Introduction and supported models

This guide provides release information for FortiOS 6.2.0 build 0866.

For FortiOS documentation, see the Fortinet Document Library.

Supported models

FortiOS 6.2.0 supports the following models.

FortiGate	FG-30E, FG-30E_3G4G_INTL, FG-30E_3G4G_NAM, FG-50E, FG-51E, FG-52E, FG-60E, FG-60E-POE, FG-61E, FG-80D, FG-80E, FG-80E-POE, FG-81E, FG-81E-POE, FG-90E, FG-92D, FG-100D, FG-100E, FG-100EF, FG-101E, FG-140D, FG-140D-POE, FG-140E, FG-140E-POE, FG-200E, FG-201E, FG-300D, FG-300E, FG-301E, FG-400D, FG-400E, FG-401E, FG-500D, FG-500E, FG-501E, FG-600D, FG-600E, FG-601E, FG-800D, FG-900D, FG-1000D, FG-1200D, FG-1500D, FG-1500DT, FG-2000E, FG-2500E, FG3000D, FG-3100D, FG-3200D, FG-3700D, FG-3800D, FG-3810D, FG-3815D, FG-5001D, FG-3960E, FG-3980E, FG-5001E, FG-5001E1
FortiWiFi	FWF-30E, FWF-30E_3G4G_INTL, FWF-30E_3G4G_NAM, FWF-50E, FWF-50E-2R, FWF-51E, FWF-60E, FWF-61E
FortiGate Rugged	FGR-30D, FGR-35D
FortiGate VM	FG-SVM, FG-VM64, FG-VM64-ALI, FG-VM64-ALIONDEMAND, FG-VM64-AWS, FG-VM64-AWSONDEMAND, FG-VM64-HV, FG-VM64-KVM, FG-VMX, FG-VM64-XEN, FG-VM64-GCP, FG-VM64-OPC, FG-VM64-AZURE, FG-VM64-AZUREONDEMAND, FG-VM64-GCPONDEMAND
Pay-as-you-go images	FOS-VM64, FOS-VM64-KVM, FOS-VM64-XEN
FortiOS Carrier	FortiOS Carrier 6.2.0 images are delivered on request and are not available on the Beta portal.

Special Notices

• FortiGuard Security Rating Service l FortiGate hardware limitation l CAPWAP traffic offloading
• FortiClient (Mac OS X) SSL VPN requirements l Use of dedicated management interfaces (mgmt1 and mgmt2) l Using FortiAnalyzer units running older versions on page 8

FortiGuard Security Rating Service

Not all FortiGate models can support running the FortiGuard Security Rating Service as a Fabric “root” device. The following FortiGate platforms can run the FortiGuard Security Rating Service when added to an existing Fortinet Security Fabric managed by a supported FortiGate model: l FGR-30D l FGR-35D l FGT-30E l FGT-30E-MI l FGT-30E-MN l FGT-50E l FGT-51E l FGT-52E l FWF-30E l FWF-30E-MI l FWF-30E-MN l FWF-50E-2R l FWF-50E l FWF-51E

FortiGate hardware limitation

FortiOS 5.4.0 reported an issue with the FG-92D model in the Special Notices > FG-92D High Availability in Interface Mode section of the release notes. Those issues, which were related to the use of port 1 through 14, include:

• PPPoE failing, HA failing to form. l IPv6 packets being dropped. l FortiSwitch devices failing to be discovered. l Spanning tree loops may result depending on the network topology.

Special Notices                                                                                                                                                          7

FG-92D does not support STP. These issues have been improved in FortiOS 5.4.1, but with some side effects with the introduction of a new command, which is enabled by default:

config global set hw-switch-ether-filter <enable | disable>

When the command is enabled:

• ARP (0x0806), IPv4 (0x0800), and VLAN (0x8100) packets are allowed. l BPDUs are dropped and therefore no STP loop results. l PPPoE packets are dropped. l IPv6 packets are dropped. l FortiSwitch devices are not discovered. l HA may fail to form depending the network topology.

When the command is disabled:

• All packet types are allowed, but depending on the network topology, an STP loop may result.

CAPWAP traffic offloading

CAPWAP traffic will not offload if the ingress and egress traffic ports are on different NP6 chips. It will only offload if both ingress and egress ports belong to the same NP6 chip. The following models are affected: l FG-900D l FG-1000D l FG-2000E l FG-2500E

FortiClient (Mac OS X) SSL VPN requirements

When using SSL VPN on Mac OS X 10.8, you must enable SSLv3 in FortiOS.

Use of dedicated management interfaces (mgmt1 and mgmt2)

For optimum stability, use management ports (mgmt1 and mgmt2) for management traffic only. Do not use management ports for general user traffic.

 

Special Notices

Using FortiAnalyzer units running older versions

When using FortiOS 6.2.0 with FortiAnalyzer units running 5.6.5 or lower, or 6.0.0-6.0.2, FortiAnalyzer might report increased bandwidth and session counts if there are sessions that last longer than two minutes.

For accurate bandwidth and session counts, upgrade the FortiAnalyzer unit to 5.6.6 or higher, or 6.0.2 or higher.

Changes in default behavior

Firewall

Remove dependency of ssl-ssh-profile on utm-status under firewall policy (531885).

Previous releases	6.2.0 release
You must enable utm-status under firewall policy before configuring ssl-ssh-profile.	You can configure ssl-ssh-profile by itself. When you upgrade, this configuration is added to the existing firewall policy.

Log & Report

Previous releases	6.2.0 release
Super admin: can back up and restore configuration file. Global admin: can back up and restore configuration file.	Super admin: can back up and restore configuration file. Global admin: can only back up configuration file.

Starting from the 6.2.0 release, exe log list displays the result of the current log device.

Previous releases	6.2.0 release
exe log list only lists the disk log file.	exe log list lists the log file from the current log device (disk/memory). exe log list shows the memory log file in exe log filter device memory. exe log list shows the disk log file in exe log filter device disk.

Separate policy and address log-uuid options into two individual options.

Previous releases	6.2.0 release
config system global set log-uuid [policy-only | extended | disable] end	config system global set log-uuid-policy [enable | disable] set log-uuid-address [enable | disable] end

System

Starting from the 6.2.0 release, Global admin can only back up but not restore the configuration file. default behavior

Previous releases	6.2.0 release
VDOM admin: can back up and restore VDOM configuration file with full Admin and Maintenance permission.	VDOM admin: can back up and restore VDOM configuration file with full Admin and Maintenance permission.

Devices configured under security-exempt-list are void after upgrading to 6.2.0.

Previous releases	6.2.0 release
config user security-exempt-list edit “1” set description “device” config rule edit 1 set devices “linux-pc” next edit 2 set srcaddr “10-1-100-0” next end next end	config user security-exempt-list edit “1” set description “device” config rule edit 2 set srcaddr “10-1-100-0” next end next end

 

Changes in CLI defaults

Anti-Spam

Rename spamfilter to emailfilter.

Previous releases	6.2.0 release
config spamfilter bwl end config spamfilter profile end config firewall policy edit [Policy ID] set spamfilter-profile [Profile Name] next end	config emailfilter bwl end config emailfilter profile end config firewall policy edit [Policy ID] set emailfilter-profile [Profile Name] next end

Data Leak Prevention

Rename DLP fp-sensitivity to sensitivity.

Previous releases	6.2.0 release
config dlp fp-sensitivity end	config dlp sensitivity end

Firewall

Rename utm-inspection-mode to inspection-mode under firewall policy.

Previous releases	6.2.0 release
config firewall policy edit [Policy ID] set utm-inspection-mode [proxy | flow] next end	config firewall policy edit [Policy ID] set inspection-mode [proxy | flow] next end

 

Add a new direction command to Internet service group. Members are filtered according to the direction selected. The direction of a group cannot be changed after it is set.

Previous releases	6.2.0 release
config firewall internet-service-group edit [Internet Service Group Name] set member 65537 65538 next end	config firewall internet-service-group edit [Internet Service Group Name] set direction [source | destination | both] set member 65537 65538 next end

FortiView

Previous releases	6.2.0 release
execute ha manage [ID]	execute ha manage [ID] [admin-username]

The following FortiView CLI has been changed in this release.

Previous releases	6.2.0 release
config system admin edit [User Name] config gui edit [Dashboard ID] config widget edit [Widget ID] set type fortiview set report-by source <- removed set timeframe realtime <- removed set sort-by “bytes” <- removed set visualization table <- removed next end next end next end	config system admin edit [User Name] config gui edit [Dashboard ID] config widget edit [Widget ID] set type fortiview set fortiview-type ” <- added set fortiview-sort-by ” <- added set fortiview-timeframe ” <- added set fortiview-visualization ” <- added set fortiview-device ” <- added next end next end next end

HA

The CLI command for HA member management is changed.

Intrusion Prevention

Move Botnet configuration option from interface level and policy level to IPS profile.

Previous releases			6.2.0 release
config system interface edit [Interface Name] set scan-botnet-connections block | monitor] next end config firewall policy edit [Policy ID] set scan-botnet-connections block | monitor] next end config firewall proxy-policy edit [Policy ID] set scan-botnet-connections block | monitor] next end config firewall interface-policy edit [Policy ID] set scan-botnet-connections block | monitor] next end config firewall sniffer edit [Policy ID] set scan-botnet-connections block | monitor] next end	[disable [disable [disable [disable [disable	| | | | |	config ips sensor edit [Sensor name] set scan-botnet-connections [disable | block | monitor] next end

IPsec VPN

Add net-device option under static/DDNS tunnel configuration.

Previous releases	6.2.0 release
config vpn ipsec phase1-interface edit [Tunnel Name] set type [static | ddns] next end	config vpn ipsec phase1-interface edit [Tunnel Name] set type [static | ddns] set net-device [enable | disable] next end

Log & Report

Move botnet-connection detection from malware to log threat-weight.

Previous releases	6.2.0 release
config log threat-weight config malware set botnet-connection [critical | high | medium | low | disable] end end	config log threat-weight set botnet-connection [critical | high | medium | low | disable] end

SDS.

Previous releases	6.2.0 release
config log threat-weight config malware set botnet-connection [critical | high | medium | low | disable] end end	config log threat-weight set botnet-connection [critical | high | medium | low | disable] end

Add new certificate verification option under FortiAnalyzer setting.

Previous releases	6.2.0 release
config log fortianalyzer setting set status enable set server [FortiAnalyzer IP address] end	config log fortianalyzer setting set status enable set server [FortiAnalyzer IP address] set certificate-verification [enable | disable] set serial [FortiAnalyzer Serial number] set access-config [enable | disable] end

Proxy

Move SSH redirect option from firewall ssl-ssh-profile to firewall policy.

Previous releases	6.2.0 release
config firewall ssl-ssh-profile edit [Profile Name] config ssh set ssh-policy-check [enable | disable] end next end	config firewall policy edit [Policy ID] set ssh-policy-redirect [enable | disable] next end

Move HTTP redirect option from profile protocol option to firewall policy.

Previous releases	6.2.0 release
config firewall profile-protocol-option edit [Profile Name] config http set http-policy [enable | disable] end next end	config firewall policy edit [Policy ID] set http-policy-redirect [enable | disable] next end

Move UTM inspection mode from VDOM setting/AV profile/webfilter profile/emailfilter profile/DLP sensor to firewall policy.

Previous releases		6.2.0 release
config system setting set inspection-mode [proxy | end config antivirus profile edit [Profile Name] set inspection-mode [proxy next end config webfilter profile edit [Profile Name] set inspection-mode [proxy	flow] | flow-based] | flow-based]	config firewall policy edit [Policy ID] set inspection-mode [flow | proxy] next end
Previous releases		6.2.0 release
next end config spamfilter profile edit [Profile Name] set flow-based [enable | disable] next end config dlp sensor edit [Sensor Name] set flow-based [enable | disable] next end

Routing

For compatibility with the API, the CLI command for OSPF MD5 is changed from a single line configuration to sub-table configuration.

Previous releases	6.2.0 release
config router ospf config ospf-interface edit [Interface Entry Name] set interface [Interface] set authentication md5 set md5-key [Key ID] [Key String Value] next end end	config router ospf config ospf-interface edit [Interface Entry Name] set interface [Interface] set authentication md5 config md5-keys edit [Key ID] set key-string [Key String Value] next end next end end

The name internet-service-ctrl and internet-service-ctrl-group is changed to internetservice-app-ctrl and internet-service-app-ctrl-group to specify it’s using application control.

Previous releases	6.2.0 release
config system virtual-wan-link config service edit [Priority Rule ID] set internet-service enable set internet-service-ctrl [Application ID] set internet-service-ctrl-group [Group Name] next end end	config system virtual-wan-link config service edit [Priority Rule ID] set internet-service enable set internet-service-app-ctrl [Application ID] set internet-service-app-ctrl-group [Group Name] next end end

Add cost for each SD-WAN member so that in the SLA mode in a SD-WAN rule, if SLAs are met for each member, the selection is based on the cost.

Previous releases	6.2.0 release
config system virtual-wan-link config member edit [Sequence Number] next end end	config system virtual-wan-link config member edit [Sequence Number] set cost [Value] next end end

Add a load-balance mode for SD-WAN rule. When traffic matches this rule, this traffic should be distributed based on the LB algorithm.

Previous releases	6.2.0 release
config system virtual-wan-link config service edit [Priority Rule ID] set mode [auto | manual | priority | sla] next end end	config system virtual-wan-link config service edit [Priority Rule ID] set mode [auto | manual | priority | sla | load-balance] next end end

Security Fabric

Add control to collect private or public IP address in SDN connectors.

Previous releases	6.2.0 release
config firewall address edit [Address Name] set type dynamic set comment ” set visibility enable set associated-interface ” set sdn aws set filter “tag.Name=publicftp” next end	config firewall address edit [Address Name] set type dynamic set comment ” set visibility enable set associated-interface ” set sdn aws set filter “tag.Name=publicftp” set sdn-addr-type [private | public | all] next end

Add generic support for integrating ET products (FortiADC, FortiMail, FortiWeb, FortiDDoS, FortiWLC) with Security Fabric.

Previous releases	6.2.0 release
config system csf config fabric-device edit [Device Name] set device-ip [Device IP] set device-type fortimail set login [Login Name] set password [Login Password] next end end	config system csf config fabric-device edit [Device Name] set device-ip [Device IP] set https-port 443 set access-token [Device Access Token] next end end

Add support for multiple SDN connectors under dynamic firewall address.

Previous releases	6.2.0 release
config firewall address edit [Address Name] set type dynamic set color 2 set sdn azure set filter “location=NorthEurope” next end	config firewall address edit [Address Name] set type dynamic set color 2 set sdn [SDN connector instance] set filter “location=NorthEurope” next end

System

Add split VDOM mode configuration.

Previous releases	6.2.0 release
config global set vdom-admin [enable | disable] end	config global set vdom-admin [no-vdom | split-vdom | multi-vdom] end

WiFi Controller

Remove http and telnet in allowaccess options under wireless-controller wtp-profile and wireless-controller wtp.

Previous releases	6.2.0 release
config wireless-controller wtp-profile edit [WTP Profile Name] set allowaccess http | https | telnet | ssh next end config wireless-controller wtp edit [WTP ID] set override-allowaccess enable set allowaccess http | https | telnet | ssh next end	config wireless-controller wtp-profile edit [WTP Profile Name] set allowaccess https | ssh next end config wireless-controller wtp edit [WTP ID] set override-allowaccess enable set allowaccess https | ssh next end

 

Changes in default values

Firewall

The default profile for ssl-ssh-profile is changed from certificate-inspection to no-inspection.

Previous releases	6.2.0 release
Config firewall policy edit [Policy ID] set ssl-ssh-profile certificateinspection   next end	Config firewall policy edit [Policy ID] set ssl-ssh-profile no-inspection next end

IPsec VPN

The default value for net-device option under dynamic(dialup) tunnel has changed from disable to enable.

Previous releases	6.2.0 release
config vpn ipsec phase1-interface edit [Tunnel Name] set type dynamic set net-device disable next end	config vpn ipsec phase1-interface edit [Tunnel Name] set type dynamic set net-device enable next end

Log & Report

The default value, minimum value, and maximum value for memory log is changed.

Previous releases	6.2.0 release
config log memory global-setting set max-size 65536 end	config log memory global-setting set max-size [1% of total RAM] end

Changes in default values                                                                                                                                         21

Routing

The default SD-WAN health-check interval is changed from 1 to 500 and the unit is changed from seconds to milliseconds.

Previous releases	6.2.0 release
config system virtual-wan-link config health-check edit [Health Check Name] set interval 1 next end end	config system virtual-wan-link config health-check edit [Health Check Name] set interval 500 next end end

The default link-monitor interval is changed from 1 to 500 and the unit is changed from seconds to milliseconds.

Previous releases	6.2.0 release
config system link-monitor edit [Link Monitor Name] set interval 1 next end	config system link-monitor edit [Link Monitor Name] set interval 500 next end

System

The default protocol used for FortiGuard service communication is changed from UDP to HTTPS.

The protocol setting remains unchanged for FortiGates upgrading from v6.0 to v6.2.

Previous releases	6.2.0 release
config system fortiguard set protocol udp set port 8888 end	config system fortiguard set protocol https set port 8888 end

Changes in default values

Switch Controller

The default value for FortiLink split interface is changed from disable to enable.

Previous releases	6.2.0 release
config system interface edit [FortiLink Interface] set fortilink enable set fortilink-split-interface disable next end	config system interface edit [FortiLink Interface] set fortilink enable set fortilink-split-interface enable next end

WiFi Controller

The default value of broadcast-suppression under wireless vap is changed from dhcp-up arp-known to dhcp-up arp-known dhcp-ucast.

Previous releases	6.2.0 release
config wireless-controller vap edit [vap-name] set broadcast-suppression dhcp-up arp- known next end	config wireless-controller vap edit [vap-name] set broadcast-suppression dhcp-up dhcp- ucast arp-known next end

The default value of control-message-offload under wireless-controller wtp-profile is changed from ebp-frame aeroscout-tag ap-list sta-list sta-cap-list stats aeroscout-mu to ebpframe aeroscout-tag ap-list sta-list sta-cap-list stats aeroscout-mu sta-health.

Previous releases	6.2.0 release
config wireless-controller wtp-profile edit [FAP Profile Name] set control-message-offload ebp-frame aeroscout-tag ap-list sta-list sta-cap-list stats aeroscout-mu next end	config wireless-controller wtp-profile edit [FAP Profile Name] set control-message-offload ebp-frame aeroscout-tag ap-list sta-list sta-cap-list stats aeroscout-mu sta-health next end

Upgrade Information

Supported upgrade path information is available on the Fortinet Customer Service & Support site.

To view supported upgrade path information:

1. Go to https://support.fortinet.com.
2. From the Download menu, select Firmware Images.
3. Check that Select Product is FortiGate.
4. Click the Upgrade Path tab and select the following:

l Current Product l Current FortiOS Version l Upgrade To FortiOS Version

5. Click Go.

FortiClient Endpoint Telemetry license

Starting with FortiOS 6.2.0, the FortiClient Endpoint Telemetry license is deprecated and as a result there are two upgrade scenarios:

• Customers using only a FortiGate device in FortiOS 6.0 to enforce compliance must install FortiClient EMS 6.2.0 and purchase a FortiClient Security Fabric Agent License.
• Customers using both a FortiGate device in FortiOS 6.0 and FortiClient EMS running 6.0 for compliance enforcement, must upgrade both the FortiGate device to FortiOS 6.2.0, FortiClient to 6.2.0, and FortiClient EMS to 6.2.0.

Fortinet Security Fabric upgrade

FortiOS 6.2.0 greatly increases the interoperability between other Fortinet products. This includes:

l FortiAnalyzer 6.2.0 l FortiClient EMS 6.2.0 l FortiClient 6.2.0 l FortiAP 5.4.4 and later l FortiSwitch 3.6.9 and later

Upgrade the firmware of each product in the correct order. This maintains network connectivity without the need to use manual steps.

If Security Fabric is enabled, then all FortiGate devices must be upgraded to 6.2.0. When Security Fabric is enabled in FortiOS 6.2.0, all FortiGate devices must be running FortiOS 6.2.0.

 

Minimum version of TLS services automatically changed

For improved security, FortiOS 6.2.0 uses the ssl-min-proto-version option (under config system global) to control the minimum SSL protocol version used in communication between FortiGate and third-party SSL and TLS services.

When you upgrade to FortiOS 6.2.0 and later, the default ssl-min-proto-version option is TLS v1.2. The following SSL and TLS services inherit global settings to use TLS v1.2 as the default. You can override these settings.

l Email server (config system email-server) l Certificate (config vpn certificate setting) l FortiSandbox (config system fortisandbox) l FortiGuard (config log fortiguard setting) l FortiAnalyzer (config log fortianalyzer setting) l LDAP server (config user ldap) l POP3 server (config user pop3)

Downgrading to previous firmware versions

Downgrading to previous firmware versions results in configuration loss on all models. Only the following settings are retained:

l operation mode l interface IP/management IP l static route table l DNS settings l admin user account l session helpers l system access profiles

Amazon AWS enhanced networking compatibility issue

With this enhancement, there is a compatibility issue with older AWS VM versions. After downgrading a 6.2.0 image to an older version, network connectivity is lost. Since AWS does not provide console access, you cannot recover the downgraded image.

When downgrading from 6.2.0 to older versions, running the enhanced nic driver is not allowed. The following AWS instances are affected:

• C3 l C4 l R3 l I2
• M4 l D2

FortiLink access-profile setting

The new FortiLink local-access profile controls access to the physical interface of a FortiSwitch that is managed by FortiGate.

After upgrading FortiGate to 6.2.0, the interface allowaccess configuration on all managed FortiSwitches are overwritten by the default FortiGate local-access profile. You must manually add your protocols to the localaccess profile after upgrading to 6.2.0.

To configure local-access profile:

config switch-controller security-policy local-access edit [Policy Name] set mgmt-allowaccess https ping ssh set internal-allowaccess https ping ssh

next

end

To apply local-access profile to managed FortiSwitch:

config switch-controller managed-switch edit [FortiSwitch Serial Number] set switch-profile [Policy Name] set access-profile [Policy Name]

next

end

FortiGate VM with V-license

This version allows FortiGate VM with V-License to enable split-vdom.

To enable split-vdom:

config system global set vdom-mode [no-vdom | split vdom] end

FortiGate VM firmware

Fortinet provides FortiGate VM firmware images for the following virtual environments:

Citrix XenServer and Open Source XenServer

• .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
• .out.OpenXen.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains the QCOW2 file for Open Source XenServer.
• .out.CitrixXen.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains the Citrix XenServer Virtual Appliance (XVA), Virtual Hard Disk (VHD), and OVF files.

Linux KVM

• .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
• .out.kvm.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains QCOW2 that can be used by qemu.

Microsoft Hyper-V

• .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
• .out.hyperv.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains three folders that can be imported by Hyper-V Manager on Hyper-V 2012. It also contains the file vhd in the Virtual Hard Disks folder that can be manually added to the Hyper-V Manager.

VMware ESX and ESXi

• .out: Download either the 64-bit firmware image to upgrade your existing FortiGate VM installation.
• .ovf.zip: Download either the 64-bit package for a new FortiGate VM installation. This package contains Open Virtualization Format (OVF) files for VMware and two Virtual Machine Disk Format (VMDK) files used by the OVF file during deployment.

Firmware image checksums

The MD5 checksums for all Fortinet software and firmware releases are available at the Customer Service & Support portal, https://support.fortinet.com. After logging in select Download > Firmware Image Checksums, enter the image file name including the extension, and select Get Checksum Code.

FortiGuard update-server-location setting

The FortiGuard update-server-location default setting is different between hardware platforms and VMs. On hardware platforms, the default is any. On VMs, the default is usa.

On VMs, after upgrading from 5.6.3 or earlier to 5.6.4 or later (including 6.0.0 or later), update-server-location is set to usa.

If necessary, set update-server-location to use the nearest or low-latency FDS servers.

To set FortiGuard update-server-location:

config system fortiguard set update-server-location [usa|any]

end

FortiView widgets

FortiView widgets have been rewritten in 6.2.0. FortiView widgets created in previous versions are deleted in the upgrade.

 

Product Integration and Support

The following table lists FortiOS 6.2.0 product integration and support information:

Web Browsers	l Microsoft Edge 41 l Mozilla Firefox version 59 l Google Chrome version 65 l Apple Safari version 9.1 (For Mac OS X) Other web browsers may function correctly, but are not supported by Fortinet.
Explicit Web Proxy Browser	l Microsoft Edge 41 l Microsoft Internet Explorer version 11 l Mozilla Firefox version 59 l Google Chrome version 65 l Apple Safari version 9.1 (For Mac OS X) Other web browsers may function correctly, but are not supported by Fortinet.
FortiManager	See important compatibility information in Fortinet Security Fabric upgrade on page 23. For the latest information, see FortiManager compatibility with FortiOS in the Fortinet Document Library. Upgrade FortiManager before upgrading FortiGate.
FortiAnalyzer	See important compatibility information in Fortinet Security Fabric upgrade on page 23. For the latest information, see FortiAnalyzer compatibility with FortiOS in the Fortinet Document Library. Upgrade FortiAnalyzer before upgrading FortiGate.
FortiClient: l Microsoft Windows l Mac OS X l Linux	l 6.2.0 See important compatibility information in FortiClient Endpoint Telemetry license on page 23 and Fortinet Security Fabric upgrade on page 23. FortiClient for Linux is supported on Ubuntu 16.04 and later, Red Hat 7.4 and later, and CentOS 7.4 and later. If you are using FortiClient only for IPsec VPN or SSL VPN, FortiClient version 5.6.0 and later are supported.
FortiClient iOS	l 6.2.0 and later
FortiClient Android and FortiClient VPN Android	l 6.2.0 and later
FortiAP	l 5.4.2 and later l 5.6.0 and later
FortiAP-S	l 5.4.3 and later l 5.6.0 and later

 

FortiSwitch OS (FortiLink support)	l 3.6.9 and later
FortiController	l 5.2.5 and later Supported models: FCTL-5103B, FCTL-5903C, FCTL-5913C
FortiSandbox	l 2.3.3 and later
Fortinet Single Sign-On (FSSO)	l 5.0 build 0276 and later (needed for FSSO agent support OU in group filters) l Windows Server 2016 Datacenter l Windows Server 2016 Standard l Windows Server 2008 (32-bit and 64-bit) l Windows Server 2008 R2 64-bit l Windows Server 2012 Standard l Windows Server 2012 R2 Standard l Novell eDirectory 8.8
FortiExtender	l 3.2.1
AV Engine	l 6.00127
IPS Engine	l 4.00219
Virtualization Environments
Citrix	l XenServer version 5.6 Service Pack 2 l XenServer version 6.0 and later
Linux KVM	l RHEL 7.1/Ubuntu 12.04 and later l CentOS 6.4 (qemu 0.12.1) and later
Microsoft	l Hyper-V Server 2008 R2, 2012, 2012 R2, and 2016
Open Source	l XenServer version 3.4.3 l XenServer version 4.1 and later
VMware	l  ESX versions 4.0 and 4.1 l  ESXi versions 4.0, 4.1, 5.0, 5.1, 5.5, 6.0, and 6.5
VM Series – SR-IOV	The following NIC chipset cards are supported: l Intel 82599 l Intel X540 l Intel X710/XL710

Language support

The following table lists language support information.

Language support

Language	GUI
English
Chinese (Simplified)
Chinese (Traditional)
French
Japanese
Korean
Portuguese (Brazil)
Spanish

SSL VPN support

SSL VPN standalone client

The following table lists SSL VPN tunnel client standalone installer for the following operating systems.

Operating system and installers

Operating System	Installer
Linux CentOS 6.5 / 7 (32-bit & 64-bit) Linux Ubuntu 16.04 (32-bit & 64-bit)	2336. Download from the Fortinet Developer Network: https://fndn.fortinet.net.

Other operating systems may function correctly, but are not supported by Fortinet.

SSL VPN web mode

The following table lists the operating systems and web browsers supported by SSL VPN web mode.

Supported operating systems and web browsers

Operating System	Web Browser
Microsoft Windows 7 SP1 (32-bit & 64-bit)	Mozilla Firefox version 61 Google Chrome version 68
Microsoft Windows 10 (64-bit)	Microsoft Edge Mozilla Firefox version 61 Google Chrome version 68
Linux CentOS 6.5 / 7 (32-bit & 64-bit)	Mozilla Firefox version 54
OS X El Capitan 10.11.1	Apple Safari version 11 Mozilla Firefox version 61 Google Chrome version 68
iOS	Apple Safari Mozilla Firefox Google Chrome
Android	Mozilla Firefox Google Chrome

Other operating systems and web browsers may function correctly, but are not supported by Fortinet.

SSL VPN host compatibility list

The following table lists the antivirus and firewall client software packages that are supported.

Supported Microsoft Windows XP antivirus and firewall software

Product	Antivirus		Firewall
Symantec Endpoint Protection 11
Kaspersky Antivirus 2009
McAfee Security Center 8.1
Trend Micro Internet Security Pro
F-Secure Internet Security 2009

Supported Microsoft Windows 7 32-bit antivirus and firewall software

Product	Antivirus	Firewall
CA Internet Security Suite Plus Software
AVG Internet Security 2011
F-Secure Internet Security 2011
Kaspersky Internet Security 2011
McAfee Internet Security 2011
Norton 360 Version 4.0
Norton Internet Security 2011
Panda Internet Security 2011
Sophos Security Suite
Trend Micro Titanium Internet Security
ZoneAlarm Security Suite
Symantec Endpoint Protection Small Business Edition 12.0

 

Resolved Issues

The following issues have been fixed in version 6.2.0. For inquires about a particular bug, please contact Customer Service & Support.

Anti-Spam

Bug ID	Description
295539	Spam filter profile CLI options are disabled after GUI change.
477496	Unable to add email wildcard to black/white list GUI in Anti-Spam profile.

AntiVirus

Bug ID	Description
474538	Remove mobile malware protection option from GUI.
491675	FTP Server is not accessible when AV profile is set to proxy based inspection.
502138	AV full-scan mode causes traffic to fail.
513667	WAD crash when av-scan is blocking the input and HTTP session is closing.
516072	In flow mode, scanunit API does not allow IPS to submit a scan job for a URL with no filename.
519759	Process scanunit crash in removeTransformCleanup when Outbreak Prevention is enabled.
522343	scanunitd experiences a constant different kind of crash.
525151	Flow AV profile and SSL deep inspection writes blocked invalid cert logs to webfilter logs.
525711	FortiGate not sending email headers to FortiSandbox.
537666	Flow AV in quick mode cannot block large infected samples (eicar.exe).
541023	Scanunit worker leaves urlfilter API socket files behind in tmp.

Application Control

Bug ID	Description
511151	Application Control with traffic shaper is not attached to session.
Authentication
Bug ID	Description
447575	Standard vs. Advanced mismatch on FortiOS GUI.
Bug ID	Description
463849	FAC remote LDAP user authentication via RADIUS fails on invalid token if password change and 2FA are both required.

Data Leak Prevention

Bug ID	Description
486958	scanunit signal 14 alarm clock caused by DLP scanning bz2 file.
496255	Some XML-based MS Office files are recognized as ZIP files.
518146	DLP incorrectly blocking .deb file extension (DLP log unclear for matches in archive files).
524910	DLP profile to block the file name pattern “*” not blocking uploading files.

DNS Filter

Bug ID	Description
472267	DNS filter performance improvement.

Endpoint Control

Bug ID	Description
543635	Extend GTP0/GTP1 policy for new RAT types.

Explicit Proxy

Bug ID	Description
413187	XFF header enhancements (strip-off & enforcement) for URL filtering module.
445312	tcp-timewait-timer does not have any effect when WAD is running.
477289	Proxy is unexpectedly sending FIN packet (FTP over HTTP traffic).
491118	Kerberos users unable to access the internet.
500182	UDP over SOCKS PROXY.
503478	Presence of X-XSS-Protection header causes response to be not cacheable.
506654	High memory usage on WAD.
506821	Explicit web proxy, slow speed.
509876	Web-proxy internet service as DST address cannot work for some IP address range overlap case.
509994	Website denied due to certificate error (revoked) only in Proxy_policy and deep inspection profile.
512294	WAD should not keep buffer data if the server’s response broke the HTTP protocol.
Bug ID	Description
515327	WAD returns 502 Bad Gateway if the server disconnects without data received.
521344	Explicit FTP proxy doesn’t work with second IP address.
521899	When proxy srvc is set to protocol CONNECT and client tries to connect to HTTPS page, client gets message: Access Denied.
524933	Agentless NTLM – FortiGate adds redundant domain suffix to username when it is already present (UPN used).

Firewall

Bug ID	Description
390422	Cannot add a wildcard FQDN object to an addrgrp which is applying in policy
457294	GUI to allow negate an address object.
466999	Implicit deny policy generating logs when logging is disabled.
484599	Cannot use custom internet service group in traffic shaping policy.
484603	Cannot use application group in traffic shaping policy.
492034	Traffic not matching expected sessions and getting denied.
497535	In NGFW policy mode, applications allowed by unintended policy ID when together with firewall-session-dirty check new.
503904	Creating a new address group gives error: Associated Interface conflict detected!.
508085	Customer does not accept the confirmation of 0.0.0.0/0 object while creating address object errors.
508098	Creating wildcard address object errors but still creates the object.
511143	set logtraffic-start enable option is not available for policy64/policy46.
520558	Should not do passive port NAT for FTP session helper.
521337	Adding ports in a custom ISDB service for all the IP of the service is not easily achievable.
522447	FortiGate logging is not stable and stopped working.
525995	Session marked dirty when routing table updated for route which is not related to the session.
529685	WCCP not use the tunnel.
535468	DCE/RPC session-helper expectation session is removed unexpectedly.
536868	A FortiGate in TP mode with set send-deny-packet enabled policy, generates strange ICMP-REPLY for TCP SYN/ICMP-REQUEST/UD.
537227	When forwarding the multicast traffic for the first time, the packet size is not calculated correctly.
541248	FortiGate does not offer TLS-RSA-* ciphers when virtual server is configured and strongcrypto is disabled.
541596	Virtual server rejects TLS connections when plain RSA ciphers are specified in custom cipher-list.

FortiView

Bug ID	Description
256264	Realtime session list cannot show IPv6 session and related issues.
414172	HTTPsd / DNSproxy / high CPU / memory with high rate UDP 1Byte spoofing traffic.
453610	Fortiview >Policies(or Sources) >Now, it shows nothing when filtered by physical interface at PPPoE mode.
460016	In Fortiview > Threats, drill down one level, click Return and the graph is cleared.
488886	FortiView > Sources is unable to sort information accurately when filtering by policy ID number.
521497	FortiView > All Sessions > real time view is missing right-click menu to end session/ban ip.
527751	No user name on Fortiview > Sources main page

GUI

Bug ID	Description
457966	Virtual wire pair > Add VLAN range filter on GUI.
462011	GUI is blank when accessed by radius user with read-access profile.
469082	prof_admin profile admins not able to display GUI IPv4 source address.
470698	Create new default dashboards in factory default settings.
473148	FGT5001D Sessions widget in Dashboard show negative % for nTurbo after throughput test.
478057	Cannot restore configuration when GUI access to the FortiGate is via a connection with small bandwidth.
493704	While accessing FortiGate page, browser memory usage keeps spiking and finally PC hangs.
498738	GUI creating B/W widget referencing SIT-Tunnel generates error.
501911	In FOS-AWS prompts user password = instance ID, and forces user to change password upon initial log in.
502785	Remove # of interfaces from device list.
503867	Some certificates break Certificate page.
505187	Getting error Some changes failed to save when configuring IPv4 policies on firewall.
509791	Editing Address Objects name within SSL-SSH inspection profile selection pane cause loss of Address/Web exemption objects.
509978	Unable to download the results of the scheduled script.
515022	FortiGate and FSA has right connectivity, but Test Connectivity on GUI interface is showing Unreachable or not Authorized.
516295	Error connecting to FortiCloud message while trying to access Forticloud Reports in GUI.
Bug ID	Description
518964	Slowness when adding or removing member from address group via SSH.
518970	Suggestion to improve SD-WAN SLA creation page’s invalid-entry handling.
521253	LAG interface is not listed on the dropdown list when configuring DNS Service.
523902	REST API issue: Access Token only verifies the first 30 characters.
526748	Firewall policies with action DENY show default proxy-options applied in GUI.
527137	Local GW disappears from GUI.
528464	Disappearing policy add-also happens in 6.0.3 build 0200.
533018	Process nsm with high CPU when displaying the GUI section of IP4 and IPv6 policy when receiving full routing of BGP.
536841	DNS server in VPN SSL setting is overwritten when SSL-VPN settings are modified via GUI.

HA

Bug ID	Description
445214	Slave in AP cluster memory/CPU spike as a result of DHCP/HA sync issue.
461915	When standalone config sync is enabled in FGSP, IPv6 setting of interface is synced.
477392	Can’t use FAC username, password, and FortiToken two-factor authenticate login HA slave unit.
481943	A green check mark indicating HA sync status on GUI is only put on a side of virtual cluster 1.
482548	Conserve mode caused by hasync consuming most available memory.
486846	FGSP session sync for FGCP cluster keeps syncronizing sessions back to the originator even after the traffic is stopped.
487444	FortiGate stops accepting traffic from any interface in a hardware switch after HA fail-over in 80/81E.
494029	After failover, cannot connect to management-IP of backup device.
503433	hasync daemon crashes when admin session timeout and cluster could be out of sync for a short period.
503763	Config sync communication on heartbeat link not encrypted when encryption is enabled under system HA.
503897	FG-501E units generating logs only for five minutes after rebooting the unit, then do not generate anymore logs.
507013	Out of sync after config change.
509557	Duplicate MAC on mgmt2 ports.
510660	Upgrade to build 3574 fails for HA cluster.
511522	HA uninterruptible upgrade from 9790 to 3558 fails.
Bug ID	Description
513940	Enormous amount of session between heartbeat Interfaces for port 703 (HASYNC).
515401	SLBC-Dual mode: Slave chassis blade sending traffic logs.
516234	GUI checksums show slave is not synchronized when the master is synchronized.
517537	Slave out-of-sync. Unable to log into slave unit.
518116	Suggest to add a command to show virtual_mac usages on FGCP HA.
518621	ha-mgmt-interface IPv6 GW is not registered when ha-mgmt-interface IPv4 GW is not set.
518717	MTU of session-sync-dev does not come into effect.
519653	Increase FGSP session sync from 200 VDOM to 500 VDOM.
523733	Successive failovers lead to complete traffic stop (IPSEC[01]_IQUEUE counter catching all traffic).
526252	High memory caused by updated daemon.
526492	FGSP between two FGCP clusters – session expectation.
526703	FGSP of FGCP cluster, does not pickup NAT’ed sessions.
530215	Application hasync *** signal 11 (Segmentation fault) received ***.
531083	Config of HA pair of FortiGates goes out of sync when removed from Central Management (FortiManager).
531812	FGSP config replicating BGP and OSPF info after a config restore.
532015	High CPU on Core1 due to session sync process.
535534	Multicast-forward setting is lost after a backup restore on a FGCP cluster.
537289	Old master keeps forwarding traffic after failover.
539707	Wrong status for ping server after failover in the output of the command get sys ha status.

Bug ID	Description
381062	Provide accurate statistics across multiple IPS daemons.
452131	ipsengine up time on FG-51E is a negative number after changing db from extended to regular.
469608	ICMP Packets drop while FGD updates.

ICAP

Bug ID	Description
478617	ICAP X-Authenticated-Groups information.

Intrusion Prevention

Bug ID	Description
476219	Delay for BFD in IPinIP traffic hitting policy with IPS while IPsec calculates new key.
489557	traceroute issues when IPS is enabled.
503895	Traffic drops for 15 seconds when UTM is enabled.
509352	IPv4.Invalid.Datagram.Size attack is not detected in IDS mode.
516128	Victim is quarantined after IPS attack.
517059	One arm sniffer is unable to see HTTPS log in web filter logs.
537162	High memory due to IPS and SSL-VPN going into conserve mode.
541224	Network loop over virtual-wire-pair in HA mode if running diagnose sys ha reset-uptime.

IPsec VPN

Bug ID	Description
463441	NAT -T broken with AWS and Fortigate.
471326	AES-256-GCM for phase 1.
481720	Using transparent mode and policy base VPN, about 4 ICMP packets which exceed over MTU 1375 byte are dropped.
491305	Packet from FCT can not go through VXLAN over IPsec depending on packet size.
493918	Memory leak with IKED.
494285	Slow IPsec traffic between FortiGate and AWS FortiGate once run iPerf between unix and linux.
509559	Invalid ESP packet detected (replayed packet) when having high load on IPsec tunnel.
514519	OSPF neighbor can’t up because IPsec tunnel interface MTU keeps changing.
515132	ADVPN shortcut continuously flapping.
515375	VPN goes down randomly, also affects remote sites dialup.
517088	IPsec Gateway never clears unless manually forced.
517849	Index of existing OIDs changes when installing new IPsec tunnels to the FortiGate – breaks monitoring.
518063	DPD shows unnegotiated and is not functioning correctly on ADVPN Spoke.
519187	IKE route should not be deleted if it is needed by other proxyids.
520151	When two certificates are configured on p1, both aren’t offered or the wrong one is offered.
523567	MTU values does not gets calculated correctly in GRE over IPsec.
524101	Unnecessary next-hop restriction on static route prevents using static routing on Hub with ‘netdevice disable.’
Bug ID	Description
527496	Rename One Click VPN to Overlay Controller VPN.
529448	Shouldn’t PPK:no be shown at IKEv2 SA level when NO-PPK-AUTH was used?
531203	Cannot edit existing phase1-interface config.
536899	One issue and two possible enhancements when proxying IKE mode-cfg and DHCP.
537140	KEv2 EAP – FortiGate fails to respond to IKE_AUTH when ECDSA certificate is used by ForitGate.
537450	Site-to-site VPN policy based – with DDNS destination fail to connect.
537769	FortiGate sends failure response to L2TP CHAP authentication attempt before checking it against RADIUS server.
537848	FortiGate IPsec VPN phase1-interface and phase2-interface configurations are not saved into configuration file.
540560	Missing IKE SA HA sync when FortiGate is mode-cfg client + xauth.

Log & Report

Bug ID	Description
387324	Archive mark is always on under UTM logs page when log-display location set to FAZ.
477393	Negative values in ‘Load Balance’ monitor logs.
479607	Scheduled auto-update happens twice in ten seconds but a log entry for the first try is not logged.
490379	Long-live session statistics logs add sentdelta and rcvddelta fields for FortiCloud FortiView as required.
491914	miglogd : syslog reliable mode is claiming all logs failed when some pass.
503394	Duplicate description for different log IDs: LOG_ID_CHG_CONFIG & LOG_ID_CONF_CHG etc.
503395	Duplicate description for different log IDs: LOG_ID_POWER_FAILURE, LOG_ID_POWER_ FAILURE_WARNING etc.
503396	Duplicate description for different log IDs.
503397	IPsec logging – Duplicate description for different log IDs.
503398	AP Event log: Duplicate description for different log IDs.
503399	PPPOE Event log: Duplicate description for different log IDs.
503400	RADIUS event log: Duplicate description for different log IDs.
503401	SSL Event logs: Duplicate description for different log IDs.
504012	Duplicate description for different log IDs: LOG_ID_LEAVE_FD_CONSERVE_MODE, LOG_ID_ LEAVE_FD_CONSERVE_MODE_NOTIF.
505393	Quad File Dropped Reason forticloud-daily-quota-exceeded.
510973	FortiGate with disk and send logs to FAZ has PCI alerts.
Bug ID	Description
518402	miglogd crash and no logs are generated.
521020	VPN usage duration days in local report is not correct.
523829	When destination interface is PPPoE, intf-role is logged as Undefined even though the role is not undefined.
540157	Cannot view logs from FortiGate when secondary IP is used (only secondary IP is allowed to go internet on upstream).

Proxy

Bug ID	Description
458057	Constant DNS query on built-in FQDN cause network congestion.
470407	IPv6-Happy-Eyeballs-Mechanism not working with proxy-based Webfilter-Profile.
487096	SSL handshake fail when activate ESET application.
491417	FortiGate is dropping server hello packets when urlfilter is enabled.
492372	Multiple WAD crashes with signal 11 (Segmentation fault).
500965	FGT-200E in kernel conserve mode. WAD process consuming high memory.
505171	ICAP does not work if there is no other proxy-based UTM feature enabled in the policy.
506995	FGT1200D WAD Crashing 5.6.5 (wad mapi).
507155	System went into conserve mode due to wad after upgrade to 5.6.5.
507585	Support multiple DC servers in the agentless NTLM auth as well as user based matching.
512434	Need to do changes in default replacement message of Invalid certificate Message.
512936	SSL certificate inspection in proxy mode doesn’t use CN from Valid Certificate for categorization when SNI is not present.
513270	Certificate error with SSL deep inspection.
516147	WAD crashes.
516863	Webproxy learn-client-ip webfilter’s auth/warn/ovrd does not work.
518933	Certificate inspection (CN base) web category filter doesn’t work.
519021	The customer is unable to access internal CRM application server with antivirus enabled.
521051	HTTP WebSocket 101 switching protocol requests mismatch in v6.0.3.
525518	Skype call drops when handled by WAD process after around three sec of being answered.
526322	WAD Crashes when processing transparent proxy traffic after upgrade to 6.0.3.
526667	FortiGate doesn’t forward request:port command after 0 byte file transmission.
529792	WAD process crash with signal 11.
Bug ID	Description
530906	Certificate chaining is broken on FortiGate site (deep inspection) for certain web sites.
531526	FTP proxy ignores OTP in authentication.
531575	Web site access failure due to OCSP check in WAD + Deep SSL inspection.
532121	WAD uses high CPU with “netlink recvmsg No buffer space available” after upgrade to 6.0.3+.
534346	WAD memory leak on OCSP certificate caching.
536063	SSL deep inspection doesn’t work with OCSP stapling.
536623	WAD performs category SSL-Exemptions when SSL-inspection profiles are in “protect-server” mode.
537183	Removed default ssl-exempt entries page show empty.
539452	FortiGate does not follow Authority key identifier when sending certificate chain in deep inspection.
540067	Wildcard addresses removed from SSL deep inspection exempt list after upgrade to 6.0.4 from 5.6.

REST API

Bug ID	Description
424403	REST API for system csf didn’t return csf group name.
467747	REST API user cannot create API user via autoscript upload and cannot set API password via CLI.

Routing

Bug ID	Description
441506	BGP Aggregate address results in blackhole for incoming traffic.
448205	Network devices must be configured with rotating keys used for authenticating IGP peers that have a duration of 180 days or less.
449010	WAN LLB session log srcip and dstip are mixed up intermittently.
476805	FortiGate delays to send keepalive which causes neighbor’s hold down timer to expire and reset the BGP neighborship.
485408	Merge vwl_valeo project – No option for proute based on only dynamic routes.
499328	Add VRF filtering capability to command get router info routing-table all.
500432	IGMP multicast joins taking very long time and uses high NSM CPU utilization.
503638	config system ipip-tunnel is lost after reboot when pppoe interface is used.
505189	Kernel is missing routes.
509561	SD-WAN health check status log is incorrect.
509768	Spillover rules do not work on PPPoE virtual-wan-link.
Bug ID	Description
511203	When using policy route for IPv6, NAT64 does not work.
511932	Can’t make mgmt1 and mgmt2 redundant interfaces.
515683	FortiGate generates fragmented OSPFv3 DBD packets.
518655	IPv6 doesn’t respond to neighbor solicitation request.
518677	Log message MOB-L2-UNTRUST:311 not found in router advertisement enabled.	the list! seen on VDOM with IPv6
518943	RIPv2 with MD5 authentication key ID incompatible with oth	er vendors.
519498	Cease unspecified sent to all BGP peers when new peer is created.
522258	Some missing fields in proute list.
522271	Central NAT – Not updating when dst interface changes.
525182	WLAN guest user in VDOM makes the cluster out of sync.
526008	Differences between routing table and kernel forward information. ADVPN + BGP.
527478	Proute list fill “null ” application name.
529683	Upgrade from 5.6 to 6.0 causes all routes to be advertised in BGP.
530545	SD-WAN Health-Check – Reported packet loss inaccurate.
531660	With VRRP use VRDST checking without default gateway.
531947	SD WAN IPsec interfaces keep failing over when link selection strategy is set to Custom-profile.
532257	OSPFD crash (Segmentation fault) – NSSA – removal of network statement for interface in ‘down’ state.
537110	BGP/BFD packets marked as CS0.
538411	Successfully configured static route CLI commands fail with parse errors after reboot.
539982	Multicast failed after failover from another interface.
540103	OSPF6 will advertise only /128 prefixes to neighbours using point-to-point network type.
544603	Multicast on interfaces with secondary IP addresses.

Security Fabric

Bug ID	Description
473086	Quarantine monitor, should support showing devices for the whole fabric.
481381	Industry field shows up abnormally when adding security rating widget.
491508	If downstream device is part of security fabric, it should be exempted from FortiClient enforcement.
504773	Some minor GUI improvement to facilitate security fabric config.
Bug ID	Description
505068	Add CSF trust-list support into GUI.
505073	Should let approval request message be more standing out.
505656	Edge: Page reloaded when hovering on a connecting line between objects in topology.
525790	Not able to connect through SSL VPN to addresses resolved by SDN dynamic objects.
537130	Email notifications from automation stitches are being sent with a blank from field.

SSL VPN

Bug ID	Description
453740	Remove unused java source file in fortiweb/java.
466438	High CPU usage by sslvpnd [web and mixed mode].
477231	Unable to login to VMware vSphere vCenter 6.5 through SSL VPN web portal.
482497	Running diagnose npu np6lite session in FGT-201E results in high CPU and system instability.
483712	SSLVPND consumes high memory causing FGT enter conserve mode.
491130	SSLVPND 100% VPN when accessing OWA through bookmark.
491733	SSL VPN process taking 99% of CPU utilization even not using SSL VPN.
492654	SSLVPND process is crashing and users are disconnecting from SSL VPN.
493127	Connection to web server freezes when using SSL VPN web bookmark.
496584	SSL VPN bad password attempt causes excessive bindRequests against LDAP and lockout of accounts.
500901	SSL VPN web portal connect to FMG (5.6.3) unable to view Managed devices and policy packages.
508101	HTTPS bookmark to internal website produces error after the initial successful login.
509333	SSL VPN to Nextcloud doesn’t open.
511107	RADIUS 2FA + password change against FAC fails due to unexpected state AVP + GUI bug.
511111	When accessing an internal listing website via SSL VPN, loading long lists fails or is interrupted.
515370	SSL VPN access denied if address object added after group object in firewall policy
517819	Unable to load web page in SSL VPN web mode.
518406	Unable to load WebPage through SSL VPN webmode. Some js files of xunta internal web sites have problems.
519113	SSL VPN web mode SMB connection doesn’t work when enable then disable SMBCD debug.
519483	Invalid HTTP Request‘ when SMB via SSL VPN bookmark is executed.
519987	HTTP bookmark error SyntaxError: Expected ‘)’ after accessing internal server.

 

Bug ID	Description
520307	Unable to view Cisco APIC web interface page after logging using SSL VPN web portal.
520361	SSL VPN portal not loading predefined bookmarks.
520965	IBM QRadar page not displaying in SSL VPN web-mode.
521459	HSTS header missing again under SSL VPN.
522987	Backup and restore the VDOM config with SSL VPN settings causes some critical flags and counter for SSL VPN to not update so SSL VPN stops working.
523450	Unable to access internal website via bookmark in SSL VPN web mode.
523647	Search result gives empty output upon accessing the URL https://ieeexplore.ieee.org via SSL VPN bookmark.
523717	Dropdown list can not get expanded through bookmarks (SSL VPN).
525106	HTML PABX Admin Console not working correctly in SSL VPN Mode.
525375	Atlassian Confluence wiki Javascript problem via SSL VPN web mode.
527342	sslConnGotoNextState:298 error when use SSL VPN bookmark method access huawei appliances.
527348	JavaScript script is not available when connecting using SSL VPN web mode.
527476	Update from web mode fails for SharePoint page using MS NLB.
528289	SSL VPN crashes when it receives HTTP request with header “X-Forwarded-For” because of the wrong use of sslvpn_ap_pstrcat.
528630	For SSL VPN with the realm named sslvpn, the authentication fails.
529186	Problem loading reaching internal web server through SSL VPN Web bookmark when using HTTPS. Some js files of “srvdnsmgt” do not run correctly.
529930	Scrolling in Jira is not working in SSL VPN web mode.
530223	SSL VPN wants client certificate even when no client-cert for realm is configured.
530833	Synology NAS login page stuck after login when accessing by SSL VPN Web portal.
531683	Can’t authenticate on internal web server using web mode SSL VPN.
531827	Active cache memory leak after upgrade to 6.0.3 GA.
532261	SSL VPN web mode RDP connection not working when security set to NLA.
532464	Unable to load webpage in SSL VPN Webmode.
533008	SSL web mode is not modifying links on certain web pages.
534728	Unable to get dropdown menu from internal server via SSL VPN web mode connection.
535739	SSL VPN bookmark fails with JavaScript error.
536058	Redirected port is not entered in the URL through SSL VPN web mode.
536847	Not able to access OnlyOffice through SSL VPN web mode.
Bug ID	Description
537120	Adding latest macOS in the SSL OS-check-list.
537133	SSL VPN web mode gets redirected out of SSL VPN proxy.
537275	SSL VPN for users with passwords that expires allows password change after the password is expired.
537341	SSL bookmark is not loading a SAP portal information.
538904	Unable to receive SSL tunnel IP address.
539187	SSL VPN random stale sessions exhausting IP pool.
539948	Unable to load webpage in SSL VPN web mode.
545492	Unable to change tabs for internal website through web SSL VPN HTTPS bookmark.

Switch Controller

Bug ID	Description
306406	FortiSwitch Ports page display improvements.
503402	Switch controller event: duplicate description for different log IDs.
512112	Add allowaccess profile to the physical interfaces on the FortiSwitch.
522457	After a physical port of FortiLink LAG has link down/up, fortilinkd packet cannot be sent from FortiGate to FortiSwitch.
527521	On FortiSwitch Ports page, Display More does not work.
529915	FortiGate sends FortiSwitch serial# in SNMP trap fgFcSwName instead of FortiSwitch hostname.
530237	HA cluster out-of-sync after changing port POE mode on switch-controller managed-switch settings : Double commit.

System

Bug ID	Description
370151	CPU doesn’t remove dirty flag when returns session back to NP6.
404944	Kernel Panic on creation of aggregate interface belonging to different NP6, when NP6 is configured in low latency mode.
408977	802.1AX L4 algorithm and NP4 do not distribute UDP evenly on egress LAG bundle.
415910	CPU cores utilization shows 0 percent while handling CPS in 5.4.
435910	On FG-50E and FG-51E ifHCOutOctets rolls as if counter32.
462178	Front Panel “SPEED” LED is flushing Green when Transmitting & receiving data.

 

Bug ID	Description
466805	Adding USB Host devices to a virtual machine connected by USB to FortiGate 500D causes the units to restart in loop.
468684	EHP drop improvement for units using NP_SERVICE_MODULE.
471191	Request to improve CLI help text for config system NP6 session-timeout options.
474737	fwgrp read&read-write access profile doesn’t work properly.
477886	PRP support.
479533	skippingBad tar header message flooding on console after rebooting box and retrieving logs.
481511	Sniffer packet feature does not display any reverse packets on trunk interface.
482916	WAD crash with signal 6.
488400	FGFM sessions timeout when NPU offloaded (also applies to 6.0.0).
489772	vlan-filter is not straightforward.
491425	FortiGate sends MAB packet two minutes after receiving Access-Reject.
492441	Policy packet capture does not show timestamp.
492655	DNSproxy does not seem to update link-monitor module.
493126	One of the aggregate port members is transmitting irregularly LACP packets.
495572	Some of the FortiGate SNMP OIDs not giving any value.
496934	DNS Domain List.
498636	External resource should not update CMDB and cause FortiManager revision.
499435	Allow packet sniffer to use RAM disk.
503318	Accessing FDS via proxy server without DNS resolution.
504057	Service Object Limitation of 4096 needs to be increased.
505252	EMAC VLAN: SNMP data is incorrect.
505468	Incorrect SNMP answer for get-next.
505522	Intermittent failure of DHCP address assignment.
505715	DHCP lease new IP to same EFTPOS S800 device cause DHCP lease exhausted.
505927	ddnscd fortiddns monitor-interface is not being updated properly.
505930	FG3700D freeze when deleting VDOM.
506223	FortiGate is not compliant with rfc3397 (Domain Search Option Format).
507518	Partial configuration loss after root VDOM restore.

 

Bug ID	Description
509939	Firewall objects not visible or editable (Return code -361) when logged in via SSH key authentication.
510200	FGT DNS configuration doesn’t allow one word domain names.
510419	HTTP link-monitor – response parser is case-sensitive (Content-Length header).
511018	SSH/SSL VPN connection to external VLAN interface drop by changing unrelated interface IP or restart OSPF.
513339	Finisar FCLF8521p2BTL (FG-TRAN-GC) and (FS-TRAN-GC) FCLF8522P2BTL transceivers not detected by FortiOS.
513419	High CPU on some cores of CPU & packet drops around 2-3%.
516783	DSA and RSA fingerprints are identical.
519246	ipmc_sensord process not checking sensors due to pending jobs.
519492	Not able to access TP FortiGate from different network.
519493	MCLAG: if remote side change systemID, only one port goes down, the other remains up.
521193	DNSPROXY causing high CPU usage.
521902	Addresses are taking a long time to load.
524083	MSS size negotiation is wrong when configured MTU value is less than 297.
524422	Merge br_6-0_sp back to 6.0 and 6.2.
525813	FortiGate managed by FortiManager intermittently going offline after rebooting FortiGate.
526240	Inactive interfaces in LAG causing unbalance packet distribution and link saturation.
526646	LAG interface flaps when the member ports go up.
526771	Allow sit-tunnel to not specify the source address.
526788	Password policy forces password change even if expire-status is disabled.
527390	Kernel panic in the HA cluster with FortiGate-3800D units running FortiOS v6.0.0 build 0200
527599	Internal prioritization of OSPF/BGP/BFD packets in conjunction with HPE feature.
527902	TXT records are truncated in DNS replies, when FortiGate is used as DNS server.
528004	Add global log device statistics to SNMP.
528465	GRE tunnel does not come up.
531584	Kernel Panic when Fragmented Multicast Traffic received on EMAC-VLAN interface.
531636	Certificate chain validation fails when trying to fetch the intermediate CA cert; untrusted cert presented.
532966	In SNMPv3 config, to select the Encryption Algorithm should be “Encryption Algorithm” instead of the label “Authentication Algorithm”.
Bug ID	Description
533556	Read-only admin account can delete IPsec SA.
535420	SNMPv3 traps settings are not available in the GUI.
535730	Memory leak after upgrade to 6.0.4.
536520	GTP Tunnel States are not synced on subordinate unit after a reboot.
536817	FortiGate sending DHCP offer using broadcast.
539090	Modifying FortiGate administrator password to complex ones via SSH triggers a FortiManager password change by auto-update.
540634	Status of a port member of a redundant interface changes if an alias is set.
541211	Cannot create soft switch with VX LAN interface under same base interface.
541243	DHCP option doesn’t include all NTP servers.
542258	DHCP exclusion isn’t used for new DHCP range if the range is lower than the existing DHCP range.

Upgrade

Bug ID	Description
495994	After upgrade to V5.4.9, observing lot of IPS syntax errors on the console screen.
511529	vdom-property limits error after upgrade from 5.4.6 to 5.6.3.
524948	Wrong management-vdom after upgrade from V6.0 or rebooting FortiGate.
530793	config-error-log shows after upgrade from v5.6.6 to v5.6.7.

User & Device

Bug ID	Description
437117	Single Sign-on, multiple FSSO polling servers with the same AD (LDAP) server, cannot select the same user or group.
453095	Mobile FortiTokens not assignable VDOM in vcluster on slave unit.
470803	fnbamd uses high CPU when receive user member groups.
499941	Not able to SSH into FortiGate through FortiManager using TACAS+ user.
516403	FSSO – established session aren’t re-evaluated when a user is removed from an Active Directory group.
523891	FortiGate: Unable to browse structure of Netscape LDAP.
525648	FortiOS does not prompt for token when Access-Challenge is received – RADIUS authentication fails.
525816	LDAP search issue after upgrade to 5.6.6 build 3444 from 5.6.5 build 3342.
525925	Unable to login to FortiGate using Symantec 2-factor authentication.
Bug ID	Description
525929	LDAPS requests fail with fnbamd stop error “Not enough bytes”. LDAP works fine. Additional timeout observed.
527340	FortiGate fails to match User group after passing authentication (Local User).
529945	Local certificate content changes should be directly applied for the admin-server-cert sent to the client browser.
535279	FortiGate sends error user password to RADIUS server for CMCC auth user sometimes.
538304	Aggregate interface (four member) flapps when the third member interface goes down.
538407	FortiOS doesn’t allow setting source-ip for mobile token activation.

Bug ID	Description
500087	Support WCCP set up with one arm WCCP web cache diagram.

VM

Bug ID	Description
484540	FOS VM serial number changes during firmware upgrade.
512019	FortiGate VM closed network + UTM license showing Package update failed due to invalid contract.
512713	Connectivity loss between FGT-SVM and FGT-VMX cause license to became invalid after one hour.
526471	VMX: Adding a security group with ~30+ devices into the redirection policy the connection starts to experience huge delay.
528405	FortiMeter Consumption is not accurate.
540062	Kernel panic after upgrade from 5.6.7 to 5.6.8.
541531	Service Manager is not automatically updated with the NSX dynamic security groups.

VoIP

Bug ID	Description
508277	Non-SIP packet send to SIP ALG got dropped with no log.
509625	Issues with RTP when ISP connections flaps when two equal default routes are present.

WCCP Web Application Firewall

Bug ID	Description
463468	Clients are unable to connect to the mail server when WAF is enabled on the VIP policy.

Web Filter

Bug ID	Description
486087	Unable to open one URL on the redirection after the upgrade.
499604	Web Filter profile with SSL does not check SNI against server certificate.
499864	Web Filter profile’s proxy options to allow corporate Gmail accounts gets overlooked if “general interest” category is blocked.
506707	Web filter CLI only options are unset when clicking Apply via GUI.
507253	ovrd-auth-port-https uses VIP’s mapped IP as CN when no TLS SNI is present.
509860	Regex case insensitivity flag is ignored in 5.6.5 and 6.0.2 when FortiGate is in proxy mode.
526555	WAD Segmentation Signal 11 in 6.0.3.
531101	Web Filter inspection proxy mode unable to resolve hostname because website is unrated.
531471	The URL filter is not blocking a page when there are many entries in it.
532823	Wrong FortiGuard page displayed with Override enabled on Web Filter profile.
536099	“Filtering Services Availability” keeps showing as green even when port 8888 is blocked by an upstream device.
541539	URL filter wildcard expression not matched correctly in proxy mode.

WiFi Controller

Bug ID	Description
503106	Remote site client connected to the FAP14C Ethernet port is randomly not able to reach the LAN client connected to the FortiGate.
505661	FortiWiFi sends DHCP Offer as a unicast address via WiFi interface even though the BROADCAST bit is set to “1” in DHCP Discover.
507622	FortiGate does not send WTP-ID in RADIUS accounting packet when client is connected with captive-portal SSID.
512606	FortiWiFi not working with FortiPresence Pro.
519321	FWF-50E kernel panic due to a WiFi driver issue.
520521	Application hostapd crashed – causing a wireless outage.
521832	CAPWAP traffic is not offloaded successfully when using dynamic-vlan SSID and IPS profile or AV profile is enabled in the policy.
Bug ID	Description
522762	Frequent hostapd crash.
525959	Part of FAP221C and FAPC24JE went offline and failed to be managed by the controller again.
527587	Different accounting behavior between FAP221C and FAPC24JE for CMCC portal auth.
530328	CAPWAP traffic dropped when offloaded if packets are fragmented.
543562	11r clients stuck on the default/fail VLAN when using WPA2 enterprise and dynamic-vlan while roaming between APs.

Common Vulnerabilities and Exposures

Visit https://fortiguard.com/psirt for more information.

Bug ID	CVE references
395544	FortiOS 6.2.0 is no longer vulnerable to the following CVE Reference: l CVE-2017-17544
452730	FortiOS 6.2.0 is no longer vulnerable to the following CVE Reference: l CVE-2017-14186
495090	FortiOS 6.2.0 is no longer vulnerable to the following CVE Reference: l CVE-2018-13366
496642	FortiOS 6.2.0 is no longer vulnerable to the following CVE Reference: l CVE-2018-13371
502940	FortiOS 6.2.0 is no longer vulnerable to the following CVE Reference: l CVE-2018-13374
510148	FortiOS 6.2.0 is no longer vulnerable to the following CVE Reference: l CVE-2018-15473
528040	FortiOS 6.2.0 is no longer vulnerable to the following CVE Reference: l CVE-2018-13384
529353	FortiOS 6.2.0 is no longer vulnerable to the following CVE Reference: l CVE-2018-13380
529377	FortiOS 6.2.0 is no longer vulnerable to the following CVE Reference: l CVE-2018-13379
529712	FortiOS 6.2.0 is no longer vulnerable to the following CVE Reference: l CVE-2018-13381
529719	FortiOS 6.2.0 is no longer vulnerable to the following CVE Reference: l CVE-2018-13383
529745	FortiOS 6.2.0 is no longer vulnerable to the following CVE Reference: l CVE-2018-13382

 

Bug ID	CVE references
534592	FortiOS 6.2.0 is no longer vulnerable to the following CVE Reference: l CVE-2019-5587
539553	FortiOS 6.2.0 is no longer vulnerable to the following CVE Reference: l CVE-2019-5586

 

Known Issues

The following issues have been identified in version 6.2.0. For inquires about a particular bug or to report a bug, please contact Customer Service & Support.

Application Control

Bug ID	Description
435951	Traffic keeps going through the DENY NGFW policy configured with URL category.

Data Leak Prevention

Bug ID	Description
548396	DLP archiving intermittently blocks a file when it should be log only.
547437	WAD crash due to scheduler error occurs when oversized file is bypassing the DLP sensor.

Explicit Proxy

Bug ID	Description
548415	User cannot pass authentication after timeout if using IP-based authentication.
Firewall
Bug ID	Description
541348	Shaper in shaping policy is not applied when URL category is configured.

FortiView

Bug ID	Description
375172	FortiGate under a FortiSwitch may be shown directly connected to an upstream FortiGate.
482045	FortiView – no data shown on Traffic from WAN.
526956	FortiView widgets get deleted upon upgrading to B222.
544017	FortiView > VPN 1 hour historical shows entries from 8 hours ago when logged in from FortiCloud.

GUI

Bug ID	Description
439185	AV quarantine cannot be viewed and downloaded from detail panel when source is FortiAnalyzer.
442231	Link cannot show different colors based on link usage legend in logical topology real time view.
451776	Admin GUI has limit of 10 characters for OTP.
504770	Introduce an enable/disable button in the GUI to toggle central SNAT table.
532309	Custom device page keep loading and cannot create device group.
546254	Forward traffic log cannot be shown on Windows Edge browser.
546953	DNS Filter column and Profile Group column is missing on policy list.
547393	GUI still shows fortianalyzer-cloud connection status error even after FortiGate connects to fortianalyzer-cloud.
547458	Cannot access VOIP profile list and only the default profile editor is shown.
547808	Security rating event logs cannot be shown in split-vdom FortiGate GUI.
548091	Cannot configure network interface IP addresses from GUI for FG-5001D and FG-5001E.

HA

Bug ID	Description
479987	FG MGMT1 does not authenticate Admin RADIUS users through primary unit (secondary unit works).

Intrusion Prevention

Bug ID	Description
445113	IPS engine 3.428 on FortiGate sometimes cannot detect Psiphon packets that iscan can detect.
548649	IPS custom signature is not detected after FortiGate is rebooted or upgraded.

IPsec VPN

Bug ID	Description
469798	The interface shaping with egress shaping profile doesn’t work for offloaded traffic.
481201	The OCVPN feature is delayed about one day after registering on FortiCare.
545871	IPsec tunnel can’t establish if OCVPN members with different Fortinet_CA and Fortinet_factory cert.

Log & Report

Bug ID	Description
412649	In NGFW Policy mode, FortiGate does not create web filter logs.

Proxy

Bug ID	Description
546360	When applying proxy address in transparent proxy policy, FortiGate blocks traffic and reports SSL_ ERROR_SYSCALL.
548233	SMTP, POP3, IMAP starttls cannot be exempted by FortiGate when first time traffic goes through FortiGate.

Bug ID	Description
304199	Using HA with FortiLink can encounter traffic loss during failover.
357360	DHCP snooping may not work on IPv6.
462552	Add an extra dialog in the interface page to clean up config when changing a FortiLink interface back to a regular port.
548145	Configuring FortiLink from GUI does not work on platforms that do not support hardware switch.

Security Fabric

Bug ID	Description
403229	In FortiView display from FortiAnalyzer, the upstream FortiGate cannot drill down to final level for downstream traffic.
411368	In FortiView with FortiAnalyzer, the combined MAC address is displayed in the Device field.
547659	Access denied error when reviewing security recommendations from physical topology in VDOM mode.
547509	Fail to configure Security Fabric if only enable FortiAnalyzer cloud logging not FortiAnalyzer logging in GUI.

SSL VPN

Bug ID	Description
405239	URL rewritten incorrectly for a specific page in application server.
476838	Check domain log-on as SSL VPN host checks condition.
495522	RDP session freezes when using SSL VPN tunnel mode.

Switch Controller

Bug ID	Description
548453	Ondemand platforms show error with FortiCare/FortinetOne login.
548531	FGT-AWS HA failover and SDN using IAM role do not work due to AWS IAM role token length being +increased.

System

Bug ID	Description
295292	If private-data-encryption is enabled, when restoring config to a FortiGate, the FortiGate may not prompt the user to enter the key.
364280	User cannot use ssh-dss algorithm to login to FortiGate via SSH.
385860	FG-3815D does not support 1GE SFP transceivers.
436746	NP6 counter shows packet drops on FG-1500D. Pure firewall policy without UTM.
472843	When FortiManager is set for DM = set verify-install-disable, FortiGate does not always save script changes.
474132	FG-51E hang under stress test since build 0050.
494042	If we create VLAN in VDOM A, then we cannot create ZONE name with the same VLAN name in VDOM B.
495532	EHP drop improvement for units with no NP_SERVICE_MODUL.
548076	FortiGateCloud cannot restore configuration on FortiGate.

Upgrade

Bug ID	Description
470575	After upgrading from 5.6.3, g-sniffer-profile and sniffer-profile exist for IPS and web filter.
473075	When upgrading, multicast policies are lost when there is a zone member as interface.
481408	When upgrading from 5.6.3 to 6.0.0, the IPv6 policy is lost if there is SD-WAN member as interface.
494217	Peer user SSL VPN personal bookmarks do not show when upgrade to 6.0.1. Workaround: Use CLI to rename the user bookmark to the new name.
539112	Devices configured under security-exempt-list become void after upgrade.
548256	Upgrading to v6.2 from v6.0.x causes CIFS/SMB configurations in AV profile to be lost.

VM

Web Filter

Bug ID	Description
538593	B0821: FGD service on https/8888 does not work well under specific wanopt topology.
544342	When encryption is set to yes, file-type incorrectly shows all file types when only zip files are supported.
544342	Web filter file: filter match only encrypted files will still block un-encrypted MS Office files.
545334	Web filter file filtering does not support FTP traffic inspection but user can still configure FTP protocol in GUI and CLI.
547772	Web filter FGD category is not detected by sniffer policy for HTTPS traffic.

 

Limitations

Citrix XenServer limitations

The following limitations apply to Citrix XenServer installations:

• XenTools installation is not supported.
• FortiGate-VM can be imported or deployed in only the following three formats:
• XVA (recommended)
• VHD l OVF
• The XVA format comes pre-configured with default configurations for VM name, virtual CPU, memory, and virtual NIC. Other formats will require manual configuration before the first power on process.

Open source XenServer limitations

When using Linux Ubuntu version 11.10, XenServer version 4.1.0, and libvir version 0.9.2, importing issues may arise when using the QCOW2 format and existing HDA issues.