877613

Mark as Reject can be still chosen as an Action in an Anti-Spam Block/Allow List in the GUI.

911332

When UTM status is enabled and the AV profile has no configuration, all SLL traffic is dropped and there is no WAD output.

923883

The FortiGate may display an error log in the crash log due to AV delta update. In case of failure, a full successful AV update is done.

939565

can not query meta rules list seen on graceful/non-graceful upgrade.

931998

DNS filter flow external domain AAAA query can still check the default category but not the remote category.

897048

FortiOS should support EMS 7.2.1 auth API status code changes.

913324

GUI repeated calls to the EMS API, which can cause EMS to not authorize the FortiGate correctly.

817582

When there are many users authenticated by an explicit proxy policy, the Firewall Users widget can take a long time to load. This issue does not impact explicit proxy functionality.

859693

Sessions between the explicit proxy and server stay in SYN_SENT state when using IP pools in the explicit proxy policy for source NAT, even though the sessions have established. Traffic is not impacted.

863665

Denied explicit proxy keeps using the Fortinet_CA_SSL default certificate, even if the configured certificate is different.

889300

Wrong source IP address used for packets through explicit proxy routed to a member of SD-WAN interface.

923302

Cannot send picture through web explicit proxy.

719311

On the Policy & Objects > Firewall Policy page in 6.4.0 onwards, the IPv4 and IPv6 policy tables are combined but the custom section name (global label) is not automatically checked for duplicates. If there is a duplicate custom section name, the policy list may show empty for that section. This is a display issue only and does not impact policy traffic.

752267

Load Balance Monitor detects a server in standby mode as being down.

848058

NPD failed to parse zone in the source interface of a DoS/ACL policy and failed to offload.

851212

After traffic flow changes to FGSP peer from owner, iprope information for synchronized sessions does not update on the peer side.

861981

Traffic drops between two back-to-back EMAC VLAN interfaces.

879225

Egress interface cannot be intermittently matched for Wake-on-LAN (broadcast) packets.

879705

Traffic issues occur with virtual servers after upgrading.

884908

Implicit deny policy is allowing "icmp/0/0" traffic.

895946

Access to some websites fails after upgrading to FortiOS 7.2.3 when the firewall policy is in flow-based inspection mode.

897849

Firewall Policy list may show empty sequence grouping sections if multiple policies are sharing the same global-label.

912089

Optimize CPU usage caused by a rare error condition which leads to no data being sent to the collector.

914939

UDP fragments dropped due to DF being set. Only the set honor-df global option.

926029

New sessions are created and evaluated after a certain number of UDP packets, even if set block-session-timer 300 is set.

951373

Traffic shaping is not matching the correct queue for outbound traffic.

894957

On FortiView Websites, the real time view is always empty if disk logging is disabled.

863126

In an environment where the Security Fabric is enabled and there are more than 100 firewall object conflicts between the root and downstream FortiGates, the Firewall Object Synchronization pane does not list the details.

892207

Unable to authorize a newly discovered FortiAP from the WiFi Controller > Managed FortiAPs page.

893560

When private data encryption is enabled, the GUI may become unresponsive and HA may fail to synchronize the configuration.

907041

Network > SD-WAN > SD-WAN Zones and SD-WAN Rules pages do not load if a shortcut tunnel is triggered.

916236

GUI policy table cannot display sequence grouping section titles correctly if they are duplicated in the global label.

919390

Disabling gui-wireless-controller on the root VDOM impacts other VDOMs (unable to add or show WiFi widgets on first load).

943949

When editing an interface description in GUI, the following characters are not allowed: <, >, (, ), #, ', and ".

946878

FortiGate HA management interface in the GUI not allowing multiple route entries, but the CLI does allow them.

703614

HA secondary synchronization fails and keeps rebooting when the primary has a split port configuration.

771316

Platforms in an HA environment get stuck in a reboot loop while attempting to synchronize configurations that differ in split ports.

805663

After upgrading, rebooting the primary in HA (A-A) results in unusually high bandwidth utilization on redundant interfaces.

818432

When private data encryption is enabled, all passwords present in the configuration fail to load and may cause HA failures.

838571

After an HA split-brain event, the PPPoE interfaces are not recovered.

870312

On a FortiGate HA cluster, both primary and secondary units are displayed as the Primary on the GUI top banner, and as Current HA mode in the CLI.

875984

FortiGate is going to out-of-sync after changing parameters of VDOM link interfaces.

881337

Adding a VLAN interface on any VDOM causes BGP flapping and VIP connectivity issues on VDOMs in vcluster2.

893041

Cannot access out-of-band IPv6 address on HA secondary unit.

897865

When NP7 platforms enable the GTP enhanced mode it does not use uninterruptible upgrade.

902945

Lost management connectivity to the standby node via in-band management.

904318

FortiGate sent ARP request with loopback IP address as the source address.

912665

FGCP primary-secondary cluster only uses one session-sync-dev, in spite of having multiple session-sync-dev.

916216

When adding a new interface, some other interfaces have the wrong virtual MAC address.

920233

The System > HA page is missing from the GUI on 5K models.

931724

HA events not synchronizing between members, leading to unexpected HA status.

950868

Traffic is not forwarded on L2 peer to keep FGSP with an available L2 connection.

953167

Access to console and SSH is lost due to a specific configuration.

915796

With an enabled hyperscale license, in some cases with exception traffic (like ICMP error traverse), the FortiGate may experience unexpected disruptions when handling the exception traffic.

924196

Device is rebooting randomly when driver processes exception packets.

884339

When the algo process starts up, it attempts to build an ICAP profile without allocating memory beforehand.

823583

Failover on clustered web application using keepalived daemon does not work seamlessly.

842523

IPv6 with hardware offloading and IPS drops traffic (msg="anti-replay check fails, drop).

860315

Unexpected behavior in IPS engine when executing diagnose test application ipsmonitor 44.

862830

[?Q?ci_" sekret=] causes the parser to create a new field, "sekret=".

873975

Source MAC changes and the packet drops due to both sides of the session using the same source MAC address.

882593

HTTPS traffic slows when IPS with NTurbo is used over a virtual wire pair.

892302

Constant reloading of the external domain table is causing high CPU due to lock contention when reloading the table.

926639

Constant reloading of the shared memory external domain table is causing high CPU usage due to lock contention when reloading the table.

952270

IPS logs for VIP traffic shows external IP as a destination for some signatures.

766750

FortiGate does not accept secondary tunnel IP address in the same subnet as the primary tunnel.

812229

ASCII-encoded byte code of remote gateway IP is displayed in the GUI and CLI when a VPN tunnel is formed using IKEv1 or v2 if the peer-id is not configured.

872769

Proxy ARP stops working for a client connected to a dialup IPsec when the previous VPN was established and is deleted.

885333

Forwarded broadcast traffic on ADVPN shortcut tunnel interface dropped.

887800

In an L2TP configuration, set enforce-ipsec enable is not working as expected after upgrading.

920725

IPsec tunnels that have external DHCP services for IP assignment have an extra selector added after upgrading to 7.0.11.

922064

Firewall becoming unresponsive to DPD/IKE messages, causing IPsec VPNs to drop.

926048

Traffic through a shortcut got dropped after an HA failover.

928774

IPsec VPN connection should allow % in FortiClient Connect REG_PASSWD field.

932112

EAP in IKEv2 dialup IPsec connection does not work with two firewall polices, each using both the IKEv2 interface and user group.

949086

Policy route is not matching ESP traffic.

954614

IPsec phase 2 negotiation fails with failed to create dialup instance, error 22 error message.

831441

The forward traffic log show exabytes of data being sent and received from external to external IP addresses in multiple VDOMs.

860822

When viewing logs on the Log & Report > System Events page, filtering by domain\username does not display matching entries.

879228

FortiAnalyzer override settings are not taking effect when ha-direct is enabled.

893199

The FortiGate does not generate deallocate/allocate logs of the first IP pool when the first IP pool has been exhausted.

902797

IPS alert email not being sent when IPS attack event has triggered.

908856

Traffic log can show exabytes of data sent and received when generating log task is triggered from userspace.

932537

If Security Rating is enabled to run on schedule (every 4 hours), the FortiGate can unintentionally send local-out traffic to fortianalyzer.forticloud.com during the Security Rating run.

783549, 902613, 921247

An error condition occurs in WAD caused by multiple outstanding requests sent from client to server with UTM enabled.

785927

Unexpected behavior in WAD when multiple DHCP servers are configured.

820096

CPU usage issue in proxyd caused by the absence of TCP teardown.

863132

Proxy mode inspection is slow when testing a single TCP stream from fast.com, which causes bandwidth slowness on FG-100F and FG-200F devices.

882182

Unexpected behavior in WAD due to the activation of firewall protocol options, with both client and server comfort features enabled.

897347

Memory usage issue caused by the WAD user info process while authenticating the LDAP users.

912116

Website (li***.cz) is not working in proxy inspection mode with deep inspection and web filter applied.

892237

Updating the HA monitor interface using the REST API PUT request fails and returns a -37 error.

903908

The forticron application crashes when restoring a VDOM configuration.

948356

An error condition occurs in HTTPSD when a REST API request is sent with invalid parameters.

775752

link-down-failover does not bring the BGP peering down.

779330

The SD-WAN service with load-balance mode is disabled, even though there is still a member alive in the service rule.

827565

Using set load-balance-mode weight-based in SD-WAN implicit rule does not take effect occasionally.

839669

Static route through an IPsec interface is not removed after the BFD neighbor goes down.

858248

OSPF summary address for route redistribution from static route via IPsec VPN always persists.

875668

SD-WAN SLA log information has incorrect inbound and outbound bandwidth values.

900941

config redistribute routing subsections cannot be configured when in workspace mode.

906896

Make OSPFv3 update the translator role and translated Type-5 LSA when the ASBR table is updated.

922491

Static routes are installed on hub FortiGate with add-route disabled in ADVPN scenario.

924940

When there are a lot of policies (several thousands), the interface member selection for the SD-WAN Zone dialog may take up to a minute to load.

928152

FortiGate generates two OSPF stub entries for the same prefix after upgrading from 6.4 to 7.0.

851656

Sessions with csf_syncd_log flag in a Security Fabric are not logged.

912592

Allow comments and IP addresses to be on the same line for external IP address threat feeds.

912917

Send Fabric API calls with pagination filter.

917024

Unexpected behavior in Security Fabric daemon (CSFD) caused by triggering HA failover while using Security Fabric.

920391

Non-management VDOM is not allowed to set a source-ip for config system external-resource.

922896

Azure SDN connector always uses HA management port for DNS resolve. This might not work on premises where the HA management port does not have a public IP address assigned.

631809

Configuring thousands of mac-addr-check-rule in portal makes the CPU spike significantly if several hundreds of users are connecting to the FortiGate, thus causing SSL VPN packet drops.

843756

Customer bookmark (*.tr***.pt) is not accessible when using SSL VPN web mode.

859088

FortiGate adds extra parenthesis and causes clicking all links to fail in SSL VPN web mode.

871229

SSL VPN web mode does not load when connecting to customer's internal site.

873516

FortiGate misses the closing parenthesis when running the function to rewrite the URL.

875167

Webpage opened in SSL VPN web portal is not displayed correctly.

881220

Found bad login for SSL VPN web-based access when enabling URL obscuration.

881268

Disconnecting from SSL VPN using the SSL-VPN widget does not disconnect the SSL VPN tunnel.

884869

Web mode bookmark showing blank page due to JS rewrite.

885978

Some buttons in URL are not working in SSL VPN web mode.

886989

SSL VPN process reaches 99% CPU usage when HTTP back-end server resets the connection in the middle of a post request.

887345

When a user needs to enter credentials through a pop-up window, the key events for modification key detected by SDL were ignored.

887674

FortiGate will intermittently stop accepting new SSL VPN connections across all VDOMs.

897385

Internal website keeps asking for credential with SSL VPN web mode.

897665

The external DHCP server is not receiving hostnames in SSL VPN and DHCP relay.

904919

DHCP option 12 hostname needed for SSL VPN with external DHCP servers.

927475

SSL VPN tunnel down log message not generated when an IP address is disassociated before the old tunnel times out.

933985

FortiGate as SSL VPN client does not work on NP6 and NP6XLite devices.

950157

SS LVPN connected/disconnected endpoint event log can be in the wrong sequence.

952860

During a handshake when FortiClient sends a larger-than-MTU hello message, the packet is fragmented by IP layer and dropped by the FortiGate.

890912

FortiLink VLAN interface should be renamed from default to _default after upgrading to 7.0.10.

893405

One discovery one transmit buffer was allocated and was not released on connection terminations.

894735

Unable to configure more than one NAC policy using the same EMS tag for different FortiSwitch groups.

911232

Security rating shows an incorrect warning for unregistered FortiSwitches on the WiFi & Switch Controller > Managed FortiSwitches.

920231

FortiGate loses QoS ip-dscp-map configuration after reboot.

936081

The vlan-optimization {enable | disable} and vlan-all-mode all configuration options disappear after upgrade or reboot.

708964

CPU usage issue is observed caused by reloading the system when the system has cfg-save set to revert.

713951

Not all ports are coming up after an LAG bounce on 8 × 10 GB LAG with ASR9K. Affected platforms: FG-3960E and FG-3980E.

724085

Traffic passing through an EMAC VLAN interface when the parent interface is in another VDOM is blocked if NP7 offloading is enabled.

729912

DNS proxy does not transfer the DNS query for IPv6 neighbor discovery (ND) when client devices are using random MAC addresses, so one device can configure many IPv6 addresses.

822297

Polling fgfwpolid returns disabled policies.

828129

A disabled EMAC VLAN interface is replying to a ping.

832154

The cmdbsvr process may crash when there are many addresses and address groups that include each other recursively.

842159

FortiGate 200F interfaces stop passing traffic after some time.

855573

False alarm of the PSU2 occurs with only one installed.

859393

SNMP poll for fgExplicitProxyRequests returns 0.

862519

FortiGate 40F-3G4G WWAN connection unstable on Verizon Carrier.

866437

CPU usage issue caused by the new Linux kernel.

867663

The FEC configuration under the interface is not respected when port23 and port24 are members of an LACP and the connection is 100G. Affected platforms: FGT-340xE, FGT-360xE.

869044

If the original packet was forwarded with NAT, generated ICMP error is routed back to SNAT'ed address.

873805

CPSS usage goes to 99% and causes initiation issues when traffic is flowing upon boot. Affected platforms: FG-40xF, FG-60xF, FG-300xF.

874292

ssh-rsa should be disabled under the SSH server_host_key_algorithm.

876853

No output of execute sensor list is displayed after rebooting.

879769

If the firewall session is in check-new mode, FortiOS will not flush its NPU offload entry when there is a MAC address update of its gateway.

882187

FortiGate enters conserve mode in a few hours after enabling UTM on the policies.

884023

When a user is logged in as a VDOM administrator with restricted access and tries to upload a certificate (System > Certificates), the Create button on the Create Certificate pane is greyed out.

885823

Sensor showing temperature of 0.00 Celsius.

891165

Auto-script causes FortiGate to repeat commands.

892274

Daylight saving time is not applied for Cairo time zone.

892478

Interface release from cmdb and iprope keep updating when DHCP client renewal fails.

894202

Incorrect temperature calculation appears in sensor list on FG-8xF, FWF-8xF, FG-9xE, FG-10xE, FG-20xE, and FG-14xE.

894884

FSTR session ticket zero causes a memory leak.

903362

SNMP OID, fgFwPolLastUsed (1.3.6.1.4.1.12356.101.5.1.2.1.1.4), does not show the correct information about the last time a specific policy was used.

903397

After upgrading to 7.0.11, FortiOS cannot display QSFP+ transceiver information. Affected platforms: FG-110xE, FG-220xE, FG-330xE, FG-340xE, and FG-360xE.

904414

Port speed 1000auto could not link up with a Cisco switch.

904486

The FortiGate may display a false alarm message and subsequently initiate a reboot.

907339

dnsproxy process aborts due to stack buffer overflow being detected upon function return.

910269

Unexpected behavior caused by the Linux Out of Memory (OOM) killer when memory is very low.

910273

Last reboot reason: power cycle after rebooting due to a kernel panic is misleading.

910616

When a non-zero DSCP copied from ingress to egress packet for NAT64, the IP checksum is calculated incorrectly.

910651

All members are up on an FG-600F, but the LACP status is showing as down after upgrading.

910677

Transparent mode FortiGate does not reply to SYN ACK when communicating with FortiManager.

920085

CPU usage issue observed in dnsproxyd caused by unused wildcard FQDN.

922965

CPU usage issue observed in hasync daemon when session count is large.

922982

FortiGate does not respond to ARP requests for the IP address on the WAN port when the interface is configured as EMAC.

923364

System goes into halt state with Error: Package validation failed... message in cases where there are no engine files in the FortiGate when the BIOS security level is set to 2.

924395

IPv6 local-in ping6 to management interface failed when newly configured.

925657

After a manual system administrator password change, the updated password-expire is not received by the FortiManager auto-update.

926035

On D-series FortiGates, a false alarm during system integrity check failure causes the firewall to reboot.

926817

Review the temperature sensor for the SoC4 system.

929821

An error condition occurred in httpsd and newcli when trying to generate a TAC report from the GUI and CLI, respectively.

939411

Multiple spawns of Hotplug process consuming high CPU resources.

940571

Memory usage issue caused by excessive log files.

942502

Kernel panic occurs when creating EMAC VLAN interfaces based on an aggregate interface with new kernel 4.1.9.

945871

DNAT does not work on software switch in explicit mode.

920223

System hangs after upgrade with the following error at bootup: cli 141 die in an exception in line 4495: Hrp.

939011

All transparent VDOMs cannot synchronize because of switch-controller.auto-config.policy.

790884

The FortiGate will not send a MAC-based authentication RADIUS authentication request for one of the devices on the network.

794477

When a user's membership in AD or port range is changed, all of the user sessions are cleared.

850473

SSL VPN and firewall authentication SAML does not work when the application requires SHA-256.

858877

Dynamic address only has 100 IP addresses while FSSO group lists all 56K ACI endpoints.

868994

FortiGate receives FSSO user in the format of HOSTNAME$.

883006

Adding a new group membership to an FSSO user terminates all the user's open sessions.

899852

FortiGate is sending Class(25) AVP with wrong length in RADIUS accounting when using 2FA with PUSH or external tokens.

901743

An error condition occurs during the processing of the UDP packets when device identification is activated on an interface.

943087

Guest management users no longer view the password automatically generated by the firewall.

901920

AWS external account list supports regional endpoints.

913696

In the periodic status check of the OCI VM status, too many API calls caused a lot of 429 errors.

921168

Restore operation overwrite passive configuration in AZURE A-P deployment based on SDN connector.

927323

Event log alert Write Permission Violation to read-only file on VMware after taking snapshot.

932085

In an Azure cluster, the NTP source-ip6 (IPv6) is synchronized while the source-ip (IPv4) is not.

950899

Azure FortiGate keeps rebooting after upgrading to 7.0.11, and the device enters kernel panic.

887384

SIP session is dropped by ALG with media type doesn't match message.

829704

Web filter is not logging all URLs properly.

878442

FortiGuard block page image (logo) is missing when the Fortinet-Other ISDB is used.

916140

An error condition occurs in WAD caused by the mismatch between the SNI host and CNAME.

941045

Local rating chooses the wrong category if the URL path falsely matches to a longer local rating URL.

875382

When accessing the managed FortiAP/Switch view with a large number of devices in the topology, the page takes a long time to load.

904349

Unable to create FortiAP profile in the GUI for dual-5G mode FortiAP U231F/U431F models.

Workaround: use the CLI to update the profile to dual-5G mode.

905406

In auth-logon and auth-logout logs, Wi-Fi users with random public IP addresses are observed.

926999

EAP proxy daemon crashed with signal 11 and keeps reloading after receiving an empty username.

888814

Unable to match first group attribute from SAML assertion for ZTNA rule.

889994

After client device information is updated, the session is closed even though all information from the session still matches the policy.

923804

ZTNA logs are showing the log message Denied: failed to match a proxy-policy when client device information matches the policy.

875854

FortiOS 7.0.13 is no longer vulnerable to the following CVE Reference:

• CVE-2023-28001

911617

FortiOS 7.0.13 is no longer vulnerable to the following CVE Reference:

• CVE-2023-37935