Jump to content
SeedTheNet

FortiOS 6.4.9 build 1966


 Share

Recommended Posts

Resolved issues

The following issues have been fixed in version 6.4.9. For inquires about a particular bug, please contact Customer Service & Support.

Anti Spam

Bug ID

Description

743693

Anti spam engine crashes when extracting a malformed IP address from Received: headers.

Anti Virus

Bug ID

Description

665173

Crash logs are sometimes truncated/incomplete.

Application Control

Bug ID

Description

752569

Per IP shaper under application list does not work as expected for some applications.

Data Leak Prevention

Bug ID

Description

745369

PDF corruption over HTTP by DLP.

DNS Filter

Bug ID

Description

748227

DNS proxy generated local out rating (FortiGuard category) queries can time out if they are triggered for the same DNS domains with the same source DNS ID.

751759

DNS filter breaks DNS zone transfer because the client socket might close prematurely (in which there is still some data in the user space) if the server side closed the connection.

Endpoint Control

Bug ID

Description

666426

IPsec VPN does not have FCT client IP to send to EMS if using DHCP-over-IPsec.

693010

No FortiClient entry in diagnose endpoint record list when the FortiClient is registered on EMS with a WiFi tunnel mode interface.

738614

EMS Cloud does not update the IP for dynamic address on the FortiGate.

743235

Dynamic group EMS tags are not showing up for connected wireless devices.

744613

EMS endpoint IP and MAC addresses are not synchronized to the ZTNA tags on the FortiGate.

Explicit Proxy

Bug ID

Description

607230

Percent encoding is not converted in FTP over HTTP explicit proxy.

638172

Proxy policy matching should support choosing the best internet service name when the IP matches multiple object names.

674996

WAD encounters segmentation crash at wad_ssl_arm_close; crash occurred on explicit web proxy.

695468

Unable to load URL when application control or AV are enabled in a proxy policy.

721039

Short disconnections of streaming applications (Teams and Whereby) through explicit proxy.

747840

When configuring authentication schemes to negotiate and NTLM (mix), Firefox may not show the authentication pop-up with an explicit proxy.

754259

When an explicit proxy policy has a category address as destination address, the FortiGate needs to check if the address is a Google Translate URL for extra rating. This will trigger a keyword match. However, if a web filter profile is not set yet, WAD will crash. The fix will delay the keyword match until a web filter profile is present.

757736

HTTPS TLS 1.3 handshake fails with internal error alert.

Firewall

Bug ID

Description

729245

HTTP/1.0 health check should process the whole response when http-match is set.

730803

Applying a traffic shaping profile and outbound bandwidth above 200000 blocks the traffic.

738584

Firewall is using the wrong NAT IP address to send out traffic after removing the VIP and its associated policy.

743160

SYN-ACK is dropped when application control with auto-asic-offload and NP acceleration are enabled in a firewall policy.

744888

FortiGate drops SERVER HELLO when accessing some TLS 1.3 websites using a flow-based policy with SSL deep inspection.

745853

FortiGate stops sending logs to Netflow traffic because the Netflow session cleanup routine runs for too long when there are many long live sessions in the cache.

746891

Auto-update script sent from FortiOS GUI has a policy ID of zero, which causes FortiManager to be out of synchronization.

754240

After a session updates its shaping policy, if the new shaping policy does not configure a per-IP shaper, the session will still use the old per-IP shaper from the previous shaping policy.

FortiView

Bug ID

Description

741792

Update FortiAnalyzer license REST API to use the FortiAnalyzer's licenses when in analyzer-collector mode.

GUI

Bug ID

Description

608770

When there is no IP/IPv6 address setting for Zone, the GUI incorrectly displays 0.0.0.0/0.0.0.0 for IP/Netmask and ::/0 for IPv6 Address.

610572

Guest user credentials never expire if a guest user logs in via the WiFi portal while an administrator is actively viewing the user's account via the GUI. If the administrator clicks OK in the user edit dialog after the guest user has logged in, the user's current login session is not subject to the configured expiration time.

650327

The values for set gui-default-policy-columns does not work for the srcaddr, dstaddr, and source columns.

696573

Firewall policy not visible in the GUI when enabling internet-service src.

699508

When an administrator ends a session by closing the browser, the administrator timeout event is not logged until the next time the administrator logs in.

704618

When login banner is enabled, and a user is forced to re-login to the GUI (due to password enforcement or VDOM enablement), users may see a Bad gateway error and HTTPSD crash.

720613

The event log sometimes contains duplicated lines when downloaded from the GUI.

720657

Unable to reuse link local or multicast IPv6 addresses for multiple interfaces from the GUI.

733375

On the VPN > SSL-VPN Settings page, after clicking Apply, source-address objects become source-address6 objects if IPv6 is enabled.

734157

On a downstream FortiGate, going to VDOM FG-traffic > Network > Interfaces takes a long time to load.

740254

Unable to view log details for Oracle.GlassFish.Server.ThemeServlet.Directory.Traversal log when clicking Details in the GUI.

740508

Bandwidth widget shows incorrect traffic on FG-40F.

742561

On the Network > Interfaces page, after upgrading to FortiOS 6.4.7, a previously valid VLAN switch VLAN ID of 0 now displays the error message The minimum value is 2.

745325

When creating a new (public or private) SDN connector, users are unable to specify an Update interval that contains 60, as it will automatically switch to Use Default.

745998

An IPsec phase 1 interface with a name that contains a / cannot be deleted from the GUI. The CLI must be used.

750490

Firewall policy changes made in the GUI remove the replacement message group in that policy.

HA

Bug ID

Description

658839

Cloning a policy from the CLI causes the HA cluster to get out of sync.

680753

admin-restrict-local feature does not work on management interface in HA cluster.

711521

When HA failover happens, there is a time difference between the old secondary becoming new primary and the new primary's HA ID getting updated. If a session is created in between, the session gets a wrong HA ID, which indicates incorrectly that the session's traffic needs to be handled by new secondary.

714788

Uninterruptible upgrade might be broken in large scale environments.

717788

FGSP has problem at failover when NTurbo or offloading is enabled (IPv4) with virtual wire pair traffic.

725240

HA cluster goes out of sync due to mismatched vpn.certificate.crl checksum.

729607

FTP transfers drop in active-active mode in cases where expectation sessions accumulated in the secondary unit reach the maximum number (128).

732201

VDOM restore on an already configured VDOM causes high CPU sometimes on the primary.

740743

When enabling lag-out-port-select, both cluster units simultaneously reboot.

740933

HA goes out of synchronization when uploading a local certificate.

744349

Unable to connect to FortiSandbox Cloud through proxy from secondary node in an HA cluster.

744826

API key (token) on the secondary device is not synchronized to the primary when standalone-config-sync is enabled.

746008

DNS may not resolve on the correct blade in a 6K/7K virtual cluster environment.

747270

When the HA secondary device relays logs to the primary device, it may encounter high CPU usage.

752892

PPPoE connection gets disconnected during HA failover.

757494

Unable to add a member to an aggregate interface that is down in a HA cluster.

Intrusion Prevention

Bug ID

Description

665755

The global UTM profiles named with a g- prefix are shared between all VDOMs and logically do not belong to any VDOM. When they are changed, the ipshelper cannot always refresh its configuration because the ipshelper tries to check each VDOM profile.

682071

IPS signatures not working with VIP in proxy mode.

746467

IPS engine crashes when IPS injects packets to vNP and vNP/DPDK fails to restart (crashes and sometimes is out of service).

751027

FortiGate can only collect up to 128 packets when detected by a signature.

755859

The IPS sessions count is higher than system sessions, which causes the FortiGate to enter conserve mode.

IPsec VPN

Bug ID

Description

668997

Duplicate entry found error shown when assigning multiple dialup IPsec tunnels with the same secondary IP in the GUI.

673049

FortiGate not sending its external interface IP in the IKE negotiation (Google Cloud Platform).

680783

Traffic is dropped in policy-based mode with FEC and NTurbo enabled.

684133

Site-to-site IPsec VPN cannot establish in asymmetric routing scenario where the IPsec VPN bound interface is a loopback interface.

691178

Exchanging IPs does not work with multiple dynamic tunnels.

691718, 728276

Traffic cannot pass through IPsec tunnel after FEC is enabled on server side if NAT is enabled between VPN peers.

696835

An iked kernel panic occurs whenever a large download is initiated over an IPsec dialup tunnel.

701404

Routes are not added or removed as expected when failover occurs with IPsec FGSP HA.

715671

Traffic is failing on dialup VPN IKEv2 with EAP authentication.

717082

FortiGate keeps initiating DHCP SA rekey after lifetime expires.

718617

In an IPsec tunnel XAuth with RADIUS, the RADIUS Accounting Stop packet is missing the Acct-Input-Octets/Acct-Output-Octets attribute.

720689

Kernel crash occurs with FEC enabled on IPsec VPN when corrupted packets are received.

725551

IKE idle timeout timers continue running when the HA state switches to secondary.

726326

IPsec server with NP offloading drops packets with an invalid SPI during rekey.

726450

Local out dialup IPsec traffic does not match policy-based routes.

729760

The ADVPN forwarder does not currently track the shortcut query that it forwards. Shortcut queries and replies are forwarded or terminated solely based on the route lookup.

735412

IKE HA resynchronizes the synchronized connection without an established IKE SA.

735430

TCP SYN-ACKs are silently dropped if the traffic is sourced from a dialup IPsec tunnel and UTM is enabled.

740475

Traffic cannot be sent out through IPsec VPN tunnel because SA is pushed to the wrong NP6 for platforms where NP6 is standalone. Affected models: FG-2000E and FG-2500E.

743732

If a failure happens during negotiating a shortcut IPsec tunnel, the original tunnel NAT-T setting is reset by mistake.

744598

Tunnel interface MTU settings do not work when net-device is enabled in phase 1.

745331

IPsec server with NP offloading drops packets with an invalid SPI during rekey.

747123

In an IPsec aggregate tunnel interface where one of the members is down and has an MTU of zero, and the other tunnel is up and has a non-zero MTU, the interface will take the minimum of both MTU values, which is zero. This results in no traffic going in the outbound direction.

752947

The hub sometimes allows the IKEv2 IPsec tunnel with a spoke to be established that uses an expired or revoked certificate.

765868

The packets did not pass through QTM, and SYN packets bypass the IPsec tunnel once traffic is offloaded. Affected platforms: NP7 models.

Log & Report

Bug ID

Description

712037

FortiAnalyzer OFTP connection is re-initialized every 30 seconds when the FortiGate connects to an unauthorized FortiAnalyzer.

715549

On the Log & Report > SSL page, the Service for SSL logs is displayed as FTPS instead of SSL.

718140

Logs are missing on FortiGate Cloud from a certain point.

724827

Syslogd is using the wrong source IP when configured with interface-select-method auto.

731154

SSL VPN tunnel down event log (log ID 39948) is missing.

745310

Need to add the MIGSOCK send handler to flush the queue when the first item is added to the syslog queue to avoid logs getting stuck.

745689

Unknown interface is shown in flow-based UTM logs.

749842

The miglogd process uses high CPU when handling a web rating error log that is reported with an invalid VDOM ID.

751358

Unable to set source IP for FortiCloud unless FortiCloud is already activated.

754143

Add srcreputation and dstreputation fields in the forward traffic logs to provide the reputation level of the source and destination when the traffic matches an entry in the internet service database.

Proxy

Bug ID

Description

568905

WAD crashes due to RCX having a null value.

582464

WAD SSL crash due to wrong cipher options chosen.

712584

WAD memory leak causes device to go into conserve mode.

726999

WAD crash on wad_hash_map_del.

728641

SSL renegotiation fails when Firefox offers TLS 1.3, but the server decides to use TLS 1.2.

733135

Web filter is blocking websites in proxy mode due to SSL certificate validation failure, which is caused by an unreachable OCSP server.

733760

Proxy inspection firewall policy with proxy AV blocks POP3 traffic of the Windows 10 built-in Mail app.

737737

WAD crashes when firewall FQDN address is null.

739627

diagnose wad stats policy list does not show statistics correctly when enabling certificate inspection and HTTP policy redirect.

743746

WAD encounters signal 11 crash when adding user information.

744756

Web proxy forward server group could not recover sometimes if the FQDN is not resolved.

747250

When a timeout happens while forticron is downloading a file, the original downloaded file is not be deleted, so the next successful download has extra data in front.

752744

Proxy-based certificate with deep inspection fails upon receipt of a large handshake message.

754969

Explicit FTP proxy chooses random destination port when the FTP client initiates an FTP session without using the default port.

756394

WAD crashes due to memory corruption.

756603

WAD memory spike when downloading files larger than 4 GB.

756616

High CPU usage in proxy-based policy with deep inspection and IPS sensor.

756887

WAD crashes if the certificate authentication request context is not closed in the following scenarios: when fnbamd returns a failure certificate authentication result or no response; and when the CA certificate is updated and the certificate cache is flushed.

758086

HTTPS traffic gets SSL error when deep inspection and an AV of file filter profile are enabled.

764193

The three-way handshake packet that was marked as TCP port number reused cannot pass through the FortiGate, and the FortiGate replies with a FIN, ACK to the client.

REST API

Bug ID

Description

743169

Update various REST API endpoints to prevent information in other VDOMs from being leaked.

743743

httpsd crashes due to GET /api/v2/log/.../virus/archive request when the mkey is not provided.

768056

HTTPS daemon is not responsive when successive API calls are made to create an interface.

Routing

Bug ID

Description

670031

LDAP traffic that originates from the FortiGate is not following SD-WAN rule.

693988

For DSL interface, adding static route with set dynamic-gateway enable does not add route to routing table.

707143

Suggest adding an option for NetFlow to use SD-WAN.

723726

TCP session drops between virtual wire pair with auto-asic-offload enabled in policy.

724574, 731248

BFD neighborship is lost between hub and spoke. One side shows BFD as down, and other side does not show the neighbor in the list.

724887

set interface-select-method takes a long time to take effect for DNS local out traffic when the source IP is specified.

725322

Improve the help text for distance to indicate that 255 means unreachable.

727812

ADVPN does not work with RIP as the routing protocol when net-device is enabled.

729002

PIM/PIM6 does not send out unicast packet with the correct source IP if interface is not specified.

731941

Disconnected from FortiAnalyzer events reported when the interface-select-method is set to specify, and the interface port_<x> is set to an interface that does not have the highest priority in the SD-WAN interface selection.

736705

ZEBOS launcher is unable to start and crashes constantly if aspath has more than 80 characters in the config router router-map > set-aspath setting.

737898

OSPFv3 cannot install IPv6 ECMP routes when both ABR next hops are in the same subnet.

746000

Multicast streams sourced on SSL VPN client are not registered in PIM-SM.

748733

Remote IP route shows incomplete inactive in the routing table, which causes issues with BGP routes where the peer is the next hop.

769321

After ADVPN HA failover, BGP is not established, and tunnels are up but not passing traffic between the hub and spokes.

Security Fabric

Bug ID

Description

635183

ACI dynamic address cannot be retrieved in HA vcluster2 from SDN connector.

670451

ACI SDN connector (connected by aci-direct) shows curl error 7 when updating from second VDOM.

735717

vmwd gives an error when folders are created in the vSphere web interface, and vmwd ignores the IP addresses from vApp.

738344

When CSF root synchronizes a large automation setting (over 16000) to the downstream FortiGate, csfd crashes while trying to process the relay message.

741346

The variable %%date%% resolves into 1900-01-00 instead of actual date when the schedule trigger type is used.

742743

Security rating Issue with unused deny policies.

745263

AV & IPS DB Update automation trigger is not working when clicking Update Licenses & Definitions Now in the GUI.

746950

When an Azure network interface ID contains upper case letters, the Azure SDN connector may not retrieve that network interface.

SSL VPN

Bug ID

Description

586035

The policy script-src 'self' will block the SSL VPN proxy URL.

673320

Pop-up window does not load correctly when accessing internal application at https://re***.wo***.nl using SSL VPN web mode.

676391

set banned-cipher command does not work for TLS 1.3.

676673

Ciphers with ARIA, AESCCM, and CHACHA cannot be banned for SSL VPN.

677057

SSL VPN firewall policy creation via CLI does not require setting user identity.

693237

DCE/RPC sessions are randomly dropped (no session matched).

693519

SSL VPN authentication fails for PKI user with LDAP.

695386

SAML login failure when a user belongs to multiple groups associated with multiple VPN realms.

706646

SolarWinds Orion NPM platform's web application has issues in SSL VPN web mode.

707792

SSL VPN connection breaks when deleting irrelevant CA and PKI is involved.

711974

SSL VPN bookmarks are not working correctly with multiple SD-WAN zones.

718133

In some conditions, the web mode JavaScript parser will encounter an infinite loop that will cause SSL VPN crashes.

718142

The map integrated in the public site is not visible when using SSL VPN web mode.

726338

The wildcard matching method does not always work as expected because the kernel sometimes does not have the address yet.

726576

Internal webpage with JavaScript is not loading in SSL VPN web mode.

729426

The wildcard FQDN does not always work reliably in cases where the kernel does not have the address yet.

731278

Customer internal website (ac***.sa***.com) does not load properly when connecting via SSL VPN web mode.

737154

Slow RDP response when using SSL VPN web mode access.

737341

Some links and buttons are not working properly when accessing them through SSL VPN web mode.

737894

If there are no users or groups in an SSL VPN policy, the SSL VPN daemon may crash when an FQDN is a destination address in the firewall policy.

738711

FortiClient error message is not pertinent when the client does not meet host checking requirements.

744494

Memory occupied by the SSLVPN daemon increase significantly while the process is busy.

744899

SSL VPN RDP bookmark is not working when using Chrome 93 32-bit. Firefox 64-bit and Chrome 64-bit are still not supported on Windows 32-bit.

745499

In cases where a user is establishing two tunnel connections, there is a chance that the second session knocks out the first session before it is updated, which causes a session leak.

746990

RADIUS accounting messages after SSL VPN do not include the Class attribute (Group name).

747352

Internal web server page, https://te***.ss***.es:10443, is not loading properly in SSL VPN web mode.

748085

Authentication request of SSL VPN realm can now only be sent to user group, local user, and remote group that is mapped to that realm in the SSL VPN settings. The authentication request will not be applied to the user group and remote group of non-realm or other realms.

748667

Remove the maximum check for resolution of RDP/VNC in web portal.

749452

SSL VPN login authentication times out if primary RADIUS server becomes unavailable.

749918

Keyboard keys do not work with RDP bookmarks when PT-BR and PT-BR-ABNT2 layouts are chosen.

752055

VNC (protocol version 3.6/3.3) connection is not working in SSL VPN web mode.

755296

SSL VPN web mode has issues accessing https://e***.or***.kr.

756561

Outdated OS support for host check should be removed.

764853

SSL VPN bookmark of VNC is not using ZRLE compression and consumes more bandwidth to end clients.

767818

SSL VPN bookmark issues with internal website.

768994

SSL VPN crashed when closing web mode RDP after upgrading to 6.4.7.

Switch Controller

Bug ID

Description

740661

FortiGate loses FortiSwitch management access due to excessive configuration pushes.

System

Bug ID

Description

488400

FGFM sessions time out when the session between two EMAC VLANs with no VLAN IDs are offloaded.

514239

There are no kernel routing updates when the session is re-initialized at the DSLAM side. DSL creates a default route to 240.0.0.1 after changing any configuration on the DSL interface.

572038

VPN throughput dropped when FEC is enabled.

572847

The wan1, wan2, and dmz interfaces should not be configured as hardware switch members on the 60F series. The wan interface should not be configured as a hardware switch member on the 40F series.

596942

SoC3 platforms may encounter kernel panic in cases when a PKCE IOCTL wait event is interrupted by WAD diagnose CLI commands.

643558

System halts after running execute update-now in FIPS-CC mode.

644616

NP6 does not update session timers for traffic IPsec tunnel if established over one pure EMAC VLAN interface.

651626

A session clash is caused by the same NAT port. It happens when many sessions are created at the same time and they get the same NAT port due to the wrong port seed value.

671116

Lack of null pointer check in NP6XLite driver may lead to kernel panic. Affected models: FG-40F, FG-60F, and FG-101F.

671824

On FG-40F, get NP6XLITE: failed to read lif accounting message on console.

681322

TCP 8008 permitted by authd, even though the service in the policy does not include that port.

682227

DSL creates a default route to 240.0.0.1 after changing any configuration on a DSL interface.

683929

IPv6 health check cannot send probe packets even if the IPv6 gateway is configured under configure members view.

686367

SFP port status is not correct under get system interface transceiver due to incorrect i2c reading/writing. Affected platforms: FG-110xE, FG-220xE, FG-330xE, FG-340xE, FG-360xE, and FG-390xE.

687398

Multiple SFPs and FTLX8574D3BCL in multiple FG-1100E units have been flapping intermittently with various devices.

693344

port1 physical status is down. Affected models: FG-110xE, FG-220xE, FG-330xE, FG-340xE, FG-360xE, and FG-390xE.

696556

Support gtp-enhance-mode (GTP-U) on FG-3815D.

699152

QinQ (802.1ad) support needed on the following models: FG-1100E, FG-1101E, FG-2200E, FG-2201E, FG-3300E, FG-3301E, FG-3600E, and FG-3601E.

702932

FG-1500D reboots suddenly after COMLog reported kernel panic and voipd is tainted.

702966

There was a memory leak in the administrator login debug that caused the getty daemon to be killed.

703131

Split-task VDOM does not update IPS/AV from ha-direct connected internal FortiManager.

703219

Kernel panic on FG-101F due to lack of null pointer check on NP6XLite driver.

704981

LLDP transmission fails if there are nested software switches.

706543

FortiGuard DDNS does not update the IP address when the PPPoE reconnects.

706588

Interoperability issue between FortiGate aggregate interface and Cisco 9K switch.

710477

Unexpected output in get system interface transceiver. Affected models: FG-110xE, FG-220xE, FG-330xE, FG-340xE, FG-360xE, and FG-390xE.

710958

Multiple SFP ports on Nexus 7K go into a suspended state as no LACP PDUs are received.

712258

SFP28 ports on FG-340xE/FG-360xE cannot receive or transmit packets when the speed is set to 1000full. This issue is triggered by warm rebooting the FortiGate/Cisco switch or disconnecting the fiber cable.

713835

The BLE pin hole behavior should not be applied on FG-100F generation 1 that has no BLE built in.

714805

FortiManager shows auto update for down port from FortiGate, but FortiGate event logs do not show any down port events when user shuts down the ha monitor dev.

715234

Packets are dropped for 30 seconds during or after massive configuration commit.

715978

NTurbo does not work with EMAC VLAN interface.

716169, 767848

SFP interface is set as 1000full is down after rebooting.

716341

SFP28 port flapping when the speed is set to 10G.

716483

DNS proxy is case sensitive when resolving FQDN, which may cause DNS failure in cases where local DNS forwarder is configured.

718571

In cases where there are a lot of DHCP relay interfaces (such as 1000) and an interface is added or deleted, DHCP relay takes a long time to release and initialize all interfaces before it works again.

721487

FortiGate often enters conserve mode due to high memory usage by httpsd process.

721789

Account profile settings changed after firmware upgrade.

722547

Fragmented SKB size occurs if the tail room is too small to carry the NTurbo vtag, which causes packets to be dropped.

722781

MAC address flapping on the switch is caused by a connected FortiGate where IPS is enabled in transparent mode.

724065

Power supply 2 DC is lost log only appears when unplugging the power cable from power supply 2.

724779

HPE setting of NTurbo host queue is missing and causes IPS traffic to stop when HPE is enabled.

725264

FG-600E copper speed LED does not work.

726634

NTP daemon is not responding when using the manual setting.

727343

Quarantined IP is not synchronized in FortiController mode.

727829

DNS FQDN was not synchronized amongst all the working blade, so each blade might have different IP from the same FQDN. If policy a uses the FQDN as the address, it will cause the IP address of FQDN to not be in the list for the current blade, so the traffic will not match this FQDN policy.

728647

DHCP discovery dropped on virtual wire pair when UTM is enabled.

729939

Multiple processes crashing at the same time causes the device's management functionality to be unavailable when the packet size is smaller than FSAE_HEADER_SIZE(6).

732633

DNS query timeout log generated for first entry in DNS domain list when multiple domains are added.

732760

SNMP trap packets are sometimes not sent from the primary ha-direct interface to all SNMP managers after upgrading.

738332

Connectivity issue with FortiGuard after upgrading from 7.0.0 to 7.0.1 when ha-direct is enabled.

738640

Add support for FS-TRAN-FX 100 Mbps SFP optical transceivers on the FGR-60F and FGR-60F-3G4G models. Previously, there was no I2C reading/writing handler in drivers for FGR-60F and FGR-60F-3G4G.

740649

FortiGate sends CSR configuration without double quote (") to FortiManager.

741944

The forticron process has a memory leak if there are duplicated entries in the external IP range file.

742471

Parsing FFDB may cause a crash when loading at reboot if the versions of FFDB_APP and FFDB_GEO_ID_FILE are different.

743431

DDNS hostname is not correct when two VDOMs are configured.

744892

DNS query responses can be bumped when dealing with a high volume of visibility hostname log requests.

745017

get system checksum status should only display checksums for VDOMs the current user has permissions for.

747508

Default FortiLink configuration on FG-81F running versions 6.4.6 to 6.4.8 does not work as expected.

747834

Unexpected behavior of SNMP fgLogDeviceCachedCount value for syslog.

748409

Client traffic from VLAN to VXLAN encapsulation traffic is failing after upgrading from 6.2.7 to 6.4.6.

749835

Traffic logs reports ICMP destination as unreachable for received traffic

751523

When changing mode from DHCP to static, the existing DHCP IP is kept so no CLI command is generated and sent to FortiManager.

753602

FG-40F has a newcli signal 11 crash.

754567

FortiGate receives Firmware image without valid RSA signature loaded error when loading the image from FortiCloud.

754951

Static ARP entry was removed while using DHCP relay.

755746

SoC3 platforms failed to boot up when upgrading from 6.2.10 or 6.4.8.

755953

Direct CLI script from FortiManager fails due to additional end at the end of diagnose debug crashlog read.

756139

When split port is enabled on four 10 GB ports, only one LACP port is up, and the other ports do not send/receive the LACP PDU.

756445

Flow-based inspection on WCCP (L2 forwarding) enabled policy with VLAN interfaces causes traffic to drop if asic-offload is enabled.

756713

Packet Loss on the LAG interface (eight ports) in static mode. Affected models: FG-110xE, FG-220xE, and FG-330xE.

756779

NP7 platforms will very sparsely stop forwarding traffic with the root cause at QTM.

758815

Connectivity issue on port26 because NP6 table configuration has an incorrect member list. Affected models: FG-110xE, FG-220xE, and FG-330xE.

759689

When updated related configurations change, the updated configurations may crash.

760259

On SoC4-based FortiGates (FG-40F, FG-60F, FG-80F, FG-100F) the outbound bandwidth in the bandwidth widget does not adhere to the outbandwidth setting.

760661

DDNS interface update status can get stuck if changes to the interface are made rapidly.

761353

Kernel panic occurs on FG-90E after upgrading to 6.4.7.

763185

High CPU usage on platforms with low free memory upon IPS engine initialization.

763739

On FG-200F, the Outbound bandwidth in the Bandwidth widget does not match the outbandwidth setting.

765452

Slow memory leak in IPS engine 6.091, which persists in 6.107.

766661

Outbandwidth setting does not work in NP7 models when UTM/NTurbo is enabled.

767778

Kernel panic occurs when adding and deleting LAG members on FG-1101E.

770317

FG-5001D backplane interfaces did not work in FG-5913C SLBC system.

771442

Discrepancy between session count and number of active sessions; sessions number creeps high, causing high memory utilization.

777044

On a FortiGate only managed by FortiManager, the FDNSetup Authlist has no FortiManager serial number.

778474

dhcpd is not processing discover messages if they contain a 0 length option, such as 80 (rapid commit). The warning, length 0 overflows input buffer, is displayed.

797993

Using outbound traffic shaping and IPS NTurbo together in NP7 platforms causes some traffic to be blocked.

Upgrade

Bug ID

Description

754180

MAC address group is missing in the configuration after upgrading if it has members with other address groups that come behind the current one.

765493

After upgrading to 6.4.7, a web filter profile within flow-based firewall policies appears with a proxy mode feature set.

User & Authentication

Bug ID

Description

556724

LLDP neighbors cannot be seen on virtual switch ports.

682394

FortiGate is unable to verify the CA chain of the FSSO server if the chain is not directly rooted to FSSO endpoint.

691838

Memory leaks and crashes observed during stress long duration performance test when using FortiToken Cloud.

700838

FortiOS does not prompt for token when using RADIUS and two-factor authentication to connect to IPsec IKEv2.

701356

When a GUI administrator certificate, admin-server-cert, is provisioned via SCEP, the FortiGate does not automatically offer the newly updated certificate to HTTPS clients. FortiOS 7.0.0 and later does not have this issue.

709964

Apple devices cannot load the FortiAuthenticator captive portal via the system pop-up only.

711263

diagnose fortitoken-cloud sync fails when user email address is longer than 35 characters.

725327

FSSO user fails to log in with principal user name.

739702, 741403

There are unknown user logins on the FortiGate and the logs do not have any information for the unknown user.

744014

LLDP neighbors cannot be seen on virtual switch ports.

750551

DST_Root_CA_X3 certificate is expired.

751763

When MAC-based authentication is enabled, multiple RADIUS authentication requests may be sent at the same time. This results in duplicate sessions for the same device.

755302

The fnbamd process spikes to 99% or crashes during RADIUS authentication.

757883

FortiGate blocks expired root CA, even if the cross-signed intermediate CA of the root CA is valid.

765136

Dynamic objects are cleared when there is no connection between the FortiGate and FortiManager with NSX-T.

VM

Bug ID

Description

722290

Azure slow path NetVSC SoftNIC has stuck RX.

If using an IPsec tunnel, use UDP/4500 for ESP protocol (instead of IP/50 ) when SR-IOV is enabled. On the phase 1 interface, use set nattraversal forced. UDP/4500 is the fast path for Azure SDN, and IP/50 is the slow path that stresses guest VMs and hypervisors to the extreme.

If using cross-site IPsec data backup, use Azure VNet peering technology to build raw connectivity across the site, rather than using the default IP routing based on the assigned global IP address.

736067

NSX connector stops updating addresses sometimes.

739376

vmwd gives an error when folders are created in the vSphere web interface, and vmwd ignores the IP addresses from vApp.

759300

gcpd has signal 11 crash at gcpd_mime_part_end.

VoIP

Bug ID

Description

757477

PRACK will cause voipd crashes when the following conditions are met: block-unknown is disabled in the SIP profile, the PRACK message contains SDP, and PRACK fails to find any related previous transactions (this is not a usual case).

Web Filter

Bug ID

Description

677234

Unable to block webpages present in the external list when accessing them through the Google Translate URL.

717619

Running a remote CLI script from FortiManager can create a duplicated FortiGuard web filter category.

739349

Web filter local rating configuration check might strip the URL, and the URL filter daemon does not start when utm-status is disabled.

WiFi Controller

Bug ID

Description

720497

MAC authentication bypass is not working for some clients.

727301

Unable to quarantine hosts behind FortiAP and FortiSwitch.

733608

FG-5001D is unable to display managed FortiAPs after upgrading.

734801

Some Apple devices cannot handle 303/307 messages, and may loop to load the external portal page and fail to pass authentication. Some Android devices cannot process JavaScript redirect messages after users submit their username and password.

741946

FortiGate is not recognizing attribute 49, Acct-Terminate-Cause Value (6) Admin Reset, from RFC 2866.

748154

802.1X clients are disconnected following a FortiGuard update.

748479

cw_acd is crashing with signal 11 and is causing APs to disconnect/rejoin.

750425

In RADIUS MAC authentication, the FortiGate NAS-IP-Address will revert to 0.0.0.0 after using the FortiGate address.

776239

cw_acd is crashing with signal 11 (Segmentation fault) received.

Common Vulnerabilities and Exposures

Visit https://fortiguard.com/psirt for more information.

Bug ID

CVE references

752134

FortiOS 6.4.9 is no longer vulnerable to the following CVE Reference:

  • CVE-2021-42757

752450

FortiOS 6.4.9 is no longer vulnerable to the following CVE Reference:

  • CVE-2021-44168
 
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

×
×
  • Create New...