FortiOS 6.0.2 Release Notes (2023)

This document provides the following information for FortiOS 6.0.2 build 0163:

Supported models

FortiOS 6.0.2 supports the following models.

FortiGate: FG-30D, FG-30E, FG-30E_3G4G_INTL, FG-30E_3G4G_NAM, FG-30D-POE, FG-50E, FG-51E, FG-52E, FG-60D, FG-60D-POE, FG-60E, FG-60E-POE, FG-61E, FG-70D, FG-70D-POE, FG-80D, FG-80E, FG-80E-POE, FG-81E, FG-81E-POE, FG-90D, FG-90D-POE, FG-90E, FG-92D, FG-94D-POE, FG-98D-POE, FG-100D, FG-100E, FG-100EF, FG-101E, FG-140D, FG-140D-POE, FG-140E, FG-140E-POE, FG-200D, FG-200D-POE, FG-200E, FG-201E, FG-240D, FG-240D-POE, FG-280D-POE, FG-300D, FG-300E, FG-301E, FG-400D, FG-500D, FG-500E, FG-501E, FG-600D, FG-800D, FG-900D, FG-1000D, FG-1200D, FG-1500D, FG-1500DT, FG-2000E, FG-2500E, FG-3000D, FG-3100D, FG-3200D, FG-3700D, FG-3800D, FG-3810D, FG-3815D, FG-5001D, FG-3960E, FG-3980E, FG-5001E, FG-5001E1

FortiWiFi: FWF-30D, FWF-30E, FWF-30E_3G4G_INTL, FWF-30E_3G4G_NAM, FWF-30D-POE, FWF-50E, FWF-50E-2R, FWF-51E, FWF-60D, FWF-60D-POE, FWF-60E, FWF-61E, FWF-90D, FWF-90D-POE, FWF-92D

FortiGate Rugged: FGR-30D, FGR-35D, FGR-60D, FGR-90D

FortiGate VM: FG-SVM, FG-VM64, FG-VM64-HV, FG-VM64-KVM, FG-VMX, FG-VM64-XEN, FG-VM64-GCP, FG-VM64-OPC, FG-VM64-AZURE, FG-VM64-AZUREONDEMAND, FG-VM64-GCPONDEMAND

Pay-as-you-go images: FOS-VM64, FOS-VM64-KVM, FOS-VM64-XEN

FortiOS Carrier: FortiOS Carrier 6.0.2 images are available upon request, but are not available on the Customer Service & Support firmware download page.

WAN optimization and web caching features

WAN optimization and web caching features were removed from the 60D and 90D series platforms starting with 6.0.0, because of their limited disk size. Affected platforms:

  • FGT-60D
  • FGT-60D-POE
  • FWF-60D
  • FWF-60D-POE
  • FGT-90D
  • FGT-90D-POE
  • FWF-90D
  • FWF-90D-POE
  • FGT-94D-POE

After upgrading from a 5.6 patch release to 6.0.0, diagnose debug config-error-log read shows command parsing errors for the removed wanopt and webcache settings.

FortiGuard Security Rating Service

Not all FortiGate models can run the FortiGuard Security Rating Service as the Security Fabric root device. The following FortiGate platforms can run the Security Rating Service when they are added to an existing Fortinet Security Fabric whose root is a supported FortiGate model:

FGR-30D-A, FGR-30D, FGR-35D, FGR-60D, FGR-90D, FGT-200D, FGT-200D-POE, FGT-240D, FGT-240D-POE, FGT-280D-POE, FGT-30D, FGT-30D-POE, FGT-30E, FGT-30E-MI, FGT-30E-MN, FGT-50E, FGT-51E, FGT-52E, FGT-60D, FGT-60D-POE, FGT-70D, FGT-70D-POE, FGT-90D, FGT-90D-POE, FGT-94D-POE, FGT-98D-POE, FWF-30D, FWF-30D-POE, FWF-30E, FWF-30E-MI, FWF-30E-MN, FWF-50E-2R, FWF-50E, FWF-51E, FWF-60D, FWF-60D-POE, FWF-90D, FWF-90D-POE, FWF-92D

Built-in certificate

FortiGate and FortiWiFi D-series and later models have a built-in Fortinet_Factory certificate that uses a 2048-bit key and DH group 14.

FortiGate and FortiWiFi-92D hardware limitations

FortiOS 5.4.0 reported issues with the FG-92D model in the Special Notices > FG-92D High Availability in Interface Mode section of its release notes. These issues, all related to using ports 1 through 14, included:

  • PPPoE fails; HA cannot be formed.
  • IPv6 packets are dropped.
  • FortiSwitch units are not discovered.
  • Depending on the network topology, spanning tree loops may occur.

FG-92D and FWF-92D do not support STP. These issues were improved in FortiOS 5.4.1, but the fix introduced a new command, enabled by default, that has side effects:

    config system global
        set hw-switch-ether-filter {enable | disable}
    end

When the command is enabled:

  • ARP (0x0806), IPv4 (0x0800), and VLAN (0x8100) packets are allowed.
  • BPDUs are dropped, so no STP loop occurs.
  • PPPoE packets are dropped.
  • IPv6 packets are dropped.
  • FortiSwitch devices are not discovered.
  • Depending on the network topology, HA may not form.

When the command is disabled:

  • All packet types are allowed, but depending on the network topology, an STP loop may occur.

FG-900D and FG-1000D

CAPWAP traffic is not offloaded if the ingress and egress ports are on different NP6 chips. It is offloaded only when both the ingress and egress ports belong to the same NP6 chip.

FortiClient (Mac OS X) SSL VPN requirements

When using SSL VPN on Mac OS X 10.8, you must enable SSLv3 in FortiOS. SSLv3 is obsolete and cryptographically weak, so enable it only for as long as such clients must be supported and disable it again once they are retired.

FortiClient profile changes

With the introduction of the Fortinet Security Fabric, FortiClient profiles on the FortiGate have been updated. FortiClient profiles on the FortiGate are now used mainly for endpoint compliance, while FortiClient Enterprise Management Server (EMS) is used for FortiClient deployment and configuration.

FortiClient profiles on the FortiGate are used for compliance-related FortiClient features such as antivirus, web filter, vulnerability scan, and application firewall. You can set the non-compliance action to Block or Warn.

FortiClient users can change FortiClient features locally to meet the FortiGate compliance standards. You can also configure endpoints centrally using FortiClient EMS. EMS also supports additional features such as VPN tunnels and other advanced options. For more information, see the FortiOS Handbook - Security Profiles.

Using the dedicated management interfaces (mgmt1 and mgmt2)

For best stability, use the management ports (mgmt1 and mgmt2) for management traffic only. Do not use the management ports for general user traffic.

Upgrade to FortiOS 6.0.2

Supported upgrade path information can be found on the Fortinet Customer Service & Support site.

To view information about supported upgrade paths:

  1. Go to https://support.fortinet.com.
  2. From the Download menu, select Firmware Images.
  3. Check that Select Product is FortiGate.
  4. Click the Upgrade Path tab and select the following:
     • Current Product
     • Current FortiOS Version
     • Upgrade To FortiOS Version
  5. Click Go.

Before upgrading, make sure that port 4433 is not used for admin-port or admin-sport (in config system global), or for SSL VPN (in config vpn ssl settings). If you are using port 4433, you must change admin-port, admin-sport, or the SSL VPN port to a different port number before upgrading. This does not apply if you are upgrading from 5.6.2 or 5.6.3.

Physical interfaces in a zone

Upgrading from 5.6.3 or later removes all members of a zone if the zone contains a physical interface and at least one of that physical interface's VLAN interfaces. For example:

Before upgrade:

    config system zone
        edit "Trust"
            set interface "port1" "Vlan01" "Vlan02" "Vlan03"
        next
    end

After upgrade:

    config system zone
        edit "Trust"
        next
    end

Remove "port1" from the list and the upgrade will preserve the VLANs.

Condition for a physical interface zone member to be removed:
  • The physical interface has a VLAN interface associated with it (regardless of whether the VLAN is in the same zone or in any zone).

Condition for a VLAN interface zone member to be removed:
  • The parent physical interface is also a member of a zone.

You can use either of the following options to prepare for the upgrade:
  • Use only physical interfaces that have no VLAN association, or
  • Create a new VLAN in place of the current physical interface zone member and remove all physical zone members from the zone, leaving only the associated new VLAN entry.

Fortinet Security Fabric upgrade

FortiOS 6.0.2 greatly increases interoperability with other Fortinet products. This includes:

  • FortiAnalyzer 6.0.0
  • FortiClient 6.0.0
  • FortiClient EMS 6.0.0
  • FortiAP 5.4.4 and later
  • FortiSwitch 3.6.4 and later

Upgrade the firmware for each product in the correct order. This keeps the network connected without the need for manual steps.

Before upgrading any product, you must read the FortiOS Security Fabric Upgrade Guide.

TLS service minimum version changes

To improve security, FortiOS 6.0.2 uses the ssl-min-proto-version option (under config system global) to control the minimum SSL/TLS protocol version used for communication between the FortiGate and third-party SSL and TLS services.

When you upgrade to FortiOS 6.0.2 or later, the default ssl-min-proto-version is TLS v1.2. The following SSL and TLS services inherit the global setting and therefore default to TLS v1.2. You can override the setting per service, but an override to a lower version re-enables protocol versions with known weaknesses for that connection, so treat any such override as a temporary exception.

  • Email server (config system email-server)
  • Certificates (config vpn certificate setting)
  • FortiSandbox (config system fortisandbox)
  • FortiGuard (config log fortiguard setting)
  • FortiAnalyzer (config log fortianalyzer setting)
  • LDAP server (config user ldap)
  • POP3 server (config user pop3)
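The three pre-upgrade checks from this section of the notes (port 4433 in use by admin-port, admin-sport or SSL VPN; zone members that the 6.0.2 upgrade drops when a physical interface and its VLANs are mixed in zones; and the effective ssl-min-proto-version each service ends up with once the global default is inherited) can be run against a configuration backup before the firmware is touched. The following is an added example and not Fortinet's code: the parser handles the config/edit/set/next/end backup format, the sample configuration is constructed for the demo (interface and LDAP names are invented), and it assumes a single-VDOM backup in which every table sits at the top level. The service paths are the CLI tables named above; a missing or "default" ssl-min-proto-version is treated as inheriting the global value.

```python
import shlex

# Constructed sample backup (not from a real device); names and ports are
# invented, single-VDOM layout so every table sits at the top level.
SAMPLE_CONFIG = """\
config system global
    set admin-sport 4433
    set ssl-min-proto-version TLSv1-2
end
config system interface
    edit "port1"
    next
    edit "Vlan01"
        set interface "port1"
        set vlanid 10
    next
end
config system zone
    edit "Trust"
        set interface "port1" "Vlan01"
    next
end
config user ldap
    edit "legacy-dc"
        set ssl-min-proto-version TLSv1
    next
end
"""

def parse_fortios_config(text):
    """Nest config/edit/set/next/end into dicts: 'config a b' -> key "a b",
    'edit "x"' -> key "x", 'set k v1 v2' -> k: ["v1", "v2"]."""
    root = {}
    stack = [root]
    for line in text.splitlines():
        toks = shlex.split(line)
        if not toks:
            continue
        kw, args = toks[0], toks[1:]
        if kw == "config":
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif kw == "edit":
            stack.append(stack[-1].setdefault(args[0], {}))
        elif kw in ("next", "end"):
            stack.pop()
        elif kw == "set":
            stack[-1][args[0]] = args[1:]
    return root

def check_port_4433(cfg):
    """Settings still on port 4433; each must be moved before the upgrade."""
    hits = []
    glob = cfg.get("system global", {})
    for key in ("admin-port", "admin-sport"):
        if glob.get(key, [""])[0] == "4433":
            hits.append(f"system global {key}")
    if cfg.get("vpn ssl settings", {}).get("port", [""])[0] == "4433":
        hits.append("vpn ssl settings port")
    return hits

def check_zone_members(cfg):
    """(zone, member, reason) for members the 6.0.2 upgrade drops: a physical
    interface carrying VLANs, or a VLAN whose parent is itself in any zone."""
    zones = cfg.get("system zone", {})
    ifaces = cfg.get("system interface", {})
    parent = {n: a["interface"][0] for n, a in ifaces.items() if "vlanid" in a}
    zoned = {m for z in zones.values() for m in z.get("interface", [])}
    out = []
    for zname, attrs in zones.items():
        for m in attrs.get("interface", []):
            if m in parent.values():
                out.append((zname, m, "physical interface with VLAN children"))
            elif parent.get(m) in zoned:
                out.append((zname, m, f"parent {parent[m]} is also a zone member"))
    return out

TLS_RANK = {"SSLv3": 0, "TLSv1": 1, "TLSv1-1": 2, "TLSv1-2": 3}
TLS_SERVICES = ("system email-server", "vpn certificate setting", "system fortisandbox",
                "log fortiguard setting", "log fortianalyzer setting", "user ldap", "user pop3")

def effective_tls_minimum(cfg):
    """Effective ssl-min-proto-version per service or table entry; an absent or
    'default' value inherits system global (TLSv1-2 when that is unset)."""
    global_min = cfg.get("system global", {}).get("ssl-min-proto-version", ["TLSv1-2"])[0]
    result = {}
    for path in TLS_SERVICES:
        node = cfg.get(path, {})
        entries = {f"{path} {n}": a for n, a in node.items() if isinstance(a, dict)}
        for name, attrs in (entries or {path: node}).items():
            value = attrs.get("ssl-min-proto-version", ["default"])[0]
            result[name] = global_min if value == "default" else value
    return result

def weak_tls_services(cfg, floor="TLSv1-2"):
    """Services whose effective minimum falls below the floor."""
    return sorted(n for n, v in effective_tls_minimum(cfg).items()
                  if TLS_RANK[v] < TLS_RANK[floor])

CFG = parse_fortios_config(SAMPLE_CONFIG)
```

On the sample, check_port_4433 reports the admin-sport collision, check_zone_members flags port1 (it carries Vlan01) and Vlan01 (its parent is zoned), and weak_tls_services singles out the LDAP entry whose per-table override drops the floor to TLSv1 while every other service inherits TLSv1-2. Replace SAMPLE_CONFIG with the text of a real backup to lint a device.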

Downgrading to a previous firmware version

Downgrading to a previous firmware version results in loss of configuration on all models. Only the following settings are retained:

  • Operation mode
  • Interface IP/management IP
  • Static routing table
  • DNS settings
  • VDOM parameters/settings
  • Admin user accounts
  • Session helpers
  • System access profiles

If you have long VDOM names, you must shorten them (maximum 11 characters) before downgrading:

  1. Back up your configuration.
  2. In the backup configuration, replace all long VDOM names with their corresponding short VDOM names. For example, replace edit <long_vdom_name> with edit <short_vdom_name>.
  3. Restore the configuration.
  4. Perform the downgrade.

Amazon AWS enhanced networking compatibility issue

With this new enhancement, there is a compatibility issue with older AWS VM versions. After downgrading a 6.0.2 image to an older version, network connectivity is lost. Because AWS does not provide console access, you cannot recover the downgraded image.

When downgrading from 6.0.2 to an older version, the enhanced NIC driver is not allowed to run. The following AWS instance types are affected:

  • C3
  • C4
  • R3
  • I2
  • M4
  • D2

FortiGate virtual machine firmware

Fortinet provides FortiGate VM firmware images for the following virtual environments:

Citrix XenServer and Open Source Xen

  • .out: Download the 64-bit firmware image to upgrade an existing FortiGate VM installation.
  • .out.OpenXen.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains QCOW2 files for Open Source Xen.
  • .out.CitrixXen.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains Citrix XenServer Virtual Appliance (XVA), Virtual Hard Disk (VHD), and OVF files.

Linux KVM

  • .out: Download a 64-bit firmware image to upgrade an existing FortiGate VM installation.
  • .out.kvm.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains QCOW2 which can be used by qemu.

Microsoft Hyper-V

  • .out: Download a 64-bit firmware image to upgrade an existing FortiGate VM installation.
  • .out.hyperv.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains three folders that can be imported by Hyper-V Manager on Hyper-V 2012. It also contains a .vhd file in the Virtual Hard Disks folder that can be manually added to Hyper-V Manager.

VMware ESX and ESXi

  • .out: Download a 64-bit firmware image to upgrade an existing FortiGate VM installation.
  • .ovf.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains VMware's Open Virtualization Format (OVF) file and two Virtual Machine Disk Format (VMDK) files that the OVF file uses during deployment.

Firmware image checksums

MD5 checksums for all Fortinet software and firmware releases are available on the Customer Service & Support portal, https://support.fortinet.com. After logging in, select Download > Firmware Image Checksums, enter an image filename including the extension, and select Get Checksum Code. Compare that value with the hash of the file you downloaded before loading it. The comparison only proves anything if the reference value is taken from the portal over HTTPS, and MD5 does not resist deliberately crafted collisions, so treat it as a transfer-integrity check rather than a signature.

FortiGuard update-server-location setting

The FortiGuard update-server-location default differs between hardware platforms and VMs. On hardware platforms the default is any; on VMs the default is usa.

On VMs, update-server-location is set to usa after upgrading from 5.6.3 or earlier to 5.6.4 or later (including 6.0.0 and later).

If necessary, set update-server-location so that the closest or lowest-latency FDS server is used:

    config system fortiguard
        set update-server-location {usa | any}
    end

FortiOS 6.0.2 support

The following lists 6.0.2 product integration and support information.

Web browsers: Microsoft Edge 41; Mozilla Firefox 59; Google Chrome 65; Apple Safari 9.1 (for Mac OS X). Other web browsers may work but are not supported by Fortinet.

Explicit web proxy browsers: Microsoft Edge 41; Microsoft Internet Explorer 11; Mozilla Firefox 59; Google Chrome 65; Apple Safari 9.1 (for Mac OS X). Other web browsers may work but are not supported by Fortinet.

FortiManager: See Important compatibility information in Fortinet Security Fabric upgrade. For the latest information, see FortiManager compatibility with FortiOS in the Fortinet Document Library. Upgrade FortiManager before upgrading FortiGate.

FortiAnalyzer: See Important compatibility information in Fortinet Security Fabric upgrade. For the latest information, see FortiAnalyzer compatibility with FortiOS in the Fortinet Document Library. Upgrade FortiAnalyzer before upgrading FortiGate.

FortiClient (Microsoft Windows, Mac OS X, Linux): 6.0.0. See Important compatibility information in Fortinet Security Fabric upgrade. If FortiClient is managed by FortiGate, you must upgrade FortiClient before upgrading FortiGate. FortiClient for Linux is supported on Ubuntu 16.04 and later, Red Hat 7.4 and later, and CentOS 7.4 and later. If you are using FortiClient only for IPsec VPN or SSL VPN, FortiClient 5.6.0 and later are supported.

FortiClient iOS: 5.6.0 and later

FortiClient Android and FortiClient VPN Android: 5.4.2 and later

FortiAP: 5.4.2 and later; 5.6.0 and later

FortiAP-S: 5.4.3 and later; 5.6.0 and later

FortiSwitch OS (FortiLink support): 3.6.4 and later

FortiController: 5.2.5 and later. Supported models: FCTL-5103B, FCTL-5903C, FCTL-5913C

FortiSandbox: 2.3.3 and later

Fortinet Single Sign-On (FSSO): 5.0 build 0268 and later (needed for FSSO agent support of OU in group filters); Windows Server 2016 Datacenter; Windows Server 2016 Standard; Windows Server 2008 (32-bit and 64-bit); Windows Server 2008 R2 64-bit; Windows Server 2012 Standard; Windows Server 2012 R2 Standard; Novell eDirectory 8.8

FortiExtender: 3.2.1

AV Engine: 6.00012

IPS Engine: 4.00021

Virtualization environments:
  • Citrix: XenServer 5.6 Service Pack 2; XenServer 6.0 and later
  • Linux KVM: RHEL 7.1/Ubuntu 12.04 and later; CentOS 6.4 (qemu 0.12.1) and later
  • Microsoft: Hyper-V Server 2008 R2, 2012, 2012 R2
  • Open Source: Xen 3.4.3; Xen 4.1 and later
  • VMware: ESX 4.0 and 4.1; ESXi 4.0, 4.1, 5.0, 5.1, 5.5, 6.0, 6.5

VM (SR-IOV): The following NIC chipsets are supported: Intel 82599; Intel X540; Intel X710/XL710

Language support

The GUI is available in the following languages:

  • English
  • Chinese (Simplified)
  • Chinese (Traditional)
  • French
  • Japanese
  • Korean
  • Portuguese (Brazil)
  • Spanish

SSL VPN support

SSL VPN standalone client

The following lists the SSL VPN tunnel client standalone installer for the supported operating systems.

Operating system: Linux CentOS 6.5 / 7 (32-bit and 64-bit); Linux Ubuntu 16.04
Installer: build 2336, downloaded from the Fortinet Developer Network, https://fndn.fortinet.net.

Other operating systems may work but are not supported by Fortinet.

SSL VPN web mode

The following lists the supported operating systems and web browsers for SSL VPN web mode.

  • Microsoft Windows 7 SP1 (32-bit and 64-bit), Microsoft Windows 8 / 8.1 (32-bit and 64-bit): Microsoft Internet Explorer 11; Mozilla Firefox 54; Google Chrome 59
  • Microsoft Windows 10 (64-bit): Microsoft Edge; Microsoft Internet Explorer 11; Mozilla Firefox 54; Google Chrome 59
  • Linux CentOS 6.5 / 7 (32-bit and 64-bit): Mozilla Firefox 54
  • OS X El Capitan 10.11.1: Apple Safari 9; Mozilla Firefox 54; Google Chrome 59
  • iOS: Apple Safari; Mozilla Firefox; Google Chrome
  • Android: Mozilla Firefox; Google Chrome

Other operating systems and web browsers may work but are not supported by Fortinet.

SSL VPN host compatibility list

The following lists the supported antivirus and firewall client software packages (host check).

Supported Microsoft Windows XP antivirus and firewall software:

  • Symantec Endpoint Protection 11
  • Kaspersky Antivirus 2009
  • McAfee Security Center 8.1
  • Trend Micro Internet Security Pro
  • F-Secure Internet Security 2009

Supported Microsoft Windows 7 32-bit antivirus and firewall software:

  • CA Internet Security Suite Plus Software
  • AVG Internet Security 2011
  • F-Secure Internet Security 2011
  • Kaspersky Internet Security 2011
  • McAfee Internet Security 2011
  • Norton 360 Version 4.0
  • Norton Internet Security 2011
  • Panda Internet Security 2011
  • Sophos Security Suite
  • Trend Micro Titanium Internet Security
  • ZoneAlarm Security Suite
  • Symantec Endpoint Protection Small Business Edition 12.0

Resolved issues

The following issues have been fixed in version 6.0.2. For inquiries about a specific bug, please contact Customer Service & Support.

Antivirus

Bug ID  Description
487946  The MSS value increases when AV or web filter is used, resulting in Packet Too Large messages.
489308  The scanunit process crashes frequently.
497371  Flow-based AV blocks Windows updates (.cab files).

Application Control

Bug ID  Description
423140  After adding a new custom signature, all IPS sessions are lost.

Authentication and User

Bug ID  Description
477392  Cannot log in to HA slave units using a FortiAuthenticator (FAC) username/password with FortiToken two-factor authentication.
481469  Unable to resolve the hostname of a CRL URL configured in a non-management VDOM.
488566  Renaming a guest user group is not reflected under the guest administrator account assigned to it.
491175  diag test application fnbamd 1 causes fnbamd to go idle, so authentication fails.
491235  New diag command: diag test app wad 13.
491241  Enhanced diag command: diag test app fnbamd 1.
493470  Authenticated users receive an Oops "Authentication Required" page referring to a proxy policy with no authentication.
493930  Admins logged in through the dedicated HA management interface are not visible in the CLI.
495210  Guest user accounts do not show an expiry time, only an expiry date.
496524  After wired captive portal authentication succeeds, the wired PC still receives many HTTP redirects and cannot access the Internet.

Connectivity

Bug ID  Description
463982  FortiManager IP is not set in the FortiGate central management (CM) configuration.
479607  A scheduled auto-update ran twice within 10 seconds, but no log entry was recorded for the first attempt.
481058  Unable to retrieve the configuration revision control list from FortiCloud.

DLP

Bug ID  Description
478524  Diskless models are missing the full-archive protocol options in the DLP sensor configuration when only FortiCloud logging is enabled.
486958  scanunit crashes with signal 14 (alarm clock) when DLP scans bz2 files.
492624  DLP blocks websites in FortiOS 6.0 GA.
496255  Some XML-based MS Office files are identified as ZIP files.

Firewall

Bug ID  Description
474612  SNAT uses low ports below 1023.
475539  Inaccurate NetFlow export: flow measurements do not match SNMP readings.
478681  It should be possible to disable SNAT when a VIP exists and central NAT is enabled.
492961  Setting utm-status disable does not hide the profile group; unsetting profile-group leaves profile-protocol-options empty.
498188  dirty_session_check on FortiGate drops all established VIP64 sessions.
502579  After upgrading from 5.6 to 6.0.1, local-in policies with FQDN addresses do not work.

FortiView

Bug ID  Description
414172  httpsd/dnsproxy high CPU and memory usage under high-rate 1-byte spoofed UDP traffic.

GUI

Bug ID  Description
402457  Improvement request: add Proxy ID Source and Proxy ID Destination fields to the IPsec VPN monitor page.
413881  VDOM link tooltip displays Failed to get information.
444104  Accept/Decline buttons are not visible in the GUI with a long login disclaimer at some screen resolutions.
449598  The Remote LDAP User definition wizard does not pull users.
457627  Request to be able to change the date/time format displayed in the FortiGate GUI.
457721  FortiLink switch controller GUI: allow users to edit FortiLink/ISL port descriptions.
457966  Virtual wire pair: add a VLAN range filter in the GUI.
460617  The GUI FortiGuard Check Again button does not work as expected when FortiGuard service routing (port 8888/53) is wrong.
462011  The GUI is blank when accessed by a RADIUS user with a read-only access profile while the FortiGate is managed by FortiManager.
462072  The GUI should display the full FQDN in reputation search results.
468465  Some filters return no logs when the log source is FortiCloud.
468797  Cannot filter by date or timestamp when viewing logs from FortiCloud.
469082  prof_admin profile administrators cannot display IPv4 source addresses in the GUI.
470241  Raw logs are downloaded from the default location even when another log device is selected in the GUI.
472023  Outbreak prevention detections are counted under 'clean' in the Advanced Threat Protection Statistics widget.
472558  DHCP server GUI is populated with the wrong information when switching from DHCP relay to DHCP server.
473808  Column filters are not persistent and are removed after a page refresh.
474807  There is no way to restore the default page in a replacement message group.
475036  Duplicate entries are found for Virtual Servers in the GUI.
477393  Negative values in Load Balance Monitor logs.
477870  The alias for the modem interface appears in the GUI but not in the CLI.
479468  Link status is lost after the SD-WAN GUI switches to the list editor.
479937  The GUI should hide options that do not apply to certificate inspection.
481902  Visiting the FortiView > Websites page shows the error Failed to fetch FortiView data and httpsd keeps crashing.
482628  The CPU.Speculative.Execution.Timing.Information.Disclosure signature cannot be filtered when Application is selected.
489674  When scrolling to the end of a table, the GUI should show 100% of the entries.
489675  Firefox sometimes fails to delete performance SLA rules.
489715  Destination address should not be mandatory in GUI SD-WAN rules.
492898  FSSO AD group entries can no longer be deleted in the GUI.
493351  Object tooltips from the previous page should not keep being displayed on the current page.
493773  SD-WAN rules in the GUI fail to select the address group grp_citrixfarm as source or destination.
494724  When creating a trunk interface on a managed FortiSwitch, the FortiSwitch ports in the right-hand list show as down even though some ports are up.
496613  Editing a web filter profile in the GUI deletes the web proxy profile and URL filter entries.
497667  The FortiSwitch Ports page loads very slowly.
502785  Remove # interface from the device list.

HA

Bug ID  Description
408886  Uninterruptible upgrade from build 0718 to build 9702 fails with 1.5M BGP routes and a 6M session load.
461915  When standalone configuration synchronization is enabled in FGSP, the IPv6 settings of interfaces are synchronized.
473806  The management interface IP address is copied to the slave when a standalone management VDOM is used.
474622  IPsec itn=0 after a unit joins the FGSP cluster.
482548  Conserve mode caused by hassync consuming most of the memory.
485340  Cluster uptime shows -141 days -20:-31:-50.
486552  vcluster HA failover fails on the 3800D with a large site-to-site IPsec VPN configuration.
487444  After HA failover on the 80E/81E, the FortiGate stops accepting traffic from any interface in the hardware switch.
491311  When a new NAT VDOM is created, the management port is synchronized.
493759  After removing vcluster2 from the HA configuration, all active sessions are terminated once session-ttl is reached.
494029  After a failover, it is sometimes not possible to connect to the Management IP of the backup unit.
501147  Moving a VDOM to a virtual cluster from the GUI causes the cluster to go out of sync.

IPS

Bug ID  Description
478185  Improve detection of fragmented intrusion attacks.
489557  Strange traceroute behavior when IPS is enabled.

IPsec VPN

Bug ID  Description
486756  IPsec VPN traffic is not fragmented when proxy-based UTM is enabled.
489990  Make PKI verification of IDi against the certificate identity optional.
490066  FortiClient with IPsec plus proxy/web filter requires fragmentation.
491305  Packets from FortiClient cannot pass through VXLAN over IPsec, depending on packet size.
492046  FortiGate does not respond to informational exchange messages as required by the RFC.
493918  iked memory leak.

Log & Report

Bug ID  Description
459306  Recommend lowering the threat level for oversized files.
493140  Need to see the application signature name instead of IDs under Log & Report > System Events.
494040  Creating or modifying a security profile generates multiple logs with misleading actions.
497357  When a DNS filter is used and a DNS query times out, the FortiGate logs show the action as blocked.
498519  Web filter authentication fails to set the status field in event log messages.

Proxy

Bug ID  Description
479678  IP pool does not work properly in explicit proxy policies.
482916  WAD crashes with signal 6.
486821  The web application Symphony fails when an AV profile is enabled in the policy.
487096  SSL handshake fails when activating the ESET application.
491417  FortiGate drops Server Hello packets when URL filter is enabled.
491424  Adjust proxy-auth-timeout defaults and units.
491630  With UTM enabled, the client gets no response from the server and receives a 500 Internal Server Error.
494081  After upgrading firmware to v5.6.4, the WAD process crashes with signal 11.

Routing

Bug ID  Description
443948  High memory usage by zebos_launcher and isisd.
482631  OSPF adjacency is lost and fgfmd CPU usage is high while FortiManager pushes policy.
491423  BGP neighbor shutdown: the capability-default-originate parameter is always in use.
491679  FortiGate selects the higher-metric OSPF E2 route for traffic in some cases.
492063  Route-maps cannot set attributes with BGP conditional advertisement.
493454  Kernel 3.2 does not forward large PIM SM bootstrap packets.
494393  Router access lists should not default to any prefix with exact match disabled.
500673  SD-WAN rules for applications do not work after an HA switchover.

SSL VPN

Bug ID  Description
466438  High CPU usage by sslvpnd.
483712  sslvpnd consumes a lot of memory, causing the FortiGate to enter conserve mode.
486918  SSL VPN web mode does not load pages correctly.
489827  In SSL VPN web mode, the Visteon.service-now.com/vss URL does not load.
491895  Web mode SSL VPN HTTP bookmarks do not work.
494948  Confluence does not render correctly in web mode.
494960  SSL VPN web mode fails to load internal web applications.
494978  After upgrading to 5.6.4, authd registers SSL VPN users with the wrong user/group information and breaks SSL VPN.
498249  SCEP needs to be updated with SSL hostname/certificate checking.
501769  SSL VPN: internal website bookmarks do not load correctly (JavaScript error).

Switch

Bug ID  Description
493685  The hardware switch floods traffic.

System

Bug ID  Description
370953  The SLBC worker blade cannot resync with the config master blade because of a frozen confsync daemon.
394509  There are no log entries for failed admin PKI authentication.
414081  SMB1 support is disabled by default on some models.
441483  Confusing: set enable-shaper disable is required to enable HPE protection.
459273  Slave worker blade loses the local administrator account.
462178  The front panel Speed LED blinks green when sending and receiving data.
466317  [api] process is in Z state.
468938  Kernel panic on 3700D slave.
472267  DNS filter performance improvements.
472270  SNMP support for DNS filter counters.
473354  Enable per-session-accounting by default on NP6Lite.
477886  PRP support.
479142  SLBC 5001D slave blade out of sync.
481783  DHCP address assignment sometimes fails; dhcpd crashes multiple times.
485781  Deleting an EMAC VLAN interface in a different VDOM causes loss of connectivity to the EMAC VLAN for 5-7 pings.
493219  softirq and nice CPU usage is high when sending and receiving packets over virtual wire pairs.
494603  Once a trusted host is configured, a FortiGate in transparent mode cannot be accessed via HTTPS/SSH (management access).
494707  FortiGate trusted host settings are not respected.
499332  There is no error message when configuring address .067 and address translation to .55.
499435  Allow the packet sniffer to use the RAM disk.
499793  FortiGate sets the wrong time zone for Paraguay.

Upgrade

Bug ID  Description
495994  After upgrading to 5.4.9, many IPS syntax errors are observed on the console.

VM

Bug ID  Description
493225  FGT-VM01 is missing the diag sys mpstat command option.
499154  FortiGate on Azure rejects the static routing configuration pushed from FortiManager.
501911  On FOS-AWS, prompt that the user password is the instance ID and force the user to change it at first login.

Bug ID  Description
471638  FortiGate disconnects all clients when they roam from AP to AP.
479415  Incorrect Authentication Success Page replacement message.

VoIP

Bug ID  Description
478634  Debug commands do not apply SIP filters.

Web Filter

Bug ID  Description
454634  Per-domain web filter warning prompts are per-category rather than per-domain.
476806  FortiOS incorrectly sends ICMP Destination Unreachable with web filter/certificate inspection.
486171  The Web Rating Override option is not available in flow mode.
490377  The Web Rating Override option does not work properly in proxy-based scenarios.
498231  Sites such as fedex are misclassified as malicious.

Web Proxy

Bug ID  Description
500182  UDP over SOCKS proxy.

WiFi

Bug ID  Description
491248  VAP RADIUS-based MAC authentication should support CoA.
491769  Support third-party external portals with RADIUS MAC authentication.
495995  Custom class overrides do not work.

Common Vulnerabilities and Exposures

Visit https://fortiguard.com/psirt for more information.

Bug ID  CVE references
450553  FortiOS 6.0.2 is no longer vulnerable to CVE-2017-12150, CVE-2017-12151, CVE-2017-12163.
487421  FortiOS 6.0.2 is no longer vulnerable to CVE-2018-13365.
495090  FortiOS 6.0.2 is no longer vulnerable to CVE-2018-13366.
496431  FortiOS 6.0.2 is no longer vulnerable to CVE-2018-9192.
499552  FortiOS 6.0.2 is no longer vulnerable to CVE-2016-7431.

The following issues were found in version 6.0.2. To inquire about a specific bug or to report a bug, please contactcustomer Serve & support.

application control

Vulnerability numberdescribe
435951Traffic continues through the DENY NGFW policy configured with the URL category.

Fortis 3815D

Vulnerability numberdescribe
385860FG-3815D does not support 1GE SFP transceivers.
Vulnerability numberdescribe
256264The live session list cannot display IPv6 sessions and related issues.

FortiSwitch Controller/FortiLink

Bug ID    Description
304199    Using HA with FortiLink may cause traffic loss during failover.
357360    DHCP snooping might not work with IPv6.

FortiView

Bug ID    Description
375172    A FortiGate behind a FortiSwitch may appear to be directly connected to an upstream FortiGate.
453610    FortiView > Policies (or Sources) > Now displays nothing when filtering by a physical interface in PPPoE mode.
460016    In FortiView > Threats, after drilling down one level, clicking Back clears the chart.
482045    FortiView shows no data for Traffic from WAN.
494731    Bug reporting in FortiView.

GUI

Bug ID    Description
439185    Unable to view and download AV Quarantine from the details panel when the source is FortiAnalyzer.
442231    Links cannot be displayed in different colors according to the link legend in the logical topology live view.
451776    The OTP for the management GUI is limited to 10 characters.
470589    The Forward Traffic log details panel Security tab does not show security log details when multiple log facilities are enabled.
487350    FortiGuard Filtering Service Availability shows Unavailable on the GUI when no valid antispam license exists.
493839    Cannot change quota type (time-based, traffic-based).

HA

Bug ID    Description
451470    Unexpected performance degradation in case of inter-chassis HA failback with HA override enabled.
479987    FG MGMT1 does not authenticate admin RADIUS users through the primary unit (the secondary unit works).
503433    The hasync daemon crashes when the management session times out, and the cluster may become out of sync for a short period of time.

IPS

Bug ID    Description
445113    IPS engine 3.428 on FortiGate sometimes fails to detect Psiphon packets that iscan can detect.

IPsec VPN

Bug ID    Description
469798    Interface shaping with an egress shaping profile does not apply to offloaded traffic.
481201    After registering with FortiCare, there is a delay of about one day before OCVPN functionality works.

Log & Report

Bug ID    Description
412649    In NGFW policy mode, FortiGate does not create web filter logs.

Security Fabric

Bug ID    Description
403229    In the FortiAnalyzer FortiView display, the upstream FortiGate cannot drill down to the final level of downstream traffic.
411368    In FortiView with FortiAnalyzer, the combined MAC address is shown under Device.

SSL VPN

Bug ID    Description
405239    Incorrect URL rewriting for specific pages on the application server.

System

Bug ID    Description
295292    If private data encryption is enabled, FortiGate may not prompt the user for the key when restoring a configuration to the FortiGate.
364280    Users cannot log in to FortiGate via SSH using the ssh-dss algorithm.
436746    NP6 counters show packet loss on FG-1500D with a pure firewall policy (no UTM).
440411    Monitor NP6 IPsec engine status.
466048    Unable to detect the Huawei USB LTE E3276.
468684    EHP drop improvements for units using NP_SERVICE_MODULE.
472843    FortiGate does not always save script changes when FortiManager is set to DM=set verify-install-disable.
474132    FG-51E hangs under stress test since build 0050.
482497    Running diagnose npu np6lite session on FGT-201E results in high CPU usage and system instability.
494042    If a VLAN is created in VDOM A, a zone with the same name as that VLAN cannot be created in VDOM B.

Upgrade

Bug ID    Description
470575    After upgrading from 5.6.3, g-sniffer-profile and sniffer-profile exist for IPS and web filter.
473075    When upgrading, multicast policies are lost when there are zone members as interfaces.
481408    When upgrading from 5.6.3 to 6.0.0, IPv6 policies are lost if there are SD-WAN members as interfaces.
494217    Peer-to-peer SSL VPN personal bookmarks do not display after upgrading to 6.0.1. Solution: Rename the user bookmark to a new name using the CLI.

Web Filter

Bug ID    Description
480003    FortiGuard categories do not work in NGFW mode policies.

Citrix XenServer Limitations

The following limitations apply to Citrix XenServer installations:

  • XenTools installation is not supported.
  • FortiGate-VM can only be imported or deployed in the following three formats:
      • XVA (recommended)
      • VHD
      • OVF
  • The XVA format comes pre-configured with default settings for VM name, virtual CPU, memory, and virtual NIC. Other formats require manual configuration before the first power-on.

Open Source XenServer Limitations

When using Ubuntu Linux 11.10, XenServer 4.1.0, and libvirt 0.9.2, there may be import issues when using the QCOW2 format, as well as existing HDA issues.


