FortiOS 6.4.9 build 1966

SeedTheNet · May 22

Resolved issues

The following issues have been fixed in version 6.4.9. For inquires about a particular bug, please contact Customer Service & Support.

Anti Spam

Bug ID	Description
743693	Anti spam engine crashes when extracting a malformed IP address from Received: headers.

Anti Virus

Bug ID	Description
665173	Crash logs are sometimes truncated/incomplete.

Application Control

Bug ID	Description
752569	Per IP shaper under application list does not work as expected for some applications.

Data Leak Prevention

Bug ID	Description
745369	PDF corruption over HTTP by DLP.

DNS Filter

Bug ID	Description
748227	DNS proxy generated local out rating (FortiGuard category) queries can time out if they are triggered for the same DNS domains with the same source DNS ID.
751759	DNS filter breaks DNS zone transfer because the client socket might close prematurely (in which there is still some data in the user space) if the server side closed the connection.

Endpoint Control

Bug ID	Description
666426	IPsec VPN does not have FCT client IP to send to EMS if using DHCP-over-IPsec.
693010	No FortiClient entry in `diagnose endpoint record list` when the FortiClient is registered on EMS with a WiFi tunnel mode interface.
738614	EMS Cloud does not update the IP for dynamic address on the FortiGate.
743235	Dynamic group EMS tags are not showing up for connected wireless devices.
744613	EMS endpoint IP and MAC addresses are not synchronized to the ZTNA tags on the FortiGate.

Explicit Proxy

Bug ID	Description
607230	Percent encoding is not converted in FTP over HTTP explicit proxy.
638172	Proxy policy matching should support choosing the best internet service name when the IP matches multiple object names.
674996	WAD encounters segmentation crash at `wad_ssl_arm_close`; crash occurred on explicit web proxy.
695468	Unable to load URL when application control or AV are enabled in a proxy policy.
721039	Short disconnections of streaming applications (Teams and Whereby) through explicit proxy.
747840	When configuring authentication schemes to negotiate and NTLM (mix), Firefox may not show the authentication pop-up with an explicit proxy.
754259	When an explicit proxy policy has a category address as destination address, the FortiGate needs to check if the address is a Google Translate URL for extra rating. This will trigger a keyword match. However, if a web filter profile is not set yet, WAD will crash. The fix will delay the keyword match until a web filter profile is present.
757736	HTTPS TLS 1.3 handshake fails with internal error alert.

Firewall

Bug ID	Description
729245	HTTP/1.0 health check should process the whole response when `http-match` is set.
730803	Applying a traffic shaping profile and outbound bandwidth above 200000 blocks the traffic.
738584	Firewall is using the wrong NAT IP address to send out traffic after removing the VIP and its associated policy.
743160	SYN-ACK is dropped when application control with `auto-asic-offload` and NP acceleration are enabled in a firewall policy.
744888	FortiGate drops SERVER HELLO when accessing some TLS 1.3 websites using a flow-based policy with SSL deep inspection.
745853	FortiGate stops sending logs to Netflow traffic because the Netflow session cleanup routine runs for too long when there are many long live sessions in the cache.
746891	Auto-update script sent from FortiOS GUI has a policy ID of zero, which causes FortiManager to be out of synchronization.
754240	After a session updates its shaping policy, if the new shaping policy does not configure a per-IP shaper, the session will still use the old per-IP shaper from the previous shaping policy.

FortiView

Bug ID	Description
741792	Update FortiAnalyzer license REST API to use the FortiAnalyzer's licenses when in analyzer-collector mode.

GUI

Bug ID	Description
608770	When there is no IP/IPv6 address setting for Zone, the GUI incorrectly displays 0.0.0.0/0.0.0.0 for IP/Netmask and ::/0 for IPv6 Address.
610572	Guest user credentials never expire if a guest user logs in via the WiFi portal while an administrator is actively viewing the user's account via the GUI. If the administrator clicks OK in the user edit dialog after the guest user has logged in, the user's current login session is not subject to the configured expiration time.
650327	The values for `set gui-default-policy-columns` does not work for the `srcaddr`, `dstaddr`, and `source` columns.
696573	Firewall policy not visible in the GUI when enabling `internet-service src`.
699508	When an administrator ends a session by closing the browser, the administrator timeout event is not logged until the next time the administrator logs in.
704618	When login banner is enabled, and a user is forced to re-login to the GUI (due to password enforcement or VDOM enablement), users may see a Bad gateway error and HTTPSD crash.
720613	The event log sometimes contains duplicated lines when downloaded from the GUI.
720657	Unable to reuse link local or multicast IPv6 addresses for multiple interfaces from the GUI.
733375	On the VPN > SSL-VPN Settings page, after clicking Apply, `source-address` objects become `source-address6` objects if IPv6 is enabled.
734157	On a downstream FortiGate, going to VDOM FG-traffic > Network > Interfaces takes a long time to load.
740254	Unable to view log details for Oracle.GlassFish.Server.ThemeServlet.Directory.Traversal log when clicking Details in the GUI.
740508	Bandwidth widget shows incorrect traffic on FG-40F.
742561	On the Network > Interfaces page, after upgrading to FortiOS 6.4.7, a previously valid VLAN switch VLAN ID of 0 now displays the error message The minimum value is 2.
745325	When creating a new (public or private) SDN connector, users are unable to specify an Update interval that contains 60, as it will automatically switch to Use Default.
745998	An IPsec phase 1 interface with a name that contains a `/` cannot be deleted from the GUI. The CLI must be used.
750490	Firewall policy changes made in the GUI remove the replacement message group in that policy.

HA

Bug ID	Description
658839	Cloning a policy from the CLI causes the HA cluster to get out of sync.
680753	`admin-restrict-local` feature does not work on management interface in HA cluster.
711521	When HA failover happens, there is a time difference between the old secondary becoming new primary and the new primary's HA ID getting updated. If a session is created in between, the session gets a wrong HA ID, which indicates incorrectly that the session's traffic needs to be handled by new secondary.
714788	Uninterruptible upgrade might be broken in large scale environments.
717788	FGSP has problem at failover when NTurbo or offloading is enabled (IPv4) with virtual wire pair traffic.
725240	HA cluster goes out of sync due to mismatched `vpn.certificate.crl` checksum.
729607	FTP transfers drop in active-active mode in cases where expectation sessions accumulated in the secondary unit reach the maximum number (128).
732201	VDOM restore on an already configured VDOM causes high CPU sometimes on the primary.
740743	When enabling `lag-out-port-select`, both cluster units simultaneously reboot.
740933	HA goes out of synchronization when uploading a local certificate.
744349	Unable to connect to FortiSandbox Cloud through proxy from secondary node in an HA cluster.
744826	API key (token) on the secondary device is not synchronized to the primary when `standalone-config-sync` is enabled.
746008	DNS may not resolve on the correct blade in a 6K/7K virtual cluster environment.
747270	When the HA secondary device relays logs to the primary device, it may encounter high CPU usage.
752892	PPPoE connection gets disconnected during HA failover.
757494	Unable to add a member to an aggregate interface that is down in a HA cluster.

Intrusion Prevention

Bug ID	Description
665755	The global UTM profiles named with a `g-` prefix are shared between all VDOMs and logically do not belong to any VDOM. When they are changed, the ipshelper cannot always refresh its configuration because the ipshelper tries to check each VDOM profile.
682071	IPS signatures not working with VIP in proxy mode.
746467	IPS engine crashes when IPS injects packets to vNP and vNP/DPDK fails to restart (crashes and sometimes is out of service).
751027	FortiGate can only collect up to 128 packets when detected by a signature.
755859	The IPS sessions count is higher than system sessions, which causes the FortiGate to enter conserve mode.

IPsec VPN

Bug ID	Description
668997	Duplicate entry found error shown when assigning multiple dialup IPsec tunnels with the same secondary IP in the GUI.
673049	FortiGate not sending its external interface IP in the IKE negotiation (Google Cloud Platform).
680783	Traffic is dropped in policy-based mode with FEC and NTurbo enabled.
684133	Site-to-site IPsec VPN cannot establish in asymmetric routing scenario where the IPsec VPN bound interface is a loopback interface.
691178	Exchanging IPs does not work with multiple dynamic tunnels.
691718, 728276	Traffic cannot pass through IPsec tunnel after FEC is enabled on server side if NAT is enabled between VPN peers.
696835	An iked kernel panic occurs whenever a large download is initiated over an IPsec dialup tunnel.
701404	Routes are not added or removed as expected when failover occurs with IPsec FGSP HA.
715671	Traffic is failing on dialup VPN IKEv2 with EAP authentication.
717082	FortiGate keeps initiating DHCP SA rekey after lifetime expires.
718617	In an IPsec tunnel XAuth with RADIUS, the RADIUS Accounting Stop packet is missing the Acct-Input-Octets/Acct-Output-Octets attribute.
720689	Kernel crash occurs with FEC enabled on IPsec VPN when corrupted packets are received.
725551	IKE idle timeout timers continue running when the HA state switches to secondary.
726326	IPsec server with NP offloading drops packets with an invalid SPI during rekey.
726450	Local out dialup IPsec traffic does not match policy-based routes.
729760	The ADVPN forwarder does not currently track the shortcut query that it forwards. Shortcut queries and replies are forwarded or terminated solely based on the route lookup.
735412	IKE HA resynchronizes the synchronized connection without an established IKE SA.
735430	TCP SYN-ACKs are silently dropped if the traffic is sourced from a dialup IPsec tunnel and UTM is enabled.
740475	Traffic cannot be sent out through IPsec VPN tunnel because SA is pushed to the wrong NP6 for platforms where NP6 is standalone. Affected models: FG-2000E and FG-2500E.
743732	If a failure happens during negotiating a shortcut IPsec tunnel, the original tunnel NAT-T setting is reset by mistake.
744598	Tunnel interface MTU settings do not work when `net-device` is enabled in phase 1.
745331	IPsec server with NP offloading drops packets with an invalid SPI during rekey.
747123	In an IPsec aggregate tunnel interface where one of the members is down and has an MTU of zero, and the other tunnel is up and has a non-zero MTU, the interface will take the minimum of both MTU values, which is zero. This results in no traffic going in the outbound direction.
752947	The hub sometimes allows the IKEv2 IPsec tunnel with a spoke to be established that uses an expired or revoked certificate.
765868	The packets did not pass through QTM, and SYN packets bypass the IPsec tunnel once traffic is offloaded. Affected platforms: NP7 models.

Log & Report

Bug ID	Description
712037	FortiAnalyzer OFTP connection is re-initialized every 30 seconds when the FortiGate connects to an unauthorized FortiAnalyzer.
715549	On the Log & Report > SSL page, the Service for SSL logs is displayed as FTPS instead of SSL.
718140	Logs are missing on FortiGate Cloud from a certain point.
724827	Syslogd is using the wrong source IP when configured with `interface-select-method auto`.
731154	SSL VPN tunnel down event log (log ID 39948) is missing.
745310	Need to add the MIGSOCK send handler to flush the queue when the first item is added to the syslog queue to avoid logs getting stuck.
745689	Unknown interface is shown in flow-based UTM logs.
749842	The miglogd process uses high CPU when handling a web rating error log that is reported with an invalid VDOM ID.
751358	Unable to set source IP for FortiCloud unless FortiCloud is already activated.
754143	Add `srcreputation` and `dstreputation` fields in the forward traffic logs to provide the reputation level of the source and destination when the traffic matches an entry in the internet service database.

Proxy

Bug ID	Description
568905	WAD crashes due to RCX having a null value.
582464	WAD SSL crash due to wrong cipher options chosen.
712584	WAD memory leak causes device to go into conserve mode.
726999	WAD crash on `wad_hash_map_del`.
728641	SSL renegotiation fails when Firefox offers TLS 1.3, but the server decides to use TLS 1.2.
733135	Web filter is blocking websites in proxy mode due to SSL certificate validation failure, which is caused by an unreachable OCSP server.
733760	Proxy inspection firewall policy with proxy AV blocks POP3 traffic of the Windows 10 built-in Mail app.
737737	WAD crashes when firewall FQDN address is null.
739627	`diagnose wad stats policy list` does not show statistics correctly when enabling certificate inspection and HTTP policy redirect.
743746	WAD encounters signal 11 crash when adding user information.
744756	Web proxy forward server group could not recover sometimes if the FQDN is not resolved.
747250	When a timeout happens while forticron is downloading a file, the original downloaded file is not be deleted, so the next successful download has extra data in front.
752744	Proxy-based certificate with deep inspection fails upon receipt of a large handshake message.
754969	Explicit FTP proxy chooses random destination port when the FTP client initiates an FTP session without using the default port.
756394	WAD crashes due to memory corruption.
756603	WAD memory spike when downloading files larger than 4 GB.
756616	High CPU usage in proxy-based policy with deep inspection and IPS sensor.
756887	WAD crashes if the certificate authentication request context is not closed in the following scenarios: when fnbamd returns a failure certificate authentication result or no response; and when the CA certificate is updated and the certificate cache is flushed.
758086	HTTPS traffic gets SSL error when deep inspection and an AV of file filter profile are enabled.
764193	The three-way handshake packet that was marked as `TCP port number reused` cannot pass through the FortiGate, and the FortiGate replies with a `FIN, ACK` to the client.

REST API

Bug ID	Description
743169	Update various REST API endpoints to prevent information in other VDOMs from being leaked.
743743	httpsd crashes due to `GET /api/v2/log/.../virus/archive` request when the `mkey` is not provided.
768056	HTTPS daemon is not responsive when successive API calls are made to create an interface.

Routing

Bug ID	Description
670031	LDAP traffic that originates from the FortiGate is not following SD-WAN rule.
693988	For DSL interface, adding static route with `set dynamic-gateway enable` does not add route to routing table.
707143	Suggest adding an option for NetFlow to use SD-WAN.
723726	TCP session drops between virtual wire pair with `auto-asic-offload` enabled in policy.
724574, 731248	BFD neighborship is lost between hub and spoke. One side shows BFD as down, and other side does not show the neighbor in the list.
724887	`set interface-select-method` takes a long time to take effect for DNS local out traffic when the source IP is specified.
725322	Improve the help text for `distance` to indicate that 255 means unreachable.
727812	ADVPN does not work with RIP as the routing protocol when `net-device` is enabled.
729002	PIM/PIM6 does not send out unicast packet with the correct source IP if interface is not specified.
731941	`Disconnected from FortiAnalyzer` events reported when the `interface-select-method` is set to `specify`, and the `interface port_<x>` is set to an interface that does not have the highest priority in the SD-WAN interface selection.
736705	ZEBOS launcher is unable to start and crashes constantly if `aspath` has more than 80 characters in the `config router router-map > set-aspath` setting.
737898	OSPFv3 cannot install IPv6 ECMP routes when both ABR next hops are in the same subnet.
746000	Multicast streams sourced on SSL VPN client are not registered in PIM-SM.
748733	Remote IP route shows `incomplete inactive` in the routing table, which causes issues with BGP routes where the peer is the next hop.
769321	After ADVPN HA failover, BGP is not established, and tunnels are up but not passing traffic between the hub and spokes.

Security Fabric

Bug ID	Description
635183	ACI dynamic address cannot be retrieved in HA vcluster2 from SDN connector.
670451	ACI SDN connector (connected by `aci-direct`) shows `curl` error 7 when updating from second VDOM.
735717	vmwd gives an error when folders are created in the vSphere web interface, and vmwd ignores the IP addresses from vApp.
738344	When CSF root synchronizes a large automation setting (over 16000) to the downstream FortiGate, csfd crashes while trying to process the relay message.
741346	The variable `%%date%%` resolves into `1900-01-00` instead of actual date when the schedule trigger type is used.
742743	Security rating Issue with unused deny policies.
745263	AV & IPS DB Update automation trigger is not working when clicking Update Licenses & Definitions Now in the GUI.
746950	When an Azure network interface ID contains upper case letters, the Azure SDN connector may not retrieve that network interface.

SSL VPN

Bug ID	Description
586035	The policy `script-src 'self'` will block the SSL VPN proxy URL.
673320	Pop-up window does not load correctly when accessing internal application at https://re*.wo*.nl using SSL VPN web mode.
676391	`set banned-cipher` command does not work for TLS 1.3.
676673	Ciphers with ARIA, AESCCM, and CHACHA cannot be banned for SSL VPN.
677057	SSL VPN firewall policy creation via CLI does not require setting user identity.
693237	DCE/RPC sessions are randomly dropped (`no session matched`).
693519	SSL VPN authentication fails for PKI user with LDAP.
695386	SAML login failure when a user belongs to multiple groups associated with multiple VPN realms.
706646	SolarWinds Orion NPM platform's web application has issues in SSL VPN web mode.
707792	SSL VPN connection breaks when deleting irrelevant CA and PKI is involved.
711974	SSL VPN bookmarks are not working correctly with multiple SD-WAN zones.
718133	In some conditions, the web mode JavaScript parser will encounter an infinite loop that will cause SSL VPN crashes.
718142	The map integrated in the public site is not visible when using SSL VPN web mode.
726338	The wildcard matching method does not always work as expected because the kernel sometimes does not have the address yet.
726576	Internal webpage with JavaScript is not loading in SSL VPN web mode.
729426	The wildcard FQDN does not always work reliably in cases where the kernel does not have the address yet.
731278	Customer internal website (ac*.sa*.com) does not load properly when connecting via SSL VPN web mode.
737154	Slow RDP response when using SSL VPN web mode access.
737341	Some links and buttons are not working properly when accessing them through SSL VPN web mode.
737894	If there are no users or groups in an SSL VPN policy, the SSL VPN daemon may crash when an FQDN is a destination address in the firewall policy.
738711	FortiClient error message is not pertinent when the client does not meet host checking requirements.
744494	Memory occupied by the SSLVPN daemon increase significantly while the process is busy.
744899	SSL VPN RDP bookmark is not working when using Chrome 93 32-bit. Firefox 64-bit and Chrome 64-bit are still not supported on Windows 32-bit.
745499	In cases where a user is establishing two tunnel connections, there is a chance that the second session knocks out the first session before it is updated, which causes a session leak.
746990	RADIUS accounting messages after SSL VPN do not include the Class attribute (Group name).
747352	Internal web server page, https://te*.ss*.es:10443, is not loading properly in SSL VPN web mode.
748085	Authentication request of SSL VPN realm can now only be sent to user group, local user, and remote group that is mapped to that realm in the SSL VPN settings. The authentication request will not be applied to the user group and remote group of non-realm or other realms.
748667	Remove the maximum check for resolution of RDP/VNC in web portal.
749452	SSL VPN login authentication times out if primary RADIUS server becomes unavailable.
749918	Keyboard keys do not work with RDP bookmarks when PT-BR and PT-BR-ABNT2 layouts are chosen.
752055	VNC (protocol version 3.6/3.3) connection is not working in SSL VPN web mode.
755296	SSL VPN web mode has issues accessing https://e*.or*.kr.
756561	Outdated OS support for host check should be removed.
764853	SSL VPN bookmark of VNC is not using ZRLE compression and consumes more bandwidth to end clients.
767818	SSL VPN bookmark issues with internal website.
768994	SSL VPN crashed when closing web mode RDP after upgrading to 6.4.7.

Switch Controller

Bug ID	Description
740661	FortiGate loses FortiSwitch management access due to excessive configuration pushes.

System

Bug ID	Description
488400	FGFM sessions time out when the session between two EMAC VLANs with no VLAN IDs are offloaded.
514239	There are no kernel routing updates when the session is re-initialized at the DSLAM side. DSL creates a default route to 240.0.0.1 after changing any configuration on the DSL interface.
572038	VPN throughput dropped when FEC is enabled.
572847	The wan1, wan2, and dmz interfaces should not be configured as hardware switch members on the 60F series. The wan interface should not be configured as a hardware switch member on the 40F series.
596942	SoC3 platforms may encounter kernel panic in cases when a PKCE IOCTL wait event is interrupted by WAD diagnose CLI commands.
643558	System halts after running `execute update-now` in FIPS-CC mode.
644616	NP6 does not update session timers for traffic IPsec tunnel if established over one pure EMAC VLAN interface.
651626	A session clash is caused by the same NAT port. It happens when many sessions are created at the same time and they get the same NAT port due to the wrong port seed value.
671116	Lack of null pointer check in NP6XLite driver may lead to kernel panic. Affected models: FG-40F, FG-60F, and FG-101F.
671824	On FG-40F, get `NP6XLITE: failed to read lif accounting` message on console.
681322	TCP 8008 permitted by authd, even though the service in the policy does not include that port.
682227	DSL creates a default route to 240.0.0.1 after changing any configuration on a DSL interface.
683929	IPv6 health check cannot send probe packets even if the IPv6 gateway is configured under `configure members` view.
686367	SFP port status is not correct under `get system interface transceiver` due to incorrect i2c reading/writing. Affected platforms: FG-110xE, FG-220xE, FG-330xE, FG-340xE, FG-360xE, and FG-390xE.
687398	Multiple SFPs and FTLX8574D3BCL in multiple FG-1100E units have been flapping intermittently with various devices.
693344	port1 physical status is down. Affected models: FG-110xE, FG-220xE, FG-330xE, FG-340xE, FG-360xE, and FG-390xE.
696556	Support `gtp-enhance-mode` (GTP-U) on FG-3815D.
699152	QinQ (802.1ad) support needed on the following models: FG-1100E, FG-1101E, FG-2200E, FG-2201E, FG-3300E, FG-3301E, FG-3600E, and FG-3601E.
702932	FG-1500D reboots suddenly after COMLog reported kernel panic and voipd is tainted.
702966	There was a memory leak in the administrator login debug that caused the getty daemon to be killed.
703131	Split-task VDOM does not update IPS/AV from ha-direct connected internal FortiManager.
703219	Kernel panic on FG-101F due to lack of null pointer check on NP6XLite driver.
704981	LLDP transmission fails if there are nested software switches.
706543	FortiGuard DDNS does not update the IP address when the PPPoE reconnects.
706588	Interoperability issue between FortiGate aggregate interface and Cisco 9K switch.
710477	Unexpected output in `get system interface transceiver`. Affected models: FG-110xE, FG-220xE, FG-330xE, FG-340xE, FG-360xE, and FG-390xE.
710958	Multiple SFP ports on Nexus 7K go into a suspended state as no LACP PDUs are received.
712258	SFP28 ports on FG-340xE/FG-360xE cannot receive or transmit packets when the speed is set to 1000full. This issue is triggered by warm rebooting the FortiGate/Cisco switch or disconnecting the fiber cable.
713835	The BLE pin hole behavior should not be applied on FG-100F generation 1 that has no BLE built in.
714805	FortiManager shows auto update for down port from FortiGate, but FortiGate event logs do not show any down port events when user shuts down the `ha monitor dev`.
715234	Packets are dropped for 30 seconds during or after massive configuration commit.
715978	NTurbo does not work with EMAC VLAN interface.
716169, 767848	SFP interface is set as `1000full` is down after rebooting.
716341	SFP28 port flapping when the speed is set to 10G.
716483	DNS proxy is case sensitive when resolving FQDN, which may cause DNS failure in cases where local DNS forwarder is configured.
718571	In cases where there are a lot of DHCP relay interfaces (such as 1000) and an interface is added or deleted, DHCP relay takes a long time to release and initialize all interfaces before it works again.
721487	FortiGate often enters conserve mode due to high memory usage by httpsd process.
721789	Account profile settings changed after firmware upgrade.
722547	Fragmented SKB size occurs if the tail room is too small to carry the NTurbo `vtag`, which causes packets to be dropped.
722781	MAC address flapping on the switch is caused by a connected FortiGate where IPS is enabled in transparent mode.
724065	`Power supply 2 DC is lost` log only appears when unplugging the power cable from power supply 2.
724779	HPE setting of NTurbo host queue is missing and causes IPS traffic to stop when HPE is enabled.
725264	FG-600E copper speed LED does not work.
726634	NTP daemon is not responding when using the manual setting.
727343	Quarantined IP is not synchronized in FortiController mode.
727829	DNS FQDN was not synchronized amongst all the working blade, so each blade might have different IP from the same FQDN. If policy a uses the FQDN as the address, it will cause the IP address of FQDN to not be in the list for the current blade, so the traffic will not match this FQDN policy.
728647	DHCP discovery dropped on virtual wire pair when UTM is enabled.
729939	Multiple processes crashing at the same time causes the device's management functionality to be unavailable when the packet size is smaller than `FSAE_HEADER_SIZE(6)`.
732633	DNS query timeout log generated for first entry in DNS domain list when multiple domains are added.
732760	SNMP trap packets are sometimes not sent from the primary `ha-direct` interface to all SNMP managers after upgrading.
738332	Connectivity issue with FortiGuard after upgrading from 7.0.0 to 7.0.1 when `ha-direct` is enabled.
738640	Add support for FS-TRAN-FX 100 Mbps SFP optical transceivers on the FGR-60F and FGR-60F-3G4G models. Previously, there was no I2C reading/writing handler in drivers for FGR-60F and FGR-60F-3G4G.
740649	FortiGate sends CSR configuration without double quote (`"`) to FortiManager.
741944	The forticron process has a memory leak if there are duplicated entries in the external IP range file.
742471	Parsing FFDB may cause a crash when loading at reboot if the versions of FFDB_APP and FFDB_GEO_ID_FILE are different.
743431	DDNS hostname is not correct when two VDOMs are configured.
744892	DNS query responses can be bumped when dealing with a high volume of visibility hostname log requests.
745017	`get system checksum status` should only display checksums for VDOMs the current user has permissions for.
747508	Default FortiLink configuration on FG-81F running versions 6.4.6 to 6.4.8 does not work as expected.
747834	Unexpected behavior of SNMP fgLogDeviceCachedCount value for syslog.
748409	Client traffic from VLAN to VXLAN encapsulation traffic is failing after upgrading from 6.2.7 to 6.4.6.
749835	Traffic logs reports ICMP destination as unreachable for received traffic
751523	When changing mode from DHCP to static, the existing DHCP IP is kept so no CLI command is generated and sent to FortiManager.
753602	FG-40F has a newcli signal 11 crash.
754567	FortiGate receives `Firmware image without valid RSA signature loaded` error when loading the image from FortiCloud.
754951	Static ARP entry was removed while using DHCP relay.
755746	SoC3 platforms failed to boot up when upgrading from 6.2.10 or 6.4.8.
755953	Direct CLI script from FortiManager fails due to additional `end` at the end of `diagnose debug crashlog read`.
756139	When split port is enabled on four 10 GB ports, only one LACP port is up, and the other ports do not send/receive the LACP PDU.
756445	Flow-based inspection on WCCP (L2 forwarding) enabled policy with VLAN interfaces causes traffic to drop if `asic-offload` is enabled.
756713	Packet Loss on the LAG interface (eight ports) in static mode. Affected models: FG-110xE, FG-220xE, and FG-330xE.
756779	NP7 platforms will very sparsely stop forwarding traffic with the root cause at QTM.
758815	Connectivity issue on port26 because NP6 table configuration has an incorrect member list. Affected models: FG-110xE, FG-220xE, and FG-330xE.
759689	When updated related configurations change, the updated configurations may crash.
760259	On SoC4-based FortiGates (FG-40F, FG-60F, FG-80F, FG-100F) the outbound bandwidth in the bandwidth widget does not adhere to the `outbandwidth` setting.
760661	DDNS interface update status can get stuck if changes to the interface are made rapidly.
761353	Kernel panic occurs on FG-90E after upgrading to 6.4.7.
763185	High CPU usage on platforms with low free memory upon IPS engine initialization.
763739	On FG-200F, the Outbound bandwidth in the Bandwidth widget does not match the outbandwidth setting.
765452	Slow memory leak in IPS engine 6.091, which persists in 6.107.
766661	Outbandwidth setting does not work in NP7 models when UTM/NTurbo is enabled.
767778	Kernel panic occurs when adding and deleting LAG members on FG-1101E.
770317	FG-5001D backplane interfaces did not work in FG-5913C SLBC system.
771442	Discrepancy between session count and number of active sessions; sessions number creeps high, causing high memory utilization.
777044	On a FortiGate only managed by FortiManager, the FDNSetup Authlist has no FortiManager serial number.
778474	dhcpd is not processing discover messages if they contain a 0 length option, such as 80 (rapid commit). The warning, `length 0 overflows input buffer`, is displayed.
797993	Using outbound traffic shaping and IPS NTurbo together in NP7 platforms causes some traffic to be blocked.

Upgrade

Bug ID	Description
754180	MAC address group is missing in the configuration after upgrading if it has members with other address groups that come behind the current one.
765493	After upgrading to 6.4.7, a web filter profile within flow-based firewall policies appears with a proxy mode feature set.

User & Authentication

Bug ID	Description
556724	LLDP neighbors cannot be seen on virtual switch ports.
682394	FortiGate is unable to verify the CA chain of the FSSO server if the chain is not directly rooted to FSSO endpoint.
691838	Memory leaks and crashes observed during stress long duration performance test when using FortiToken Cloud.
700838	FortiOS does not prompt for token when using RADIUS and two-factor authentication to connect to IPsec IKEv2.
701356	When a GUI administrator certificate, `admin-server-cert`, is provisioned via SCEP, the FortiGate does not automatically offer the newly updated certificate to HTTPS clients. FortiOS 7.0.0 and later does not have this issue.
709964	Apple devices cannot load the FortiAuthenticator captive portal via the system pop-up only.
711263	`diagnose fortitoken-cloud sync` fails when user email address is longer than 35 characters.
725327	FSSO user fails to log in with principal user name.
739702, 741403	There are unknown user logins on the FortiGate and the logs do not have any information for the unknown user.
744014	LLDP neighbors cannot be seen on virtual switch ports.
750551	DST_Root_CA_X3 certificate is expired.
751763	When MAC-based authentication is enabled, multiple RADIUS authentication requests may be sent at the same time. This results in duplicate sessions for the same device.
755302	The fnbamd process spikes to 99% or crashes during RADIUS authentication.
757883	FortiGate blocks expired root CA, even if the cross-signed intermediate CA of the root CA is valid.
765136	Dynamic objects are cleared when there is no connection between the FortiGate and FortiManager with NSX-T.

VM

Bug ID	Description
722290	Azure slow path NetVSC SoftNIC has stuck RX. If using an IPsec tunnel, use UDP/4500 for ESP protocol (instead of IP/50 ) when SR-IOV is enabled. On the phase 1 interface, use `set nattraversal forced`. UDP/4500 is the fast path for Azure SDN, and IP/50 is the slow path that stresses guest VMs and hypervisors to the extreme. If using cross-site IPsec data backup, use Azure VNet peering technology to build raw connectivity across the site, rather than using the default IP routing based on the assigned global IP address.
736067	NSX connector stops updating addresses sometimes.
739376	vmwd gives an error when folders are created in the vSphere web interface, and vmwd ignores the IP addresses from vApp.
759300	gcpd has signal 11 crash at `gcpd_mime_part_end`.

VoIP

Bug ID	Description
757477	PRACK will cause voipd crashes when the following conditions are met: `block-unknown` is disabled in the SIP profile, the PRACK message contains SDP, and PRACK fails to find any related previous transactions (this is not a usual case).

Web Filter

Bug ID	Description
677234	Unable to block webpages present in the external list when accessing them through the Google Translate URL.
717619	Running a remote CLI script from FortiManager can create a duplicated FortiGuard web filter category.
739349	Web filter local rating configuration check might strip the URL, and the URL filter daemon does not start when `utm-status` is disabled.

WiFi Controller

Bug ID	Description
720497	MAC authentication bypass is not working for some clients.
727301	Unable to quarantine hosts behind FortiAP and FortiSwitch.
733608	FG-5001D is unable to display managed FortiAPs after upgrading.
734801	Some Apple devices cannot handle 303/307 messages, and may loop to load the external portal page and fail to pass authentication. Some Android devices cannot process JavaScript redirect messages after users submit their username and password.
741946	FortiGate is not recognizing attribute 49, Acct-Terminate-Cause Value (6) Admin Reset, from RFC 2866.
748154	802.1X clients are disconnected following a FortiGuard update.
748479	cw_acd is crashing with signal 11 and is causing APs to disconnect/rejoin.
750425	In RADIUS MAC authentication, the FortiGate NAS-IP-Address will revert to `0.0.0.0` after using the FortiGate address.
776239	cw_acd is crashing with `signal 11 (Segmentation fault) received`.

Common Vulnerabilities and Exposures

Visit https://fortiguard.com/psirt for more information.

Bug ID

CVE references

752134

FortiOS 6.4.9 is no longer vulnerable to the following CVE Reference:

CVE-2021-42757

752450