Fortios v6.4.2 Release Notes

FortiOS - Release Notes
Version 6.4.2
FORTINET DOCUMENT LIBRARY
https://docs.fortinet.com
FORTINET VIDEO GUIDE

https://video.fortinet.com
FORTINET BLOG
https://blog.fortinet.com
CUSTOMER SERVICE & SUPPORT

https://support.fortinet.com
FORTINET TRAINING & CERTIFICATION PROGRAM

https://www.fortinet.com/training-certification
NSE INSTITUTE
https://training.fortinet.com
FORTIGUARD CENTER
https://www.fortiguard.com
END USER LICENSE AGREEMENT

https://www.fortinet.com/doc/legal/EULA.pdf
FEEDBACK
Email: techdoc@fortinet.com
May 3, 2022
FortiOS 6.4.2 Release Notes
01-642-641039-20220503
TABLE OF CONTENTS
Change Log 6
Introduction and supported models 8
Supported models 8
Special branch supported models 8
Special notices 9
CAPWAP traffic offloading 9
FortiClient (Mac OS X) SSL VPN requirements 9
Use of dedicated management interfaces (mgmt1 and mgmt2) 9
Tags option removed from GUI 10
System Advanced menu removal (combined with System Settings) 10
PCI passthrough ports 10
FG-80E-POE and FG-81E-POE PoE controller firmware update 10
AWS-On-Demand image 10
Policy routing enhancements in the reply direction 11
Changes in CLI 12
Changes in GUI behavior 14
Changes in default behavior 15
Changes in table size 16
New features or enhancements 17
Upgrade Information 21
Device detection changes 21
FortiClient Endpoint Telemetry license 22
Fortinet Security Fabric upgrade 22
Minimum version of TLS services automatically changed 23
Downgrading to previous firmware versions 23
Amazon AWS enhanced networking compatibility issue 23
FortiLink access-profile setting 24
FortiGate VM with V-license 24
FortiGate VM firmware 25
Firmware image checksums 25
FortiGuard update-server-location setting 26
FortiView widgets 26
WanOpt configuration changes in 6.4.0 26
IPsec interface MTU value 27
Virtual WAN link member lost 27
Product integration and support 28
Language support 30
SSL VPN support 30
SSL VPN web mode 30
FortiOS 6.4.2 Release Notes 3

Fortinet Inc.
Resolved issues 32
Anti Spam 32
Anti Virus 32
Application Control 32
Data Leak Prevention 32
DNS Filter 33
Endpoint Control 33
Explicit Proxy 33
File Filter 33
Firewall 34
FortiView 34
GUI 34
HA 37
Intrusion Prevention 37
IPsec VPN 38
Log & Report 38
Proxy 39
Routing 39
Security Fabric 40
SSL VPN 40
Switch Controller 43
System 43
Upgrade 45
User & Authentication 45
VM 46
VoIP 47
Web Application Firewall 47
Web Filter 47
WiFi Controller 48
Common Vulnerabilities and Exposures 48
Known issues 49
Anti Virus 49
Data Leak Prevention 49
DNS Filter 49
Explicit Proxy 49
Firewall 50
FortiView 50
GUI 50
HA 52
Intrusion Prevention 53
IPsec VPN 53
Log & Report 53
Proxy 54
Routing 54

Fortinet Inc.
Security Fabric 54
SSL VPN 55
Switch Controller 55
System 55
Upgrade 56
User & Authentication 56
VM 56
Web Filter 57
WiFi Controller 57
Limitations 58
Citrix XenServer limitations 58
Open source XenServer limitations 58

Fortinet Inc.
Change Log
Date Change Description
2020-07-30 Initial release.
2020-07-31 Updated Changes in default behavior, New features or enhancements, Known issues, and
Resolved issues.
2020-08-04 Updated Known issues, Resolved issues, New features or enhancements, and New FortiGuard
anycast services.
2020-08-05 Updated Fortinet Security Fabric upgrade.
2020-08-10 Updated Changes in default behavior, New features or enhancements, New FortiGuard anycast
services, Known issues, and Resolved issues.
2020-08-11 Updated New FortiGuard anycast services and Changes in default behavior.
Removed 618718 from Known issues.
2020-08-12 Added 656869 to Known issues.
2020-08-13 Added FWF-40F, FWF-40F-3G4G, FWF-60F, and FWF-61F to Special branch supported
models.
2020-08-27 Updated Changes in default behavior, New features or enhancements, Known issues, Resolved
issues, Built-in AV engine, and Built-in IPS engine.
2020-09-02 Updated Changes in default behavior.
2020-09-17 Added 555169 to New features or enhancements.

Updated Known issues, and Resolved issues.
2020-09-18 Added 606167 to New features or enhancements.

Removed New FortiGuard anycast services.
Updated Known issues, and Resolved issues.
2020-09-21 Updated 623821 in New features or enhancements.
2020-09-23 Updated Known issues and Resolved issues.
2020-11-13 Updated New features or enhancements, Known issues, and Resolved issues.
2020-11-17 Updated 635589 in Resolved issues.
2020-11-26 Added Policy routing enhancements in the reply direction to Special notices.
2020-12-07 Added FG-VM64-IBM to Supported models.
2020-12-15 Updated Changes in table size, New features or enhancements, Known issues, and Resolved
issues.
Added Virtual WAN link member lost to Upgrade Information.

Fortinet Inc.
Change Log
Date Change Description

Removed Built-in AV engine and Built-in IPS engine.
2021-06-03 Updated FortiClient compatibility in Product integration and support.
2021-06-16 Updated New features or enhancements and Resolved issues.
2021-07-16 Updated Policy routing enhancements in the reply direction in Special notices.
2021-08-09 Updated Resolved issues.
2021-08-12 Updated Virtual WAN link member lost.
2021-10-20 Updated Known issues.
2021-11-01 Updated Resolved issues.
2022-05-03 Updated Product integration and support.

Fortinet Inc.
Introduction and supported models
This guide provides release information for FortiOS 6.4.2 build 1723.
For FortiOS documentation, see the Fortinet Document Library.
Supported models
FortiOS 6.4.2 supports the following models.
FortiGate FG-40F, FG-40F-3G4G, FG-60E, FG-60E-DSL, FG-60E-DSLJ, FG-60E-POE, FG-60F, FG-

61E, FG-61F, FG-80E, FG-80E-POE, FG-81E, FG-81E-POE, FG-90E, FG-91E, FG-100E,
FG-100EF, FG-100F, FG-101E, FG-101F, FG-140E, FG-140E-POE, FG-200E, FG-201E,
FG-300D, FG-300E, FG-301E, FG-400D, FG-400E, FG-401E, FG-500D, FG-500E, FG-
501E, FG-600D, FG-600E, FG-601E, FG-800D, FG-900D, FG-1000D, FG-1100E, FG-
1101E, FG-1200D, FG-1500D, FG-1500DT, FG-2000E, FG-2200E, FG-2201E, FG-2500E,
FG-3000D, FG-3100D, FG-3200D, FG-3300E, FG-3301E, FG-3400E, FG-3401E, FG-3600E,
FG-3601E, FG-3700D, FG-3800D, FG-3810D, FG-3815D, FG-5001D, FG-3960E,
FG-3980E, FG-5001E, FG-5001E1
FortiWiFi FWF-60E, FWF-60E-DSL, FWF-60E-DSLJ, FWF-61E
FortiGate VM FG-SVM, FG-VM64, FG-VM64-ALI, FG-VM64-ALIONDEMAND, FG-VM64-AWS, FG-VM64-

AZURE, FG-VM64-AZUREONDEMAND, FG-VM64-GCP, FG-VM64-GCPONDEMAND, FG-
VM64-HV, FG-VM64-IBM, FG-VM64-KVM, FG-VM64-OPC, FG-VM64-RAXONDEMAND,
FG-VMX, FG-VM64-XEN
Pay-as-you-go FOS-VM64, FOS-VM64-HV, FOS-VM64-KVM, FOS-VM64-XEN

images
Special branch supported models
The following models are released on a special branch of FortiOS 6.4.2. To confirm that you are running the correct
build, run the CLI command get system status and check that the Branch point field shows 1723.
FWF-40F is released on build 5323.
FWF-40F-3G4G is released on build 5323.

Fortinet Inc.
Special notices
l CAPWAP traffic offloading

l FortiClient (Mac OS X) SSL VPN requirements
l Use of dedicated management interfaces (mgmt1 and mgmt2)
l Tags option removed from GUI
l System Advanced menu removal (combined with System Settings) on page 10
l PCI passthrough ports on page 10
l FG-80E-POE and FG-81E-POE PoE controller firmware update on page 10
l AWS-On-Demand image on page 10
l Policy routing enhancements in the reply direction on page 11
CAPWAP traffic offloading
CAPWAP traffic will not offload if the ingress and egress traffic ports are on different NP6 chips. It will only offload if both
ingress and egress ports belong to the same NP6 chip. The following models are affected:
l FG-900D
l FG-1000D
l FG-2000E
l FG-2500E
FortiClient (Mac OS X) SSL VPN requirements
When using SSL VPN on Mac OS X 10.8, you must enable SSLv3 in FortiOS.
Use of dedicated management interfaces (mgmt1 and mgmt2)
For optimum stability, use management ports (mgmt1 and mgmt2) for management traffic only. Do not use management
ports for general user traffic.

Fortinet Inc.
Special notices
Tags option removed from GUI
The Tags option is removed from the GUI. This includes the following:
l The System > Tags page is removed.
l The Tags section is removed from all pages that had a Tags section.
l The Tags column is removed from all column selections.
System Advanced menu removal (combined with System Settings)
Bug ID Description
584254 l Removed System > Advanced menu (moved most features to System > Settings page).
l Moved configuration script upload feature to top menu > Configuration > Scripts page.
l Removed GUI support for auto-script configuration (the feature is still supported in the CLI).
l Converted all compliance tests to security rating tests.
PCI passthrough ports
Bug ID Description
605103 PCI passthrough ports order might be changed after upgrading. This does not affect VMXNET3 and
SR-IOV ports because SR-IOV ports are in MAC order by default.
FG-80E-POE and FG-81E-POE PoE controller firmware update
FortiOS 6.4.2 has resolved bug 570575 to fix a FortiGate failing to provide power to ports. The PoE hardware controller,
however, may require an update that must be performed using the CLI. Upon successful execution of this command, the
PoE hardware controller firmware is updated to the latest version 2.18:
diagnose poe upgrade-firmware
AWS-On-Demand image
Bug ID Description
589605 Starting from FortiOS 6.4.0, the FGT-VM64-AWSONDEMAND image is no longer provided. Both
AWS PAYG and AWS BYOL models will share the same FGT-VM64-AWS image.

Fortinet Inc.
Special notices
Policy routing enhancements in the reply direction
When reply traffic enters the FortiGate, and a policy route or SD-WAN rule is configured, the egress interface is chosen
as follows.
With auxiliary-session enabled in config system settings:
l Starting in 6.4.0, the reply traffic will not match any policy routes or SD-WAN rules to determine the egress interface
and next hop.
l Prior to this change, the reply traffic will match policy routes or SD-WAN rules in order to determine the egress
interface and next hop.
With auxiliary-session disabled in config system settings:
l The reply traffic will egress on the original incoming interface.

Fortinet Inc.
Changes in CLI
Bug ID Description
614892 Remove spectrum-analysis in wtp-profile and override-analysis in wtp.
621751 In a FortiSwitch LACP trunk, ports of the same negotiated speed are grouped into an aggregator.
The aggregator-mode setting allows users to select the aggregator based on bandwidth or
number of links.
config switch-controller managed-switch
edit <serial_number>
config ports
edit <port>
set mode lacp-passive
set aggregator-mode {bandwidth | count}
next
end
next
end
639237 EMS server can now generate dynamic address with MAC address in addition to IP address. The
switch controller's NAC policy can reference MAC-based dynamic firewall address from EMS as a
match condition.
config firewall address
edit <name>
set type dynamic
set sub-type ems-tag
set obj-type [ip | mac]
next
end
config user nac-policy

edit <ID>
set category ems-tag
set ems-tag <address>
next
end
643514 The hold-time option allows users to set a hold time in hours or days to hold their signatures after
a FortiGuard IPS signature update. During the hold period, the signature's action becomes monitor.
config system ips
set signature-hold-time <##d##h>
set override-signature-hold-by-id <enable|disable>
end
643831 Enable users to filter IPS signatures based on CVE IDs (CVE-YYYY-NNNN), or by a CVE wildcard
(CVE-YYYY).

Fortinet Inc.
Changes in CLI
Bug ID Description
config ips sensor
edit "cve"
config entries
edit 1
set cve <CVE ID or Wildcard>
next
end
next
end

Fortinet Inc.
Changes in GUI behavior
Bug ID Description
516031 The following behaviors regarding security profiles have changed:

l Remove the Feature Visibility > Multiple Security Profiles option.
l All security profiles will allow multiple profiles by default.
l All security profile pages will be a list of profiles.
634719 Add the option to switch between optimal and comprehensive dashboard setups. This option is
available in the login prompt when upgrading from an old FortiOS build or logging in as a new user.
It can also be accessed any time after that from the Reset All Dashboards option available in the left
navigation bar.
Optimal offers a set of default dashboards and a pared down selection of FortiView pages.
Comprehensive consists of a set of dashboards and all the Monitor and FortiView pages that were
present in previous FortiOS versions.
643505 In the Hub-and-Spoke VPN wizard, add the ability to select multiple local interfaces, a step to review
changes, and real-time updates when the tunnels are being created. Within the VPN dialog, add the
Hub-and-Spoke topology section to display easy keys for each spoke and the ability to add
additional spokes.

Fortinet Inc.
Changes in default behavior
Bug ID Description
630433 Local category and remote category override can now be controlled at the profile level.
In proxy mode, webfilter profile, ssl-exempt, and proxy-address have similar behavior
in handling local and remote categories. For example, in local category:
l In 6.0.x, 6.2.x, 6.4.0, and 6.4.1, once a host is configured in the local rating as category 140, it
will be always rated as 140 at the global or VDOM level. There is no profile-level option to
control it.
l In 6.4.2, the host will be rated as the configured local rating only when that category is explicitly
configured in a web filter profile. This override can be applied to webfilter profile, ssl-
exempt, and proxy-address.
The following is an example configuration for a web filter profile:
config webfilter profile
edit webf-use-local-rating
config ftgd-wf
config filters
edit 1
set category 140
set action monitor
next
end
end
next
end
The rating in webfilter profile, ssl-exempt, and proxy-address are independent from
each other.
In the GUI, an Allow action of a local/remote category when editing a web filter profile is effectively a
shortcut to disable the local/remote category overrides.
For flow mode, only webfilter profile is involved, and it has different behavior as the change
is in the IPS engine:
l In 6.2.5 and 6.4.2, the local/remote rating only takes effect when the category is enabled in
webfilter profile.
l In 6.2.1-6.2.4 and 6.4.0-6.4.1, currently the local/remote rating is still at the global or VDOM
level. After the next IPS engine public release, the behavior will be changed to be the same as
6.2.5/6.4.2.
There is no change in ssl-exempt for FortiGuard with flow mode and the NGFW URL category.

Fortinet Inc.
Changes in table size
Bug ID Description
609785 Changed the switch-controller.managed-switch scale numbers for FG-1100E/1101E

platform from 128 to 196.
626765 FG-60F/61F and FWF-60F/61F total WTP size is increased to 64.

Fortinet Inc.
New features or enhancements
More detailed information is available in the New Features Guide.
Bug ID Description
480717 Add config system dedicated-mgmt to all FortiGate models with mgmt, mgmt1, and mgmt2
ports.
555169 FortiToken Cloud GUI enhancements:

l Add warning message when FortiToken Cloud balance is negative.
l Add warning message when FortiToken Cloud user count exceeds quota.
l Move email and SMS settings under the 2FA section.
l Add CSF support for user definition, user groups, TACACS+, and FortiToken.
556054 With the newly-added compression methods used in the CIFS messages, FortiGates can now scan
these compressed messages in proxy mode.
562031 Support security policy srcaddr-negate and dstaddr-negate options, which can be
configured under firewall security policy.
config firewall security-policy
edit <policyid>
...
set srcaddr-negate[enable|disable]
set dstaddr-negate [enable|disable]
...
next
end
573076 FortiGate generates a UUID for every managed FortiAP (WTP entry). A new BLE profile, fortiap-
discovery, can facilitate iBeacon UUID deployment over FortiAP devices.
589621 New Azure on-demand and upgraded instances can retrieve a FortiGate serial number and license
from FortiCare servers. Using the serial number, users can register the device to their account and
start using FortiToken and FortiGate Cloud services.
596002 Add two new tables to the FortiOS enterprise MIB: FgSwDeviceEntry for details about connected
FortiSwitches and FgSwPortEntry for port related information.
596870 Add kernel support for the IEEE 802.1ad (QinQ) standard. Previously, the 802.1Q standard allowed
a single VLAN header to be inserted into an Ethernet frame. This new feature allows one more
VLAN tag to be inserted into a single frame.
597301 Display information about autoscale members in the GUI and CLI, such as their serial number, IP
address, instance ID, and transit gateway (AWS only).
600037 BSS coloring support on FAP-U431F/U433F (802.11ax AP).

Fortinet Inc.
Bug ID Description
606167 When the network monitor feature is enabled on the switch controller, the update-user-device
option allows granular control of which sources to collect device information from. The information is
populated on the FortiGate device list.
608557 Support proxy server for push service.
610596 Users can define IPv6 MAC addresses and apply them in a firewall policy, virtual wire pair policy,
and other policy types.
610990 Add IPv6 only and IPv4v6 dual stack support for GTPv1 and GTPv2 on FortiOS Carrier.
614924 Users can configure automation with the Quarantine via FortiNAC action when setting triggers for
Compromised Host or Incoming Webhook. When the automation is triggered, the client PC will be
quarantined with its MAC address disabled in the configured FortiNAC.
617640 Add new filter keys servicetag and region in Azure SDN connector to filter out IP ranges of
service tags. This can be applied to dynamic firewall addresses.
620994 For FortiAP models with three radios, spectrum analysis can be performed on the thrid radio on all
channels from the 2.4 GHz and 5 GHz bands. On FortiAPs with two radios operating in AP mode,
spectrum analysis can be performed on operating channels.
621714 For the purpose of communicating timing precision between two ends, transparent clock can be
enabled to measure the overall path delay. This feature allows the FortiGate to configure this setting
for supported FortiSwitch models.
621742 Add support to configure the FortiSwitch to send multiple RADIUS attribute values within a single
RADIUS access request.
621746 Support explicit congestion notification (ECN) configuration for managed FortiSwitch.
621757 Add support to configure switch ports to enable inter-operability with rapid PVST+ on managed
FortiSwitches.
622291 Health metrics calculations are standardized in the backend, and consistent colors are used to
represent good, fair, and poor metrics. In addition, the health data is now available through a REST
API.
623821 For WiFi clients associated with a bridge SSID on a FortiAP that is connected to an Ethernet
interface of a FortiGate, the DHCP Monitor widget can indicate the AP bridge and the SSID name in
the Interface column of those clients' IP leases.
In the CLI, dhcp-option43-insertion is added under VAP configuration to support this feature.
config wireless-controller vap
edit VAP01
set dhcp-option43-insertion {enable | disable}
next
end
By default, dhcp-option43-insertion is set to enable.

The minimum version required for FAP-U is 6.0.3. The minimum version required for FAP-W2 is
6.4.1.

Fortinet Inc.
Bug ID Description
629530 Support running BYOL FortiGate VMs on IBM Cloud platform.
630238 Allow configuration of up to 16 FGSP standalone peers in system standalone-cluster.
630881 Various new scenarios are added in Security Rating to test the FortiSwitch network and make
recommendations to optimize the setup.
631818 Add new OIDs to support SNMP queries for IPv4 and IPv6 IPsec tunnels, and SNMP queries for
license details.
635717 Monitoring FortiAP antenna (per Rx chain) status and logging wireless events upon antenna defect
detection.
635795 The ARRP profile improves upon DARRP by enabling more factors to be considered for optimizing
channel selection among FortiAPs.
637508 Add CLI commands to improve WAD debugging.

l diagnose wad memory report prints memory-related statistics of all workers, which
includes those shown in diagnose test app wad {2 3 803 21 22 23 25 27 70

120 123}.
l diagnose wad memory monitor monitors WAD memory usage. WAD memory usage is
checked at a regular interval, and a report is generated if the WAD memory usage is over the
threshold.
l diagnose wad debug crash {enable | disable} saves debug messages to a file for
later viewing when the WAD crashes.
l diagnose wad debug crash list lists all crash logs.
l diagnose wad debug crash read <proc_type> <id> reads a specific crash log.
637829 Support adding FortiMail to the Security Fabric with standard authorization steps using FortiMail's
certificate. As part of the Security Fabric, FortiMail appears in the Fabric navigation, topologies,
Fabric widgets and under Security Rating.
637946 Replace previous slide-out terminal with a full page masking terminal. Allow admins to open multiple
CLI consoles that can be minimized.
638975 SD-WAN and policy route now allow users to choose the device MAC address object as source. In
addition, the FABRIC_DEVICE object can also be used in SD-WAN and policy route.
639590 In NGFW mode application control logs will be generated when an application, application category,
or application group is selected on a security policy and log traffic is set to UTM or all. In addition,
when one signature is accepted under the security policy, all child signatures are assessed and
logged correspondingly.
640563 The default command to restrict FortiLink interfaces to one interface has been removed. The GUI
will now display multiple FortiLink interfaces if more than one interface has FortiLink enabled from
the CLI.
641152 New bandwidth-limited VM licenses allow VM deployments with limited bandwidth usage per
interface. Dedicated management interfaces are exempt from calculation.
641928 Add an option to control whether BGP's ECMP next hops can use recursive distance to determine
which of them should be installed.

Fortinet Inc.
Bug ID Description
config router bgp
set multipath-recursive-distance {enable | disable}
end
If the next hop is resolved by connected route, its distance will be 0. If it is resolved by another route,
its distance will be same as that route. Only the shortest next hop can form ECMP routes and be
installed into the kernel when this option is enabled.
641990 The diagnose wad session list command is available in models without WANopt support.
642898 The following options are configurable in the flow-based web filter security profile in NGFW policy
mode, and they can be applied to a security policy:
l Block invalid URLs
l Static URL Filter
l Block malicious URLs discovered by FortiSandbox
l Content Filter
643616 Support FortiAP to query FortiGuard IoT service through FortiGate to determine device details.
643912 Sometimes it is necessary to map a VIP to an FQDN address. This setting can now be configured
from the GUI.
644049 Enhancements to multiple pre-shared key per SSID include the ability to batch generate or import
MPSK keys, export keys to CSV, dynamically assign VLANs based on the MPSK used, and to apply
an MPSK schedule in the GUI.
645140 Tunnel ID is added to traffic logs and GTP logs for GTP related traffic in order to correlate the
sessions.
648568 In additional to servers added in 6.4.0, FortiGuard servers for GeoIP, DDNS, and FortiToken Mobile
registration now support third-party CA signed certificates with OCSP stapling.
648604 For user location information (ULI) in GTP, it may contain more than one identity of different type.
This log enhancement displays all identity information in GTP logs.
651206 The GUI in the downstream FortiGate allows users to log in to the Fabric root device to authorize a
pending join request.

Fortinet Inc.
Upgrade Information
Supported upgrade path information is available on the Fortinet Customer Service & Support site.
To view supported upgrade path information:
1. Go to https://support.fortinet.com.
2. From the Download menu, select Firmware Images.
3. Check that Select Product is FortiGate.
4. Click the Upgrade Path tab and select the following:
l Current Product
l Current FortiOS Version
l Upgrade To FortiOS Version
5. Click Go.
Device detection changes
In FortiOS 6.0.x, the device detection feature contains multiple sub-components, which are independent:
l Visibility – Detected information is available for topology visibility and logging.
l FortiClient endpoint compliance – Information learned from FortiClient can be used to enforce compliance of those
endpoints.
l Mac-address-based device policies – Detected devices can be defined as custom devices, and then used in device-
based policies.
In 6.2, these functionalities have changed:
l Visibility – Configuration of the feature remains the same as FortiOS 6.0, including FortiClient information.
l FortiClient endpoint compliance – A new fabric connector replaces this, and aligns it with all other endpoint
connectors for dynamic policies. For more information, see Dynamic Policy - FortiClient EMS (Connector) in the
FortiOS 6.2.0 New Features Guide.
l MAC-address-based policies – A new address type is introduced (MAC address range), which can be used in
regular policies. The previous device policy feature can be achieved by manually defining MAC addresses, and then
adding them to regular policy table in 6.2. For more information, see MAC Addressed-Based Policies in the FortiOS
6.2.0 New Features Guide.
If you were using device policies in 6.0.x, you will need to migrate these policies to the regular policy table manually after
upgrade. After upgrading to 6.2.0:
1. Create MAC-based firewall addresses for each device.
2. Apply the addresses to regular IPv4 policy table.
In 6.4.0, device detection related GUI functionality has been relocated:
1. The device section has moved from User & Authentication (formerly User & Device) to a widget in Dashboard.
2. The email collection monitor page has moved from Monitor to a widget in Dashboard.

Fortinet Inc.
Upgrade Information
FortiClient Endpoint Telemetry license
Starting with FortiOS 6.2.0, the FortiClient Endpoint Telemetry license is deprecated. The FortiClient Compliance profile
under the Security Profiles menu has been removed as has the Enforce FortiClient Compliance Check option under
each interface configuration page. Endpoints running FortiClient 6.2.0 now register only with FortiClient EMS 6.2.0 and
compliance is accomplished through the use of Compliance Verification Rules configured on FortiClient EMS 6.2.0 and
enforced through the use of firewall policies. As a result, there are two upgrade scenarios:
l Customers using only a FortiGate device in FortiOS 6.0 to enforce compliance must install FortiClient EMS 6.2.0
and purchase a FortiClient Security Fabric Agent License for their FortiClient EMS installation.
l Customers using both a FortiGate device in FortiOS 6.0 and FortiClient EMS running 6.0 for compliance
enforcement, must upgrade the FortiGate device to FortiOS 6.2.0, FortiClient to 6.2.0, and FortiClient EMS to 6.2.0.
The FortiClient 6.2.0 for MS Windows standard installer and zip package containing FortiClient.msi and language
transforms and the FortiClient 6.2.0 for macOS standard installer are included with FortiClient EMS 6.2.0.
Fortinet Security Fabric upgrade
FortiOS 6.4.2 greatly increases the interoperability between other Fortinet products. This includes:
l FortiAnalyzer 6.4.2
l FortiManager 6.4.2
l FortiClient EMS 6.4.1 build 1487 or later
l FortiClient 6.4.1 build 1511 or later
l FortiAP 6.0.6 build 0075 or later
l FortiSwitch 6.0.6 build 0076 or later
When upgrading your Security Fabric, devices that manage other devices should be upgraded first. Upgrade the
firmware of each device in the following order. This maintains network connectivity without the need to use manual
steps.
1. FortiAnalyzer
2. FortiManager
3. FortiGate devices
4. Managed FortiSwitch devices
5. Managed FortiAP devices
6. FortiClient EMS
7. FortiClient
8. FortiSandbox
9. FortiMail
10. FortiWeb
11. FortiADC
12. FortiDDOS
13. FortiWLC
14. FortiNAC

Fortinet Inc.
Upgrade Information
If Security Fabric is enabled, then all FortiGate devices must be upgraded to 6.4.2. When
Security Fabric is enabled in FortiOS 6.4.2, all FortiGate devices must be running FortiOS
6.4.2.
Minimum version of TLS services automatically changed
For improved security, FortiOS 6.4.2 uses the ssl-min-proto-version option (under config system global) to
control the minimum SSL protocol version used in communication between FortiGate and third-party SSL and TLS
services.
When you upgrade to FortiOS 6.4.2 and later, the default ssl-min-proto-version option is TLS v1.2. The following
SSL and TLS services inherit global settings to use TLS v1.2 as the default. You can override these settings.
l Email server (config system email-server)
l Certificate (config vpn certificate setting)
l FortiSandbox (config system fortisandbox)
l FortiGuard (config log fortiguard setting)
l FortiAnalyzer (config log fortianalyzer setting)
l LDAP server (config user ldap)
l POP3 server (config user pop3)
Downgrading to previous firmware versions
Downgrading to previous firmware versions results in configuration loss on all models. Only the following settings are
retained:
l operation mode
l interface IP/management IP
l static route table
l DNS settings
l admin user account
l session helpers
l system access profiles
Amazon AWS enhanced networking compatibility issue
With this enhancement, there is a compatibility issue with 5.6.2 and older AWS VM versions. After downgrading a 6.4.2
image to a 5.6.2 or older version, network connectivity is lost. Since AWS does not provide console access, you cannot
recover the downgraded image.

Fortinet Inc.
Upgrade Information
When downgrading from 6.4.2 to 5.6.2 or older versions, running the enhanced NIC driver is not allowed. The following
AWS instances are affected:
C5 Inf1 P3 T3a
C5d m4.16xlarge R4 u-6tb1.metal
C5n M5 R5 u-9tb1.metal
F1 M5a R5a u-12tb1.metal
G3 M5ad R5ad u-18tb1.metal
G4 M5d R5d u-24tb1.metal
H1 M5dn R5dn X1
I3 M5n R5n X1e
I3en P2 T3 z1d
A workaround is to stop the instance, change the type to a non-ENA driver NIC type, and continue with downgrading.
FortiLink access-profile setting
The new FortiLink local-access profile controls access to the physical interface of a FortiSwitch that is managed by
FortiGate.
After upgrading FortiGate to 6.4.2, the interface allowaccess configuration on all managed FortiSwitches are
overwritten by the default FortiGate local-access profile. You must manually add your protocols to the local-
access profile after upgrading to 6.4.2.
To configure local-access profile:
config switch-controller security-policy local-access

edit [Policy Name]
set mgmt-allowaccess https ping ssh
set internal-allowaccess https ping ssh
next
end
To apply local-access profile to managed FortiSwitch:
config switch-controller managed-switch

edit [FortiSwitch Serial Number]
set switch-profile [Policy Name]
set access-profile [Policy Name]
next
end
FortiGate VM with V-license
This version allows FortiGate VM with V-License to enable split-vdom.

Fortinet Inc.
Upgrade Information
To enable split-vdom:
config system global

set vdom-mode [no-vdom | split vdom]
end
FortiGate VM firmware
Fortinet provides FortiGate VM firmware images for the following virtual environments:
Citrix Hypervisor 8.1 Express Edition
l .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
l .out.OpenXen.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains the
QCOW2 file for Open Source XenServer.
l .out.CitrixXen.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains
the Citrix XenServer Virtual Appliance (XVA), Virtual Hard Disk (VHD), and OVF files.
Linux KVM
l .out.kvm.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains QCOW2
that can be used by qemu.
Microsoft Hyper-V Server 2019 and Windows Server 2012R2 with Hyper-V role
l .out.hyperv.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains
three folders that can be imported by Hyper-V Manager. It also contains the file fortios.vhd in the Virtual Hard
Disks folder that can be manually added to the Hyper-V Manager.
VMware ESX and ESXi
l .out: Download either the 64-bit firmware image to upgrade your existing FortiGate VM installation.
l .ovf.zip: Download either the 64-bit package for a new FortiGate VM installation. This package contains Open
Virtualization Format (OVF) files for VMware and two Virtual Machine Disk Format (VMDK) files used by the OVF
file during deployment.
Firmware image checksums
The MD5 checksums for all Fortinet software and firmware releases are available at the Customer Service & Support
portal, https://support.fortinet.com. After logging in select Download > Firmware Image Checksums, enter the image file
name including the extension, and select Get Checksum Code.

Fortinet Inc.
Upgrade Information
FortiGuard update-server-location setting
The FortiGuard update-server-location default setting is different between hardware platforms and VMs. On
hardware platforms, the default is any. On VMs, the default is usa.
On VMs, after upgrading from 5.6.3 or earlier to 5.6.4 or later (including 6.0.0 or later), update-server-location is
set to usa.
If necessary, set update-server-location to use the nearest or low-latency FDS servers.
To set FortiGuard update-server-location:
config system fortiguard

set update-server-location [usa|any]
end
FortiView widgets
Monitor widgets can be saved as standalone dashboards.

There are two types of default dashboard settings:
l Optimal: Default dashboard settings in 6.4.1
l Comprehensive: Default Monitor and FortiView settings before 6.4.1
WanOpt configuration changes in 6.4.0
Port configuration is now done in the profile protocol options. HTTPS configurations need to have certificate inspection
configured in the firewall policy.
In FortiOS 6.4.0, set ssl-ssh-profile certificate-inspection must be added in the firewall policy:
config firewall policy
edit 1
select srcintf FGT_A:NET_CLIENT
select dstintf FGT_A:WAN
select srcaddr all
select dstaddr all
set action accept
set schedule always
select service ALL
set inspection-mode proxy
set ssl-ssh-profile certificate-inspection
set wanopt enable
set wanopt-detection off
set wanopt-profile "http"
set wanopt-peer FGT_D:HOSTID
next
end

Fortinet Inc.
Upgrade Information
IPsec interface MTU value
IPsec interfaces may calculate a different MTU value after upgrading from 6.2.
This change might cause an OSPF neighbor to not be established after upgrading. The workaround is to set mtu-
ignore to enable on the OSPF interface's configuration:
config router ospf
config ospf-interface
edit "ipsce-vpnx"
set mtu-ignore enable
next
end
end
Virtual WAN link member lost
The member of virtual-wan-link is lost after upgrade if the mgmt interface is set to dedicated-to management
and part of an SD-WAN configuration before upgrade.

Fortinet Inc.
Product integration and support
The following table lists FortiOS 6.4.2 product integration and support information:
Web Browsers l Microsoft Edge 83

l Mozilla Firefox version 76
l Google Chrome version 83
Other web browsers may function correctly, but are not supported by Fortinet.
Explicit Web Proxy Browser l Microsoft Edge 44

l Mozilla Firefox version 74
l Google Chrome version 80
Other web browsers may function correctly, but are not supported by Fortinet.
FortiManager See important compatibility information in Fortinet Security Fabric upgrade on

page 22. For the latest information, see FortiManager compatibility with FortiOS in
the Fortinet Document Library.
Upgrade FortiManager before upgrading FortiGate.
FortiAnalyzer See important compatibility information in Fortinet Security Fabric upgrade on

page 22. For the latest information, see FortiAnalyzer compatibility with FortiOS in
the Fortinet Document Library.
Upgrade FortiAnalyzer before upgrading FortiGate.
FortiClient: l 6.4.0
l Microsoft Windows See important compatibility information in FortiClient Endpoint Telemetry license
l Mac OS X on page 22 and Fortinet Security Fabric upgrade on page 22.
l Linux FortiClient for Linux is supported on Ubuntu 16.04 and later, Red Hat 7.4 and
later, and CentOS 7.4 and later.
If you are using FortiClient only for IPsec VPN or SSL VPN, FortiClient version 6.0
and later are supported.
FortiClient iOS l 6.4.0 and later
FortiClient Android and l 6.4.0 and later

FortiClient VPN Android
FortiClient EMS l 6.4.0
FortiAP l 5.4.2 and later

l 5.6.0 and later
FortiAP-S l 5.4.3 and later

l 5.6.0 and later
FortiAP-U l 5.4.5 and later
FortiAP-W2 l 5.6.0 and later

Fortinet Inc.
FortiSwitch OS l 3.6.9 and later

(FortiLink support)
FortiController l 5.2.5 and later

Supported models: FCTL-5103B, FCTL-5903C, FCTL-5913C
FortiSandbox l 2.3.3 and later
Fortinet Single Sign-On l 5.0 build 0291 and later (needed for FSSO agent support OU in group filters)
(FSSO) l Windows Server 2016 Datacenter
l Windows Server 2016 Standard
l Windows Server 2016 Core
l Windows Server 2012 Standard
l Windows Server 2012 R2 Standard
l Windows Server 2008 (32-bit and 64-bit)
l Windows Server 2008 R2 64-bit
l Novell eDirectory 8.8
FortiExtender l 3.2.1
AV Engine l 6.00149
IPS Engine l 6.00032
Virtualization Environments
Citrix l Hypervisor 8.1 Express Edition, Dec 17, 2019
Linux KVM l Ubuntu 18.0.4 LTS, 4.15.0-72-generic, QEMU emulator version 2.11.1
(Debian 1:2.11+dfsg-1ubuntu7.21)
Microsoft l Windows Server 2012R2 with Hyper-V role

l Windows Hyper-V Server 2019
Open Source l XenServer version 3.4.3

l XenServer version 4.1 and later
VMware l ESX versions 4.0 and 4.1

l ESXi versions 4.0, 4.1, 5.0, 5.1, 5.5, 6.0, 6.5, and 6.7
VM Series - SR-IOV The following NIC chipset cards are supported:

l Intel 82599
l Intel X540
l Intel X710/XL710

Fortinet Inc.
Language support
The following table lists language support information.
Language support
Language GUI
English ✔
Chinese (Simplified) ✔
Chinese (Traditional) ✔
French ✔
Japanese ✔
Korean ✔
Portuguese (Brazil) ✔
Spanish ✔
SSL VPN support
SSL VPN web mode
The following table lists the operating systems and web browsers supported by SSL VPN web mode.
Supported operating systems and web browsers
Operating System Web Browser
Microsoft Windows 7 SP1 (32-bit & 64-bit) Mozilla Firefox version 78

Google Chrome version 84
Microsoft Windows 10 (64-bit) Microsoft Edge

Mozilla Firefox version 78
Linux CentOS 6.5 / 7 (32-bit & 64-bit) Mozilla Firefox version 54
OS X Catalina 10.15 Apple Safari version 13

Mozilla Firefox version 78
iOS Apple Safari

Mozilla Firefox

Fortinet Inc.
Operating System Web Browser
Google Chrome
Android Mozilla Firefox

Google Chrome
Other operating systems and web browsers may function correctly, but are not supported by Fortinet.

Fortinet Inc.
Resolved issues
The following issues have been fixed in version 6.4.2. For inquires about a particular bug, please contact Customer
Service & Support.
Anti Spam
Bug ID Description
497024 Flow mode banned word spam filter log is missing the banned word.
Anti Virus
Bug ID Description
560044 Secondary device blades occasionally report critical log event Scanunit initiated a virus
engine/definitions update. Affected models: FG-5K, 6K, and 7K series.
607432 500 internal error for some PDFs with AV applied.
615805 Device goes into conserve mode due to large files.
635535 Scanunit crashes with signal 14 at sys_fortiuser_cmd > get_iprope_mem_conserve.
Application Control
Bug ID Description
630075 After upgrading, FortiGate faced an internet access issue when IPS and AC profiles are enabled
and the outgoing interface is an npu_vlink.
Data Leak Prevention
Bug ID Description
629713 DLP filters not matching in order if a file-type filter is configured.

Fortinet Inc.
Resolved issues
DNS Filter
Bug ID Description
511729 Domain filter entries whose action is set to allow should not be logged.
613024 DNS logs do not contain response code.
Endpoint Control
Bug ID Description
640142 FortiOS 6.4 cannot verify EMS cloud certificate.
Explicit Proxy
Bug ID Description
599637 Web proxy does not work properly to redirect Chrome browser to websites when disclaimer is
enabled in proxy policy.
624513 IP pool address in proxy policy is not used sometimes when enabling a security profile.
634515 HTTP 1.1 host header is lost in FortiGuard web proxy requests.
File Filter
Bug ID Description
626652 The unknown and BIN file types catch too many random files, which leads to inconsistent results for
web traffic.
627795 In flow mode, file filter log can show the file type, but when in proxy inspection mode, it only shows
unknown file type.

Fortinet Inc.
Resolved issues
Firewall
Bug ID Description
590039 Samsung OEM internet browser cannot connect to FortiGate VS/VIP.
595949 Any changes to the security policy table causes the hit count to reset.
596633 In NGFW mode, IPS engine drops RPC data channel when IPS profile is applied to a security
policy.
606962 Timeout value is not reflected correctly to a new session when changing timeout value for system
session-ttl on FortiGate-HV.
628841 Internet service entry not detected due to some IP ranges being duplicated.
633856 Sessions are marked as dirty when a route change happens, but the route still exists.
635007 Updates causing conserve mode.
635074 Firewall policy dstaddr does not show virtual server available based on virtual WAN link member.
643841 DCE RPC helper cannot parse fragmented EPM packet.
644638 Policy with Tor-Exit.Node as source is not blocking traffic coming from Tor.
644865 Query string parameters omitted (HTTP redirect, SSL offloading).
645075 Real server byte counter resetting.
FortiView
Bug ID Description
573138 When the data source is FortiGate Cloud, there is no paging to load sessions; only entries 1-499 are
rendered.
615524 FortiView > All Sessions should be supported as a standalone dashboard widget in navigation bar.
639109 Top Countries/Regions by Bytes widget keeps trying to load.
640759 Unable to filter FortiView sessions in FortiOS 6.4.x.
GUI
Bug ID Description
513694 User cannot log in to GUI when password change is required and has pre-login or post-login banner
enabled or FIPS mode.

Fortinet Inc.
Resolved issues
Bug ID Description
516031 The following behaviors regarding security profiles have changed:

l Remove the Feature Visibility > Multiple Security Profiles option.
l All security profiles will allow multiple profiles by default.
l All security profile pages will be a list of profiles.
528145 BGP configuration gets applied on the wrong VDOM if user switches VDOM selection in between
operations (slow GUI).
541042 Log viewer Forward Traffic does not support multiple filters for one field.
547697 Inconsistency/confusion regarding Hostname field in FortiOS web filter log.
567936 Saved SMS phone number is missing + for country code.
577991 Dotted line shown between FortiGate and second tier switch in Managed FortiSwitch topology.
592073 LED indications for FortiSwitch ports do not auto-reflect the changes made on PoE.
594534 GUI shows Invalid LDAP server error while LDAP query successfully finished.
594702 When sorting the interface list by the Name column, the ports are not always in the correct order
(port10 appears before port2).
594991 New service group for explicit proxy could not be saved from GUI.
598222 After upgrading to 6.4.x from 6.2.5 and earlier, users must clear the browser cache for the best user
experience with the new firmware.
601568 Interface status is not displayed on faceplate when viewed from System > HA page.
601879 When logging in to the dashboard after a factory reset, the dashboard displays The web page
cannot be found.
604682 GUI takes two minutes to load VPN > IPsec Tunnels for 1483 tunnels.
605030 Send Logs to FortiCloud and Cloud Logging options not available in GUI for FG-900D.
605496 Configured overlapped subnet on GUI still shows error message after enabling subnet overlap.
606967 One-time schedules are not displayed correctly in Safari browser.
607296 Firewall address keeps loading addresses with read-write permission.
607549 GUI CMDB API to support case sensitive/insensitive filtering.
612236 RADIUS test fails from the GUI as it does not use the configured Authentication method, and
authentication fails; test passes on the CLI.
615267 In Firefox, SAML SSO admin cannot create additional SSO admins or normal admins via the GUI.
616878 DHCP relay IP address not showing on Network > Interfaces page for VLAN interface.
618379 Option for TLS in Fortinet FSSO connector does not change port to CA TLS port 8001.
618617 CLI parser error: shaper-profile default class with 0% bandwidth guarantee only possible in
GUI.

Fortinet Inc.
Resolved issues
Bug ID Description
620854 GUI should not add speed to virtual switch member port (FG-101F).
621902 Default gateway address of DHCP server setting does not follow the interface address when Same
as Interface IP is selected.
623109 IPS Filter Details column is empty when All is used.
623939 Interface bandwidth widgets for WAN, PPPoE and VDOM link interfaces are not loading.
624050 FortiGuard page does not open with custom read-write permission in the account profile (403
forbidden error).
624551 On POE devices, several sections of the GUI take over 15 seconds to fully load.
624662 CLI panel allows read-only managed device to be configured by read-only admin.
628373 Software switch members and their VLANs are not visible in the GUI interfaces list.
629139 Security Rating reports should not run as a dependent of Topology reports on downstream
FortiGates.
630638 Add a warning when Capture Packets is enabled in policy dialog.
631734 GUI not displaying PoE total power budget on FOS 6.2.3.
633937 GUI is not displaying DHCP configuration if the interface name includes the \ character.
634677 User group not visible in GUI when editing the user with a single right-click.
635538 In FortiGate SAML authentication with Azure AD, service provider configuration is grayed-out.
638034 Ctrl + V does not paste command in GUI CLI console and Ctrl + C does not copy selected output in
CLI console.
638277 Firewall address group object (including interface subnet) is invisible in Accessible Networks.
638615 SSO admin cannot open CLI console.
638911 IPS and application control actions cannot be modified to Quarantine.
639129 IPsec aggregate is not shown in Dashboard > Network > IPsec widget.
639163 GUI does not show user group information on firewall user widget.
639288 No historical sessions can be displayed when FortiView widget opens from Show in FortiView.
639542 The Edit pane for PAC File Content on the Explicit Proxy page cannot be opened.
639617 On Explicit Web Proxy Policy page, unable to change Outgoing Source IP option from IP Pools to
Proxy Default or Original Source IP. CLI does not have this issue.
642028 On some platforms (FG-60E-61E/81E), the CLI console in the GUI may not function immediately
after bootup.
642402 LCP-1250RJ3SR-K transceiver shows a warning in the GUI even though it is certified.
644999 Fortinet-sold active direct attached cable (SP-CABLE-ADASFP+) is showing as not certified by
Fortinet.

Fortinet Inc.
Resolved issues
HA
Bug ID Description
595340 hasync process consuming 80-95% CPU.
609631 Simultaneous reboot of both nodes in HA when gtp-enhance-mode enabled or disabled.
627610 When HA primary device is down, a time synchronization with NTP servers will be disabled after
failback.
627851 After the HA peer node has been replaced, need a way to reset the HA health status back to OK.
630070 HA is failing over due to cmdbsvr crashes.
631342 FG-100D HA active-passive mode not syncing.
634604 SCTP sessions are not fully synchronized between primary and secondary devices in version
5.6.11 on FG-3240C.
637843 HA secondary device is reporting multiple events (DDNS update failed).
638287 private-data-encryption causes cluster to be periodically out of sync due to customer

certificates.
639307 Both primary and secondary consoles keep printing get_ha_sync_obj_sig_4dir: stat
/etc/cert/ca/5c44d531.0 error 2.
640428 SSL VPN related auth login user event logs do not require HA to be in sync.
643958 Inconsistent data from FFDB caused several confsyncd crashes.
645293 traceroute not working in asymmetric FGSP environment.
645387 HA pingsvr is in up state in spite of lnkmtd showing it as being in die state.
648073 HA cluster uses physical port MAC address at the time of HA failover.
Intrusion Prevention
Bug ID Description
582936 IPS traffic log and PCAP archive do not match.
595062 SSL offloading randomly does not work when UTM (AV/IPS) is enabled in firewall policy.
617588 Unable to open TCP application via IPsec tunnel when np-accel-mode is enabled.
631381 RDP NLA authentication blocked by FortiGate when enabling IPS profile in the security group
(central NAT).
638235 Some IPS logs do not include direction field.

Fortinet Inc.
Resolved issues
IPsec VPN
Bug ID Description
516029 Remove the IPsec global lock.
610203 When an offloaded IPsec SA uses NP6 reserved space, it gets stuck and packets on the tunnel start
to drop.
622959 FortiGate does not send framed IPv6 address in RADIUS accounting records.
631804 OCVPN errors showing in logs when OCVPN is disabled.
631968 IKE daemon signal 6 crash when phase1 add-gw-route is enabled.
634883 IKE crashes at ike_hasync__xauth.
635325 Static route for site-to site VPN remains active even when the tunnel is down.
645196 Static routes added by iked in non-root VDOM are not removed when tunnel interface status is set
to down by configuration change.
Log & Report
Bug ID Description
589782 IPS sensor log-attack-context output truncated.
605405 IPS logs are recorded twice with TCP offloading on virtual server.
607449 Log searches being conducted in a FortiGate for logs stored on a FortiAnalyzer are only sent as
case-sensitive.
630769 miglogd crashes when the FortiGate does a weekly log purge.
634947 rlogd signal 11 crashes.
635013 FortiOS gives wrong time stamp when querying FortiGate Cloud log view.
637117 Incomplete log field returned from CEF formatted syslog message.
639807 PBA logs show only 0 or 1 duration in logs; cannot answer data requests from law enforcement.
641450 miglogd processes bound to busy CPUs even though there are other completely idle CPUs
available.

Fortinet Inc.
Resolved issues
Proxy
Bug ID Description
586281 WAD memory corruption.
603195 Multiple WAD crashes with signal 11.
623108 FTP-TP reaches high memory usage and triggers conserve mode.
624245 WAD crashes when all of these conditions are met: policy is doing deep inspection, SNI in client
hello is in the exempt list, server certificate CNAME is not in the exempt list.
631542 WAD signal 11 crash logs SSL/TLS errors and disconnects with the OCSP stapling.
633175 WAD crash observed, wad_http_pattern_match_response + 0x0045, on FG-80E-POE

during regression testing.
636508 FortiGate blocks traffic in transparent proxy policy, even if the traffic matches the proxy address.
637389 The WAD process is crashing multiple times.
640427 Web proxy WAD crash under WAN Opt auto-active mode.
643725 The IMAP proxy crashes with signal 7 (SIGBUS).
645943 Memory usage spike (all WAD workers) without bandwidth spike.
Routing
Bug ID Description
624621 Log traffic to remote servers does not follow SD-WAN rules.
627951 NTP and FSSO not following SD-WAN rules.
628896 DHCP relay does not match the SD-WAN policy route.
632160 FortiGuard GeoIP queries (TCP/443) and FortiSandbox Cloud traffic do not follow policy route/SD-
WAN rule.
632285 Health check SLA status log shows configured bandwidth value instead of used bandwidth value.
633463 DRother firewall in OSPFv3 generates neighbor state is less than Exchange log for the
LSA update from a DCother neighbor.
633600 BGP hold time and keepalive timers are not updated on spokes after changing on the hub side.
635716 FortiGuard web filter traffic also needs to follow SD-WAN service.
639834 Inconsistency in source IP-based ECMP for IPv6.
641022 Kernel does not remove duplicate routes generated by SD-WAN health checks when hostname IP
changes.

Fortinet Inc.
Resolved issues
Bug ID Description
641928 When BGP's recursive next hop can be resolved by multiple routes, the recursive distance is not
taken into account when installing the routes. Multiple ECMP paths can be installed with different
recursive distances to the next hop.
646418 SD-WAN information available in session list is confusing.
Security Fabric
Bug ID Description
619696 Automation stitch traffic is sent via mgmt with ha-direct to AWS Lambda after upgrading from
6.0.9 to 6.2.3
622032 SSH as automation action is not working as expected.
626691 FG-60F unable to join Security Fabric, unknown CA.
629723 SDN dynamic address import is too slow, and HA sync may miss endpoints in high scale and stress
conditions.
631607 CSF root FortiGate cannot listen to loopback interface.
637464 FortiMail appears as Unknown fabric device when multi-vdom is enabled.
638512 User sees a Failed to send request error when generating access token for FortiMail under multi-
VDOM FortiGate.
641006 Automation stitch causes HA sync failure.
SSL VPN
Bug ID Description
505986 On IE 11, SSL VPN web portal displays blank page titled {{::data.portal.heading}} after
authentication.
573853 TX packet drops on SSL root interface.
604772 SSL VPN tunnel is unexpectedly down sometimes when certificate bundle is updated.
608464 Get 305 error when browsing website through SSL VPN web mode bookmark and sslvpnd crashes.
611498 SMB/CIFS traffic via SSL VPN web mode not using correct SNAT IP (IP pool).
613612 Important GUI pages in 6.4.0 are not rendered well by SSL VPN portal.
620508 CLI command get vpn ssl monitor displays users from other VDOM.

Fortinet Inc.
Resolved issues
Bug ID Description
622110 SSL VPN disconnected when importing or renaming CA certificates.
623076 Add memory protection for web mode SSL VPN child process (guacd).
623217 Website pop-up error using SSL VPN web mode.
623379 Memory corrupt in some DNS callback cases causes SSL VPN crash.
624283 Customer has to manually add domain in SMB share login through SSL VPN portal.
624899 Log entry for tunnel stats shows wrong tunnel ID when using RDP bookmark.
624904 The company website is not shown properly in SSL VPN web mode.
626228 Bookmark does not load though SSL VPN web mode.
626237 SAP portal link is not working in SSL VPN web mode.
626822 SSL VPN denies login after receiving FortiToken Cloud token and entering token.
627150 SSL VPN web mode unable to load custom web application JavaScript parts.
627456 Traffic cannot pass when SAML user logs in to SSL VPN portal with group match.
628059 SSL VPN web mode gets redirected out of SSL VPN proxy.
628597 Unable to load the SSL VPN bookmark internal website https://fi***.
628801 Internal web application is not opened after the login.
628821 Internal aixws7test2 portal is not loading in SSL VPN web mode.
629190 After SSL VPN proxy, some JS files of hapi website could not work.
629373 SAML login button is lost on SSL VPN portal.
630432 Slides in website https://re***.nz are displayed in SSL VPN web mode.
631050 ERR_EMPTY_RESPONSE while accessing internal portal's webpages in SSL VPN web mode.
631130 Internal site http://va***.com not completely loading through SSL VPN web mode bookmark.
631402 Website (https://uj***) is not accessible in SSL VPN web mode.
631510 Some internal servers do not provide any content type or content length in response header;
sslvpnd treats it as HTML file to handle and has problem to finish it.
631809 Configuring thousands of mac-addr-check-rule in portal makes the CPU spike significantly if
several hundreds of users are connecting to the FortiGate, thus causing SSL VPN packet drops.
633047 Cannot load local 1C application through web mode.
633114 Cannot access internal website pl***.fr using SSL VPN web mode.
633812 For guacd daemon generated for RDP session, it would sometimes be in an unknown state with
100% CPU and could not be released.
634210 SSL VPN daemon crash due to limit-user-login.

Fortinet Inc.
Resolved issues
Bug ID Description
634991 Internal server error 500 while accessing contolavdip portal in SSL VPN web mode.
635307 Map could not be displayed correctly in SSL VPN web mode.
635341 SSL VPN not assigning IP from local IP pool when framed IP address is received with value
0xFFFFFFFE.
635608 Map could not be displayed correctly in SSL VPN web mode.
635896 The sa***.org website is not shown properly in SSL VPN web mode.
635899 SharePoint portal URL links for Office documents are not redirected over SSL VPN web mode in
Firefox.
635907 AM*** website is not shown properly using SSL VPN web mode.
636332 With SSL VPN proxy JIRA web application, get one wrong URL without proxy path.
636984 Website (pr***.com) not loading properly in SSL VPN web mode.
637018 After the upgrade to 6.0.10/6.2.4/6.4.0, SSL VPN portal mapping/remote authentication is matching
user into the incorrect group.
637164 The customer's website (https://vpn.***.org) is not shown properly using SSL VPN web mode.
638733 Internal website hosted in bookmark https://in***.cat is not loading completely in SSL VPN web
mode.
639431 Three of the internal applications/portal bookmarks do not load/partially work with SSL VPN web
mode.
639768 Log in page loading with delays in web mode.
639789 Apache Guacamole page is redirected to direct link in SSL VPN web mode.
640167 The Run*** website is not displayed properly using SSL VPN web mode.
642225 The IC*** internal website is not displayed properly using SSL VPN web mode.
643598 Application is not working using SSL VPN web mode.
643749 SSL VPN crashes when accessing a realm with an incorrect user, or when the correct user enters
the wrong password.
644506 Cannot authenticate to SSL VPN using 2FA if remote LDAP user and user within RADIUS group
has same user name and password.
644607 Sco*** internal portal webpage is not loading after logging in with web mode.
645276 After SSL VPN web mode proxy, some JS files of sthlm04 SCA*** website have problems.
646429 Update Telnet idle timeout setting and fix issue of Telnet not working.
647296 SSL VPN web mode problem with https://de***.com.
648192 DTLS tunnel performance improvements by allowing multiple packets to be read from the kernel
driver, and redistributing the UDP packets to several worker processes in the kernel.
648369 Some JS files of ji***.v** could not run in SSL VPN web mode.

Fortinet Inc.
Resolved issues
Bug ID Description
649197 Unable to use editor in Atlassian internal Confluence portal over SSL VPN web mode.
649466 SSL VPN authentication fails when all-usergroup is enabled in RADIUS server.
Switch Controller
Bug ID Description
620718 FortiSwitch port goes down and up too quickly when bounce-nac-port is enabled, and the
device interface does not get the new DHCP IP.
633842 FortiLink down with LACP mode set to active.
646178 It is possible to view information of shared FortiSwitch ports in a tenant VDOM from the GUI, but
there should not be recommended configuration changes in the GUI. Please use CLI for
configuration changes.
System
Bug ID Description
506485 FortiOS get system interface cross-check command improvement.
552788 DSL route not removed when interface is down.
567019 CP9 VPN queue tasklet unable to handle kernel NULL pointer dereference at 0000000000000120
and device reboots.
572847 The wan1, wan2, and dmz interfaces should not be configured as hardware switch members on the
60F series. The wan interface should not be configured as a hardware switch member on the 40F
series.
576323 SFP+ 1G speed should be supported on FG-1100E, FG-1800F, FG-2200E, and FG-3300E series.
594264 NP-offloaded active TCP/UDP sessions established over IPsec VPN tunnels will timeout at session
TTL expiry.
594871 Potential memory leak triggered by FTP command in WAD.
596209 Device has become unmanageable; receiving errno=Resource temporarily unavailable

when trying to update objects.
598928 FortiGate restarts FGFM tunnel every two minutes when FortiManager is defined as FQDN.
605723 FG-600E stops sending out packets on its SPF and copper port on NP6.

Fortinet Inc.
Resolved issues
Bug ID Description
611512 When a LAG is created between 10 GE SFP+ slots and 25 GE SFP28/10 GE SFP+ slots, only
about 50% of the sessions can be created. Affected models: FG-110xE, FG-220xE, and FG-330xE.
612302 FortiOS is not sending out IPv6 router advertisements from the link-local addresses added on the
fly.
613017 ip6-extra-addr does not perform router advertisement after reboot in HA.
615586 Incorrect IP/MAC address on ESXi hosts.
617134 Traffic not showing statistics for VLAN interfaces based on hardware switch.
617154 Fortinet_CA is missing in FG-3400E.
618158 DHCP client cannot get IP address when NTP server option in DHCP server settings is set to Same
as System NTP.
618762 Fail to detect transceiver on all SFP28/QSFP ports. Affected platforms: FG-3300E and FG-3301E.
626371 Request to blocked signature with SSL mirrored traffic capture causes FG-500E to reboot.
626785 FG-101F should support the same WTP size (128) as the FG-100F.
627054 HTTPSD signal 6 crash in cases of long application lists that are greater or equal to the maximum
size of 16.
627409 Cannot create hardware switch on FG-100F.
627629 DHCP client sent invalid DHCP-REQUEST format during INIT state.
628642 Issue when packets from same session are forwarded to each LACP member when NPx offload is
enabled.
630658 Auto-script output file size over 400 MB when configured output size is default 10 MB.
632353 Virtual WAN link stops responding after 45 members.
632407 Cannot delete VDOM due to ssl.vdom1 interface after changing mode from split-task VDOM to multi
VDOM.
632635 Frame size option in sniffer does not work.
633102 DHCPv6 client's DUID generated on two different FortiGates match.
633298 10G ports x1/x2 cannot be set as interfaces in firewall acl/acl6 policies.
634415 Speed of 100G in get system interface cross-check shown incorrectly as 34464 for
Fortinet-authorized FINISAR CORP FTLC9551REPM.
634494 accprofile permission for config system link-monitor is not correct.
634495 accprofile permission for execute ping is not correct.
635308 factoryreset2 does not preserve all interfaces.
636069 Unable to handle kernel NULL pointer dereference at 000000000000008f.
637420 execute shutdown reboots instead of shutting down on SoC4 platforms.

Fortinet Inc.
Resolved issues
Bug ID Description
638041 SFP28 port group (ha1, ha2, port1 and port2) missing 1000full speed option. Affected platforms:
FG-220xE, FG-330xE, FG-340xE, and FG-360xE.
638738 In VDOM, config log syslogd xxx is not shown in show full-configuration.
639623 Possible conflicts between software switch VLAN setting and its member interface VLAN setting.
641419 FG-40F LAN interfaces are down after upgrading to 6.2.4 (build 5632).
641708 FTLF8536P4BCV shows This transceiver is not certified by Fortinet, corrupt

part number and serial number after HA cluster sync.
643188 Interface forward-error-correction setting not honored after reboot.
644427 Interface forward-error-correction setting not honored after reboot. Affected platforms: FG-
1100E, FG-1101E, FG-2200E, FG-2201E, FG-3300E, FG-3301E, FG-3400E, and FG-3600E.
645363 SNMP monitoring does not provide the SD-WAN member interface name.
647593 After reboot, forward-error-correction value is not maintained as it should be.
647718 VDOM with long name cannot be deleted.
647777 FortiGate not responding to DHCP relay requests from clients behind a DHCP relay.
648977 Sometimes when updating the FortiGate license, there is a certificate verification failure.
649506 Sometimes FortiGate does not boot when restoring configuration using private data encryption.
678809 dhcpd crashes with signal 6 because the timer is not canceled before calling the free release
function.
Upgrade
Bug ID Description
635589 Upon upgrading to an affected 6.2 or 6.4 firmware, DoS policies configured on interfaces may drop
traffic that is passing through the DoS policy configuration. Note that this can occur if the DoS policy
is configured in drop or monitor mode.
Workaround: disable the DoS policy.
User & Authentication
Bug ID Description
597319 In SSL VPN certificate authentication, add auth policies in base of LDAP group.
605838 Device identification scanner crashes on receipt of SSDP search.

Fortinet Inc.
Resolved issues
Bug ID Description
620941 Two-factor authentication using FortiClient SSL VPN and FortiToken Cloud is not working due to
push notification delay.
625107 No response when using FTM-PUSH because unable to set source IP for FTM-PUSH.
627144 Remote admin LDAP user login has authentication failure when the same LDAP user has local two-
factor authentication.
629487 Older FortiGate models do not have CA2 and will cause EMS server authentication to fail.
634580 Peer users are matching every group instead of only groups based on the LDAP group
membership.
635385 In HA cluster, RADIUS accounting not working with use-management-vdom enable.
637577 Inconsistent fnbamd LDAP group match result.
638593 Certificate verification fails if any CA in a peer-provided certificate chain expires, but its cross-signed
certificate is still valid in the system trust store.
658982 ADVPN IKEv2 certificate authentication does not work with OCSP check when certificates do not
contain OCSP path.
663692 FortiOS queries first 10 LDAP servers for user authentication.
VM
Bug ID Description
587180 FG-VM64-KVM is unable to boot up properly when doing a hard reboot with the host.
603100 Autoscale not syncing certificate among the cluster members.
623376 Cross-zone HA breaks after upgrading to 6.4.0 because upgrade process does not add relevant
items under vdom-exception.
624657 Azure changes FPGA for Accelerated Networking live and VM loses SR-IOV interfaces.
626705 By assigning port1 as the HA management port, the HA secondary unit node is now able to send
system information to the Azure portal through waagent so that up-to-date information is displayed
on the Azure dashboard.
If port1 is not used as the HA management port, the Azure display and Azure Security Center alerts
will not reflect the correct state of the node, which may result in unnecessary alarms.
629709 AWS VM stops processing traffic in some interfaces when running diagnose debug
application ike -1.
634245 Dynamic address objects are not resolved to all addresses using Azure SDN connector.
634499 AWS FortiGate NIC gets swapped between port2 and port3 after FortiGate reboots.
637376 In FG-VM64-HV, 802.1Q does not work on interfaces with DPDK enabled.

Fortinet Inc.
Resolved issues
Bug ID Description
641038 SSL VPN performance problem on OCI due to driver.
644130 FortiGates in multi-Azure sync their SP addresses for SAML admin authentication.
653567 Admin cannot log in to FortiGate VM GUI after license expired.
VoIP
Bug ID Description
643548 SIP transfer calls fail when extensions are behind the same FortiGate (spoke).
Web Application Firewall
Bug ID Description
624452 user-agent setting under config system external-resource does not accept XSS
characters.
Web Filter
Bug ID Description
576862 Update urlfilteridx in traffic log to be webfilter.urlfilter.entry.id.
611501 Clarify meaning of urlfilteridx=0 log field when proxy-based inspection is used.
621807, Filtering Services Availability status is down on the GUI when HTTP/80 is used for web filtering
625897 rating service.
629005 foauthd has signal 11 crashes when FortiGate does authentication for a web filter category.
630232 Certain regex static URL entries stopped working in 6.2.3.
636754 If the last line in a threat feed does not end with \n, it is not parsed and is not displayed in the GUI.
647227 Externally imported list (custom threat feed) is matching incorrectly in web filter remote category.

Fortinet Inc.
Resolved issues
WiFi Controller
Bug ID Description
605937 WiFi health monitor Client Count widget shows clients on the wrong band (on local standalone
SSID).
625326 FortiAP not coming online on FG-PPPoE interface.
638537 Applications, Destinations, and Policies keep loading for WiFi Clients > Diagnostics and Tools drill-
down.
641811 In FG-100F/101F with PPPoE interface, the FortiGate could not manage FortiAP.
Common Vulnerabilities and Exposures
Visit https://fortiguard.com/psirt for more information.
Bug ID CVE references
558685 FortiOS 6.4.2 is no longer vulnerable to the following CVE Reference:

l CVE-2020-12812

l CVE-2019-16151
618238 FortiOS 6.4.2 running AV engine version 6.00145 or later is no longer vulnerable to the following
CVE Reference:
l CVE-2020-9295

l CVE-2020-15937

l CVE-2020-12819

Fortinet Inc.
Known issues
The following issues have been identified in version 6.4.2. For inquires about a particular bug or to report a bug, please
contact Customer Service & Support.
Anti Virus
Bug ID Description
752420 If a .TAR.BZ2 or .TAR.GZ archive contains an archive bomb inside its compressed stream, the AV
engine will time out.
Data Leak Prevention
Bug ID Description
616918 DLP cannot detect attached ZIP and PDF files when receiving emails via MAPI over HTTPS.
DNS Filter
Bug ID Description
643521 DNS filter may encounter delays when connecting to anycast servers over TLS/853.
Workaround: Disable the anycast server or allow the rating error.
Explicit Proxy
Bug ID Description
650540 FortiGate sends traffic to an incorrect port using a wrong source NAT IP address.
654211 When the category proxy address is applied in a proxy policy, if SOCKS traffic passes through the
web proxy, when matching the SOCKS traffic with the proxy address, the WAD will crash with signal
11 at wad_url_choose_cate. Browsers may send SOCKS traffic in the background from time to
time.

Fortinet Inc.
Known issues
Firewall
Bug ID Description
586995 Cluster VDOM policy statistics data is not correct when VFID is different for same VDOM on
primary/secondary.
609027 SCTP secondary path not working in ECMP context; incorrect expectation session created from
auxiliary session.
616220 ICMP reply packets dropped by the FortiGate.
660461 Configuration changes take a long time, and ipsmonitor and cmdbsrv processes go up to 100% of
CPU in a large complex configuration
FortiView
Bug ID Description
643198 Threats drilldown for Sources, Destinations, and Country/Region (1 hour, 24 hours, 7 days) gives
the error, Failed to retrieve FortiView data.
673478 Some FortiView graphs and drilldown views show empty data due to filtering issue. Affected
graphs/views: Top System Events, Top Authentication Failures, Policy View, and Compromised
Host View.
GUI
Bug ID Description
446427 Using the GUI to update a VDOM license fails when the new license has lower VDOM count than
the current license.
547123 The help message for gui-dynamic-profile-display is not correct.
561889 When creating a firewall with an invalid subnet mask, an error is not generated.
567996 Managed FortiSwitch and FortiSwitch Ports pages cannot load when there is a large number of
managed FortiSwitches.
588159 When disabling Allow Endpoint Registration on the VPN Creation Wizard, the action succeeds, but
the error Unable to setup VPN is incorrectly displayed.
602102 Warning message is not displayed when a user configures an interface with a static IP address that
is already in use.

Fortinet Inc.
Known issues
Bug ID Description
606814 When creating a profile group with an SSL/SSH profile of no-inspection, the profile group correctly
displays this, but when you edit the profile, certificate-inspection is displayed.
612066 GUI does not allow user to select SSL VPN tunnel when configuring Multicast routing.
634550 GARP is not sent when using the GUI to move a VDOM from one virtual cluster to another. GARP is
sent when using the CLI.
638752 FortiGates in an HA A-P configuration may lose GUI access to the HA secondary device after a
period of 8 days of inactivity, when at least one static IPv6 address is configured on an interface.
638822 On Dashboard Setup page, changes made by super administrator and administrator of multiple
VDOMs should be reflected in all managed VDOMs.
645441 The FortiAnalyzer Cloud card on the Fabric Connectors page displays status as connected when it
is not connected.
646327 Web filter profile dialog cannot load URL filter table if there are a lot of URL filters.
649027 The FortiLink Interface pane incorrectly displays high CPU usage and poor health.
650307 GUI does not show the configured external FortiGuard category in the SSL-SSH profile's exempt
list.
651412 Unable to print user data for guest management.
651711 Unable to select an address group when configuring Source IP Pools for an SSL VPN portal.
652394 GUI cannot change action for the web-based email category in DNS filter profile.
653240 When refreshing the FortiGuard page, connectivity status for Web Filtering and Anti-Spam
incorrectly changes from up to down.
653422 When VDOM is enabled, the GUI cannot be used to edit a remote user group from within the
Administrators dialog.
654186 The top charts of the Device Inventory Monitor dashboard are empty when the visualization is set to
table view.
654250 Firewall users cannot change their password via web captive portal when password renewal is
enforced by the firewall policy for remote users.
654256 GUI interface speed test fails when there are multiple VDOMs.
654339 GUI search does not work in the interface list if DHCP client and range columns are present.
655568 Users cannot deselect Administrative Access options for VLAN interfaces from the GUI; the CLI
must be used.
655891 Web CLI console cannot load due to Connection lost if port 8080 is used (HTTP).
656139 When editing the Interface column from the Multicast Policy page, an empty column appears when
the any entry is selected from Select Entries and applied. The same occurs from the NAT64 and
NAT46 policy pages.
656429 Intermittent GUI process crash if a managed FortiSwitch returns a reset status.

Fortinet Inc.
Known issues
Bug ID Description
656668 On the System > HA page, GUI tooltip for the reserved management interface incorrectly shows the
connecting IP address instead of the configured IP address.
657322 For AV profiles, the outbreak-prevention setting on enabled protocols is not automatically
configured when enabling Use External Malware Block List.
657545 Enabling the Dynamic Gateway toggle for a static route fails without warning when the configuration
is incorrect.
661582 Date/Time filter does not work on FortiGate Cloud logs.
662873 Editing the LDAP server in the GUI removes the line set server-identity-check disable
from the configuration.
663351 Connectivity test for RADIUS server using CHAP authentication always returns failure.
663956 Unable to load web CLI console for LDAP admin with a login name that contains a space.
665712 When multiple favorite menus are configured, the new features video pops up after each GUI login,
even though user previously selected Don't show again.
668470 FortiGuard DDNS setting incorrectly displays truncated unique location and empty server selection
after saving changes.
668646 FortiSwitch topology is not shown on Managed FortiSwitch page topology view.
672599 After performing a search on firewall Addresses, the matched count over total count displayed for
each address type shows an incorrect total count number. The search functionality still works
correctly.
680805 The list of firewall schedules displays time based on the browser time, even though the global time
preference is set to use the FortiGate system time. The Edit Schedule page does not have this
issue.
682008 On SSL-VPN Settings page, the option to send an SSL VPN configuration to a user for FortiClient
provisioning does not support showing a domain name for the VPN gateway.
688016 GUI interface bandwidth widget does not show correct data for tunnel interface when ASIC offload
is enabled on the firewall policy.
689605 On some browser versions, the GUI displays a blank dialog when creating custom application or
IPS signatures. Affected browsers: Firefox 85.0, Microsoft Edge 88.0, and Chrome 88.0.
HA
Bug ID Description
651177 When secondary device reboots, it adds an interface to the virtual switch. Secondary cannot
synchronize after it starts, as that interface disappears in system interface and virtual-
switch.

Fortinet Inc.
Known issues
Bug ID Description
654341 The new join-in secondary chassis failed to sync, while primary chassis has 6K policies in one
VDOM.
656099 mgmt interfaces are excluded for heartbeat interfaces (even if dedicate-mgmt is not enabled).
662893 HA cluster goes out of sync if SAML SSO admin logs in to the device.
678309 Cluster is out of sync because of config vpn certificate ca after upgrade.
Intrusion Prevention
Bug ID Description
654307 Wrong direction and banned location by quarantine action for ICMP.Oversized.Packet in
NGFW policy mode.
IPsec VPN
Bug ID Description
592361 Cannot pass traffic over ADVPN if: tunnel-search is set to nexthop, net-device disable,
mode-cfg enable, and add-route disable.
646012 IPsec over DHCP randomly works when net-device is disabled.
652774 OCVPN spoke-to-spoke communication intermittently fails with mixed topology where some spokes
have two ISPs and some have one, but the hubs have two.
659535 Setting same phase1-interface in SD-WAN member and SD-WAN zone causes iked watchdog
timeout.
Log & Report
Bug ID Description
643840 vwlservice should log the SD-WAN rule and not an internet service; impacts FortiAnalyzer SD-
WAN monitor widgets and reports.
661040 Cyrillic characters not displayed properly in local reports.

Fortinet Inc.
Known issues
Proxy
Bug ID Description
648831 WAD memory leak caused by Kerberos proxy authentication.
658654 Cannot access specific website using proxy-based UTM with certification inspection due to delays
from the server in replying to ClientHello message when a second connection from the same IP is
also waiting for ClientHello.
Routing
Bug ID Description
641050 Need support for SSL VPN web mode traffic to follow SD-WAN rules/policy route.
661769 SD-WAN rule disappears when an SD-WAN member experiences a dynamic change, such as
during a dynamic PPPoE interface update.
666829 Application bfdd crashes.
Security Fabric
Bug ID Description
614691 Slow GUI performance in large Fabric topology with over 50 downstream devices.
649344 When viewing CSF child Dashboard > WiFi from parent FortiGate, GUI reports, Cannot read
property 'spectrum_analysis' of undefined.
652737 FortiGate does not send interface configuration to FortiIPAM.
653368 Root FortiGate fails to load Fabric topology if HA downstream device has a trusted device in both
primary and secondary FortiGates.
660250 IPAMD causes high memory after a few days as the JSON was not freed.
662128 Security Rating Summary trigger is not available in multi-VDOM mode.

Fortinet Inc.
Known issues
SSL VPN
Bug ID Description
642838 Redirected URLs do not work in web mode for am***.com.
649130 SSL VPN log entries display users from other VDOMs.
651942 For RADIUS server, all-usergroup does not work if there is a same remote user created but not
used by SSL VPN.
Switch Controller
Bug ID Description
649913 HA cluster not synchronizing when configuring an active LACP with MCLAG via FortiManager.
652745 Compatibility issues with FortiGate in 6.0 branch and FortiSwitch 424E-Fiber.
System
Bug ID Description
594577 Out-of order packets for an offloaded multicast stream.
598464 Reboot of FG-1500D in 5.6.x during upgrade causes an L2 loop on the heartbeat interface and
VLAN is disabled on switch side.
607565 Interface emac-vlan feature does not work on SoC4 platform.
627269 Wildcard FQDN not resolved on the secondary unit.
633827 Errors during fuzzy tests on FG-1500D.
642327 FortiGate unable to boot with kernel panic by cmdbsvr when VLAN is configured on redundant
interface with non-NPU port.
644380 FG-40F/60F kernel panic if upgrading from 6.4.0 due to configuration file having a name conflict of
fortilink as both aggregate interface and virtual switch name.
Workaround: back up the 6.4.0 configuration, perform a clean install via TFTP of FortiOS 6.4.2,
and restore the 6.4.0 configuration.
644782 A large number of detected devices causes httpsd to consume resources and causes low-end
devices enter conserve mode.
648083 cmdbsvr may crash with signal 11 (segmentation fault) when frequently changing firewall policies.
651103 FG-101F crashed and rebooted when adding vlan-protocol 8021ad VLAN.

Fortinet Inc.
Known issues
Bug ID Description
654624 Error message shown (get_ha_sync_obj_sig_4dir delete broken symbolic

link/etc/cert/ca/5c44d531.0) when upgrading from 6.4.1.
662208 Configuration changes take a long time and cmdbsrv processes use up to 100% CPU.
662239 FGR-60F-3G4G hardware switch span does not work.
663603 The maximum number of IPS supported by each NTurbo load balancer should be 7 instead of 8 on
FG-3300E and FG-3301E.
663815 Low IPS HTTP throughput on SoC4 platforms.
Upgrade
Bug ID Description
656869 FG-100F/101F may continuously boot upon upgrading from FortiOS 6.4.0.
Workaround: back up the 6.4.0 configuration, perform a clean install via TFTP of FortiOS 6.4.2,
and restore the 6.4.0 configuration.
User & Authentication
Bug ID Description
655422 A space after a comma within CN is incorrectly removed during the bind request causing
authentication failure (LDAP).
659456 REST API authentication fails for API user with PKI group enabled due to fnbamd crash.
VM
Bug ID Description
639258 Autoscale GCP health check is not successful (port 8443 HTTPS).
596742 Azure SDN connector replicates configuration from primary device to secondary device during
configuration restore.
617046 FG-VMX manager not showing all the nodes deployed.
647800 Merge FIPS ciphers to 6.4.3 and 7.0 trunk (visible to AWS and Azure only).
652416 AWS Fabric connector always uses root VDOM even though it is not a management VDOM.

Fortinet Inc.
Known issues
Bug ID Description
657785 On FG-AWS, changing health check protocol to tcp-connect causes kernel panic and reboot.
662969 Azure SDN connector filter count is not showing a stable value.
663276 After cloning the OCI instance, the OCID does not refresh to the new OCID.
663487 Should add router policy in vdom-exception list.
664312 Support vfNIC driving for Broadcom 100G NIC.
668131 EIP is not updating properly on FG-VM Azure.
668625 During every FortiGuard UTM update, there is high CPU usage because only one vCPU is
available.
670166 FG-VM64-KVM configuration revisions lost after upgrading from 6.2.5.
Web Filter
Bug ID Description
654160 Web filter profile count decreased after upgrading to 6.4.0 on FG-100F.
WiFi Controller
Bug ID Description
647703 HTTPS server certificate is not presented when WiFi controller feature is disabled in Feature
Visibility.
655689 Wireless hostapd daemon crashes upon WPA3-SAE connection.
656804 Spectrum analysis disable/enable command removed in CLI from wtp-profile and causing a
bottleneck for APs, such as FAP-222C/223C at 100% CPU.
660991 FAP-U431F cannot view what channel is operating, and the override channel setting must be unset
to change to a different channel.
665766 Client failed to connect SSID with WPA2-Enterprise and user group authentication.

Fortinet Inc.
Limitations
Citrix XenServer limitations
The following limitations apply to Citrix XenServer installations:

l XenTools installation is not supported.
l FortiGate-VM can be imported or deployed in only the following three formats:
l XVA (recommended)
l VHD
l OVF
l The XVA format comes pre-configured with default configurations for VM name, virtual CPU, memory, and virtual
NIC. Other formats will require manual configuration before the first power on process.
Open source XenServer limitations
When using Linux Ubuntu version 11.10, XenServer version 4.1.0, and libvir version 0.9.2, importing issues may arise
when using the QCOW2 format and existing HDA issues.

Fortinet Inc.
Copyright© 2022 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., in the
U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be
trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and
other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding
commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s
General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such
event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be
limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. In no event does Fortinet make any commitment related to future deliverables, features or
development, and circumstances may change such that any forward-looking statements herein are not accurate. Fortinet disclaims in full any covenants, representations, and
guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most
current version of the publication shall be applicable.

Fortios v6.4.2 Release Notes

Uploaded by

Copyright:

Available Formats

Fortios v6.4.2 Release Notes

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Fortios v6.4.2 Release Notes

Uploaded by

Copyright:

Available Formats

FortiOS - Release Notes

FORTINET VIDEO GUIDE

CUSTOMER SERVICE & SUPPORT

FORTINET TRAINING & CERTIFICATION PROGRAM

END USER LICENSE AGREEMENT

FortiOS 6.4.2 Release Notes 3

FortiOS 6.4.2 Release Notes 4

FortiOS 6.4.2 Release Notes 5

Date Change Description

2020-07-30 Initial release.

2020-08-05 Updated Fortinet Security Fabric upgrade.

2020-08-12 Added 656869 to Known issues.

2020-09-02 Updated Changes in default behavior.

2020-09-17 Added 555169 to New features or enhancements.

2020-09-18 Added 606167 to New features or enhancements.

2020-09-21 Updated 623821 in New features or enhancements.

2020-09-23 Updated Known issues and Resolved issues.

2020-10-05 Updated Known issues and Resolved issues.

2020-11-17 Updated 635589 in Resolved issues.

2020-12-07 Added FG-VM64-IBM to Supported models.

FortiOS 6.4.2 Release Notes 6

Date Change Description

2021-02-23 Updated Known issues and Resolved issues.

2021-05-03 Updated Known issues and Resolved issues.

2021-05-31 Updated Known issues and Resolved issues.

2021-06-03 Updated FortiClient compatibility in Product integration and support.

2021-06-16 Updated New features or enhancements and Resolved issues.

2021-08-09 Updated Resolved issues.

2021-08-12 Updated Virtual WAN link member lost.

2021-10-20 Updated Known issues.

2021-11-01 Updated Resolved issues.

2022-05-03 Updated Product integration and support.

FortiOS 6.4.2 Release Notes 7

FortiOS 6.4.2 supports the following models.

FortiGate FG-40F, FG-40F-3G4G, FG-60E, FG-60E-DSL, FG-60E-DSLJ, FG-60E-POE, FG-60F, FG-

FortiWiFi FWF-60E, FWF-60E-DSL, FWF-60E-DSLJ, FWF-61E

FortiGate VM FG-SVM, FG-VM64, FG-VM64-ALI, FG-VM64-ALIONDEMAND, FG-VM64-AWS, FG-VM64-

Pay-as-you-go FOS-VM64, FOS-VM64-HV, FOS-VM64-KVM, FOS-VM64-XEN

Special branch supported models

FWF-40F is released on build 5323.

FWF-40F-3G4G is released on build 5323.

FWF-60F is released on build 5323.

FWF-61F is released on build 5323.

FortiOS 6.4.2 Release Notes 8

l CAPWAP traffic offloading

CAPWAP traffic offloading

FortiClient (Mac OS X) SSL VPN requirements

Use of dedicated management interfaces (mgmt1 and mgmt2)

FortiOS 6.4.2 Release Notes 9

Tags option removed from GUI

System Advanced menu removal (combined with System Settings)

PCI passthrough ports

FG-80E-POE and FG-81E-POE PoE controller firmware update

FortiOS 6.4.2 Release Notes 10

Policy routing enhancements in the reply direction

FortiOS 6.4.2 Release Notes 11

614892 Remove spectrum-analysis in wtp-profile and override-analysis in wtp.

config user nac-policy

FortiOS 6.4.2 Release Notes 12

FortiOS 6.4.2 Release Notes 13