Anti Spam

Bug ID Description
877613 Mark as Reject can be still chosen as an Action in an Anti-Spam Block/Allow List in the GUI.

Endpoint Control

Bug ID Description
730767 The new HA primary FortiGate cannot get EMS Cloud information when HA switches over.

Workaround: delete the EMS Cloud entry then add it back.

Explicit Proxy

Bug ID Description
817582 When there are many users authenticated by an explicit proxy policy, the Firewall Users widget can take a long time to load. This issue does not impact explicit proxy functionality.


Bug ID Description
719311 On the Policy & Objects > Firewall Policy page in 6.4.0 onwards, the IPv4 and IPv6 policy tables are combined but the custom section name (global label) is not automatically checked for duplicates. If there is a duplicate custom section name, the policy list may show empty for that section. This is a display issue only and does not impact policy traffic.

Workaround: rename the custom section to unique name between IPv4 and IPv6 policies.

843554 If the first firewall service object in the service list (based on the order in the command line table) has a protocol type of IP, the GUI may incorrectly modify its protocol number whenever a new firewall service of the same protocol type IP is created in the GUI.

This silent misconfiguration can result in unexpected behavior of firewall policies that use the impacted service. For example, some 6K and 7K platforms have firewall service ALL (protocol type IP) as the first service, and this can cause the ALL service to be modified unexpectedly.

Workaround: create a new service in the CLI, or move a non-IP type services to the top of the firewall service list. For example, if ALL is the first firewall service in the list:

config firewall service custom
    edit "unused"
        set tcp-portrange 1
    move "unused" before "ALL"
897849 Firewall Policy list may show empty sequence grouping sections if multiple policies are sharing the same global-label.

Workaround: drag and drop the policy to the correct sequence group in the GUI, or remove the global-label for each member policy in the group except for the leading policy. For example, in the configuration, policy 2 will be automatically grouped under group1 without the need of adding the same global-label.

  • Policy 1 (global-label "group")
  • Policy 2
  • Policy 3 (global-label "group2")
  • Policy 4


Bug ID Description
440197 On the System > FortiGuard page, the override FortiGuard server for AntiVirus & IPS Updates shows an Unknown status, even if the server is working correctly. This is a display issue only; the override feature is working properly.
677806 On the Network > Interfaces page when VDOM mode is enabled, the Global view incorrectly shows the status of IPsec tunnel interfaces from non-management VDOMs as up. The VDOM view shows the correct status.
685431 On the Policy & Objects > Firewall Policy page, the policy list can take around 30 seconds or more to load when there is a large number (over 20 thousand) of policies.

Workaround: use the CLI to configure policies.

707589 System > Certificates list sometimes shows an incorrect reference count for a certificate, and incorrectly allows a user to delete a referenced certificate. The deletion will fail even though a success message is shown. Users should be able to delete the certificate after all references are removed.
708005 When using the SSL VPN web portal in the Firefox, users cannot paste text into the SSH terminal emulator.

Workaround: use Chrome, Edge, or Safari as the browser.

755177 When upgrading firmware from 7.0.1 to 7.0.2, the GUI incorrectly displays a warning saying this is not a valid upgrade path.
810225 An undefined error is displayed when changing an administrator password for the first time. Affected models: NP7 platforms.
853352 On the View/Edit Entries slide-out pane (Policy & Objects > Internet Service Database dialog), users cannot scroll down to the end if there are over 100000 entries.
898902 In the System > Administrators dialog, when there are a lot of VDOMs (over 200), the dialog can take more than one minute to load the Two-factor Authentication toggle. This issue does not affect configuring other settings in the dialog.

Workaround: use the CLI to configure two-factor-authentication under config system admin.


Bug ID Description
810286 FGSP local sessions exist after rebooting an HA pair with A-P mode, and the HW SSE/session count is incorrect.
818432 When private data encryption is enabled, all passwords present in the configuration fail to load and may cause HA failures.


Bug ID Description
795853 VDOM ID and IP addresses in the IPL table are incorrect after disabling EIF/EIM.
811109 FortiGate 4200F, 4201F, 4400F, and 4401F HA1, HA2, AUX1, and AUX2 interfaces cannot be added to an LAG.
836976 Sessions being processed by hyperscale firewall policies with hardware logging may be dropped when dynamically changing the log-processor setting from hardware to host for the hardware log sever added to the hyperscale firewall policy. To avoid dropping sessions, change the log-processor setting during quiet periods.
838654 Hit count not ticking for implicit deny policy for hardware session in case of NAT46 and NAT64 traffic.
839958 service-negate does not work as expected in a hyperscale deny policy.
842659 srcaddr-negate and dstaddr-negate are not working properly for IPv6 traffic with FTS.
843132 Access control list (ACL) policies added to a hyperscale firewall VDOM that is processing traffic may take longer than expected to become effective. During a transition period, traffic that should be blocked by the new ACL policy will be allowed.
843197 Output of diagnose sys npu-session list/list-full does not mention policy route information.
843266 Diagnose command should be available to show hit_count/last_used for policy route and NPU session on hyperscale VDOM.
843305 Get PARSE SKIP ERROR=17 NPD ERR PBR ADDRESS console error log when system boots up.
844421 The diagnose firewall ippool list command does not show the correct output for overload type IP pools.
846520 NPD/LPMD process killed by out of memory killer after running mixed sessions and HA failover.


Bug ID Description
761754 IPsec aggregate static route is not marked inactive if the IPsec aggregate is down.

Log & Report

Bug ID Description
850642 Logs are not seen for traffic passing through the firewall.
860822 When viewing logs on the Log & Report > System Events page, filtering by domain\username does not display matching entries.

Workaround: use a double backslash (domain\\username) while filtering or searching by username only without the domain.


Bug ID Description
836101 FortiGate is entering conserve mode due to a WAD memory leak.
837724 WAD crash occurs.

Security Fabric

Bug ID Description
614691 Slow GUI performance in large Fabric topology with over 50 downstream devices.
794703 Security Rating report for Rogue AP Detection and FortiCare Support checks show incorrect results.


Bug ID Description
847664 Console may display mce: [Hardware Error] error message after fresh image burn or reboot.
884023 When a user is logged in as a VDOM administrator with restricted access and tries to upload a certificate (System > Certificates), the Create button on the Create Certificate pane is greyed out.
900670 QSFP/QSFP+ port23/port24 are down after upgrading to 7.0.11 on FG-3401E.
903397 After upgrading to 7.0.11, FortiOS cannot display QSFP+ transceiver information. Affected platforms: FG-110xE, FG-220xE, FG-330xE, FG-340xE, and FG-360xE.

User & Authentication

Bug ID Description
765184 RADIUS authentication failover between two servers for high availability does not work as expected.

Web Filter

Bug ID Description
766126 Block replacement page is not pushed automatically to replace the video content when using a video filter.

WiFi Controller

Bug ID Description
814541 When there are extra large number of managed FortiAP devices (over 500) and large number of WiFi clients (over 5000), the Managed FortiAPs page and FortiAP Status widget can take a long time to load. This issue does not impact FortiAP operation.
904349 Unable to create FortiAP profile in the GUI for dual-5G mode FortiAP U231F/U431F models.

Workaround: use the CLI to update the profile to dual-5G mode.


Bug ID Description
848222 ZTNA TCP forwarding is not working when a real server is configured with an FQDN address type.

An FQDN address type that can resolve public IPs is not recommended for ZTNA TCP forwarding on real servers because the defined internal DNS database zone is trying to override it at the same time. By doing so, the internal private address may not take effect after rebooting, and causes a ZTNA TCP forwarding failure due to the real server not being found.