Fortinet opublikował FortiOS 7.4.2 który zawiera sporo nowych funkcjonalności wprowadzających różnorodne ulepszenia, które zwiększają elastyczność, niezawodność i możliwości zarządzania w środowisku FortiOS. Nowości to między innymi wsparcie dla NetFlow v9 w Hyperscale, opcja Enforce-seq-order dla Logów w Hyperscale, konfigurowalna metoda rozdziału tuchu dla VDOM, wsparcie dla przyspieszenia rolling AP, wspieranie TCP w Hyperscale Logging, zastosowanie Tokena FortiFlex, obsługa GUI dla AWS SDN Connector, integracja z Azure dla FortiGate VM. Więcej informacji w artykule!
Aktualizacja jest dostępna dla poniższych modeli urządzeń FortiGate:
| FortiGate | FG-40F, FG-40F-3G4G, FG-60E, FG-60E-DSL, FG-60E-DSLJ, FG-60E-POE, FG-60F, FG-61E, FG-61F, FG-70F, FG-71F, FG-80E, FG-80E-POE, FG-80F, FG-80F-BP, FG-80F-POE, FG-81E, FG-81E-POE, FG-81F, FG-81F-POE, FG-90E, FG-91E, FG-100F, FG-101F, FG-140E, FG-140E-POE, FG-200E, FG-200F, FG-201E, FG-201F, FG-300E, FG-301E, FG‑400E, FG-400E-BP, FG‑401E, FG-400F, FG-401F, FG‑500E, FG-501E, FG-600E, FG-601E, FG-600F, FG-601F, FG-800D, FG‑900D, FG-900G, FG-901G, FG-1000D, FG-1000F, FG-1001F, FG-1100E, FG-1101E, FG-1800F, FG-1801F, FG-2000E, FG-2200E, FG-2201E, FG-2500E, FG-2600F, FG-2601F, FG-3000D, FG-3000F, FG-3001F, FG-3100D, FG‑3200D, FG-3200F, FG-3201F, FG-3300E, FG-3301E, FG-3400E, FG-3401E, FG-3500F, FG-3501F, FG-3600E, FG-3601E, FG-3700D, FG-3700F, FG-3701F, FG-3960E, FG‑3980E, FG-4200F, FG-4201F, FG-4400F, FG-4401F, FG-4800F, FG-4801F, FG-5001E, FG‑5001E1, FG-6000F, FG-7000E, FG-7000F |
| FortiWiFi | FWF-40F, FWF-40F-3G4G, FWF-60E, FWF-60E-DSL, FWF-60E-DSLJ, FWF-60F, FWF-61E, FWF-61F, FWF-80F-2R, FWF-81F-2R, FWF-81F-2R-POE, FWF-81F-2R-3G4G-POE |
| FortiGate Rugged | FGR-60F, FGR-60F-3G4G, FGR-70F, FGR-70F-3G4G |
| FortiFirewall | FFW-1801F, FFW-2600F, FFW-3980E, FFW-4200F, FFW-4400F, FFW-4401F, FFW-VM64, FFW-VM64-KVM |
| FortiGate VM | FG-ARM64-AWS, FG-ARM64-AZURE, FG-ARM64-GCP, FG-ARM64-KVM, FG-ARM64-OCI, FG-VM64, FG-VM64-ALI, FG-VM64-AWS, FG-VM64-AZURE, FG‑VM64‑GCP, FG-VM64-HV, FG-VM64-IBM, FG-VM64-KVM, FG‑VM64‑OPC, FG‑VM64-RAXONDEMAND, FG-VM64-XEN |
FortiGate 6000 and 7000 support
FortiOS 7.4.2 supports the following FG-6000F, FG-7000E, and FG-7000F models:
| FG-6000F | FG-6300F, FG-6301F, FG-6500F, FG-6501F |
| FG-7000E | FG-7030E, FG-7040E, FG-7060E |
| FG-7000F | FG-7081F, FG-7121F |
Poniżej przedstawiamy zmiany i ulepszenia zawarte w FortiOS 7.4.2:
- Integracja z Azure dla FortiGate VM (Numer Funkcji: 737947):
- FortiGate VM może teraz komunikować się z platformą Azure, przesyłając dane monitorowania zdrowia oraz wykonując wywołania API w ramach rozwiązania Azure vWAN.
- Obsługa GUI dla AWS SDN Connector (Numer Funkcji: 839076):
- Dodano obsługę interfejsu graficznego do konfiguracji różnych adresów zasobów AWS przy użyciu łącznika SDN AWS, co ułatwia zarządzanie danymi w chmurze AWS.
- Zastosowanie Tokena FortiFlex (Numer Funkcji: 952335):
- Teraz możliwe jest stosowanie tokenów FortiFlex za pomocą interfejsu graficznego na stronie licencji FortiGate VM, co usprawnia proces aplikacji tokenów dla nowo wdrożonych lub wygasłych instancji maszyn wirtualnych.
- Niesterowalna Metoda Rozdziału Ruchu Dla VDOM (Numer Funkcji: 814242):
- FortiGate 7000F obsługuje niestandardową metodę rozdziału ruchu dla poszczególnych VDOM, co pozwala na dostosowanie sposobu dystrybucji ruchu zgodnie z preferencjami użytkownika.
- Wsparcie dla TCP w Hyperscale Logging (Numer Funkcji: 875141):
- Hyperscale firewall policies teraz obsługują przesyłanie logów za pomocą protokołu TCP, co gwarantuje bardziej niezawodne połączenie i eliminuje ryzyko utraty logów podczas transmisji.
- Wsparcie dla Adresów Threat Feed IPv4/IPv6 w Hyperscale (Numer Funkcji: 920148):
- Adresy IPv4 lub IPv6 z listy zagrożeń mogą być teraz dodawane do polityk firewalla w hyperscale, co zwiększa możliwości monitorowania i reagowania na potencjalne zagrożenia.
- Wsparcie dla NetFlow v9 w Hyperscale (Numer Funkcji: 921750):
- Hyperscale VDOMs teraz obsługują protokół NetFlow w wersji 9 do rejestrowania sesji, co umożliwia bardziej szczegółową analizę ruchu sieciowego.
- Opcja Enforce-seq-order dla Logów w Hyperscale (Numer Funkcji: 968801):
- Dodano opcję enforce-seq-order dla logów w hyperscale, co umożliwia kontrolę nad przesyłaniem logów sesji w określonej kolejności na podstawie numeru sekwencyjnego.
- Zarządzanie FortiSwitchem poprzez HTTPS (Numer Funkcji: 834550):
- Wprowadzono możliwość zarządzania FortiSwitchem za pomocą protokołu HTTPS, co oferuje prostszą alternatywę dla bardziej skomplikowanego protokołu CAPWAP.
- Wsparcie dla RADIUS Accounting Interim Updates (Numer Funkcji: 933260):
- Dodano wsparcie dla aktualizacji RADIUS Accounting Interim w przypadku roamingu dla zabezpieczeń WPA-Enterprise, co poprawia interoperacyjność z Cisco Identity Services Engine (ISE) i zapewnia bardziej płynne doświadczenie z bezprzewodowym połączeniem.
To tylko niektóre z nowych funkcjonalności, pełna lista poniżej:
Cloud
See Public and private cloud in the New Features Guide for more information.
| Feature ID | Description |
|---|---|
| 737947 | When configuring a FortiGate VM as a network virtual appliance (NVA) as part of the Azure vWAN solution, the FortiGate can make API calls and send health metrics to Azure for integration with Azure Monitor. |
| 839076 | Add GUI support for configuring various AWS resource addresses using an AWS SDN connector. |
| 952335 | Add GUI support to apply a FortiFlex token on the FortiGate VM License page.
|
FortiGate 6000 and 7000 platforms
| Feature ID | Description |
|---|---|
| 814242 | The FortiGate 7000F platform supports setting a custom load balancing method for an individual VDOM. All of the traffic destined for that VDOM will be distributed to FPMs by the NP7 load balancers according to the following setting:
config system settings
set dp-load-distribution-method {derived | to-primary | src-ip | dst-ip | src-dst-ip | src-ip-sport | dst-ip-dport | src-dst-ip-sport-dport}
end
The default load balancing method, |
Hyperscale
| Feature ID | Description |
|---|---|
| 875141 | Support the transmission of logs using TCP. This is a significant improvement from the previous version, which only supported UDP. TCP provides a more reliable connection, ensuring no logs are lost during transmission. This is beneficial for carrier customers who require a robust and dependable logging system. |
| 920148 | IPv4 or IPv6 IP address threat feeds can be added to hyperscale firewall policies as source or destination addresses. |
| 921750 | Support NetFlow version 9 for session logging in hyperscale VDOMs. By integrating NetFlow version 9 for session logging, the hyperscale software offers users a more comprehensive and precise view of network traffic data. This leads to enhanced network monitoring, troubleshooting, and planning capabilities. |
| 968801 | Add enforce-seq-order hyperscale hardware logging option to enable or disable sending hyperscale VDOM software session logs in order by sequence number. |
LAN Edge
See LAN Edge in the New Features Guide for more information.
| Feature ID | Description |
|---|---|
| 834550 | Introduce FortiSwitch management using the HTTPS protocol. This new capability supports all the same FortiLink features, offering users a simpler alternative to the more complex CAPWAP protocol. |
| 866172 | The local radio of FortiWiFi 8xF, 6xF, and 40F models when operating in client mode and connecting with a third-party SSID can be configured in the GUI to use either WPA3 SAE or Opportunistic Wireless Encryption (OWE) security mode. |
| 866174 | When a specific Fortinet external antenna is installed, the FortiAP profiles of FAP-432F, FAP-433F, FAP-U432F, and FAP-U433F models can be configured using the optional-antenna setting by choosing from a list of supported Fortinet external antenna models. For example, for the FAP-433F:
config wireless-controller wtp-profile
edit "FAP433F"
config radio-1
set optional-antenna {none | FANT-04ABGN-0606-O-R | FANT-04ABGN-0606-P-R}
end
next
end
This setting can be configured in the GUI for supported FortiAP profile in the Radio section. Enable External antenna and select the external antenna model from the list of defined values. This setting allows antenna gains that are specific to the Fortinet external antenna model and the Wi-Fi band (2.4 GHz or 5 GHz) being used to be taken into consideration by the FortiGate wireless controller to set transmit power properly for a managed FortiAP device. |
| 933260 | Support RADIUS accounting interim updates on roaming for WPA-Enterprise security. The enhancement is specifically designed to resolve compatibility issues with Cisco’s Identity Services Engine (ISE) session stitching feature with improved interoperability between devices and networks, leading to a more seamless and secure wireless connectivity experience. This is beneficial for organizations that rely on Cisco ISE for network access control, as it ensures their security protocols align with industry standards.
config wireless-controller vap
edit <name>
set security wpa2-only-enterprise
set roaming-acct-interim-update {enable | disable}
next
end
|
| 939229 | Support the Hunting-and-Pecking (HnP) Only authentication method for WPA3-SAE SSIDs. This setting is disabled by default.
config wireless-controller vap
edit <name>
set ssid <name>
set security wpa3-sae
set pmf enable
set sae-hnp-only {enable | disable}
next
end
|
| 940562 | When a third-party external antenna is installed, the FortiAP profiles of selected models can be configured with set optional-antenna custom and set optional-antenna-gain <integer> (in dBi, 0 – 20, default = 0).
Supported FortiAP models include: FAP-432F, FAP-432FR, FAP-433F, FAP-233G, FAP-432G, FAP-433G, FAP-U432F, and FAP-U433F. For example: config wireless-controller wtp-profile
edit "FP433G"
config platform
set type 433G
end
config radio-2
set optional-antenna custom
set optional-antenna-gain "10"
end
next
end
These settings can be configured in the GUI for supported FortiAP profile in the Radio section. Enable External antenna, select Custom from the dropdown, and enter a value for External antenna gain (dB). |
| 940905 | Support WPA3 options when the radio mode is set to Fortinet’s SAM (Service Assurance Manager). This includes WPA3-SAE and WPA3 OWE. In also includes support for WPA2/WPA3-Enterprise with certificate authentication, encompassing both PEAP and EAP-TLS.
config wireless-controller wtp-profile
edit <name>
config radio-1
set mode sam
set sam-ssid <string>
set sam-security-type {wpa-enterprise |wpa3-sae | owe}
end
next
end
|
| 960883 | Support individual control of the 802.11k and 802.11v protocols. In previous FortiOS versions, these protocols were jointly controlled with the voice-enterprise option.
config wireless-controller vap
edit <name>
set 80211k {enable | disable}
set 80211v {enable | disable}
next
end
|
| 962880 | Simplify the Bonjour profile provisioning and failover mechanism.
|
| 962881 | Support hitless rolling AP upgrades. This feature smartly upgrades APs by not upgrading all APs at once. It queues some APs and considers the reachability of neighboring APs and their locations. This prevents service drops during simultaneous upgrades, ensuring uninterrupted WiFi service. |
| 963851 | Enhance CAPWAP management over NAT to provide a stability boost for Fortinet APs that operate behind a NAT device. This allows users to set the frequency of keep-alive messages, thereby improving connectivity.
config wireless-controller timers
set nat-session-keep-alive <integer>
end
|
| 967663 | Support the generation of a private key, a crucial component for SAE-PK authentication. This enhancement is significant as it offers an integrated mechanism for key generation, eliminating the need for third-party tools. This makes the FortiGate a more self-sufficient and secure system for SAE-PK authentication.
# execute wireless-controller create-sae-pk |
| 969387 | Support the automated reboot functionality for APs. This automatically reboots an AP stuck in a discovery loop, a state that disrupts network service. This smart feature reduces network downtime, and eliminates the need for manual intervention, thus saving time and resources. It ensures a resilient and seamless network experience.
config wireless-controller timers
set ap-reboot-wait-interval <integer>
set ap-reboot-wait-time <hh:mm>
set ap-reboot-wait-interval2 <integer>
end
|
Log & Report
See Logging in the New Features Guide for more information.
| Feature ID | Description |
|---|---|
| 975411 | Modify the log fields for long-lived sessions by adding three new log fields to the long-lived session log: duration delta (durationdelta), sent packet delta (sentpktdelta), and received packet delta (rcvdpktdelta). The fields enhance the granularity and accuracy of session logs, providing a more detailed view of long-lived sessions. This aids in troubleshooting and analysis. |
Network
See Network in the New Features Guide for more information.
| Feature ID | Description |
|---|---|
| 685910 | Add SoC4 driver support for the IEEE 802.1ad, which is also known as QinQ. When the OID is used up, it is forbidden to create a new QinQ interface. |
| 881823 | BGP now incorporates the advanced security measures of the TCP Authentication Option (TCP-AO). This integration bolsters the security of BGP connections and enhances the reliability of these connections, thereby contributing to the overall security of the internet.
|
| 890574 | Support port mirroring with NP7 offloaded traffic. Offloaded packets are copied to a mirroring port, which can be linked to an external device for in-depth analytics. |
| 921795 | Simplify the configuration of the FortiGate LAN extension feature by automatically configuring a VDOM link between a traffic VDOM, by default, the root VDOM and the LAN extension VDOM.
After connecting to the FortiGate Controller, the following settings are automatically configured on the FortiGate Connector:
This feature is required to support the FortiGate Secure Edge use case for FortiSASE. |
| 925668 | FortiOS can be configured with a maximum of three sFlow collectors. This also applies to multi-VDOM environments where a maximum of three sFlow collectors can be used globally and/or on a per-VDOMs basis. This feature enables up to a maximum of three unique parallel sFlow streams or transmissions per sFlow sample to three different sFlow collectors. The sFlow collector configuration can only be configured in the CLI. |
| 934273 | Support the BGP graceful restart helper-only mode. This ensures that during a FortiGate HA failover, the neighboring router that only supports BGP graceful restart helper mode retains its routes. |
| 941347 | Enhance FortiOS packet capture. If the browser is closed or refreshed, users can return at a later time to view, stop, restart, or download the capture. The number of captures that can be stored on FortiGate is determined by the device’s capabilities. REST APIs have been introduced for starting, stopping, deleting, and downloading packet captures. |
Policy & Objects
See Policy and objects in the New Features Guide for more information.
| Feature ID | Description |
|---|---|
| 875309 | Add GUI support for port block allocation (PBA) IP pools for NAT64 traffic. |
| 886571 | Support IPS inspection for multicast UDP traffic. |
| 941072 | The handling of virtual patch local-in traffic is optimized by identifying the type of traffic early based on its port number and protocol. The IPS engine will tag the local-in sessions for services, including SSL VPN and web GUI. If a tagged session does not have any vulnerability signatures for the FortiOS version, then IPS will bypass scanning the session. This optimizes performance by only scanning and dropping the sessions that are exploiting a vulnerability. |
SD-WAN
See SD-WAN in the New Features Guide for more information.
| Feature ID | Description |
|---|---|
| 884084 | Update SD-WAN with ADVPN to version 2.0 with major changes to ADVPN design and operation, namely, introducing edge discovery and path management for ADVPN spokes.
ADVPN 2.0 incorporates intelligence into the spokes to ensure shortcut tunnels, known as shortcuts, are established using underlays available on both spokes and chosen based on matching certain link health criteria. ADVPN 2.0 provides a more flexible SD-WAN solution than the original ADVPN to achieve resiliency against underlay outages or degraded underlay performance that is no longer dependent on specific BGP routing designs or mechanisms. |
| 900197 | Add IPv6 support for SD-WAN segmentation over a single overlay. This allows seamless communication between IPv6 devices within virtual routing and forwarding (VRF) overlay networks, benefiting organizations transitioning to IPv6 or operating in a dual-stack environment. |
| 936294 | Enhance the SD-WAN hub and spoke speed test feature as follows:
|
Security Profiles
See Security profiles in the New Features Guide for more information.
| Feature ID | Description |
|---|---|
| 744954 | Support Punycode encoding in the url and hostname fields in flow mode web filter UTM logs. This caters to domain names containing non-ASCII characters, such as internationalized domain names (IDNs). Is also aligns the functionality of flow and proxy modes, offering a more unified and improved user experience.
config webfilter profile
edit <name>
set web-flow-log-encoding {utf-8 | punycode}
next
end
|
| 848844 | Diameter protocol inspection is supported on the FortiGate. Key features include:
This is crucial for interfaces used to exchange information with roaming partners over the IPX network. |
| 888411 | Enhance customization and control in the video filter profile with two keyword-based filters for video titles and descriptions that offer AND’/’OR logic options. Users can prioritize configured filters, and manage all categories and channels that match the filters using the Any option. |
| 959763 | The inline IPS feature allows HTTP/HTTPS traffic to be processed directly in WAD for application control and IPS UTM features, reducing reliance on the IPS Engine. The IPS Engine is still required for non-HTTP protocols. This feature is automatically enabled for new devices, but is not enabled if upgrading from FortiOS 7.4.1 or earlier.
config ips settings
set proxy-inline-ips {enable | disable}
end
|
System
See System in the New Features Guide for more information.
| Feature ID | Description |
|---|---|
| 480717 | Add config system dedicated-mgmt to all FortiGate models with mgmt, mgmt1, and mgmt2 ports. |
| 739200 | Add GUI support to prevent FortiGates with an expired support contract from upgrading to a major or minor firmware release. |
| 925233 | Support separation of the SSHD host key and administration server certificate. This improvement introduces support for ECDSA 384 and ECDSA 256, allowing the SSHD to accommodate the most commonly used host key algorithms.
config system global
set ssh-hostkey-override {enable | disable}
set ssh-hostkey-password <password>
set ssh-hostkey <encrypted_private_key>
end
|
| 946205 | Enhance IPv6 VRRP to manage and control the VRRP states. Previously, the VRRP states would continue to be primary as long as the IPv6 VRRP destination could be reached by any route, including the default route.
config system interface
edit <name>
config ipv6
config vrrp6
edit <id>
set ignore-default-route {enable | disable}
next
end
end
next
end
|
| 954639 | Support SNMP traps for monitoring the free and freeable memory usage on FortiGates.
config system snmp sysinfo
set trap-free-memory-threshold <integer>
set trap-freeable-memory-threshold <integer>
end
|
| 964697 | Support the SNMP trap when power is restored to the power supply unit (PSU) in a FortiGate. When the PSU regains power after an outage, an SNMP trap should be triggered. This enhances the monitoring capabilities of the FortiGate. |
VPN
See IPsec and SSL VPN in the New Features Guide for more information.
| Feature ID | Description |
|---|---|
| 780297 | Rename the mdst-addr6 IKE debug filter option to mrem-addr6. |
| 879452 | Add the ability to rename their IPsec tunnels. Once a tunnel name is changed, all references to that tunnel, such as routing and policies, are automatically updated to reflect the new name. This ensures consistency and saves users the trouble of manually updating each reference.
config vpn ipsec phase1-interface
rename <string> to <string>
end
|
| 887173 | IPsec tunnels between HA members use manual keys to encrypt and authenticate, which may not be sufficient for some internal security policies. The IKE daemon has been updated to use auto-negotiation for the IPsec tunnel key, and to establish and maintain the tunnel.
config system ha
set ipsec-phase2-proposal <option>
end
|
| 905804 | Support IPsec key retrieval with a quantum key distribution (QKD) system using the ETSI standardized API. This eliminates negotiation, simplifies the process, and enhances efficiency in IPsec key management. |
| 923120 | Introduce a proprietary solution to support the encapsulation of Encapsulating Security Payload (ESP) packets within Transmission Control Protocol (TCP) headers. This allows ESP packets to be assigned a port number, which enables them to traverse over carrier networks where direct IPsec traffic is blocked or impeded by carrier-grade NAT.
The TCP port for IKE/IPsec traffic is configured in the global settings: config system settings
set ike-tcp-port <integer>
end
The phase 1 interface settings include options for ESP encapsulation: config vpn ipsec phase1-interface
edit <name>
set ike-version 2
set transport {udp | udp-fallback-tcp | tcp}
set fortinet-esp {enable | disable}
set fallback-tcp-threshold <integer>
next
end
|
ZTNA
See Zero Trust Network Access in the New Features Guide for more information.
| Feature ID | Description |
|---|---|
| 865016 | Introduce Fabric integration between the FortiGate and FortiGSLB, which allows a FortiGate to publish custom host and domain names directly to FortiGSLB. This enables external IPs on VIPs used in ZTNA server objects to be published with the host and domain names directly to FortiGSLB, where its DNS service can provide nameserver lookups for the FQDNs. |
| 897240 | The Any/All GUI selector for ZTNA tags is added back to the simple and full ZTNA policy configuration page. The setting is defaulted to Any. |
Rozwiązane problemy:
Anti Virus
| Bug ID | Description |
|---|---|
| 827497 | Unsupported file samples are submitted to FortiSandbox for analytics. |
| 845954 | Flow AV does not have a limit of how much memory it can use when buffering files for scanning. |
| 911872 | When connecting to FortiGate Cloud Sandbox, the connection status takes a long time to update and shows as unreachable. |
| 921175 | Make improvements to the AV engine when handling outbreak prevention queries. |
| 948182 | FortiSandbox side panel statistics only shows only statistics for root/management VDOM. |
| 948371 | Scanunit should no longer submit known infected files to FortiSandbox. |
| 961077 | Advanced Threat Protection Statistics dashboard is not increasing counters (AV). |
| 962261 | Send Files to FortiSandbox for Inspection AV profile setting does not work as expected. |
Application Control
| Bug ID | Description |
|---|---|
| 820481 | For firewall policies using proxy-based inspection mode, some HTTP/2 sessions may be incorrectly detected as unknown applications. |
| 952307 | FG-400F sees increased packet loss when using an application list in the policy. |
Data Leak Prevention
| Bug ID | Description |
|---|---|
| 911830 | DLP file type „AND” sensor cannot block the file when it is a DOCX file. |
| 922311 | DLP sensor cannot block MS-Office XML files, but can block MS-Office files when setting the profile type as message. |
| 926592 | Outlook cannot connect to the Exchange server once the DLP profile protocol is set to MAPI. |
Explicit Proxy
| Bug ID | Description |
|---|---|
| 782713 | Value overflow in destination interface of WAD traffic log. |
| 926178 | Post-upgrade, explicit proxy policies may mismatch when an HTTP CONNECT request or TLS SNI of a HTTPS session partially matches to a policy with deep inspection enabled. |
| 942612 | Web proxy forward server does not convert HTTP version to the original version when sending them back to the client. |
Firewall
| Bug ID | Description |
|---|---|
| 665662 | Using the append command to add entries to a policy object that mixes the use of wildcard and regular entries can result in an error to the policy during reboot. This applies to interface, address, and service policy objects. |
| 786317 | The service field in the traffic log shows the configured custom service name, even for traffic that does not match the FQDN configured in the custom service. |
| 865137 | After enabling the ssl-http-location-conversion option in the virtual server, it does not take effect. |
| 875309 | Support port block allocation (PBA) IP pools for NAT64 traffic. |
| 921658 | SD-WAN IPsec egress traffic shaping is not working when traffic offloading is enabled on an NP7 unit. |
| 924588 | Unable to access a real server using VIP with a custom cipher. |
| 925630 | Unable to unset http-supported-max-version to start using HTTP/2. |
| 929109 | Exported firewall policy is missing the negate option for source, destination, and service fields. |
| 939734 | When there are two to seven thousand addresses on the Policy & Objects > Virtual IPs page, clicking Suggestions in the Map to field makes the GUI unresponsive. |
| 940360 | FortiGate adds deleted tcp-portrange and udp-portrange after a reboot. |
| 942605 | FortiGate accepts the ha-mgmt-intf-only local-in policy from FortiManager, even though the ha-mgmt-status is not enabled. |
| 948393 | Policy lookup should not get result with policy_action: deny for non-TCP protocols and non-80/443 TCP ports. |
| 950775 | Traffic matches incorrect central SNAT rule when performing NAT46 in NGFW policy mode. |
| 950889 | Session clashes occur when incoming traffic matches an expected session and undergoes SNAT, but the SNAT port is already occupied by another session. |
| 951373 | Traffic shaping does not match the correct queue for outbound traffic when the class-id range exceeds the [2, 7] limit, which applies to egress shaping. |
| 951684 | The maximum size of the server certificate for virtual server should be displayed. |
| 952552 | When using HTTP1, the TLS handshake from the proxy to the real server does not include the SNI. |
| 952761 | BGP and other traffic is getting dropped when IPv4 and IPv6 access lists are applied. |
| 953907 | Virtual wire pair interface drops all packet if the prp-port-in/prp-port-out setting is configured under system npu-setting prp on FG-101F. |
| 953921 | GUI does not display the configured parameters for traffic shaping policies when editing a policy with an SD-WAN zone. |
| 957749 | An action=accept should not be shown in a traffic log when UDP traffic dropped by IPS. The utmaction field is also missing in this scenario. |
| 962984 | Server load balancing health monitor does not work with Patroni (PostgreSQL cluster) when content matching is configured. |
| 963071 | Drops in multicast traffic, caused by a change in multicast routing (PIM), may occur at the start of multicast communication after upgrading. |
| 967205 | Changing the destination in the policy replaces applied services with service, ALL. |
FortiGate 6000 and 7000 platforms
| Bug ID | Description |
|---|---|
| 891642 | FortiGate 6000 and 7000 platforms do not support managing FortiSwitch devices over FortiLink. |
| 892600 | IPv6 static route is removed from the management VDOM. |
| 896758 | Virtual clustering is not supported by FortiGate 6000 and 7000 platforms. |
| 905450 | SNMP walk failed to get the BGP routing information. |
| 907140 | Authenticated users are not synchronized to the secondary FortiGate 6000 or 7000 chassis when the secondary chassis joins a primary chassis to form an FGCP cluster. |
| 907695 | The FortiGate 6000 and 7000 platforms do not support IPsec VPN over a loopback interface or an NPU inter-VDOM link interface. |
| 910824 | On the FortiGate 7000F platform, fragmented IPv6 ICMP traffic is not load balanced correctly when the dp-icmp-distribution-method option under config load-balance is set to dst-ip. This problem may also occur for other dp-icmp-distribution-method configurations. |
| 914273 | SNMP query to fgVdEntSesRate returns a 0 value. |
| 937879 | FortiGate-7000F chassis with FIM-7941Fs cannot load balance fragmented IPv6 TCP and UDP traffic. Instead, fragmented IPv6 TCP and UDP traffic received by the FIM-7941F interfaces is sent directly to the primary FPM, bypassing the NP7 load balancers. IPv6 ICMP fragmented traffic load balancing works as expected. Load balancing fragmented IPv6 TCP and UDP traffic works as expected in FortiGate-7000F chassis with FIM-7921Fs. |
| 938475 | Memory usage issue occurs when multiple threads try to access a VLAN group. |
| 939119 | Statistics displayed in the Session Rate dashboard widget do not match the statistics displayed from the command line. |
| 941944 | CPU usage data displayed in the FortiGate 6000 GUI is actually CPU usage data for the management board. CPU usage data displayed in the FortiGate 7000 GUI is actually the CPU usage for the primary FIM. |
| 941971 | Dashboard widgets for CPU, Memory, Session, and Session Rate show usage as 0% on root and non-root VDOMs. |
| 946943 | On 6K and 7K platforms, the management VDOM GUI should not show the WiFi & Switch Controller menu. |
| 947570 | In an FGCP cluster, the secondary unit cannot reply to the SNMP query while using the management IP. |
| 947936 | On the FortiGate 7060E, only four of six PSUs are shown sometimes. |
| 948750 | When EMAC VLAN interfaces are removed spontaneously from the configuration, TCP traffic through their underlying VLAN interface fails. |
| 949175 | On the FortiGate 7121F, with FIM2 as the primary FIM, making FIM1 the primary causes NP7 PLE invalidation. |
| 949240 | SLBC special ports do not match the local-in policy’s management path. |
| 978241 | FortiGate does not honor worker port partition when SNATing connections using a fixed port range IP pool. |
FortiView
| Bug ID | Description |
|---|---|
| 941521 | On the FortiView Web Sites page, the Category filter does not work in the Japanese GUI. |
| 950137 | FortiView Application widget does not show data for explicit proxy traffic. |
GUI
| Bug ID | Description |
|---|---|
| 651648 | When a large number of addresses are present (over 17 thousand), searching for an object on the Policy & Objects > Addresses page takes around 20 to 30 seconds to display results. |
| 676306, 719694 | When there is a connection issue between the FortiGate and a managed FortiSwitch, unexpected behavior might occur in httpsd when navigating between Switch Controller related GUI pages. |
| 893560 | When private data encryption is enabled, the GUI may become unresponsive and HA may fail to synchronize the configuration. |
| 900818 | The GUI should not show the interface speed in the SSL VPN interface tooltip. |
| 904817 | Changing the IPv4/IPv6 version in the dropdown of one widget will also impact other Session Rate widgets. |
| 924159 | A time difference is noticed in the FortiGate GUI and command line when the GUI is refreshed or when logged in on a new tab. |
| 926410 | While creating new address from firewall policy, the address slide takes around five seconds to open up. |
| 934644 | When the FortiGate is in conserve mode, node process (GUI management) may not release memory properly causing entry-level devices to stay in conserve mode. |
| 940183 | No IP results appear when using the search bar of the Assets & Identities dashboard. |
| 940592 | Dashboard > IPsec Monitor column selections are not saved across a page refresh. |
| 941723 | An error occurred when attempting to perform interface migration from a physical interface containing a VLAN interface to an aggregate interface. |
| 943949 | The GUI does not allow parentheses, (), to be used in the interface description. |
| 945221 | The GUI does not show any transceiver information until running get system interface transceiver in the CLI. |
| 954356 | When connected to the FortiGate GUI on a mobile phone, the table content on some pages like Network > Interfaces, Policy & Objects > Firewall Policy, and WiFi & Switch Controller > Managed FortiSwitches is cut off. |
| 961796 | When administrator GUI access (HTTPS) is enabled on SD-WAN member interfaces, the GUI may not be accessible on the SD-WAN interface due to incorrect routing of the response packet. |
| 973432 | When editing an SD-WAN rule with more than one destination, some destinations are automatically removed. |
HA
| Bug ID | Description |
|---|---|
| 818432 | When private data encryption is enabled, all passwords present in the configuration fail to load and may cause HA failures. |
| 902945 | Lost management connectivity to the standby node via in-band management. |
| 904117 | When walking through the session list to change the ha_id, some dead sessions could be freed one more time. |
| 924671 | FG-200F in HA’s management interface is not responding after a reboot. |
| 925269 | Configuration is out-of sync when external feed connectors are applied to a policy. |
| 929156 | Asymmetric traffic through one of the FGSP members is allowed, even when the session is in a TCP SYN sent state. |
| 937246 | An error condition occurred while forwarding over a VRRP address, caused by the creation of a new VLAN. |
| 940400 | SCTP traffic is not forwarded back to the session owner (FGSP asymmetric traffic with IPS , NAT mode, and SCTP). |
| 942504 | Temporary network interruption occurs after disabling standalone-config-sync. |
| 946878 | When configuring an HA management interface, the GUI does not allow the same interface to be used for multiple management interfaces. |
| 949230 | Unable to send a file to a remote HA member when synchronizing a configuration. |
| 950868 | Traffic is not forwarded on L2 peer to keep FGSP with an available L2 connection. |
| 953167 | Access to console and SSH is lost due to a specific configuration. |
| 953202 | The hasync process is stuck at 99.9% on one or both cluster members after a failover. |
| 954098 | The set auto-firmware-upgrade disable setting is not synchronized between FGCP members. |
| 955555 | Unexpected traffic flow occurs after FGSP is enabled between clusters. |
| 963951 | Unable to modify the pingserver-flip-timeout once vcluster is enabled. |
| 965938 | Standalone configuration synchronization fails to synchronize because of interface subnet firewall address objects. |
Hyperscale
| Bug ID | Description |
|---|---|
| 936747 | Connections per second (CPS) performance of SIP sessions accepted by hyperscale firewall policies with EIM and EIF disabled that include overload with port block allocation (PBA) GCN IP pools is lower than expected. |
| 949188 | ICMP reply packets are dropped by FortiOS in a NAT64 hyperscale policy. |
| 950582 | Traffic not passing across the VDOM link. |
| 958066 | Observed TCP sessions timing out with a single hyperscale VDOM configuration after loading image from BIOS. |
| 975264 | Hyperscale should not support threat feed addresses with the negate option. |
Intrusion Prevention
| Bug ID | Description |
|---|---|
| 916175 | Make improvements to the IPS engine when handling a rare buffer overflow case. |
| 934015 | RSH subsession timeout when IPS is enabled. |
| 949662 | Interface policy logs show the external facing IP instead of the actual source. |
| 952270 | IPS logs for VIP traffic shows external IP as a destination for some signatures. |
IPsec VPN
| Bug ID | Description |
|---|---|
| 780297 | IKE debug log filtering functionality exhibits inaccuracies, resulting in the possibility of displaying unmatched logs when filters are set. |
| 897867 | IPsec VPN between two FortiGates (100F and 60F) experiences slow throughput compared to the available underlay bandwidth. |
| 914418 | File transfer stops after a while when offloading is enabled. |
| 922064 | Firewall becoming unresponsive to DPD/IKE messages, causing IPsec VPNs to drop. |
| 926002 | Incorrect traffic order in IPsec aggregate redundant member list after upgrade. |
| 926052 | For DHCP-over-IPsec, sometimes the client does not send a delete after the DHCP SA. |
| 930278 | Setting loopback-asymroute disable in the phase 1 configuration pushes down the loopback interface index as tunnel’s bound_if, causing traffic route lookup failure. |
| 942495 | IKEv2 connection issue related to the order of policies using different user groups. |
| 945367 | Disabling src-check (RPF) on the parent tunnel is not inherited by ADVPN shortcuts. |
| 945873 | Inconsistency of mode-cfg between phase 1 assigned IP address and destination selector addition. |
| 949086 | Policy route is not matching ESP traffic. |
| 950012 | IPsec tunnels stuck on NP6XLite spoke drop the ESP packet. |
| 950445 | After a third-party router failover, traffic traversing the IPsec tunnel is lost. |
| 951765 | Shortcut created from parent tunnel interface does not inherit MSS value and may face fragmentation. |
| 954614 | IPsec phase 2 negotiation fails with failed to create dialup instance, error 22 error message. |
| 954911 | IPv6 firewall address IP prefix object is invisible on accessible networks in the GUI. |
| 955552 | Split DNS not pushed because the split tunnel is not recognized. |
| 957412 | Authentication fails since the EAP proxy cannot get groups by the hostname of FortiGate in the NAS-ID RADIUS attribute. |
| 958516 | Acct-Output-Octets are wrapped to 32-bit on RADIUS accounting stop. |
| 960212 | IPsec traffic is unidirectional when vpn-id-ipip and offloading are enabled, and the tunnel VRF is greater than 63. |
| 961305 | FortiGate is sending ESP packets with source MAC address of port1 HA virtual MAC address. |
Log & Report
| Bug ID | Description |
|---|---|
| 850642 | Logs are not seen for traffic passing through the firewall caused by numerous simultaneous configuration changes. |
| 903841 | When an administrator login fails, the event log shows that the login was successful. |
| 905849 | The log settings disk usage graph should show the usage data in the legend’s format. |
| 920376 | Content disarm and reconstruction (CDR) files are not consistent in the log view. |
| 931924 | SSL VPN web mode login history entries are not seen when logs are being sent to FortiAnalyzer. |
| 932537 | If Security Rating is enabled to run on schedule (every four hours), the FortiGate can unintentionally send local-out traffic to fortianalyzer.forticloud.com during the Security Rating run. |
| 933650 | When the DNS server does not provide the IPv6 (AAAA record) for the NTP server FQDN, FortiGate NTP shows that the IPv6 server is unresolved -- unreachable, which is not true. |
| 938396 | The following intrusion was observed: in the alert mail refera to another field in the anomaly log. |
| 940814 | Administrators without read permissions for the threat weight feature cannot see the event log menu. |
| 945287 | Cloud logging settings are not retained when the FortiGate language setting is Japanese. |
| 949001 | The quarantine-log enable setting changed to disable after restoring a backup configuration. |
| 950768 | When a GUI login fails due to exceed_limit, logged in successfully appears in the system event log. |
| 952509 | The UUID is used instead of the external resource name in the Threat feed updated system event log. |
| 953667 | Override setting under multi-VDOM mode may cause the FortiGate to stop sending logs to FortiAnalyzer or syslog after switching to non-VDOM mode. |
| 961244 | Icons in logs evaluations and policies are no longer displayed. |
| 965247 | FortiGate syslog format in reliable transport mode is not compliant with RFC 6587. |
| 967100 | When FortiAnalyzer Cloud is chosen as log location, archived data cannot be downloaded for intrusion prevention. |
| 970412 | Virus/Botnet AV log for machine learning detection hyperlink returns Object Moved Permanently. |
Proxy
| Bug ID | Description |
|---|---|
| 790426 | An error case occurs in WAD while redirecting the web filter HTTPS sessions. |
| 806556 | Unexpected behavior in WAD when the ALPN is set to http2 in the ssl-ssh-profile. |
| 919781 | Unexpected behavior in WAD when there are multiple LDAP servers configured on the FortiGate. |
| 938502 | Original source IP is not preserved for transparent proxy rule after upgrading. |
| 940149 | Inadvertent traffic disruption caused by WAD when it receives an HTTP2 data frame payload on a dead stream. |
| 943998 | Unble to access website ( https://ec***.qu***.com/me***) when using a proxy with DPI. |
| 947359 | The newly implemented one-way server will set its port to null when closing. |
| 947814 | Too many redirects on TWPP after the second KRB keytab is configured. |
| 954104 | An error case occurs in WAD when WAD gets the external authenticated users from other daemons. |
| 955006 | SNI check is not working when set to inspect all ports. |
| 958464 | Unexpected behavior in WAD when building a debug URL. |
| 965966 | An error condition occurred in WAD due to heavy HTTP video traffic when using a video filter profile with deep inspection enabled. |
| 971489 | When cloud-communication is disabled, WAD still connects to productapi.fortinet.com. |
| 974307 | An error condition occurs in WAD while coping a file directory. |
REST API
| Bug ID | Description |
|---|---|
| 944723 | The /firewall/vip API does not recognize custom SSL cipher suites. |
| 948356 | An error condition occurs in HTTPSD when a REST API request is sent with invalid parameters. |
| 951384 | API responses for PBR provides incorrect value if address groups are used in PBR. |
| 951411 | Inconsistent handling of web filter profile actions in API transactions. |
Routing
| Bug ID | Description |
|---|---|
| 820407 | Auto-link fails if the FortiGate device initiating the FGFM connection is using an interface with a VRF not set to the default, 0. |
| 848270 | Reply traffic from the DNS proxy (DNS database) is choosing the wrong interface. |
| 894795 | MP-BGP EVPN source address shows 127.0.0.1, while the loopback interface is with a different address. |
| 897918 | When the local traffic is using SD-WAN and the reply is coming on a different interface, the reply is ignored. |
| 906896 | Make OSPFv3 update the translator role and translated Type-5 LSA when the ASBR table is updated. |
| 926525 | Routing information changed log is being generated from secondary in an HA cluster. |
| 928152 | FortiGate generates two OSPF stub entries for the same prefix after upgrading from 6.4 to 7.0. |
| 934273 | Support GR helper mode (peer) for BGP. |
| 935370 | SD-WAN performance SLA tcp-connect probes clash with user sessions. |
| 935886 | SD-WAN packet duplication feature in force mode suddenly stops duplicating and starts to duplicate again once the FortiGate is rebooted. |
| 938500 | Status of OSPF adjacency is Loading on spokes while Full on the hub side. |
| 944351 | When using the policy match tool, the Incoming Interface dropdown does not list SD-WAN member interfaces. |
| 946783 | Unable to set OSPF interface IP in the GUI. |
| 949623 | DNS over TCP does not work when interface-select-method is set to sdwan in the DNS setting, and the corresponding SD-WAN rule is restricted to the TCP protocol only. |
| 951397 | Inconsistent GUI output with unusual characters showing up in the SD-WAN rule list settings and the edit SD-WAN rule page. |
| 952543 | Reply TCP traffic for inbound local session uses a different egress interface than the originating traffic |
| 952908 | Locally originated type 5 and 7 LSAs’ forward address value is incorrect. |
| 953744 | Connected VLAN routes are getting removed after an HA failover. |
| 954100 | Packet loss status in SD-WAN health check occur after an HA failover. |
| 957049 | If the router community-list type is expanded and changed to standard, this causes a community-list error. |
| 957627 | Learned BGP through routes are not withdrawn on the spoke after the EBGP neighborship is down between the hub and third party device. |
| 963561 | When establishing an IPsec tunnel between FortiGate peers using OSPF to exchange routes, the FortiGate sends a stub LSA with a 32-bit netmask. |
| 964182 | IPsec traffic with vpn-id-ipip is egressing with the wrong VRF when offloading is enabled. |
| 965752 | After HA monitored interface fails over, SD-WAN intermittently does not follow route-map-preferable. |
Security Fabric
| Bug ID | Description |
|---|---|
| 902344 | When there are over 30 downstream FortiGates in the Security Fabric, the root FortiGate’s GUI may experience slowness when loading the Fabric Management page and prevents the user from upgrading firmware in the GUI. |
| 907819 | Advanced GCP connector does not resolve if one element does not exist. |
| 908489 | When one of the downstream FortiGate VM’s license is invalid, the root FortiGate will be automatically logged out from accessing the Firmware & Registration page. |
| 920391 | Non-management VDOM is not allowed to set a source-ip for config system external-resource. |
| 932935 | External connector to VMware 8.0 with verify certificate enabled will fail. |
| 938980 | HTTP 400 errors observed using SDN connector to query AKS clusters if local administrator is disabled. |
| 947634 | Security Fabric widget shows the serial number instead of the hostname for a secondary FortiGate in HA. |
| 950624 | Renaming conflicted Fabric objects on the root FortiGate does not synchronize the changed Fabric objects to the downstream FortiGate. |
| 958396 | The number of log IDs under one automation trigger is limited to 16. |
| 968621 | Erroneous memory allocation resulting in unexpected behavior in csfd after upgrading. |
SSL VPN
| Bug ID | Description |
|---|---|
| 879329 | Destination address of SSL VPN firewall policy may be lost after upgrading when dstaddr is set to all and at least one authentication rule has a portal with split tunneling enabled. |
| 923518 | When SSL VPN web mode is disabled, SAML external browser login requests should be blocked. |
| 930275 | Firewall policy is not allowing the all destination address with a split-tunneling portal. |
| 933985 | FortiGate as SSL VPN client does not work on NP6 and NP6XLite devices. |
| 941676 | Japanese key input does not work correctly during RDP in SSL VPN web mode. |
| 947210 | Multiple instances of *** code requested backtrace *** for SSL VPN daemon observed during a graceful upgrade (on FG-6000F). |
| 950157 | SSL VPN connected/disconnected endpoint event log can be in the wrong sequence. |
| 951827 | SSL VPN client certificate verification failed after importing the VDOM user peer CA certificate into the global VDOM. |
| 952860 | During a handshake when FortiClient sends a larger-than-MTU hello message, the packet is fragmented by IP layer and dropped by the FortiGate. |
| 957406 | OS checklist for SSL VPN in FortiOS does not include macOS Sonoma 14. |
| 958430 | If the password renew template is modified with a non-default password renew policy, FortiClient cannot read the HTML page correctly, and returns the error, Server may not be reachable. |
Switch Controller
| Bug ID | Description |
|---|---|
| 703374 | Long DAC-type cable is added to default media type on 10G port on FG-100F. |
| 816790 | Console printed DSL related error messages when disconnecting the managed FortiSwitch and connecting to the FortiGate again. |
| 818116 | When changing the FortiSwitch FortiLink port status, the configuration is not applied to the FortiSwitch. |
| 904834 | FortiGate and FortiManager have different definitions for the value of poe-detection-type on S108EF platform. |
| 911232 | The security rating shows an incorrect warning for unregistered FortiSwitches on the Managed FortiSwitches page.
Workaround: navigate to the Diagnostics & Tools pane of the FortiSwitch to see the correct registration status. |
| 931694 | Enhance FortiLink event logs for FortiGate-FortiSwitch event log translation. |
| 941673 | FortiSwitch event log displays serial number under name when CAPWAP is up or down. |
| 945779 | FortiGate CPU VM increases due to the FortiLink process. |
| 949377 | NAC policy cannot match the MAC address with a specific VLAN. The NAC policy needs to be deleted and re-createed for it to work again. |
| 953918 | FortiGate nac_segment is not showing assigned dynamic VLAN on FortiSwitch ports. |
| 961997 | Unable to get interface descriptions for the FortiLink ports by using OID 1.3.6.1.2.1.2.2.1.2. |
System
| Bug ID | Description |
|---|---|
| 656983 | MIB OID fgSysLowMemUsage returns value for devices where it is not applicable. |
| 699379 | Host protection engine (HPE) enchantments should be applied to NP6XLite platforms. |
| 713951 | Not all ports are coming up after an LAG bounce on 8 × 10 GB lag with ASR 9K. Affected platforms: FG-3960E and FG-3980E. |
| 859393 | SNMP poll for fgExplicitProxyRequests returns 0. |
| 860460 | On a redundant interface, traffic may drop with some NPU-offload enabled policies when the interface is not initialized properly. |
| 861962 | When configuring an 802.3ad aggregate setting with 1 Gbps speed, the port’s LED light is off and traffic cannot pass through. |
| 899279 | NP7 did not offload jumbo packet, but get NPU INFO: offload=9/9 in the console output. |
| 900663 | Refactor the time zone feature to use the IANA time zone database. |
| 900791 | The X1 port is always up with FCLF8522P2BTLFTN transceiver. |
| 907657 | FortiGate does not perform a disk scan automatically when autorun-log-fsck is enabled. |
| 908831 | Unable to set upstream interface without setting the delegated IAID first for IPv6 interface under delegated mode. |
| 909225 | ISP traffic is failing with the LAG interfaces on upstream switches. |
| 910651 | On FG-600F, all members are up but the LACP status is showing as down after upgrading. |
| 910700 | Ports are flapping and down on the FortiGate 3980E. |
| 910829 | Degraded traffic bandwidth for download passing from 10G to 1G interfaces. |
| 912092 | FortiGate does not send ARP probe for UDP NP-offloaded sessions. |
| 913355 | GUI and CLI time mismatch for Central America (Mexico) time zone. |
| 915585 | Optimize memory usage, which causes the SLAB memory to increase, in kernel 4.19. |
| 916493 | Fail detection function does not work properly on X1 and X2 10G ports. |
| 919901 | For FIPS-CC mode, the strict check for basic constraints should be removed for end entity certificates. |
| 921604 | The port (x7) has no cables attached, but link LEDs are on the FG- 601F. |
| 922458 | Administrator with read-only access to management permissions cannot perform a configuration backup in the GUI. |
| 924654 | MAC flapping on switch when UDP packets passthrough VWP multiple times with ASIC offload. |
| 925647 | Memory usage issue caused by repetitive log messages. Affected platforms: FG-100xF. |
| 926546 | ICMP and UDP traffic over GRE is not offloaded on NP7 platforms. |
| 926817 | Review the temperature sensor for the SoC4 system. |
| 929904 | When L3 or L4 hashing algorithm is used, traffic is not forwarded over the same aggregate member after being offloaded by NP7. |
| 930329 | LTE modem is missing after upgrading to 7.4. |
| 931299 | When the URL filter requests the FortiGuard (FGD) rating server address using DNS, it will try to get both A (IPv4) and AAAA (IPv6) records. |
| 934115 | Administrator can no longer view or edit the VPN settings in the GUI with system:none permissions. |
| 938539 | The cmdbsvr process is stuck, and is not pushing configurations made in the GUI or CLI. |
| 939110 | DHCP server on LAN interface is lost after rebooting or restoring the configuration file. |
| 939411 | Multiple spawns of hotplug process consuming high CPU resources. |
| 939935 | High CPU usage caused by DHCP packets. |
| 939947 | FG-1100E SFP interface of port 23 and 24 with transceiver status is down after upgrading. |
| 940504 | Loading of the Toss Bank application is delayed or gets stuck on iPhones with hyperscale CGNAT (NAT64). |
| 940752 | FortiGate does not allow tagged VLAN 0 packets. |
| 942502 | Unexpected behavior occurred in the kernel when creating EMAC VLAN interfaces based on an aggregate interface with the new kernel 4.1.9. |
| 942893 | When DHCP IP reservation is edited from the DHCP dashboard widget, the changes are not retained. |
| 943026 | Changes to per-IP shaper settings are not reflected on offloaded sessions in NP7 platforms. |
| 943090 | Buffer and description queue limitation of Marvell switch port will cause a performance limitation. |
| 943615 | When cmdbsvr receives a request to update the version number, it also receives a copy of the query, but this copy is not freed. |
| 943948 | FortiGate as L2TP client is not working with Cisco ASR as L2TP server. |
| 945426 | FortiGate ports are not in a configured state after the connected switch reboots. |
| 946413 | Temperature sensor value missing for FG-180xF, FG-420xF, and FG-440xF platforms. |
| 946714 | Unexpected reboot caused by a rare error condition for FG-VM. |
| 947240 | FortiGate is not able to resolve ARPs of few hosts due to their ARP replies not reaching the primary FPM. |
| 948448 | A super_admin administrator is unable to log in after restoring the VDOM configuration on the admin VDOM and rebooting the FortiGate. |
| 948460 | Enabling NP7 offloading is causing packet drops when using a shaping profile. |
| 949481 | The tx_collision_err counter in the FortiOS CLI keeps increasing on both 10G SFP+ X1 and X2 interfaces. |
| 949975 | SNMP value for OID 1.3.6.1.4.1.12356.101.12.2.2.1.5 returns the wrong value. |
| 950010 | Alarm observed for high PECI temperature despite less CPU activity. |
| 952279 | The TCP handshake is interrupted when any of the UTM profiles are enabled. |
| 953140 | FG-1801F silently drops forward traffic at the NP7 modules. |
| 954439 | SNMP does not respond if a VRF is set on the interface. |
| 955021 | When signal 11 is sent to httpsd process using diagnose sys kill 11 <PID>, httpsd does not restart. The GUI displays a Service unavailable message. GUI access can be restored by rebooting the device. |
| 955074 | MSS clamping is not working on VXLAN over IPsec after upgrading. |
| 955798 | Interface LED from panel indicates the wrong status. |
| 955998 | The traffic is dropped when auto-asic-offload is enabled and passing through a VLAN associated with a 10G redundant interface. |
| 956391 | On FG-10xE, when using ports 13 to 16 as virtual switch LAN ports, auto speed is not supported. |
| 956413 | FG-1101E ports with AVAGO AFBR-5710PZ transceiver failed to come up after upgrading. |
| 956980 | Batch lastlog does not show any errors for password-policy misconfiguration. |
| 957147 | FortiGate as DNS server does not resolve domains in the local database on new VDOM. |
| 957714 | Memory usage issue occurs when multiple threads try to access a VLAN group. |
| 957846 | High CPU usage caused by DHCP packets. |
| 958157 | The GeoIP file should close appropriately after opening or using mmap to share memory. |
| 960563 | An error condition occurred in the kernel caused by a rare condition while using the GRE tunnels. |
| 963597 | Multiple configuration settings are missing after restoring the VDOM. |
| 966761 | SNMP OID 1.3.6.1.2.1.4.34.1.5 ipAddressPrefix is not fully implemented. |
| 969230 | FEC does not take effect on X5 – X8 ports when running at 25G ULL mode on FG-601F. |
Upgrade
| Bug ID | Description |
|---|---|
| 871181 | FG-3401E link is not coming up using DAC cables after upgrading. |
| 896937 | Port channel is down after upgrading the FG-1101E. |
| 940126 | Upgrading a FGT-3401E generates BPDUs, which cause the switch to disable the port. |
User & Authentication
| Bug ID | Description |
|---|---|
| 823884 | When a search is performed on a user (User & Authentication > User Definition page), the search results highlight all the groups the user belongs to. |
| 868994 | FortiGate receives FSSO user in the format of HOSTNAME$. |
| 907169 | WPA2-Enterprise SSID should support EAP-TLS authentication for PKI users that are configured with multi-factor authentication through a RADIUS server. |
| 915998 | FortiToken mobile push with ACME gives an untrusted certificate in iOS application. |
| 932989 | In some cases, the HA connection is removed and its memory is freed, but it is still read/written in the following process. |
| 939517 | On the System > Replacement Messages page, the guest user email template cannot restore to the to default value. |
| 943087 | After creating a new guest user, the administrator cannot view the user’s password in plaintext in the GUI. |
| 946116 | On a FortiGate managed by FortiManager, when a guest administrator logs in with read-only permissions, the administrator can still create and edit the guest user. |
| 947299 | Global DH parameter does not modify the SSH connection key exchange. |
| 949699 | Administrator single sign-on login with SAML does not work after upgrading the firmware 7.4.1 due to the SAML entity-id field being incorrectly reset to being empty. |
| 955939 | PKI users should pass certificate-based authentication over WPA2-Enterprise SSID. |
| 961496 | CPU usage issue caused by signature update for device identification. |
VM
| Bug ID | Description |
|---|---|
| 903037 | A false positive SSL VPN login token error message is generated after a successful connection. |
| 932085 | In an Azure cluster, the NTP source-ip6 (IPv6) is synchronized while the source-ip (IPv4) is not. |
| 950235 | IPv6 multicast packets are triggering a hardware checksum failure error message on the console. |
| 953760 | FG-VM is unable to respond to the load balancer’s health probe correctly. |
| 956460 | FortiGate cannot detect a log disk in some new Azure instances. |
| 957886 | GCP OS log in integration issues occur in FortiGate deployment. |
| 959859 | FG-VM64-AZURE SDN connector does not retry requests to management.azure.com if they fail. |
| 965668 | Interfaces are brought down by azd, and traffic is disrupted until manually disabling and enabling the interfaces on the Azure VM. |
| 967134 | An interrupt distribution issue may cause the CPU load to not be balanced on the FG-VM cores. |
| 968740 | Unexpected behavior in awsd caused by tags with an empty value on AWS instances while adding a new AWS Fabric connector. |
| 970201 | Unexpected reboot caused by a rare error condition for FG-VM. |
WAN Optimization
| Bug ID | Description |
|---|---|
| 954541 | In WANOpt transparent mode, WAN optimization does not keep the original source address of the packets. |
Web Application Firewall
| Bug ID | Description |
|---|---|
| 939380 | User cannot set the match ALL pattern to deny traffic for the web application firewall profile in the GUI. |
Web Filter
| Bug ID | Description |
|---|---|
| 887699 | Web filter override expiry date in the GUI may be one hour off if daylight saving time (DST) is observed. |
| 923548 | Newly added local URL filter entry cannot be moved using drag-and-drop. |
| 929110 | The strict option for sni-server-cert-check is behaving the same as if it is set to enable, and logs are not generated upon SNI mismatch with the CN or SAN. |
| 945011 | URL filter IP address block is not honored by the enhanced policy lookup tool. |
| 947676 | Web filter profile setting changes the order of FortiGuard web filter categories. |
WiFi Controller
| Bug ID | Description |
|---|---|
| 801730 | The move function in the CLI does not work for mpsk-profile and mpsk-group. |
| 883021 | Is the FortiGate 100F RFC 2865 compliant and, if yes, why does the FortiGate not always re-authenticated after the Session-Timeout value? |
| 891804 | After initial packets, FG-101F stops forwarding wired traffic over FAP-23JF LAN tunneled with a dynamic VLAN VAP. |
| 896104 | An error condtion occured in the kernel when the FortiAP and SSID are in the same software switch. |
| 938840 | Excessive MEM POOLuse_up_cnt observed on secondary unit in an HA environment. |
| 941691 | Multiple MAC addresses are on one port. |
| 944465 | On the WiFi & Switch Controller > Managed FortiAPs page of a non-management VDOM, the Register button is unavailable in the Device Registration pane. |
| 945356 | FortiOS fails to get all of the configured MAC ACL entries. |
| 946796 | The eap_proxy daemon may keep reloading randomly due to failing to bind a port. This will cause an IKE and WiFi authentication failure. |
| 949857 | Captive portal appears each time after a channel change or if roaming performed (Cisco ISE with FortiGate and FortiAP). |
| 951792 | Clients connected to certain FortiAPs do not have internet access. |
| 952889 | PMKID should be removed when an Android device is disconnected by the RADIUS CoA DM request with Acct-Session-Id. |
| 958314 | AeroScout agent is not working. |
| 967158 | WPA2-Enterprise with a Windows NPS server is not working after upgrading the firmware to FortiOS 7.4.1. |
| 973935 | On the WiFi & Switch Controller > Managed FortiAPs page, there is an error when changing from a single 5G profile to a dual 5G profile on the FortiAP 831F. |
ZTNA
| Bug ID | Description |
|---|---|
| 918279 | Traffic does not match a simple ZTNA firewall policy when the external interface configured on a ZTNA server is a member of a SD-WAN zone being used in the same ZTNA firewall policy. |
Znane problemy:
Anti Virus
| Bug ID | Description |
|---|---|
| 977634 | FortiOS High Security Alert block page reference URL is incorrect. |
Application Control
| Bug ID | Description |
|---|---|
| 934197 | Selected applications will disappear after searching or filtering for other applications in override. |
Firewall
| Bug ID | Description |
|---|---|
| 760292 | The date in the graph of Last 7 Days traffic statistics for the policy is incorrect. |
| 959065 | Once a traffic shaper is applied to a traffic shaping firewall policy, the counters should not clear when deleting or creating a traffic shaper. |
| 966466 | On an FG-3001F NP7 device, packet loss occurs even on local-in traffic. |
| 981283 | NAT64/46 HTTP virtual server does not work as expected in the policy. |
FortiGate 6000 and 7000 platforms
| Bug ID | Description |
|---|---|
| 781163 | FortiView Sources page is unable to display historical data from FortiAnalyzer due to Fail to retrieve FortiView data error. |
| 787604 | Transceiver information in unavailable for FPM/FIM2 ports in the GUI. |
| 790464 | Existing ARP entries are removed from all slots when an ARP query of a single slot does not respond. |
| 885205 | IPv6 ECMP is not supported for the FortiGate 6000F and 7000E platforms. IPv6 ECMP is supported for the FortiGate 7000F platform. |
| 887946 | UTM traffic is blocked by an FGSP configuration with asymmetric routing. |
| 910883 | The FortiGate 6000s or 7000s in an FGSP cluster may load balance FTP data sessions to different FPCs or FPMs. This can cause delays while the affected FortiGate 6000 or 7000 re-installs the sessions on the correct FPC or FPM. |
| 911244 | FortiGate 7000E IPv6 routes may not be synchronized correctly among FIMs and FPMs. |
| 969530 | Blade unexpected reboot occurs on FG-5001D. |
| 973407 | FIM installed NPU session causes the SSE to get stuck. |
GUI
| Bug ID | Description |
|---|---|
| 848660 | Read-only administrator may encounter a Maximum number of monitored interfaces reached error when viewing an interface bandwidth widget for an interface that does not have the monitor bandwidth feature enabled.
Workaround: super_admin users can enable the monitor bandwidth feature on the interface first, then the widget can work for read-only administrators. |
| 853352 | When viewing entries in slide-out pan of the Policy & Objects > Internet Service Database page, users cannot scroll down to the end if there are over 100K entries. |
| 885427 | Suggest showing the SFP status information on the faceplate of FGR-60F/60F-3G4G devices. |
| 925388 | After updating, the CMDB may not start up properly. This issue causes problems with both the GUI and CLI. |
| 931486 | Unexpected behavior in httpsd when the user has a lot of FQDN addresses. |
| 964386 | GUI dashboards show all the IPv6 sessions on every VDOM. |
| 966702 | List of security profiles it is not displayed correctly in the GUI. |
| 971790 | FortiGate models with 2 GB RAM may experience memory usage issues when users access the web GUI, due to a sudden increase in memory consumption in httpsd.
Workaround: avoid navigating to memory-intensive pages under Dashboard with multiple widgets that can cause a spike in memory consumption. Users can create custom dashboards with a single widget to reduce the concurrent load. |
| 972887 | The interface firewall object created automatically is not found by a firewall policy search with IP address. |
| 975403 | FortiGate removes the ? from custom replacement messages. |
| 979508 | The Operation Technology category cannot be turned on or off from the GUI. The option to enable/disable the Operational Technology category on application control profiles when hovering the mouse over the category name is missing.
Workaround: use the CLI to configure it. |
| 982573 | Dashboard > Assets & Identities page shows devices and interfaces from all VDOMs. |
| 983422 | A GTP profile cannot be applied to policy using the GUI.
Workaround: use the CLI to apply the GTP profile. |
HA
| Bug ID | Description |
|---|---|
| 971075 | The last interface belonging to the management VDOM (not root VDOM) is not displayed when accessing ha-mgmt-interface. |
Hyperscale
| Bug ID | Description |
|---|---|
| 817562 | NPD/LPMD cannot differentiate the different VRFs, and considers all VRFs as 0. |
| 850252 | Restoring a specific VDOM configuration from the GUI does not restore the complete configuration. |
| 896203 | The parse error, NPD-0:NPD PARSE ADDR GRP gmail.com MEMBER ERR, appears after rebooting the system. |
| 976972 | New primary can get stuck on failover with HTTP CC sessions. |
| 977376 | FG-4201F has a 10% performance drop during a CPS test case with DoS policy. |
| 981918 | Hyperscale policy loses the cgn-log-server-grp setting with log mode per-mapping when the system reboots. |
Intrusion Prevention
| Bug ID | Description |
|---|---|
| 782966 | IPS sensor GUI shows All Attributes in the filter table when IPS filters with default values are selected in the CLI. |
IPsec VPN
| Bug ID | Description |
|---|---|
| 866413 | Traffic over GRE tunnel over IPsec tunnel, or traffic over IPsec tunnel with GRE encapsulation is not offloaded on NP7-based units. |
| 897871 | GRE over IPsec does not work in transport mode. |
| 916260 | The IPsec VPN tunnel list can take more than 10 seconds to load if the FortiGate has large number of tunnels, interfaces, policies, and addresses. This is a GUI display issue and does not impact tunnel operation. |
| 944600 | CPU usage issues occurred when IPsec VPN traffic was received on the VLAN interface of an NP7 vlink. |
| 970703 | FortiGate 6K and 7K models do not support IPsec VPN over vdom-link/npu-vlink. |
Log & Report
| Bug ID | Description |
|---|---|
| 960661 | FortiAnalyzer report is not available to view for the secondary unit in the HA cluster.
Workaround: view the report directly in FortiAnalyzer. |
Proxy
| Bug ID | Description |
|---|---|
| 900546 | DNS proxy may resolve with an IPv4 address, even when pref-dns-result is set to IPv6, if the IPv4 response comes first and there is no DNS cache. |
| 910678 | CPU usage issue in WAD caused by a high number of devices being detected by the device detection feature. |
| 922093 | High CPU due to WAD process and disrupted HTTPS connections. |
| 933002 | Memory usage issue in WAD caused by a rare error condition. |
REST API
| Bug ID | Description |
|---|---|
| 964424 | REST API GET /ips/sensor/{name} adds extra space to locations, severity, protocol, os, and application field values. |
Routing
| Bug ID | Description |
|---|---|
| 903444 | The diagnose ip rtcache list command is no longer supported in the FortiOS 4.19 kernel. |
| 974921 | Configuring the Set weight on the route map to 0 in the GUI does not save this setting in the CLI configuration. |
Security Fabric
| Bug ID | Description |
|---|---|
| 948322 | After deauthorizing a downstream FortiGate from the System > Firmware & Registration page, the page may appear to be stuck to loading.
Workaround: perform a full page refresh to allow the page to load again. |
| 966740 | Security rating Last Ran displays incorrect values. |
| 968585 | The automation stitch triggered by the FortiAnalyzer event handler does not work as expected. |
| 972921 | The comments are not working as expected in the threat feed list for the domain threat feed. |
Switch Controller
| Bug ID | Description |
|---|---|
| 955550 | Unexpected behavior in cu_acd and fortilinkd is causing the CPU to handle the majority of the traffic instead of the NPU. |
System
| Bug ID | Description |
|---|---|
| 907622 | GUI is missing DDNS Domain text field box when creating a new DDNS entry. |
| 910364 | CPU usage issue in miglogd caused by constant updates to the ZTNA tags. |
| 912383 | FGR-70F and FGR-70F-3G4G failed to perform regular reboot process (using execute reboot command) with an SD card inserted. |
| 921134 | GUI is inaccessible when using a SHA1 certificate as admin-server-cert. |
| 937982 | High CPU usage might be observed on entry-level FortiGates if the cache size reaches 10% of the system memory. |
| 953692 | SNMP stops working when a second server is added. The FortiGate stops answering SNMP requests to both servers. |
| 956697 | On NP7 platforms, the FortiGate maybe reboot twice when upgrading to 7.4.2 or restoring a configuration after a factory reset or burn image. This issue does not impact FortiOS functionality. |
| 964465 | Administrator with special profile write permission to WiFi cannot create an SSID after upgrading. |
| 968618 | After the upgrade to 7.4, the NP7 L2P is dropping packets at the L2TI module. |
| 971404 | Session expiration does not get updated for offloaded traffic between a specific host range. |
| 971466 | FGR 60F faces packet loss with a Cisco switch directly connected to it. |
| 977231 | An error condition occurred in fgfm caused by an out-of-band management configuration. |
User & Authentication
| Bug ID | Description |
|---|---|
| 667150 | Improve GUI support for FortiToken Mobile push and FortiClient based two-factor user authentication, which is already supported by authd. |
| 884462 | NTLM authentication does not work with Chrome. |
| 967146 | Upon expiration, the SSL certificate is removed from GUI but not from the CLI. |
| 972391 | RADIUS group is not properly displayed as used. |
| 975689 | Unable to print with custom guest user print template. |
VM
| Bug ID | Description |
|---|---|
| 938382 | OpenStack Queens FortiGate VM HA heartbeat on broadcast is not working as expected. |
| 977110 | Interface disappears after enabling unicast-status on HA. |
| 978021 | VNI length is zero in the GENEVE header when in FTP passive mode. |
Web Filter
| Bug ID | Description |
|---|---|
| 634781 | Unable to customize replacement message for FortiGuard category in web filter profile. |
WiFi Controller
| Bug ID | Description |
|---|---|
| 814541 | When there are extra large number of managed FortiAP devices (over 500) and large number of WiFi clients (over 5000), the Managed FortiAPs page and FortiAP Status widget can take a long time to load. This issue does not impact FortiAP operation. |
| 869978 | CAPWAP tunnel traffic over tunnel SSID is dropped when offloading is enabled. |
| 883938 | Flooded wireless STA traffic seen in L2 tunneled VLAN (FG-1800F). |
| 903922 | Physical and logical topology is slow to load when there are a lot of managed FortiAP (over 50). This issue does not impact FortiAP management and operation. |
| 949682 | Intermittent traffic disruption observed in cw_acd caused by a rare error condition. |
| 964757 | Clients randomly unable to connect to 802.1X SSID when FortiAP has a DTLS policy enabled. |
| 972093 | RADIUS accounting data usage is different between the bridge and tunnel VAP. |
ZTNA
| Bug ID | Description |
|---|---|
| 819987 | SMB drive mapping made through a ZTNA access proxy is inaccessible after rebooting. |
Notatki producenta: FortiOS 7.4.2
Pozdrawiamy,
Zespół B&B
Bezpieczeństwo w biznesie
