103 | An Unable to fetch reports error is displayed when trying to view renamed FAZ reports. |
1009584 | FGT-VM64 has no crash log record and event logs for license status change from Valid to Warning. |
1074460 | Erroneous memory allocation results in intermittent HTTPSD disruption caused by a corrupted traffic log file. |
1084934 | Firewall logs show Object Object in GUI and dstintf="unknown-0" in raw logs. |
1087534 | When trying to load a large number of logs in Log Viewer, the page keeps loading and displays a warning message. |
1091064 | Forward traffic does not contain poluuid and policyname fields. |
1100883 | Forward Traffic log fetched from FortiGate Cloud takes a long time to load on GUI. |
1107571 | Some WiFi Log descriptions are inaccurate. |
1116428 | Observed Device vulnerability lookup on FortiGuard in high frequency under the system event log. |
1118089 | tmp files for log upload are not deleted even though FTP upload is complete. |
1119147 | Secondary device fails to generate reports at the set time. |
1121505 | On FG-200F, the Security Tab keeps loading on Log > Details > Security in Forward traffic Logs. |
1122938 | Syslog traffic uses the correct exit interface after a change in source interface but fails to update the source IP. |
1129448 | The body is partially missing from emails sent by alert mail. |
1130821 | IPS sensor log-attack-context output is both truncated and monitored with payload loss. |
Proxy
Bug ID | Description |
---|---|
958200 | Packets captured by IPS indicates HTTP/1.1 in case of HTTP/2 request. |
988473 | On FortiGate 61E and 81E models, a daemon WAD issue causes high memory usage. |
1014014 | The FortiGate to IMAPS server connection does not work with TLS 1.2 because the Client Hello includes a TLS 1.3 parameter. |
1023054 | After an upgrade on a 2GB FortiGate device, the firewall policy does not switch from Proxy-based to Flow-based in the Inspection mode field. |
1051875 | The IP SNI check for strict sni-server-cert-check is skipped due to a WAD process issue. |
1066113 | Accessing certain websites through HTTPS fails when using inspect-all deep-inspection in proxy mode firewall policy. |
1096728 | An error case observed in the WAD, affecting some VIP traffic, caused by erroneous memory allocation. |
1107205 | FortiGate encounters a WAD memory usage issue when using a secure explicit web proxy with WAD user authentication to visit some websites. |
1116771 | Add a limit on the memory used by user-device-store as a percentage of the total system memory. |
1121171 | Large file downloads through proxy HTTP2 are slow when IPS/APP/SSL inspect-all enabled. |
1126253 | When VDOM configuration file is restored, it changes the no-inspection profile under ssl-ssh-profile to deep-inspection. |
1126385 | WAD fails to handle deep-inspection traffic under FIPS mode. |
REST API
Bug ID | Description |
---|---|
943756 | The API key remote could not be handled correctly for POST request /api/v2/cmdb/vpn.certificate/remote. |
1019750 | The available interfaces list is slow in configurations with many IPsec tunnel connections. |
1026547 | Sensor information through REST API on a FG-81F returns 404 error. |
1071799 | Failed to rename switch-controller managed-switch entries through the CMDB REST API. |
1107698 | Adding ipv6-trusthost under api-user overrides the ipv4-trusthost setting and allows all IPv4 source IP addresses. |
Routing
Bug ID | Description |
---|---|
897308 | The system fib version does not match VDOM fib version in FG-1801F. |
1008434 | The speed-test result files are not deleted after test runs. The new test ID may collide with a previous result. In this case, the GUI may read a previously failed result and report errors. |
1058283 | Routing Widget is unresponsive due to high number of routes when using search to filter the routes and do route-lookup. |
1058700 | SD-WAN rule in load-balance mode limited to 8 active SD-WAN members. |
1072311 | BGP flaps occur when high L2P TPE drops are detected under heavy IPsec traffic conditions. |
1080449 | IPv6 prefix delegation does not add IPv6 route automatically. |
1082842 | The loopback interface does not appear as an outgoing option for BGP peer connections when configuring through the GUI. |
1084851 | When adding a new static route and prefix-list using the CLI, 0.0.0.0/0 takes effect despite the dst and prefix having an invalid format. |
1084907 | IPv6 routes are inactive when dual stack BFD is configured. |
1086944 | The BGP router-id fails to reset after editing the neighbor group settings because the dialog doesn’t properly handle the reset functionality. |
1093215 | Users can create a BGP neighbor without configuring remote-as using CLI, and after completing BGP neighbor configuration, neighbor will remain in admin down state. |
1095307 | When filtering an SD-WAN rule with a member, it fails to show results for physical interfaces with Alias names. |
1099554 | FortiGate uses link-local IPv6 address as nexthop in VLAN network, instead of global address. |
1100529 | BGP Stale route not working as expected. |
1103212 | GUI BGP AS number with asdot/asdot+ format will silently drop the trailing 0s on "set set-aspath" router-map config. |
1105064 | IPv6 traffic can’t match the correct firewall policy in certain SD-WAN cases. |
1108192 | Restore image from FTP server failed using SD-WAN. |
1108874 | SD-WAN Default_DNS performance SLA shows all participants of Default_DNS are down. |
1109286 | Incorrect priorities applied from Remote Health-checks. |
1111233 | auto-asic-offload disabled under vne-interface after upgrading from 7.4.6 to 7.6.1. |
1111967 | SD-WAN zone not selectable as interface in GUI for DoS policy, multicast policy, and central snat map. |
1113929 | Incorrect SDWAN rule is matched. fib-best-match is configured under zone. |
1114687 | SNMP response times out when querying SD-WAN health check. |
1116924 | In SD-WAN, when detect mode Prefer Passive is used, the routing table is not updated in time. |
1118891 | ADVPN shortcut is established between different transport-groups. |
1119119 | Inadvertent behavior observed in BGPD due to erroneous memory freeing when applying route-maps. |
1122021 | FortiGate disregards SD-WAN members for path selection even when they are in SLA. |
1128032 | Traffic fails with Fabric Overlay Orchestrator using automatic policy creation with system zones. |
1129698 | When FortiAnalyzer setting interface-select-method is sdwan, the FortiAnalyzer connection is closed and restarted, even though the SD-WAN interface doesn't change. |
1133796 | IPv6 routes are stuck on kernel routing table. |
1138483 | link-monitor daemon drops the trailing characters when a long hostname is used for SD-WAN health-check. |
Security Fabric
Bug ID | Description |
---|---|
903922 | Physical and logical topology is slow to load when there are a lot of managed FortiAP devices (over 50). This issue does not impact FortiAP management and operation. |
1006397 | Granular failure details for each device in a federated upgrade are now reported, allowing users to identify individual devices with specific failure reasons during the upgrade process. |
1011833 | FortiGate experiences a CPU usage issue in the Node.js daemon when there are multiple administrator sessions running simultaneously. |
1021684 | In some cases, the Security Fabric topology cannot load properly and displays a Failed to load Topology Results error. |
1090401 | Error messages from netxd API calls are not displayed when running as a daemon because they are printed to stderr instead of the CLI. |
1099235 | Scheduled triggers do not include eventtime in log entries, causing automation scripts using %%log.eventtime%% to fail and generate filenames with missing or incorrect timestamps. |
1101806 | Failed to trigger Security Rating Summary event automation stitch due to issue with log field ID. |
1111619 | The replacemsg-group in automation-action gets unset when system reboots. |
1113463 | FortiGate Azure connector fails to retrieve AKS information on AKS 1.29.5. |
1119616 | An externally maintained threat feed contains both resource FQDNs and IP address ranges/subnets. An entry such as <addr>/0x1 then matches half of all possible IPv4 addresses and causes network disruption. |
1120652 | Fabric topology with two devices on different VDOMs but behind the same router shows wrong VDOM data on tooltip. |
1134970 | Inconsistent DNS TTL behavior in Kubernetes API through SDN-Connector. |
Switch Controller
Bug ID | Description |
---|---|
1015992 | Cannot disable Lockdown ISL setting on FortiLink. |
1016034 | Lockdown ISL setting on FortiLink is enabled automatically after HA failover. |
1108965 | Config sync error due to dhcp-snooping-static-client. |
1113465 | VLAN configurations intermittently fail to assign on FSW ports when devices matching DPP policy come online, which is caused by a race condition during FSW initialization. |
1130242 | Partial SNMP community configuration gets pushed from the FGT to the FSW. |
1138333 | Increase efficiency of FortiLink configuration daemon memory usage. |
System
Bug ID | Description |
---|---|
814119 | drop-overlapped-fragment {enable \| disable} does not work on NP7 platforms. |
932077 | Connection issue between SOC4 platform and Hirschmann GRS 105 switches since SOC4 doesn’t support certain carrier extension signals. |
976722 | Invalid YAML files are generated when exporting configurations containing multi-value attributes or long strings with newline characters. |
992323, 1056133, 1075607, 1082413, 1084898 | Traffic interrupted when traffic shaping is enabled on 9xG and 12xG. |
1017941 | GUI interface bandwidth shows a terabyte spike for a gigabyte interface. Affected platforms: FGT-220xE and FGT-330xE |
1040137 | NPD skips config parsing when policy-offload-level set to disable. |
1040489 | Traffic using VXLAN VTEP with a loopback over an IPsec VPN is dropped when VXLAN and IPsec are configured in different VDOMs due to incorrect tunnel creation success indicators. |
1046484 | After shutting down FortiGate using the "execute shutdown" command, the system automatically boots up again. |
1069208 | If the DHCP offer contains padding when DHCP relay is used, the DHCP relay deletes the padding before relaying the packet. |
1075279 | Member interfaces of VWP appear in packet capture creation dialog despite being ineligible. |
1076883 | When the top application bandwidth feature is disabled, the GUI process still performs the initial check for application bandwidth, which may cause FortiCron to experience high CPU usage. |
1077562 | Hardware egress shaping doesn’t work on SOC5 when NPU offload is enabled. |
1078119 | Traffic is intermittently interrupted on virtual-vlan-switch on Soc5 based platforms when a multicast or broadcast packet is received. |
1078568 | When FortiManager adds FortiGate via serial number and is behind NAT, FortiGate cannot initiate requests to FortiManager, causing the GUI to fail in retrieving the certificate CN/SAN and resulting in an error. |
1079850 | HA1/HA2 ports remain down after setting status to up. Rebooting fixes the issue. |
1085407 | FortiGate unresponsive when default-qos-type is set to shaping. |
1086268 | VXLAN interface cannot be created if its underlying interface is DHCP. |
1087160 | NP drops traffic when VXLAN is a member of software switch in implicit mode. |
1087270 | Unexpected traffic increase over the FortiGate 6000 base backplane. |
1089143 | The time change in FOS is restored after reboot. The RTC node is not created correctly so the time change can’t be kept in RTC. |
1089272 | The "+" sign cannot be viewed or clicked when a user is assigned an admin profile with read-only access, which restricts actions that require write privileges. |
1090372 | Cannot create more than seven access profile entries on a FortiGate 40F. |
1091175 | Incorrect values show on the Interface Bandwidth monitor and in SNMP. |
1091551 | Hardware limitation on the NP7 platform causes the following QTM related issues: |
1094404 | State of peer ports of FGT ports (negotiated speed, 1G) is down after upgrade on specific FGT models. |
1095834 | Memory usage of node process continuously increases when FortiManager is configured but unreachable. |
1096409 | EXPIRE dates cannot be displayed properly when displaying the output of get sys fortiguard-service status. |
1096878 | DNS cache flushing occurs too frequently due to unnecessary interface-reload events triggered by DHCP6 packets and SLAAC updates. |
1099770 | NP7 drops encrypted GRE packets that have checksum bit set (1) due to invalid checksum. |
1101392 | Administrators can execute the command diagnose sys ha reset-uptime when the Admin Profile permission is set to Read. |
1101647 | FortiGate encounters a CPU usage issue for the cmdbsvr process. |
1102416 | Cannot push config sfp-dsl enable and vectoring under interface. |
1103146 | Duplicated RADIUS packets are captured by the sniffer when performing firewall authentication with a RADIUS server. |
1103966 | On FG901G gen1/2 units, "diag hardw test asic" reports FAILED. |
1104410 | The FortiGate-120G SFP ports fail to establish connectivity when configured with set speed 1000full due to improper auto-negotiation handling. |
1104966 | SNMP fgDiskCount.0 OID does not return the disk count value. |
1105989 | System global configuration lost due to port collision. |
1105995 | The switch MTU doesn’t set correctly on 100m speed. |
1109633 | The FGT prompts the user to choose a certificate during login, even when no PKI admin is set. |
1110527 | FortiGate did not update password-expire time on the start or end of daylight savings time. |
1111601 | FortiGuard sends IP addresses to the proxy instead of FQDNs. |
1112376 | Unexpected behavior observed in the newcli daemon due to inconsistencies in node registration between cmdbsvr and other daemons. |
1113720 | Traffic could not work with Proxy-ARP over the VXLAN network (VXLAN VTEP with the loopback over IPsec VPN configuration). |
1115486 | Virtual switch interface drops LLDP packets. |
1116922 | FortiGate encounters a memory usage issue if too many ports have LLDP reception enabled. |
1117435 | Add SNMP new OIDs fgAdminLoggedInTable for get sys admin list. |
1117527 | VXLAN interface should be brought down when underlay interface is down. |
1119595 | FGT doesn't change the IP address of the FortiGuard FQDN which is set in "central-management". |
1120467 | No SNMP trap at power failure for DC PSU. |
1120907 | High traffic load on a particular interface causes packet loss on other interfaces of the FortiGate. |
1122306 | Typo in log-controller-update request. |
1123727 | Offload failed when egress shaping applied on VLAN interface on SOC5 platform. |
1124024 | When set append-index disable in system.snmp.sysinfo, querying per-VDOM BGPPeerTable might get incorrect results because of no updates. |
1125301 | FortiGate stuck after reloading configuration that contains expired user passwords. |
1125947 | FortiGate encounters a memory usage issue due to usage by HTTSD |
1126100 | Expired user passwords are stored as plaintext in configuration files when password history is enabled. |
1126327 | The SNMP query for fgSwPortSwitchSerialNum gives switch name as the output instead of SN. |
1128087 | In new version of RDP client, FortiGate drops some RDP sessions due to IPv6 extended headers. |
1133159 | Inbandwidth setting not respected with large number of class IDs in shaping profile. |
1133842 | Packet dropped with 'DCE_IVS_IGR_DIR_DROP' over hardware switch. |
1142013 | Policing improvement for QTM by limiting buffer size or switching to TPE (shaping-profile mode of config). |
Upgrade
Bug ID | Description |
---|---|
1043815 | Upgrading the firmware for a large number (100+) of FortiSwitch or FortiAP devices at the same time may cause performance issues with the GUI and some devices may not upgrade. |
1102990 | SLBC FortiGate 5001E primary blade failed to install image, even though graceful-upgrade was disabled. |
1104649 | In 7.6.1 and 7.6.2, if a local-in policy, local-in-policy6, DoS policy, interface policy, multicast policy, TTL policy, or central SNAT map is used in an interface in version 7.4.5, 7.6.0, or any previous GA version that was part of the SD-WAN zone, these policies will be deleted or show empty values after upgrading to version 7.6.1 or 7.6.2. |
1105771 | Upgrade from 7.4.6 GA to 7.6.1 GA results in an incomplete WAD device memory list table and triggers WAD error. |
1106072 | The image file transfer between FortiManager and FortiGate may not work as expected when transferred by the FGFM tunnel. |
1110809 | Egress-shaping-profile setting lost on interface after upgrade. |
1114232 | When upgrading FortiGate from earlier than 7.4.1 to 7.4.1 or later, system.replacemsg.webproxy configuration is lost. |
1123954 | Upgrading FortiOS from 7.2.10 to 7.4.5 will automatically enable FortiGuard updates without a warning. |
1130861 | FG-4401F enters a reboot loop after upgrading from 7.2.9 GA to 7.4.6 GA with a large config file (more than 10K policies). |
User & Authentication
Bug ID | Description |
---|---|
1017348 | Memory usage by the fsso_ldap daemon increases continuously when the LDAP server responds with "LDAP_UNWILLING_TO_PERFORM" due to an unhandled memory allocation issue. |
1020808 | Use new keys for certificate renewal through EST server. |
1025260 | Wildcard admin remote authorization password change in system GUI does not work. |
1043189 | Low-end FortiGate models with 2GB memory can enter conserve mode when processing large amounts (over 5000 user records) of stored user store data, when each record has a large amount of IoT vulnerability data. For example, the Users and Devices page or a FortiNAC request can trigger the following API call that causes the httpsd process to spike in CPU and memory: GET request /api/v2/monitor/user/device/query |
1054818 | Password encryption changed for config vpn certificate local without actual certificate changes. |
1075207 | Errors may occur in the FNBAMD due to the presence of two wildcard-enabled remote administrators in separate VDOMs. |
1077636 | No SNMP trap available to detect FSSO external connected status change. |
1091483 | When importing local certificate, GUI displays an error, even when certificate is correctly imported. |
1093538 | In SAML config, after enabling "AD FS claim" (Active Directory Federation Services) and rebooting, the "Attribute used to identify users" and "Attribute used to identify groups" fields are blank. |
1093542 | FortiGate admin user authentication with token+RADIUS fails when wildcard user is configured. |
1093654 | FGT uses global DNS when attempting to provision a certificate through SCEP or EST. |
1105305 | Guest user not removed past expiry time. |
1119143 | Unable to view local certificate in GUI or CLI after certificate import. |
1121987 | Overlapping text when viewing FSSO user login groups membership. |
1136244 | RSSO not working on 7.6.x with Cisco Meraki MX. |
VM
Bug ID | Description |
---|---|
999842 | Azure fails to honor seamless live migration. In most cases, the public IP to private IP NAT fails to forward traffic from/to SD-WAN. |
1012000 | When unicast HA setup has a large number of interfaces, FGT Hyper-V takes a long time to boot up. |
1094600 | The system.virtual-wire-pair and system.vxlan do not work on cloud images (Azure, AWS, GCP). |
1101264 | On Azure-FGT A-P HA cluster with SDN connector v7.4.5, the failover time increased from 2-4 request timed out to 10-12. |
1102434 | Configuring VRF on hbdev causes FGT VM HA not to sync. |
1107007 | samld stops working when certificate set to Fortinet_Factory in user SAML. |
1107933 | GRE decapsulation tasks use a single CPU core on AWS FortiGate with ENA NIC drivers. |
1107962 | Dynamic addresses are removed/added every few seconds when the OCI SDN connector fetches only the first page of API results. |
1109724 | Azd daemon on Azure NVA keeps consuming memory until FortiGate enters conserve mode. |
1113362 | FGT-VM64-AZURE cannot establish connection with other FGTs in the Security Fabric tree. |
1121521 | Azure SDN connector does not properly catch AKS cluster state. |
1121974 | Due to continuous disk logging, slab memory for dentry continuously increases in FortiGate VM. |
1128351 | Configuration fails to fully apply during bootstrap when the reboot function does not trigger an immediate reboot, causing cloudinit to re-run with insufficient tablespace. |
Web Filter
Bug ID | Description |
---|---|
874516, 1100819 | SMB traffic fails when the file server uses AES-256-GCM/CCM encryption with FortiOS. |
906603 | For newly created webfilter profile, GUI commits local and remote categories’ Allow action to Monitor. |
1099818 | Output of the diagnose webfilter fortiguard cache dump command shows the message "Cache is not enabled". |
1107456 | FG-120G webfilter.profile tablesize is incorrect. |
1110668 | Add an option to control webfilter.urlfilter simple-type entries match subdomains. |
1110850 | The value for x-forwarded-for is not properly displayed in the log on AWS environment. |
1118132, 1122036, 1127984 | Webfilter local category override not working after reboot in flow mode. |
WiFi Controller
Bug ID | Description |
---|---|
823387 | Email addresses collected from the captive portal do not show up under the user column under WiFi clients. |
921080 | The FortiGate hostapd does not support an IPv6 address for the RADIUS server. |
987030 | Unexpected behavior observed in the CAPWAP daemon when managing multiple APs and clients through dynamic VAP changes. |
1013892 | On FortiGates in an HA pair, the npd process does not work as expected when trying to manually update the threat feed. |
1030197 | For an SSID with radius-mac-auth and radius-mac-auth-usergroups in HA environment, the secondary unit is missing some information, and traffic is blocked after failover. |
1039985 | Erroneous memory allocation observed in the CAPWAP function on NP6 and NP6XLite platforms due to a rare error case. |
1080094 | Offline station data consumes excessive memory when the sta-offline-cleanup or max-sta-offline settings are not configured. |
1083395 | In an HA environment with FortiAPs managed by the primary FortiGate, the secondary FortiGate GUI Managed FortiAP page may show the FortiAP status as offline if the FortiAP traffic is not routed through the secondary FortiGate. This is only a GUI issue and does not impact FortiAP operation. |
1086128 | An error condition in CAPWAP occurred due to a rare case. |
1089999 | FAPs remain offline post-upgrade when using image stored on FortiGate. |
1094415 | VLAN pooling does not work as expected on the SSID after FGT upgrades from 7.4.1 to 7.4.5. |
1096961 | When using FMG to upgrade FAP, FGT did not generate AP image receive success log (ID 43618). |
1098727 | Enable 5GHz channels 52-64, 108, 116-128 for FAP-231G-P, 431G-P Uzbekistan. (Uzbekistan has no DFS certification process.) |
1100220 | External/FortiGuest MPSK COA disconnect is not functional. |
1101583 | Intermittent traffic disruption observed in cw_acd caused by a rare error condition. |
1102808 | APs disconnect from the firewall when new configurations are applied. |
1108726 | FortiAPs periodically lose connectivity with FortiGate (acting as WLC) due to an error case. |
1114144 | WSSO firewall authorization session cannot be created when FGT receives multiple group attributes, and the first group does not exist. |
1114311 | Packets are incorrectly routed when FAP management interface uses clear-text dtls-policy in a software switch with explicit intra-switch-policy. |
1123829 | Support legal firewall policy when SD-WAN/zone member interface manages FAP with dtls-policy set to ipsec-vpn. |
1128272 | FGT-120G PPPoE interface cannot manage teleworker FAP-231F. |
1130750 | Managed AP 5Ghz radio channel override value missing after changes on AP-profile. |
1133829 | FAP stays offline after the FGT is rebooted. |
1139749 | FortiGate does not honor source IP for MPSK RADIUS requests. |
ZTNA
Bug ID | Description |
---|---|
1101022 | FortiClient gets a blank page when doing SAML authentication due to the use of a stale user node. |
1107986 | Should be unable to select geography object in ZTNA proxy-policy. |
1111112 | Unable to configure more than eight mapped ports for access proxy realservers when the limit is 16. |
1114976 | ZTNA policy matching failed due to an accidental deletion of firewall.policy with ZTNA tags when the firewall.policy is updated. |
Vendor notes: FortiOS 7.6.3 Release Notes
Regards,
The B&B Team
Security in business