Fortinet has released FortiOS 7.6.4, an update that contains security fixes and feature fixes that may affect the overall operation of the devices. Among the many changes to IPsec VPN, note the fix for the authentication error that occurred when an IPsec IKEv2 tunnel was configured with FortiToken Cloud (bug 1153984) and the general stability improvements for tunnels on NP7-based devices. Bugs in SD-WAN were also fixed, including a case in which traffic could be unexpectedly forwarded through a different SD-WAN member (bug 1147720). More details are in the article below.
Supported devices:
Supported models
FortiOS 7.6.4 supports the following models.
Product | Models |
---|---|
FortiGate | FG-40F, FG-40F-3G4G, FG-50G, FG-50G-5G, FG-50G-SFP, FG-50G-DSL, FG-50G-SFP-POE, FG-51G, FG-51G-5G, FG-51G-SFP-POE, FG-60F, FG-61F, FG-70F, FG-70G, FG-70G-POE, FG-71F, FG-71G, FG-71G-POE, FG-80F, FG-80F-BP, FG-80F-DSL, FG-80F-POE, FG-81F, FG-81F-POE, FG-90G, FG-91G, FG-100F, FG-101F, FG-120G, FG-121G, FG-200E, FG-200F, FG-200G, FG-201E, FG-201F, FG-201G, FG-300E, FG-301E, FG-400E, FG-400E-BP, FG-401E, FG-400F, FG-401F, FG-500E, FG-501E, FG-600E, FG-601E, FG-600F, FG-601F, FG-800D, FG-900D, FG-900G, FG-901G, FG-1000D, FG-1000F, FG-1001F, FG-1100E, FG-1101E, FG-1800F, FG-1801F, FG-2000E, FG-2200E, FG-2201E, FG-2500E, FG-2600F, FG-2601F, FG-3000D, FG-3000F, FG-3001F, FG-3100D, FG-3200D, FG-3200F, FG-3201F, FG-3300E, FG-3301E, FG-3400E, FG-3401E, FG-3500F, FG-3501F, FG-3600E, FG-3601E, FG-3700D, FG-3700F, FG-3701F, FG-3960E, FG-3980E, FG-4200F, FG-4201F, FG-4400F, FG-4401F, FG-4800F, FG-4801F, FG-5001E, FG-5001E1, FG-6000F, FG-7000E, FG-7000F |
FortiWiFi | FWF-40F, FWF-40F-3G4G, FWF-50G, FWF-50G-5G, FWF-50G-SFP, FWF-50G-DSL, FWF-51G, FWF-60F, FWF-61F, FWF-70G, FWF-70G-POE, FWF-71G, FWF-80F-2R, FWF-80F-2R-3G4G-DSL, FWF-81F-2R, FWF-81F-2R-3G4G-DSL, FWF-81F-2R-POE, FWF-81F-2R-3G4G-POE |
FortiGate Rugged | FGR-50G-5G, FGR-60F, FGR-60F-3G4G, FGR-70F, FGR-70G, FGR-70G-5G-Dual, FGR-70F-3G4G |
FortiFirewall | FFW-1801F, FFW-2600F, FFW-3001F, FFW-3501F, FFW-3980E, FFW-4200F, FFW-4400F, FFW-4401F, FFW-4801F, FFW-VM64, FFW-VM64-KVM |
FortiGate VM | FG-ARM64-AWS, FG-ARM64-AZURE, FG-ARM64-GCP, FG-ARM64-KVM, FG-ARM64-OCI, FG-VM64, FG-VM64-ALI, FG-VM64-AWS, FG-VM64-AZURE, FG-VM64-GCP, FG-VM64-HV, FG-VM64-IBM, FG-VM64-KVM, FG-VM64-OPC, FG-VM64-RAXONDEMAND, FG-VM64-XEN |
FortiGate 6000 and 7000 support
FortiOS 7.6.4 supports the following FG-6000F, FG-7000E, and FG-7000F models:
Series | Models |
---|---|
FG-6000F | FG-6001F, FG-6300F, FG-6301F, FG-6500F, FG-6501F |
FG-7000E | FG-7030E, FG-7040E, FG-7060E |
FG-7000F | FG-7081F, FG-7121F |
Resolved issues:
Agentless VPN (formerly SSL VPN web mode)
Bug ID | Description |
---|---|
1115577 | Add customization support for the SSL-VPN header replacement message. |
1134189 | Connection refused occurs when using custom landing page in agentless VPN portal on FortiGate. |
1143541 | An error condition occurs in sslvpn after receiving FortiClient UUID with an empty value. |
Anti Spam
Bug ID | Description |
---|---|
1098623 | A closing character ">" of an HTML tag is missing in the replacement message of the antispam URL spam submission text when FortiGate processes spam emails. |
Anti Virus
Bug ID | Description |
---|---|
1080003 | FGT memory gradually increases when FGT Flow AV Profile is inspecting TCP 6200 traffic with outbreak prevention enabled. |
Application Control
Bug ID | Description |
---|---|
1118703 | Web traffic designated as blocked is allowed due to the config entry priority in the application control profile. |
1136103 | App categories fail to display in NGFW mode due to undefined object causing JavaScript TypeError during app category data access. |
DNS Filter
Bug ID | Description |
---|---|
1134108 | The IPS engine memory usage increases rapidly when a flow-based policy uses an external Threat Feed with over 1M domain entries, causing device unresponsiveness. |
1144986 | DNS service disruption occurs when FortiGate is deployed as a DNS proxy with DNS filtering enabled and an unreachable SDNS server is preferred. |
1150842 | Dynamic DNS updates are not forwarded to the DNS server according to transparent-dns-database when using a conditional DNS forwarder for the non-authoritative zone. |
Endpoint Control
Bug ID | Description |
---|---|
1142301 | ZTNA tag in "View matched endpoint" on the GUI might not match backend data. |
Explicit Proxy
Bug ID | Description |
---|---|
1034891 | Web application using SAML IDP authentication in POST method via SWG on FortiGate gets a 303 response and the payload in the post request gets discarded. |
1096263 | Intermittent 504 errors occur when an IPv6 HTTP request followed by an IPv4 request in the same pipeline goes through explicit proxy with outgoing-ip. |
1116834 | Authentication pop-up does not appear when accessing HTTPS websites through FortiGate with Explicit Proxy when authentication rules, webproxy-forward-server, and certificate-inspection are configured in proxy-policy. |
1136596 | Incorrect status display occurs when editing proxy policies for hard/software switches on some FortiGate models. |
1139784 | Machine account is treated as NULL user in Kerberos and fails to authenticate via Kerberos. |
1144818 | Download failure occurs when accessing https://7-zip.de for domain objects.githubusercontent.com. |
Firewall
Bug ID | Description |
---|---|
1004263 | Session counters are not being updated when ASIC offload is enabled on a firewall policy. The FortiGate GUI displays incorrect information in the "Bytes" and "Last Used" columns. |
1057080 | On the Firewall Policy page, search results do not display in an expanded format. |
1108236 | Incorrect logs are displayed when viewing matching logs for an implicit deny policy due to an invalid filter operator. |
1114635 | Not able to filter address object by CIDR notation. |
1131860 | A two to three minute delay occurs when enforcing policy changes to existing or new traffic due to linear duplicate address checks during iprope updates. |
1140803 | With interface policy configured with IPS enabled, UDP port 4500 traffic is not offloaded due to incorrect session flag f02 after ICMP unreachable packet is received. |
1142813 | Filtering by comments fails when quick-editing firewall policies in the Firewall Policy page. |
1148161 | An erroneous MAC address is used on SOC4 platforms when traffic offloads EMAC-VLAN to VLAN traffic to the NPU. |
1148166 | Source port translation was not permitted with traffic to UDP port 7001. |
1155687 | DNAT incorrect in later FTP data packets, and FTP data session gets reset when FTP server responds with public IP in PASV mode. |
1158137 | Traffic is blocked when UTM and Nturbo are enabled in firewall policy for np7lite platforms. |
1160083 | Expected session using its parent session’s policy ID in the session list is confusing and makes policy match look wrong. |
1162875 | IPv6 traffic is blocked without sending RST packets when send-deny-packet is enabled for 4.19 kernel. |
FortiGate 6000 and 7000 platforms
Bug ID | Description |
---|---|
1014826 | SLBC does not function as expected with IPsec over TCP enabled. |
1060864 | Ports fail to establish or exhibit CRC/input errors when 100G QSFP28 LR transceivers are used with FIM-7920E and Cisco ASR in specific setups. |
1103810 | 100G SFPs are experiencing compatibility issues with the 7060E at Turkcell. |
1113805 | Firewall policy statistics reset after reboot on FGT-6k devices caused by improper persistence of aggregated data. |
1117663 | Unexpected behavior in the bcm.user process after a factory reset can sometimes prevent the FPMs from booting up. |
1131541 | SSL VPN load balance settings remain active in FortiOS configurations where SSL VPN tunnel mode has been removed. |
1135891 | The PSU status incorrectly shows as "Critically High" on the GUI dashboard widget. |
1147340 | Duplicated interface entries occur in FortiGate HA configuration merges when the same interface is processed across multiple cycles without successful resolution, causing persistent sync failures and redundant log entries. |
1149342 | BGP flapping occurs when concurrent IP address management causes unexpected source IP usage on outbound connections during FortiGate VDOM migrations. |
1153360 | Counter values fail to match totals and may overflow during continuous clearing in certain FortiGate models. |
1159714 | Unexpected behavior observed on certain FortiGate models when configuration changes follow enabling "cfg-save revert" due to unresolved netdevice references in the np7 driver. |
1170210 | FGT Wireless controller Wifi client cannot ping GW/FGT interface. Pass through traffic works fine. |
1171521 | In some cases, after a FortiGate 7000F chassis restart, an FPM may hang while logging in, resulting in the FPM being out of sync with the chassis. This happens because confsynchbd becomes stuck after receiving a management heartbeat from the primary FIM. The issue can occur any time the chassis restarts, including after a firmware upgrade. |
1172922 | SDN dynamic address synchronization flaps or fails when SDN connectors are frequently enabled and disabled. |
1183735 | Graceful upgrade from 7.2.10/11 to 7.4.9 build 2812 fails because HA secondary cannot take HA primary. |
FortiView
Bug ID | Description |
---|---|
1133164 | Subnet filtering fails for firewall users due to partial API support. |
1138980 | A read-only profile admin user tries to change the FortiView source time range, and it is logged as an edit by the system admin in system events. |
1139219 | The Quarantine widget experiences delays when loading the complete IP list. |
1141357 | Session counts beyond a certain limit are not displayed on FortiView, device icons are missing from FortiView pages, and quarantine actions do not reflect in the Log Viewer. |
GUI
Bug ID | Description |
---|---|
264694 | When a firewall user logs in via the GUI using RADIUS with FortiToken, no accounting request is generated. |
853352 | When viewing entries in slide-out window of the Policy & Objects > Internet Service Database page, users cannot scroll down to the end if there are over 100K entries. |
919473 | Network > Interfaces: When there is an IPsec tunnel bound to an interface, Interface Integrate for that interface fails. |
1126162 | Hostname pop-up window shows a "failed to retrieve info" error on the System > HA page. |
1129254 | Unexpected behavior occurs when attempting to save L2TP dialup tunnel configurations using SD-WAN members on some FortiGate models. |
1130636 | The FortiConverter window reappears after closing even when Don’t show again is selected. |
1131500 | Some interface bandwidth widgets do not show historical information. |
1137821 | Failed to open the CLI console from a downstream FGT GUI with error "Connection lost." with SAML SSO admin login. |
1138359 | Can’t open CLI console when logging in with SSO account. |
1139922 | Cannot rename authorized FortiSwitch. |
1140317 | FAP/FSW registration status appears vacant on Firmware & Registration page. |
1143611 | User/groups objects disappear after editing firewall policy. |
1145475 | Multicast traffic dropped when add/remove interface bandwidth widget on dashboard. |
1146621 | When editing an SSL VPN policy in the GUI after creating the policy in the CLI, user/group is not requested. |
1148930 | Exported FSW ports to tenant VDOM are not displayed on the GUI when the tenant VDOM has a FortiLink, causing virtual switches to be filtered out due to the lack of a fsw-wan1-peer attribute. |
1150591 | Node.js encounters an error when attempting to read the property from a null value, causing unintended behavior on some FortiGate models. |
1151414 | Unable to connect to FortiSwitch CLI via Diagnostics and Tools. |
1152464 | DHCP reservation from DHCP monitor page checks DHCP IP range instead of subnet/netmask. |
1153294 | Custom HTML content does not render correctly on login pages when configured through the FortiGate web interface or CLI. |
1154487 | GUI page times out when never timeout option is enabled for the admin profile. |
HA
Bug ID | Description |
---|---|
794395 | The secondary unit in an HA cluster would display messages indicating that external resources were not in sync, despite the resources being correctly synchronized. |
1017177 | A WAD processing issue causes the SNMP to not respond in a HA cluster. |
1080655 | HA synchronization fails after configuration changes on FortiGate devices due to improper handling of a hasync flag in the fgfmd daemon. |
1126274 | VDOM is created unexpectedly when changing VRRP priorities on multiple interfaces if standalone-config-sync is enabled. |
1133589 | HA cluster fails to form when FIPS-CC is enabled. |
1135008 | When the link monitor fails, the initial HA cluster failover does not happen immediately until pingserver-flip-timeout expires. |
1136097 | HA state may become out of sync due to a race condition caused by missing local-in ipropes. |
1141528 | High CPU usage occurs when FortiGate secondary unit is started in Azure vWAN SD-WAN NGFW with Dynamic rerouting. |
1143361 | Downtime occurs when upgrading HA cluster with HA encryption or authentication enabled. |
1143791 | The heartbeat interface default route is lost and HA fails to sync when changing the interface mtu-override option. |
1151668 | The interface bandwidth widget does not display the HB and managed ports. |
1162432 | Split brain occurs when renaming an IPsec phase1-interface on a device with a lot of VDOMs. |
1172590 | An error condition occurs in FortiGate when running the diag sys ha nonhaconf command on the secondary node in an HA cluster. |
1179351 | FortiGate failed to load the private keys for factory certificates into fgfmd due to incorrect classification. |
Hyperscale
Bug ID | Description |
---|---|
1089281 | On FG-480xF/FFW-480xF, using an npu-group other than "0" with log2host at around 1M CPS could result in the NP chip getting stuck. |
1155548 | With host logging (log2host) enabled, session counts may begin to rise after a few days of operation. This rise in session count can reduce throughput and CPS performance. |
Intrusion Prevention
Bug ID | Description |
---|---|
1117043 | Fatal errors occur when the IPS engine sends requests with zero-length data segments to IPSA. This issue only affects physical FortiGate models with the following IPS engine versions: To determine the IPS Engine versions, use the command: `get sys fortiguard-service status \| grep 'IPS/FlowAV Engine'` |
1122188 | Internal diagnostic commands fail or delay when ipsmonitor processes each request sequentially due to sequential forwarding to IPS daemon processes. |
1149760 | Inline-IPS fails to match sensor locations for the "Web.Server.Password.File.Access" signature because it incorrectly reverses traffic direction definitions. |
IPsec VPN
Bug ID | Description |
---|---|
979591 | Changes to IPsec phase1 fragmentation settings do not take effect immediately when made on dynamic configurations. |
995912 | VPN tunnels exhibit instability following an upgrade, with processes stuck during NP7 debugging due to improper prioritization of certain packets. |
1063528 | Incorrect MTU settings prevent fragmented packets from being properly offloaded in IPsec tunnels, causing high CPU usage on FortiGate models. |
1068626 | SOC4 platform IPsec traffic stops unexpectedly because the IPsec outbound path hangs. |
1101897 | Abnormal spikes in VPN traffic sent bytes occur when counters roll back due to race conditions. |
1128662 | BGP peering fails to establish when a race condition occurs between FortiGate OS and NPU driver during IPsec SA updates for dynamic hub-to-static spoke VPNs. |
1133207 | Tunnel establishment fails for multiple FortiGate clients when using DHCP-over-IPSec dial-up VPNs during high concurrent connection attempts. |
1135490 | Static route towards remote side of IPsec tunnel becomes inactive when tunnel IP address is configured. |
1140823 | IPsec tunnels become stuck on spoke np6xlite, causing ESP packet drops after extended operation due to improper vifid formation during multiple rekey operations. |
1145219 | IPsec tunnels drop unexpectedly during rekeying when using certificate authentication with multiple dialup gateways and peer-initiated SA_INIT requests. |
1145391 | IPsec VPN tunnel fails to establish when QKD is required. |
1145411 | Changing the ip-fragmentation setting on dynamic IPsec phase1 does not take effect immediately after modification due to an issue with the change handler function in certain FortiOS builds. |
1147023 | VPN traffic halts unexpectedly on the spoke when FEC is disabled during connection cleanup after failed phase 1 negotiations, affecting dynamic tunnel handling. |
1152486 | Unable to select policy-based IPsec tunnel in the firewall policy for SD-WAN member while configuring in GUI. |
1153363 | Intermittent disruption occurs on ipv6 route lookup when configuring IPsec with FIPS-CC enabled. |
1153984 | Authentication error occurs when IPSEC-IKEv2 tunnel is configured with FortiToken Cloud. |
1162270 | Secondary IPsec tunnel cannot come up after primary tunnel is down and config change when „set monitor” is configured under phase1. |
Log & Report
Bug ID | Description |
---|---|
611460 | On FortiOS, the Log & Report > Forward Traffic page does not completely load the entire log when the log exceeds 200MB. |
1087235 | Only the last 24 hours of the forward traffic log are downloaded when trying to download logs from the last 7 days. |
1100945 | The "Resolve Unknown Applications" feature in the GUI Log Viewer is not functioning as intended. |
1113588 | FortiGate prompts the error "Fetching data from Disk is taking longer than expected. Suggest trying a different log source or check the availability of Disk." when viewing logs for the last 7 days from disk or FortiAnalyzer. |
1116108 | Intra-zone Local logs are missing when intrazone allow is enabled. |
1141436 | FortiGate device enabled with FIPS-CC mode sends an incorrect build number (0523) to FortiGate Cloud. |
1141733 | Traffic interruptions occur when revisiting the forward traffic log page during searches with applied filters. |
1142836 | Broadcast traffic is logged when local-in-deny-broadcast setting is disabled. |
1148101 | Logs fail to appear in FortiAnalyzer, and FortiView sources are missing from the Dashboard on a specific FortiGate model. |
1151300 | Logs are not displayed in FortiGate CLI when using free-style filter with timestamp and FortiAnalyzer as data source. |
Proxy
Bug ID | Description |
---|---|
859182 | WAD encounters an error condition when configuration changes affect certificate verification processes with Crypto KXP enabled. |
1107594 | Slow website loading occurs when using certificate inspection with proxy inspection-mode in HA active-active mode. |
1118701 | Connection issues for Kentik application using http2 gRPC occur with proxy and deep inspection. |
1124557 | An error condition occurs in WAD when wad-restart-mode is set to time and wad-restart-start-time / wad-restart-end-time are configured. |
1141948 | Certificate inspection profiles differ across VDOMs when importing policy packages from FMG, caused by inconsistent default values for unsupported-ssl-version in certificate-inspection profiles between different FOS releases. |
1144571 | TLS handshake fails when Client Hello is split across two packets in proxy-mode, and the packet length is less than 256 bytes. |
1146601 | With proxy inline-ips, a memory leak occurs on the WAD daemon, leading to conserve mode. |
1155170 | Memory usage increases unexpectedly during high load when processing WAD-related tasks. |
1159963 | Expired server certificates are issued when Deep Inspection is enabled due to improper handling of certificate cache renewals. |
Routing
Bug ID | Description |
---|---|
1097939 | Console prints out "/bin/cmdbsvr…node=system.health-check-fortiguard.name" error messages when restoring a config. |
1142290 | An error message appears in FortiGate when attempting to add the ssl.root interface to a route-map via the GUI. |
1142955 | High CPU usage occurs when link monitor daemon fetches session counts on every interface during REST API calls. |
1147497 | Slow performance and network issues occur when browsing the Internet from GRE tunnels. |
1150878 | The IPoE tunnel interface cannot be selected in the Interface Bandwidth widget. |
1152976 | Spokes using remote-as-filter with 4-byte ASN cannot establish BGP neighborship. |
1165424 | The behaviour of the command diagnose ip router bgp <module> <enable | disable> is incorrect. Turning on debugging for one of the modules turns on debugging for all modules. |
1171689 | Incorrect route selection occurs during BGP redistribution with route maps due to improper handling of parent protocol distances. |
SD-WAN
Bug ID | Description |
---|---|
1147720 | Traffic forwards to an unexpected egress interface when duplicate SD-WAN rules exist in the proute list and the priority-zone in the SD-WAN service has only one SD-WAN member. |
1147727 | Encapsulated traffic of a GRE tunnel interface over a VNE tunnel egresses from the wrong interface after reboot. |
1153992 | The event log uses the wrong reason (packet loss over the threshold) when the SLA fails due to consecutive failed probes. |
1159877 | Hash-mode remains visible when SD-WAN service mode is changed to priority. |
Security Fabric
Bug ID | Description |
---|---|
1085248 | FortiGate encounters CPU and memory usage issue when loading 20 large external threat feeds (100K entries each). |
1117104 | Scheduled automation incorrectly triggers reschedule after reboot when using specific time zones and NTP configurations. |
1145138 | Automation stitch fails to shut down a specific port on the secondary FortiGate during HA failover due to incorrect script environment settings. |
1149817 | Security Fabric > Physical Topology: a FortiLink Tier 2 switch shows as directly connected to the FortiGate on the Security Fabric > Physical Topology page. The correct topology can be seen on the WiFi & Switch Controller > Managed FortiSwitches > Topology view. |
1150382 | Security profile names containing two forward slashes (//) cause the webpage to become unresponsive when attempting to edit. |
1166189 | When using the OCI SDN connector, dynamic IP addresses are not fetched correctly if the target compartment contains more than 100 VNICs. |
Switch Controller
Bug ID | Description |
---|---|
961142 | An interface in FortiLink is flapping with an MCLAG FortiSwitch using DAC on an OPSFPP-T-05-PAB transceiver. |
1114032 | The GUI becomes slow or unresponsive when transceiver-related API requests fail. |
1135460 | Health status becomes unknown after renaming a switch in the switch controller on some FortiGate models. |
1137075 | In the WiFi & Switch Controller > Managed FortiSwitches page, the Topology view shows the link between FortiSwitch units with a dotted line instead of a solid line. |
1137213 | FSW/FAP/FEX registration to FortiCloud is failing via FortiGate GUI. |
1138263 | FortiSwitch port configurations fail to update and GUI display issues occur when user-info process overloads system resources with excessive connections. |
1138430 | On Switch controller, increase managed-switch.switch-id to more than 16 characters. |
System
Bug ID | Description |
---|---|
900936 | The fnbamd service may terminate unexpectedly due to erroneous memory handling during certificate authentication, if DNS responses include both IPv4 and IPv6 addresses and one (for example, IPv6) is unreachable. |
908309 | LLDP packets not received on management interface when LLDP is enabled on certain FortiGate models. |
973034 | LACPDU packet drops occur when FortiGate fails to reliably send required packets due to incorrect npu_tc assignment for hi-priority traffic. |
992323, 1056133, 1075607, 1082413, 1084898, 0992323 | Traffic is interrupted when traffic shaping is enabled on 9xG and 12xG models. |
996863 | An automatic firmware update email alert is sent after every reboot of the FortiGate. |
1029459 | sflowd error condition occurs when sflow sampling is enabled without a collector configured. |
1048684 | The FortiGate Internet Service Database (ISDB) update mechanism fails on a 100E FortiGate model due to insufficient memory allocation. |
1057094 | Disabling GRE auto-asic-offload on a FortiGate model causes traffic to be dropped due to unrecognized GRE tunnels, likely because the kernel fails to process them without proper configuration post-disabling. |
1071229 | Ping reply packets are dropped after two successful requests when using VXLAN over IPsec on FortiGate. |
1082891 | FortiGate reboots immediately after changing ull-port-mode to 25G without a confirmation prompt. |
1095801 | Error "Fail to del default npu-vlink setup" is shown when changing the hostname. |
1096384 | Warn user when restoring config from a different firmware version. |
1099770 | NP7 drops encrypted GRE packets that have Checksum bit set (1) due to invalid checksum. |
1107270 | Communication over VXLAN is lost after upgrade on NP7 platform. |
1113436 | Packets are dropped when using auto-asic-offload with 802.1AD over LACP on FortiGate due to missing MAC address assignment on QinQ lag interfaces. |
1114298 | FortiGate Cloud remote login triggers 2 admin login events (1 successful and 1 unsuccessful for PKI admin). |
1117005 | CPU spikes and management access issues occur on certain FortiGate models post-upgrade when IPsec Phase 1 NPU-offload is enabled during maintenance. |
1121522 | Memory leak in slab causes the system to enter memory conserve mode. The issue occurs due to out-of-order log packets and incomplete session scrubbing, resulting in residual entries in the log2host table. |
1121548 | Enabling "device-identification" also collects endpoint information even though an intermediate router exists between the FortiGate and the endpoints. |
1122741 | Two duplicate FGFM sessions could be triggered when connecting to FortiGate Cloud. The first FGFM session that enters in GET_IP state kills the other FGFM session, which schedules an FGFM session restart two minutes later. |
1130803 | Port13-20 speed setting changes to 1000full after FortiGate 10xF reboot. |
1132414 | When connecting port5-14 on 3201F with third-party switches using optical transceivers, the 1gig link is down. |
1133575 | The 100M speed option is not available for wan1 and wan2 interfaces during configuration in certain FortiGate models. |
1137218 | VXLAN traffic uses primary IP address instead of secondary IP address when configured vxlan remote-ip with secondary IP. |
1138155 | DNS (TCP853) fails until idle timeout when link monitor failover occurs in dual internet connection. |
1140755 | When attempting to delete a software switch interface, it becomes permanently hidden due to an unreverted temporary flag. |
1141907 | Unexpected behavior occurs when deleting IPv6 reflect session. |
1142591 | Unexpected behavior occurs when high load IP fragment traffic is sent through an IPsec tunnel with vpn-id-ipip encapsulation and offloading enabled. |
1142782 | GRE tunnel traffic is limited when sessions share same local/remote IPs, causing them to be assigned to single CPU core. |
1142805 | Cannot set source IP for FortiGuard when a non-root VDOM is set. |
1146354 | The network interface settings page fails to load on certain FortiGate models when the admin profile does not have the System > Configuration > Read/Write permission. |
1148843 | Unstable LTE 4G connection occurs when using IPv6. |
1151313 | On NP7 models, gtp tunnel list counters do not increase when restoring a configuration file with "gtp-enhanced-mode enable". |
1152059 | Device information is not detected when device-detection is enabled. |
1152638 | FGT still sends a reset packet when dropping TCP SYN packets with ident-accept enabled on the wwan interface after reboot. |
1153004 | APN profile not updating when configuring Verizon APN. |
1154158 | DHCP issue occurs when configuring hardware switch interface in A-P HA mode. |
1156561 | NP7lite platforms might encounter high softirq issue and stop processing traffic after running for one month. |
1157490 | Temperature is out of range with unreasonably high value. |
1160215 | An error condition occurs in snmpd on FortiGate-VM64-AZURE approximately every 1.5 hours. |
1163814 | Memory usage issues occur when newcli processes are not deleted after their parent sshd process died. |
1167426 | High CPU usage occurs in the linkmtd daemon when large traffic is present. |
1168786 | 100G ports come up after reboot even when administratively down on platforms with a Marvell switch, such as FortiGate 480xF. |
User & Authentication
Bug ID | Description |
---|---|
1118212 | Captive portal authentication fails after FortiToken push notification approval during radius authentication with FAC for remote groups. |
1122979 | Custom NAS-ID not sent to RADIUS server when testing connectivity via GUI. |
1124183 | Guest user sessions persist in the FortiGate authentication list despite manual expiry, enabling continued network access. |
1137727 | Delays in SSH login verification occur on some FortiGate models when hashing passwords, and immediate failure messages are returned for invalid usernames. |
1156903 | CLI authentication test fails when RADIUS server has require-message-authenticator setting disabled. |
VM
Bug ID | Description |
---|---|
1125437 | The „set distance” option under interface configured as DHCP client doesn’t work on VM. |
1146370 | AWS bootstrap is unable to parse IAM role profile properly due to the length. |
1146634 | IfLinkUpDown SNMP trap is not triggered on FGT_VM64_KVM using the virtio driver when an interface is brought up or down. |
1157674 | Incorrect system time occurs when FortiGate-VM64-GCP boots up on GCP. |
WAN Optimization
Bug ID | Description |
---|---|
1160444 | Global config wanopt content-delivery-network-rule is deleted when restoring VDOM config. |
Web Filter
Bug ID | Description |
---|---|
1145481 | URL filter exemption fails when adding regex entries to URL filter if newly added regex entry contains invalid perl style regex. |
1150232 | Threat feed URLs are not blocked since Sandbox block list file version check always fails and aborts loading other types of URL lists, including external-resource category URL list. |
1156789 | Web filter settings category name, block screen category name, and log category name are translated into different Japanese when using web filter profile on FortiGate. |
WiFi Controller
Bug ID | Description |
---|---|
1001211 | Add optional antenna support for K-series models 443K and 243K. |
1018895 | Clients on local-bridging SSIDs appear offline despite having active traffic when acd-process-count is 2, caused by the AP failing to report client IPs to the controller. |
1063976 | Empty SN values occur in AP DTLS session timeout messages. |
1126824 | When WiFi client enables VPN endpoint, VPN traffic cannot pass through NP6Xlite FGT models. |
1131094 | The iPhone 16 fails to connect to a WPA3-SAE SSID on FWF-61F due to incorrect ordering of RSN and RSNXE parameters during the authentication handshake. |
1145326 | In non-root VDOM, device fails to authenticate when MPSK is used with an external RADIUS server. |
1147416 | Samsung S22 cannot connect to a WPA3-SAE SSID from the local radio of FWF-70G. |
1151713 | FortiAPs may go offline when the memory pool of the WiFi daemon cw_acd is fully occupied and not released properly. cw_acd debug constantly shows "ERR: NO MEM for USER_LOCAL_MSG". |
1161023 | Groups of Wi-Fi clients are lost after roaming to a different AP, causing unintended behavior in network policies. |
1174782 | The client fails to authenticate and gets disconnected from the access point when initiating Fast BSS transition (FT) roaming with MAC authentication enabled. |
1177859 | When the FWF local radio is in a non-root VDOM, WiFi users encounter connectivity issues. |
ZTNA
Bug ID | Description |
---|---|
1134649 | WAD cannot re-verify new ems-tag after an ems-tag update for HTTPS access proxy, causing existing sessions to remain active despite matching a deny policy. |
1135441 | CLI error occurs when configuring SAML server in api-gateway with access-proxy6 and vip6 configured. |
1139201 | Internal resources are inaccessible via IP or FQDN when using agentless ZTNA Access proxy-portal with apptype web on FortiGate. |
1159018 | Agentless ZTNA does not work on FG-90G devices. |
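The tables above are only useful once you know which of the hundreds of entries touch your platform, and whether the bug IDs you are waiting on are listed. The following triage helper is an added example written for this article; it is not part of the B&B post or of Fortinet's release notes. It parses the layout reproduced above (a category heading, a `Bug ID | Description |` header, a `---|---|` rule, then one `ID | text |` row per issue, where a description cell may run over several lines and a row may list several bug IDs), flags entries whose description mentions keywords chosen for a deployment, and reports which of a list of bug IDs are listed as fixed. The `SAMPLE` string is a short excerpt of the tables above, embedded so the script runs offline; the keyword list and the bug IDs passed to `find_fixed` are illustrative choices, not values from the page.

```python
"""Triage helper for a FortiOS 'Resolved issues' dump (added example, not vendor code)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# A data row starts with one or more comma-separated bug IDs followed by a pipe.
ROW = re.compile(r"^(\d+(?:\s*,\s*\d+)*)\s*\|\s*(.*)$")

# Constructed excerpt of the tables reproduced in the article (not the full list).
SAMPLE = """\
FortiGate 6000 and 7000 platforms
Bug ID | Description |
---|---|
1014826 | SLBC does not function as expected with IPsec over TCP enabled. |
1171521 | In some cases, after a FortiGate 7000F chassis restart, an FPM may hang while logging in, resulting in the FPM being out of synch with the chassis. This happens because confsynchbd becomes stuck after receiving a management heartbeat from the primary FIM.
The issue can occur any time the chassis restarts, including after a firmware upgrade. |
IPsec VPN
Bug ID | Description |
---|---|
1140823 | IPsec tunnels become stuck on spoke np6xlite, causing ESP packet drops after extended operation due to improper vifid formation during multiple rekey operations. |
1153984 | Authentication error occurs when IPSEC-IKEv2 tunnel is configured with FortiToken Cloud. |
SD-WAN
Bug ID | Description |
---|---|
1147720 | Traffic forwards to the unexpected egress interface when duplicate SD-WAN rules exist in the proute list in the case that priority-zone in sdwan service has only one sdwan member
System
Bug ID | Description |
---|---|
992323, 1056133, 1075607, 1082413, 1084898, 0992323 | Traffic interrupted when traffic shaping is enabled on 9xG and 12xG. |
"""


@dataclass
class Issue:
    category: str
    bug_ids: tuple[str, ...]
    description: str


def _clean(cell: str) -> str:
    """Strip whitespace and a trailing table pipe from a cell fragment."""
    return cell.strip().rstrip("|").strip()


def parse_resolved_issues(text: str) -> list[Issue]:
    """Parse the per-category tables into Issue records.

    A line is a category heading when the next non-empty line is the
    'Bug ID | Description |' header. A line that is neither a heading,
    a header/rule nor an ID row continues the previous row's description
    (some cells in the release notes span two lines).
    """
    lines = [ln.strip() for ln in text.splitlines()]
    issues: list[Issue] = []
    category = ""
    for i, line in enumerate(lines):
        if not line or line.startswith("Bug ID") or line.startswith("---"):
            continue
        nxt = next((ln for ln in lines[i + 1:] if ln), "")
        if nxt.startswith("Bug ID"):
            category = line
            continue
        m = ROW.match(line)
        if m:
            ids = tuple(x.strip() for x in m.group(1).split(","))
            issues.append(Issue(category, ids, _clean(m.group(2))))
        elif issues:
            issues[-1].description += " " + _clean(line)
    return issues


def find_fixed(issues: list[Issue], wanted_ids) -> dict[str, Issue]:
    """Map each wanted bug ID (leading zeros ignored) to the entry listing it as fixed."""
    wanted = {str(w).lstrip("0") for w in wanted_ids}
    fixed: dict[str, Issue] = {}
    for iss in issues:
        for bug_id in iss.bug_ids:
            key = bug_id.lstrip("0")
            if key in wanted:
                fixed[key] = iss
    return fixed


def triage(issues: list[Issue], keywords) -> list[tuple[Issue, tuple[str, ...]]]:
    """Return (issue, matched keywords) for entries mentioning any keyword, case-insensitively."""
    hits = []
    for iss in issues:
        low = iss.description.lower()
        matched = tuple(k for k in keywords if k.lower() in low)
        if matched:
            hits.append((iss, matched))
    return hits


if __name__ == "__main__":
    found = parse_resolved_issues(SAMPLE)
    # Illustrative keywords for an NP6xlite/NP7 SD-WAN estate using FortiToken Cloud.
    for iss, kws in triage(found, ("NP7", "np6xlite", "FortiToken Cloud", "SD-WAN")):
        print(f"[{iss.category}] {', '.join(iss.bug_ids)} {kws}: {iss.description[:60]}...")
    # Illustrative IDs one might be tracking from support cases.
    for key, iss in find_fixed(found, ["1153984", "0992323", "1234567"]).items():
        print(f"fixed in this build: {key} -> {iss.category}")
```

In practice, paste the whole "Resolved issues" section into a file and pass its contents to `parse_resolved_issues`. The ID comparison strips leading zeros because the release notes list the same bug both as 992323 and as 0992323, and a heading is recognised by the header line that follows it rather than by its wording, so rows that lack a trailing pipe (as some SD-WAN rows above do) do not swallow the next category.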
Vendor notes: FortiOS 7.6.4 Release Notes
Regards,
The B&B team
Bezpieczeństwo w biznesie