FortiOS - Release Notes

Version 6.2.3
FORTINET DOCUMENT LIBRARY
https://docs.fortinet.com

FORTINET VIDEO GUIDE

https://video.fortinet.com

FORTINET BLOG
https://blog.fortinet.com

CUSTOMER SERVICE & SUPPORT

https://support.fortinet.com

FORTINET TRAINING & CERTIFICATION PROGRAM

https://www.fortinet.com/training-certification

NSE INSTITUTE
https://training.fortinet.com

FORTIGUARD CENTER
https://www.fortiguard.com

END USER LICENSE AGREEMENT

https://www.fortinet.com/doc/legal/EULA.pdf

FEEDBACK
Email: [email protected]

October 7, 2021
FortiOS 6.2.3 Release Notes
01-623-597145-20211007
 TABLE OF CONTENTS

Change Log 6
Introduction and supported models 8
Supported models 8
Special branch supported models 8
Special branch support for FortiAP-W2 231 9
Special notices 10
New Fortinet cloud services 10
FortiGuard Security Rating Service 10
Using FortiManager as a FortiGuard server 11
FortiGate hardware limitation 11
CAPWAP traffic offloading 12
FortiClient (Mac OS X) SSL VPN requirements 12
Use of dedicated management interfaces (mgmt1 and mgmt2) 12
NP4lite platforms 12
Tags option removed from GUI 12
System Advanced menu removal (combined with System Settings) 12
L2TP over IPsec on certain mobile devices 13
Unexpected termination of RDP sessions 13
Changes in default behavior 14
Changes in CLI defaults 15
Changes in default values 20
Changes in table size 21
New features or enhancements 22
Upgrade Information 24
Device detection changes 24
FortiClient Endpoint Telemetry license 25
Fortinet Security Fabric upgrade 25
Minimum version of TLS services automatically changed 25
Downgrading to previous firmware versions 26
Amazon AWS enhanced networking compatibility issue 26
FortiLink access-profile setting 27
FortiGate VM with V-license 27
FortiGate VM firmware 27
Firmware image checksums 28
FortiGuard update-server-location setting 28
FortiView widgets 29
Product integration and support 30
Language support 32
SSL VPN support 32
SSL VPN standalone client 32

FortiOS 6.2.3 Release Notes 3

Fortinet Technologies Inc.
 SSL VPN web mode 33
SSL VPN host compatibility list 33
Resolved issues 35
Anti Virus 35
Data Leak Prevention 35
DNS Filter 35
Explicit Proxy 36
Firewall 36
FortiView 36
GUI 37
HA 39
Intrusion Prevention 40
IPsec VPN 40
Log & Report 40
Proxy 41
REST API 41
Routing 42
Security Fabric 42
SSL VPN 43
Switch Controller 44
System 44
Upgrade 46
User & Device 46
VM 47
VoIP 48
Web Filter 48
WiFi Controller 48
Common Vulnerabilities and Exposures 49
Known issues 50
Anti Virus 50
Data Leak Prevention 50
DNS Filter 50
Explicit Proxy 50
Firewall 51
FortiView 51
GUI 51
HA 53
Intrusion Prevention 54
IPsec VPN 54
Log & Report 55
Proxy 55
REST API 55
Routing 55
Security Fabric 56

FortiOS 6.2.3 Release Notes 4

Fortinet Technologies Inc.
 SSL VPN 56
Switch Controller 57
System 57
Upgrade 59
User & Device 59
VM 60
WiFi Controller 61
Limitations 62
Citrix XenServer limitations 62
Open source XenServer limitations 62

FortiOS 6.2.3 Release Notes 5

Fortinet Technologies Inc.
Change Log

Date Change Description

2019-12-19 Initial release.

2019-12-19 Updated Resolved issues and Known issues.

2019-12-20 Updated Changes in CLI defaults.

2019-12-30 Added 585122 to Resolved issues.

2020-01-02 Updated Product integration and support > FortiExtender.

2020-01-03 Updated Known issues.

2020-01-06 Updated Introduction and supported models > Special branch supported models.
Removed image download note from Introduction and supported models.

2020-01-07 Added 581663 to Resolved issues.

2020-01-09 Added FG-60F, FG-61F, FG-100F, and FG-101F to Introduction and supported models >
Special branch supported models.

2020-01-17 Updated Resolved issues and Known issues.

Added Special notices > System Advanced menu removal (combined with System Settings).

2020-01-20 Updated Resolved issues and Known issues.

2020-01-22 Updated New features or enhancements and Known issues.

2020-01-27 Updated Special notices > New Fortinet cloud services.

2020-02-04 Added Special notices > L2TP over IPsec on certain mobile devices (459996).
Updated Resolved issues and Known issues.

2020-02-13 Added Special branch support for FortiAP-W2 231E section in Introduction and supported
models.

2020-02-21 Added FG-2200E, FG-2201E, FG-3300E, and FG-3301E to Introduction and supported models
> Special branch supported models.

2020-02-24 Updated Special notices, New features or enhancements, Known issues, and Resolved issues.

2020-02-25 Updated Known issues and Resolved issues.

2020-03-02 Updated Known issues.

2020-03-03 Updated Special notices, Known issues, and Resolved issues.

2020-03-09 Updated Known issues.

2020-04-07 Moved FG-VM64-AWS and FG-VM64-AWSONDEMAND to Special branch supported models.

2020-04-08 Removed FortiOS Carrier from Supported models.

FortiOS 6.2.3 Release Notes 6

Fortinet Technologies Inc.
Change Log

Date Change Description

2020-05-06 Updated Changes in CLI defaults, New features or enhancements, Known issues, and
Resolved issues.
Added Downgrading from 6.4.0 to 6.2.3 to Upgrade Information.

2020-07-06 Updated Special notices, Known issues, and Resolved issues.

Removed Downgrading from 6.4.0 to 6.2.3 from Upgrade Information.

2020-09-03 Added FG-4200F and FG-4201F to Special branch supported models.

2020-09-23 Updated Known issues and Resolved issues.

2020-10-14 Added FGR-60F to Special branch supported models.

2020-11-09 Updated Known issues.

2020-12-04 Updated Known issues and Resolved issues.

2021-02-12 Updated Known issues and Resolved issues.

2021-02-24 Updated Known issues and Resolved issues.

2021-05-03 Updated Known issues.

2021-05-18 Updated Known issues.

2021-05-31 Updated Known issues.

2021-10-07 Updated Known issues.

FortiOS 6.2.3 Release Notes 7

Fortinet Technologies Inc.
Introduction and supported models

This guide provides release information for FortiOS 6.2.3 build 1066.
For FortiOS documentation, see the Fortinet Document Library.

Supported models

FortiOS 6.2.3 supports the following models.

FortiGate FG-30E, FG-30E_3G4G_INTL, FG-30E_3G4G_NAM, FG-50E, FG-51E, FG-52E, FG-60E,

FG-60E-POE, FG-61E, FG-80D, FG-80E, FG-80E-POE, FG-81E, FG-81E-POE, FG-90E,
FG-92D, FG-100D, FG-100E, FG-100EF, FG-101E, FG-140D, FG-140D-POE, FG-140E,
FG-140E-POE, FG-200E, FG-201E, FG-300D, FG-300E, FG-301E, FG-400D, FG-400E,
FG-401E, FG-500D, FG-500E, FG-501E, FG-600D, FG-600E, FG-601E, FG-800D,
FG-900D, FG-1000D, FG-1200D, FG-1500D, FG-1500DT, FG-2000E, FG-2500E, FG-
3000D, FG-3100D, FG-3200D, FG-3400E, FG-3401E, FG-3600E, FG-3601E, FG-3700D,
FG-3800D, FG-3810D, FG-3815D, FG-5001D, FG-3960E, FG-3980E, FG-5001E,
FG-5001E1

FortiWiFi FWF-30E, FWF-30E_3G4G_INTL, FWF-30E_3G4G_NAM, FWF-50E, FWF-50E-2R,

FWF-51E, FWF-60E, FWF-61E

FortiGate Rugged FGR-30D, FGR-35D, FGR-90D

FortiGate VM FG-SVM, FG-VM64, FG-VM64-ALI, FG-VM64-ALIONDEMAND, FG-VM64-AZURE, FG-

VM64-AZUREONDEMAND, FG-VM64-GCP, FG-VM64-GCPONDEMAND, FG-VM64-HV,
FG-VM64-KVM, FG-VM64-OPC, FG-VM64-RAXONDEMAND, FG-VMX, FG-VM64-XEN

Pay-as-you-go FOS-VM64, FOS-VM64-KVM, FOS-VM64-XEN

images

Special branch supported models

The following models are released on a special branch of FortiOS 6.2.3. To confirm that you are running the correct
build, run the CLI command get system status and check that the Branch point field shows 1066.

FG-30E-MG is released on build 8255.

FG-60E-DSL is released on build 6164.

FG-60E-DSLJ is released on build 6164.

FG-60F is released on build 6188.

FG-61F is released on build 6188.

FortiOS 6.2.3 Release Notes 8

Fortinet Technologies Inc.
 Introduction and supported models

FG-100F is released on build 6188.

FG-101F is released on build 6188.

FG-1100E is released on build 5401.

FG-1101E is released on build 5401.

FG-2200E is released on build 8329.

FG-2201E is released on build 8329.

FG-3300E is released on build 8329.

FG-3301E is released on build 8329.

FG-4200F is released on build 6612.

FG-4201F is released on build 6612.

FG-VM64-AWS is released on build 8404.

FG-VM64-AWSONDEMAND is released on build 8404.

FGR-60F is released on build 6479.

FWF-60E-DSL is released on build 6164.

FWF-60E-DSLJ is released on build 6164.

Special branch support for FortiAP-W2 231

A special branch for FortiOS 6.2.3 to support the FortiAP-W2 231E has been released. You may download the FortiOS
images on the Fortinet Customer Service & Support site under the following directory:
/FortiGate/v6.00/Feature_Support/6.2.3/
Supplemental Release Notes are available.
The FortiAP-W2 231E is supported in FortiAP-W2 6.2.3.

FortiOS 6.2.3 Release Notes 9

Fortinet Technologies Inc.
Special notices

l New Fortinet cloud services

l FortiGuard Security Rating Service
l Using FortiManager as a FortiGuard server on page 11
l FortiGate hardware limitation
l CAPWAP traffic offloading
l FortiClient (Mac OS X) SSL VPN requirements
l Use of dedicated management interfaces (mgmt1 and mgmt2)
l NP4lite platforms
l Tags option removed from GUI
l System Advanced menu removal (combined with System Settings) on page 12
l L2TP over IPsec on certain mobile devices on page 13
l Unexpected termination of RDP sessions on page 13

New Fortinet cloud services

FortiOS 6.2.0 introduced several new cloud-based services listed below. The new services require updates to FortiCare
and Fortinet's FortiCloud single sign-on (SSO) service.
l Overlay Controller VPN
l FortiGuard Cloud-Assist SD-WAN Interface Bandwidth Monitoring
l FortiManager Cloud
l FortiAnalyzer Cloud

FortiGuard Security Rating Service

Not all FortiGate models can support running the FortiGuard Security Rating Service as a Fabric "root" device. The
following FortiGate platforms can run the FortiGuard Security Rating Service when added to an existing Fortinet Security
Fabric managed by a supported FortiGate model:
l FGR-30D
l FGR-35D
l FGT-30E
l FGT-30E-MI
l FGT-30E-MN
l FGT-50E
l FGT-51E
l FGT-52E
l FWF-30E

FortiOS 6.2.3 Release Notes 10

Fortinet Technologies Inc.
Special notices

l FWF-30E-MI
l FWF-30E-MN
l FWF-50E
l FWF-50E-2R
l FWF-51E

Using FortiManager as a FortiGuard server

If you use FortiManager as a FortiGuard server, and you configure the FortiGate to use a secure connection to
FortiManager, you must use HTTPS with port 8888. HTTPS with port 53 is not supported.

FortiGate hardware limitation

FortiOS 5.4.0 reported an issue with the FG-92D model in the Special Notices > FG-92D High Availability in Interface
Mode section of the release notes. Those issues, which were related to the use of port 1 through 14, include:
l PPPoE failing, HA failing to form.
l IPv6 packets being dropped.
l FortiSwitch devices failing to be discovered.
l Spanning tree loops may result depending on the network topology.
FG-92D does not support STP. These issues have been improved in FortiOS 5.4.1, but with some side effects with the
introduction of a new command, which is enabled by default:
config global
set hw-switch-ether-filter <enable | disable>

When the command is enabled:

l ARP (0x0806), IPv4 (0x0800), and VLAN (0x8100) packets are allowed.
l BPDUs are dropped and therefore no STP loop results.
l PPPoE packets are dropped.
l IPv6 packets are dropped.
l FortiSwitch devices are not discovered.
l HA may fail to form depending the network topology.

When the command is disabled:

l All packet types are allowed, but depending on the network topology, an STP loop may result.

FortiOS 6.2.3 Release Notes 11

Fortinet Technologies Inc.
Special notices

CAPWAP traffic offloading

CAPWAP traffic will not offload if the ingress and egress traffic ports are on different NP6 chips. It will only offload if both
ingress and egress ports belong to the same NP6 chip. The following models are affected:
l FG-900D
l FG-1000D
l FG-2000E
l FG-2500E

FortiClient (Mac OS X) SSL VPN requirements

When using SSL VPN on Mac OS X 10.8, you must enable SSLv3 in FortiOS.

Use of dedicated management interfaces (mgmt1 and mgmt2)

For optimum stability, use management ports (mgmt1 and mgmt2) for management traffic only. Do not use management
ports for general user traffic.

NP4lite platforms

FortiOS 6.2 and later does not support NP4lite platforms.

Tags option removed from GUI

The Tags option is removed from the GUI. This includes the following:
l The System > Tags page is removed.
l The Tags section is removed from all pages that had a Tags section.
l The Tags column is removed from all column selections.

System Advanced menu removal (combined with System Settings)

Bug ID Description

584254 l Removed System > Advanced menu (moved most features to System > Settings page).

FortiOS 6.2.3 Release Notes 12

Fortinet Technologies Inc.
Special notices

Bug ID Description
l Moved configuration script upload feature to top menu > Configuration > Scripts page.
l Removed GUI support for auto-script configuration (the feature is still supported in the CLI).
l Converted all compliance tests to security rating tests.

L2TP over IPsec on certain mobile devices

Bug ID Description

459996 Samsung Galaxy Tab A 8 and Android 9.0 crash after L2TP over IPsec is connected.

Unexpected termination of RDP sessions

Bug ID Description

605950 RDP sessions are terminated (disconnect) unexpectedly.

If a customer is running FortiOS 6.2.3 with FSSO, they will run into a situation that causes sessions
to disappear and traffic to no longer match any session.
This happens when two types of sessions are active, one that is authenticated and another that is
not authentication-based but has the same user information in the session (such as by passing
through a firewall policy), if the authenticated session is changed (such as logging off), it will also
clear the non-authenticated session.

FortiOS 6.2.3 Release Notes 13

Fortinet Technologies Inc.
Changes in default behavior

CLI
l Removed dependency between gui-per-policy-disclaimer in the system setting and per-policy-
disclaimer in the user setting.
l There is a new default any-to-any-all-to-all policy after changing from NGFW mode to policy-based mode.

GUI
l In the Feature Visibility page, the Per-policy Disclaimer option name was changed to Policy Disclaimer.
l Firewall Policy was renamed to SSL Inspection & Authentication after changing from NGFW mode to policy-based
mode.

WiFi Controller

The default extension information setting in wtp-profile has changed from disable to enable.

Previous releases 6.2.3 release

config wireless-controller wtp-profile config wireless-controller wtp-profile
edit <FAP-Profile> edit <FAP-Profile>
set ext-info-enable disable set ext-info-enable enable <== changed
next next
end end

The default platform type in wtp-profile has changed from 220B to 221E.

Previous releases 6.2.3 release

config wireless-controller wtp-profile config wireless-controller wtp-profile
edit <New profile> edit <New profile>
config platform config platform
set type 220B set type 221E <== changed
end end
next next
end end

FortiOS 6.2.3 Release Notes 14

Fortinet Technologies Inc.
Changes in CLI defaults

Routing
l auxiliary-session {enable | disable} option added at the VDOM level. Use auxiliary-session
enable to allow reply traffic to follow the best route instead of selecting the ingress interface in the original direction.

System
l Consolidate FortiTelemetry and capwap into fabric to allow Security Fabric access in system interface.

Previous releases 6.2.3 release

config system interface config system interface
edit <Port number> edit <Port number>
set allowaccess capwap <== Removed set allowaccess fabric <== New
set fortiheartbeat <== Removed next
next end
end

l Add execute factoryreset-shutdown to combine the functionality of the factory-reset and shutdown
commands.
l Add more functions for SMC NTP and the ability to get information from SMC NTP:
config system smc-ntp <== New
set ntpsync disable <== New
set syncinterval 60 <== New
set channel 5 <== New
end

Web Filter
l Enable file-filter password protected blocked for 7Z, RAR, PDF, MSOffice, and MSOfficeX.

Previous releases 6.2.3 release

config webfilter profile config webfilter profile
edit "encrypted-web" edit "encrypted-web"
set comment '' set comment ''
set replacemsg-group '' set replacemsg-group ''
unset options unset options
config file-filter config file-filter
set status enable set status enable
set log enable set log enable
set scan-archive-contents enable set scan-archive-contents enable
config entries config entries
edit "1" edit "1"

FortiOS 6.2.3 Release Notes 15

Fortinet Technologies Inc.
Changes in CLI defaults

Previous releases 6.2.3 release

set comment '' set comment ''
set protocol http ftp set protocol http ftp
set action log set action log
set direction any set direction any
set password-protected set password-protected
yes yes
set file-type "zip" <== set file-type "zip" "7z"
only zip can be selected "msoffice" "msofficex" "pdf" "rar" <==-
next changed
end next
end end
next end
end next
end

WiFi Controller
l FAP-U431F and FAP-U433F can support 802.11ax on 2.4 GHz radio-2 when the platform mode is single-5G.

Previous releases 6.2.3 release

config wireless-controller wtp-profile config wireless-controller wtp-profile
edit "FAPU431F-default" edit "FAPU431F-default"
config platform config platform
set type U431F set type U431F
set mode single-5G set mode single-5G
end end
config radio-1 config radio-1
set band 802.11ax-5G set band 802.11ax-5G
end end
config radio-2 config radio-2
set band ? set band ?
802.11b 802.11b. 802.11b 802.11b.
802.11g 802.11g/b. 802.11g 802.11g/b.
802.11n 802.11n/g/b at 802.11n 802.11n/g/b at
2.4GHz. 2.4GHz.
802.11n,g-only 802.11n/g at 802.11ax 802.11ax/n/g/b at
2.4GHz. 2.4GHz. <==added
802.11g-only 802.11g. 802.11n,g-only 802.11n/g at
802.11n-only 802.11n at 2.4GHz.
2.4GHz. 802.11g-only 802.11g.
end 802.11n-only 802.11n at
config radio-3 2.4GHz.
set mode monitor 802.11ax,n-only 802.11ax/n
end at 2.4GHz. <==added
next 802.11ax,n,g-only
end 802.11ax/n/g at 2.4GHz. <==added

FortiOS 6.2.3 Release Notes 16

Fortinet Technologies Inc.
Changes in CLI defaults

Previous releases 6.2.3 release

802.11ax-only 802.11ax at
2.4GHz.<==added
end
config radio-3
set mode monitor
end
next
end

Resolved Issues

Bug ID Description

497161 Add function for SMC NTP on supported platforms.

config system smc-ntp
set ntpsync enable
set syncinterval 120
config ntpserver
edit 1
set server 208.91.114.98
next
end
end

574882 FAP-U431F and FAP-U433F can support 802.11ax on 2.4 GHz radio-2 when the platform mode
is single-5G.
config wireless-controller wtp-profile
edit "FAPU431F-default"
config platform
set type U431F
set mode single-5G
end
config radio-1
set band 802.11ax-5G
end
config radio-2
set band 802.11ax
end
config radio-3
set mode monitor
end
next
end

579703 Add hidden never option to session-ttl under firewall policy, firewall service, and
system session-ttl.

FortiOS 6.2.3 Release Notes 17

Fortinet Technologies Inc.
Changes in CLI defaults

Bug ID Description
config firewall policy
edit 201
set uuid ec5fd00e-eadb-51e9-457d-db7097aab5a5
set srcintf "wan1"
set dstintf "wan2"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "TCP_8080"
set logtraffic disable
set session-ttl never
set nat enable
next
end

582979 Add DPDK related CLI commands.

config dpdk global
set status [enable | disable]
set multiqueue [enable | disable]
set sleep-on-idle [enable | disable]
set elasticbuffer [enable | disable]
set hugepage-percentage [Percentage of main memory allocated to huge
pages]
set mbufpool-percentage [Percentage of main memory allocated to DPDK
packet buffer]
end

config dpdk cpus

set rx-cpus [CPUs enabled to run DPDK RX engines]
set vnp-cpus [CPUs enabled to run DPDK VNP engines]
set ips-cpus [CPUs enabled to run DPDK IPS engines]
set tx-cpus [CPUs enabled to run DPDK TX engines]
end

586935 Add new execute factoryreset-shutdown command.

588180 Consolidate fortitelemetry and capwap into fabric for allowaccess in

system.interface.
config system interface
edit port4
set allowaccess ?
ping PING access.
https HTTPS access.
ssh SSH access.
snmp SNMP access.
http HTTP access.

FortiOS 6.2.3 Release Notes 18

Fortinet Technologies Inc.
Changes in CLI defaults

Bug ID Description
telnet TELNET access.
fgfm FortiManager access.
radius-acct RADIUS accounting access.
probe-response Probe access.
fabric Security Fabric access.
ftm FTM access.
next
end

FortiOS 6.2.3 Release Notes 19

Fortinet Technologies Inc.
Changes in default values

Bug ID Description

548906 Change default extension information setting in wtp-profile from disable to enable.
config wireless-controller wtp-profile
edit <FAP-Profile>
set ext-info-enable enable <== changed
next
end

585889 Change default platform type setting in wtp-profile from 220B to 221E.
config wireless-controller wtp-profile
edit <New profile>
config platform
set type 221E <== changed
end
next
end

FortiOS 6.2.3 Release Notes 20

Fortinet Technologies Inc.
Changes in table size

Bug ID Description

599271 Except for desktop models, all other platforms' table size of VIP real servers are increased as
follows:
l 1U platforms increased from 8 to 16

l 2U platforms increased from 32 to 64

l High-end platforms increased from 32 to 256

FortiOS 6.2.3 Release Notes 21

Fortinet Technologies Inc.
New features or enhancements

Bug ID Description

529445 In wids-profile, add the new ap-scan-threshold setting, which is the minimum signal level
of rogue APs detected and required by the managed FortiAP devices. Only the rogue APs with a
signal level higher than the threshold will be reported to the FortiGate WiFi Controller.
config wireless-controller wids-profile
edit <WIDS-profile-name>
set ap-scan enable
set ap-scan-threshold "-80"
next
end

The range of ap-scan-threshold, in dBm, is -95 to -20 (default = -90).

553372 Under Administrative Access, CAPWAP and FortiTelemetry have been combined into one option
labeled Fabric Connection. If either CAPWAP or FortiTelemetry were enabled on a particular
interface, the new fabric option will be enabled after upgrading.

557614 FortiGate support for NSX-T v2.4: East/West traffic.

562394 Add support for EMS cloud:

l Added CMDB attribute fortinet-one-cloud-authentication to FortiClient EMS table.

l Added curl verbose diagnosis debugs to FortiClient NAC daemon for debug images.

l Added fortiems-cloud option to type attribute in user.fsso table.

571639 Add support for tracking number of hits to a policy route:

l Policy route hit counter and last used tag added to each policy displayed in diagnose

firewall proute list command.

l New CLI command diagnose firewall proute show, displays policy route hit counter

and last used for a given proute id, (if 0, dumps all).
l New CLI command diagnose firewall proute clear, clears policy route hit counter

and last used for a given proute id, (if 0, clears all).

573568 Change public IP and routing table entries allocated in different resource groups in Azure HA.
In an Azure HA scenario, the EIP and route table to fail over is specified in the SDN connector
configuration. A new attribute, resource-group, is added to allow customers to specify the
resource group that a EIP or route table is from. This new attribute can be empty so upgrade code is
not needed.
If the resource-group of the EIP or route table is not provided, it is assumed the resource comes
from the same resource group as the SDN connector setting (if it is not set there, assume the same
resource group as the FortiGate itself by getting it from the instance metadata).

579484 Limit OCVPN spoke to only join existing overlay.

580889 DPDK support on FortiOS VM platform.

FortiOS 6.2.3 Release Notes 22

Fortinet Technologies Inc.
New features or enhancements

Bug ID Description

591567 Add support for additional SHA-2 algorithms with SNMPv3.

593148 Update interface-related pages to use AngularJS and muTable.

Interfaces list:
l Radio buttons in the top-right corner let users switch between grouping by type, role, and sort

lists alphabetically have been removed. There is a dropdown instead with the following options:
l Group by type
l Group by zone
l Group by status,
l Group by role
lNo grouping
l Zones do not support parent-child relationships anymore.
l The DHCP Server column has been divided into two separate columns, DHCP Clients and

DHCP Ranges.
l CSF support has been added. When switching to a downstream device, both the list and the

faceplate should update.

l For VDOMs, administrators can only view complete information about interfaces for the VDOM

they are in. This applies even to administrators who have access to more than one VDOM.
l On devices that support VLAN switching, the VLAN Switch Mode toggle has been removed

from the list page. It now shows up under System> Settings.

l Faceplates do not auto-refresh on page load anymore. For auto-refresh, users need to enable

the muTable refresh feature from the button in the bottom-right corner.
Interfaces dialog:
l Under Administrative Access, CAPWAP and FortiTelemetry have been combined into one

option labeled Fabric Connection.

l The secondary IP address toggle has been moved from the Miscellaneous section to the

Address section.
l A gutter has been added that displays the device hostname, the interface it belongs to, and

relevant help links.

CLI changes:
l Consolidate fortitelemetry and capwap into fabric for allowaccess in

system.interface.

597685 Starting from 6.2.3 and 6.4.0, a single annually contracted SKU that contains both a VM base and
one of the FortiCare service bundles. It is BYOL (bring your own license) and supports VMware
ESXi, KVM, Hyper-V, Xen, AWS, Azure, AzureStack, GCP, OCI, Alibaba Cloud, Rackspace,
VMware NSX-T, and Nutanix.

FortiOS 6.2.3 Release Notes 23

Fortinet Technologies Inc.
Upgrade Information

Supported upgrade path information is available on the Fortinet Customer Service & Support site.

To view supported upgrade path information:

1. Go to https://support.fortinet.com.
2. From the Download menu, select Firmware Images.
3. Check that Select Product is FortiGate.
4. Click the Upgrade Path tab and select the following:
l Current Product

l Current FortiOS Version

l Upgrade To FortiOS Version

5. Click Go.

Device detection changes

In FortiOS 6.0.x, the device detection feature contains multiple sub-components, which are independent:
l Visibility – Detected information is available for topology visibility and logging.
l FortiClient endpoint compliance – Information learned from FortiClient can be used to enforce compliance of those
endpoints.
l Device-based policies – Device type/category and detected devices/device groups can be defined as custom
devices, and then used in device-based policies.
In 6.2, these functionalities have changed:
l Visibility – Configuration of the feature remains the same as FortiOS 6.0, including FortiClient information.
l FortiClient endpoint compliance – A new fabric connector replaces this, and aligns it with all other endpoint
connectors for dynamic policies. For more information, see Dynamic Policy - FortiClient EMS (Connector) in the
FortiOS 6.2.0 New Features Guide.
l Mac-address-based policies – A new address type is introduced (Mac Address Range), which can be used in
regular policies. The previous device policy feature can be achieved by manually defining MAC addresses, and then
adding them to regular policy table in 6.2. For more information, see MAC Addressed-Based Policies in the FortiOS
6.2.0 New Features Guide.
If you were using device policies in 6.0.x, you will need to migrate these policies to the regular policy table manually after
upgrade. After upgrading to 6.2.0:
1. Create MAC-based firewall addresses for each device.
2. Apply the addresses to regular IPv4 policy table.

FortiOS 6.2.3 Release Notes 24

Fortinet Technologies Inc.
Upgrade Information

FortiClient Endpoint Telemetry license

Starting with FortiOS 6.2.0, the FortiClient Endpoint Telemetry license is deprecated. The FortiClient Compliance profile
under the Security Profiles menu has been removed as has the Enforce FortiClient Compliance Check option under
each interface configuration page. Endpoints running FortiClient 6.2.0 now register only with FortiClient EMS 6.2.0 and
compliance is accomplished through the use of Compliance Verification Rules configured on FortiClient EMS 6.2.0 and
enforced through the use of firewall policies. As a result, there are two upgrade scenarios:
l Customers using only a FortiGate device in FortiOS 6.0 to enforce compliance must install FortiClient EMS 6.2.0
and purchase a FortiClient Security Fabric Agent License for their FortiClient EMS installation.
l Customers using both a FortiGate device in FortiOS 6.0 and FortiClient EMS running 6.0 for compliance
enforcement, must upgrade the FortiGate device to FortiOS 6.2.0, FortiClient to 6.2.0, and FortiClient EMS to 6.2.0.
The FortiClient 6.2.0 for MS Windows standard installer and zip package containing FortiClient.msi and language
transforms and the FortiClient 6.2.0 for macOS standard installer are included with FortiClient EMS 6.2.0.

Fortinet Security Fabric upgrade

FortiOS 6.2.3 greatly increases the interoperability between other Fortinet products. This includes:
l FortiAnalyzer 6.2.3
l FortiClient EMS 6.2.0
l FortiClient 6.2.2
l FortiAP 5.4.4 and later
l FortiSwitch 3.6.9 and later
Upgrade the firmware of each product in the correct order. This maintains network connectivity without the need to use
manual steps.

If the Security Fabric is enabled, then all FortiGate devices must be upgraded to 6.2.3. When
the Security Fabric is enabled in FortiOS 6.2.3, all FortiGate devices must be running FortiOS
6.2.3.

Minimum version of TLS services automatically changed

For improved security, FortiOS 6.2.3 uses the ssl-min-proto-version option (under config system global) to
control the minimum SSL protocol version used in communication between FortiGate and third-party SSL and TLS
services.
When you upgrade to FortiOS 6.2.3 and later, the default ssl-min-proto-version option is TLS v1.2. The following
SSL and TLS services inherit global settings to use TLS v1.2 as the default. You can override these settings.
l Email server (config system email-server)
l Certificate (config vpn certificate setting)
l FortiSandbox (config system fortisandbox)
l FortiGuard (config log fortiguard setting)

FortiOS 6.2.3 Release Notes 25

Fortinet Technologies Inc.
Upgrade Information

l FortiAnalyzer (config log fortianalyzer setting)

l LDAP server (config user ldap)
l POP3 server (config user pop3)

Downgrading to previous firmware versions

Downgrading to previous firmware versions results in configuration loss on all models. Only the following settings are
retained:
l operation mode
l interface IP/management IP
l static route table
l DNS settings
l admin user account
l session helpers
l system access profiles

Amazon AWS enhanced networking compatibility issue

With this enhancement, there is a compatibility issue with 5.6.2 and older AWS VM versions. After downgrading a 6.2.3
image to a 5.6.2 or older version, network connectivity is lost. Since AWS does not provide console access, you cannot
recover the downgraded image.
When downgrading from 6.2.3 to 5.6.2 or older versions, running the enhanced NIC driver is not allowed. The following
AWS instances are affected:

C5 Inf1 P3 T3a
C5d m4.16xlarge R4 u-6tb1.metal
C5n M5 R5 u-9tb1.metal
F1 M5a R5a u-12tb1.metal
G3 M5ad R5ad u-18tb1.metal
G4 M5d R5d u-24tb1.metal
H1 M5dn R5dn X1
I3 M5n R5n X1e
I3en P2 T3 z1d

A workaround is to stop the instance, change the type to a non-ENA driver NIC type, and continue with downgrading.

FortiOS 6.2.3 Release Notes 26

Fortinet Technologies Inc.
 Upgrade Information

FortiLink access-profile setting

The new FortiLink local-access profile controls access to the physical interface of a FortiSwitch that is managed by
FortiGate.
After upgrading FortiGate to 6.2.3, the interface allowaccess configuration on all managed FortiSwitches are
overwritten by the default FortiGate local-access profile. You must manually add your protocols to the local-
access profile after upgrading to 6.2.3.

To configure local-access profile:

config switch-controller security-policy local-access

edit [Policy Name]
set mgmt-allowaccess https ping ssh
set internal-allowaccess https ping ssh
next
end

To apply local-access profile to managed FortiSwitch:

config switch-controller managed-switch

edit [FortiSwitch Serial Number]
set switch-profile [Policy Name]
set access-profile [Policy Name]
next
end

FortiGate VM with V-license

This version allows FortiGate VM with V-License to enable split-vdom.

To enable split-vdom:

config system global

set vdom-mode [no-vdom | split vdom]
end

FortiGate VM firmware

Fortinet provides FortiGate VM firmware images for the following virtual environments:

Citrix XenServer and Open Source XenServer

l .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
l .out.OpenXen.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains the
QCOW2 file for Open Source XenServer.

FortiOS 6.2.3 Release Notes 27

Fortinet Technologies Inc.
Upgrade Information

l .out.CitrixXen.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains
the Citrix XenServer Virtual Appliance (XVA), Virtual Hard Disk (VHD), and OVF files.

Linux KVM

l .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
l .out.kvm.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains QCOW2
that can be used by qemu.

Microsoft Hyper-V

l .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
l .out.hyperv.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains
three folders that can be imported by Hyper-V Manager on Hyper-V 2012. It also contains the file fortios.vhd in
the Virtual Hard Disks folder that can be manually added to the Hyper-V Manager.

VMware ESX and ESXi

l .out: Download either the 64-bit firmware image to upgrade your existing FortiGate VM installation.
l .ovf.zip: Download either the 64-bit package for a new FortiGate VM installation. This package contains Open
Virtualization Format (OVF) files for VMware and two Virtual Machine Disk Format (VMDK) files used by the OVF
file during deployment.

Firmware image checksums

The MD5 checksums for all Fortinet software and firmware releases are available at the Customer Service & Support
portal, https://support.fortinet.com. After logging in select Download > Firmware Image Checksums, enter the image file
name including the extension, and select Get Checksum Code.

FortiGuard update-server-location setting

The FortiGuard update-server-location default setting is different between hardware platforms and VMs. On
hardware platforms, the default is any. On VMs, the default is usa.
On VMs, after upgrading from 5.6.3 or earlier to 5.6.4 or later (including 6.0.0 or later), update-server-location is
set to usa.
If necessary, set update-server-location to use the nearest or low-latency FDS servers.

To set FortiGuard update-server-location:

config system fortiguard

set update-server-location [usa|any]
end

FortiOS 6.2.3 Release Notes 28

Fortinet Technologies Inc.
Upgrade Information

FortiView widgets

FortiView widgets have been rewritten in 6.2.3. FortiView widgets created in previous versions are deleted in the
upgrade.

FortiOS 6.2.3 Release Notes 29

Fortinet Technologies Inc.
Product integration and support

The following table lists FortiOS 6.2.3 product integration and support information:

Web Browsers l Microsoft Edge 44

l Mozilla Firefox version 71
l Google Chrome version 78

Other web browsers may function correctly, but are not supported by Fortinet.

Explicit Web Proxy Browser l Microsoft Edge 42

l Mozilla Firefox version 71
l Google Chrome version 78

l Microsoft Internet Explorer version 11

Other web browsers may function correctly, but are not supported by Fortinet.

FortiManager See important compatibility information in Fortinet Security Fabric upgrade on

page 25. For the latest information, see FortiManager compatibility with FortiOS in
the Fortinet Document Library.
Upgrade FortiManager before upgrading FortiGate.

FortiAnalyzer See important compatibility information in Fortinet Security Fabric upgrade on

page 25. For the latest information, see FortiAnalyzer compatibility with FortiOS in
the Fortinet Document Library.
Upgrade FortiAnalyzer before upgrading FortiGate.

FortiClient: l 6.2.0

l Microsoft Windows See important compatibility information in FortiClient Endpoint Telemetry license
l Mac OS X on page 25 and Fortinet Security Fabric upgrade on page 25.
l Linux

FortiClient for Linux is supported on Ubuntu 16.04 and later, Red Hat 7.4 and
later, and CentOS 7.4 and later.

If you are using FortiClient only for IPsec VPN or SSL VPN, FortiClient version
5.6.0 and later are supported.

FortiClient iOS l 6.2.0 and later

FortiClient Android and l 6.2.0 and later

FortiClient VPN Android

FortiAP l 5.4.2 and later

l 5.6.0 and later

FortiAP-S l 5.4.3 and later

l 5.6.0 and later

FortiAP-U l 5.4.5 and later

FortiOS 6.2.3 Release Notes 30

Fortinet Technologies Inc.
Product integration and support

FortiAP-W2 l 5.6.0 and later

FortiSwitch OS l 3.6.9 and later

(FortiLink support)

FortiController l 5.2.5 and later

Supported models: FCTL-5103B, FCTL-5903C, FCTL-5913C

FortiSandbox l 2.3.3 and later

Fortinet Single Sign-On l 5.0 build 0287 and later (needed for FSSO agent support OU in group filters)
(FSSO) l Windows Server 2019 Standard
l Windows Server 2019 Datacenter
l Windows Server 2019 Core
l Windows Server 2016 Datacenter
l Windows Server 2016 Standard
l Windows Server 2016 Core
l Windows Server 2012 Standard
l Windows Server 2012 R2 Standard
l Windows Server 2012 Core
l Windows Server 2008 (32-bit and 64-bit)
l Windows Server 2008 R2 64-bit
l Windows Server 2008 Core
l Novell eDirectory 8.8

FortiExtender l 4.1.2

AV Engine l 6.00132

IPS Engine l 5.00043

Virtualization Environments

Citrix l XenServer version 7.1

Linux KVM l Ubuntu 18.04.3 LTS

l QEMU emulator version 2.11.1 (Debian 1:2.11+dfsg-1ubuntu7.21)
l libvirtd (libvirt) 4.0.0

Microsoft l Hyper-V Server 2012 R2, and 2016

Open Source l XenServer version 3.4.3

l XenServer version 4.1 and later

VMware l ESX versions 4.0 and 4.1

l ESXi versions 4.0, 4.1, 5.0, 5.1, 5.5, 6.0, 6.5, and 6.7

VM Series - SR-IOV The following NIC chipset cards are supported:

l Intel 82599

l Intel X540

l Intel X710/XL710

FortiOS 6.2.3 Release Notes 31

Fortinet Technologies Inc.
 Product integration and support

Language support

The following table lists language support information.

Language support

Language GUI

English ✔

Chinese (Simplified) ✔

Chinese (Traditional) ✔

French ✔

Japanese ✔

Korean ✔

Portuguese (Brazil) ✔

Spanish ✔

SSL VPN support

SSL VPN standalone client

The following table lists SSL VPN tunnel client standalone installer for the following operating systems.

Operating system and installers

Operating System Installer

Linux CentOS 6.5 / 7 (32-bit & 64-bit) 2336. Download from the Fortinet Developer Network:
Linux Ubuntu 16.04 / 18.04 (32-bit & 64-bit) https://fndn.fortinet.net.

Other operating systems may function correctly, but are not supported by Fortinet.

SSL VPN standalone client no longer supports the following operating systems:
l Microsoft Windows 7 (32-bit & 64-bit)

l Microsoft Windows 8 / 8.1 (32-bit & 64-bit)

l Microsoft Windows 10 (64-bit)

l Virtual Desktop for Microsoft Windows 7 SP1 (32-bit)

FortiOS 6.2.3 Release Notes 32

Fortinet Technologies Inc.
 Product integration and support

SSL VPN web mode

The following table lists the operating systems and web browsers supported by SSL VPN web mode.

Supported operating systems and web browsers

Operating System Web Browser

Microsoft Windows 7 SP1 (32-bit & 64-bit) Mozilla Firefox version 61

Google Chrome version 68

Microsoft Windows 10 (64-bit) Microsoft Edge

Mozilla Firefox version 61
Google Chrome version 68

Linux CentOS 6.5 / 7 (32-bit & 64-bit) Mozilla Firefox version 54

OS X El Capitan 10.11.1 Apple Safari version 11

Mozilla Firefox version 61
Google Chrome version 68

iOS Apple Safari

Mozilla Firefox
Google Chrome

Android Mozilla Firefox

Google Chrome

Other operating systems and web browsers may function correctly, but are not supported by Fortinet.

SSL VPN host compatibility list

The following table lists the antivirus and firewall client software packages that are supported.

Supported Microsoft Windows XP antivirus and firewall software

Product Antivirus Firewall

Symantec Endpoint Protection 11 ✔ ✔

Kaspersky Antivirus 2009 ✔

McAfee Security Center 8.1 ✔ ✔

Trend Micro Internet Security Pro ✔ ✔

F-Secure Internet Security 2009 ✔ ✔

FortiOS 6.2.3 Release Notes 33

Fortinet Technologies Inc.
Product integration and support

Supported Microsoft Windows 7 32-bit antivirus and firewall software

Product Antivirus Firewall

CA Internet Security Suite Plus Software ✔ ✔

AVG Internet Security 2011

F-Secure Internet Security 2011 ✔ ✔

Kaspersky Internet Security 2011 ✔ ✔

McAfee Internet Security 2011 ✔ ✔

Norton 360™ Version 4.0 ✔ ✔

Norton™ Internet Security 2011 ✔ ✔

Panda Internet Security 2011 ✔ ✔

Sophos Security Suite ✔ ✔

Trend Micro Titanium Internet Security ✔ ✔

ZoneAlarm Security Suite ✔ ✔

Symantec Endpoint Protection Small ✔ ✔

Business Edition 12.0

FortiOS 6.2.3 Release Notes 34

Fortinet Technologies Inc.
Resolved issues

The following issues have been fixed in version 6.2.3. For inquires about a particular bug, please contact Customer
Service & Support.

Anti Virus

Bug ID Description

590092 Cannot clear scanunit vdom-stats to reset the statistics on ATP widget.

Data Leak Prevention

Bug ID Description

586689 Downloading a file with FTP client in EPSV mode will hang.

591676 Enable file filter password protected blocked for 7Z, RAR, PDF, MSOffice, and MSOfficeX.

DNS Filter

Bug ID Description

561297 DNS filtering does not perform well on the zone transfer when a large DNS zone's AXFR response
consists of one or more messages.

563441 7K DNS filter breaking DNS zone transfer.

574980 DNS translation is not working when request is checked against the local FortiGate.

583449 DNS filter explicit block all (wildcard FQDN) not working in 6.2 firmware.

586178 In domain threat feed, some URLs cannot be fetched due to SSL error.

586526 Unable to change DNS filter profile category action after upgrading from 6.0.5 to 6.2.0.

586834 With option error-allow DNS attempts fail when FortiGuard servers are unavailable.

FortiOS 6.2.3 Release Notes 35

Fortinet Technologies Inc.
 Resolved issues

Explicit Proxy

Bug ID Description

504011 FortiGate does not generate traffic logs for SOCKS proxy.

588211 WAD cannot learn policy if multiple policies use the same FQDN address.

589065 FSSO-based NTLM sessions from explicit proxy do not respect timeout duration and type.

589811 urfilter process does not started when adding a category as dstaddr in a proxy policy with the
deny action.

590942 AV does not forward reply when GET for FTP over HTTP is used.

Firewall

Bug ID Description

508015 Editing a policy in the GUI changes the FSSO setting to disable.

558996 FortiGate sends type-3 code-1 IP unreachable for VIP.

583173 Policy push from FortiManager failed due to abandoned ISDB entry.

584451 NGFW default block page partially loads.

585073 Adding too many address objects to a local-in policy causes all blocking to fail.

585122 Should not be allowed to rename VIP or address with the same name as an existing VIP group or
address group object.

590039 Samsung OEM internet browser cannot connect to FortiGate VS/VIP.

597110 When creating a firewall address with the associated-interface setting, CMD gets stuck if
there is a large nested address group.

FortiView

Bug ID Description

582341 On Policies page, consolidated policies are without names and tooltips; tooltips not working for
security policies.

FortiOS 6.2.3 Release Notes 36

Fortinet Technologies Inc.
Resolved issues

GUI

Bug ID Description

282160 GUI does not show byte information for aggregate and VLAN interface.

303651 Should hide Override internal DNS option if vdom-dns is set to disable.

438298 When VDOM is enabled, the interface faceplate should only show data for interfaces managed by
the admin.

451306 Add a tooltip for IPS Rate Based Signatures.

460698 There is no uptime information in the HA Status widget for the secondary unit's GUI.

467495 A message stating that all source interfaces have no members is erroneously displayed for the
explicit proxy policy list when a user enables a policy immediately after pasting or inserting it into the
list.

478472 Options 150, 15, and 51 for the DHCP server should not be shown after removing them and having
no related configuration in the backend.

480731 Interface filter gets incorrect result (EMAC VLAN, VLAN ID, etc.) when entries are collapsed.

482437 SD-WAN member number is not correct in Interfaces page.

493527 Compliance events GUI page does not load when redirected from the advanced compliance page.

498892 GUI shows wrong relationship between VLAN and physical interface after adding them to a zone.

499658 Editing system interface in the GUI causes explicit-web-proxy to become disabled.

502962 Get "Fail to retrieve info" for default VDOM link on Network > Interfaces page.

505066 Not possible to select value for DN field in LDAP GUI browser.

510685 Hardware Switch row is shown indicating a number of interfaces but without any interfaces below.

514027 Cannot disable CORS setting on GUI.

519102 GUI navigation menu notification should match with issue in the dialog box.

525535 OK button greyed out when editing an interface that has DHCP option 224 in the list with FortiClient-
On-Net Status enabled.

531376 Get "Internal Server Error" when editing an aggregate link that has a name with a space in it.

534853 Suggest GUI Interfaces list includes SIT tunnels.

536718 Cannot change MAC address setting when configuring a reserved DHCP client.

536843 LACP aggregate interface flaps when adding/removing a member interface (first position in member
list).

537307 "Failed to retrieve info" message appears for ha-mgmt-interface in Network > Interfaces.

538125 Hovering mouse over FortiExtender virtual interface shows incorrect information.

540098 GUI does not display the status for VLAN and loopback in the Network > Interfaces > Status
column.

FortiOS 6.2.3 Release Notes 37

Fortinet Technologies Inc.
Resolved issues

Bug ID Description

542544 In Log & Report, filtering for blank values (None) always shows no results.

544442 Virtual IPs page should not show port range dialog box when the protocol is ICMP.

547409 Admin with netgrp privilege unable to get interface page and got pyfcgid crash (signal 11
(Segmentation fault)).

552811 Scripts pushed from FortiCloud do not show up in System > Advanced Settings when FortiCloud
remote access is used.

553290 The tooltip for VLAN interfaces displays as "Failed to retrieve info".

555687 Network mask of a VPN interface is changed to 255.255.255.255 without an actual configuration
change.

559866 When sending CSF proxied request, segfault happens (httpsd crashes) if FortiExplorer accesses
root FortiGate via the management tunnel.

560206 Change/remove FortiCloud standalone reference.

563053 Warning messages for third-party transceivers were removed in 6.2.1 to prevent excessive RMA or
support tickets. In 6.2.2, warnings were re-added for third-party transceivers.

565748 New interface pair consolidated policy added via CLI is not displayed on GUI policy page.

566414 Application Name field shows vuln_id for custom signature, not its application name in logs.

567369 Cannot save DHCP Relay configuration when the Relay IP address list is separated by a comma.

571909 SSL VPN Settings page shows undefined error.

573456 FortiGate without disk email alert settings page should remove Disk usage exceeds option.

573862 Signature name should be shown when VDOM admin has WAF read/write permission only.

574101 Empty firmware version in managed FortiSwitch from FortiGate GUI.

580168 Connected routes in the routing monitor are showing up with 1969/12/31 18:59:59 for Up Since
times.

582658 Email filter page keeps loading and cannot create a new profile when the VDOM admin only has
emailfilter permission.

582716 Filtering service availability check always fails once anycast is enabled and override server is set.

583049 Internal server error while trying to create a new interface.

584419 Issue with application and filter overrides.

584426 Add Selected button does not show up under FSSO Fabric Connector with custom admin profile.

584560 GUI does not have the option to disable the interface when creating a VLAN interface.

584949 When the link status is up, the aggregate interface status icon is incorrectly displayed in red.

586604 No matching IPS signatures are found when Severity or Target filter is applied.

586749 Enable/disable Disarm and Reconstruction in the GUI only affects the SMTP protocol in AV profiles.

FortiOS 6.2.3 Release Notes 38

Fortinet Technologies Inc.
Resolved issues

Bug ID Description

587091 When logged in as administrator with web filter read/write only privilege, the Web Rating Overrides
GUI page cannot load.

587673 The Interface Pair View option is always unavailable for the Proxy Policy list.

587686 Wrong warning message, All source interface(s) has no members, appears in Proxy Policy page.

588028 If the Endpoint Control feature is disabled, the exempt options for captive portal are not shown in the
GUI.

588222 WAN Opt. Monitor displays Total Savings as negative integers during file transfers.

588665 Option to reset statistics from Monitor > WAN Opt. Monitor in GUI does not clear the counters.

589085 Web filter profile warning message when logged in with read/write admin on VDOM environment.

592244 VIPs dialog page should be able to create VIP with the same extip/extport but different source IP
address.

593433 DHCP offset option 2 has to be removed before changing the address range for the DHCP server in
the GUI.

594162 Interface hierarchy is not respected in the GUI when a LAG interface belongs to SD-WAN and its
VLANs belong to a zone.

594565 Wrong Sub-Category appears in the Edit Web Rating Override page.

HA

Bug ID Description

479780 Secondary unit fails to send and receive HA heartbeat when configuring cfg-revert setting on
FG-2500E.

540632 In HA, management-ip that is set on a hardware switch interface does not respond to ping after
executing reboot.

575020 HA failing config sync on VM01 with error (secondary and primary unit have different hdisk
status) when primary unit is pre-configured.

581906 HA secondary unit sending out GARP packets in 16-20 seconds after HA monitored interface failed.

585348 default-gateway injected by dynamic-gateway on PPP interface deleted by other interface

down.

585675 exe backup disk alllogs ftp command causes FortiGate to enter conserve mode.

586004 Moving VDOM via GUI between virtual clusters causes cluster to go out of sync and VDOM state
work/standby does not change.

586835 HA secondary unit unable to get checksum from primary unit. HA sync in Z state.

590931 Multiple PPPoE connections on a single interface does not sync PPPoE dynamic assigned IP and
cannot start re-negotiation.

FortiOS 6.2.3 Release Notes 39

Fortinet Technologies Inc.
Resolved issues

Intrusion Prevention

Bug ID Description

540718 Signal 14 alarm crashes were observed on DFA rebuild.

579018 IPS engine 5.030 signal 14 alarm clock crash at nturbo_on_event.

586608 The CPU consumption of ipsengine gets high with customer configuration file.

IPsec VPN

Bug ID Description

577502 OCVPN cannot register—status "Undefined".

582251 IKEv2 with EAP peer ID authentication validation does not work.

582876 ADVPN connections from the hub disconnects one-by-one and IKE gets stuck.

584982 The customer is unable to log in to VPN with RADIUS intermittently.

Log & Report

Bug ID Description

578057 Action field in traffic log cannot record security policy action—it shows the consolidated policy
action.

580887 No traffic log after reducing miglogd child to 1.

586038 FortiOS 6.0.6 reports too long VPN tunnel durations in local report.

586854 FortiGate sends change notice for global REST APIs once a minute.

590598 Log viewer application control cannot show any logs (page is stuck loading).

590852 Log filter can return empty result when there are too many logs, but the filter result is small.

591152 IPS logs set srcintf(role)/dstinf(role) reversely at the time of IPS signature reverse
pattern.

591523 When refreshing logs in GUI, some log_se processes are running extremely long and consuming
CPU.

593907 Miglogd still uses the daylight savings time after the daylight savings end.

596278 sentdelta and rcvddelta showing 0 if syslog format is set to CSV.

FortiOS 6.2.3 Release Notes 40

Fortinet Technologies Inc.
Resolved issues

Bug ID Description

596398 sentdelta and rcvddelta log fields appears as 0 in syslog CEF format.

599860 When logtraffic is set to all, existing sessions cannot change the egress interfaces when the
routing table is updated with a new outgoing interface.

Proxy

Bug ID Description

525328 External resource does not support no content length.

549660 WAD crash with signal 11.

573028 WAD crash causing traffic interruption.

579400 High CPU with authd process caused by WAD paring multiple line content-encoding error and IPC
broken between wad and authd.

580592 Policy in proxy-based mode with AV and WAF profile denies access to Nginx with enabled gzip
compression.

584719 WAD reads ftp over-limit multi-line response incorrectly.

587214 WAD crash for wad_ssl_port_on_ocsp_notify.

587987 In case of TLS 1.3 with certificate inspection and a certificate with an empty CN name, WAD
workers would locate a random size for CN name and then cause unexpected high memory usage
in WAD workers.

592153 Potential memory leak that will be triggered by certificate inspection CIC connection in WAD.

593365 WAD crash due to user learned from proxy not purged from the kernel when user is deleted from
proxy or zone with empty interface member.

594237 Slow download speed in proxy-based mode compared to flow-based mode.

594725 WAD memory leak detected on cert_hash in wad_ssl_cert.

596012 Receive SSL fatal alert with source IP 0.0.0.0.

REST API

Bug ID Description

587470 REST API to support revision flag.

FortiOS 6.2.3 Release Notes 41

Fortinet Technologies Inc.
Resolved issues

Routing

Bug ID Description

371453 OSPF translated type 5 LSA not flushed according to RFC-3101.

524229 SD-WAN health-check keep records useless logs under some circumstances.

570686 FortiOS 6.2.1 introduces asymmetric return path on the hub in SD-WAN after the link change due to
SLA on the spoke.

582078 ISDB ID is changed after restoring the configuration under the situation where the FortiGate has a
previous ISDB version.

584095 SD-WAN option of set gateway enable/set default enable override available on
connected routes.

584477 In transparent mode with asymmetric routing, packet in the reply direction does not use asymmetric
route.

585027 There is no indication in proute if the SD-WAN service is default or not.

585325 IPv6 route cannot be inactive after link-monitor is down when link-monitor are set with
ipv4 and ipv6.

587198 After failover/recovery of link, E2 route with non-zero forward address recurses to itself as a next
hope.

587700 Routing monitor policy view cannot show source and destination data for SD-WAN route and
wildcard destination.

587970 SD-WAN rules route-tag still used in service rule but not in diagnose sys virtual-wan-
link route-tag-list.

589620 Link monitor with tunnel as srcintf cannot recover after remote server down/up.

592599 FortiGate sends malformed OSPFv3 LSAReq/LSAck packets on interfaces with MTU = 9k.

593375 OSPF NSSA with multiple ASBRs losing valid external OSPF routes in upstream neighbors as
different ASBRs are power cycled.

593864 Routing table is not always updated when BGP gets an update with changed next hop.

594685 Unable to create the IPsec VPN directly in Network > SD-WAN.

595937 PPPoE interface bandwidth is mistakenly calculated as 0 in SD-WAN.

Security Fabric

Bug ID Description

575495 FGCP dynamic objects are not populated in the secondary unit.

FortiOS 6.2.3 Release Notes 42

Fortinet Technologies Inc.
Resolved issues

Bug ID Description

586587 Security Fabric widget keeps loading when FortiSwitches are in a loop, or the FortiSwitch is in
MCLAG mode.

587758 Invalid CIDR format shows as valid by the Security Fabric threat feed.

589503 Threat Feeds show the URL is invalid if there is a special character in the URL.

591015 ACI SDN connector dynamic address cannot be resolved.

592344 CSF automation configuration cannot be synced to downstream from root.

SSL VPN

Bug ID Description

525342 In some special cases, SSL VPN main state machine reads function pointer is empty that will cause
SSL VPN daemon crash.

557806 Cannot fully load a website through SSL VPN bookmark.

570171 When accessing ACT application through SSL VPN web mode, the embedded calendar request
gets wrong response and redirects to login page.

573787 SSL VPN web mode not displaying custom web application's JavaScript parts.

576288 FSSO groups set in rule with SSL VPN interface.

578908 Fails to load bookmark site over SSL VPN portal.

580377 Unable to access https://outlook.office365.com as bookmark in SSL VPN web mode.

583339 Support HSTS include SubDomains and preload option under SSL VPN settings.

584780 When the SSL VPN portal theme is set to red, the style is lost in the SSL VPN portal.

585754 A VPN SSL bookmark failed to load the Proxmox GUI interface.

586032 Unable to download report from an internal server via SSL VPN web mode connection.

586035 The policy "script-src 'self'" will block the SSL VPN proxy URL.

587075 SAML login is not stable for SSL VPN, it requires restarting sslvpnd to enable the function.

587117 SSL handshake failure with Server Architect in web mode.

588119 There is no OS support for the latest macOS Catalina version (10.15) when using SSL VPN tunnel
mode.

588720 SSL VPN web portal bookmarks cannot resolve hostname.

589015 SSO does not correctly URL-encode POST-ed credentials.

590643 href rewrite has some issues with the customer's JS file.

FortiOS 6.2.3 Release Notes 43

Fortinet Technologies Inc.
Resolved issues

Bug ID Description

591613 https://outlook.office365.com cannot be accessed in SSLVPN web portal.

592318 After sslvpn proxy, some Kurim JS files run with an error.

592935 sslvpnd crashed on FortiGate.

593082 SSL VPN bookmark does not load Google Maps on internal server.

593641 Cannot access HTTPS bookmark, get a blank page.

593850 SSL VPN logs out after some users click through the remote application.

594160 Screen shot feature is not working though SSL VPN portal.

594247 Cannot access https://cdn.i-ready.com through SSL VPN web portal.

595920 SSL VPN web mode goes to 99% on a specific bookmark.

596273 sslvpnd worker process crashes, causing a zombie tunnel session.

596843 Internal website not working in SSL VPN web mode.

597282 The latest FortiOS GUI does not render when accessing it by the SSL VPN portal.

Switch Controller

Bug ID Description

581370 FortiSwitch managed by FortiGate not updating the RADIUS settings and user group in the
FortiSwitch.

586299 Adding factory-reset device to HA fails with switch-controller.qos settings in root.

592111 FortiSwitch shows offline CAPWAP response packet getting dropped/failed after upgrading from
6.2.2.

System

Bug ID Description

484749 TCP traffic with tcp_ecn tag cannot go through ipip ipv6 tunnel with NP6 offload enabled.

502387 X.509 certificate support required for FGFM portocol.

511790 Router info does not update after plugging out/plugging in USB modem.

528052 FortiGuard filtering services show as unavailable for read-only admin.

534806 FGR-30D cannot add ports SFP1 and SFP2 on a virtual hardware switch.

FortiOS 6.2.3 Release Notes 44

Fortinet Technologies Inc.
Resolved issues

Bug ID Description

547712 HPE does not protect against DDoS attacks like flood on IKE and BGP destination ports.

556408 Aggregate link does not work for LACP mode active for FG-60E internal ports but works for wan1
and wan2 combination.

570759 RX/TX counters for VLAN interfaces based on LACP interface are 0.

572003 There was a hardware defect in an earlier revision of SSD used for FG-61E. When powering off
then powering on in a very short time, the SSD may jump into ROM mode and cannot recover until a
power circle.

573090 Making a change to a policy through inline editing is very slow with large table sizes.

573238 Session TTL expiry timer is not reset for VLAN traffic when offloading is enabled.

573973 ASIC offloading sessions sticking to interfaces after SD-WAN SLA interface selection.

576054 Missing mpsk-schedules option when restoring configuration via VDOM.

577423 FG-80D and FG-92D kernel error in CLI during FortiGate boot up.

578259 FG-3980E VLANs over LAG interface show no TX/RX statistics.

578608 High CPU usage due to dnsproxy process as high at 99%.

580038 Problems with cmdbsvr while handling a large number of FSSO address groups and security
policies.

581496 FG-201E stops sending out packets and NP6lite is stuck.

581528 SSH/RDP sessions are terminated unexpectedly.

581998 Session clash event log found on FG-6500F when passing a lot of the same source IP ICMP traffic
over load-balance VIP.

582520 Enabling offloading drops fragmented packets.

583199 fgfmsd crashed with signal 11 when some code accesses a VDOM that has been deleted, but
does not check the return value from CMDB query.

583602 Script to purge and re-create a local-in-policy ran against the remote FortiGate directly (in the CLI) is
causing auto-update issues.

585841 Console outputs unregister_netdevice error on UoM setup.

586042 NTPD does not requery the DNS server unless it restarts.

586301 GUI cannot show default Fortinet logo for replacement messages.

586551 When an SD-WAN member is disabled or VWL is disabled, snmpwalk shows "No Such Object
available on this agent at this OID" message.

587498 FortiGate sends ICMP type 3 code 3 (port unreachable) for UDP 500 and UDP 520 against
vulnerability scan.

587540 NetFlow traffic records sent with wrong interface index 0 (inputint = 0 and outputint = 0).

FortiOS 6.2.3 Release Notes 45

Fortinet Technologies Inc.
Resolved issues

Bug ID Description

587952 get system inter transceiver reports error for some transceivers.

588035 Kernel crashes when sniffing packets on interfaces that are related to EMAC VLAN.

588202 FortiGate returns invalid configuration during FortiManager retrieving configuration.

589027 EMAC VLAN drops traffic when asymmetric roue enabled on internet VDOM.

589234 Local system DNS setting instead of DNS setting acquired from upstream DHCP server was
assigned to client under management VDOM.

589517 Dedicated management CPU running on high CPU (soft IRQ).

589978 alertemail username length cannot go beyond 35 characters.

590295 OID for the IPsec VPN phase 2 selector only displays the first one on the list.

591466 Cannot change the mask for an existing secondary IP on interfaces.

592787 FortiGate got rebooted automatically due to kernel crash.

593606 diagnose hardware test suite all fails due to FortiLink loopback test.

594157 FortiGate accepts invalid configuration from FortiManager.

594499 Communication over PPPoE fails after installing PPPoE configuration from FortiManager.

595598 SOC4 devices may reboot by watchdog after upgrading to FortiOS 6.2.2 (build 6083).
Affected platforms: FG-60F, FG-61F, FG-100F, and FG-101F.

596180 Constant DHCPD crashes.

596421 FG-3400E/FG-3600E link is up on 25G ports only when the FEC is disabled on the Ixia tester.

Upgrade

Bug ID Description

586793 Address objects have reference to old firewall policy after upgrading from 6.0.6 > 6.2.x NGFW
policies.

User & Device

Bug ID Description

567831 Local FSSO poller regularly missing logon events.

583745 Wrong categorization of OS from device detection.

FortiOS 6.2.3 Release Notes 46

Fortinet Technologies Inc.
Resolved issues

Bug ID Description

586334 Brief connectivity loss on shared service when RDP session is logged in to from local device.

586394 Authentication list entry is not created/updated after changing the client PC with another user in
FSSO polling mode.

587293 The session to the SQL database is closed as timeout when a new user logs in to terminal server.

587519 fnbamd takes high CPU usage and user not able to authenticate.

587666 Mobile token authentication does not work for SSL VPN on SOC3 platforms.
Affected models include: FG-60E, FG-60E-POE, FG-61E, FG-80E, FG-80E-POE, FG-81E, FG-
81E-POE, FG-100E, FG-100EF, FG-101E, FG-140E, FWF-60E, FWF-61E.

592241 Gmail POP3 authentication fails with certificate error since version 6.0.5.

592253 RADIUS state attribute truncated in access request when using third-party MFA (ping ID).

593116 Client PC matching multiple authentication methods (firewall, FSSO, RSSO, WSSO) may not be
matched to NGFW policies correctly.

597496 Guest user log in expires after first log in and no longer works; user is not removed from the firewall
authentication list after the set time.

VM

Bug ID Description

571212 Only one CPU core in AWS is being used for traffic processing.

577653 vMotion tasks cause connections to be dropped as sessions related to vMotion VMs do not appear
on the destination VMX.

579708 Should replace GUI option to register to FortiCare from AWS PAYG with link to portal for
registration.

582123 EIP does not failover if the primary FortiGate is rebooted or stopped from the Alibaba Cloud
console.

586954 FGCP cluster member reboots in infinite loop and hatalk daemon dumps the core with
segmentation fault.

588436 Azure SDN connector unable to connect to Azure Kubneretes integrated with AAD.

589445 VM deployed in ESX platform with VMXNET3 does not show the correct speed and duplex settings.

590140 FG-VM-LENC unable to validate new license.

590149 Azure FortiGate crashing frequently when MLX4 driver RX jumbo.

590253 VLAN not working on FortiGate in a Hyper-V deployment.

590555 Allow PAYG AWS VM to bootstrap the configuration first before acquiring FortiCare license.

FortiOS 6.2.3 Release Notes 47

Fortinet Technologies Inc.
Resolved issues

Bug ID Description

590780 Azure FortiGate-VM (BYOL) unable to boot up when loading a lower vCPU license than the
instance's vCPU.

591563 Azure autoscale not syncing after upgrading to 6.2.2.

592000 In Alibaba Cloud, multiple VPC route entries fail to switch when HA fails over.

592611 HA not fully failing over when using OCI.

593797 FG-VM64-AWS not responding to ICMP6 request when destination IPv6 address is in the neighbor
cache entry.

596430 If central-management server is set to FortiManager IP address and FortiGuard update-

server-location is set to usa, the FOS-VM is able to get web filter license and server list from
FortiManager, but the GUI shows the service availability as down.

VoIP

Bug ID Description

582271 Add support for Cisco IP Phone keepalive packet.

Web Filter

Bug ID Description

560904 In NGFW mode, Security Profiles GUI is missing Web Rating Overrides page.

581523 Wrong web filter category when using flow-based inspection.

587120 Administrator logged in with web filter read/write privilege cannot create or edit web filter profiles in
the GUI.

590599 In flow mode web filter, a certificate warning is triggered when a site redirects HTTP request to
HTTPS and if ovrd-auth-https is enabled.

WiFi Controller

Bug ID Description

520677 When editing a FortiAP profile on the FortiGate web UI, the previously selected SSID group(s)
cannot be displayed.

FortiOS 6.2.3 Release Notes 48

Fortinet Technologies Inc.
Resolved issues

Bug ID Description

555659 When FortiAP is managed with cross VDOM links, the WiFi client cannot join to SSID when auto-
asic-offload is enabled.

566054 Errors pop up while creating or editing as SSID.

567011 WPA2-Enterprise SSID should support acct-all-servers setting in RADIUS to send

accounting messages to all servers.

567933 FortiAP unable to connect to FortiGate via IPsec VPN tunnel with dtls-policy clear-text.

572350 FortiOS GUI cannot support FAP-U431F and FAP-U433F profiles.

580169 Captive portal (disclaimer) redirect not working for Android phones.

587586 cw_acd crashes multiple times (FG-6501F).

Common Vulnerabilities and Exposures

Visit https://fortiguard.com/psirt for more information.

Bug ID CVE references

568788 FortiOS 6.2.3 is no longer vulnerable to the following CVE Reference:

l CVE-2007-6750

576090 FortiOS 6.2.3 is no longer vulnerable to the following CVE Reference:

l CVE-2019-17655

576941 FortiOS 6.2.3 is no longer vulnerable to the following CVE Reference:

l CVE-2019-15703

581663 FortiOS 6.2.3 is no longer vulnerable to the following CVE Reference:

l CVE-2019-9496

FortiOS 6.2.3 Release Notes 49

Fortinet Technologies Inc.
Known issues

The following issues have been identified in version 6.2.3. For inquires about a particular bug or to report a bug, please
contact Customer Service & Support.

Anti Virus

Bug ID Description

563250 Shared memory does not empty out properly under /tmp.

Data Leak Prevention

Bug ID Description

591178 WAD fails to determine the correct file name when downloading a file from Nextcloud.

DNS Filter

Bug ID Description

582374 License shows expiry date of 0000-00-00.

Explicit Proxy

Bug ID Description

540091 Cannot access explicit FTP proxy via VIP.

594580 FTP traffic over HTTP explicit proxy does not generate traffic logs once receiving error message.

594598 Enabling proxy policies (+400) increases memory by 30% and up to 80% total.

603707 The specified port configurations of https-incoming-port for config web-proxy

explicit disappeared after rebooting.

605209 LDAP ignores source-ip with web proxy Kerberos authentication.

FortiOS 6.2.3 Release Notes 50

Fortinet Technologies Inc.
 Known issues

Firewall

Bug ID Description

593103 When a policy denies traffic for a VIP and send-deny-packet is enabled, ICMP unreachable
message references the mapped address, not the external.

595044 Get new CLI signal 11 crash log when performing execute internet-service refresh.

595790 Hit Count column does not work for security policy with multiple VDOMs.

598559 ISDB matches all objects and chooses the best one based on their weight values and the firewall
policy.

599253 GUI traffic shaper Bandwidth Utilization should use KBps units.

600644 IPS engine did not resolve nested address groups when parsing the address group table for NGFW
security policies.

601331 Virtual load-balance VIP and intermittent HTTP health check failures.

604886 Session stuck in proto_state=61 only when flow-based AV is enabled in the policy.

606834 Adding more than one dynamic FSSO firewall address results in GUI and CLI error.

FortiView

Bug ID Description

592309 On FortiGate with double loop FortiSwitches, FortiView physical topology page cannot load; get
Failed to get FortiView data error message.

635309 When FortiAnalyzer logging is configured using an FQDN domain, the GUI displays a 500 error
message on the FortiView Compromised Hosts page.

GUI

Bug ID Description

354464 Antivirus archive logging enabled from the CLI will be disabled by editing the antivirus profile in the
GUI, even if no changes are made.

514632 Inconsistent reference count when using ports in HA session-sync-dev.

529094 When creating an antispam block/allow list entry, Mark as Reject should be grayed out.

535099 The SSID dialog page does not have support for the new MAC address filter.

FortiOS 6.2.3 Release Notes 51

Fortinet Technologies Inc.
Known issues

Bug ID Description

541042 Log viewer forwarded traffic does not support multiple filters for one field.

557786 GUI response is very slow when accessing Monitor > IPsec Monitor (api/v2/monitor/vpn/ipsec is
taking a long time).

564849 HA warning message remains after primary unit takes back control.

565309 Application groups improvements.

579711 Cannot run Security Rating due to disk issue (diagnose security-rating clean fails).

584314 NGFW mode should have a link to show all applications in the list.

584915 OK button missing from many pages when viewed in Chrome on an Android device.

584939 VPN event logs are incorrectly filtered when there are two Action filters and one of them contains "-".

585055 High CPU utilization by httpsd daemon if there are too many API connections.

585924 Wrong traffic shaper bandwidth unit on 32-bit platform GUI pages.

589709 Status icon in Tunnel column on IPsec Tunnels page should be removed.

593899 Upgrading from build 0932 to build 1010 displays Malware Hash Threat Feed is not found or
enabled error.

598725 Login page shows random characters when system language is not English.

599245 Nessus vulnerability scan tool reported more medium level vulnerabilities for 6.2.3 compared with
the 6.2.2 result.

599284 pyfcgid crashed with signal 11 (Segmentation fault) received.

599401 FortiGuard quota category details displays No matching entries found for local category.

600120 Reduce the number of core used by httpsd for low-end platforms.

601568 Interface status is not displayed on faceplate when viewing from the System > HA page.

601653 When deleting an AV profile in the GUI, there is no confirmation message prompt.

602102 Warning message is not displayed when a user configures an interface with a static IP address that
is already in use.

602637 Block intra-zone traffic toggle button function is inverted in FortiOS 6.2.3.

607972 FortiGate enters conserve mode when accessing Amazon AWS ISDB object.

601653 When deleting an AV profile in the GUI, there is no confirmation message prompt.

606074 Interfaces is missing in the GUI in sections for IPv4 Policy and SSL-VPN Settings after upgrading
from 6.2.2 to 6.2.3.

606428 GUI does not allow multiple IPsec tunnels with the same destination IP bound to the same interface
but sourced from a different IP.

610181 FG-OPC-ONDEMAND (FGVMPG license) shows FortiCare is not supported even though the
license was registered in FortiCare.

FortiOS 6.2.3 Release Notes 52

Fortinet Technologies Inc.
Known issues

Bug ID Description

611436 FortiGate displays a hacked webpage after selecting an IPS log.

621254 When creating or editing an IPv4 policy or address group, firewall address searching does not work
if there is an empty wildcard address due to a configuration error.

615462 GUI takes 10-15 seconds to load Device Inventory, IPv4 Policy, and Interfaces pages.

617364 GUI does not list AliCoud SDN address filter.

620854 FG-101F GUI should not add speed to virtual switch member port.

638752 FortiGates in an HA A-P configuration may lose GUI access to the HA secondary device after a
period of 8 days of inactivity, when at least one static IPv6 address is configured on an interface.

664007 GUI incorrectly displays the warning, Botnet package update unavailable, AntiVirus subscription not
found., when the antivirus entitlement is expiring within 30 days. The actual botnet package update
still works within the active entitlement duration.

689605 On some browser versions, the GUI displays a blank dialog when creating custom application or
IPS signatures. Affected browsers: Firefox 85.0, Microsoft Edge 88.0, and Chrome 88.0.

695163 When there are a lot of historical logs from FortiAnalyzer, the FortiGate GUI Forward Traffic log
page can take time to load if there is no specific filter for the time range.
Workaround: provide a specific time range filter, or use the FortiAnalyzer GUI to view the logs.

HA

Bug ID Description

588908 FG-3400E hasync reports the "Network is unreachable".

598937 Local user creation causes HA to be out of sync for several minutes.

601550 Application hasync might crash several times due to accessing some out of bound memory when
processing hastats data.

602266 The configuration of the SD-WAN interface gateway IP should not sync.

602406 In a FortiGate HA cluster, performance SLA (SD-WAN) information does not sync with the
secondary unit.

613714 HA failover takes over one minute when monitored aggregate interface goes down on primary unit.

621621 Ether-type HA cannot be changed.

FortiOS 6.2.3 Release Notes 53

Fortinet Technologies Inc.
Known issues

Intrusion Prevention

Bug ID Description

565747 IPS engine 5.00027 has signal 11 crash.

586544 IPS intelligent mode not working when reflect sessions are created on different physical interfaces.

587668 IPS engine 5.00035 has signal 11 crash.

590087 When IPS pcap is enabled, traffic is intermittently disrupted after disk I/O reaches IOPS limit.

608501 IPS forwards attacks that are previously identified as dropped.

IPsec VPN

Bug ID Description

516029 Remove the IPsec global lock.

589096 In IPsec after HA failover, performance regression and IKESAs is lost.

590633 Packet loss observed after ADVPN shortcut is created.

592361 Cannot pass traffic over ADVPN if: tunnel-search is set to nexthop, net-device disable,
mode-cfg enable, and add-route disable.

594962 IPsec VPN IKEv2 interoperability issue when the FortiGate uses a group as P2 selectors with a non-
FortiGate in a remote peer gateway.

595810 Unable to reach network resources via L2TP over IPsec with WAN PPPoE connection.

597748 L2TP/IPsec VPN disconnects frequently.

603090 The OCVPN log file was not closed or properly trimmed due to the incorrect state_refcnt. The
OCVPN log file stayed open, grew extremely large, and was never trimmed.

604334 L2TP disconnection when transferring large files.

607212 IKEv2 DPD is not triggered if network overlay network ID was mismatched when first configured.

609033 After two HA failovers, one VPN interface member of SD-WAN cannot forward packets.

611148 L2TP/IPsec does not send framed IP address in RADIUS accounting updates.

612319 MTU calculation of shared dynamic phase 1 interface is too low compared to its phase 2 MTU and
makes fragmentation high.

615360 OCVPN secondary hub cannot register.

622506 L2TP over IPsec tunnel established, but traffic cannot pass because wrong interface gets in route
lookup.

FortiOS 6.2.3 Release Notes 54

Fortinet Technologies Inc.
Known issues

Log & Report

Bug ID Description

593557 Logs to syslog server configured with FQDN addresses fail when the DNS entry gets updated for
the FQDN address.

602459 GUI shows 401 Unauthorized error when downloading forward traffic logs with the time stamp as
the filter criterion.

605174 Incorrect sentdelta/rcvddelta in statistic traffic logs.

606533 User observes FGT internal error while trying to log in or activate FortiGate Cloud from the
web UI.

608565 FortiGate sends incorrect long session logs to FortiGate Cloud.

Proxy

Bug ID Description

582475 WAD is crashing with signal 6 in wad_fmem_free when processing SMB2/CIFS.

610466 Multiple WAD crash on FG-500D after upgrading from 6.2.3 (wad_url_filter_user_cat_
load_entry.constprop.7).

629504 SSH status in SSL profile changes to deep-inspection from disable after upgrading.

REST API

Bug ID Description

584631 REST API admin with token unable to configure HA setting (via login session works).

599516 When managing FortiGate via FortiGate Cloud, sometimes user only gets read-only access.

Routing

Bug ID Description

537354 BFD/BGP dropping when outbandwidth is set on interface.

580207 Policy route does not apply to local-out traffic.

FortiOS 6.2.3 Release Notes 55

Fortinet Technologies Inc.
Known issues

Bug ID Description

593951 Improve algorithm to distribute ECMP traffic for source IP-based/destination IP-based.

597733 IPv6 ECMP routes cannot be synchronized correctly to HA secondary unit.

599884 Traffic not following SD-WAN rules when one of the interfaces is VLAN.

600332 SD-WAN GUI page bandwidth shows 0 issues when there is traffic running.

600830 SD-WAN health check reports have packet loss if response time is longer than the check interval.

600995 Policy routes with large address groups containing FQDNs no longer work after upgrading to 6.2.2.

604390 FortiOS 6.2.3 by default drops reply packets received from a different interface (unlike 6.2.2).

666829 Application bfdd crashes.

Security Fabric

Bug ID Description

599474 FortiGate SDN connector not seeing all available tag name-value pairs.

604670 Time zone of scheduled automation stitches will always be taken as GMT-08:00 regardless of the
system's timezone configuration.

SSL VPN

Bug ID Description

505986 On IE 11, SSL VPN web portal displays blank page title {{::data.portal.heading}} after
authentication.

558685 Two-factor authentication with FortiToken easily bypassed when using LDAP authentication.

563022 SSL VPN LDAP group object matching only matches the first policy; is not consistent with normal
firewall policy.

595627 Cannot access some specific sites through SSL VPN web mode.

598659 SSL VPN daemon crash.

599668 In SSL VPN web mode, page keeps loading after user authenticates into internal application.

599671 In SSL VPN web mode, cannot display complete content on page, and cannot paste or type in the
comments section.

599960 RADIUS user and local token push cannot log in to SSL VPN portal/tunnel when the password
needs to be changed.

FortiOS 6.2.3 Release Notes 56

Fortinet Technologies Inc.
Known issues

Bug ID Description

600103 Sslvpnd crashes when trying to query a DNS host name without a period (.).

602645 SSL VPN synology NAS web bookmark log in page does not work after upgrading to 6.2.3.

603957 SSL VPN LDAPS authentication does not work in multiple user group configurations after upgrading
the firewall to 6.0.7.

605699 Internal HRIS website dropdown list box not loading in SSL VPN web mode.

613111 Traffic cannot pass through FortiGate in SSL VPN web mode if the user is a PKI peer.

616879 Traffic cannot pass through FortiGate for SSL VPN web mode if the user is a PKI peer.

624197 SSL VPN web mode does not completely load the redirected corporate SSO page when accessing
an internal resource.

Switch Controller

Bug ID Description

517663 For a managed FortiSwitch already running the latest GA image, Upgrade Available tag shows
unexpectedly.

588584 GUI should add support to allow using switch VLAN interface under a tenant VDOM on a managed
switch VDOM.

605864 If the firewall is downgraded from 6.2.3 to 6.2.2, the FortiLink interface looses its CAPWAP setting.

607707 Unable to push configuration changes from FortiGate to FortiSwitch.

608231 LLDP policy did not download completely to the managed FortiSwitch 108Es.

613323 FortiSwitch trunk configuration sync issue after FortiGate failover.

System

Bug ID Description

436904 Get fgt140d_i2c_write_byte_data:874 i2c_write_byte_data(0, 0x73, 0x00,

0x04) error! message by detecting transceiver. Affected platforms: FG-140D and FG-140D-
POE.

464340 EHP drops for units with no NP service module.

527459 SDN address filter unable to handle space character.

576337 SNMP polling stopped when FortiManager API script executed onto FortiGate.

FortiOS 6.2.3 Release Notes 57

Fortinet Technologies Inc.
Known issues

Bug ID Description

578031 FortiManager Cloud cannot be removed once the FortiGate has trouble on contract.

582498 Traffic cannot be offloaded to both NTurbo and NP6 when DoS policy is applied on ingress/egress
interface in a policy with IPS.

589079 QSFP interface goes down when the get system interface transceiver command is
interrupted.

589723 Wrong source IP is bound for config system fortiguard.

590021 Enabling auto-asic-offload results in keeping action=deny in traffic log with an accept
entry.

592570 VLAN switch does not work on FG-100E.

592827 FortiGate is not sending DHCP request after receiving offer.

594018 Update daemon is locked to one resolved update server.

594865 diagnose internet-service match does not return the IP value of the IP reputation
database object.

595338 Unable to execute ping6 when configuring execute ping6-options tos, except for
default.

595467 Invalid multicast policy created after transparent VDOM restored.

598527 ISDB may cause crashes after downgrading FortiGate firmware.

600032 SNMP does not provide routing table for non-management VDOM.

602523 DDNS monitor-interface uses the monitored interface if DDNS services other than FortiGuard
DDNS are used.

602548 Some of the clients are not getting their IP through DHCP intermittently.

603194 NP multicast session remains after the kernel session is deleted.

603551 DHCPv6 relay does not work on FG-2200E.

604550 Locally-originated DHCP relay traffic on non-default VRF may follow route on VRF 0.

604699 Header line that is not freed might cause system to enter conserve mode in a transparent mode
deployment.

607015 More than usual NTP client traffic caused by frequent DNS lookups and NTP sync for new servers,
which happens quite often on some global NTP servers.

607452 Automatically logged out of CLI when trying to configure STP due to /bin/newcli crash.

610900 Low throughput on FG-2201E for traffic with ECN flag enabled.

610903 SMC NTP functions are enabled on some of the models that do not support the feature.

610976 Get kernel panic when creating VLAN on GENEVE interface.

612113 xcvrd attaches shared memory multiple times causing huge memory consumption.

617453 fgfmsd crash due to REST agent.

FortiOS 6.2.3 Release Notes 58

Fortinet Technologies Inc.
Known issues

Bug ID Description

621771 FortiGate cannot be accessed by ping/telnet/ssh/capwap in transparent VDOM.

626785 FG-101F should support the same WTP size (128) as FG-100F.

627409 Cannot create hardware switch on FG-100F.

694202 stpforward does not work with LAG interfaces on a transparent VDOM.

Upgrade

Bug ID Description

649948 Upon upgrading to FortiOS 6.2.3 or 6.2.4, IKE/IPsec SAs are not synced to the primary when HA
uninterruptible-upgrade is enabled. As a result, IPsec traffic from a client may be detected
as having an invalid SPI until the client starts a new negotiation.

User & Device

Bug ID Description

573317 SSO admin with a user name over 35 characters cannot log in after the first login.

591461 FortiGate does not send user IP to TACACS server during authentication.

592047 GUI RADIUS test fails with vdom-dns configuration.

595583 Device identification via LLDP on an aggregate interface does not work.

596844 Admin GUI login makes the FortiGate unstable when there are lots of devices detected by device
identification.

593361 No source IP option available for OCSP certificate checking.

594863 UPN extraction does not work for particular PKI.

605206 FortiClient server certificate in FSSO CA uses weak public key strength of 1024 bits and certificate
expiring in May 2020.

605404 FortiGate does not respond to disclaimer page request when traffic hits a disclaimer-enabled policy
with thousands of address objects.

605437 FortiOS does not understand CMPv2 grantedWithMods response.

605950 RDP sessions are terminated (disconnect) unexpectedly.

FortiOS 6.2.3 Release Notes 59

Fortinet Technologies Inc.
Known issues

VM

Bug ID Description

575346 gui-wanopt cache missing under system settings after upgrading a FortiGate VM with two disks.

587180 FG-VM64-KVM is unable to boot up properly when doing a hard reboot with the host.

587757 FG-VM image unable to be deployed on AWS with additional HDD(st1) disk type.

596742 Azure SDN connector replicates configuration from primary unit to secondary unit during
configuration restore.

597003 Unable to bypass self-signed certificates on Chrome in macOS Catalina.

598419 Static routes are not in sync on FortiGate Azure.

599430 FG-VM-AZURE fails to boot up due to rtnl_lock deadlock.

600975 Race condition may prevent FG-VM-Azure from booting up because of deadlock when processing
NETVSC offering and vPCI offering at the same time.

601357 FortiGate VM Azure in HA has unsuccessful failover.

601528 License validation failure log message missing when using FortiManager to validate a VM.

603426 AWS-PAYG in HA setup can lose its VM license after rebooting with certain setup.

603599 VIP in autoscale on GCP not syncing to other nodes.

605435 API call to associate elastic IP is triggered only when the unit becomes the primary device.

605511 FG-VM-GCP reboots a couple of times due to kernel panic.

606527 GUI and CLI interface dropdown lists are inconsistent.

608881 IPsec VPN tunnel not staying up after failing over with AWS A-P cross-AZ setup.

609283 IP pools are synchronized in FortiGate Azure HA.

612611 Very hard to download image for FG-AWSONDEMAND from FDS.

613730 Unable to update routing table for a resource group in a different subscription with FortiGate Azure
SDN.

622031 azd keeps crashing if Azure VM contains more than 15 tags.

685782 HTTPS administrative interface responds over heartbeat port on Azure FortiGate despite
allowaccess settings.

FortiOS 6.2.3 Release Notes 60

Fortinet Technologies Inc.
Known issues

WiFi Controller

Bug ID Description

563630 Kernel panic observed on FWF-60E.

599690 Unable to perform COA with device MAC address for 802.1x wireless connection when use-
management-vdom is enabled.

601012 When upgrading from 5.6.9 to 6.0.8, channels 120, 124, and 128 are no longer there for NZ country
code.

615219 FortiGate cannot create WTP entry for FortiAP in transparent mode.

FortiOS 6.2.3 Release Notes 61

Fortinet Technologies Inc.
Limitations

Citrix XenServer limitations

The following limitations apply to Citrix XenServer installations:

l XenTools installation is not supported.
l FortiGate-VM can be imported or deployed in only the following three formats:
l XVA (recommended)

l VHD

l OVF

l The XVA format comes pre-configured with default configurations for VM name, virtual CPU, memory, and virtual
NIC. Other formats will require manual configuration before the first power on process.

Open source XenServer limitations

When using Linux Ubuntu version 11.10, XenServer version 4.1.0, and libvir version 0.9.2, importing issues may arise
when using the QCOW2 format and existing HDA issues.

FortiOS 6.2.3 Release Notes 62

Fortinet Technologies Inc.
Copyright© 2021 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., in the
U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be
trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and
other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding
commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s
General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such
event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be
limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. In no event does Fortinet make any commitment related to future deliverables, features or
development, and circumstances may change such that any forward-looking statements herein are not accurate. Fortinet disclaims in full any covenants, representations, and
guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most
current version of the publication shall be applicable.