Resolved issues
The following issues have been fixed in version 7.0.13. To inquire about a particular bug, please contact Customer Service & Support.
Anti Spam
Bug ID |
Description |
---|---|
877613 |
Mark as Reject can be still chosen as an Action in an Anti-Spam Block/Allow List in the GUI. |
Anti Virus
Bug ID |
Description |
---|---|
911332 |
When UTM status is enabled and the AV profile has no configuration, all SLL traffic is dropped and there is no WAD output. |
923883 |
The FortiGate may display an error log in the crash log due to AV delta update. In case of failure, a full successful AV update is done. |
Application Control
Bug ID |
Description |
---|---|
939565 |
|
DNS Filter
Bug ID |
Description |
---|---|
931998 |
DNS filter flow external domain AAAA query can still check the default category but not the remote category. |
Endpoint Control
Bug ID |
Description |
---|---|
897048 |
FortiOS should support EMS 7.2.1 auth API status code changes. |
913324 |
GUI repeated calls to the EMS API, which can cause EMS to not authorize the FortiGate correctly. |
Explicit Proxy
Bug ID |
Description |
---|---|
817582 |
When there are many users authenticated by an explicit proxy policy, the Firewall Users widget can take a long time to load. This issue does not impact explicit proxy functionality. |
859693 |
Sessions between the explicit proxy and server stay in SYN_SENT state when using IP pools in the explicit proxy policy for source NAT, even though the sessions have established. Traffic is not impacted. |
863665 |
Denied explicit proxy keeps using the Fortinet_CA_SSL default certificate, even if the configured certificate is different. |
889300 |
Wrong source IP address used for packets through explicit proxy routed to a member of SD-WAN interface. |
923302 |
Cannot send picture through web explicit proxy. |
Firewall
Bug ID |
Description |
---|---|
719311 |
On the Policy & Objects > Firewall Policy page in 6.4.0 onwards, the IPv4 and IPv6 policy tables are combined but the custom section name (global label) is not automatically checked for duplicates. If there is a duplicate custom section name, the policy list may show empty for that section. This is a display issue only and does not impact policy traffic. |
752267 |
Load Balance Monitor detects a server in standby mode as being down. |
848058 |
NPD failed to parse zone in the source interface of a DoS/ACL policy and failed to offload. |
851212 |
After traffic flow changes to FGSP peer from owner, iprope information for synchronized sessions does not update on the peer side. |
861981 |
Traffic drops between two back-to-back EMAC VLAN interfaces. |
879225 |
Egress interface cannot be intermittently matched for Wake-on-LAN (broadcast) packets. |
879705 |
Traffic issues occur with virtual servers after upgrading. |
884908 |
Implicit deny policy is allowing |
895946 |
Access to some websites fails after upgrading to FortiOS 7.2.3 when the firewall policy is in flow-based inspection mode. |
897849 |
Firewall Policy list may show empty sequence grouping sections if multiple policies are sharing the same |
912089 |
Optimize CPU usage caused by a rare error condition which leads to no data being sent to the collector. |
914939 |
UDP fragments dropped due to DF being set. Only the |
926029 |
New sessions are created and evaluated after a certain number of UDP packets, even if |
951373 |
Traffic shaping is not matching the correct queue for outbound traffic. |
FortiView
Bug ID |
Description |
---|---|
894957 |
On FortiView Websites, the real time view is always empty if disk logging is disabled. |
GUI
Bug ID |
Description |
---|---|
863126 |
In an environment where the Security Fabric is enabled and there are more than 100 firewall object conflicts between the root and downstream FortiGates, the Firewall Object Synchronization pane does not list the details. |
892207 |
Unable to authorize a newly discovered FortiAP from the WiFi Controller > Managed FortiAPs page. |
893560 |
When private data encryption is enabled, the GUI may become unresponsive and HA may fail to synchronize the configuration. |
907041 |
Network > SD-WAN > SD-WAN Zones and SD-WAN Rules pages do not load if a shortcut tunnel is triggered. |
916236 |
GUI policy table cannot display sequence grouping section titles correctly if they are duplicated in the global label. |
919390 |
Disabling |
943949 |
When editing an interface description in GUI, the following characters are not allowed: <, >, (, ), #, ', and ". |
946878 |
FortiGate HA management interface in the GUI not allowing multiple route entries, but the CLI does allow them. |
HA
Bug ID |
Description |
---|---|
703614 |
HA secondary synchronization fails and keeps rebooting when the primary has a split port configuration. |
771316 |
Platforms in an HA environment get stuck in a reboot loop while attempting to synchronize configurations that differ in split ports. |
805663 |
After upgrading, rebooting the primary in HA (A-A) results in unusually high bandwidth utilization on redundant interfaces. |
818432 |
When private data encryption is enabled, all passwords present in the configuration fail to load and may cause HA failures. |
838571 |
After an HA split-brain event, the PPPoE interfaces are not recovered. |
870312 |
On a FortiGate HA cluster, both primary and secondary units are displayed as the Primary on the GUI top banner, and as |
875984 |
FortiGate is going to out-of-sync after changing parameters of VDOM link interfaces. |
881337 |
Adding a VLAN interface on any VDOM causes BGP flapping and VIP connectivity issues on VDOMs in vcluster2. |
893041 |
Cannot access out-of-band IPv6 address on HA secondary unit. |
897865 |
When NP7 platforms enable the GTP enhanced mode it does not use uninterruptible upgrade. |
902945 |
Lost management connectivity to the standby node via in-band management. |
904318 |
FortiGate sent ARP request with loopback IP address as the source address. |
912665 |
FGCP primary-secondary cluster only uses one |
916216 |
When adding a new interface, some other interfaces have the wrong virtual MAC address. |
920233 |
The System > HA page is missing from the GUI on 5K models. |
931724 |
HA events not synchronizing between members, leading to unexpected HA status. |
950868 |
Traffic is not forwarded on L2 peer to keep FGSP with an available L2 connection. |
953167 |
Access to console and SSH is lost due to a specific configuration. |
Hyperscale
Bug ID |
Description |
---|---|
915796 |
With an enabled hyperscale license, in some cases with exception traffic (like ICMP error traverse), the FortiGate may experience unexpected disruptions when handling the exception traffic. |
924196 |
Device is rebooting randomly when driver processes exception packets. |
ICAP
Bug ID |
Description |
---|---|
884339 |
When the algo process starts up, it attempts to build an ICAP profile without allocating memory beforehand. |
Intrusion Prevention
Bug ID |
Description |
---|---|
823583 |
Failover on clustered web application using keepalived daemon does not work seamlessly. |
842523 |
IPv6 with hardware offloading and IPS drops traffic ( |
860315 |
Unexpected behavior in IPS engine when executing |
862830 |
|
873975 |
Source MAC changes and the packet drops due to both sides of the session using the same source MAC address. |
882593 |
HTTPS traffic slows when IPS with NTurbo is used over a virtual wire pair. |
892302 |
Constant reloading of the external domain table is causing high CPU due to lock contention when reloading the table. |
926639 |
Constant reloading of the shared memory external domain table is causing high CPU usage due to lock contention when reloading the table. |
952270 |
IPS logs for VIP traffic shows external IP as a destination for some signatures. |
IPsec VPN
Bug ID |
Description |
---|---|
766750 |
FortiGate does not accept secondary tunnel IP address in the same subnet as the primary tunnel. |
812229 |
ASCII-encoded byte code of remote gateway IP is displayed in the GUI and CLI when a VPN tunnel is formed using IKEv1 or v2 if the |
872769 |
Proxy ARP stops working for a client connected to a dialup IPsec when the previous VPN was established and is deleted. |
885333 |
Forwarded broadcast traffic on ADVPN shortcut tunnel interface dropped. |
887800 |
In an L2TP configuration, |
920725 |
IPsec tunnels that have external DHCP services for IP assignment have an extra selector added after upgrading to 7.0.11. |
922064 |
Firewall becoming unresponsive to DPD/IKE messages, causing IPsec VPNs to drop. |
926048 |
Traffic through a shortcut got dropped after an HA failover. |
928774 |
IPsec VPN connection should allow % in FortiClient Connect REG_PASSWD field. |
932112 |
EAP in IKEv2 dialup IPsec connection does not work with two firewall polices, each using both the IKEv2 interface and user group. |
949086 |
Policy route is not matching ESP traffic. |
954614 |
IPsec phase 2 negotiation fails with |
Log & Report
Bug ID |
Description |
---|---|
831441 |
The forward traffic log show exabytes of data being sent and received from external to external IP addresses in multiple VDOMs. |
860822 |
When viewing logs on the Log & Report > System Events page, filtering by domain\username does not display matching entries. |
879228 |
FortiAnalyzer override settings are not taking effect when |
893199 |
The FortiGate does not generate deallocate/allocate logs of the first IP pool when the first IP pool has been exhausted. |
902797 |
IPS alert email not being sent when IPS attack event has triggered. |
908856 |
Traffic log can show exabytes of data sent and received when generating log task is triggered from userspace. |
932537 |
If Security Rating is enabled to run on schedule (every 4 hours), the FortiGate can unintentionally send local-out traffic to fortianalyzer.forticloud.com during the Security Rating run. |
Proxy
Bug ID |
Description |
---|---|
783549, 902613, 921247 |
An error condition occurs in WAD caused by multiple outstanding requests sent from client to server with UTM enabled. |
785927 |
Unexpected behavior in WAD when multiple DHCP servers are configured. |
820096 |
CPU usage issue in proxyd caused by the absence of TCP teardown. |
863132 |
Proxy mode inspection is slow when testing a single TCP stream from fast.com, which causes bandwidth slowness on FG-100F and FG-200F devices. |
882182 |
Unexpected behavior in WAD due to the activation of firewall protocol options, with both client and server comfort features enabled. |
897347 |
Memory usage issue caused by the WAD user info process while authenticating the LDAP users. |
912116 |
Website (li***.cz) is not working in proxy inspection mode with deep inspection and web filter applied. |
REST API
Bug ID |
Description |
---|---|
892237 |
Updating the HA monitor interface using the REST API PUT request fails and returns a -37 error. |
903908 |
The forticron application crashes when restoring a VDOM configuration. |
948356 |
An error condition occurs in HTTPSD when a REST API request is sent with invalid parameters. |
Routing
Bug ID |
Description |
---|---|
775752 |
|
779330 |
The SD-WAN service with |
827565 |
Using |
839669 |
Static route through an IPsec interface is not removed after the BFD neighbor goes down. |
858248 |
OSPF summary address for route redistribution from static route via IPsec VPN always persists. |
875668 |
SD-WAN SLA log information has incorrect inbound and outbound bandwidth values. |
900941 |
|
906896 |
Make OSPFv3 update the translator role and translated Type-5 LSA when the ASBR table is updated. |
922491 |
Static routes are installed on hub FortiGate with |
924940 |
When there are a lot of policies (several thousands), the interface member selection for the SD-WAN Zone dialog may take up to a minute to load. |
928152 |
FortiGate generates two OSPF stub entries for the same prefix after upgrading from 6.4 to 7.0. |
Security Fabric
Bug ID |
Description |
---|---|
851656 |
Sessions with |
912592 |
Allow comments and IP addresses to be on the same line for external IP address threat feeds. |
912917 |
Send Fabric API calls with pagination filter. |
917024 |
Unexpected behavior in Security Fabric daemon (CSFD) caused by triggering HA failover while using Security Fabric. |
920391 |
Non-management VDOM is not allowed to set a |
922896 |
Azure SDN connector always uses HA management port for DNS resolve. This might not work on premises where the HA management port does not have a public IP address assigned. |
SSL VPN
Bug ID |
Description |
---|---|
631809 |
Configuring thousands of |
843756 |
Customer bookmark (*.tr***.pt) is not accessible when using SSL VPN web mode. |
859088 |
FortiGate adds extra parenthesis and causes clicking all links to fail in SSL VPN web mode. |
871229 |
SSL VPN web mode does not load when connecting to customer's internal site. |
873516 |
FortiGate misses the closing parenthesis when running the function to rewrite the URL. |
875167 |
Webpage opened in SSL VPN web portal is not displayed correctly. |
881220 |
Found bad login for SSL VPN web-based access when enabling URL obscuration. |
881268 |
Disconnecting from SSL VPN using the SSL-VPN widget does not disconnect the SSL VPN tunnel. |
884869 |
Web mode bookmark showing blank page due to JS rewrite. |
885978 |
Some buttons in URL are not working in SSL VPN web mode. |
886989 |
SSL VPN process reaches 99% CPU usage when HTTP back-end server resets the connection in the middle of a post request. |
887345 |
When a user needs to enter credentials through a pop-up window, the key events for modification key detected by SDL were ignored. |
887674 |
FortiGate will intermittently stop accepting new SSL VPN connections across all VDOMs. |
897385 |
Internal website keeps asking for credential with SSL VPN web mode. |
897665 |
The external DHCP server is not receiving hostnames in SSL VPN and DHCP relay. |
904919 |
DHCP option 12 hostname needed for SSL VPN with external DHCP servers. |
927475 |
SSL VPN tunnel down log message not generated when an IP address is disassociated before the old tunnel times out. |
933985 |
FortiGate as SSL VPN client does not work on NP6 and NP6XLite devices. |
950157 |
SS LVPN connected/disconnected endpoint event log can be in the wrong sequence. |
952860 |
During a handshake when FortiClient sends a larger-than-MTU hello message, the packet is fragmented by IP layer and dropped by the FortiGate. |
Switch Controller
Bug ID |
Description |
---|---|
890912 |
FortiLink VLAN interface should be renamed from |
893405 |
One discovery one transmit buffer was allocated and was not released on connection terminations. |
894735 |
Unable to configure more than one NAC policy using the same EMS tag for different FortiSwitch groups. |
911232 |
Security rating shows an incorrect warning for unregistered FortiSwitches on the WiFi & Switch Controller > Managed FortiSwitches. |
920231 |
FortiGate loses QoS |
936081 |
The |
System
Bug ID |
Description |
---|---|
708964 |
CPU usage issue is observed caused by reloading the system when the system has |
713951 |
Not all ports are coming up after an LAG bounce on 8 × 10 GB LAG with ASR9K. Affected platforms: FG-3960E and FG-3980E. |
724085 |
Traffic passing through an EMAC VLAN interface when the parent interface is in another VDOM is blocked if NP7 offloading is enabled. |
729912 |
DNS proxy does not transfer the DNS query for IPv6 neighbor discovery (ND) when client devices are using random MAC addresses, so one device can configure many IPv6 addresses. |
822297 |
Polling fgfwpolid returns disabled policies. |
828129 |
A disabled EMAC VLAN interface is replying to a ping. |
832154 |
The cmdbsvr process may crash when there are many addresses and address groups that include each other recursively. |
842159 |
FortiGate 200F interfaces stop passing traffic after some time. |
855573 |
False alarm of the PSU2 occurs with only one installed. |
859393 |
SNMP poll for fgExplicitProxyRequests returns 0. |
862519 |
FortiGate 40F-3G4G WWAN connection unstable on Verizon Carrier. |
866437 |
CPU usage issue caused by the new Linux kernel. |
867663 |
The FEC configuration under the interface is not respected when port23 and port24 are members of an LACP and the connection is 100G. Affected platforms: FGT-340xE, FGT-360xE. |
869044 |
If the original packet was forwarded with NAT, generated ICMP error is routed back to SNAT'ed address. |
873805 |
CPSS usage goes to 99% and causes initiation issues when traffic is flowing upon boot. Affected platforms: FG-40xF, FG-60xF, FG-300xF. |
874292 |
|
876853 |
No output of |
879769 |
If the firewall session is in |
882187 |
FortiGate enters conserve mode in a few hours after enabling UTM on the policies. |
884023 |
When a user is logged in as a VDOM administrator with restricted access and tries to upload a certificate (System > Certificates), the Create button on the Create Certificate pane is greyed out. |
885823 |
Sensor showing temperature of 0.00 Celsius. |
891165 |
Auto-script causes FortiGate to repeat commands. |
892274 |
Daylight saving time is not applied for Cairo time zone. |
892478 |
Interface release from cmdb and iprope keep updating when DHCP client renewal fails. |
894202 |
Incorrect temperature calculation appears in sensor list on FG-8xF, FWF-8xF, FG-9xE, FG-10xE, FG-20xE, and FG-14xE. |
894884 |
FSTR session ticket zero causes a memory leak. |
903362 |
SNMP OID, fgFwPolLastUsed (1.3.6.1.4.1.12356.101.5.1.2.1.1.4), does not show the correct information about the last time a specific policy was used. |
903397 |
After upgrading to 7.0.11, FortiOS cannot display QSFP+ transceiver information. Affected platforms: FG-110xE, FG-220xE, FG-330xE, FG-340xE, and FG-360xE. |
904414 |
Port speed 1000auto could not link up with a Cisco switch. |
904486 |
The FortiGate may display a false alarm message and subsequently initiate a reboot. |
907339 |
dnsproxy process aborts due to stack buffer overflow being detected upon function return. |
910269 |
Unexpected behavior caused by the Linux Out of Memory (OOM) killer when memory is very low. |
910273 |
Last reboot reason: power cycle after rebooting due to a kernel panic is misleading. |
910616 |
When a non-zero DSCP copied from ingress to egress packet for NAT64, the IP checksum is calculated incorrectly. |
910651 |
All members are up on an FG-600F, but the LACP status is showing as down after upgrading. |
910677 |
Transparent mode FortiGate does not reply to SYN ACK when communicating with FortiManager. |
920085 |
CPU usage issue observed in dnsproxyd caused by unused wildcard FQDN. |
922965 |
CPU usage issue observed in hasync daemon when session count is large. |
922982 |
FortiGate does not respond to ARP requests for the IP address on the WAN port when the interface is configured as EMAC. |
923364 |
System goes into halt state with |
924395 |
IPv6 local-in ping6 to management interface failed when newly configured. |
925657 |
After a manual system administrator password change, the updated |
926035 |
On D-series FortiGates, a false alarm during system integrity check failure causes the firewall to reboot. |
926817 |
Review the temperature sensor for the SoC4 system. |
929821 |
An error condition occurred in httpsd and newcli when trying to generate a TAC report from the GUI and CLI, respectively. |
939411 |
Multiple spawns of Hotplug process consuming high CPU resources. |
940571 |
Memory usage issue caused by excessive log files. |
942502 |
Kernel panic occurs when creating EMAC VLAN interfaces based on an aggregate interface with new kernel 4.1.9. |
945871 |
DNAT does not work on software switch in explicit mode. |
Upgrade
Bug ID |
Description |
---|---|
920223 |
System hangs after upgrade with the following error at bootup: |
939011 |
All transparent VDOMs cannot synchronize because of |
User & Authentication
Bug ID |
Description |
---|---|
790884 |
The FortiGate will not send a MAC-based authentication RADIUS authentication request for one of the devices on the network. |
794477 |
When a user's membership in AD or port range is changed, all of the user sessions are cleared. |
850473 |
SSL VPN and firewall authentication SAML does not work when the application requires SHA-256. |
858877 |
Dynamic address only has 100 IP addresses while FSSO group lists all 56K ACI endpoints. |
868994 |
FortiGate receives FSSO user in the format of HOSTNAME$. |
883006 |
Adding a new group membership to an FSSO user terminates all the user's open sessions. |
899852 |
FortiGate is sending Class(25) AVP with wrong length in RADIUS accounting when using 2FA with PUSH or external tokens. |
901743 |
An error condition occurs during the processing of the UDP packets when device identification is activated on an interface. |
943087 |
Guest management users no longer view the password automatically generated by the firewall. |
VM
Bug ID |
Description |
---|---|
901920 |
AWS external account list supports regional endpoints. |
913696 |
In the periodic status check of the OCI VM status, too many API calls caused a lot of 429 errors. |
921168 |
Restore operation overwrite passive configuration in AZURE A-P deployment based on SDN connector. |
927323 |
Event log alert |
932085 |
In an Azure cluster, the NTP |
950899 |
Azure FortiGate keeps rebooting after upgrading to 7.0.11, and the device enters kernel panic. |
VoIP
Bug ID |
Description |
---|---|
887384 |
SIP session is dropped by ALG with |
Web Filter
Bug ID |
Description |
---|---|
829704 |
Web filter is not logging all URLs properly. |
878442 |
FortiGuard block page image (logo) is missing when the |
916140 |
An error condition occurs in WAD caused by the mismatch between the SNI host and CNAME. |
941045 |
Local rating chooses the wrong category if the URL path falsely matches to a longer local rating URL. |
WiFi Controller
Bug ID |
Description |
---|---|
875382 |
When accessing the managed FortiAP/Switch view with a large number of devices in the topology, the page takes a long time to load. |
904349 |
Unable to create FortiAP profile in the GUI for dual-5G mode FortiAP U231F/U431F models. Workaround: use the CLI to update the profile to dual-5G mode. |
905406 |
In |
926999 |
EAP proxy daemon crashed with signal 11 and keeps reloading after receiving an empty username. |
ZTNA
Bug ID |
Description |
---|---|
888814 |
Unable to match first group attribute from SAML assertion for ZTNA rule. |
889994 |
After client device information is updated, the session is closed even though all information from the session still matches the policy. |
923804 |
ZTNA logs are showing the log message |
Common Vulnerabilities and Exposures
Visit https://fortiguard.com/psirt for more information.
Bug ID |
CVE references |
---|---|
875854 |
FortiOS 7.0.13 is no longer vulnerable to the following CVE Reference:
|
911617 |
FortiOS 7.0.13 is no longer vulnerable to the following CVE Reference:
|
Recommended Comments
There are no comments to display.
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now