Jump to content
  • SeedTheNet
  • FortiOS 7.0.13 Resolved Issues


    SeedTheNet

    Resolved issues

    The following issues have been fixed in version 7.0.13. To inquire about a particular bug, please contact Customer Service & Support.

    Anti Spam

    Bug ID

    Description

    877613

    Mark as Reject can be still chosen as an Action in an Anti-Spam Block/Allow List in the GUI.

    Anti Virus

    Bug ID

    Description

    911332

    When UTM status is enabled and the AV profile has no configuration, all SLL traffic is dropped and there is no WAD output.

    923883

    The FortiGate may display an error log in the crash log due to AV delta update. In case of failure, a full successful AV update is done.

    Application Control

    Bug ID

    Description

    939565

    can not query meta rules list seen on graceful/non-graceful upgrade.

    DNS Filter

    Bug ID

    Description

    931998

    DNS filter flow external domain AAAA query can still check the default category but not the remote category.

    Endpoint Control

    Bug ID

    Description

    897048

    FortiOS should support EMS 7.2.1 auth API status code changes.

    913324

    GUI repeated calls to the EMS API, which can cause EMS to not authorize the FortiGate correctly.

    Explicit Proxy

    Bug ID

    Description

    817582

    When there are many users authenticated by an explicit proxy policy, the Firewall Users widget can take a long time to load. This issue does not impact explicit proxy functionality.

    859693

    Sessions between the explicit proxy and server stay in SYN_SENT state when using IP pools in the explicit proxy policy for source NAT, even though the sessions have established. Traffic is not impacted.

    863665

    Denied explicit proxy keeps using the Fortinet_CA_SSL default certificate, even if the configured certificate is different.

    889300

    Wrong source IP address used for packets through explicit proxy routed to a member of SD-WAN interface.

    923302

    Cannot send picture through web explicit proxy.

    Firewall

    Bug ID

    Description

    719311

    On the Policy & Objects > Firewall Policy page in 6.4.0 onwards, the IPv4 and IPv6 policy tables are combined but the custom section name (global label) is not automatically checked for duplicates. If there is a duplicate custom section name, the policy list may show empty for that section. This is a display issue only and does not impact policy traffic.

    752267

    Load Balance Monitor detects a server in standby mode as being down.

    848058

    NPD failed to parse zone in the source interface of a DoS/ACL policy and failed to offload.

    851212

    After traffic flow changes to FGSP peer from owner, iprope information for synchronized sessions does not update on the peer side.

    861981

    Traffic drops between two back-to-back EMAC VLAN interfaces.

    879225

    Egress interface cannot be intermittently matched for Wake-on-LAN (broadcast) packets.

    879705

    Traffic issues occur with virtual servers after upgrading.

    884908

    Implicit deny policy is allowing "icmp/0/0" traffic.

    895946

    Access to some websites fails after upgrading to FortiOS 7.2.3 when the firewall policy is in flow-based inspection mode.

    897849

    Firewall Policy list may show empty sequence grouping sections if multiple policies are sharing the same global-label.

    912089

    Optimize CPU usage caused by a rare error condition which leads to no data being sent to the collector.

    914939

    UDP fragments dropped due to DF being set. Only the set honor-df global option.

    926029

    New sessions are created and evaluated after a certain number of UDP packets, even if set block-session-timer 300 is set.

    951373

    Traffic shaping is not matching the correct queue for outbound traffic.

    FortiView

    Bug ID

    Description

    894957

    On FortiView Websites, the real time view is always empty if disk logging is disabled.

    GUI

    Bug ID

    Description

    863126

    In an environment where the Security Fabric is enabled and there are more than 100 firewall object conflicts between the root and downstream FortiGates, the Firewall Object Synchronization pane does not list the details.

    892207

    Unable to authorize a newly discovered FortiAP from the WiFi Controller > Managed FortiAPs page.

    893560

    When private data encryption is enabled, the GUI may become unresponsive and HA may fail to synchronize the configuration.

    907041

    Network > SD-WAN > SD-WAN Zones and SD-WAN Rules pages do not load if a shortcut tunnel is triggered.

    916236

    GUI policy table cannot display sequence grouping section titles correctly if they are duplicated in the global label.

    919390

    Disabling gui-wireless-controller on the root VDOM impacts other VDOMs (unable to add or show WiFi widgets on first load).

    943949

    When editing an interface description in GUI, the following characters are not allowed: <, >, (, ), #, ', and ".

    946878

    FortiGate HA management interface in the GUI not allowing multiple route entries, but the CLI does allow them.

    HA

    Bug ID

    Description

    703614

    HA secondary synchronization fails and keeps rebooting when the primary has a split port configuration.

    771316

    Platforms in an HA environment get stuck in a reboot loop while attempting to synchronize configurations that differ in split ports.

    805663

    After upgrading, rebooting the primary in HA (A-A) results in unusually high bandwidth utilization on redundant interfaces.

    818432

    When private data encryption is enabled, all passwords present in the configuration fail to load and may cause HA failures.

    838571

    After an HA split-brain event, the PPPoE interfaces are not recovered.

    870312

    On a FortiGate HA cluster, both primary and secondary units are displayed as the Primary on the GUI top banner, and as Current HA mode in the CLI.

    875984

    FortiGate is going to out-of-sync after changing parameters of VDOM link interfaces.

    881337

    Adding a VLAN interface on any VDOM causes BGP flapping and VIP connectivity issues on VDOMs in vcluster2.

    893041

    Cannot access out-of-band IPv6 address on HA secondary unit.

    897865

    When NP7 platforms enable the GTP enhanced mode it does not use uninterruptible upgrade.

    902945

    Lost management connectivity to the standby node via in-band management.

    904318

    FortiGate sent ARP request with loopback IP address as the source address.

    912665

    FGCP primary-secondary cluster only uses one session-sync-dev, in spite of having multiple session-sync-dev.

    916216

    When adding a new interface, some other interfaces have the wrong virtual MAC address.

    920233

    The System > HA page is missing from the GUI on 5K models.

    931724

    HA events not synchronizing between members, leading to unexpected HA status.

    950868

    Traffic is not forwarded on L2 peer to keep FGSP with an available L2 connection.

    953167

    Access to console and SSH is lost due to a specific configuration.

    Hyperscale

    Bug ID

    Description

    915796

    With an enabled hyperscale license, in some cases with exception traffic (like ICMP error traverse), the FortiGate may experience unexpected disruptions when handling the exception traffic.

    924196

    Device is rebooting randomly when driver processes exception packets.

    ICAP

    Bug ID

    Description

    884339

    When the algo process starts up, it attempts to build an ICAP profile without allocating memory beforehand.

    Intrusion Prevention

    Bug ID

    Description

    823583

    Failover on clustered web application using keepalived daemon does not work seamlessly.

    842523

    IPv6 with hardware offloading and IPS drops traffic (msg="anti-replay check fails, drop).

    860315

    Unexpected behavior in IPS engine when executing diagnose test application ipsmonitor 44.

    862830

    [?Q?ci_" sekret=] causes the parser to create a new field, "sekret=".

    873975

    Source MAC changes and the packet drops due to both sides of the session using the same source MAC address.

    882593

    HTTPS traffic slows when IPS with NTurbo is used over a virtual wire pair.

    892302

    Constant reloading of the external domain table is causing high CPU due to lock contention when reloading the table.

    926639

    Constant reloading of the shared memory external domain table is causing high CPU usage due to lock contention when reloading the table.

    952270

    IPS logs for VIP traffic shows external IP as a destination for some signatures.

    IPsec VPN

    Bug ID

    Description

    766750

    FortiGate does not accept secondary tunnel IP address in the same subnet as the primary tunnel.

    812229

    ASCII-encoded byte code of remote gateway IP is displayed in the GUI and CLI when a VPN tunnel is formed using IKEv1 or v2 if the peer-id is not configured.

    872769

    Proxy ARP stops working for a client connected to a dialup IPsec when the previous VPN was established and is deleted.

    885333

    Forwarded broadcast traffic on ADVPN shortcut tunnel interface dropped.

    887800

    In an L2TP configuration, set enforce-ipsec enable is not working as expected after upgrading.

    920725

    IPsec tunnels that have external DHCP services for IP assignment have an extra selector added after upgrading to 7.0.11.

    922064

    Firewall becoming unresponsive to DPD/IKE messages, causing IPsec VPNs to drop.

    926048

    Traffic through a shortcut got dropped after an HA failover.

    928774

    IPsec VPN connection should allow % in FortiClient Connect REG_PASSWD field.

    932112

    EAP in IKEv2 dialup IPsec connection does not work with two firewall polices, each using both the IKEv2 interface and user group.

    949086

    Policy route is not matching ESP traffic.

    954614

    IPsec phase 2 negotiation fails with failed to create dialup instance, error 22 error message.

    Log & Report

    Bug ID

    Description

    831441

    The forward traffic log show exabytes of data being sent and received from external to external IP addresses in multiple VDOMs.

    860822

    When viewing logs on the Log & Report > System Events page, filtering by domain\username does not display matching entries.

    879228

    FortiAnalyzer override settings are not taking effect when ha-direct is enabled.

    893199

    The FortiGate does not generate deallocate/allocate logs of the first IP pool when the first IP pool has been exhausted.

    902797

    IPS alert email not being sent when IPS attack event has triggered.

    908856

    Traffic log can show exabytes of data sent and received when generating log task is triggered from userspace.

    932537

    If Security Rating is enabled to run on schedule (every 4 hours), the FortiGate can unintentionally send local-out traffic to fortianalyzer.forticloud.com during the Security Rating run.

    Proxy

    Bug ID

    Description

    783549, 902613, 921247

    An error condition occurs in WAD caused by multiple outstanding requests sent from client to server with UTM enabled.

    785927

    Unexpected behavior in WAD when multiple DHCP servers are configured.

    820096

    CPU usage issue in proxyd caused by the absence of TCP teardown.

    863132

    Proxy mode inspection is slow when testing a single TCP stream from fast.com, which causes bandwidth slowness on FG-100F and FG-200F devices.

    882182

    Unexpected behavior in WAD due to the activation of firewall protocol options, with both client and server comfort features enabled.

    897347

    Memory usage issue caused by the WAD user info process while authenticating the LDAP users.

    912116

    Website (li***.cz) is not working in proxy inspection mode with deep inspection and web filter applied.

    REST API

    Bug ID

    Description

    892237

    Updating the HA monitor interface using the REST API PUT request fails and returns a -37 error.

    903908

    The forticron application crashes when restoring a VDOM configuration.

    948356

    An error condition occurs in HTTPSD when a REST API request is sent with invalid parameters.

    Routing

    Bug ID

    Description

    775752

    link-down-failover does not bring the BGP peering down.

    779330

    The SD-WAN service with load-balance mode is disabled, even though there is still a member alive in the service rule.

    827565

    Using set load-balance-mode weight-based in SD-WAN implicit rule does not take effect occasionally.

    839669

    Static route through an IPsec interface is not removed after the BFD neighbor goes down.

    858248

    OSPF summary address for route redistribution from static route via IPsec VPN always persists.

    875668

    SD-WAN SLA log information has incorrect inbound and outbound bandwidth values.

    900941

    config redistribute routing subsections cannot be configured when in workspace mode.

    906896

    Make OSPFv3 update the translator role and translated Type-5 LSA when the ASBR table is updated.

    922491

    Static routes are installed on hub FortiGate with add-route disabled in ADVPN scenario.

    924940

    When there are a lot of policies (several thousands), the interface member selection for the SD-WAN Zone dialog may take up to a minute to load.

    928152

    FortiGate generates two OSPF stub entries for the same prefix after upgrading from 6.4 to 7.0.

    Security Fabric

    Bug ID

    Description

    851656

    Sessions with csf_syncd_log flag in a Security Fabric are not logged.

    912592

    Allow comments and IP addresses to be on the same line for external IP address threat feeds.

    912917

    Send Fabric API calls with pagination filter.

    917024

    Unexpected behavior in Security Fabric daemon (CSFD) caused by triggering HA failover while using Security Fabric.

    920391

    Non-management VDOM is not allowed to set a source-ip for config system external-resource.

    922896

    Azure SDN connector always uses HA management port for DNS resolve. This might not work on premises where the HA management port does not have a public IP address assigned.

    SSL VPN

    Bug ID

    Description

    631809

    Configuring thousands of mac-addr-check-rule in portal makes the CPU spike significantly if several hundreds of users are connecting to the FortiGate, thus causing SSL VPN packet drops.

    843756

    Customer bookmark (*.tr***.pt) is not accessible when using SSL VPN web mode.

    859088

    FortiGate adds extra parenthesis and causes clicking all links to fail in SSL VPN web mode.

    871229

    SSL VPN web mode does not load when connecting to customer's internal site.

    873516

    FortiGate misses the closing parenthesis when running the function to rewrite the URL.

    875167

    Webpage opened in SSL VPN web portal is not displayed correctly.

    881220

    Found bad login for SSL VPN web-based access when enabling URL obscuration.

    881268

    Disconnecting from SSL VPN using the SSL-VPN widget does not disconnect the SSL VPN tunnel.

    884869

    Web mode bookmark showing blank page due to JS rewrite.

    885978

    Some buttons in URL are not working in SSL VPN web mode.

    886989

    SSL VPN process reaches 99% CPU usage when HTTP back-end server resets the connection in the middle of a post request.

    887345

    When a user needs to enter credentials through a pop-up window, the key events for modification key detected by SDL were ignored.

    887674

    FortiGate will intermittently stop accepting new SSL VPN connections across all VDOMs.

    897385

    Internal website keeps asking for credential with SSL VPN web mode.

    897665

    The external DHCP server is not receiving hostnames in SSL VPN and DHCP relay.

    904919

    DHCP option 12 hostname needed for SSL VPN with external DHCP servers.

    927475

    SSL VPN tunnel down log message not generated when an IP address is disassociated before the old tunnel times out.

    933985

    FortiGate as SSL VPN client does not work on NP6 and NP6XLite devices.

    950157

    SS LVPN connected/disconnected endpoint event log can be in the wrong sequence.

    952860

    During a handshake when FortiClient sends a larger-than-MTU hello message, the packet is fragmented by IP layer and dropped by the FortiGate.

    Switch Controller

    Bug ID

    Description

    890912

    FortiLink VLAN interface should be renamed from default to _default after upgrading to 7.0.10.

    893405

    One discovery one transmit buffer was allocated and was not released on connection terminations.

    894735

    Unable to configure more than one NAC policy using the same EMS tag for different FortiSwitch groups.

    911232

    Security rating shows an incorrect warning for unregistered FortiSwitches on the WiFi & Switch Controller > Managed FortiSwitches.

    920231

    FortiGate loses QoS ip-dscp-map configuration after reboot.

    936081

    The vlan-optimization {enable | disable} and vlan-all-mode all configuration options disappear after upgrade or reboot.

    System

    Bug ID

    Description

    708964

    CPU usage issue is observed caused by reloading the system when the system has cfg-save set to revert.

    713951

    Not all ports are coming up after an LAG bounce on 8 × 10 GB LAG with ASR9K. Affected platforms: FG-3960E and FG-3980E.

    724085

    Traffic passing through an EMAC VLAN interface when the parent interface is in another VDOM is blocked if NP7 offloading is enabled.

    729912

    DNS proxy does not transfer the DNS query for IPv6 neighbor discovery (ND) when client devices are using random MAC addresses, so one device can configure many IPv6 addresses.

    822297

    Polling fgfwpolid returns disabled policies.

    828129

    A disabled EMAC VLAN interface is replying to a ping.

    832154

    The cmdbsvr process may crash when there are many addresses and address groups that include each other recursively.

    842159

    FortiGate 200F interfaces stop passing traffic after some time.

    855573

    False alarm of the PSU2 occurs with only one installed.

    859393

    SNMP poll for fgExplicitProxyRequests returns 0.

    862519

    FortiGate 40F-3G4G WWAN connection unstable on Verizon Carrier.

    866437

    CPU usage issue caused by the new Linux kernel.

    867663

    The FEC configuration under the interface is not respected when port23 and port24 are members of an LACP and the connection is 100G. Affected platforms: FGT-340xE, FGT-360xE.

    869044

    If the original packet was forwarded with NAT, generated ICMP error is routed back to SNAT'ed address.

    873805

    CPSS usage goes to 99% and causes initiation issues when traffic is flowing upon boot. Affected platforms: FG-40xF, FG-60xF, FG-300xF.

    874292

    ssh-rsa should be disabled under the SSH server_host_key_algorithm.

    876853

    No output of execute sensor list is displayed after rebooting.

    879769

    If the firewall session is in check-new mode, FortiOS will not flush its NPU offload entry when there is a MAC address update of its gateway.

    882187

    FortiGate enters conserve mode in a few hours after enabling UTM on the policies.

    884023

    When a user is logged in as a VDOM administrator with restricted access and tries to upload a certificate (System > Certificates), the Create button on the Create Certificate pane is greyed out.

    885823

    Sensor showing temperature of 0.00 Celsius.

    891165

    Auto-script causes FortiGate to repeat commands.

    892274

    Daylight saving time is not applied for Cairo time zone.

    892478

    Interface release from cmdb and iprope keep updating when DHCP client renewal fails.

    894202

    Incorrect temperature calculation appears in sensor list on FG-8xF, FWF-8xF, FG-9xE, FG-10xE, FG-20xE, and FG-14xE.

    894884

    FSTR session ticket zero causes a memory leak.

    903362

    SNMP OID, fgFwPolLastUsed (1.3.6.1.4.1.12356.101.5.1.2.1.1.4), does not show the correct information about the last time a specific policy was used.

    903397

    After upgrading to 7.0.11, FortiOS cannot display QSFP+ transceiver information. Affected platforms: FG-110xE, FG-220xE, FG-330xE, FG-340xE, and FG-360xE.

    904414

    Port speed 1000auto could not link up with a Cisco switch.

    904486

    The FortiGate may display a false alarm message and subsequently initiate a reboot.

    907339

    dnsproxy process aborts due to stack buffer overflow being detected upon function return.

    910269

    Unexpected behavior caused by the Linux Out of Memory (OOM) killer when memory is very low.

    910273

    Last reboot reason: power cycle after rebooting due to a kernel panic is misleading.

    910616

    When a non-zero DSCP copied from ingress to egress packet for NAT64, the IP checksum is calculated incorrectly.

    910651

    All members are up on an FG-600F, but the LACP status is showing as down after upgrading.

    910677

    Transparent mode FortiGate does not reply to SYN ACK when communicating with FortiManager.

    920085

    CPU usage issue observed in dnsproxyd caused by unused wildcard FQDN.

    922965

    CPU usage issue observed in hasync daemon when session count is large.

    922982

    FortiGate does not respond to ARP requests for the IP address on the WAN port when the interface is configured as EMAC.

    923364

    System goes into halt state with Error: Package validation failed... message in cases where there are no engine files in the FortiGate when the BIOS security level is set to 2.

    924395

    IPv6 local-in ping6 to management interface failed when newly configured.

    925657

    After a manual system administrator password change, the updated password-expire is not received by the FortiManager auto-update.

    926035

    On D-series FortiGates, a false alarm during system integrity check failure causes the firewall to reboot.

    926817

    Review the temperature sensor for the SoC4 system.

    929821

    An error condition occurred in httpsd and newcli when trying to generate a TAC report from the GUI and CLI, respectively.

    939411

    Multiple spawns of Hotplug process consuming high CPU resources.

    940571

    Memory usage issue caused by excessive log files.

    942502

    Kernel panic occurs when creating EMAC VLAN interfaces based on an aggregate interface with new kernel 4.1.9.

    945871

    DNAT does not work on software switch in explicit mode.

    Upgrade

    Bug ID

    Description

    920223

    System hangs after upgrade with the following error at bootup: cli 141 die in an exception in line 4495: Hrp.

    939011

    All transparent VDOMs cannot synchronize because of switch-controller.auto-config.policy.

    User & Authentication

    Bug ID

    Description

    790884

    The FortiGate will not send a MAC-based authentication RADIUS authentication request for one of the devices on the network.

    794477

    When a user's membership in AD or port range is changed, all of the user sessions are cleared.

    850473

    SSL VPN and firewall authentication SAML does not work when the application requires SHA-256.

    858877

    Dynamic address only has 100 IP addresses while FSSO group lists all 56K ACI endpoints.

    868994

    FortiGate receives FSSO user in the format of HOSTNAME$.

    883006

    Adding a new group membership to an FSSO user terminates all the user's open sessions.

    899852

    FortiGate is sending Class(25) AVP with wrong length in RADIUS accounting when using 2FA with PUSH or external tokens.

    901743

    An error condition occurs during the processing of the UDP packets when device identification is activated on an interface.

    943087

    Guest management users no longer view the password automatically generated by the firewall.

    VM

    Bug ID

    Description

    901920

    AWS external account list supports regional endpoints.

    913696

    In the periodic status check of the OCI VM status, too many API calls caused a lot of 429 errors.

    921168

    Restore operation overwrite passive configuration in AZURE A-P deployment based on SDN connector.

    927323

    Event log alert Write Permission Violation to read-only file on VMware after taking snapshot.

    932085

    In an Azure cluster, the NTP source-ip6 (IPv6) is synchronized while the source-ip (IPv4) is not.

    950899

    Azure FortiGate keeps rebooting after upgrading to 7.0.11, and the device enters kernel panic.

    VoIP

    Bug ID

    Description

    887384

    SIP session is dropped by ALG with media type doesn't match message.

    Web Filter

    Bug ID

    Description

    829704

    Web filter is not logging all URLs properly.

    878442

    FortiGuard block page image (logo) is missing when the Fortinet-Other ISDB is used.

    916140

    An error condition occurs in WAD caused by the mismatch between the SNI host and CNAME.

    941045

    Local rating chooses the wrong category if the URL path falsely matches to a longer local rating URL.

    WiFi Controller

    Bug ID

    Description

    875382

    When accessing the managed FortiAP/Switch view with a large number of devices in the topology, the page takes a long time to load.

    904349

    Unable to create FortiAP profile in the GUI for dual-5G mode FortiAP U231F/U431F models.

    Workaround: use the CLI to update the profile to dual-5G mode.

    905406

    In auth-logon and auth-logout logs, Wi-Fi users with random public IP addresses are observed.

    926999

    EAP proxy daemon crashed with signal 11 and keeps reloading after receiving an empty username.

    ZTNA

    Bug ID

    Description

    888814

    Unable to match first group attribute from SAML assertion for ZTNA rule.

    889994

    After client device information is updated, the session is closed even though all information from the session still matches the policy.

    923804

    ZTNA logs are showing the log message Denied: failed to match a proxy-policy when client device information matches the policy.

    Common Vulnerabilities and Exposures

    Visit https://fortiguard.com/psirt for more information.

    Bug ID

    CVE references

    875854

    FortiOS 7.0.13 is no longer vulnerable to the following CVE Reference:

    • CVE-2023-28001

    911617

    FortiOS 7.0.13 is no longer vulnerable to the following CVE Reference:

    • CVE-2023-37935

    User Feedback

    Recommended Comments

    There are no comments to display.



    Create an account or sign in to comment

    You need to be a member in order to leave a comment

    Create an account

    Sign up for a new account in our community. It's easy!

    Register a new account

    Sign in

    Already have an account? Sign in here.

    Sign In Now

  • Member Statistics

    40
    Total Members
    60
    Most Online
    fluoxetine cost
    Newest Member
    fluoxetine cost
    Joined


×
×
  • Create New...

Important Information

Privacy Policy