Fortinet, a vendor of IT security solutions, has released the latest update to its FortiOS operating system, version 7.4.9. The new version contains significant fixes that affect the stability and reliability of FortiGate devices. In particular, it resolves an issue on FortiGate 100E/101E models, which in certain situations stopped responding: the graphical interface, SSH access and the console were unavailable, and restoring connectivity required rebooting the device. In addition, the behaviour of the execute shutdown command has been fixed; previously it could cause the system to restart automatically after it was run. A bug affecting FortiGate 10xF models has also been fixed, in which the speed settings of ports 13–20 could change by themselves to 1000full after the device was rebooted. Detailed information on all changes can be found later in the article.
Resolved issues:
Application Control
Bug ID | Description |
---|---|
1047112 | Performance degradation occurs when IoT database is enabled with Application Control. |
DNS Filter
Bug ID | Description |
---|---|
1150842 | Dynamic DNS updates are not forwarded to the DNS server according to transparent-dns-database when using a conditional DNS forwarder for the non-authoritative zone. |
1159583 | DNS Filter Rating Servers license not reflected in CLI for 71F when using Single FortiGuard HA license in HA cluster with logical-sn setting. |
Endpoint Control
Bug ID | Description |
---|---|
1090981 | Non-web ZTNA application configurations fail to sync with EMS after initial setup when FortiGate is connected to multiple EMS connectors. |
1113593 | EMS connector is getting disconnected when using a third-party certificate for verification, resulting in loss of tags and denied traffic. |
1142301 | ZTNA tag in "View matched endpoint" on GUI might not match backend data. |
Explicit Proxy
Bug ID | Description |
---|---|
979401 | Cannot choose IPv6 address pool in explicit proxy policy. |
1056600 | Unexpected behavior occurs during WAD module initialization on FortiGate devices due to improper dependency management leading to order issues or missing dependencies. |
1103272 | SSL certificates are misapplied when FortiGate processes requests with deny actions in proxy policies. |
1116834 | Authentication pop-up does not appear when accessing HTTPS websites via FortiGate with Explicit Proxy when authentication rules, webproxy-forward-server, and certificate-inspection are configured in proxy-policy. |
1166344 | WAD session freeze when using explicit proxy with HTTP2 enabled in VDOM UKT-Proxy. |
1177548 | In session-mode SAML authentication, "400 Bad Request" occurs when accessing CP address. |
1178564 | Intermittent policy denied issue occurs when explicit proxy policy is configured with SD-WAN zones in outgoing interface. |
Firewall
Bug ID | Description |
---|---|
1004263 | Session counters are not being updated when ASIC offload is enabled on firewall policy. FortiGate GUI is displaying incorrect information in the "Bytes" and "Last Used" columns. |
1088905 | Virtual server HTTP health-check is always using IP address as a host even when the full URL is configured in http-get. |
1116161 | Traffic shaping statistics are not provided when using QTM on NP7. |
1138259 | Traffic breaks when deleting a VLAN interface built upon an NPU VDOM link. |
1148166 | Source port translation was not permitted with traffic to UDP port 7001. |
1159576 | Traffic shaping fails when type is set to queuing in the shaping-profile |
1162875 | IPv6 traffic is blocked without sending RST packets when send-deny-packet is enabled for 4.19 kernel. |
1163826 | When non-TCP/UDP traffic passing through the Hyperscale VDOM, the selected SNAT IPPool can be wrong in NAT Source function call. |
1186615 | When modifying a policy, the "Re-enable filters" option automatically activates, and the policy not being edited is highlighted. |
1188448 | Traffic drop occurs when configuring virtual wire pair to inspect 802.1Q double tagged VLAN traffic. |
1191592 | Traffic is misrouted to the FortiGate login page when a VIP with an unresolved FQDN-mapped address is configured. |
1025078, 1086315 | Some customers observed memory usage increase and client session not disconnecting when using virtual server. |
FortiGate 6000 and 7000 platforms
Bug ID | Description |
---|---|
1104569 | FortiGate FPM hangs after upgrade when confsynchbd fails to release a lock due to file permission issue. |
1146580 | Traffic stats aggregation issue occurs when using M ports in FGSP setup. |
1147340 | Duplicated interface entries occur in FortiGate HA configuration merges when the same interface is processed across multiple cycles without successful resolution, causing persistent sync failures and redundant log entries. |
1149342 | BGP flapping occurs when concurrent IP address management causes unexpected source IP usage on outbound connections during FortiGate VDOM migrations. |
1159714 | Unexpected behavior observed on certain FortiGate models when configuration changes follow enabling cfg-save revert due to unresolved netdevice references in the np7 driver. |
1170088 | RADIUS authentication fails when connecting to secondary chassis slots 2 to 4. |
1171521 | In some cases, after a FortiGate 7000F chassis restart, an FPM may hang while logging in, resulting in the FPM being out of synch with the chassis. This happens because confsynchbd becomes stuck after receiving a management heartbeat from the primary FIM. The issue can occur any time the chassis restarts, including after a firmware upgrade. Workaround: The active SMM and the primary FIM must both be in the same slot (for example, FIM1 and SMM1). This is not a permanent fix, the issue can occur if the chassis restarts. |
1173230 | Traffic loss occurs when FIM on standby unit is rebooted in HA A-P setup on 7KE model. |
1173455 | Cluster out-of-sync when adding or deleting VDOMs with long names in HA mode. |
1173956 | Too many addresses included in EMA Tag entry are not properly inserted as dynamic address objects, causing traffic to fail because traffic could not properly match the related firewall policy. |
1181032 | Confsync out of sync occurs when configuring an ACME certificate. |
1183735 | Graceful upgrades lead to unintended primary claiming by FortiGate units during HA resynchronization. |
GUI
Bug ID | Description |
---|---|
1040164 | Interface X1/X2 does not display on the GUI-Network-Interface page faceplate for FortiGate-90G Gen2. |
1112727 | Force FortiCare/FortiCloud registration, and only allow exception from a new BIOS setting. |
1139922 | Cannot rename authorized FortiSwitch. |
1145475 | Multicast traffic dropped when adding/removing interface bandwidth widget on dashboard. |
1146621 | When editing an SSL VPN policy in the GUI after creating the policy in the CLI, user/group is not requested. |
1149411 | Increased Node.js memory usage occurs, caused by erroneous memory allocation. |
1152464 | The DHCP reservation widget incorrectly validates based on the subnet instead of individual IP addresses. |
1153415 | Multiple GUI errors occur when attempting to view or refresh FMG settings on FortiGate devices managed by FortiManager. |
1156109 | Console prints error when logging in to the GUI with dns ssl-certificate set to Fortinet_Factory. |
1156219 | NAC policy deletion fails from the GUI. |
1160891 | Incorrect inbound traffic values appear on the bandwidth widget for EMAC VLAN interfaces when configured over physical interfaces. |
1162818 | Proxy policy GUI page keeps loading when using user.certificate in ZTNA proxy-policy. |
1170298 | Admin timeout occurs when 'admintimeout 0' is set in the admin profile. |
1175241 | After performing a search in the policy list, sections cannot be collapsed, causing delays in operations. |
1177282 | Failure to save changes occurs when reordering NAC policies via GUI on FortiGate models after upgrade. |
1178020 | Administrative-access option FMG-Access is not available on the GUI when FIPS-CC mode is enabled. |
1179698 | GUI error when editing the IPsec tunnel. |
1198609 | Memory usage issues caused by Node.js forking occur when using the JIT optimizer in V8. |
HA
Bug ID | Description |
---|---|
984306 | Session synchronization fails when encryption is enabled in FGSP with IPsec VPN setup. |
1017177 | A WAD processing issue causes the SNMP to not respond in an HA cluster. |
1033083 | HA sessions are not synchronized properly, causing a high number of sessions on the primary unit, and the standby unit enters into conserve mode. |
1068674 | PBA logs missing during HA failover. |
1133589 | HA cluster fails to form when FIPS-CC is enabled. |
1143361 | Downtime occurs when upgrading HA cluster with HA encryption or authentication enabled. |
1148845 | LDAP authentication fails when ha-direct is enabled |
1151668 | Interface bandwidth widget doesn’t display HB and Managed port. |
1162432 | Split brain occurs when renaming IPsec phase1-interface in a HA cluster with a lot of VDOMs. |
1163147 | Token license activation fails when using a virtual serial number (vSN) on a new HA FortiGate. |
1168328 | Mgmt interface is lost when joining a device to a cluster with system dedicated-mgmt enabled. |
1170958 | HA status shows as 'Unknown' when changing HA group ID. |
1171987 | HA not synced after modifying one-time schedule when cfg-save is manual. |
1172590 | An error condition occurs in FortiGate when running the diag sys ha nonhaconf command on the secondary node in an HA cluster. |
1178208 | VLAN HB link monitor stops working when HA Group-ID is set above 255. |
1179351 | FortiGate failed to load the private keys for factory certificates to fgfmd due to incorrect classification. |
1179821 | Intermittent connectivity loss occurs to HA secondary management IP after upgrade to v7.4.8. |
1191128 | Intermittent traffic disruption occurs when the secondary FortiGate is rebooting in HA mode. |
Hyperscale
Bug ID | Description |
---|---|
1153963 | System error when an IPv6 FTP client uses passive mode in NAT64 and the IPv4 FTP server responds with a non-standard response to the PASV command. |
1155548 | With host logging (log2host) enabled, session counts may begin to rise after a few days of operation. This rise in session count can reduce throughput and CPS performance. |
1159964 | Incorrect duration of hardware sessions occurs when the system is up for a long time. |
Intrusion Prevention
Bug ID | Description |
---|---|
1157185 | High CPU usage occurs in IPS engine when traffic looping happens due to incorrect VRF validation in local-out path. |
1158024 | Packet drops and lower CPU utilization on FPC blades when using IPv6 traffic with np-accel-mode enabled and auto-asic-offload. |
IPsec VPN
Bug ID | Description |
---|---|
1031789 | FortiClient connecting to FGT IPsec VPN with EAP-TTLS authentication does not get TFA push. |
1045098 | IPv6 traffic is blocked on newly configured IPsec VPN over loopback interface, and reboot needed to fix it. |
1057309 | Add IPsec SAML external browser support. |
1063528 | Incorrect MTU settings prevent fragmented packets from being properly offloaded in IPsec tunnels, causing high CPU usage on FortiGate models. |
1063737 | High CPU usage occurs when using IPsec tunnel with fragmented packets and UDP frame size of 1600B. |
1101897 | Abnormal spikes in VPN traffic sent bytes occur when counters roll back due to race conditions. |
1125487 | Gateway switching fails during IKE session resumption when moving from a FortiGate model without Azure AD auto-connect enabled to one with it due to missing mode communication. |
1127782 | Traffic is dropped by anti-spoof check when passing traffic through phase2 transport mode with GRE encap. |
1128662 | BGP peering fails to establish when a race condition occurs between FortiGate OS and NPU driver during IPsec SA updates for dynamic hub-to-static spoke VPNs. |
1133207 | Tunnel establishment fails for multiple FortiGate clients when using DHCP-over-IPSec dial-up VPNs during high concurrent connection attempts. |
1137665 | OSPF Hello packets cannot be received via VPN after IPsec Rekey when NAT-T is set to 'forced'. |
1140823 | IPsec tunnels become stuck on spoke np6xlite, causing ESP packet drops after extended operation due to improper vifid formation during multiple rekey operations. |
1141865 | Decrypt counters do not update when SA is offloaded. |
1147023 | VPN traffic halts unexpectedly on the spoke when FEC is disabled during connection cleanup after failed phase 1 negotiations, affecting dynamic tunnel handling. |
1149340 | Fragmented packets are not sent out on vpn-id-ipip IPsec tunnel when npu-offloading is enabled |
1152486 | Unable to select policy-based IPsec tunnel in the firewall policy for SD-WAN member while configuring in GUI. |
1153984 | Authentication error occurs when IPsec-IKEv2 tunnel is configured with FortiToken Cloud. |
1162740 | Multicast traffic above 1350 bytes does not flow through the IPsec aggregate tunnel when using pre-encapsulation. |
1167952 | Packets with payload larger than 10K and smaller than 15K are dropped when using IPsec tunnel as egress interface with nTurbo enabled |
1169860 | L2TPD encountered an internal error. |
1172040 | Returning packets take a different path when TCP transport is used with multiple default routes in the routing table. |
1173228 | Default route is added when no IP is available for VPN IPsec RA IKEv2. |
1180987 | VPN tunnels may not come up after HA failover events, causing routes via these VPN tunnels to not be added to the routing table. |
1190688 | High CPU usage occurs when changing firewall policies in a FortiGate device with a large number of policies. |
1192598 | IPsec phase1-interface option 'loopback-asymroute' is not available for IKEv1. |
1195400 | Re-authentication failure occurs when using IPsec IKEv1 after upgrade. |
1200669 | VPN setting is deleted after device reboot when password policy is enabled and pre-shared key length meets minimum requirements. |
Log & Report
Bug ID | Description |
---|---|
998215 | Frequent API queries to add and remove objects can result in a memory usage issue on FortiGate. |
1005223 | Unmatched custom service name appears in traffic log when source port range is defined in custom service |
1074236 | FGT cannot connect to FortiAnalyzer: hostname resolution failed. |
1113588 | FortiGate prompts error 'Fetching data from Disk is taking longer than expected. Suggest trying a different log source or check the availability of Disk.' when viewing logs for the last 7 days from disk or FortiAnalyzer. |
1116428 | Observed "Device vulnerability lookup on FortiGuard" under the system event log in high frequency. |
1130821 | Incomplete log entries occur when attack-context logging is enabled for attacks involving long user-agent strings. |
1139748 | Different logs appear when unplugging PS1 and PS2 on FortiGate. |
1143662 | Username truncation occurs in application logs when it exceeds 31 characters |
1148101 | Logs fail to appear in FortiAnalyzer, and FortiView sources are missing from the Dashboard. |
1182491 | Traffic logs are not displayed when loading from disk in the FortiGate GUI. |
1183091 | Security event logs do not load when accessing the 'Security' tab for Forward Traffic. |
Proxy
Bug ID | Description |
---|---|
859182 | WAD encounters an error condition when configuration changes affect certificate verification processes with Crypto KXP enabled. |
1088822 | Traffic drop occurs when using proxy-inspection with iOS 18 and HTTP/3 enabled |
1107594 | Slow website loading occurs when using certificate inspection with proxy inspection-mode in HA Active-Active mode. |
1116771 | Add a limit on the memory used by user-device-store as a percentage of the total system memory. |
1118701 | Connection issues for Kentik application using http2 gRPC occur with proxy and deep inspection. |
1155858 | RD Gateway fails behind HTTPS Virtual Server when using WebSocket upgrade. |
1177929 | Memory usage issues occur in WAD when handling a large number of sessions. |
1183893 | Handshake failure occurs when using explicit web proxy with deep inspection to access HTTPS websites through HTTP requests. |
REST API
Bug ID | Description |
---|---|
1110811 | HTTPSD crash due to a memory leak in the libjson-c library when the monitor/virtual-wan/health-check API returns an error and response is not free correctly. |
Routing
Bug ID | Description |
---|---|
969992 | FortiGate devices may route SCTP traffic using outdated routes instead of the current optimal path when certain conditions are met. |
1036123 | BFD for BGP takes interface BFD config instead of multi-hop config when BFD is enabled on both OSPF and BGP. |
1097855 | IPv6 traffic may be sent to the wrong destination interface or route, causing connectivity issues. |
1112999 | High CPU utilization occurs when multicast traffic is forwarded across VxLAN from spoke to spoke. |
1134485 | Failed to sniff the VNE tunnel interface. |
1142290 | An error message appears in FortiGate when attempting to add the ssl.root interface to a route-map via the GUI. |
1156431 | PIM error when receiving PIM Assert with SSM enabled during HA failover. |
1171689 | Incorrect route selection occurs during BGP redistribution with route maps due to improper handling of parent protocol distances. |
1193788 | BGP TCP Auth Options key-chain is not applied to the BGP neighbor, causing the neighborship to not establish. |
SD-WAN
Bug ID | Description |
---|---|
1130683 | Shortcut isn’t triggered in certain cases due to the error "found duplicate in ike_check_update_addr_key". |
1139734 | High latency occurs when a large number of established and monitored shortcuts are present on the FortiGate. |
1155927 | SD-WAN service events are not logged in SD-WAN events when using SD-WAN rules in standalone mode. |
1157493 | SD-WAN rule with multiple mac address entries only uses the first mac address when address type is mac. |
Security Fabric
Bug ID | Description |
---|---|
1012476 | Automation stitches are not synced to downstream FortiGate memory when using CSF external sync API. |
1149817 | Security Fabric > Physical Topology: Fortilink Tier2 switch shows directly connected to FortiGate on Security Fabric > Physical Topology page. The correct topology can be seen on the WiFi & Switch Controller > Managed FortiSwitches > Topology view. |
1150382 | Security profile names containing two forward slashes (//) cause the webpage to become unresponsive when attempting to edit. |
1166189 | When using the OCI SDN connector, dynamic IP addresses are not fetched correctly if the target compartment contains more than 100 VNICs. |
1170605 | FortiGate Security Fabric fails to connect with 120G Fabric root. |
1174762 | Security Ratings incorrectly fail for FortiAP firmware upgrades because the version check does not account for patch numbers. |
1180555 | Configured IP Address Threat Feed is not connected when pushed via FMG or CLI. |
SSL VPN
Bug ID | Description |
---|---|
1026102 | SSL VPN encounters a CPU usage issue in the daemon after updating the language from the GUI. |
1036557 | Performance degradation occurs in SSL VPN due to connection/session timeout management issues. |
1042164 | Memory usage issues occur when user-peer is used and user login fails in SSL VPN. |
1091173 | SSL VPN performance drop. |
1110039 | SSL VPN connection remains active when host-check-interval is set and auth-timeout expires. |
1124222 | Intermittent connection disruption occurs when using SSL VPN web mode to SSH to Cisco routers with authentication banners. |
1126825 | SSL VPN stops functioning when ssl.root interface is added to a zone used by at least one policy. |
1143541 | An error condition occurs in SSL VPN after receiving FortiClient UUID with empty value. |
1164811 | SSL VPN web mode shows Access Denied error after upgrade on 2GB models. |
Switch Controller
Bug ID | Description |
---|---|
961142 | An interface in FortiLink is flapping with an MCLAG FortiSwitch using DAC on an OPSFPP-T-05-PAB transceiver. |
1064814 | Random CPU spikes and for cu_acd process. |
1092043 | Dynamic VLAN not visible on GUI. |
1105000 | Aggregate FortiLink went down, and needed to manually down/up the interface. |
1114032 | The GUI becomes slow or unresponsive when transceiver-related API requests fail. |
1137213 | Extension device registration fails through GUI when FortiCare agreement acknowledgment flag is reset after updates. |
1138263 | FortiSwitch port configurations fail to update, and GUI-display issues occur when user-info process overloads system resources with excessive connections. |
1141909 | The 10G port on FortiGate-120G is not coming up when connected to a FortiSwitch S148F port using a 10G DAC cable. |
1144076 | High CPU usage occurs in cmdbsvr when FortiLink is enabled, and FortiLink interfaces are connected to the firewall. |
1146176 | Config sync error on managed FSW after upgrade when "Name" field and port exported are configured on the same FSW. |
1148894 | Firmware update status shows as up-to-date for managed FSW when it’s actually not on FortiGate. |
1149256 | Renamed FSW failed to sync to secondary FGT. |
1155476 | Preconfigure support added for recent FortiSwitch models including FSR-216F-FPOE, FSR-112F-POE, FSR-108F, FS-110G-FPOE, and FS-124G/124G-FPOE. |
1155546 | Duplicate entries occur in the switch-controller managed-switch list when renaming a managed-switch. |
1159594 | Verified managed FSW page and related page can load properly. |
1173801 | High CPU usage occurs when Cu_ACD process is handling FortiSwitch event logs in FortiGate-3501F with large number of switches deployed. |
1174647 | FortiLink connections may not display correctly in the FortiGate GUI Topology view when using MCLAG aggregation. |
1183135 | Filtering by allowed VLANs fails to display expected results when using certain FOS versions. |
1193309 | High CPU usage occurs in cu_acd and fortilinkd processes when managing a large number of FortiSwitches after upgrade. |
System
Bug ID | Description |
---|---|
828849 | No "Diagnostics" information is available for Avago AFBR-79EBPZ Bidi transceivers on FortiGate when using the get system interface transceiver command. |
900936 | The fnbamd service may terminate unexpectedly due to erroneous memory handling during certificate authentication, if DNS responses include both IPv4 and IPv6 addresses and one (e.g., IPv6) is unreachable. |
908309 | LLDP packets not received on management interface when LLDP is enabled on certain FortiGate models. |
918574 | Unintended traffic sent to public servers occurs when cloud-communication and include-default-servers settings are disabled on FortiGate models. |
991285 | Broadcasts are unexpectedly forwarded between VxLAN peers when certain FortiGate models are configured as hubs in a Hub-Spoke topology. |
992323, 1056133, 1075607, 1082413, 1084898 | Traffic interrupt when traffic shaping is enabled on 9xG and 12xG. |
999816 | FortiGate 100E/101E become unresponsive (No GUI, SSH, console) and requires reboot to regain access. |
1046484 | After shutting down FortiGate using the "execute shutdown" command, the system automatically boots up again. |
1057094 | Disabling GRE auto-asic-offload on a FortiGate model causes traffic to be dropped due to unrecognized GRE tunnels, likely because the kernel fails to process them without proper configuration post-disabling. |
1061796 | Inaccurate traffic counters display for EMAC-VLAN interfaces when VLAN ID is set to 0 and traffic is offloaded to the NPU. |
1064241 | FortiGate 100E-series models sometimes become unresponsive. |
1065869 | SCTP CRC check option is not available on NP7lite platform like 91G/121G. |
1084819 | FGT80F/81F LACP/shared ports wan1 and wan2 are down after an upgrade or reboot due to hardware shared-port medium changes. |
1096537 | High CPU usage occurs when making configuration changes with a large number of policies. |
1099770 | NP7 drops encrypted GRE packets that have checksum bit set (1) due to invalid checksum. |
1102417 | Huawei LTE modem E3372 not recognized on FGT-90G. |
1113436 | Packets are dropped when using auto-asic-offload with 802.1AD over LACP on FortiGate due to missing MAC address assignment on QinQ lag interfaces. |
1120907 | High traffic load on a particular interface causes packet loss on other interfaces of the FortiGate. |
1121078 | TX Power levels are missing when using FTL4E1QE1CFTN QSFP+ER transceivers on FortiGate devices. |
1122446 | GPS location updates fail to occur when the GPS signal reception is poor on FortiGate devices. |
1130803 | Port13-20 speed setting changes to 1000full after FortiGate 10xF reboot. |
1140755 | When attempting to delete a software switch interface, it becomes permanently hidden due to an unreverted, temporary flag. |
1141832 | Interface inbound/outbound information is not displayed on the bandwidth widget and CLI when using VLAN interfaces with NP6 platform. |
1141907 | Unexpected behavior occurs when deleting IPv6 reflect session. |
1142785 | False SNMP alerts occur when a non-installed power supply unit is detected. |
1144387 | FortiGate 50G DSL fails to acquire an IP address from a DSL modem. |
1145397 | When editing user exemption configurations via the GUI on FortiGate devices, unexpected behavior occurs due to a mismatch between GUI and CLI data structures. |
1146354 | The network interface settings page fails to load on certain FortiGate models when the admin profile does not have the System > Configuration > Read/Write permission. |
1149508 | WAN interface goes down when share-port medium type changes to 'copper' after upgrading FortiGate-80F-DSL. |
1155410 | High memory consumption occurs when node.js encounters catastrophic failures and creates excessive logs. |
1156262 | An "Input value is invalid." error appears when configuring the maximum number of sessions in FortiGate’s global resources. |
1156561 | NP7lite platforms might encounter high softirq issue and stop processing traffic after running for one month. |
1157490 | Temperature is out of range with unreasonably high value. |
1158975 | FortiGate does not establish VNE tunnel caused by a failure to commit DNS servers to the CMDB after receiving a DHCPv6 information request. |
1159425 | Unused power supply log appears in diagnose alertconsole list when a redundant power supply is not used. |
1162489 | The SFP WAN1 and WAN2 ports on the FGT-80F device remain down after a reboot when the speed is set to 100M. |
1163814 | Memory usage issues occur when newcli processes are not deleted after their parent sshd process died. |
1164174 | Configuration loss occurs when FortiGate enters conserve mode. |
1164761 | SFP+ direct attach cables are shown as "compliance is unspecified" by the "get system interface transceiver" command. |
1164836 | NTP server unable to be set with 64 digit key in FIPS-CC mode. |
1167426 | High CPU usage occurs in the linkmtd daemon when large traffic is present. |
1168786 | 100G ports turn up after reboot when administratively down on platforms with Marvell switch like FortiGate 480xF. |
1170282 | FortiGate HA becomes out of sync after provisioning a certificate by using ACME protocol. |
1170291 | WWAN interface fails to get IP address when 'auto-connect' feature is enabled. |
1172295 | Key in router key-chain is not sent in auto-update to FortiManager from FortiGate when creating key-chain and key at the same time. |
1173177 | High CPU usage occurs when making a configuration change on FortiGate-6301F devices, causing CPU Core0 to spike on all FPC and MBD. |
1175221 | The 100full speed option is missing for the shared SFP ports of the FortiGateRugged-60F. |
1178583 | DHCP relay strips DHCP END Option (255) when relaying DHCP packets. |
1180084 | ZTP deployments fail on FortiGate 9xG Gen2 devices because DHCP client mode is not configured by default on interfaces a and b. |
1181444 | USB-Tethering fails to work on FortiGate 91G when configuring it as a WWAN connection. |
1193889 | Certificate error occurs when connecting to FAZ via SSH. |
Upgrade
Bug ID | Description |
---|---|
1173968 | FPMs go to dead state after upgrade. |
1196352 | FortiExtender configuration is removed after upgrade. |
User & Authentication
Bug ID | Description |
---|---|
1017348 | Memory usage by fsso_ldap daemon increases continuously when the LDAP server responds with "LDAP_UNWILLING_TO_PERFORM" due to a mishandled memory allocation issue. |
1042987 | NTLM authentication does not work after upgrade. |
1105305 | Guest users are not removed after their configured expiry time on certain FortiGate models. |
1118212 | Captive portal authentication fails after FortiToken push notification approval during RADIUS authentication with FAC for remote groups. |
1122979 | Custom NAS-ID not sent to RADIUS server when testing connectivity via GUI. |
1134368 | LDAP server becomes unreachable when 'set mfa-mode subject-identity' is configured under the user peer settings, or ha-direct enabled with source-ip. |
1146635 | fnbamd issue during certificate authentication when multiple DNS replies contain both IPv4 and IPv6 parts. |
1156903 | CLI authentication test fails when RADIUS server has require-message-authenticator setting disabled. |
1163152 | RADIUS stops working on secondary unit when HA secondary connects to a RADIUS server using UDP. |
1177318 | Factory default certificates not displaying certificate information in the CLI for FortiGate-201G models. |
1193697 | Emails with FortiToken codes are not sent due to an SSL error when using SMTPS port 465. |
VM
Bug ID | Description |
---|---|
1113362 | FGT_VM64_AZURE cannot establish connection with other FGTs in the Security Fabric tree. |
1157674 | Incorrect system time occurs when FortiGate-VM64-GCP boots up on GCP. |
1159433 | DPDK error when traffic reaches more than 4GBps. |
1161380 | License becomes invalid when system time is incorrect on FortiGate VM64-GCP devices. |
1172050 | Packet-rate information is missing for some interfaces when running the diagnose netlink interface packet-rate command on FortiGate-ARM64-AWS. |
1194713 | ARM_KVM/GCP/OCI unable to format shared data partition on ARM VMs. |
Web Filter
Bug ID | Description |
---|---|
1046300 | User input ID check doesn’t exclude its current-configured ID. |
1141367 | Intermittent traffic disruption occurs when using Safari browser with proxy-based inspection and certificate inspection enabled. |
1156789 | Web filter settings category name, block screen category name, and log category name are translated into different Japanese when using web filter profile on FortiGate. |
1177015 | Webfilter logs are not generated when https-replacement-message is disabled in proxy-policy with DPI |
WiFi Controller
Bug ID | Description |
---|---|
1039985 | Erroneous memory allocation observed in the CAPWAP function on NP6 and NP6XLite platforms due to a rare error case. |
1147416 | Samsung s22 cannot connect WPA3-SAE SSID from local-radio of FWF-70G. |
1161023 | Groups of WiFi clients are lost after roaming to a different AP, causing unintended behavior in network policies. |
1174782 | The client fails to authenticate and gets disconnected from the access point when initiating Fast BSS transition (FT) roaming with MAC authentication enabled. |
1177859 | When FWF local radio is in non-root VDOM, WiFi users encounter connectivity issues. |
1189187 | The AP profile’s auto-transmit power range adjusts unexpectedly when a single endpoint is modified. |
ZTNA
Bug ID | Description |
---|---|
1037749 | An error occurs when changing user SAML SP login/logout URL in ZTNA access. |
1096134 | Failed to apply updated SAML auth configuration after switching IdP from one to another until reboot. |
1121978 | Adding new HTTPS/HTTP ZTNA server mappings via GUI fails with a duplicate entry error, while attempting to exit after cancellation alters existing entries’ URLs. |
Vendor release notes: FortiOS 7.4.9
Best regards,
The B&B Team
Bezpieczeństwo w biznesie