Fortinet has released FortiOS 7.4.4, the latest update to its firewall operating system. The release improves the system in a number of key areas, resolving numerous issues in both security features and performance. Among the most notable fixes are a bug that prevented application control profiles from being created via the GUI or CLI, a DNS filter issue that blocked internet connectivity when NPU acceleration was enabled, and a loss of IPsec traffic on the SOC4 platform. Detailed information about the resolved issues follows.
Supported devices:
Product | Models |
---|---|
FortiGate | FG-40F, FG-40F-3G4G, FG-60E, FG-60E-DSL, FG-60E-DSLJ, FG-60E-POE, FG-60F, FG-61E, FG-61F, FG-70F, FG-71F, FG-80E, FG-80E-POE, FG-80F, FG-80F-BP, FG-80F-DSL, FG-80F-POE, FG-81E, FG-81E-POE, FG-81F, FG-81F-POE, FG-90E, FG-91E, FG-100F, FG-101F, FG-140E, FG-140E-POE, FG-200E, FG-200F, FG-201E, FG-201F, FG-300E, FG-301E, FG-400E, FG-400E-BP, FG-401E, FG-400F, FG-401F, FG-500E, FG-501E, FG-600E, FG-601E, FG-600F, FG-601F, FG-800D, FG-900D, FG-900G, FG-901G, FG-1000D, FG-1000F, FG-1001F, FG-1100E, FG-1101E, FG-1800F, FG-1801F, FG-2000E, FG-2200E, FG-2201E, FG-2500E, FG-2600F, FG-2601F, FG-3000D, FG-3000F, FG-3001F, FG-3100D, FG-3200D, FG-3200F, FG-3201F, FG-3300E, FG-3301E, FG-3400E, FG-3401E, FG-3500F, FG-3501F, FG-3600E, FG-3601E, FG-3700D, FG-3700F, FG-3701F, FG-3960E, FG-3980E, FG-4200F, FG-4201F, FG-4400F, FG-4401F, FG-4800F, FG-4801F, FG-5001E, FG-5001E1, FG-6000F, FG-7000E, FG-7000F |
FortiWiFi | FWF-40F, FWF-40F-3G4G, FWF-60E, FWF-60E-DSL, FWF-60E-DSLJ, FWF-60F, FWF-61E, FWF-61F, FWF-80F-2R, FWF-80F-2R-3G4G-DSL, FWF-81F-2R, FWF-81F-2R-3G4G-DSL, FWF-81F-2R-POE, FWF-81F-2R-3G4G-POE |
FortiGate VM | FG-ARM64-AWS, FG-ARM64-AZURE, FG-ARM64-GCP, FG-ARM64-KVM, FG-ARM64-OCI, FG-VM64, FG-VM64-ALI, FG-VM64-AWS, FG-VM64-AZURE, FG-VM64-GCP, FG-VM64-HV, FG-VM64-IBM, FG-VM64-KVM, FG-VM64-OPC, FG-VM64-RAXONDEMAND, FG-VM64-XEN |
FortiFirewall | FFFW-1801F, FFW-2600F, FFW-3001F, FFW-3980E, FFW-4200F, FFW-4400F, FFW-4401F, FFW-4801F, FFW-VM64, FFW-VM64-KVM |
Resolved issues:
Anti Virus
Bug ID | Description |
---|---|
948197 | Large file downloads may intermittently stall when flow-based UTM and SSL deep inspection are enabled. |
977634 | FortiOS High Security Alert block page reference URL is incorrect. |
993785 | When logged in as an administrator with Security Fabric access permissions set to none, trying to create a new antivirus profile on the Security Profiles > Antivirus page shows an error. |
Application Control
Bug ID | Description |
---|---|
934197 | Selected applications will disappear after searching or filtering for other applications in override. |
982147 | Users cannot create application control profiles using the GUI or CLI. |
Data Loss Prevention
Bug ID | Description |
---|---|
977334 | Users cannot download files more than 5MB in size using FPX when SSL deep inspection and DLP profiles are enabled. |
DNS Filter
Bug ID | Description |
---|---|
804790 | SDNS server latency increases by 15 seconds when a request times out. This increase may give a perception that this server is unreachable or has a latency value that doesn’t reflect real-world conditions. |
875072 | The DNS filter prevents web connectivity with NPU acceleration. |
Endpoint Control
Bug ID | Description |
---|---|
937462 | The Assets – FortiClient monitor widget still shows an online/registered VPN entry even when the VPN tunnel is down. |
979811 | The ZTNA channel is not cleaned when overwriting old lls entries. |
1007809 | On FortiGate, anonpages and active(anon) pages frequently use a high amount of memory, causing FortiGate to enter into conserve mode. |
Explicit Proxy
Bug ID | Description |
---|---|
830418 | Website content does not load properly when using an explicit proxy. |
978473 | Explicit proxy policy function issues when matching external-threat feed categories. |
980752 | Applications on the BOX cannot be started through proxy. |
983897 | Traffic that should not be matching a policy is incorrectly matching an allow policy or a deny policy. |
1001700 | If explicit webproxy uses SAML authentication and the PAC file is enabled at the same time, the browser will report a too many redirects error when trying to visit any websites. |
1006362 | Debug daemon may be blocked while handling client connection and increases the GUI load time. |
1020976 | Traffic is stuck going through a web proxy policy with NTLM authentication. |
1021050 | RSSO authentication connection fails in explicit proxy policy. |
File Filter
Bug ID | Description |
---|---|
1004198 | .exe files in ZIP archives are not blocked by file-filter profiles during CIFS file transfers. |
Firewall
Bug ID | Description |
---|---|
921658 | SD-WAN IPsec egress traffic shaping is not working when traffic offloading is enabled on an NP7 unit. |
951422 | Unable to download files larger than 30MB using FortiGate AWS with AV and IPS enabled in proxy mode. |
958311 | The firewall address list may show an incorrect error for an unresolved FQDN address. This is purely a GUI display issue; the FQDN address can be resolved by the FortiGate and traffic can be matched. |
966466 | On an FG-3001F NP7 device, packet loss occurs even on local-in traffic. |
969255 | On the Policy & Objects > Services page, administrators with firewall read-write permission cannot delete service entries. |
970179 | Unrelated route changes will cause the existing session to be marked dirty. |
972473 | WAD crashes when using load balancing with SSL offloading. |
973388 | TCP state of a session was not updated properly. |
976651 | On the Policy & Objects > Firewall Policy page, adding a global threat feed to a policy displays an error message – Invalid entries – and is not available to select in the Source field. |
976713 | A Hello Retry Request message is not sent from the FortiGate during an SSL offload configured by config firewall ssl-server. |
977641 | In transparent mode, multicast packets are not forwarded through the bridge and are dropped. |
979802 | On the Policy & Objects > Firewall Policy page, changing a policy action hides the NAT toggle, IP pool configuration field, and Security Profiles field in the GUI. |
981283 | NAT64/46 HTTP virtual server does not work as expected in the policy. |
981907 | Global Search does not return results for a full or partial IP address search. |
985057 | The set holddown-interval command description in the CLI is incorrect. |
985419 | On the Policy & Objects > Firewall Policy page, the Log violation traffic checkbox displays as being unchecked when the policy is configured and reopened for editing. This is purely a GUI display issue and does not impact system operation. |
987397 | When creating or editing an entry on the Policy & Objects > Virtual IPs page in the GUI, if a subnet source filter is added after an IP range source filter in the Optional Filters section, an error message – Invalid source filter IP address/subnet/range – is shown and the settings cannot be saved. |
996876 | Adding IPv6 address group memberships to a policy using FortiGate REST API does not work as expected. |
1008863 | SNAT type port-block-allocation does not work as expected in NAT64. |
1012239 | When creating a new policy using the GUI in TP mode, NAT is automatically enabled. |
FortiGate 6000 and 7000 platforms
Bug ID | Description |
---|---|
638799 | The DHCPv6 client does not work with vcluster2. |
639064 | On FortiGate 6000F models, there is no information on FPCs available for traffic matching the firewall policy with srcaddr-negate enabled. |
787604 | Transceiver information is unavailable for FPM/FIM2 ports in the GUI. |
887946 | UTM traffic is blocked by an FGSP configuration with asymmetric routing. |
910883 | The FortiGate 6000s or 7000s in an FGSP cluster may load balance FTP data sessions to different FPCs or FPMs. This can cause delays while the affected FortiGate 6000 or 7000 re-installs the sessions on the correct FPC or FPM. |
938475 | On FortiGate 7000E models, a memory usage issue occurs when multiple threads try to access VLAN group. |
940541 | A permanent MAC address is used instead of an HA virtual MAC address during automation. |
973407 | FIM installed NPU session causes the SSE to get stuck. |
978241 | FortiGate does not honor worker port partition when SNATing connections using a fixed port range IP pool. |
983236 | Under normal conditions, a FortiGate 6000 or 7000 may generate event log messages due to a known issue with a feature added to FortiOS 7.2 and 7.4. The feature is designed to create event log messages for certain DP channel traffic issues but also generates event log messages when the DP processor detects traffic anomalies that are part of normal traffic processing. This causes the event log messages to report false positives that don't affect normal operation. For example, DP channel 15 RX drop detected! messages can be created when a routine problem is detected with a packet that would normally cause the DP processor to drop the packet. Similar discard messages may also appear if the DP buffer is full. |
994241 | On FortiGate 7000F using FGSP and FGCP, when TCP traffic takes an asymmetric path, the TCP ACK and data packets might be dropped in NP7. |
1003879 | Incorrect SLBC traffic-related statistics may be displayed on the FortiGate 6000 or FortiGate 7000 GUI (for example, in dashboard widgets). This can occur if an FPC or FPM is not correctly registered for statistic collection during startup. This is purely a GUI display issue and does not impact system operation. |
1013046 | On FortiGate 6000 and 7000 models, interested traffic cannot trigger the IPsec tunnel. |
1025926 | After a firmware upgrade, the configuration does not synchronize because the sdn connector password is unmatched. |
FortiView
Bug ID | Description |
---|---|
941521 | On the FortiView Web Sites page, the Category filter does not work in the Japanese GUI. |
945448 | On the Asset Vulnerability Monitor page, filtering by FortiClient user does not show any results. |
1009287 | CPU usage issue caused by ending multiple sessions using the FortiView Sessions page. |
GUI
Bug ID | Description |
---|---|
848660 | A read-only administrator may encounter a Maximum number of monitored interfaces reached error when viewing an interface bandwidth widget for an interface that does not have the monitor bandwidth feature enabled. |
896008 | The GUI-based CLI widget has display issues on wide resolution screens. |
908670 | A No language entry found for error message occurs when loading the GUI. This is purely a GUI display issue and does not impact system function. |
931486 | Unexpected behavior in httpsd when the user has a lot of FQDN addresses. |
957441 | On the Firmware & Registration page, the GUI displays a Cannot determine mkey for cmdb source entry. error message. This is purely a GUI display issue and does not impact system function. |
961796 | When administrator GUI access (HTTPS) is enabled on SD-WAN member interfaces, the GUI may not be accessible on the SD-WAN interface due to incorrect routing of the response packet. |
961797 | In a new page layout, changes made (saves or edits) in the Virtual IP page may produce a warning pop-up message on the screen. |
964386 | GUI dashboards show all the IPv6 sessions on every VDOM. |
970528 | The hsts-max-age is not enforced as set under config system global. |
972887 | The interface firewall object created automatically is not found by a firewall policy search with IP address. |
974988 | FortiGate GUI should not show a license expired notification due to an expired device-level FortiManager Cloud license if it still has a valid account-level FortiManager Cloud license (function is not affected). |
975403 | On the System > Replacement Messages page, the ? is removed from custom replacement messages. |
979508 | The Operational Technology category cannot be turned on or off from the GUI. The option to enable/disable the Operational Technology category on application control profiles when hovering the mouse over the category name is missing. |
981244 | On the FortiGate GUI, IPsec or GRE configurations are missing when using set type tunnel. |
983422 | A GTP profile cannot be applied to policy using the GUI. |
996845 | When saving a packet capture, the file name saves as a generic file name with no identifiable information. |
1006079 | When changing administrator account settings, the trusthost10 setting is duplicated. |
1013455 | On the FortiGate GUI, inter-VDOM links are not available for packet capture. |
HA
Bug ID | Description |
---|---|
956577 | For SSL VPN users, some endpoint logs are generated on the secondary HA vcluster VDOM. |
962491 | Some long lasting TCP established sessions expire on the HA secondary unit earlier than on the primary unit. |
962525 | In HA mode, FortiGate uses ha-mgmt-interface as the portal for the DNS resolver, even if this port may not be able to reach the DNS server. |
962681 | In a three member A-P cluster, the DHCP lease list (execute dhcp lease-list) might be empty on secondary units. |
964412 | The firewall does not detect that the secondary HA unit has been upgraded and returned to the cluster. |
964427 | There is a session count discrepancy when the firewall is configured without NAT. |
964828 | Enabling HA direct prevents users from changing the interface as the set-interface command is hidden in the CLI. |
970334 | The vcluster2 on a Secondary HA unit does not use session-sync-dev to synchronize sessions to FGSP peer unit. |
971075 | The last interface belonging to the non-root management VDOM is not visible when accessing the GUI using the HA management interface. |
972163 | Under heavy traffic, some sessions are not fully synchronized to the FGCP secondary unit. |
972896 | No configuration error when restoring a configuration with incorrect config firewall wildcard-fqdn custom entries, resulting in an HA-unsync status. |
974749 | TCP/SCTP sessions count mismatch in an HA pair in A-P mode. |
976024 | VXLAN traffic does not pass through after HA cluster failover. |
976160 | In a FortiGate HA, the unit periodically produces a warning message for a missing sync file. |
985237 | Output is missing from the diagnose sys ha vlan-hb-monitor command. |
1000001 | A secondary HA unit may go into conserve mode when joining an HA cluster if the FortiGate’s configuration is large. |
1004215 | Local out traffic from the primary HA unit uses the wrong interface when SNMP points to the secondary HA unit. |
Hyperscale
Bug ID | Description |
---|---|
961684 | When DoS policies are used and the system is under stress conditions, BGP might go down. |
967017 | TCP or UDP timer profiles configured using config system npu may not work as intended. |
975264 | Hyperscale should not support threat feed addresses with the negate option. |
976972 | New primary can get stuck on failover with HTTP CC sessions. |
981918 | Hyperscale policy loses the cgn-log-server-grp setting with log mode per-mapping when the system reboots. |
994019 | Hairpin traffic may not work due to a rare situation caused by a race condition. |
1016478 | When modifying existing policies with a BOA loaded configuration, NPD is not working as expected. |
1018125 | When a service or address is applied in a deny policy, traffic is still allowed to flow to that service or address. |
1024313 | The template for the netflow v9 log packets is not included in the configuration. |
Intrusion Prevention
Bug ID | Description |
---|---|
782966 | IPS sensor GUI shows All Attributes in the filter table when IPS filters with default values are selected in the CLI. |
1000223 | HTTPS connections to a Virtual IP (VIP) on TCP port 8015 are incorrectly blocked by the firewall, displaying an IPS block page even when no packet from the outside to TCP port 8015 should reach the internal VIP address. |
IPsec VPN
Bug ID | Description |
---|---|
564920 | IPsec VPN fails to connect if ftm-push is configured. |
914418 | File transfer stops after a while when offloading is enabled. |
950012 | IPsec traffic may stop for the SOC4 platform due to a rare error condition. |
950445 | After a third-party router failover, traffic traversing the IPsec tunnel is lost. |
965915 | After an HA failover, static gateway IPsec routing fails. |
966085 | IKEv2 authorization with an invalid certificate can cause tunnel status mismatch. |
968080 | Shortcut negotiation cannot trigger when traffic flows over an existing shortcut unless auto-discovery-forwarder is set on the spoke. |
968218 | When the IPsec tunnel destination MAC address is changed, tunnel traffic may stop. |
968376 | Changes to the IPsec tunnel type from a static to dialup user on the GUI does not change the actual configuration. |
974648 | Editing existing IPsec aggregate members does not update in the bundle list. |
977486 | On FortiGate, a Tunnel Mode IPsec VPN policy cannot be created using the GUI. |
978243 | Unable to send all prefixes through FortiClient using dial-up IPsec VPN split tunnel to macOS devices. |
982599 | When a NAT port is changed between two static IPsec endpoints, the new port cannot be applied on the tunnel. |
996625 | Unable to create a FortiClient dial-up VPN with certificate authentication because a peer CA certificate cannot be selected. |
998229 | Traffic loss is experienced on inter-region ADVPN tunnels after phase 2 rekey. |
999619 | The IPsec peer name check process is not working as expected when configuring static and dynamic tunnels in a certain order. |
1009732 | If there are more than 2000 dialup IPsec tunnel interfaces used in multiple FortiGate firewall policies, an IKE policy update may not be able to complete before the IKE watchdog timeout. |
Log & Report
Bug ID | Description |
---|---|
872493 | Disk logging files are cached in the kernel, causing high memory usage. |
954565 | Although there is enough disk space for logging, IPS archive full message is shown. |
957130 | When running version 7.2.3 of FortiGate, log retrieval speed from FortiAnalyzer is slow. |
960661 | FortiAnalyzer report is not available to view for the secondary unit in the HA cluster on the Log & Report > Reports page. |
967692 | The received traffic counter is not increasing when the traffic is HTTPS with webfilter. |
972087 | Logs entries are still visible in General System Events after being excluded from the disk logging filter. |
973673 | The monitor-failure-retry-period is not working as expected when the log daemon restarts the next oftp connection after a connection timeout. |
978526 | The configuration attribute cfgattr="password[*]" does not appear in the log when password-policy is enabled. |
985508 | SYN/ACK traffic is blocked when set allow-traffic-redirect is enabled. |
987261 | In the webfilter content block UTM log in proxy inspection mode, sentbyte and rcvdbyte are zero. |
996551 | The UTM Log for blocking unknown-content-encoding is shown under the utm-webfilter when a web filter profile is not applied. |
1005171 | After upgrading to version 7.0.14, the system event log generates false positives for individual ports that are not used in any configuration. |
Proxy
Bug ID | Description |
---|---|
900546 | DNS proxy may resolve with an IPv4 address, even when pref-dns-result is set to IPv6, if the IPv4 response comes first and there is no DNS cache. |
915404 | Proxyd did not account for all RFC-compliant SMTP pipelining cases. |
922093 | CPU usage issue in WAD caused by source port exhaustion when using WAN optimization. |
947814 | Too many redirects on TWPP after the second KRB keytab is configured. |
955990 | Captive portal reappears repeatedly in the browser after importing user credentials. |
965966 | An error condition occurred in WAD due to heavy HTTP video traffic when using a video filter profile with deep inspection enabled. |
1000653 | The proxy policy does not validate IP addresses in the XFF when an HTTP address is sent by AGW. |
1010718 | The proxy policy is deleted from the configuration without notification after an upgrade. |
1012965 | Deep inspection and web filter for an explicit proxy policy do not work if profile-protocol-options has additional ports for HTTP. |
1016970 | High memory usage in WAD causes FortiGate to enter into conserve mode. |
REST API
Bug ID | Description |
---|---|
964424 | REST API GET /ips/sensor/{name} adds an extra space to the locations, severity, protocol, os, and application field values. |
984499 | REST API query /api/v2/monitor/system/ha-peer does not return the primary attribute of an HA cluster member. |
Routing
Bug ID | Description |
---|---|
792512 | The dashboard Session widget cannot display the correct IPv6 session count per VDOM. |
924693 | On the Network > SD-WAN > SD-WAN Rules page, member interfaces that are down are incorrectly shown as up. The tooltip on the interface shows the correct status. |
935886 | SD-WAN packet duplication feature in force mode suddenly stops duplicating and starts to duplicate again once the FortiGate is rebooted. |
943333 | When an SD-WAN health check is configured, the IPv6 interface address of a shortcut cannot be pinged. |
966681 | FortiGate cannot ping an IPv6 loopback address. |
969671 | GRE tunnel, established over a VLAN that has been created on specific interface types, may reference non-existent device indexes due to the reloading of VLANs. |
974921 | When creating or editing a rule on the Network > Routing Objects page, if the weight is set to 0 the changes are not saved. |
977215 | SD-WAN health check with state = dead moves between 100% and 0% packet loss while the state stays the same. |
977327 | DTLS with SSL VPN not working as expected on multiple ports that are within the same SD-WAN zone. |
977751 | BGP advertisement and Route-Reflector advertisement do not advertise additional routes after first table is announced and encoded. |
978204 | BFD/BGP dropping when outbandwidth is applied. |
978683 | The link-down-failover command does not bring the BGP peering down when the IPsec tunnel is brought down on the peer FortiGate. |
983172 | After traffic switching, ingress and egress ports do not follow the correct session. |
984478 | The SD-WAN Rules GUI page keeps loading. |
984612 | After upgrading from 7.2.5 or 7.2.6, management access and ZTNA Access Proxy do not work when accessed from external networks. |
985539 | SD-WAN health check logs are not generated for ADVPN shortcuts. |
989840 | Issue with PIM neighborship over an IPsec tunnel with NP offload. |
1000433 | The IPv6 route with dynamic gateway enabled cannot be configured after an upgrade and reboot. |
1001556 | VXLAN does not match SD-WAN rule when a service is specified. |
1006703 | OSPF logs for neighbor status are not generated when using multiple VRFs. |
1009907 | The OSPF daemon does not function as expected causing routing to stop working after an HA cluster failover. |
1012895 | The set-regexp command does not function as expected in the extcommunity-list. |
Security Fabric
Bug ID | Description |
---|---|
789237 | Support the use of loopback IP as the source for Security Fabric connections. |
941728 | Email notifications not working as expected for automation Reboot stitch. |
956423 | In HA, the primary unit may sometimes show a blank GUI screen. |
958429 | The webhook request header does not contain Content-type: application/json when using the JSON format. This causes Microsoft Teams to reject the request. |
966740 | On the Security Fabric > Security Rating page, the format of the Unused Policies test Last Used date is incorrect. |
967842 | Error message Fail to retrieve FortiView data displays when switching from the CSF root summary page to CSF child summary page. |
968585 | The automation stitch triggered by the FortiAnalyzer event handler does not work as expected. |
968621 | Erroneous memory allocation resulting in unexpected behavior in csfd after upgrading. |
972921 | The comments are not working as expected in the threat feed list for the domain threat feed. |
984127 | FortiGate shows the wrong notification to setup an upstream device that is not a FortiGate to the Security Fabric. |
985198 | The IP address threat feed connection status indicates an Other Error. |
988526 | Address object changes from the CLI of the root FortiGate in Security Fabric are not synchronized with downstream devices. |
990703 | In certain scenarios, dynamic addresses managed by the Azure SDN connector may be removed leading to potential network interruptions. |
1003503 | Optimizing federated auto-firmware upgrade with FortiGate, FortiSwitch, and FortiAP. |
SSL VPN
Bug ID | Description |
---|---|
821240 | Erroneous memory allocation observed in SSLVPNVD caused by a rare error condition. |
905050 | Intermittent behavior in samld due to an absent crucial parameter in the SP login response may lead to SSL VPN users experiencing disconnections. |
906756 | Update SSL VPN host check logic for unsupported OS. |
951827 | SSL VPN client certificate verification failed after importing the VDOM user peer CA certificate into the global VDOM. |
979000 | FortiGate does not execute the radius disconnect request from FortiAuthenticator. |
979590 | On FortiOS, the OS checklist for SSL VPN does not include macOS Monterey 12.7.x for host check. |
981310 | SSL VPN Web mode experiences intermittent traffic disruption due to the non-standard response of the users web server. |
987501 | On FortiGate, the GRE tunnel stops sending traffic after an upgrade. |
999378 | When the GUI tries to write a QR code for the SSL VPN configuration to the file system to send in an email, it tries to write it in a read-only folder. |
Switch Controller
Bug ID | Description |
---|---|
899414 | On the WiFi & Switch Controller > WiFi maps page Diagnostics and Tools panel, and on the WiFi & Switch Controller > FortiSwitch Clients page, the status of the LACP interface is incorrectly shown as down when it is up. This is a GUI issue that does not affect the operation of the LACP interface. To view the correct status of the LACP interface, go to the WiFi & Switch Controller > FortiSwitch Ports page, or use the CLI. |
911232 | Security rating shows an incorrect warning for unregistered FortiSwitches on the WiFi & Switch Controller > Managed FortiSwitches. |
984404 | After upgrading to version 7.4.2, the FortiSwitch shows as not registered in the GUI. |
988335 | If a user’s network has more than 20 MAC addresses in a NAC environment, it is possible for the CAPWAP to come down. |
989015 | The SWC switch port does not have all of the speed options compared to FortiSwitch. |
1000663 | The switch-controller managed-switch ports’ configurations are getting removed after each reboot. |
System
Bug ID | Description |
---|---|
733096 | The unused ports of an FG-100F HA secondary flap from down to up, then back to down. |
782710 | Traffic going through a VLAN over VXLAN is not offloaded to NP7. |
811367 | Ports 33-35 constantly show suspect messaging in the transceiver output. Affected platforms: FG-2600F and FG-2601F. |
820268 | VIP traffic access to the EMAC VLAN interface uses incorrect MAC address on NP7 platform. |
880271 | Aggregate interface (LAG) dropping traffic. |
882131 | PPPoE interface with SFP does not recover after a connectivity failure. |
882187 | FortiGate enters conserve mode in a few hours after enabling UTM on the policies. |
882862 | LAG interface members are not shutting down when the remote end interface (one member in the LAG) is down. |
883606 | FortiOS allows customers to enable or disable the INDEX extension that appends the VDOM or interface index in RFC tables. |
901721 | In a certain edge case, traffic directed towards a VLAN interface could trigger an error condition in the kernel. |
910364 | CPU usage issue in miglogd caused by constant updates to the ZTNA tags. |
912092 | FortiGate does not send ARP probe for UDP NP-offloaded sessions. |
920349 | Connectivity was lost after creating new VDOM and NPU_VLINK. |
921604 | On the FortiGate 601F, the ports (x7) have no cables attached but the link LEDs are green. |
924143 | Logs for the failed-login-attempt lock duration are not consistent with the configuration. |
925554 | On the Network > Interfaces page, hardware and software switches show VLAN interfaces as down instead of up. The actual status of the VLAN interface can be verified using the command line. |
929896 | Unable to configure a 9600 baud-rate on DNP3-Proxy. |
930803 | Unable to monitor DSL parameters and the get sys dsl status command shows errors. |
938449 | In the 4.19 kernel, when a neighbor’s MAC is changed, the session and IPsec tunnel cannot be flushed from the NPU. |
952284 | A FortiGate with 2G of memory enters conserve mode when a node uses 20% of the memory. |
953140 | FG-1801F silently drops forward traffic at the NP7 modules. |
954529 | The diagnose npu sniffer stop command can lead to a traffic outage. |
957135 | EMAC-VLAN interface uses two MAC addresses when it should only use an internally generated MAC address. |
960643 | IP addresses with an expired quarantine period might not be removed from quarantine. |
960707 | Egress shaping does not work on NP when applied on the WAN interface. |
962153 | A port that uses a copper-transceiver does not update the link status in real-time. |
964465 | Administrator with read-write permission for WiFi and read permission for network configuration cannot create SSIDs. |
964820 | Traffic forwarding on Dialup VPN IPSec does not work as expected when npu-offload is enabled. |
966187 | Unable to set a static ARP entry on the EMAC VLAN interface. |
968134 | FortiGate 200F experiences a performance issue due to Marvell switch HOL mode. |
968421 | IPsec experiences traffic loss when inbound-dscp-copy and npu-offload are enabled on FFW-4401F. |
971109 | FortiGate does not forward requests for some devices causing VoIP devices to not get IP addresses on the network. |
971404 | Session expiration does not get updated for offloaded traffic between a specific host range. |
974740 | FortiGate 2600F does not set 10G ports to 100G. |
974746 | Changing interface settings causes the cluster to reboot and leads to a kernel interruption. |
975496 | FortiGate 200F slow download and upload speeds when traversing from a 1G to a 10G interface. |
975895 | FortiGate locks when Configuration save mode is set to Manual and triggers a reboot. |
977231 | An error condition occurred in fgfm caused by an out-of-band management configuration. |
977740 | Transparent-mode VDOM system switch-interface and Firewall policies deleted after a power cycle. |
981685 | On the FortiGate 4400F, high CPU usage by random CPU cores in the system space. |
982200 | FortiGate enters into conserve mode due to excessive memory usage by Slabs. |
982651 | Security mode 802.1X authentication happens every hour on a hardware switch with 7.2 code. |
983102 | FortiGate uses one core causing CPU usage to go to 99%. |
984696 | Network usage is not accurately reported by the get system performance status command. |
986698 | The NP7 should use the updated MAC address from the ARP table to forward traffic to the destination server. |
988528 | With NGFW mixed traffic, the CPU usage goes to 99%. |
995395 | Typo in the set ipv6-allow-local-in-slient-drop command. |
1001498 | On FortiGate, TCP and UDP traffic cannot pass through with dos-offload enabled. |
1001601 | A kernel interruption on FortiGate prevents it from rebooting after an upgrade with a specific configuration. |
1002766 | FortiGate prevents selecting an interface as an option for the traceroute, SSL, and Telnet services. |
1003349 | CPU usage issue in WAD after upgrading from 7.4.1 to 7.4.3 when using address group member. |
1008049 | The I2C bus becomes stuck during an upgrade due to an error in the switch-config-init command. |
1009853 | Outgoing traffic from EMAC-VLAN uses default cos tag when traffic is not offloaded. |
1012518 | Some FortiGate models on NP6/NP6Lite/NP6xLite platforms experience unexpected behavior due to certain traffic conditions after upgrading to 7.2.8. Traffic may be interrupted momentarily. |
1015955 | On FG-140E models, an interruption occurs in the kernel after an upgrade, preventing the device from properly booting up. |
1018787 | On FortiGate, a TCAM issue prevents ports from being mapped properly. |
Upgrade
Bug ID | Description |
---|---|
925567 | When upgrading multiple firmware versions in the GUI, the Follow upgrade path option does not respect the recommended upgrade path. |
952828 | The automatic patch upgrade feature overlooks patch release with the Feature label. Consequently, a FortiGate running 7.4.2 GA does not automatically upgrade to 7.4.3 GA. |
955810 | Upgrading FortiOS is unsuccessful due to unmount shared data partition failed error. |
977281 | After the FortiGate in an HA environment is upgraded using the Fabric upgrade feature, the GUI might incorrectly show the status Downgrade to 7.2.X shortly, even though the upgrade has completed. This is only a display issue; the Fabric upgrade will not recur unless it is manually scheduled. |
981863 | FortiGate encounters an error ftar:215 Unrecognized archive format during a firmware upgrade. |
999324 | FortiGate Pay-As-You-Go or On-demand VM versions cannot upload firmware using the System > Firmware & Registration > File Upload page. |
1017519 | Auto firmware-upgrade may run when a FortiGate is added to a FortiManager that is added behind a NAT. |
User & Authentication
Bug ID | Description |
---|---|
825561 | 2FA push for FAC token and FTC will not start the push notification process without user input on the browser. |
893475 | When using the TACACS test server button in a FortiGate environment with HA-direct interface enabled, the traffic originates from the cluster interface instead of the designated ha-direct interface. |
934096 | If AD password policy is not met, the password change is not set without a clear message to the user. |
934263 | After authentication in the authorization portal, page loading stalls and the user is not redirected to the configured redirect-url. |
960230 | After the authentication timeout setting value is reached, the Time Left value on the Firewall User Monitor > Firewall Users > Time Left page increases to thousands of days. |
VM
Bug ID | Description |
---|---|
938382 | OpenStack Queens FortiGate VM HA heartbeat on broadcast is not working as expected. |
954962 | The Client Hello packet is delayed connecting to FortiGate proxy-based mode and certificate inspection in an AWS GWLB environment using a GENEVE interface. |
967134 | An interrupt distribution issue may cause the CPU load to not be balanced on the FG-VM cores. |
996389 | AWS SDN Connector stops processing caused by the IAM external account role missing the sts:AssumeRole value. |
998208 | The FortiGate-VM system stops after sending an image to the HA secondary during a firmware upgrade due to a different Flex-VM CPU license. |
1006570 | VPN tunnels go down due to IKE authentication loss after a firmware upgrade on the VM. |
VoIP
Bug ID | Description |
---|---|
1004894 | VOIPD experiences high memory usage and enters into conserve mode. |
WAN Optimization
Bug ID | Description |
---|---|
1017543 | HTTPS over wanopt traffic cannot pass when using ssl half mode in an ssl server. |
Web Filter
Bug ID | Description |
---|---|
983759 | User internal IP address is visible on the internet through certificate. |
1002266 | Web filtering does not update rating servers if there is a FortiGuard DNS change. |
1013866 | On FortiOS, the category action change is not saved if the category number is the same as the existing entry ID. |
1004985 | The web filter cookie override was triggered without error and an override entry was created on the FortiGate, but client access remained blocked by the old profile and the client received a replacement message with an override link, just as on the initial access that triggered the override. |
WiFi Controller
Bug ID | Description |
---|---|
883021 | Is the FortiGate 100F RFC 2865 compliant and, if yes, why does the FortiGate not always re-authenticate after the Session-Timeout value? |
883938 | Flooded wireless STA traffic seen in L2 tunneled VLAN (FG-1800F). |
915715 | On a secondary FortiGate in an HA cluster, user and vlan-id values do not show up when using the diagnose wireless-controller wlac -d sta online command in the CLI. |
950379 | The diagnostics of online FortiAPs shows Link Down in the trunk port Connected Via field when the FortiAP has an LACP connection to a FortiSwitch. |
965695 | Join/leave is repeated between FortiAP 421E and FortiGate 100E at multiple sites. |
982626 | Application httpsd does not work as expected when selecting an MPSK setting in any MPSK-enabled VAP using the GUI. |
983019 | HA synchronization issue with FortiAP causes connectivity flapping when managed by a secondary VM. |
994752 | Memory usage causes the secondary HA node to enter conserve mode. |
998578 | On FortiGate devices running 7.4.2 or 7.4.3, managed FortiAP-W2 devices might randomly go offline. |
1001104 | Some FortiAP 231F units show join/leave behavior after the FortiGate is upgraded to 7.2.7. |
1003070 | On FortiGate, the sta count is not accurate when some wireless clients connect to APs managed by FortiGate. |
1018107 | Unable to manage FortiAP from FortiGate. |
ZTNA
Bug ID | Description |
---|---|
975342 | ZTNA TFAP access using a FQDN private server does not work if a ZTNA tag is not set on the policy. |
1020565 | Users visiting ZTNA SaaS applications on a web browser cannot reach the page and are given an error message. |
Vendor notes: FortiOS 7.4.4 Release Notes
Best regards,
The B&B Team
Security in business