FortiOS 7.4.0 Release Notes
FortiOS 7.4.0
FORTINET DOCUMENT LIBRARY
https://docs.fortinet.com
FORTINET BLOG
https://blog.fortinet.com
FORTIGUARD CENTER
https://www.fortiguard.com
FEEDBACK
Email: techdoc@fortinet.com
Change Log 6
Introduction and supported models 7
Supported models 7
FortiGate 6000 and 7000 support 7
Special notices 8
Hyperscale incompatibilities and limitations 8
FortiGate 6000 and 7000 incompatibilities and limitations 8
Remove OCVPN support 8
Remove WTP profiles for older FortiAP models 8
IP pools and blackhole route configuration 9
Remove support for SHA-1 certificate used for web management interface (GUI) 9
Changes in GUI behavior 10
Changes in default behavior 11
Changes in table size 12
New features or enhancements 13
Cloud 13
GUI 13
Hyperscale 14
LAN Edge 14
Log & Report 18
Network 18
Operational Technology 21
Policy & Objects 21
SD-WAN 23
Security Fabric 25
Security Profiles 26
System 27
User & Authentication 28
VPN 29
ZTNA 31
Upgrade information 32
Fortinet Security Fabric upgrade 32
Downgrading to previous firmware versions 33
Firmware image checksums 34
FortiGate 6000 and 7000 upgrade information 34
IPS-based and voipd-based VoIP profiles 35
Product integration and support 37
Virtualization environments 38
Language support 38
SSL VPN support 39
Change Log

2023-05-15 Updated Resolved issues on page 40 and Known issues on page 66.
2023-05-16 Updated Fortinet Security Fabric upgrade on page 32, Product integration and support on page 37, SSL VPN support on page 39, Resolved issues on page 40, and Known issues on page 66.
2023-05-23 Updated Resolved issues on page 40 and Known issues on page 66.
2023-05-29 Updated New features or enhancements on page 13, Resolved issues on page 40, and Known issues on page 66.
2023-06-05 Updated Changes in table size on page 12, New features or enhancements on page 13, Resolved issues on page 40, and Known issues on page 66.
2023-06-19 Updated Resolved issues on page 40 and Known issues on page 66.
2023-06-26 Updated Resolved issues on page 40 and Known issues on page 66.
Introduction and supported models

This guide provides release information for FortiOS 7.4.0 build 2360.
For FortiOS documentation, see the Fortinet Document Library.
Supported models

FortiGate 6000 and 7000 support

FortiOS 7.4.0 supports the following FG-6000F, FG-7000E, and FG-7000F models:
Special notices

Hyperscale incompatibilities and limitations

See Hyperscale firewall incompatibilities and limitations in the Hyperscale Firewall Guide for a list of limitations and incompatibilities with FortiOS 7.4.0 features.

FortiGate 6000 and 7000 incompatibilities and limitations

See the following links for information about FortiGate 6000 and 7000 limitations and incompatibilities with FortiOS 7.4.0 features.
- FortiGate 6000 incompatibilities and limitations
- FortiGate 7000E incompatibilities and limitations
- FortiGate 7000F incompatibilities and limitations
Remove OCVPN support

The IPsec-based OCVPN service has been discontinued and licenses for it can no longer be purchased as of FortiOS 7.4.0. GUI, CLI, and license verification support for OCVPN has been removed from FortiOS. Upon upgrade, all IPsec phase 1 and phase 2 configurations, firewall policies, and routing configuration previously generated by the OCVPN service will remain. Alternative solutions for OCVPN are the Fabric Overlay Orchestrator in FortiOS 7.2.4 and later, and the SD-WAN overlay templates in FortiManager 7.2.0 and later.
Remove WTP profiles for older FortiAP models

Support for WTP profiles has been removed for FortiAP B, C, and D series models, and FortiAP-S models in FortiOS 7.4.0 and later. These models can no longer be managed or configured by the FortiGate wireless controller. When one of these models tries to discover the FortiGate, the FortiGate's event log includes a message that the FortiAP cannot be managed by the FortiGate's wireless controller because it is not supported.
IP pools and blackhole route configuration

Starting in FortiOS 6.4.9, 7.0.1, 7.2.0, and 7.4.0, all IP addresses used as IP pools and VIPs are no longer considered local IP addresses if responding to ARP requests on these external IP addresses is enabled (set arp-reply enable by default). In this case, the FortiGate is not considered a destination for those IP addresses and cannot receive reply traffic at the application layer without special handling.
- This behavior affects FortiOS features in the application layer that use an IP pool as their source IP pool, including SSL VPN web mode and explicit web proxy.
- When a blackhole route is configured in the routing table and matches the IP pool reply traffic, the FortiGate will not receive reply traffic at the application layer and the corresponding FortiOS feature will not work as desired.
- Configuring an IP pool as the source NAT IP address in a regular firewall policy works as before.
See IP pools and blackhole route configuration in the FortiOS Administration Guide for more information.
Remove support for SHA-1 certificate used for web management interface (GUI)

Starting in FortiOS 7.4.0, users should use the built-in Fortinet_GUI_Server certificate or SHA-256 and higher certificates for the web management interface. For example:
    config system global
        set admin-server-cert Fortinet_GUI_Server
    end
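A pre-upgrade check for this notice, added here as an example and not part of Fortinet's release notes: the script reports which hash signed a certificate exported from the FortiGate (PEM or DER), so a custom admin-server-cert that is still SHA-1 signed can be replaced before moving to 7.4.0. The signature OID table and the build_sample_cert fixture are assumptions of the example; the fixture is certificate-shaped DER, not a real certificate.

```python
"""Screen a FortiGate admin-server-cert for a SHA-1 signature before upgrading.

Standard library only: a minimal DER walker reads the outer signatureAlgorithm of
  Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
and maps its OID to the hash used. Added example, not Fortinet code.
"""
import base64
import re

# Signature algorithm OIDs (assumed from RFC 3279, RFC 4055 and RFC 5758).
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "SHA-1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "SHA-256"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "SHA-384"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "SHA-512"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "SHA-1"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "SHA-256"),
    "1.2.840.10045.4.3.3": ("ecdsa-with-SHA384", "SHA-384"),
    "1.2.840.10045.4.3.4": ("ecdsa-with-SHA512", "SHA-512"),
}
ACCEPTED_HASHES = ("SHA-256", "SHA-384", "SHA-512")  # "SHA-256 and higher"


def _read_tlv(buf, pos):
    """Parse one DER TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """Decode DER OBJECT IDENTIFIER content bytes into dotted notation."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                   # last byte of this base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def pem_to_der(data):
    """Accept PEM or DER bytes and return the raw DER certificate."""
    if data.lstrip().startswith(b"-----BEGIN"):
        return base64.b64decode(re.sub(rb"-----[^-]+-----|\s", b"", data))
    return data


def signature_hash(cert_bytes):
    """Return (oid, algorithm name, hash name) of the certificate's signature."""
    tag, cert, _ = _read_tlv(pem_to_der(cert_bytes), 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = _read_tlv(cert, 0)          # skip tbsCertificate
    _, alg_id, _ = _read_tlv(cert, pos)     # signatureAlgorithm
    tag, oid_raw, _ = _read_tlv(alg_id, 0)  # its first element is the OID
    if tag != 0x06:
        raise ValueError("expected OID in AlgorithmIdentifier")
    oid = _decode_oid(oid_raw)
    name, hash_name = SIGNATURE_OIDS.get(oid, ("unknown", "unknown"))
    return oid, name, hash_name


def admin_cert_ok_for_740(cert_bytes):
    """True only if the certificate is signed with SHA-256 or stronger."""
    return signature_hash(cert_bytes)[2] in ACCEPTED_HASHES


# --- constructed fixture (hypothetical; not a real, verifiable certificate) ---
def _tlv(tag, value):
    """Encode one DER TLV, using the long length form when needed."""
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _encode_oid(dotted):
    """Encode dotted OID notation into DER content bytes."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a > 0x7F:
            a >>= 7
            chunk.insert(0, 0x80 | (a & 0x7F))
        out.extend(chunk)
    return bytes(out)


def build_sample_cert(oid, pem=False):
    """Certificate-shaped DER carrying the given signature OID, with placeholder
    tbsCertificate and signature bytes: just enough structure for signature_hash()."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))                  # placeholder tbsCertificate
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(oid)) + _tlv(0x05, b""))
    sig = _tlv(0x03, b"\x00" * 257)                        # placeholder BIT STRING
    der = _tlv(0x30, tbs + alg + sig)
    if not pem:
        return der
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der) + b"-----END CERTIFICATE-----\n"
```

Run it against the PEM of the certificate currently named in admin-server-cert; the built-in Fortinet_GUI_Server certificate needs no check.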
Changes in GUI behavior

Bug ID Description

In this enhancement, there are now two ways to configure the ZTNA rule in the GUI.
1. Full ZTNA policy: under System > Feature Visibility, enable Explicit Proxy. Under Policy & Objects > Proxy Policy, create a policy with the ZTNA type.
2. Simple ZTNA policy: a regular Firewall Policy is used for policy management. When creating a new Firewall Policy, configure a ZTNA policy with ZTNA mode.
As a result, the Policy & Objects > ZTNA > ZTNA rules tab has been removed. Existing ZTNA rules now appear in Policy & Objects > Proxy Policy after upgrade.

- Add shortcut to create automation rule from the Log & Report > System Events page.

811852 Combine the Device Inventory widget and Asset Identity Center to create a more streamlined appearance and conserve resources. The Asset Identity Center offers a unified view of asset information, consolidates data from various sources, and can handle significantly larger sets of data.

860252 The Network > Diagnostics page now supports launching multiple packet captures at a time. The packet capture dialog is dockable, can be minimized, and run in the background. The minimized dialog aligns with other CLI terminals that are minimized.

A new command palette feature is available for quickly changing between pages and actions using keyboard shortcuts. Activate the command palette menu by pressing ctrl+p (or cmd+p for Mac) and enter the destination page to jump to. Press Enter to jump to the page. Similarly, activate the command palette menu for specific actions by pressing ctrl+shift+p (or cmd+shift+p for Mac) and enter the action to take. Press Enter to run the action.

863212 Redesign all dashboard widgets and FortiView pages with a modern look, new graphs, and faster performance. Administrators can:
- Search for dashboard widgets and FortiView pages using the global search function. They can

The performance of the managed FortiAP and WiFi client widgets has been improved.
798427 The following enhancements have been added to the FortiSandbox Files FortiView monitor:
- Add a pie chart with different file statuses for disk data sources.
- Add the Reports view, which lists PDF reports after they are downloaded successfully.
- PDF reports are downloaded on-demand. By default, only 10 are kept in memory.
Changes in default behavior

841712 On FortiGates licensed for hyperscale firewall features, the config system setting options nat46-force-ipv4-packet-forwarding and nat64-force-ipv6-packet-forwarding now also apply to NP7-offloaded traffic. The config system npu option nat46-force-ipv4-packet-forwarding has been removed.

864035 When the auto-firmware-upgrade setting is enabled, the FortiGate checks for updates every day within the configured firmware upgrade time interval. When a newer firmware is found, the installation is scheduled after the upgrade delay in days (0-14, default = 3), within the firmware upgrade time interval. After a successful update, an email is sent to the account owner.
    config system fortiguard
        set auto-firmware-upgrade {enable | disable}
        set auto-firmware-upgrade-delay <integer>
    end

883727 For FortiGates with NP7 processors, the policy-offload-level option of the config system npu command has been removed. The policy offload level is only set using the policy-offload-level option of the config system settings command, allowing you to configure the policy offload level separately for each VDOM. By default, policy-offload-level is set to disable. You can change the policy-offload-level to dos-offload. If your FortiGate is configured for hyperscale firewall features, you can set the policy-offload-level to full-offload in a hyperscale firewall VDOM.
Changes in table size

Bug ID Description

858877 Increase the number of supported dynamic FSSO IP addresses from 100 to 3000 per dynamic FSSO group. The dynamic FSSO type addresses can be pointed to FortiManager's Universal Connector, which imports the addresses from Cisco ACI or Guardicore Centra.

883103 Increase firewall.address from 40,000 to 50,000 for FG-1000D, FG-1100E, and FG-1101E. Increase firewall.address from 65,000 to 100,000 for FG-1200D, FG-1500D, FG-1800F, FG-1801F, FG-2000E, FG-2200E, FG-2201E, and FG-2500E. Increase firewall.address from 65,000 to 150,000 for FG-2600F and FG-2601F.
New features or enhancements

Cloud

See Public and private cloud in the New Features Guide for more information.

Feature ID Description

855561 Use API endpoint domain name from instance metadata to support FortiOS VM OCI DRCC region.

860965 Support the AWS T4g instance family with the FG-ARM64-AWS firmware image. Support the AWS C6a and C6in instance families with the FG-VM64-AWS firmware image.

868592 Support Saudi Cloud Computing Company (SCCC) and alibabacloud.sa domain (a standalone cloud backed by AliCloud).

881186 Support deploying VMware FortiGate VMs directly as a Zero Trust Application Gateway using the OVF template (.vapp). ZTNA related parameters such as EMS server, external and internal interface IPs, and application server mapping can be configured during OVF deployment. ZTNA policies, authentication schemes, rules, and user groups are also bootstrapped.

881898 Support the new AWS C7gn instance family with the FG-ARM64-AWS firmware image.

894654 Support UEFI Preferred boot mode on AWS FortiGate VM models with instance types that support --boot-mode uefi-preferred.
GUI

Feature ID Description

745172 The information pane, which is located in the right-side gutter of many GUI pages, is enhanced to display the top three contextually appropriate questions as hyperlinks under the Hot Questions at FortiAnswers heading.
- Clicking a link takes the user to the related question and answer page on the FortiAnswers website.
- The number of answers, votes, and views is displayed for each question.
- Clicking the See more link takes the user to the related topic page on FortiAnswers.
- The Documentation section header is renamed to Online Guides.
- The Online Help link is renamed to Relevant Documentation.

761507 In the Top FortiSandbox Files FortiView monitor, it is possible to drill down on a submitted file, and view its static and dynamic file analysis. It is possible to download the full FortiSandbox report in PDF format. This feature works with FortiGate Cloud Sandbox, FortiSandbox Cloud, and FortiSandbox appliance. FortiSandbox must be running version 3.2.1 or later.

766712 Improve the FortiOS user experience by adding more integration of support resources for troubleshooting. Online guides, FortiOS documentation, and additional support can be accessed straight from the help menu. The FortiAnswers community can be accessed within the FortiOS interface by clicking on the link at the bottom of the global search results.
Hyperscale

Feature ID Description

836653 On FortiGates licensed for hyperscale firewall features, the following diagnose commands display summary information for IPv4 or IPv6 hardware sessions.
    # diagnose sys npu-session list-brief
LAN Edge

See LAN Edge in the New Features Guide for more information.

Feature ID Description

541626 Support retrieving and displaying DHCP option 82 data from managed FortiSwitches.
    diagnose switch-controller switch-info option82-mapping snooping {ascii | hex} <managed_switch_serial_number> <vlan> [port]
The serial number and VLAN are required, the port is optional. Managed FortiSwitches must be running FortiSwitch 7.2.2 or later, and the managed FortiSwitches must be configured with DHCP option 82 settings.
541631 Support DHCP option 82 configuration options in the switch controller settings including circuit ID, remote ID, and other general settings used for DHCP snooping on managed FortiSwitches.
    config switch-controller global
        set dhcp-option82-format {ascii | legacy}
        set dhcp-option82-circuit-id {intfname vlan hostname mode description}
        set dhcp-option82-remote-id {hostname ip mac}
        set dhcp-snoop-client-req {forward-untrusted | drop-untrusted}
        set dhcp-snoop-client-db-exp <integer>
        set dhcp-snoop-db-per-port-learn-limit <integer>
    end
769722 Allow a managed FortiSwitch ID to be edited and store the device serial number as a new read-only field.
    config switch-controller managed-switch
        edit <id>
            set sn <serial_number>
        next
    end
The device ID can be configured to a maximum of 16 alphanumeric characters, including dashes (-) and underscores (_). Some related config, execute, and diagnose commands have been modified to configure and display user-definable FortiSwitch IDs accordingly. The system data and daemons have been modified to use the new switch serial number field to ensure the existing switch controller and dependent features still work.

805867 Increase the number of supported NAC devices to 48 times the maximum number of FortiSwitch units supported on that FortiGate model.
844011 In managed FortiSwitch switch controller CLI commands, allow a user-configurable access control list (ACL) per port on a managed FortiSwitch to control user/system access to particular resources:
    config switch-controller acl ingress
        edit <id>
            config action
                set drop {enable | disable}
            end
            config classifier
                set dst-ip-prefix <ip_netmask>
                set src-mac <MAC_address>
            end
        next
    end
                    set acl-group <name>
                next
            end
        next
    end
The user-configurable ACL will be assigned to ACL group 3 in FortiSwitch. Since the range of group identifiers varies among FortiSwitch platforms, platforms that do not support group 3 may not be supported. The user-configurable ACL may conflict with an ACL implemented by other managed FortiSwitch features.
852280 Add the ability to perform multi-processing for the wireless daemon that handles all WPA authentication requests (wpad_ac) by allowing users to specify the wpad-process-count. The count varies by model based on the number of FortiAPs it is allowed to manage.
    config wireless-controller global
        set wpad-process-count <integer>
    end

852998 Wi-Fi 5 GHz UNII-3 channels (149, 153, 157, 161, and 165) are allowed in European countries and region code E countries (with a few exceptions).

860247 Add option in dtls-policy for ipsec-vpn-sn under config wireless-controller wtp-profile, which automatically establishes an IPsec VPN tunnel between the FortiGate and FortiAP that carries CAPWAP data packets and includes the FortiAP serial number within this tunnel.
    config wireless-controller wtp-profile
        edit <name>
            set dtls-policy {clear-text | dtls-enabled | ipsec-vpn | ipsec-vpn-sn}
        next
    end
866172 When the local radio of FortiWiFi platforms is configured as client mode, it can connect to a third-party SSID with WPA3-SAE or OWE security mode. This feature is only supported in the CLI.
    config system interface
        edit <name>
            config wifi-networks
                edit <id>
                    set wifi-ssid <string>
                    set wifi-security {wpa3-sae | owe}
                    set wifi-passphrase <password>
                next
            end
        next
    end
866173 FortiAP 431G and 433G models operating in single 5G mode can make use of the UNII-4 frequency band, 5.85 GHz - 5.925 GHz. Additional channels 169, 173, and 177 are provided to the user in the 5 GHz radio.

866174 The wtp-profile of FAP-432F, FAP-433F, FAP-U432F, and FAP-U433F models can set external antenna parameters when the corresponding external antenna is installed.
    config wireless-controller wtp-profile
        edit <name>
            config radio-1
                set optional-antenna {none | FANT-04ABGN-0606-O-R | FANT-04ABGN-0606-P-R}
            end
        next
    end
867444 Add support for enforcing a maximum number of FortiExtender devices in LAN extension mode per FortiGate platform. Support for enforcing a maximum number of FortiExtender devices in WAN extension mode per FortiGate platform was added in a previous version of FortiOS.

869610 Add CLI support for WPA3-SAE security mode for FortiAP wireless mesh backhaul SSIDs:
    config wireless-controller vap
        edit <name>
            set mesh-backhaul enable
            set ssid <string>
            set security wpa3-sae
            set pmf enable
            set sae-h2e-only enable
            set schedule <string>
            set sae-password <password>
        next
    end
Add support for Wi-Fi 6E FortiAP devices to configure mesh connections on 6 GHz bands using WPA3-SAE with H2E only enabled.
877392 When a FortiExtender is configured as a FortiGate LAN extension and has two uplinks to the FortiGate access controller (AC), add the ability to perform a fast failover of the CAPWAP LAN extension control channel. Two CAPWAP sessions are established between the FortiGate and the FortiExtender: one is active, the other is in standby, and when the active uplink goes down, CAPWAP quickly switches to the other uplink. When the previously active uplink comes back up, CAPWAP continues to use the previously standby uplink used for the failover event as the control channel.
To display the active and standby sessions for the CAPWAP LAN extension control channel:
- On the FortiGate, use get extender session-info, where the active session is marked and the uplink ports are displayed when both uplinks are up, and where the active session and the uplink port are displayed when a single uplink is up.
Log & Report

Feature ID Description

780571 Add Logs Sent Daily chart for remote logging sources (FortiAnalyzer, FortiGate Cloud, and FortiAnalyzer Cloud) to the Logging & Analytics Fabric Connector card within the Security Fabric > Fabric Connectors page and to the Dashboard as a widget for a selected remote logging source.
Network

Feature ID Description

784626 Add Multiprotocol Border Gateway Protocol Ethernet Virtual Private Network (MP-BGP EVPN) support for VXLAN, which allows for learning MAC addresses in a way that is more suitable for large deployments than flood-and-learn.
MP-BGP EVPN is a standards-based control plane that supports the distribution of attached host MAC and IP addresses using MP-BGP, namely, using the EVPN address family and MAC addresses treated as routing entries in BGP. As a control plane that is separate from the data plane, MP-BGP EVPN avoids flood-and-learn in the network, and the wide use of BGP as an external gateway protocol on the internet proves its ability to scale well with large deployments.
MP-BGP EVPN supports the following features:
- Route type 2 (MAC/IP advertisement route) and route type 3 (inclusive multicast Ethernet tag route)
- Intra-subnet communication
- Single-homing use cases
- VLAN-based service, namely, there is only one broadcast domain per EVPN instance (EVI). This is due to the current VXLAN design that supports a single VNI for a VXLAN interface.
- EVPN running on IPv4 unicast VXLAN
- Egress replication for broadcast, unknown unicast, and multicast (BUM) traffic
- VXLAN MAC learning from traffic
- IP address local learning
- ARP suppression
812329 Support DVLAN mode 802.1ad and 802.1Q on NP7 platforms, which provides better performance and packet processing.

829476 Support secure explicit web proxy with HTTPS connections between web clients and the FortiGate.
    config web-proxy explicit
        set secure-web-proxy {disable | enable | secure}
        set secure-web-proxy-cert <certificate1> <certificate2> ...
        set ssl-dh-bits {768 | 1024 | 1536 | 2048}
    end

838346 Add the subscriber RSSO user and authentication server information associated with PBA sessions logs to the corresponding PBA creation event logs since these details are helpful for identifying users in CGNAT applications.

846399 Add 100G speed option for FG-180xF for ports 37, 38, 39, and 40. Upon firmware upgrade, existing port speed configurations are preserved.

858436 BGP conditional advertisement allows the router to advertise a route only when certain conditions are met. Add capability on the FortiGate to cross-check prefixes and make conditional advertisements between IP address families, namely, to conditionally advertise an IPv6 prefix when an IPv4 prefix is present, or vice versa. A global option is added in the BGP configuration settings.
    config router bgp
        set cross-family-conditional-adv {enable | disable}
    end
The condition-routemap setting can be configured with IPv4 and IPv6 route maps concurrently as conditions. IPv4 and IPv6 BGP conditional advertisement is already supported in previous versions of FortiOS.
860256 Support configuring DHCP relays on interfaces with secondary IP addresses. The FortiGate will track the number of unanswered DHCP requests for a client on the interface's primary IP. After three unanswered DHCP requests, the FortiGate will forward DHCP requests to DHCP relays configured under the secondary IP using the secondary IP address as the source. After a further three unanswered DHCP requests, the FortiGate will return to using the primary IP and restart the process.
This feature is configured by setting dhcp-smart-relay within a specific port under config system interface, and setting secip-relay-ip within the config secondaryip settings of that port.
DHCP relay targets under both the primary and secondary IP may be the same or unique. If smart relay is not configured, all requests are forwarded using the primary IP address on the interface.

868091 The DHCP shared subnet feature allows the FortiGate to act as a DHCP server that assigns IP ranges in different subnets to requests coming from the same DHCP relay agent. For example, clients on the same interface or VLAN requesting IP addresses from the DHCP relay will have their requests relayed to the FortiGate. The FortiGate may have more than one server and pool associated with the relay agent, and it assigns IP addresses from the second server when the first one is exhausted.
    config system dhcp server
        edit <id>
            set shared-subnet {enable | disable}
            set relay-agent <IP_address>
        next
    end

875169 Add capability for the FortiGate to manage the broadcast flag for its DHCP client. This feature is enabled by default.
    config system interface
        edit <name>
            set mode dhcp
            set dhcp-broadcast-flag {enable | disable}
        next
    end
875468 Enhance logging for explicit proxy traffic to improve troubleshooting of the HTTP proxy status for each HTTP transaction:
- Support monitoring HTTP header requests and responses in the UTM web filter log. This requires an SSL deep inspection profile to be configured in the corresponding firewall policy.
- Support logging the explicit web proxy forward server name using set log-forward-server, which is disabled by default.
    config web-proxy global
        set log-forward-server {enable | disable}
    end
- Support logging TCP connection failures in the traffic log when a client initiates a TCP connection to a remote host through the FortiGate and the remote host is unreachable.

876182 FortiGates have the ability to signal the LAG interface status to the peer devices when available links fall below the number of min-links configured on the FortiGate.

888378 On FortiGates with a cellular modem and dual SIM support, support real-time switching to the passive SIM when any of the following issues arise with the active SIM:
- Ping link monitor fails
Operational Technology

See Operational Technology in the New Features Guide for more information.

Feature ID Description

851994 Add option to set/unset the default-purdue-level setting within the system interface configuration, and apply this default Purdue Level value to discovered assets based on the interface with which they were detected. This feature requires a FortiGuard Industrial Security Service (ISS) license on the FortiGate so the Industrial Database can be used. Device identification must be enabled on interfaces connected to OT devices.
    config system interface
        edit <name>
            set default-purdue-level {1 | 1.5 | 2 | 2.5 | 3 | 3.5 | 4 | 5 | 5.5}
        next
    end
Policy & Objects

See Policy and objects in the New Features Guide for more information.

Feature ID Description

740416 Improve the backend of the FortiOS GUI to speed up loading of a large number of policies. This is achieved by only loading the necessary data when needed, rather than loading all the data at once. This can significantly improve performance and reduce the time it takes to load a large number of policies. A new layout has also been added for the policy list with the option to choose between the new layout and the old layout.

795814 The FortiGate has the ability to process Ethernet frames with both the Cisco Security Group Tag and VLAN tag.

795908 Add scanunit support for learning mode. The scanunit provides a more powerful file detection mechanism through full-scanning in learning mode. This improves the accuracy of the IPS engine in detecting malicious files.

823710 Supports the Port Control Protocol (PCP) by allowing the FortiGate to act as a PCP server and dynamically manage network addresses and port translations for PCP clients. The PCP server must be enabled with a pool (config system pcp-server). In the firewall policy, enable either pcp-outbound or pcp-inbound mode and assign the pool.
838344 A route tag (route-tag) firewall address object can include IPv4 or IPv6 addresses associated with a BGP route tag number, and is updated dynamically with BGP routing updates. The route tag firewall address object allows for a more dynamic and flexible configuration that does not require manual intervention to follow dynamic routing updates. This address object can be used wherever a firewall address can be used, such as in a firewall policy, a router policy, or an SD-WAN service rule.

838363 Internet Service Database (ISDB) on-demand mode replaces the full-sized ISDB file with a much smaller file that is downloaded onto the flash drive. This file contains only the essential entries for Internet Services. When a service is used in a firewall policy, the FortiGate queries FortiGuard to download the IP addresses and stores them on the flash drive. The FortiGate also queries the local MAC Database (MADB) for corresponding MAC information.
    config system global
        set internet-service-database on-demand
    end

838535 Support matching by destination port when matching a central NAT rule if the protocols are TCP, UDP, or SCTP.
entering or leaving the firewall interface based on source and destination IP addresses, ports, protocols, and applications.
- VLAN COS matching on shaping policy: the FortiGate can use the class of service (COS) value of VLAN packets as a matching criterion for shaping policies. This enables the FortiGate to prioritize traffic based on the COS value assigned by the switch or router.
- Multi-stage VLAN COS marking: the FortiGate can configure the traffic shaper to dynamically change the COS value of outgoing VLAN packets based on the shaper profile. This allows the FortiGate to mark traffic with different COS values at different stages of the shaping process.

875309 A port block allocation (PBA) IP pool for NAT64 traffic can be configured in the CLI.
    config firewall ippool
        edit <name>
            set type port-block-allocation
            set nat64 enable
        next
    end
PBA support for NAT64 is supported for FortiGates with a hyperscale firewall license. This feature has been added to mainstream FortiOS to make it available to non-hyperscale customers, including customers running a VM version of FortiOS. Hyperscale firewall logging is designed for optimal performance and does not have the same detailed logging features as are available for non-hyperscale traffic.
SD-WAN

Feature ID Description

838343 In an SD-WAN hub and spoke configuration where ADVPN is used, when a primary shortcut goes out of SLA, traffic switches to the backup shortcut. During idle timeout, sessions will prefer using the primary parent tunnel and try to establish a new primary shortcut. However, because it is out of SLA, traffic switches back to the backup shortcut, which causes unnecessary traffic interruption.
Add the shortcut-stickiness option to keep existing sessions on the established ADVPN shortcuts while they remain in SLA instead of switching to a new link every idle timeout. New sessions will be routed by the primary shortcut if it is in SLA.
    config system sdwan
        config service
            edit <id>
                set shortcut-stickiness {enable | disable}
            next
        end
    end

841590 When using FortiMonitor to detect advanced SD-WAN application performance metrics, the FortiGate can log these statistics. These logs can be sent to FortiAnalyzer and FortiManager for review and reporting. The log sending frequency is measured in seconds (0 - 3600, default = 0).
    config system sdwan
        set app-perf-log-period <integer>
    end

864074 Allow better control over the source IP for local-out traffic used by each egress interface by allowing a preferred source IP to be defined in the following scenarios.
- Static route configuration:
    config system sdwan
        config members
            edit <id>
                set preferred-source <IP_address>
            next
        end
    end
- Route map configuration (so that a BGP route can support a preferred source):
    config router route-map
        edit <name>
            config rule
                edit <id>
                    set set-ip-prefsrc <IP_address>
                next
            end
        next
    end
864130 Add support for traffic classification on SLA probes to ensure they are prioritized in times of congestion. The class-id is a data source (2 - 15) that is defined in the shaping policy profile.
    config system sdwan
        config health-check
            edit <name>
                set class-id <integer>
            next
        end
    end

869198 Make the health check sensitive enough to detect small amounts of packet loss by decreasing the link monitor check interval and probe timeout minimum limit down to 20 ms, which will significantly impact VOD/voice.

872934 When ADVPN is configured on a FortiGate spoke along with maximize bandwidth (SLA) or load-balance mode in the CLI, then spoke-to-spoke traffic is load balanced between multiple ADVPN shortcuts only when a shortcut is within the configured SLA conditions. The SD-WAN rule must be configured with set mode load-balance and set tie-break fib-best-match.
    config system sdwan
        config service
            edit <id>
                set mode load-balance
                set dst <name>
                config sla
                    edit <name>
                        set id <integer>
                    next
                end
                set priority-members <seq_num1>, <seq_num2>, ...
                set tie-break fib-best-match
            next
        end
    end
879047 Steer multicast traffic by SD-WAN rules. When an SD-WAN member is out of SLA, multicast traffic can fail over to another member, and switch back when SLA recovers.
To use this feature in SD-WAN:
    config router multicast
        config pim-sm-global
            set pim-use-sdwan {enable | disable}
        end
    end
This feature does not support ADVPN. The following setting is added to disable the use of shortcuts.
    config system sdwan
        config service
            edit <id>
                set shortcut {enable | disable}
            next
        end
    end

884773 In the SD-WAN with ADVPN use case, two spokes can communicate with each other on the control plane by an ADVPN shortcut. In order to separate the control traffic from data traffic, the IKE creates a dynamic selector for health check packets sent between the spokes. BGP traffic is also matched by this dynamic IKE selector. Therefore, when spokes establish BGP peering with other spokes, the BGP traffic does not count towards the data traffic and will not impact IPsec idle timeout and shortcut tunnel tear down.

886108 VRFs and sources can be configured in SD-WAN IPv6 health checks.
    config system sdwan
        config health-check
            edit <name>
                set addr-mode ipv6
                set vrf <vrf_id>
                set source6 <IPv6_address>
            next
        end
    end
Security Fabric
See Security Fabric in the New Features Guide for more information.
Feature ID Description
785104 Add the ability to set multiple regions and compartments for a single OCI SDN connector. This
reduces the number of SDN connectors needed for any given OCI environment that uses multiple
regions and multiple compartments.
799982 Support adding FortiClient EMS and FortiClient EMS Cloud on a per-VDOM basis. Enabling
override is necessary to add an EMS server for each VDOM.
config endpoint-control settings
set override {enable | disable}
end
839877 FortiPolicy can be added to the Security Fabric. When FortiPolicy joins the Security Fabric and is
authorized in the Security Fabric widget, it appears in the Fabric topology pages. A FortiGate can
grant permission to FortiPolicy to perform firewall address and policy changes. Two security rating
tests for FortiPolicy have been added to the Security Posture scorecard.
856405 Add MAC Address external connector threat feed. A MAC address threat feed is a dynamic list that
contains MAC addresses, MAC ranges, and MAC OUIs. The list is periodically updated from an
external server and stored in text file format on an external server. After the FortiGate imports this
list, it can be used as a source in firewall policies, proxy policies, and ZTNA rules. For policies in
transparent mode or virtual wire pair policies, the MAC address threat feed can be used as a source
or destination address.
Security Profiles
See Security profiles in the New Features Guide for more information.
Feature ID Description
766158 Introduce a multi-tiered approach to determining the action taken on a video. The channel filter is
checked first, and if the video's channel matches a configuration entry, the corresponding action is
taken. If not, the FortiGuard category filter is checked and the corresponding action is taken if the
video's category matches a configuration entry. If neither of these conditions are met, the default
action specified in the video filter profile is used. Logging is also enabled by default.
config videofilter profile
edit <name>
set default-action {allow | monitor | block}
set log {enable | disable}
next
end
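The three-tier lookup described above, modelled as an added example in Python (not Fortinet code); the channel IDs and category numbers are constructed placeholders, not real YouTube channel IDs or FortiGuard category IDs:

```python
# Added example, not FortiOS code: the tiered video filter decision described for
# feature 766158. Channel IDs and category numbers are constructed placeholders.
from dataclasses import dataclass, field
from typing import Optional

VALID_ACTIONS = ("allow", "monitor", "block")


@dataclass
class VideoFilterProfile:
    default_action: str = "monitor"
    log: bool = True                                     # logging is on by default
    channel_filter: dict = field(default_factory=dict)   # channel_id -> action
    category_filter: dict = field(default_factory=dict)  # category_id -> action

    def __post_init__(self):
        for action in (self.default_action, *self.channel_filter.values(),
                       *self.category_filter.values()):
            if action not in VALID_ACTIONS:
                raise ValueError(f"invalid action {action!r}")


@dataclass
class Video:
    channel_id: str
    category_id: Optional[int]   # None when FortiGuard has no rating for the video


def decide(profile: VideoFilterProfile, video: Video):
    """Return (action, tier, logged): the channel filter wins over the category
    filter, which wins over the profile default."""
    if video.channel_id in profile.channel_filter:
        action, tier = profile.channel_filter[video.channel_id], "channel"
    elif video.category_id is not None and video.category_id in profile.category_filter:
        action, tier = profile.category_filter[video.category_id], "category"
    else:
        action, tier = profile.default_action, "default"
    return action, tier, profile.log


# Constructed profile: one allow-listed channel, one blocked and one monitored
# category, and block as the default action.
DEMO_PROFILE = VideoFilterProfile(
    default_action="block",
    channel_filter={"UC_constructed_training_channel": "allow"},
    category_filter={7: "block", 12: "monitor"},
)


def demo():
    """Run three constructed videos through the profile and return the decisions."""
    videos = {
        "training": Video("UC_constructed_training_channel", 7),  # channel beats category
        "news": Video("UC_constructed_news_channel", 12),         # no channel match -> category
        "unrated": Video("UC_constructed_other", None),           # neither -> default
    }
    return {name: decide(DEMO_PROFILE, video) for name, video in videos.items()}
```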
780875 Support OT/IoT virtual patching on NAC policies by enabling the category as a Vulnerability and
setting the match criteria based on severity. Devices that match the criteria can be assigned and
isolated to a NAC VLAN.
829478 Improve replacement message displayed for YouTube videos blocked by video filtering. When a
user visits a video directly by URL, a full-page replacement message is displayed. When a user
loads a video from YouTube, the page will load but the replacement message will display in the
video frame.
854704 FortiGate VMs with eight or more vCPUs can be configured to have a minimum of eight cores to be
eligible to run the full extended database (DB). Any FortiGate VM with less than eight cores will
receive a slim version of the extended DB. This slim-extended DB is a smaller version of the full
extended DB, and it is designed for customers who prefer performance.
System
Feature ID Description
749989 FortiGates, FortiSwitches, FortiAPs, and FortiExtenders can download an EOS (end of support)
package automatically from FortiGuard during the bootup process or by using manual commands.
Based on the downloaded EOS package files, when a device passes the EOS date, a warning
message is displayed in the device's tooltip, and the device is highlighted in the GUI.
The End-of-Support security rating check rule audits the EOS of FortiGates and Fabric devices.
This allows administrators to have clear visibility of their Security Fabric, and help prevent any
security gaps or vulnerabilities that may arise due to any devices that are past their hardware EOS
date.
754765 Add FortiConverter option in the FortiOS GUI. This provides an integrated solution for migrating
configurations to a new or older FortiGate appliance directly from the FortiGate itself, without the
need to access the FortiConverter portal.
836287 Support adding YAML to the file name when backing up the config as YAML, and detecting file
format when restoring the configuration.
The execute restore yaml-config command has been removed and execute restore
config should be used.
In the GUI, the File format field has been removed from the Restore system Configuration page.
852279 Add FortiGuard DLP service that offers a database with categorized predefined DLP data type
patterns such as:
l Drivers licenses for various countries, various states in the USA, and various provinces in
Canada
l Tax numbers for various countries
l Credit card numbers
l Bank statements
When enabled, the DLP database (DLDB) is downloaded to the FortiGate and its predefined
patterns can be configured in DLP profiles.
config system fortiguard
set update-dldb {enable | disable}
end
852284 Add fqdn-max-refresh setting to control the global upper limit of the FQDN refresh timer. FQDN
entries with a TTL longer than the maximum refresh value will have their refresh timer reduced to
this upper limit. The timer is measured in seconds (3600 - 86400, default = 3600).
config system dns
set fqdn-max-refresh <integer>
end
868164 Implement BIOS-level signature and file integrity checking for important system files and
executables. Warn users of failed integrity checks, or prevent the system from booting depending
on the severity and BIOS verification level.
Kernel and userspace processes can also periodically verify the integrity of AV and IPS engine files,
and other important system files and executables.
FortiOS firmware and each release of an AV or IPS engine file are dually-signed by Fortinet CA and
third-party CAs.
875306 Add a command that computes the SHA256 file hashes for all of the files in a directory or directories.
# diagnose sys filesystem hash
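An added example, not FortiOS code, of the kind of per-file SHA256 manifest such a command produces, together with a comparison against an earlier manifest to surface files that were added, removed or changed between two runs (the check a defender wants after feature 868164's integrity warnings); the directory layout and file contents are constructed:

```python
# Added example, not FortiOS code: build a SHA256 manifest for every regular file
# under a directory and diff it against a baseline to flag integrity drift.
# All paths and file contents below are constructed for the demo.
import hashlib
import os
import tempfile


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA256 so large images do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def hash_tree(root):
    """Return {relative POSIX path: sha256} for every regular file under root.
    Symlinks are skipped so a link cannot stand in for the file it points at."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()                       # deterministic order for stable output
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def diff_manifests(baseline, current):
    """Classify every path as added, removed or modified relative to the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }


def _write(root, rel, data):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)


def demo_drift():
    """Take a baseline of a constructed tree, tamper with it, and report the drift.
    Returns (baseline manifest, drift report)."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "bin/engine.bin", b"constructed engine image v1\n")
        _write(root, "etc/empty.conf", b"")            # SHA256 of empty input is well known
        _write(root, "etc/stale.conf", b"to be removed\n")
        baseline = hash_tree(root)

        _write(root, "bin/engine.bin", b"constructed engine image v2\n")  # modified
        _write(root, "bin/extra.so", b"unexpected new file\n")            # added
        os.remove(os.path.join(root, "etc/stale.conf"))                    # removed
        return baseline, diff_manifests(baseline, hash_tree(root))


if __name__ == "__main__":
    base, report = demo_drift()
    for path, digest in base.items():
        print(f"{digest}  {path}")
    print(report)
```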
894191 Improve GUI memory consumption for FortiGates with 2 GB of RAM or less.
Feature ID Description
843996 Add support for RADSEC clients in order to secure the communication channel over TLS for all
RADIUS traffic, including RADIUS authentication and RADIUS accounting over port 2083. This
enhancement also adds support for TCP connections, which use port 1812 for authentication and
port 1813 for accounting.
config user radius
edit <name>
set transport-protocol {udp | tcp | tls}
set ca-cert <string>
set client-cert <string>
set tls-min-proto-version {default | SSLv3 | TLSv1 | TLSv1-1 | TLSv1-2}
set server-identity-check {enable | disable}
next
end
857597 Simplify the activation of FortiToken Cloud trials by allowing administrators to activate free trials
directly in the FortiGate GUI. This can be performed while enabling two-factor authentication within
a user or administrator configuration, or from the System > FortiGuard page.
VPN
See IPsec and SSL VPN in the New Features Guide for more information.
Feature ID Description
827018 Update the SSL VPN web portal page layout with Neutrino styling:
l Update the top navigation bar. Users can now download and launch FortiClient.
l Allow the history and theme to be accessed from the user menu.
l Display the Quick Connection section at the top. Users can save the connection as a bookmark
after launch.
l Separate bookmarks into Predefined and Personal tabs. Users can search through their
bookmarks.
l Make a CLI console available for SSH and Telnet sessions.
827464 The FortiGate device ID is carried by the IKEv2 message NOTIFY payload when it is configured.
config vpn ipsec phase1-interface
edit <name>
set dev-id-notification enable
set dev-id <string>
next
end
857394 Enhance the FortiGate with a Key Management Interoperability Protocol (KMIP) client that sends
KMIP requests to locate the KMS server, creates keys if they do not exist on the KMS server, and
retrieves keys from the Key Management Services (KMS) server for use as IPsec security
association (SA) keys for IKEv2 only.
The FortiGate acting as the responder will try to locate keys on the KMS server first. If they do not
exist, the FortiGate requests to create new keys on the KMS server. The responder sends the key
names to the FortiGate acting as the initiator using IKE messages, and the initiator locates and
retrieves keys from the KMS server using the key names. The keylifeseconds parameter in phase 2
defines how often the FortiGate will try to synchronize local keys to those on the KMS server.
config vpn kmip-server
edit <name>
config server-list
edit <id>
set server <server_IP>
set cert <string>
next
end
set username <username_defined_on_KMS_server>
set password <password>
next
end
862145 Allow SSL VPN web mode users to log in to the web portal and be redirected to a custom landing
page. The new landing page accepts SSO credentials and SSO from form data. This allows
administrators to streamline web application access for their users. The custom redirected portal
can also listen for a logout URL so that when users log out from the web application, they are also
logged out from the SSL VPN web connection.
Settings can be configured on the VPN > SSL-VPN Portals page when creating or editing a portal
entry. In the Web Mode section, set Landing page to Custom.
865022 Update the SSL VPN web login page and portal with Fortinet corporate styling. Fortinet branding
elements are incorporated into each theme. Some changes include:
l The header displays the title of the portal with a new static subheader.
l Add quick access to RDP and VNC directly from the Quick Connection launch that prompts
866412 Add user group information to the Dashboard > SSL-VPN Monitor page.
868222 Support IPv6 source IP address for communications to the OCSP server.
config vpn certificate ocsp-server
edit <name>
set source-ip <IPv4/IPv6_address>
next
end
881903 Adjust the DTLS heartbeat parameters for SSL VPN. This improves the success rate of establishing
a DTLS tunnel in networks with congestion or jitter.
config vpn ssl settings
set dtls-heartbeat-idle-timeout <integer>
set dtls-heartbeat-interval <integer>
set dtls-heartbeat-fail-count <integer>
end
The default value for these attributes is 3 seconds, which is also the minimum allowable value. The
maximum allowable value for these attributes is 10 seconds.
ZTNA
See Zero Trust Network Access in the New Features Guide for more information.
Feature ID Description
829475 All desktop models lower than the 100-series have ZTNA, proxy, explicit proxy, WANOpt, and web
cache disabled by default. The following setting controls the proxy features.
config system global
set proxy-and-explicit-proxy {enable | disable}
end
841165 When configuring a firewall policy for IP- or MAC-based access control that uses different EMS tag
types (such as ZTNA tags and classification tags), a logical AND can be used for matching. By
separating each tag type into primary and secondary groups, the disparate tag types will be
matched with a logical AND operator.
864995 In order to allow FortiClient EMS to share FortiClient information based on IP subnet mask, the
FortiGate must send its interface IP and netmask to EMS. This enhancement allows the FortiGate
to include its IP and netmask information in the gateway MAC request.
Supported upgrade path information is available on the Fortinet Customer Service & Support site.
1. Go to https://support.fortinet.com.
2. From the Download menu, select Firmware Images.
3. Check that Select Product is FortiGate.
4. Click the Upgrade Path tab and select the following:
l Current Product
5. Click Go.
FortiOS 7.4.0 greatly increases the interoperability between other Fortinet products. This includes:
FortiAnalyzer
l 7.4.0
FortiManager
l 7.4.0
If you are using FortiClient only for IPsec VPN or SSL VPN, FortiClient version 6.0 and later are supported.
When upgrading your Security Fabric, devices that manage other devices should be upgraded first.
When using FortiClient with FortiAnalyzer, you should upgrade both to their latest versions.
The versions between the two products should match. For example, if using FortiAnalyzer
7.4.0, use FortiClient 7.4.0.
Upgrade the firmware of each device in the following order. This maintains network connectivity without the need to use
manual steps.
1. FortiAnalyzer
2. FortiManager
3. Managed FortiExtender devices
4. FortiGate devices
5. Managed FortiSwitch devices
6. Managed FortiAP devices
7. FortiClient EMS
8. FortiClient
9. FortiSandbox
10. FortiMail
11. FortiWeb
12. FortiNAC
13. FortiVoice
14. FortiDeceptor
15. FortiNDR
16. FortiTester
17. FortiMonitor
18. FortiPolicy
If Security Fabric is enabled, then all FortiGate devices must be upgraded to 7.4.0. When
Security Fabric is enabled in FortiOS 7.4.0, all FortiGate devices must be running FortiOS
7.4.0.
Downgrading to previous firmware versions results in configuration loss on all models. Only the following settings are
retained:
l operation mode
l interface IP/management IP
l static route table
l DNS settings
l admin user account
l session helpers
l system access profiles
The MD5 checksums for all Fortinet software and firmware releases are available at the Customer Service & Support
portal, https://support.fortinet.com. After logging in, go to Support > Firmware Image Checksums (in the Downloads
section), enter the image file name including the extension, and click Get Checksum Code.
Upgrade FortiGate 6000 firmware from the management board GUI or CLI. Upgrade FortiGate 7000 firmware from the
primary FIM GUI or CLI. The FortiGate 6000 management board and FPCs or the FortiGate 7000 FIMs and FPMs all run
the same firmware image. Upgrading the firmware copies the firmware image to all components, which then install the
new firmware and restart. A FortiGate 6000 or 7000 firmware upgrade can take a few minutes, the amount of time
depending on the hardware and software configuration and whether DP or NP7 processor software is also upgraded.
On a standalone FortiGate 6000 or 7000, or an HA cluster with uninterruptible-upgrade disabled, the firmware
upgrade interrupts traffic because all components upgrade in one step. These firmware upgrades should be done during
a quiet time because traffic can be interrupted for a few minutes during the upgrade process.
Fortinet recommends running a graceful firmware upgrade of a FortiGate 6000 or 7000 FGCP HA cluster by enabling
uninterruptible-upgrade and session-pickup. A graceful firmware upgrade only causes minimal traffic
interruption.
Fortinet recommends that you review the services provided by your FortiGate 6000 or 7000
before a firmware upgrade and then again after the upgrade to make sure that these services
continue to operate normally. For example, you might want to verify that you can successfully
access an important server used by your organization before the upgrade and make sure that
you can still reach the server after the upgrade and performance is comparable. You can also
take a snapshot of key performance indicators (for example, number of sessions, CPU usage,
and memory usage) before the upgrade and verify that you see comparable performance after
the upgrade.
2. Download the FortiOS 7.4.0 FG-6000F, FG-7000E, or FG-7000F firmware from https://support.fortinet.com.
3. Perform a normal upgrade of your HA cluster using the downloaded firmware image file.
4. When the upgrade is complete, verify that you have installed the correct firmware version.
For example, check the FortiGate dashboard or use the get system status command.
Starting in FortiOS 7.4.0, the new IPS-based VoIP profile allows flow-based SIP inspection to complement SIP ALG, with
both working together. There are now two types of VoIP profiles that can be configured:
config voip profile
edit <name>
set feature-set {ips | voipd}
next
end
A voipd-based VoIP profile is handled by the voipd daemon using SIP ALG inspection. This is renamed from proxy in
previous FortiOS versions.
An ips-based VoIP profile is handled by the IPS daemon using flow-based SIP inspection. This is renamed from flow in
previous FortiOS versions.
Both VoIP profile types can be configured at the same time on a firewall policy. For example:
config firewall policy
edit 1
set voip-profile "voip_sip_alg"
set ips-voip-filter "voip_sip_ips"
next
end
Where:
l voip-profile can select a voip-profile with feature-set voipd.
l ips-voip-filter can select a voip-profile with feature-set ips.
The VoIP profile selection within a firewall policy is restored to pre-7.0 behavior. The VoIP profile can be selected
regardless of the inspection mode used in the firewall policy. The new ips-voip-filter setting allows users to select
an IPS-based VoIP profile to apply flow-based SIP inspection, which can work concurrently with SIP ALG.
Upon upgrade, the feature-set setting of the voip profile determines whether the profile applied in the firewall
policy is voip-profile or ips-voip-filter.
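The upgrade rule just described, worked through as an added example (not Fortinet code): a minimal parser for the FortiOS CLI config syntax used on this page, applied to a constructed pre-upgrade config that still uses the old proxy and flow feature-set names, to show under which policy attribute each VoIP profile lands after upgrading:

```python
# Added example, not Fortinet code: a minimal parser for the FortiOS CLI config
# syntax used throughout this page (config / edit / set / next / end), applied to the
# 7.4.0 rule above: a policy's VoIP profile stays under voip-profile when the
# profile's feature-set is voipd (formerly proxy) and moves to ips-voip-filter when
# it is ips (formerly flow). Profile and policy names in the sample are constructed.
import shlex

VOIPD_NAMES = ("voipd", "proxy")   # SIP ALG, handled by the voipd daemon
IPS_NAMES = ("ips", "flow")        # flow-based SIP, handled by the IPS daemon


def parse_fortios(text):
    """Parse config blocks into nested dicts: {table: {entry: {attr: [values]}}}.
    'config' and 'edit' open a nested dict; 'next' and 'end' close one."""
    root = {}
    stack = [root]
    for line in text.splitlines():
        tokens = shlex.split(line)
        if not tokens:
            continue
        keyword, args = tokens[0], tokens[1:]
        if keyword in ("config", "edit"):
            node = stack[-1].setdefault(" ".join(args), {})
            stack.append(node)
        elif keyword == "set":
            stack[-1][args[0]] = args[1:]
        elif keyword in ("next", "end"):
            stack.pop()
        else:
            raise ValueError(f"unsupported keyword on line: {line!r}")
    if len(stack) != 1:
        raise ValueError("unbalanced config/edit versus next/end")
    return root


def migrate_voip_policies(pre_upgrade_config):
    """Return {policy_id: {attribute: profile_name}} as the 7.4.0 upgrade would
    place each referenced VoIP profile. Profiles with no recognisable feature-set
    are reported under 'unresolved' rather than guessing a default (a choice of
    this example, not a documented behaviour)."""
    cfg = parse_fortios(pre_upgrade_config)
    profiles = cfg.get("voip profile", {})
    placement = {}
    for policy_id, attrs in cfg.get("firewall policy", {}).items():
        ref = attrs.get("voip-profile")
        if not ref:
            continue                  # policy has no VoIP profile; nothing to migrate
        name = ref[0]
        feature_set = profiles.get(name, {}).get("feature-set", [None])[0]
        if feature_set in IPS_NAMES:
            placement[policy_id] = {"ips-voip-filter": name}
        elif feature_set in VOIPD_NAMES:
            placement[policy_id] = {"voip-profile": name}
        else:
            placement[policy_id] = {"unresolved": name}
    return placement


# Constructed pre-upgrade config (names are placeholders).
SAMPLE_CONFIG = """
config voip profile
    edit "voip_sip_alg"
        set feature-set proxy
    next
    edit "voip_sip_ips"
        set feature-set flow
    next
end
config firewall policy
    edit 1
        set name "sip-alg-policy"
        set voip-profile "voip_sip_alg"
    next
    edit 2
        set name "sip-ips-policy"
        set voip-profile "voip_sip_ips"
    next
    edit 3
        set name "no-voip-policy"
    next
end
"""

if __name__ == "__main__":
    print(migrate_voip_policies(SAMPLE_CONFIG))
```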
The following table lists FortiOS 7.4.0 product integration and support information:
Other browser versions have not been tested, but may fully function.
Other web browsers may function correctly, but are not supported by Fortinet.
Fortinet Single Sign-On (FSSO)
l 5.0 build 0311 and later (needed for FSSO agent support OU in group filters)
l Windows Server 2022 Standard
l Windows Server 2022 Datacenter
l Windows Server 2019 Standard
l Windows Server 2019 Datacenter
l Windows Server 2019 Core
l Windows Server 2016 Datacenter
l Windows Server 2016 Standard
l Windows Server 2016 Core
l Windows Server 2012 Standard
l Windows Server 2012 R2 Standard
l Windows Server 2012 Core
l Windows Server 2008 64-bit (requires Microsoft SHA2 support package)
l Windows Server 2008 R2 64-bit (requires Microsoft SHA2 support package)
l Windows Server 2008 Core (requires Microsoft SHA2 support package)
l Novell eDirectory 8.8
AV Engine
l 7.00015
Virtualization environments
Language support
Language GUI
English ✔
Chinese (Simplified) ✔
Chinese (Traditional) ✔
French ✔
Japanese ✔
Korean ✔
Portuguese (Brazil) ✔
Spanish ✔
The following table lists the operating systems and web browsers supported by SSL VPN web mode.
Microsoft Windows 7 SP1 (32-bit & 64-bit): Mozilla Firefox version 113, Google Chrome version 112
Other operating systems and web browsers may function correctly, but are not supported by Fortinet.
The following issues have been fixed in version 7.4.0. To inquire about a particular bug, please contact Customer
Service & Support.
Anti Spam
Bug ID Description
848593 After spam mail is detected by the email filter, the X-ASE-REPORT is not inserted into the mail
header of the spam mail.
857911 The Anti-Spam Block/Allow List Entry dialog page is not showing the proper Type values in the
dropdown.
877613 Mark as Reject can still be chosen as an Action in an Anti-Spam Block/Allow List in the GUI.
Anti Virus
Bug ID Description
818092 CDR archived files are deleted at random times and not retained.
845960 Flow mode opens port 8008 over the AV profile that does not have HTTP scan enabled.
849020 FortiGate enters conserve mode and the console prints a fork() failed message.
851706 Nothing is displayed in the Advanced Threat Protection Statistics dashboard widget.
869398 FortiGate sends too many unnecessary requests to FortiSandbox and causes high resource usage.
Application Control
Bug ID Description
857632 Unable to access some websites when application control with deep inspection is enabled.
901166 Unable to connect to any site when application control is enabled with proxy-based or certificate
inspection.
DNS Filter
Bug ID Description
871854 DNS UTM log still presents unknown FortiGuard category even when the DNS proxy received a
rating value.
878674 Forward traffic log is generated for allowed DNS traffic if the DNS filter is enabled but the policy is
set to log security events only.
Endpoint Control
Bug ID Description
861316 A system object tagging entry is hindering the FortiGate's ability to process ZTNA tags.
Explicit Proxy
Bug ID Description
849794 Random websites are not accessible after upgrading when using a proxy policy.
865135 Multipart boundary parsing failed with CRLF before the end of boundary 1.
875736 The proxy-re-authentication-mode option has been removed in 7.2.4 and is replaced with
proxy-keep-alive-mode re-authentication. The new proxy-re-authentication-time timer is
associated with this re-authentication mode. There are two unresolved issues:
l After upgrading, the previously configured proxy-auth-timeout value for the absolute re-
should be configured in minutes to be consistent with other related authentication timers (such
as proxy-auth-timeout).
878713 The hit count and bytes of the implicit deny rule does not increase on the proxy policy.
880361 Transparent web proxy policy has no match if the source or destination interface is the same and
member of SD-WAN.
882867 Proxy policy match resolves IP to multiple internet service application IDs.
888078 Enabling http-ip-header on virtual server changes the log produced for transparent web proxy.
901239 Unexpected behavior in WAD caused by deploying virtual servers in non-server pool mode.
901614 Firewall schedule does not work as expected with a proxy policy.
Firewall
Bug ID Description
719311 On the Policy & Objects > Firewall Policy page in 6.4.0 onwards, the IPv4 and IPv6 policy tables are
combined but the custom section name (global label) is not automatically checked for duplicates. If
there is a duplicate custom section name, the policy list may show empty for that section. This is a
display issue only and does not impact policy traffic.
770541 Within the Policy & Objects menu, the firewall, DoS, and traffic shaping policy pages take around
five seconds to load when the FortiGate cannot reach the FortiGuard DNS servers.
835413 Inaccurate sFlow interface data reported to PRTG after upgrading to 7.0.
850175 When the UTM is enabled, NP7 NTurbo is not set properly, which causes the shaper to not
guarantee the SIP traffic based on the class ID.
851212 After traffic flow changes to FGSP peer from owner, iprope information for synchronized sessions
does not update on the peer side.
854107 NGFW VDOM incorrectly includes all interfaces belonging to the root VDOM on interface and policy
related GUI pages.
860480 FG-3000D cluster kernel panic occurs when upgrading from 7.0.5 to 7.0.6 and later.
861990 Increased CPU usage in softirq after upgrading from 7.0.5 to 7.0.6.
864612 When the service protocol is an IP with no specific port, it is not cached, which causes a
protocol/port service name in the log.
865661 Standard and full ISDB sizes are not configurable on FG-101F.
872744 Packets are not matching the existing session in transparent mode.
875309 Support port block allocation (PBA) IP pools for NAT64 traffic.
875565 The policy or other cache lists are sometimes not freed in time. This may cause unexpected policies
to be stored in the cache list.
879225 Egress interface cannot be intermittently matched for wake-on-LAN (broadcast) packets.
881572 Columns for NPU sessions are missing on the FortiView Sessions monitor page.
884578 Unexpected behavior in WAD caused by enabling HTTP/2 while using virtual servers.
895962 Intermittent behavior in WAD during SSL renegotiation while using virtual servers.
FortiView
Bug ID Description
838652 The FortiView Sessions monitor displays VDOM sessions from other VDOMs.
892798 Memory and CPU usage issues caused by malformed method header while using virtual servers.
GUI
Bug ID Description
440197 On the System > FortiGuard page, the override FortiGuard server for AntiVirus & IPS Updates
shows an Unknown status, even if the server is working correctly. This is a display issue only; the
override feature is working properly.
535794 Policy page should show new name/content for firewall objects after editing them from the tooltip.
677806 On the Network > Interfaces page when VDOM mode is enabled, the Global view incorrectly shows
the status of IPsec tunnel interfaces from non-management VDOMs as up. The VDOM view shows
the correct status.
685431 On the Policy & Objects > Firewall Policy page, the policy list can take around 30 seconds or more
to load when there is a large number (over 20 thousand) of policies.
699508 When an administrator ends a session by closing the browser, the administrator timeout event is not
logged until the next time the administrator logs in.
722358 When a FortiGate local administrator is assigned to more than two VDOMs and tries logging in to
the GUI console, they get a command parse error when entering VDOM configuration mode.
753328 Incorrect shortcut name shown on the Network > SD-WAN > Performance SLAs page.
791367 Users should be able to perform a sniffer on a VWP member in the GUI.
821030 Security Fabric root FortiGate is unable to resolve firewall object conflicts in the GUI.
821734 Log & Report > Forward Traffic logs do not show the Policy ID if there is no Policy Name.
822991 On the Log & Report > Forward Traffic page, using the filter Result : Deny(all) does not work as
expected.
827893 Security rating test for FortiCare Support fails when connected to FortiManager Cloud or
FortiAnalyzer Cloud.
829736 Incorrect information is being displayed for the HA role on the System > HA page.
829773 Unable to load the Network > SD-WAN > SD-WAN Rules table sometimes due to a JavaScript error.
837048 Unable to delete the LAN interface's addresses without switching it back to a non-LAN role.
842079 On the System > HA page, a Failed to retrieve info caution message appears when hovering over
the secondary unit's Hostname. The same issue is observed on the Dashboard > Status > Security
Fabric widget.
848083 On the System > FortiGuard page, the license table shows expiry notifications for FortiGuard
entitlements, which are hidden by the GUI's Feature Visibility.
853414 Policy and dashboard widgets do not load when the FortiGate manages a FortiSwitch with tenant
ports (exported from root to other VDOM).
854529 The local standalone mode in a VAP configuration is disabled when viewing or updating its settings
in the GUI.
857464 The CPU and Sessions widgets report the current numbers at the wrong places for most time
periods.
861466 The Active Administrator Sessions widget shows the incorrect interface when accessing the firewall
through the GUI.
862474 IPsec tunnel interface Bandwidth widget inbound is zero and outbound value is lower than the
binding interface.
865956 On the Network > Policy Routes page, entries cannot be copied and pasted above or below.
866790 System > Firmware & Registration menu is not visible for administrator accounts without read-write
permissions for the sysgrp-permission category.
867802 GUI always displays Access denied error after logging in.
869828 An httpsd crash occurs when the GUI fails to get the disk log settings from the FortiGate.
870675 CLI console in GUI reports Connection lost. when the administrator has more than 100 VDOMs
assigned.
874502 An access privilege prompt is not displayed when logging in to the GUI of a FortiGate managed by a
FortiManager with post-login-banner enabled. The user is logged in with read-only
permissions.
880292 Global administrator backup configuration for specific VDOM contains configurations associated
with only the root VDOM.
881678 On the Network > Routing Objects page, editing a prefix list with a large number of rule entries fails
with an error notification that The integer value is not within valid range.
890531 Node.JS boots earlier than autod, which leads to a Node.JS crash.
890683 GUI being exposed to port 80 on the interfaces defined in the ACME settings, even if administrative
access is disabled on the interface.
891895 When remotely accessing the FortiGate from FortiGate Cloud, the web GUI console displays
Connection lost. Press Enter to start a new session.
893286 On the Dashboard > Status page, the CPU, Memory, and Sessions widgets always show zero data.
899434 A super_admin login is logged in the console logs when remotely logging in to a FortiGate with the
FortiCloud portal using a prof_admin profile.
HA
Bug ID Description
662978 Long lasting sessions are expired on HA secondary device with a 10G interface.
816904 DCE/RPC traffic is dropped when no session matches with the FGSP cluster and asynchronous
traffic.
825680 TACACS authentication to secondary FortiGate fails when HA group ID is changed on a FortiGate
cluster.
830538 FGCP FortiGates go out-of-sync when the certificates used for IPsec are updated using SCEP.
843837 HA A-P virtual cluster information is not correctly presented in the GUI and CLI.
852308 New factory reset box failed to synchronize with primary, which was upgraded from 7.0.
856004 Telnet connection running ping fails during FGSP failover for virtual wire pair with VLAN traffic.
856643 FG-500E interface stops sending IPv6 RAs after upgrading from 7.0.5 to 7.0.7.
860497 Output of diagnose sys ntp status is misleading when run on a secondary cluster member.
864226 FG-2600F kernel panic occurs after a failover on both members of the cluster.
866296 The HBDEV status is displayed as DOWN when upgrading one node of the HA cluster to 6.4.9.
868622 The session is not synchronized after HA failover by detecting monitored interface as down.
869557 Upgrading or re-uploading an image to the HA secondary node causes the OS to be uncertified.
870312 On a FortiGate HA cluster, both primary and secondary units are displayed as the Primary on the
GUI top banner, and as Current HA mode in the CLI.
870367 FGCP A-P devices get out of HA synchronization periodically due to FortiTokens being added and
deleted.
871636 HA configuration synchronization packets (Ethertype 0x8893) are dropped when going through
VXLAN.
873028 In HA A-A mode, authenticated users experience intermittent drops and disconnections.
874397 When re-enabling sync-config on the primary FGCP cluster member, it is automatically disabled
on the secondary.
874823 FGSP session-sync-dev ports do not use L2 Ethernet frames but always use UDP, which
reduces the performance.
875984 FortiGate goes out-of-sync after changing parameters of VDOM link interfaces.
876178 hasync crashes with signal 6 after upgrading to 7.2.3 from 7.0.7.
878173 When downloading the speed test server list, the HA cluster gets and stays out-of-sync.
880786 Running diagnose sys ha vlan-hb-monitor incorrectly shows inter-VDOM VLANs inactive.
881337 Adding a VLAN interface on any VDOM causes BGP flapping and VIP connectivity issues on
VDOMs in vcluster2.
882354 When WAN extension redundant mode is configured in HA, a redundant switch causes the HA
cluster to go out-of-sync.
883546 In HA, sending a lot of CLI configurations causes the creation of a VDOM on the secondary unit.
885245 Unexpected failover occurs due to uptime, even if the uptime difference is less than the
ha-uptime-diff-margin.
885844 HA shows as being out-of-sync after upgrading due to a checksum mismatch for
endpoint-control fctems.
Hyperscale
Bug ID Description
771857 Firewall virtual IP (VIP) features that are not supported by hyperscale firewall policies are no longer
visible from the CLI or GUI when configuring firewall VIPs in a hyperscale firewall VDOM.
837270 Allowing intra-zone traffic is now supported in hyperscale firewall VDOMs. Options to block or allow
intra-zone traffic are available in the GUI and CLI.
841712 On FortiGates licensed for hyperscale firewall features, the config system setting options
nat46-force-ipv4-packet-forwarding and nat64-force-ipv6-packet-forwarding
now also apply to NP7-offloaded traffic. The config system npu option nat46-force-ipv4-
packet-forwarding has been removed.
843305 Get PARSE SKIP ERROR=17 NPD ERR PBR ADDRESS console error log when performing a
system bootup.
877696 Get KTRIE invalid node related error and kernel panic on standby after adding a second device into
A-P mode HA cluster.
Intrusion Prevention
Bug ID Description
696811 IPSA self test failed, disable IPSA! IPSA disabled: self test failed
message appears in system event logs.
842073 Improvements to IPS engine to optimize CPU usage when a decrypted traffic mirror profile is
applied to policies in flow mode.
842523 IPv6 with hardware offloading and IPS drops traffic (msg="anti-replay check fails,
drop").
845944 Firewall policy change causes high CPU spike with IPS engine.
872137 Unable to pass traffic when using GRE over IPsec (IPsec in transport mode).
873975 Source MAC changes and the packet drops due to both sides of the session using the same source
MAC address.
883600 Under config ips global, configuring set exclude-signatures none does not save to
backup configuration.
IPsec VPN
Bug ID Description
699973 IPsec aggregate shows down status on Interfaces, Firewall Policy, and Static Routes configuration
pages.
726326 IPsec server with NP offloading drops packets with an invalid SPI during rekey.
797342 Users cannot define an MTU value for the aggregate VPN.
798045 FortiGate is unable to install SA (failed to add SA, error 22) when there is an overlap in
configured selectors.
803010 The vpn-id-ipip encapsulated IPsec tunnel with NPU offloading cannot be reached by IPv6.
812229 A random four-character peer ID is displayed in the GUI and CLI when a VPN tunnel is formed using
IKEv2 if the peer ID is not configured.
828933 iked signal 11 crash occurs once when running a VPN test script.
842571 If mode-cfg is used, a race condition can result in an IP conflict and sporadic routing problems in
an ADVPN/SD-WAN network. Connectivity can only be restored by manually flushing the IPsec
tunnels on affected spokes.
852868 Issues with synchronization of the route information (using add-route option) on spokes during
HA failover that connect to dialup VPN.
855772 FortiGate IPsec tunnel role could be incorrect after rebooting or upgrading, and causes negotiation
to be stuck when it comes up.
858681 When upgrading from 6.4.9 to 7.0.6 or 7.0.8, the traffic is not working between the spokes on the
ADVPN environment.
858697 Native IPsec iOS authentication failure using LDAP account with two-factor authentication.
858715 IPsec phase 2 fails when both HA cluster members reboot at the same time.
861195 In IPsec VPN, the fnbamd process crashes when the password and one-time password are entered
in the same Password field of the VPN client.
869166 IPsec tunnel does not come up after upgrading the firmware on the branch FortiGate (FG-61E).
873097 Phase 2 not initiating the rekey at soft limit timeout on new kernel platforms.
876795 RADIUS server will reject new authentication if a previous session is missing ACCT-STOP to
terminate the session, which causes the VPN connection to fail.
882483 ADVPN spoke does not delete the BGP route entry to another spoke over IPsec when the IPsec
VPN tunnel is down.
884921 Proxy DHCP is not following RFC 2132 for option 61.
885818 If a tunnel in an IPsec aggregate is down but its DPD link is on, the IPsec aggregate interface may
still forward traffic to a down tunnel causing traffic to drop.
887800 In an L2TP configuration, set enforce-ipsec enable is not working as expected after
upgrading.
891462 The Peer ID field in the IPsec widget should not show a warning message that Two-factor
authentication is not enabled.
892699 In an HA cluster, static routes via the IPsec tunnel interface are not inactive in the routing table when
the tunnel is down.
Log & Report
Bug ID Description
755632 Unable to view or download generated reports in the GUI if the report layout is custom.
816616 GUI logging issue for automation script that performs a backup to an external FTP server.
823183 FortiGates are showing Logs Queued in the GUI after a FortiAnalyzer reboot, even though the
queued logs were actually all uploaded to FortiAnalyzer and cleared when the connection was restored.
825318 Archived Data tab is missing from intrusion prevention and application control log Details pane once
log-packet is enabled.
829862 On the Log & Report > ZTNA Traffic page, the client's Device ID is shown as [object Object]. The
Log Details pane shows the correct ID information.
839601 When log pages are scrolled down, no logs are displayed after 500 lines of logs.
856670 Forward traffic log doesn't contain result and security action values for sessions denied by
WAD.
858304 When FortiGate Cloud logging is enabled, the option to display 7 days of logs is not visible on the
Dashboard > FortiView pages.
858589 Unable to download more than 500 logs from the FortiGate GUI.
860141 Syslog did not update the time after daylight saving time (DST) adjustment.
860264 The miglogd process may send empty logs to other logging devices.
860487 Incorrect time and time zone appear in the forward traffic log when timezone is set to 18 (GMT-3
Brasilia).
861567 In A-P mode, when the link monitor fails, the event log displays a description of ha state is
changed from 0 to 1.
863548 When searching old logs on the Log & Report > Forward Traffic page and then navigating to another
page, the log_se process on the FortiGate is still busy as the cancel request is not sent after
navigating to the other page.
864219 A miglogd crash occurs when creating a dynamic interface cache on an ADVPN environment.
869073 A syslogd signal 11 crash occurs once while running VPN scripts.
871142 SAML SSO administrator login with post-login banner enabled does not have a login event.
872181 On the Log & Report > Log Settings > Local Logs page, the Local reports and Historical FortiView
settings cannot be enabled.
872326 FortiGate cannot retrieve logs from FortiAnalyzer Cloud. Results are shown rarely.
873987 High memory usage from miglogd processes even without traffic.
874026 Caching a large number of service port entries causes high log daemon memory usage.
879228 FortiAnalyzer override settings are not taking effect when ha-direct is enabled.
893199 Deallocate/allocate logs are lost if PBA IP pool NAT IP has been exhausted.
Proxy
Bug ID Description
707827 The video filter does not display the proper replacement message when the user redirects to a
blocked video from the YouTube homepage or video recommendation list.
746587 Error condition in WAD occurs during traffic scans in proxy mode.
766158 Video filter FortiGuard category takes precedence over allowed channel ID exception in the same
category.
823078 Improvements to WAD to optimize CPU usage when using user groups.
828917 WAD crash caused by linked list corruption with free group information node.
834387 In a firewall proxy policy, the SD-WAN zone assigned to interface is not checked.
835745 An error condition occurs in WAD when the srcintf of a firewall proxy-policy is set to an
SD-WAN zone.
837095 WAD daemon runs high with many child processes and is not coming down after configuring 250
CGN VDOMs.
843318 An error case occurs in WAD when requesting uncached resources in a specific HTTP request.
850426 POP3 proxy is unable to extract the username if AUTH PLAIN or AUTH LOGIN commands were
used for authentication.
853864 FortiGate out-of-band certificate check issue occurs in a proxy mode policy with SSL inspection.
854511 Unable to make API calls using Postman Runtime script after upgrading to 7.2.0.
855853 Improvements to WAD to optimize CPU usage when using user groups.
855882 Improvements to WAD to resolve a memory usage issue when user-info updates the FortiAP
information.
856235 The WAD process memory usage gradually increases over a few days, causing the FortiGate to
enter into conserve mode.
858148 Memory usage issue caused by the WAD user-info history daemon.
870151 Memory usage issue occurs on the WAD worker in a specific scenario.
870554 An error condition occurs in WAD when the dstaddr6 of a firewall proxy-policy is set to an
IPv6 address.
874563 User information attributes can cause disruption when they are not properly merged.
885674 Unable to send logs from FortiClient to FortiAnalyzer when deep inspection is enabled on firewall
policy.
886284 An error condition occurs in WAD when a task is queued in the dev-vuln daemon and the user-info
daemon restarts.
REST API
Bug ID Description
868265 The active sessions count for a specific policy displayed in the Fortiview Sessions monitor (Active
Sessions column), on the Firewall Policy page, and in the results of diagnose sys session
list (total session value) are different. The total session count indicated in the CLI is the
accurate value.
892237 Updating the HA monitor interface using the REST API PUT request fails and returns a -37 error.
Routing
Bug ID Description
724468 Router policy destination address does not take effect when internet-service-id is configured.
821149 Early packet drop occurs when running UTM traffic on virtual switch interface.
827565 Using set load-balance-mode weight-based in SD-WAN implicit rule does not take effect
occasionally.
839784 DHCP relay packets are not being sent out of WWAN interface.
848310 IPsec traffic sourced from a loopback interface does not follow the policy route or SD-WAN rules.
850778 Spoke-to-spoke communication randomly breaks. The BGP route to reach the spoke subnet points
to the main ADVPN tunnel instead of the shortcut tunnel.
850862 When creating a new rule on the Network > Routing Objects page, the user cannot create a route
map with a rule that has multiple similar or different AS paths in the GUI.
852498 BGP packets are marked with DSCP CS0 instead of CS6.
852525 When enabled, FEC is not effectively reducing packet loss when behind NAT.
858248 OSPF summary address for route redistribution from static route via IPsec VPN always persists.
858299 Redistributed BGP routes to the OSPF change its forward address to the tunnel ID.
859135 Disabling the VDSL interface caused packet drops afterwards on another interface.
860075 Traffic session is processed by a different SD-WAN rule and randomly times out.
862165 FortiGate does not add the route in the routing table when it changes for SD-WAN members.
862418 Application VWL crash occurs after FortiManager configuration push causes an SD-WAN related
outage.
862573 SD-WAN GUI does not load, and the lnkmtd process crashes frequently.
863833 BGP stuck in active state due to collisions when BGP neighborship is done over VDOM link.
865914 When BSM carries multiple CRPs, PIM might use the incorrect prefix to update the mroute's RP
information.
867196 SD-WAN and IP pool setting are not working as expected when one SD-WAN member link is down.
870990 Routing advertised by directly connected EBGP peer is not installed (denied due to non-
connected next-hop).
874677 Sometimes an IPv6 single-hop BFD neighbor fails to come up after a system reboot.
875177 TCP/HTTP health check does not work as expected for virtual servers in active-standby mode.
875668 SD-WAN SLA log information has incorrect inbound and outbound bandwidth values.
880390 When execute speed-test-server download fails with a token parse error, it still
reports Download completed.
881306 SD-WAN member shows as selected, even if the interface is down or underlying transport is down.
884372 All BGP routes in dual ADVPN redundant configuration are not getting updated to the correct WAN
interface post-rollback to WAN failover.
890379 After upgrading, SD-WAN is unable to fail over the traffic when one interface is down.
893603 GUI does not show gateway IP on the routing table page if VDOM mode is transparent.
896065 ISIS cannot establish the neighborship to peers, and all peers are in INIT states.
897940 Link monitor's probe timeout value range is not appropriate when the user decreases the minimum
interval.
898549 IPv6 route to SLA IPv6 target is lost after disabling and enabling the physical interface.
Security Fabric
Bug ID Description
809106 Security Fabric widget and Fabric Connectors page do not identify FortiGates properly in HA.
819192 After adding a Fabric device widget, the device widget does not appear in the dashboard.
825291 Security rating test for FortiAnalyzer fails when connected to FortiAnalyzer Cloud.
832015 Root FortiGate cannot finish the security rating with a large Fabric topology (more than 25 to 30
devices) because the REST API is not limited to the local network.
844412 When a custom LLDP profile has auto-isl disabled, the security rating test, Lockdown LLDP
Profile, fails.
848822 The FortiAP Firmware Versions and FortiSwitch Firmware Versions security rating tests fail
because the firmware version on the FortiAPs and FortiSwitches is not recognized correctly.
851656 Sessions with csf_syncd_log flag in a Security Fabric are not logged.
852340 Various places in the GUI do not show the secondary HA device.
862532 Unable to load topology pages for a specific Security Fabric topology on the root and downstream
FortiGates.
867313 Error triggering automation stitch message appears when the license expiry notification type is
FortiGuard Web Filter.
870527 FortiGate cannot display more than 500 VMs in a GCP dynamic address.
875100 Unable to remove external resource in a certain VDOM when the external resource has no
reference in that VDOM.
887967 Fabric crashes when synchronizing objects with names longer than 64 characters.
SSL VPN
Bug ID Description
631809 Configuring thousands of mac-addr-check-rule in portal makes the CPU spike significantly if
several hundreds of users are connecting to the FortiGate, thus causing SSL VPN packet drops.
710657 The dstaddr/dstaddr6 of an SSL VPN policy can be set to all when split tunnel mode is
enabled and only the default portal is set.
746440 When sending the SSL VPN settings email (VPN > SSL-VPN Settings > Send SSL-VPN
Configuration), the Email template only includes a hyperlink to the configuration, which is not
supported by Gmail and Fortinet email.
767086 Customer's internal website does not load properly in SSL VPN web mode.
787768 The web-mode setting should not be enabled when the portal is mapped in an SSL VPN policy
where a VIP is applied.
808107 FortiGate is not sending Accounting-Request packet that contains the Interim-Update AVP when
two-factor authentication is assigned to a user (defined on the FortiGate) while connecting using
SSL VPN.
819754 Multiple DNS suffixes cannot be set for the SSL VPN portal.
822657 Internal resource pages and menus are not showing correctly in SSL VPN web mode.
839261 On the VPN > SSL-VPN Settings page, when the source-address-negate option is enabled for
an address in the CLI, the GUI does not display an exclamation mark against that address entry in
the Hosts field.
This is cosmetic and does not affect FortiGate functionality or operation. The source-
address-negate option being enabled can be confirmed in the CLI.
850898 OS checklist for the SSL VPN in FortiOS does not include macOS Ventura (13).
854615 Internal web interface is not working using web mode. The page is not loading properly.
854642 Internal website with JavaScript is proxying some functions in SSL VPN web mode, which breaks
them.
856194 Problem loading some graphs through SSL VPN web mode after upgrading.
856554 SSL VPN web mode top-right dropdown button (user profile menu) does not work.
858478 SSL VPN DTLS tunnel is unavailable after changing the SSL VPN listening port.
859088 FortiGate adds extra parenthesis and causes clicking all links to fail in SSL VPN web mode.
863860 RDP over SSL VPN web mode to a Windows Server changes the time zone to GMT.
864096 EcoStruxure Building Operations 2022 does not render using SSL VPN bookmark.
867182 RDP/VNC host name is not encrypted when URL obscuration is enabled.
868491 SSL VPN web mode connection to VMware vCenter 7 is not working.
870061 Kernel does not delete original route after address assigned to the client changes.
871039 Internal website is not displaying user-uploaded PDF files when visited through SSL VPN web
mode.
871048 RDP over VPN SSL web mode stops working after upgrading.
871229 SSL VPN web mode does not load when connecting to customer's internal site.
872745 SSL VPN web mode to RDP broker leads to connection being closed.
873313 SSL VPN policy is ignored if no user or user group is set and the FSSO group is set.
873516 FortiGate misses the closing parenthesis when running the function to rewrite the URL.
875167 Webpage opened in SSL VPN web portal is not displayed correctly.
877124 RDP freezes in web mode with high CPU usage of SSL VPN process.
880791 Internal website access issue with SSL VPN web portal.
881220 Found bad login for SSL VPN web-based access when enabling URL obscuration.
884051 Unable to access to Grafana tool using SSL VPN web mode (bookmark).
884860 SSL VPN tunnel mode gets disconnected when SSL VPN web mode is disconnected by limit-
user-logins.
886989 SSL VPN process reaches 99% CPU usage when HTTP back-end server resets the connection in
the middle of a post request.
888149 When srcaddr6 contains addrgrp6, sslvpnd crashes after dual-stack tunnel is established.
890876 One of the speed-connect website JavaScript files has trouble with host process.
891830 Internal website with JavaScript lacks some menus when using SSL VPN web mode.
896007 Specific SAP feature is not working with SSL VPN web mode.
896343 SSL VPN web mode is not working as expected for customer's web server.
898889 The internal website does not load completely with SSL VPN web mode.
Switch Controller
Bug ID Description
730472 FortiSwitch enabled VLANs with VLAN and proxy ARP access have large latencies on initial ARP
resolutions.
762615, 765283 FortiSwitches managed by FortiGate go offline intermittently and require a FortiGate reboot to
recover.
769722 Support FortiLink to recognize a FortiSwitch based on its name and not just by serial number.
857778 Switch controller managed switch port configuration changes do not take effect on the FortiSwitch.
858113 On the WiFi & Switch Controller > Managed FortiSwitches page, when an administrator with
restricted access permissions is logged in, the Diagnostics and Tools page for a FortiSwitch cannot
be accessed.
858749 Redirected traffic should not hit the firewall policy when allow-traffic-redirect is enabled.
870083 FortiLink interface should not permit changes of the system interface allowaccess settings.
876021 FortiLink virtually managed switch port status is not getting pushed after the FortiGate reboots.
886887 When a MAC VLAN appears on the same MCLAG trunk, continuous event logs are received on
FortiGate and FortiAnalyzer.
894735 Unable to configure more than one NAC policy using the same EMS tag for different FortiSwitch
groups.
System
Bug ID Description
631046 diagnose sys logdisk smart does not work for NVMe disk models.
666664 Interface belonging to other VDOMs should be removed from interface list when configuring a
GENEVE interface.
709679 Get can not set mac address(16) error message when setting a MAC address on an
interface in HA that is already set.
729912 DNS proxy does not transfer the DNS query for IPv6 neighbor discovery (ND) when client devices
are using random MAC addresses, so one device can configure many IPv6 addresses.
763739 On FG-200F, the Outbound bandwidth in the Bandwidth widget does not match outbandwidth
setting.
776646 On the Network > Interfaces page, configuring a delegated interface to obtain the IPv6 prefix from
an upstream DHCPv6 server fails with an error notification (CLI internal error).
805122 In FIPS-CC mode, if cfg-save is set to revert, the system will halt a configuration change or
certificate purge.
810879 DoS policy ID cannot be moved in GUI and CLI when multiple DoS policies are enabled.
820268 VIP traffic access to the EMAC VLAN interface uses incorrect MAC address on NP7 platform.
822333 The tab title does not show the server address when accessing RDP/VNC using SSL VPN web
mode.
826490 NP7 platforms may reboot unexpectedly when unable to handle kernel null pointer de-reference.
838933 DoS anomaly has incorrect threshold after loading a modified configuration file.
840960 When kernel debug level is set to >=KERN_INFO on NP6xLite platforms, some tuples missing
debug messages may get flooded and cause the system to get stuck.
845736 After rebooting the FortiGate, the MTU value on the VXLAN interface was changed.
847314 NP7 platforms may encounter random kernel crash after reboot or factory reset.
850683 Console keeps displaying bcm_nl.nr_request_drop ... after the FortiGate reboots because
of the cfg-save revert setting under config system global. Affected platforms: FG-10xF
and FG-20xF.
850688 FG-20xF system halts if setting cfg-save to revert under config system global and after
the cfg-revert-timeout occurs.
853794 Issue with the server_host_key_algorithm compatibility when using SSH on SolarWinds.
853811 Fortinet 10 GB transceiver LACP flapping when shut/no shut was performed on the interface from
the switch side.
855573 False alarm of the PSU2 occurs with only one installed.
859717 The FortiGate is only offering the ssh-ed25519 algorithm for an SSH connection.
859795 High CPU utilization occurs when relay is enabled on VLAN, and this prevents users from getting an
IP from DHCP.
862941 GUI displays a blank page if vdom-admin user has partial permissions.
865770 RX and TX counters are incorrect on inter-VDOM link configured with VLANs.
865966 DHCP lease list CLI format gets misaligned when the data is over 15 characters long.
867978 Subnet overlap error occurs when configuring the same IPv4 link-local addresses on two different
interfaces.
868225 After a cold reboot (such as a power outage), traffic interfaces may not come up with a possible loss
of VLAN configurations.
869113 If a device is rebooted that has an ipsec-STS-timeout configured or the user configures the
ipsec-STS-timeout before any NPU tunnel is created, NPU will send random STS messages
that have an invalid tunnel index and trigger NP6XLite error messages.
870381 Memory corruption or incorrect memory access when processing a bad WQE.
874603 Dashboard loads slowly and csfd process has high CPU usage.
876874 The Dashboard > Status > Sensor Information widget does not load.
877039 On the Network > BGP page, creating or editing a table entry increases memory consumption of the
FortiGate to 99%.
877154 FortiGate with new kernel crashes when starting debug flow.
877240 Get zip conf file failed -1 error message when running a script configuring the FortiGate.
878400 When traffic is offloaded to an NP7 source MAC, the packets sent from the EMAC VLAN interface
are not correct.
879131 Unsetting the port 8888 setting in system fortiguard will set port 443, even if the protocol is
UDP.
880290 NP7 is not configured properly when the ULL ports are added to LAG interface, which causes
accounting on the LAG to not work.
882089 Unable to use ping and SSH when vne.root is not configured in local-in-policy.
882187 FortiGate enters conserve mode in a few hours after enabling UTM on the policies.
884970 Unbalanced throughput on LAG members with LAG enhancement feature enabled.
887772 CPU usage issue in WAD caused by checking authentication group member information.
891841 Unable to handle kernel NULL pointer dereference at 0000000000000000 for NP7 device; the
device keeps rebooting.
892195 LAG interface has NOARP flag after interface settings change.
892274 Daylight saving time is not applied for Cairo time zone.
897521 grep command including -f does not provide the full output.
Upgrade
Bug ID Description
850691 The endpoint-control fctems entry 0 is added after upgrading from 6.4 to 7.0.8 when the
FortiGate does not have EMS server, which means the endpoint-control fctems feature was
not enabled previously. This leads to a FortiManager installation failure.
883305 SSH public keys are lost after upgrading from Beta 1 to latest interim build, and they can no longer
be configured.
892647 Static route configurations were lost upgrading from 7.0.7 to 7.2.3.
903113 Upgrading FortiOS firmware with a local file from 6.2.13, 6.4.12, 7.0.11, or 7.2.4 and earlier may fail
for certain models because the image file size exceeds the upload limit. Affected models: FortiGate
6000 and 7000 series, FWF-80F-2R, and FWF-81F-2R-POE.
User & Authentication
Bug ID Description
705731 Chrome throttles timers, which causes the keepalive page not update correctly and results in a user
timeout.
751763 When MAC-based authentication is enabled, multiple RADIUS authentication requests may be sent
at the same time. This results in duplicate sessions for the same device.
768669 If an administrator login fails due to an LDAP server connection timeout, invalid password
appears as the reason in the system log, which is confusing. The server connection timeout
reason is added to the system event logs for a failed administrator login.
846545 LDAPS connectivity test fails with old WinAD after OpenSSL was upgraded to 3.0.2.
850473 SSL VPN and firewall authentication SAML does not work when the application requires SHA-256.
853793 FG-81F 802.1X MAC authentication bypass (MAB) failed to authenticate Cisco AP.
855898 All devices are detected as Other identified device in the Device Inventory widget.
857438 SSL VPN group matching does not work as expected for Azure auto login.
858961 Client's firewall authentication session timeout is set to 900 when it passes MAC authentication
bypass by ping.
859845 In some cases, the proper hostnames are not showing up when looking at APs on the FortiSwitch
ports screen.
865166 A cid scan crash occurs when device detections happen in a certain order.
868481 After customizing the Guest User Email Template and Guest User Print Template (System
> Replacement Messages > Extended View) replacement message templates, the default template
is still being used when it is applied to users on the User & Authentication > Guest Management
page.
883006 Adding a new group membership to an FSSO user terminates all the user's open sessions.
901743 Device identification crash upon receipt of UDP with one-byte payload.
VM
Bug ID Description
856645 Session is not created over NSX imported object when traffic starts to flow.
860096 CPU spike observed on all the cores in a GCP firewall VM.
865772 Interface does not get turned back up after changing the MTU in the aggregate interface.
868698 During a same zone AWS HA failover, moving the secondary IP will cause the EIP to be in a
disassociated state.
878074 FG-ARM64-GCP and FG-ARM64-AZURE have HA synchronization issue with internal IP after
failover.
881768 AWS MAC is not shown when the interface is attached immediately.
883203 FG-AWS SDN is unable to retrieve EKS cluster information, even though its role is trusted by the
EKS role.
885829 Azure SDN connector stopped processing when Azure returned NotFound error for VMSS
interface from an AD DS-managed subscription.
890278 FG-VM Rackspace On-Demand upgrade from 7.2.3 to 7.2.4 breaks the pay-as-you-go license, and
reverts it to an evaluation license.
VoIP
Bug ID Description
757477 PRACK will cause voipd crashes when the following conditions are met: block-unknown is
disabled in the SIP profile, the PRACK message contains SDP, and PRACK fails to find any related
previous transactions (this is not a usual case).
887384 SIP session is dropped by ALG with media type doesn't match message.
Web Filter
Bug ID Description
766126 Block replacement page is not pushed automatically to replace the video content when using a
video filter.
856793 In flow mode, URL filter configuration changes cause a spike in CPU usage of the IPS engine
process.
863728 The urlfilter process causes a memory leak, even when the firewall policy is not using the web filter
feature.
878442 FortiGuard block page image (logo) is missing when the Fortinet-Other ISDB is used.
WiFi Controller
Bug ID Description
807605 FortiOS exhibits segmentation fault on hostapd on the secondary controller configured in HA.
824441 Suggest replacing the IP Address column with MAC Address in the Collected Email widget.
825182 The 6 GHz channel lists should be updated according to the latest WiFi country region channels
map.
828901 Connectivity loss occurs due to switch and FortiAPs (hostapd crash).
837130 Wireless client shows portal related webpage while doing MAC authentication with MAB mode.
846730 Dynamic VLAN assignment is disabled in the GUI when editing an SSID with radius mac-auth
and dynamic-vlan enabled.
857975 The cw_acd process appears to be stuck, and is sending several access requests for MAC
authentication.
858653 Invalid wireless MAC OUI detected for a valid client on the network.
861552 Wireless client gets disconnected from WiFi if it is connected to a WPA2 SSID for more than 12 hours.
868022 Wi-Fi clients on a RADIUS MAC MPSK SSID get prematurely de-authenticated by the secondary
FortiGate in the HA cluster.
882551 FortiWiFi fails to act as the root mesh AP, and leaf AP does not come online.
891625 Quarantined STA connected to a long interface name VAP is not moved to quarantined VLAN 4093.
892575 MPSK SSID with mpsk-schedules stopped working after the system time was changed due to
daylight saving time.
ZTNA
Bug ID Description
832508 The EMS tag name (defined in the EMS server's Zero Trust Tagging Rules) format changed in 7.2.1
from FCTEMS<serial_number>_<tag_name> to EMS<id>_ZTNA_<tag_name>.
After upgrading from 7.2.0 to 7.2.1, the EMS tag format was converted properly in the CLI
configuration, but the WAD daemon is unable to recognize this new format, so the ZTNA traffic will
not match any ZTNA policies with EMS tag name checking enabled.
859421 ZTNA server (access proxy VIP) is causing all interfaces that receive ARP request to reply with their
MAC address.
863057 ZTNA real server address group gets unset once the FortiGate restarts.
865316 Adding an EMS tag on the Policy & Objects > Firewall Policy edit page for a normal firewall policy
forces NAT to be enabled.
875589 An error case occurs in WAD when a client EMS tag changes.
Known issues
The following issues have been identified in version 7.4.0. To inquire about a particular bug or report a bug, please
contact Customer Service & Support.
Anti Virus
Bug ID Description
908706 On the Security Profiles > AntiVirus page, a VDOM administrator with a custom administrator profile
cannot create or modify an antivirus profile belonging to the VDOM.
Workaround: set the VDOM administrator profile to super_admin.
DLP
Bug ID Description
911291 The FortiGate does not parse the entries of the sensor from DLP signature package properly, and
therefore cannot block files matching a sensor as expected.
Workaround: reboot the FortiGate after loading the DLP signature package.
Explicit Proxy
Bug ID Description
817582 When there are many users authenticated by an explicit proxy policy, the Firewall Users widget can
take a long time to load. This issue does not impact explicit proxy functionality.
Firewall
Bug ID Description
843554 If the first firewall service object in the service list (based on the order in the command line table) has
a protocol type of IP, the GUI may incorrectly modify its protocol number whenever a new firewall
service of the same protocol type IP is created in the GUI.
This silent misconfiguration can result in unexpected behavior of firewall policies that use the
impacted service. For example, some 6K and 7K platforms have firewall service ALL (protocol type
IP) as the first service, and this can cause the ALL service to be modified unexpectedly.
Workaround: create a new service in the CLI, or move a non-IP type services to the top of the
firewall service list. For example, if ALL is the first firewall service in the list:
config firewall service custom
edit "unused"
set tcp-portrange 1
next
move "unused" before "ALL"
end
910068 On the Policy & Objects > Firewall Policy page, if any of the interface names contain a space, the
page does not load when Interface Pair View is selected.
Workaround: remove all space characters in interface names referenced in policies.
912740 On a FortiGate managed by FortiManager, after upgrading to 7.4.0, the Firewall Policy list may
show separate sequence grouping for each policy because the global-label is updated to be
unique for each policy.
Workaround: drag and drop the policy to the correct sequence group in the GUI, or remove the
global-label for each member policy in the group except for the leading policy.
- Policy 1 (global-label "group1")
- Policy 2
- Policy 4
919418 On the Policy & Objects > Firewall Policy page, when the interface name used in a virtual wire pair is
a substring of interfaces used in a firewall policy, such policies are not displayed. For example, if a
virtual wire pair consists of interfaces port1 and port2, firewall policies with port10, port11, port21,
port22 are not displayed.
Bug ID Description
888310 The FortiGate 6000 or 7000 front panel does not appear on the Network > Interfaces and System
> HA GUI pages.
888447 In some cases, the FortiGate 7000F platform cannot correctly reassemble fragmented packets.
888873, 909160 The FortiGate 7000E and 7000F platforms do not support GTP and PFCP load balancing.
891430 The FortiGate 6000 and 7000 System Information dashboard widget incorrectly displays the
management board or primary FIM serial number instead of the chassis serial number. Use get
system status to view the chassis serial number.
891642 FortiGate 6000 and 7000 platforms do not support managing FortiSwitch devices over FortiLink.
892844 In a FortiGate 6000 and 7000 FGCP cluster, when logged into the secondary FortiGate, the System
Information dashboard widget incorrectly displays the serial number of the primary FortiGate
instead of the serial number of the secondary FortiGate. Use get system status to view the
serial number of the secondary FortiGate.
896758 Virtual clustering is not supported by FortiGate 6000 and 7000 platforms.
897629 The FortiGate 6000 and 7000 platforms do not support EMAC VLANs.
899905 Adding a FortiAnalyzer to a FortiGate 6000 or 7000 Security Fabric configuration from the FortiOS
GUI is not supported.
Workaround: add the FortiGate 6000 or 7000 to the FortiAnalyzer from the FortiAnalyzer GUI.
901695 On FortiGate 7000F platforms, NP7-offloaded UDP sessions are not affected by the udp-idle-timer option of the config system global command.
902545 Unable to select a management interface LAG to be the direct SLBC logging interface.
905692 On a FortiGate 6000 or 7000, the active worker count returned by the output of diagnose sys ha
dump-by group can be incorrect after an FPC or FPM goes down.
905788 Unable to select a management interface LAG to be the FGSP session synchronization interface.
907140 Authenticated users are not synchronized to the secondary FortiGate 6000 or 7000 chassis when
the secondary chassis joins a primary chassis to form an FGCP cluster.
907695 The FortiGate 6000 and 7000 platforms do not support IPsec VPN over a loopback interface or an
NPU inter-VDOM link interface.
908576 On a FortiGate 7000F, after a new FPM becomes the primary FPM, IPsec VPN dynamic routes are
not synchronized to the new primary FPM.
Workaround: reset IPsec VPN tunnels that use dynamic routing.
908674 Sessions for IPsec dialup tunnels that are configured to be handled by a specific FPC or FPM may
be incorrectly sent to a different FPC or FPM, resulting in traffic being blocked.
910606 FortiGate 6000 or 7000 FGCP session synchronization may not synchronize all sessions.
910824 On the FortiGate 7000F platform, fragmented IPv6 ICMP traffic is not load balanced correctly when
the dp-icmp-distribution-method option under config load-balance is set to dst-ip.
This problem may also occur for other dp-icmp-distribution-method configurations.
910883 The FortiGate 6000s or 7000s in an FGSP cluster may load balance FTP data sessions to different
FPCs or FPMs. This can cause delays while the affected FortiGate 6000 or 7000 re-installs the
sessions on the correct FPC or FPM.
911244 FortiGate 7000E IPv6 routes may not be synchronized correctly among FIMs and FPMs.
912778 FortiGate 6000 and 7000 graceful upgrade from FortiOS 7.0.11 (and older versions) to 7.4.0 is not
supported. After upgrading to 7.4.0, all or part of the configuration may be lost.
Workaround: upgrade to 7.4.0, reset the FortiGate to factory defaults, and then redo the
configuration.
GUI
Bug ID Description
898902 In the System > Administrators dialog, when there are a lot of VDOMs (over 200), the dialog can
take more than one minute to load the Two-factor Authentication toggle. This issue does not affect
configuring other settings in the dialog.
Workaround: use the CLI to configure two-factor-authentication under config system admin.
905200 When logged in to the GUI of a non-management VDOM and trying to complete the Migrate Config
with FortiConverter step in the startup menu, the page does not update and the loading spinner is
stuck.
Workaround: in the browser's URL bar, remove everything after the /prompt, log in to the
FortiGate GUI with the management VDOM, and enable the Don't show again toggle on the Migrate
Config with FortiConverter page in the startup menu.
905795 A random FortiSwitch is shown as offline in the GUI when it is actually online.
907041 The Network > SD-WAN > SD-WAN Zones and SD-WAN Rules pages do not load if a shortcut tunnel is triggered.
Workaround: to load the Network > SD-WAN page, temporarily bring down the ADVPN shortcut tunnels, go to the Network > SD-WAN page, and bring the tunnels back up afterwards.
HA
Bug ID Description
919982, 922867 When an HA management interface is configured, the GUI may not show the last interface entry in config system interface on several pages, such as the interface list, policy list, address list, and DNS servers page. This is a GUI-only display issue and does not impact the underlying operation of the affected interface.
Workaround: create a dummy interface to be the last entry in the config system interface table.
    config system interface
        edit <name>
            set vdom "root"
            set status down
            set type loopback
            set snmp-index <integer>
        next
    end
IPsec VPN
Bug ID Description
916260 The IPsec VPN tunnel list can take more than 10 seconds to load if the FortiGate has large number
of tunnels, interfaces, policies, and addresses. This is a GUI display issue and does not impact
tunnel operation.
Log & Report
Bug ID Description
860822 When viewing logs on the Log & Report > System Events page, filtering by domain\username does not display matching entries.
Workaround: use a double backslash (domain\\username) when filtering, or search by username only without the domain.
SSL VPN
Bug ID Description
922446 SSL VPN service over PPPoE interface does not work as expected if the PPPoE interface is
configured with config system pppoe-interface.
    config system pppoe-interface
        edit <name>
            set device <string>
            set username <string>
            set password <password>
        next
    end
Workaround: configure the PPPoE interface with config system interface to allow the SSL
VPN service to continue to work over the PPPoE interface.
1. Delete the existing PPPoE interface and related configuration:
    config system pppoe-interface
        delete <PPPoE_interface_name>
    end
Switch Controller
Bug ID Description
904640 When a FortiSwitch port is reconfigured, the FortiGate may incorrectly retain old detected device
data from the port that results in an unexpected number of detected device MACs for the port. Using
diagnose switch-controller mac-cache show to check the device data can result in the
Device Information column being blank on the WiFi & Switch Controller > FortiSwitch Ports page or
in the Assets widget.
Workaround: disable the device retention cache to remove old device data.
    config switch-controller global
        set mac-retention-period 0
    end
911232 Security rating shows an incorrect warning for unregistered FortiSwitches on the WiFi & Switch
Controller > Managed FortiSwitches.
Workaround: select a FortiSwitch and use the Diagnostics & Tools tooltip to view the correct
registration status.
System
Bug ID Description
873391 If the FortiGate is added to FortiManager using an IPv6 address and the tunnel goes down for some reason, the FortiGate does not reconnect to FortiManager because fmg under config system central-management is not set properly.
Workaround: set fmg manually, or connect from the FortiManager side.
884023 When a user is logged in as a VDOM administrator with restricted access and tries to upload a
certificate (System > Certificates), the Create button on the Create Certificate pane is greyed out.
907622 The GUI is missing the DDNS Domain text field when creating a new DDNS entry.
912383 FGR-70F and FGR-70F-3G4G fail to perform a regular reboot (using the execute reboot command) when an SD card is inserted.
923164 The EAP proxy daemon may keep reloading after the certificate bundle is updated.
Workaround: reboot the system.
WiFi Controller
Bug ID Description
814541 When there is a very large number of managed FortiAP devices (over 500) and a large number of WiFi clients (over 5000), the Managed FortiAPs page and FortiAP Status widget can take a long time to load. This issue does not impact FortiAP operation.
869978 CAPWAP tunnel traffic over tunnel SSID is dropped when offloading is enabled.
873273 The Automatically connect to nearest saved network option does not work as expected when the FWF-60E client-mode local radio loses its connection.
903922 The physical and logical topology pages are slow to load when there are many managed FortiAPs (over 50). This issue does not impact FortiAP management and operation.
904349 Unable to create FortiAP profile in the GUI for dual-5G mode FortiAP U231F/U431F models.
Workaround: use the CLI to update the profile to dual-5G mode.
Built-in AV engine
Bug ID Description
771025 Fix false PDF encryption detection by consistently reporting PDFs with permission passwords as not encrypted.
771674 A malformed trailer and XREF stream appear in PDF files due to reconstruction by CDR. CDR also returns a NULL value for a reconstructed PDF's file path.
772019 New engine versions (6.2.155, 6.4.258, 6.6.350) cannot dump some XLS files, while some older versions (6.2.142, 6.2.137) can.
775415 Add safeguards in CDR to manage orphaned files that may cause memory leaks.
809410 FortiGate should have the visibility of SMBv3 to detect suspicious contents.
849020 FortiGate enters conserve mode, then the console prints fork() failed.
886780 Explicit proxy does not block MSI file type in file filter.
Bug ID Description
872397 After the 7.0.5 upgrade, the application is working when IPS and UTM are applied.
878755 HTTPS performance drops when IPS and deep inspection (flow-based) are configured in the firewall policy.
893962 When using a FortiGuard remote category threat feed in FQDN format, some websites are not blocked or allowed as expected.
895991 The CPU processing performance of IPS Engine 6.00156 is degraded in IPS and deep-inspection
(flow-based).
901222 Web filter warning block page for FortiGuard categories is not displayed for HTTP2 with flow-based
and deep inspection.
- VHD
- OVF
- The XVA format comes pre-configured with default configurations for VM name, virtual CPU, memory, and virtual NIC. Other formats will require manual configuration before the first power on process.
When using Linux Ubuntu version 11.10, XenServer version 4.1.0, and libvirt version 0.9.2, importing issues may arise when using the QCOW2 format, along with existing HDA issues.
Copyright© 2023 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein
may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were
attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance
results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract,
signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only
the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal
conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change,
modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.