FortiOS 7.2.10 Release Notes

The FortiOS 7.2.10 Release Notes provide detailed information about the new features, changes, and known issues for Fortinet's operating system, including support for various FortiGate models. Key highlights include updates on RADIUS vulnerabilities, IPsec interface configurations, and compatibility notices for specific hardware. The document also outlines upgrade information, resolved issues, and limitations associated with the release.

Release Notes

FortiOS 7.2.10
FORTINET DOCUMENT LIBRARY
https://docs.fortinet.com

FORTINET VIDEO LIBRARY
https://video.fortinet.com

FORTINET BLOG
https://blog.fortinet.com

CUSTOMER SERVICE & SUPPORT
https://support.fortinet.com

FORTINET TRAINING & CERTIFICATION PROGRAM
https://www.fortinet.com/training-certification

FORTINET TRAINING INSTITUTE
https://training.fortinet.com

FORTIGUARD LABS
https://www.fortiguard.com

END USER LICENSE AGREEMENT
https://www.fortinet.com/doc/legal/EULA.pdf

FEEDBACK
Email: [email protected]

February 18, 2025


FortiOS 7.2.10 Release Notes
01-7210-1073605-20250218
TABLE OF CONTENTS

Change Log 6
Introduction and supported models 7
Supported models 7
FortiGate 6000 and 7000 support 7
Special notices 9
IPsec phase 1 interface type cannot be changed after it is configured 9
IP pools and VIPs are now considered local addresses 9
FortiGate 6000 and 7000 incompatibilities and limitations 10
Hyperscale incompatibilities and limitations 10
SMB drive mapping with ZTNA access proxy 10
Console error message when FortiGate 40xF boots 10
FortiGate models with 2 GB RAM cannot be a Security Fabric root 10
FortiGuard Web Filtering Category v10 update 11
FortiAP-W2 models may experience bootup failure during federated upgrade process if they are powered by a managed FortiSwitch's PoE port 12
Remote access with write rights through FortiGate Cloud 12
Hyperscale NP7 hardware limitation 12
RADIUS vulnerability 12
HA unsupported between different FortiGate 90G and 91G series hardware generations 13
RADIUS vulnerability 15
Changes in CLI 16
Changes in GUI behavior 17
Changes in default behavior 18
Changes in table size 19
New features or enhancements 20
Upgrade information 22
Fortinet Security Fabric upgrade 22
Downgrading to previous firmware versions 24
Firmware image checksums 24
Strong cryptographic cipher requirements for FortiAP 24
FortiGate VM VDOM licenses 25
VDOM link and policy configuration is lost after upgrading if VDOM and VDOM link have the same name 25
FortiGate 6000 and 7000 upgrade information 25
IPS-based and voipd-based VoIP profiles 26
Upgrade error message 27
BIOS-level signature and file integrity checking during downgrade 27
FortiOS restricts the automatic firmware upgrades to the FortiGate 28
GUI firmware upgrade does not follow the recommended upgrade path in previous versions 29

FortiOS 7.2.10 Release Notes 3


Fortinet Inc.
FortiGates with ULL ports may experience status down on active ports 29
SLBC FG-5001E primary blade fails to install image 29
Product integration and support 30
Virtualization environments 31
Language support 31
SSL VPN support 32
SSL VPN web mode 32
Resolved issues 33
Proxy 33
SSL VPN 33
Switch Controller 33
System 33
VM 34
Common Vulnerabilities and Exposures 34
Known issues 35
New known issues 35
Explicit Proxy 35
Firewall 35
FortiGate 6000 and 7000 platforms 36
GUI 36
HA 36
Intrusion Prevention 37
IPsec VPN 37
Proxy 37
Routing 37
Security Fabric 37
System 38
User & Authentication 38
VM 38
WiFi Controller 38
Existing known issues 39
Anti Virus 39
Explicit Proxy 39
Firewall 39
FortiGate 6000 and 7000 platforms 40
GUI 41
HA 41
Hyperscale 42
IPsec VPN 43
Log & Report 43
Proxy 43
REST API 43
Routing 43
Security Fabric 44
SSL VPN 44
Switch Controller 45
System 45

Upgrade 46
User & Authentication 46
VM 46
Web Filter 47
WiFi Controller 47
ZTNA 47
Built-in AV Engine 48
Built-in IPS Engine 49
Limitations 50
Citrix XenServer limitations 50
Open source XenServer limitations 50
Limitations on HA cluster formation between different FortiGate Rugged 60F and 60F
3G4G models 50

Change Log

Date Change Description

2024-09-19 Initial release.

2024-09-20 Updated RADIUS vulnerability on page 12 and Known issues on page 35.

2024-09-23 Updated Resolved issues on page 33 and Known issues on page 35.

2024-10-01 Updated Resolved issues on page 33 and Known issues on page 35.

2024-10-07 Updated Known issues on page 35.

2024-10-09 Updated Known issues on page 35.

2024-10-15 Updated Known issues on page 35.

2024-10-18 Updated Fortinet Security Fabric upgrade on page 22.

2024-10-21 Updated Known issues on page 35.

2024-10-28 Updated Known issues on page 35.

2024-11-05 Updated RADIUS vulnerability on page 12.

2024-11-08 Added HA unsupported between different FortiGate 90G and 91G series hardware generations on page 13.

2024-11-14 Updated Known issues on page 35.

2024-11-18 Updated Known issues on page 35.

2024-11-28 Updated RADIUS vulnerability on page 12.

2024-12-03 Updated Known issues on page 35.

2024-12-04 Updated Known issues on page 35.

2024-12-10 Updated Known issues on page 35 and Limitations on page 50.

2024-12-16 Updated Known issues on page 35.

2025-01-08 Updated Known issues on page 35.

2025-01-14 Added RADIUS vulnerability on page 15. Updated Resolved issues on page 33 and Known issues on page 35.

2025-01-21 Updated Known issues on page 35.

2025-01-23 Updated Known issues on page 35.

2025-02-03 Added SLBC FG-5001E primary blade fails to install image on page 29.
Updated Known issues on page 35.

2025-02-11 Updated Known issues on page 35.

2025-02-18 Updated Resolved issues on page 33 and Known issues on page 35.

Introduction and supported models

This guide provides release information for FortiOS 7.2.10 build 1706.
For FortiOS documentation, see the Fortinet Document Library.

Supported models

FortiOS 7.2.10 supports the following models.

FortiGate: FG-40F, FG-40F-3G4G, FG-60E, FG-60E-DSL, FG-60E-DSLJ, FG-60E-POE, FG-60F, FG-61E, FG-61F, FG-70F, FG-71F, FG-80E, FG-80E-POE, FG-80F, FG-80F-BP, FG-80F-DSL, FG-80F-POE, FG-81E, FG-81E-POE, FG-81F, FG-81F-POE, FG-90E, FG-90G, FG-91E, FG-91G, FG-100E, FG-100EF, FG-100F, FG-101E, FG-101F, FG-120G, FG-121G, FG-140E, FG-140E-POE, FG-200E, FG-200F, FG-201E, FG-201F, FG-300E, FG-301E, FG-400E, FG-400E-BP, FG-401E, FG-400F, FG-401F, FG-500E, FG-501E, FG-600E, FG-601E, FG-600F, FG-601F, FG-800D, FG-900D, FG-900G, FG-901G, FG-1000D, FG-1000F, FG-1001F, FG-1100E, FG-1101E, FG-1500D, FG-1500DT, FG-1800F, FG-1801F, FG-2000E, FG-2200E, FG-2201E, FG-2500E, FG-2600F, FG-2601F, FG-3000D, FG-3000F, FG-3001F, FG-3100D, FG-3200D, FG-3200F, FG-3201F, FG-3300E, FG-3301E, FG-3400E, FG-3401E, FG-3500F, FG-3501F, FG-3600E, FG-3601E, FG-3700D, FG-3700F, FG-3701F, FG-3960E, FG-3980E, FG-4200F, FG-4201F, FG-4400F, FG-4401F, FG-4800F, FG-4801F, FG-5001E, FG-5001E1, FG-6000F, FG-7000E, FG-7000F

FortiWiFi: FWF-40F, FWF-40F-3G4G, FWF-60E, FWF-60E-DSL, FWF-60E-DSLJ, FWF-60F, FWF-61E, FWF-61F, FWF-80F-2R, FWF-80F-2R-3G4G-DSL, FWF-81F-2R, FWF-81F-2R-3G4G-DSL, FWF-81F-2R-POE, FWF-81F-2R-3G4G-POE

FortiGate Rugged: FGR-60F, FGR-60F-3G4G, FGR-70F, FGR-70F-3G4G

FortiFirewall: FFW-1801F, FFW-2600F, FFW-3980E, FFW-4200F, FFW-4400F, FFW-4401F, FFW-4801F, FFW-VM64, FFW-VM64-KVM

FortiGate VM: FG-ARM64-AWS, FG-ARM64-AZURE, FG-ARM64-GCP, FG-ARM64-KVM, FG-ARM64-OCI, FG-VM64, FG-VM64-ALI, FG-VM64-AWS, FG-VM64-AZURE, FG-VM64-GCP, FG-VM64-HV, FG-VM64-IBM, FG-VM64-KVM, FG-VM64-OPC, FG-VM64-RAXONDEMAND, FG-VM64-SVM, FG-VM64-VMX, FG-VM64-XEN

Pay-as-you-go images: FOS-VM64, FOS-VM64-HV, FOS-VM64-KVM, FOS-VM64-XEN

FortiGate 6000 and 7000 support

FortiOS 7.2.10 supports the following FG-6000F, FG-7000E, and FG-7000F models:


FG-6000F FG-6001F, FG-6300F, FG-6301F, FG-6500F, FG-6501F

FG-7000E FG-7030E, FG-7040E, FG-7060E

FG-7000F FG-7081F, FG-7121F

Special notices

• IPsec phase 1 interface type cannot be changed after it is configured on page 9
• IP pools and VIPs are now considered local addresses on page 9
• FortiGate 6000 and 7000 incompatibilities and limitations on page 10
• Hyperscale incompatibilities and limitations on page 10
• SMB drive mapping with ZTNA access proxy on page 10
• Console error message when FortiGate 40xF boots on page 10
• FortiGate models with 2 GB RAM cannot be a Security Fabric root on page 10
• FortiGuard Web Filtering Category v10 update on page 11
• FortiAP-W2 models may experience bootup failure during federated upgrade process if they are powered by a managed FortiSwitch's PoE port on page 12
• Remote access with write rights through FortiGate Cloud on page 12
• Hyperscale NP7 hardware limitation on page 12
• RADIUS vulnerability on page 12
• HA unsupported between different FortiGate 90G and 91G series hardware generations on page 13
• RADIUS vulnerability on page 15

IPsec phase 1 interface type cannot be changed after it is configured

In FortiOS 7.2.0 and later, the IPsec phase 1 interface type cannot be changed after it is configured. This is due to the
tunnel ID parameter (tun_id), which is used to match routes to IPsec tunnels to forward traffic. If the IPsec phase 1
interface type needs to be changed, a new interface must be configured.

IP pools and VIPs are now considered local addresses

In FortiOS 7.2.6 and later, all IP addresses used as IP pools and VIPs are now considered local IP addresses if
responding to ARP requests on these external IP addresses is enabled (set arp-reply enable, by default). For
these cases, the FortiGate is considered a destination for those IP addresses and can receive reply traffic at the
application layer.
Previously in FortiOS 7.2.0 to 7.2.5, this was not the case. For details on the history of the behavior changes for IP pools
and VIPs, and for issues and their workarounds for the affected FortiOS versions, see Technical Tip: IP pool and virtual
IP behavior changes in FortiOS 6.4, 7.0, 7.2, and 7.4.


FortiGate 6000 and 7000 incompatibilities and limitations

See the following links for information about FortiGate 6000 and 7000 limitations and incompatibilities with FortiOS
7.2.10 features.
• FortiGate 6000 incompatibilities and limitations
• FortiGate 7000E incompatibilities and limitations
• FortiGate 7000F incompatibilities and limitations

Hyperscale incompatibilities and limitations

See Hyperscale firewall incompatibilities and limitations in the Hyperscale Firewall Guide for a list of limitations and
incompatibilities with FortiOS 7.2.10 features.

SMB drive mapping with ZTNA access proxy

In FortiOS 7.2.5 and later, an SMB drive mapping on a Windows PC made through a ZTNA access proxy becomes
inaccessible after the PC reboots when the access proxy with TCP forwarding is configured as an FQDN. When it is
configured with an IP address for SMB traffic, the issue is not observed.
One way to solve the issue is to enter the credentials into Windows Credential Manager in the form
domain\username.
Another way is to use the KDC proxy to issue a Kerberos TGT for the remote user. See
ZTNA access proxy with KDC to access shared drives for more information. This way, no credential entry is needed in
Credential Manager, and the user is authenticated against the DC.

Console error message when FortiGate 40xF boots

In FortiOS 7.2.5 and later, FortiGate 400F and 401F units with BIOS version 06000100 show an error message in the
console when booting up.
The message, Write I2C bus:3 addr:0xe2 reg:0x00 data:0x00 ret:-121., is shown in the console, and
the FortiGate is unable to get transceiver information.
The issue is fixed in BIOS version 06000101.

FortiGate models with 2 GB RAM cannot be a Security Fabric root

A Security Fabric topology is a tree topology consisting of a FortiGate root device and downstream devices within the
mid-tier part of the tree or downstream (leaf) devices at the lowest point of the tree.


As part of improvements to reducing memory usage on FortiGate models with 2 GB RAM, this version of FortiOS no
longer allows these models to be the root of the Security Fabric topology or any mid-tier part of the topology. Therefore,
FortiGate models with 2 GB RAM can only be a downstream device in a Security Fabric or a standalone device.
The affected models are the FortiGate 40F, 60E, 60F, 80E, and 90E series devices and their variants.

FortiGate models with 2 GB RAM running FortiOS 7.4.2 or later can be used as the Security
Fabric root. See FortiGate models with 2 GB RAM can be a Security Fabric root.

To confirm if your FortiGate model has 2 GB RAM, enter diagnose hardware sysinfo conserve in the CLI and
check that the total RAM value is below 2000 MB (1000 MB = 1 GB).
In the GUI on the Security Fabric > Fabric Connectors page when editing the Security Fabric Setup card, the Security
Fabric role can only be configured as Standalone or Join Existing Fabric.
In the CLI, the following error messages are displayed when attempting to configure a FortiGate model with 2 GB RAM
as a Security Fabric root:
config system csf
    set status enable
end
...
2GB-RAM models cannot be a Security Fabric root.
Please set the upstream.
object set operator error, -39, roll back the setting
Command fail. Return code -39

FortiGuard Web Filtering Category v10 update

Fortinet has updated its web filtering categories to v10, which includes two new URL categories for AI chat and
cryptocurrency websites. To use the new categories, customers must upgrade their Fortinet products to one of the
versions below:
• FortiManager: 6.0.12, 6.2.9, 6.4.7, 7.0.2, 7.2.0, 7.4.0
• FortiOS: 7.2.8 and 7.4.1
• FortiClient: Windows 7.2.3, macOS 7.2.3, Linux 7.2.3
• FortiClient EMS: 7.2.1
• FortiMail: 7.0.7, 7.2.5, 7.4.1
• FortiProxy: 7.4.1
Please read the following CSB for more information on caveats for usage in FortiManager and FortiOS:
https://support.fortinet.com/Information/Bulletin.aspx


FortiAP-W2 models may experience bootup failure during federated upgrade process if they are powered by a managed FortiSwitch's PoE port

Disable the federated upgrade feature if you have FortiAP-W2 devices that are exclusively powered by a PoE port from a
FortiGate or FortiSwitch.
The federated upgrade feature starts the upgrades of managed FortiSwitch and FortiAP devices at approximately the
same time. Some FortiAP-W2 devices take a longer time to upgrade than the FortiSwitch devices. When the FortiSwitch
finishes upgrading, it reboots, and can disrupt the PoE power to the FortiAP devices. If a FortiAP device is still upgrading
when the power is disrupted, it can cause the FortiAP device to experience a bootup failure.
Manually triggering federated upgrade can cause this issue. Starting in 7.2.8, automatic firmware upgrade will no longer
trigger FortiSwitch and FortiAP to be upgraded.
For more information about federated upgrade, see Upgrading Fabric or managed devices.

Remote access with write rights through FortiGate Cloud

Remote access with read and write rights through FortiGate Cloud now requires a paid FortiGate Cloud subscription.
The FortiGate can still be accessed in a read-only state with the free tier of FortiGate Cloud. Alternatively, you can
access your FortiGate through its web interface.
Please contact your Fortinet Sales/Partner for details on purchasing a FortiGate Cloud Service subscription license for
your FortiGate device.
For more information see the FortiGate Cloud feature comparison and FortiGate Cloud Administration guide FAQ.

Hyperscale NP7 hardware limitation

Because of an NP7 hardware limitation, for CGN traffic accepted by a hyperscale firewall policy that includes an
overload with port block allocation (overload PBA) IP Pool, only one block is allocated per client. The setting of the
hyperscale firewall policy cgn-resource-quota option is ignored.
Because of this limitation, under certain rare conditions (for example, only a single server side IP address and port are
being used for a large number of sessions), port allocation may fail even if the block usage of the client is less than its
quota. In cases such as this, if the client has traffic towards some other servers or ports, additional port allocation can
become successful. You can also work around this problem by increasing the IP Pool block size (cgn-block-size).

RADIUS vulnerability

Fortinet has resolved a RADIUS vulnerability as described in CVE-2024-3596. As a result, firewall authentication,
FortiGate administrative web UI authentication, and WiFi authentication may be affected depending on the functionality


of the RADIUS server software used in your environment. RFC 3579 contains information on the affected RADIUS
attribute, message-authenticator.
In order to protect against the RADIUS vulnerability described in CVE-2024-3596, as a RADIUS client, FortiGate will:
1. Force the validation of message-authenticator.
2. Reject RADIUS responses with unrecognized proxy-state attribute.

Message-authenticator checking is made mandatory under UDP/TCP. It is not mandatory when using TLS. Users are
highly encouraged to use RADSEC with the RADIUS server configuration, which is supported starting in version 7.4.0.
For more information, see Configuring a RADSEC client.
If FortiGate is using UDP/TCP mode without RADSEC, the RADIUS server should be patched to ensure the message-
authenticator attribute is used in its RADIUS messages.
Affected Product Integration
• FortiAuthenticator version 6.6.1 and older.
• Third party RADIUS server that does not support sending the message-authenticator attribute.
Solution
• Upgrade FortiAuthenticator to version 6.4.10, 6.5.6, or 6.6.2 and follow the Upgrade instructions.
• Upgrade the RADIUS server and/or enable it to send the correct message-authenticator attribute.

HA unsupported between different FortiGate 90G and 91G series hardware generations

Because of significant differences in interface naming conventions between Generation 1 and Generation 2 FortiGate
90G and 91G series devices, the high availability (HA) feature is not supported between Generation 1 and Generation 2
of the same devices.
For example, for a Generation 1 FortiGate 91G device, the following output is observed:
FortiGate-91-Gen1 # get hardware status
Model name: FortiGate-91G
ASIC version: SOC5
CPU: ARMv8
Number of CPUs: 8
RAM: 7547 MB
EMMC: 9982 MB(MLC) /dev/mmcblk0
Hard disk: 114473 MB /dev/nvme0n1
USB Flash: not available
Network Card chipset: FortiASIC NP7LITE Adapter (rev.)
Hardware Board ID: 002

For a Generation 2 FortiGate 91G device, the following output is observed:
FortiGate-91G-Gen2 # get hardware status
Model name: FortiGate-91G
ASIC version: SOC5
CPU: ARMv8
Number of CPUs: 8
RAM: 7547 MB
EMMC: 9982 MB(MLC) /dev/mmcblk0


Hard disk: 114473 MB /dev/nvme0n1
USB Flash: 58991 MB
Network Card chipset: FortiASIC NP7LITE Adapter (rev.)
Hardware Board ID: 003

The generation difference is reflected in the Hardware Board ID (002 for Generation 1, 003 for Generation 2).
In this example, the WAN interfaces of the Generation 1 FortiGate 91G are wan1 and wan2, whereas on the
Generation 2 FortiGate 91G they are x1 and x2. Because the interface names differ, HA cannot be formed between
Generation 1 and Generation 2 devices.


RADIUS vulnerability

Fortinet has resolved a RADIUS vulnerability described in CVE-2024-3596. As a result, firewall authentication, FortiGate
administrative GUI authentication, and WiFi authentication may be affected depending on the functionality of the
RADIUS server software used in your environment. RFC 3579 contains information on the affected RADIUS attribute,
message-authenticator.
In order to protect against the RADIUS vulnerability described in CVE-2024-3596, as a RADIUS client, FortiGate will:
1. Force the validation of message-authenticator.
2. Reject RADIUS responses with unrecognized proxy-state attribute.

Message-authenticator checking is made mandatory under UDP/TCP. It is not mandatory when using TLS. Therefore, if
FortiGate is using UDP/TCP mode without RADSEC, the RADIUS server should be patched to ensure the message-
authenticator attribute is used in its RADIUS messages.

Affected Product Integration

• FortiAuthenticator version 6.6.1 and older
• Third party RADIUS server that does not support sending the message-authenticator attribute

Solution

• Upgrade FortiAuthenticator to version 6.6.2, 6.5.6 or 6.4.10 and follow the upgrade instructions:
https://docs.fortinet.com/document/fortiauthenticator/6.6.2/release-notes/859240/upgrade-instructions
• Upgrade the RADIUS server and/or enable it to send the correct message-authenticator attribute
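The two client-side checks described in this notice and in the earlier RADIUS vulnerability notice on page 12 (mandatory Message-Authenticator validation and rejection of unrecognized Proxy-State attributes) are worth seeing in code, because the order and strictness of the checks is what makes them effective against CVE-2024-3596. The following Python model is an added example, not FortiOS or FortiAuthenticator code. The shared secret, packets and attribute values are constructed in memory, and the MD5-collision step of the attack is emulated by recomputing the Response Authenticator with the secret, which a real attacker cannot do; only the outcome (a flipped code whose Response Authenticator still verifies) is what matters for the demonstration.

```python
"""Client-side RADIUS response checks per RFC 2865/2869 (Message-Authenticator,
Proxy-State). Illustrative code, not FortiOS source; all packets and the shared
secret are constructed in memory."""
import hashlib
import hmac
import os
import struct

ACCESS_ACCEPT, ACCESS_REJECT = 2, 3
ATTR_USER_NAME, ATTR_PROXY_STATE, ATTR_MESSAGE_AUTHENTICATOR = 1, 33, 80
HEADER = struct.Struct("!BBH16s")  # code, identifier, length, authenticator


def build_attrs(attrs):
    """Encode (type, value) pairs as RADIUS TLVs: 1-byte type, 1-byte length."""
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute too long")
        out += bytes([t, len(v) + 2]) + v
    return out


def parse_attrs(blob):
    """Decode TLVs, refusing truncated or under-length attributes."""
    attrs, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob) or blob[i + 1] < 2 or i + blob[i + 1] > len(blob):
            raise ValueError("malformed attribute")
        attrs.append((blob[i], blob[i + 2:i + blob[i + 1]]))
        i += blob[i + 1]
    return attrs


def response_authenticator(code, ident, length, request_auth, body, secret):
    """RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(struct.pack("!BBH", code, ident, length) + request_auth + body + secret).digest()


def message_authenticator(code, ident, request_auth, attrs, secret):
    """RFC 2869 5.14: HMAC-MD5 over the packet with the Message-Authenticator value
    zeroed; for responses the authenticator field holds the Request Authenticator."""
    zeroed = build_attrs([(t, b"\x00" * 16 if t == ATTR_MESSAGE_AUTHENTICATOR else v) for t, v in attrs])
    return hmac.new(secret, HEADER.pack(code, ident, HEADER.size + len(zeroed), request_auth) + zeroed, hashlib.md5).digest()


def sign_response(code, ident, request_auth, attrs, secret, with_ma=True):
    """Server side: add Message-Authenticator (unless legacy), then the Response Authenticator."""
    attrs = list(attrs)
    if with_ma:
        attrs.append((ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16))
        attrs[-1] = (ATTR_MESSAGE_AUTHENTICATOR, message_authenticator(code, ident, request_auth, attrs, secret))
    body = build_attrs(attrs)
    length = HEADER.size + len(body)
    return HEADER.pack(code, ident, length, response_authenticator(code, ident, length, request_auth, body, secret)) + body


def validate_response(packet, request_auth, sent_proxy_states, secret):
    """Client side. Returns (accepted, reason). Message-Authenticator is mandatory, as the
    notes describe for UDP/TCP, and Proxy-State must echo exactly what we sent."""
    if len(packet) < HEADER.size:
        return False, "short packet"
    code, ident, length, resp_auth = HEADER.unpack_from(packet)
    body = packet[HEADER.size:]
    if length != len(packet):
        return False, "length mismatch"
    if not hmac.compare_digest(resp_auth, response_authenticator(code, ident, length, request_auth, body, secret)):
        return False, "bad Response Authenticator"
    try:
        attrs = parse_attrs(body)
    except ValueError as e:
        return False, str(e)
    mas = [v for t, v in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if len(mas) != 1 or len(mas[0]) != 16:
        return False, "missing Message-Authenticator"
    if not hmac.compare_digest(mas[0], message_authenticator(code, ident, request_auth, attrs, secret)):
        return False, "bad Message-Authenticator"
    if [v for t, v in attrs if t == ATTR_PROXY_STATE] != list(sent_proxy_states):
        return False, "unrecognized Proxy-State"
    return code == ACCESS_ACCEPT, "ok" if code == ACCESS_ACCEPT else "access rejected"


def demo():
    secret = b"constructed-shared-secret"  # constructed sample value, not a deployment secret
    req_auth, ident, proxy = os.urandom(16), 7, [b"nas-state-1"]
    base = [(ATTR_USER_NAME, b"alice"), (ATTR_PROXY_STATE, proxy[0])]
    good = sign_response(ACCESS_ACCEPT, ident, req_auth, base, secret)
    legacy = sign_response(ACCESS_ACCEPT, ident, req_auth, base, secret, with_ma=False)
    # Simulated CVE-2024-3596 outcome: a Reject flipped to Accept whose Response
    # Authenticator still verifies. The collision is emulated by recomputing it with
    # the secret (which a real attacker cannot do); only the MA check remains.
    reject = sign_response(ACCESS_REJECT, ident, req_auth, [(ATTR_PROXY_STATE, proxy[0])], secret)
    body = reject[HEADER.size:]
    flipped = HEADER.pack(ACCESS_ACCEPT, ident, len(reject), response_authenticator(ACCESS_ACCEPT, ident, len(reject), req_auth, body, secret)) + body
    injected = sign_response(ACCESS_ACCEPT, ident, req_auth, base + [(ATTR_PROXY_STATE, b"not-ours")], secret)
    return {name: validate_response(p, req_auth, proxy, secret)
            for name, p in [("good", good), ("legacy", legacy), ("flipped", flipped), ("injected", injected)]}
```

demo() returns one verdict per scenario: the correctly signed Access-Accept passes; the legacy server's Accept without a Message-Authenticator is refused outright, which is exactly the break with older FortiAuthenticator and third-party servers that this notice warns about; the flipped Reject survives the Response Authenticator check but fails the HMAC; and the Accept carrying a Proxy-State the client never sent is refused even though both authenticators verify. Over RADSEC the TLS record layer already authenticates the whole response, which is why the notes say the attribute is not mandatory there.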

Changes in CLI

Bug ID Description

913040 The config vpn ssl settings option tunnel-addr-assigned-method is now available
again in the FortiGate 6000 and 7000 CLI. This option had been removed in a previous release
because setting this option to first-available and configuring multiple IP pools was found to
reduce FortiGate 6000 and 7000 SSL VPN load balancing performance. However, some users may
want the ability to use multiple IP pools for their SSL VPN configuration, even if performance is
reduced. So the change has been reverted.

921914 The URL to verify authentication has been removed from config user saml and replaced by
config user external-identity-provider.
7.2.7 and earlier:
config user saml
edit <name>
set auth-url <string>
next
end

7.2.8 and later:


config user external-identity-provider
edit <name>
set type ms-graph
set version v1.0
next
end

After the external identity provider is set, make sure that the existing user group has both the SAML
server and the external identity provider as members:
config user group
edit <group>
set member <saml server> <id provider>
next
end

Changes in GUI behavior

Bug ID Description

1043593 On the Network > Diagnostics > Packet Capture page, the timeline graph is removed from the
packet viewer.

Changes in default behavior

Bug ID Description

1006011 Starting with version 7.4.4, FMG-Access is no longer enabled by default on all interfaces. In the
event of an upgrade from a previous version, if the central-management type is not set as
FortiManager, the fgfm will be disabled across all interfaces.

Changes in table size

Bug ID Description

823373 Increase the number of VRFs per VDOM from 64 to 252.

New features or enhancements

More detailed information is available in the New Features Guide.

Feature ID Description

913213 When authenticating users with a RADIUS server, FortiOS can now dynamically assign a different
NAS-IP-Address attribute to the managed switches. For more control, this feature also allows you to
manually override the dynamic assignment and set the NAS-IP-Address attribute for individual
switches as per your requirements.

936747 On FortiGates with multiple NP7 processors with hyperscale enabled, you can use the following
command to optimize NP7 network session setup (NSS) engine performance.
config system npu
set nss-threads-option {4T-EIF | 4T-NOEIF | 2T}
end

• 4T-EIF: the NSS is configured with four threads and the Endpoint Independent Filtering (EIF) feature is allowed (the default). NSS with four threads supports the maximum NP7 Connections Per Second (CPS) performance.
• 4T-NOEIF: the NSS is configured with four threads and the EIF feature is not allowed. Also supports the maximum NP7 CPS performance.
• 2T: the NSS is configured with two threads and the EIF feature is allowed. This setting reduces the maximum NP7 CPS performance.

Changing the nss-threads-option causes the FortiGate to restart.

955835 Previously, when auto-upgrade was disabled, users would receive a warning advising them to
execute exec federated-upgrade cancel in order to remove any scheduled upgrades.
However, with the new update, the system is now capable of autonomously canceling any pending
upgrades, eliminating the need for manual user action.

973573 You can now specify a tagged VLAN for users to be assigned to when the authentication server is
unavailable. Previously, you could only specify an untagged VLAN. This feature is available with
802.1x MAC-based authentication. It is compatible with both Extensible Authentication Protocol
(EAP) and MAC authentication bypass (MAB).

1006448 Enhance SSL VPN security by restricting and validating HTTP messages that are used only by web
mode and tunnel mode.

1007937 Support the Zstandard (zstd) compression algorithm for web content. This enhancement enables
FortiOS to decode, scan, and forward zstd-encoded web content in a proxy-based policy. The
content can then be passed or blocked based on the UTM profile settings. This ensures a seamless
and secure browsing experience.


1012626 In this enhancement, a hash of every executable binary file and shared library is taken at image build
time. The file containing these hashes, called the executable hash, is itself hashed and signed. The signature
is verified during bootup to ensure the integrity of the file. After validation, the hashes of all executables
and shared libraries can be loaded into memory for real-time protection.

1013511 This enhancement requires the kernel to verify the signed hashes of important file-system and object
files during bootup. This prevents file systems with unauthorized changes from being mounted and other
unauthorized objects from being loaded into user space at bootup. If the signed hash verification fails, the
system halts.
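Features 1012626 and 1013511 describe a two-stage integrity chain: a signed manifest of hashes is verified first, and only then is each object checked against the manifest. The following Python model shows that chain and what each stage catches. It is an added example, not FortiOS code; the "binaries" are constructed byte strings written to a temporary directory, and HMAC-SHA256 is used as a stand-in for the vendor's signature (an assumption made to keep the example in the standard library; a real boot chain uses an asymmetric signature so no signing secret exists on the device).

```python
"""Build-time hash manifest and boot-time verification, modelled on the scheme
described for feature IDs 1012626 and 1013511. Illustrative code, not FortiOS
source. HMAC-SHA256 stands in for the vendor's asymmetric signature (assumption)."""
import hashlib
import hmac
import json
import os
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256 so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, rel_paths, signing_key):
    """Build time: hash every executable/library, then sign the canonical manifest."""
    entries = {rel: sha256_file(os.path.join(root, rel)) for rel in sorted(rel_paths)}
    canonical = json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()
    return canonical, hmac.new(signing_key, canonical, hashlib.sha256).digest()


def verify_boot(root, canonical, signature, verify_key):
    """Boot time: verify the manifest signature first, then every listed object.
    Returns (ok, reason); the notes say the real system halts on any failure."""
    if not hmac.compare_digest(signature, hmac.new(verify_key, canonical, hashlib.sha256).digest()):
        return False, "manifest signature invalid"
    for rel, digest in json.loads(canonical).items():
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            return False, f"{rel}: missing"
        if not hmac.compare_digest(sha256_file(path), digest):
            return False, f"{rel}: hash mismatch"
    return True, "ok"


def demo():
    """Clean boot, a patched binary, and a re-hashed manifest signed with the wrong key."""
    vendor_key = b"constructed-vendor-key"      # constructed stand-in for the build signing key
    attacker_key = b"constructed-attacker-key"  # the attacker does not hold the vendor key
    objects = {"bin/init": b"\x7fELF constructed init", "lib/libc.so": b"\x7fELF constructed libc"}
    results = {}
    with tempfile.TemporaryDirectory() as root:
        for rel, data in objects.items():
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        manifest, sig = build_manifest(root, objects, vendor_key)
        results["clean"] = verify_boot(root, manifest, sig, vendor_key)
        with open(os.path.join(root, "bin/init"), "ab") as f:  # post-build modification
            f.write(b"\x90\x90")
        results["patched_binary"] = verify_boot(root, manifest, sig, vendor_key)
        # Attacker re-hashes to match the patched binary but cannot produce a valid signature
        forged, forged_sig = build_manifest(root, objects, attacker_key)
        results["forged_manifest"] = verify_boot(root, forged, forged_sig, vendor_key)
    return results
```

The ordering matters: checking the signature before trusting any hash in the manifest is what makes the second scenario (patch the binary and update the manifest to match) fail at the first step instead of silently passing. Per-file hashing alone, without a signed manifest, only detects accidental corruption.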

Upgrade information

Supported upgrade path information is available on the Fortinet Customer Service & Support site.
Multiple upgrade methods are available for individual FortiGate devices and multiple FortiGate devices in a Fortinet
Security Fabric:

Individual FortiGate devices, manual update: use the procedure in this topic. See also Upgrading individual devices in the FortiOS Administration Guide.

Individual FortiGate devices, automatic update based on FortiGuard upgrade path: see Enabling automatic firmware updates in the FortiOS Administration Guide for details.

Multiple FortiGate devices in a Fortinet Security Fabric, manual, immediate or scheduled update based on FortiGuard upgrade path: see Fortinet Security Fabric upgrade on page 22 and Upgrading Fabric or managed devices in the FortiOS Administration Guide.

To view supported upgrade path information:

1. Go to https://support.fortinet.com.
2. From the Download menu, select Firmware Images.
3. Check that Select Product is FortiGate.
4. Click the Upgrade Path tab and select the following:
   • Current Product
   • Current FortiOS Version
   • Upgrade To FortiOS Version
5. Click Go.

Fortinet Security Fabric upgrade

FortiOS 7.2.10 greatly increases the interoperability with other Fortinet products. This includes:

FortiAnalyzer: 7.2.8
FortiManager: 7.2.8
FortiExtender: 7.4.0 and later
FortiSwitch OS (FortiLink support): 6.4.6 build 0470 or later
FortiAP, FortiAP-S, FortiAP-U, FortiAP-W2: see Strong cryptographic cipher requirements for FortiAP on page 24
FortiClient* EMS: 7.0.3 build 0229 or later
FortiClient* Microsoft Windows: 7.0.3 build 0193 or later
FortiClient* Mac OS X: 7.0.3 build 0131 or later
FortiClient* Linux: 7.0.3 build 0137 or later
FortiClient* iOS: 7.0.2 build 0036 or later
FortiClient* Android: 7.0.2 build 0031 or later
FortiSandbox: 2.3.3 and later for post-transfer scanning; 4.2.0 and later for post-transfer and inline scanning

* If you are using FortiClient only for IPsec VPN or SSL VPN, FortiClient version 6.0 and later are supported.
When upgrading your Security Fabric, devices that manage other devices should be upgraded first.

When using FortiClient with FortiAnalyzer, you should upgrade both to their latest versions.
The versions between the two products should match. For example, if using FortiAnalyzer
7.2.0, use FortiClient 7.2.0.

Upgrade the firmware of each device in the following order. This maintains network connectivity without the need to use
manual steps.
1. FortiAnalyzer
2. FortiManager
3. FortiGate devices
4. Managed FortiExtender devices
5. Managed FortiSwitch devices
6. Managed FortiAP devices
7. FortiClient EMS
8. FortiClient
9. FortiSandbox
10. FortiMail
11. FortiWeb
12. FortiNAC
13. FortiVoice
14. FortiDeceptor
15. FortiAI
16. FortiTester


17. FortiMonitor
18. FortiPolicy

If Security Fabric is enabled, all FortiGate devices in the Fabric must be upgraded to, and be running, FortiOS 7.2.10.

Downgrading to previous firmware versions

Downgrading to previous firmware versions results in configuration loss on all models. Only the following settings are
retained:
• operation mode
• interface IP/management IP
• static route table
• DNS settings
• admin user account
• session helpers
• system access profiles

Firmware image checksums

The MD5 checksums for all Fortinet software and firmware releases are available at the Customer Service & Support
portal, https://support.fortinet.com. After logging in, go to Support > Firmware Image Checksums (in the Downloads
section), enter the image file name including the extension, and click Get Checksum Code.

Strong cryptographic cipher requirements for FortiAP

FortiOS 7.0.0 has removed 3DES and SHA1 from the list of strong cryptographic ciphers. To satisfy the cipher
requirement, current FortiAP models whose names end with letter E or F should be upgraded to the following firmware
versions:
• FortiAP (F models): version 6.4.3 and later
• FortiAP-S and FortiAP-W2 (E models): version 6.2.4, 6.4.1, and later
• FortiAP-U (EV and F models): version 6.0.3 and later
• FortiAP-C (FAP-C24JE): version 5.4.3 and later
If FortiGates running FortiOS 7.0.1 and later need to manage FortiAP models that cannot be upgraded or legacy FortiAP
models whose names end with the letters B, C, CR, or D, administrators can allow those FortiAPs' connections with
weak cipher encryption by using compatibility mode:

config wireless-controller global
    set tunnel-mode compatible
end

FortiGate VM VDOM licenses

FortiGate VMs with one VDOM license (S-series, V-series, FortiFlex) have a maximum of two VDOMs. An
administrative type root VDOM and one traffic type VDOM are allowed in 7.2.0 and later. After upgrading to 7.2.0 or
later, if the VM previously had split-task VDOMs enabled, two VDOMs are kept (the root VDOM is an administrative
type).

VDOM link and policy configuration is lost after upgrading if VDOM and VDOM link have the same name

Affected versions:
- FortiOS 6.4.9 and later
- FortiOS 7.0.6 and later
- FortiOS 7.2.0 and later
When upgrading to one of the affected versions, there is a check within the set vdom-links function that rejects vdom-
links that have the same name as a VDOM. Without the check, the FortiGate will have a kernel panic upon bootup
during the upgrade step.
A workaround is to rename the vdom-links prior to upgrading, so that they are different from the VDOMs.

FortiGate 6000 and 7000 upgrade information

Upgrade FortiGate 6000 firmware from the management board GUI or CLI. Upgrade FortiGate 7000 firmware from the
primary FIM GUI or CLI. The FortiGate 6000 management board and FPCs or the FortiGate 7000 FIMs and FPMs all run
the same firmware image. Upgrading the firmware copies the firmware image to all components, which then install the
new firmware and restart. A FortiGate 6000 or 7000 firmware upgrade can take a few minutes, the amount of time
depending on the hardware and software configuration and whether DP or NP7 processor software is also upgraded.
On a standalone FortiGate 6000 or 7000, or an HA cluster with uninterruptible-upgrade disabled, the firmware
upgrade interrupts traffic because all components upgrade in one step. These firmware upgrades should be done during
a quiet time because traffic can be interrupted for a few minutes during the upgrade process.
Fortinet recommends running a graceful firmware upgrade of a FortiGate 6000 or 7000 FGCP HA cluster by enabling
uninterruptible-upgrade and session-pickup. A graceful firmware upgrade only causes minimal traffic
interruption.

Fortinet recommends that you review the services provided by your FortiGate 6000 or 7000
before a firmware upgrade and then again after the upgrade to make sure that these services
continue to operate normally. For example, you might want to verify that you can successfully
access an important server used by your organization before the upgrade and make sure that
you can still reach the server after the upgrade and performance is comparable. You can also
take a snapshot of key performance indicators (for example, number of sessions, CPU usage,
and memory usage) before the upgrade and verify that you see comparable performance after
the upgrade.

To perform a graceful upgrade of your FortiGate 6000 or 7000 to FortiOS 7.2.10:

1. Use the following command to enable uninterruptible-upgrade to support HA graceful upgrade:
   config system ha
       set uninterruptible-upgrade enable
   end

2. Download the FortiOS 7.2.10 FG-6000F, FG-7000E, or FG-7000F firmware from https://support.fortinet.com.
3. Perform a normal upgrade of your HA cluster using the downloaded firmware image file.
4. When the upgrade is complete, verify that you have installed the correct firmware version.
For example, check the FortiGate dashboard or use the get system status command.
5. Check the Cluster Status dashboard widget or use the diagnose sys confsync status command to confirm
that all components are synchronized and operating normally.

IPS-based and voipd-based VoIP profiles

Starting in FortiOS 7.2.5, the new IPS-based VoIP profile allows flow-based SIP to complement SIP ALG while working
together. There are now two types of VoIP profiles that can be configured:
config voip profile
edit <name>
set feature-set {ips | voipd}
next
end

A voipd-based VoIP profile is handled by the voipd daemon using SIP ALG inspection. This is renamed from proxy in
previous FortiOS versions.
An ips-based VoIP profile is handled by the IPS daemon using flow-based SIP inspection. This is renamed from flow in
previous FortiOS versions.
Both VoIP profile types can be configured at the same time on a firewall policy. For example:
config firewall policy
edit 1
set voip-profile "voip_sip_alg"
set ips-voip-filter "voip_sip_ips"
next
end

Where:

- voip-profile can select a voip-profile with feature-set voipd.
- ips-voip-filter can select a voip-profile with feature-set ips.
The VoIP profile selection within a firewall policy is restored to pre-7.0 behavior. The VoIP profile can be selected
regardless of the inspection mode used in the firewall policy. The new ips-voip-filter setting allows users to select
an IPS-based VoIP profile to apply flow-based SIP inspection, which can work concurrently with SIP ALG.
Upon upgrade, the feature-set setting of the voip profile determines whether the profile applied in the firewall
policy is voip-profile or ips-voip-filter.

Before upgrade:

    config voip profile
        edit "ips_voip_filter"
            set feature-set flow
        next
        edit "sip_alg_profile"
            set feature-set proxy
        next
    end
    config firewall policy
        edit 1
            set voip-profile "ips_voip_filter"
        next
        edit 2
            set voip-profile "sip_alg_profile"
        next
    end

After upgrade:

    config voip profile
        edit "ips_voip_filter"
            set feature-set ips
        next
        edit "sip_alg_profile"
            set feature-set voipd
        next
    end
    config firewall policy
        edit 1
            set ips-voip-filter "ips_voip_filter"
        next
        edit 2
            set voip-profile "sip_alg_profile"
        next
    end

Upgrade error message

The FortiGate console will print a Fail to append CC_trailer.ncfg_remove_signature:error in stat
error message after upgrading from 7.2.4 to 7.2.5 or later. Affected platforms include: FFW-3980E, FFW-VM64, and
FFW-VM64-KVM. A workaround is to run another upgrade to 7.2.5 or later.

BIOS-level signature and file integrity checking during downgrade

When downgrading to a version of FortiOS prior to 6.4.13, 7.0.12, and 7.2.5 that does not support BIOS-level signature
and file integrity check during bootup, the following steps should be taken if the BIOS version of the FortiGate matches
the following versions:
- 6000100 or greater
- 5000100 or greater

To downgrade or upgrade to or from a version that does not support BIOS-level signature and file integrity check during bootup:

1. If the current security level is 2, change the security level to 0. This issue does not affect security level 1 or below.
2. Downgrade to the desired FortiOS firmware version.
3. If upgrading back to 6.4.13, 7.0.12, 7.2.5, 7.4.0, or later, ensure that the security level is set to 0.
4. Upgrade to the desired FortiOS firmware version.
5. Change the security level back to 2.

To verify the BIOS version:

The BIOS version is displayed during bootup:

    Please stand by while rebooting the system.
    Restarting system
    FortiGate-1001F (13:13-05.16.2023)
    Ver:06000100

To verify the security level:

    # get system status
    Version: FortiGate-VM64 v7.4.2,build2571,231219 (GA.F)
    First GA patch build date: 230509
    Security Level: 1

To change the security level:

1. Connect to the console port of the FortiGate.
2. Reboot the FortiGate (execute reboot) and enter the BIOS menu.
3. Press [I] to enter the System Information menu
4. Press [U] to enter the Set security level menu
5. Enter the required security level.
6. Continue to boot the device.
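
The decision in the procedure above, as an added example (not Fortinet tooling): parse the running version and security level out of get system status, classify the running and target versions by whether they carry the BIOS-level integrity check (6.4.13, 7.0.12, 7.2.5, 7.4.0 and later), and emit the downgrade-and-return steps with the security-level changes only when the BIOS version, the security level and the version boundary all require them. The sample status text is the notes' own excerpt with the security level changed to 2; treating the two listed BIOS thresholds as two separate BIOS lines (so 06000099 is not affected) is an assumption.

```python
import re

# First release of each branch that ships BIOS-level signature and file integrity checking.
INTEGRITY_CHECK_SINCE = {(6, 4): (6, 4, 13), (7, 0): (7, 0, 12), (7, 2): (7, 2, 5)}

_VERSION_RE = re.compile(r"^Version: \S+ v(\d+\.\d+\.\d+)", re.M)
_LEVEL_RE = re.compile(r"^Security Level: (\d+)", re.M)


def parse_version(text):
    """'7.2.4' -> (7, 2, 4)"""
    return tuple(int(p) for p in text.split("."))


def fmt(version):
    return ".".join(map(str, version))


def supports_integrity_check(version):
    """True if this FortiOS version performs the BIOS-level check at boot."""
    branch = version[:2]
    if branch in INTEGRITY_CHECK_SINCE:
        return version >= INTEGRITY_CHECK_SINCE[branch]
    return version >= (7, 4, 0)   # 7.4.0 and later; older branches (6.2, 6.0, ...) never had it


def bios_affected(bios_version):
    """The notes list '6000100 or greater' and '5000100 or greater'. Assumption: these are
    per-BIOS-line thresholds, so 06000100 and 05000100 are affected, 06000099 is not."""
    v = int(bios_version)
    return v >= 6000100 or 5000100 <= v < 6000000


def parse_system_status(output):
    """Pull (version tuple, security level) out of `get system status` output."""
    ver, lvl = _VERSION_RE.search(output), _LEVEL_RE.search(output)
    if ver is None or lvl is None:
        raise ValueError("Version or Security Level line not found in get system status output")
    return parse_version(ver.group(1)), int(lvl.group(1))


def round_trip_plan(status_output, bios_version, downgrade_to):
    """Steps to downgrade from the running version to `downgrade_to` and come back.
    The security-level steps appear only when the running version has the check, the
    target does not, the BIOS is an affected version, and the level is currently 2."""
    running, level = parse_system_status(status_output)
    old = parse_version(downgrade_to)
    plain = [f"downgrade to {fmt(old)}", f"upgrade to {fmt(running)}"]
    crossing = supports_integrity_check(running) and not supports_integrity_check(old)
    if not (crossing and bios_affected(bios_version) and level == 2):
        return plain   # security level 1 or below, unaffected BIOS, or no boundary crossed
    return [
        "BIOS menu: set security level 0",
        plain[0],
        "before upgrading back, confirm security level is still 0",
        plain[1],
        "BIOS menu: set security level back to 2",
    ]


# The notes' sample output, with the security level set to 2 for the demo.
SAMPLE_STATUS = """\
Version: FortiGate-VM64 v7.4.2,build2571,231219 (GA.F)
First GA patch build date: 230509
Security Level: 2
"""

if __name__ == "__main__":
    for step in round_trip_plan(SAMPLE_STATUS, "06000100", "7.2.4"):
        print(step)
```

Paste the real get system status output and the Ver: value from the boot banner into round_trip_plan; a two-step plan means the BIOS menu does not need to be touched for that combination.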

FortiOS restricts the automatic firmware upgrades to the FortiGate

Automatic firmware upgrades update the FortiGate and any connected FortiSwitch, FortiAP, and FortiExtender devices.
This caused issues with FortiAPs going into a boot loop due to reboot timing. Starting from FortiOS 7.2.8, a temporary fix
is introduced: restrict the automatic firmware upgrades to the FortiGate only.

GUI firmware upgrade does not follow the recommended upgrade path in previous versions

When performing a firmware upgrade from a 7.2.0 to 7.2.8 release that requires multiple version jumps, the Follow
upgrade path option in the GUI does not respect the recommended upgrade path and instead upgrades the firmware
directly to the final version. This can result in unexpected configuration loss. To upgrade a device in the GUI, upgrade
to each interim version in the upgrade path individually.
For example, when upgrading from 7.0.7 to 7.0.12 the recommended upgrade path is 7.0.7 -> 7.0.9 -> 7.0.11 -> 7.0.12.
To ensure that there is no configuration loss, first upgrade to 7.0.9, then 7.0.11, and then 7.0.12.

FortiGates with ULL ports may experience status down on active ports

After upgrading to FortiOS version 7.2.9, FortiGate platforms with ultra-low-latency (ULL) ports, such as the 600F and
901G models, may experience link status down on active ULL ports if the following conditions are met:
- The ULL port is set to 25G mode
- Forward error correction (FEC) is enabled on the port
- Forward error correction (FEC) is disabled on the connecting switch
This behaviour change is due to a fix in FortiOS 7.2.9 for an issue where the FEC feature was disabled even though it
was enabled in the CLI. This allowed the FortiGate ULL port to still connect to the switch with FEC disabled. After the
fix, FEC is activated on the FortiGate, causing a mismatch with the switch.
Workaround: disable the FEC feature on the FortiGate ULL port to match the connecting switch, or enable the FEC
feature on the switch to match the FortiGate side.
config system interface
edit <ULL port>
set forward-error-correction disable
next
end

SLBC FG-5001E primary blade fails to install image

For FG-5001E in a session-aware load balanced cluster (SLBC), all secondary blades install the image successfully.
However, the primary blade fails, showing a sync timeout error, even with graceful-upgrade disabled.

Product integration and support

The following table lists FortiOS 7.2.10 product integration and support information:

Web browsers
    - Microsoft Edge 114
    - Mozilla Firefox version 113
    - Google Chrome version 114
    Other browser versions have not been tested, but may fully function.
    Other web browsers may function correctly, but are not supported by Fortinet.

Explicit web proxy browser
    - Microsoft Edge 114
    - Mozilla Firefox version 113
    - Google Chrome version 114
    Other browser versions have not been tested, but may fully function.
    Other web browsers may function correctly, but are not supported by Fortinet.

FortiController
    - 5.2.5 and later
    Supported models: FCTL-5103B, FCTL-5903C, FCTL-5913C

Fortinet Single Sign-On (FSSO)
    - 5.0 build 0318 and later (needed for FSSO agent support of OU in group filters)
    - Windows Server 2022 Standard
    - Windows Server 2022 Datacenter
    - Windows Server 2019 Standard
    - Windows Server 2019 Datacenter
    - Windows Server 2019 Core
    - Windows Server 2016 Datacenter
    - Windows Server 2016 Standard
    - Windows Server 2016 Core
    - Windows Server 2012 Standard
    - Windows Server 2012 R2 Standard
    - Windows Server 2012 Core
    - Windows Server 2008 64-bit (requires Microsoft SHA2 support package)
    - Windows Server 2008 R2 64-bit (requires Microsoft SHA2 support package)
    - Windows Server 2008 Core (requires Microsoft SHA2 support package)
    - Novell eDirectory 8.8

AV Engine
    - 6.00301

IPS Engine
    - 7.00342

Virtualization environments

The following table lists hypervisors and recommended versions.

Hypervisor                  Recommended versions
Citrix Hypervisor           - 8.1 Express Edition, Dec 17, 2019
Linux KVM                   - Ubuntu 18.04 LTS
                            - Red Hat Enterprise Linux release 8.4
                            - SUSE Linux Enterprise Server 12 SP3 release 12.3
Microsoft Windows Server    - 2012R2 with Hyper-V role
Windows Hyper-V Server      - 2019
Open source XenServer       - Version 3.4.3
                            - Version 4.1 and later
VMware ESXi                 - Versions 6.5, 6.7, 7.0, and 8.0

Language support

The following table lists language support information.

Language support

Language GUI

English ✔

Chinese (Simplified) ✔

Chinese (Traditional) ✔

French ✔

Japanese ✔

Korean ✔

Portuguese (Brazil) ✔

Spanish ✔

SSL VPN support

SSL VPN web mode

The following table lists the operating systems and web browsers supported by SSL VPN web mode.

Supported operating systems and web browsers

Operating System                            Web Browser
Microsoft Windows 7 SP1 (32-bit & 64-bit)   Mozilla Firefox version 113
                                            Google Chrome version 113
Microsoft Windows 10 (64-bit)               Microsoft Edge
                                            Mozilla Firefox version 113
                                            Google Chrome version 113
Ubuntu 20.04 (64-bit)                       Mozilla Firefox version 113
                                            Google Chrome version 113
macOS Ventura 13                            Apple Safari version 15
                                            Mozilla Firefox version 113
                                            Google Chrome version 113
iOS                                         Apple Safari
                                            Mozilla Firefox
                                            Google Chrome
Android                                     Mozilla Firefox
                                            Google Chrome

Other operating systems and web browsers may function correctly, but are not supported by Fortinet.

Resolved issues

The following issues have been fixed in version 7.2.10. To inquire about a particular bug, please contact Customer
Service & Support.

Proxy

Bug ID Description

912116 Website (li***.cz) is not working in proxy inspection mode with deep inspection and web filter
applied.

SSL VPN

Bug ID Description

893190 FortiGate does not utilize timeout timers correctly for 2FA when SSL VPN is used as a server.

983513 The two-factor-fac-expiry command is not working as expected for remote RADIUS users
with a remote token set in FortiAuthenticator.

1061165 SSL VPN encounters a signal 11 interruption and does not work as expected due to a word-length
heap memory issue.

Switch Controller

Bug ID Description

1032105 FortiGate in an HA configuration goes out of synchronization due to a split-port interface on
FortiSwitch.

System

Bug ID Description

1069554 Upgrading directly from 7.2.4 or earlier versions to 7.2.9, or directly from 7.0.11 or earlier to 7.2.9, is
not supported. Users must upgrade following the recommended upgrade path to avoid system
hanging.

VM

Bug ID Description

1073016 The OCI SDN connector cannot call the API to the Oracle service when an IAM role is enabled.

Common Vulnerabilities and Exposures

Visit https://fortiguard.com/psirt for more information.

Bug ID CVE references

1062139 FortiOS 7.2.10 is no longer vulnerable to the following CVE reference:
- CVE-2024-40591

Known issues

Known issues are organized into the following categories:
- New known issues on page 35
- Existing known issues on page 39
To inquire about a particular bug or report a bug, please contact Customer Service & Support.

New known issues

The following issues have been identified in version 7.2.10.

Explicit Proxy

Bug ID Description

1059899 When setting sec-default-action to accept on an initial explicit web proxy configuration after
a factory reset, incoming traffic does not match the proxy policy and allows all traffic to pass.
Workaround: set sec-default-action to deny first in the CLI and then change the setting to
accept.

Firewall

Bug ID Description

992610 The source interface displays the name of the VDOM and local out traffic displays as forward traffic.

1078662 If an interface on an NP7 platform has the set inbandwidth XXX, set outbandwidth XXX,
and set egress-shaping-profile XX settings, the following issues may occur:
- Fragment packet checksum is incorrect.
- MTU is not honored when sending packets out.
- QTM hangs and blocks traffic when packet size is larger than 6000 bytes.
Workaround:
config system interface
edit xx
unset egress-shaping-profile
next
end

1117165 Leaving the apn field empty in a GTP APN traffic shaping policy means that the policy will not match
any traffic. Consequently, APN traffic shaping can only be applied to specific APNs.
To configure GTP APN traffic shaping:
config gtp apn-shaper
edit <policy-id>
set apn [<apn-name> <apngrp-name> ...]
set rate-limit <limit>
set action {drop | reject}
set back-off-time <time>
next
end

FortiGate 6000 and 7000 platforms

Bug ID Description

1060619 CSF is not working as expected.

1088402 On FortiGate 6K/7K FGSP clusters, the configuration does not synchronize properly with
standalone-config-sync enabled.

GUI

Bug ID Description

989512 When the number of users in the Firewall User monitor exceeds 2000, the search bar, column
filters, and graphs are no longer displayed due to results being lazily loaded.

993890 The Node.JS daemon restarts with a kill ESRCH error on FortiGate after an upgrade.

HA

Bug ID Description

781171 When performing HA upgrade in the GUI, if the secondary unit takes several minutes to bootup, the
GUI may show a misleading error message Image upgrade failed due to premature timeout.
This is just a GUI display issue and the HA upgrade can still complete without issue.

970316 When adding a new vcluster, the link-failure value of the newly added vcluster is not updated,
causing the wrong primary unit to be selected.

1054041 On FortiGates in an HA environment, DHCP clients can not get an IPv4 address from the server
with vcluster.

1062433 SASE FortiGates go out of synchronization after HTTP.Chunk.Length.Invalid was removed
in the new FMWP package.
Workaround: run the diagnose ips global rule reload command on the FortiGates.

Intrusion Prevention

Bug ID Description

1069190 After upgrading to FortiOS version 7.2.9, FortiGate may experience a CPU usage issue due to IPS
engine version 7.00342 when there is a large amount of proxy inspected traffic using the application
control and IPS sensor.
Workaround: downgrade the IPS engine to version 7.00341, or upgrade the device to FortiOS
7.4.6 or later.

IPsec VPN

Bug ID Description

1033154 FortiGate does not unregister the net_device causing the unit to encounter a performance issue.

Proxy

Bug ID Description

1047441 On FortiGate, the WAD process may not work as expected with H2 traffic when creating UTM logs.

Routing

Bug ID Description

1025201 FortiGate encounters a duplication issue in a hub and spoke configuration with set packet-
duplication force enabled on a spoke and set packet-de-duplication enabled on the
hub.

Security Fabric

Bug ID Description

1120652 Fabric topology with two devices on different VDOMs but behind the same router shows wrong
VDOM data on tooltip.
Workaround: Disable device-identification on that interface.

System

Bug ID Description

1078541 The FortiFirewall 2600F model may become stuck after a fresh image burn. Upgrading from a
previous version still works.
Workaround: power cycle the unit.

1121548 Enabling device-identification also collects endpoint information, even though an intermediate
router exists between the FortiGate and the endpoints.
Workaround: Disable device-identification on that interface.

User & Authentication

Bug ID Description

1075627 On the User & Authentication > RADIUS Servers page, the Test Connectivity and Test User
Credentials buttons may incorrectly return a Can't contact RADIUS server error message when
testing against a RADIUS server that requires the message-authentication attribute in the
access request from the FortiGate.
This is a GUI display issue as the actual RADIUS connection does send the message-
authentication attribute.
Workaround: confirm the connection to the RADIUS server using the CLI:
diagnose test authserver radius <server> <method> <user> <password>

1080234 For FortiGate (versions 7.2.10 and 7.4.5 and later) and FortiNAC (versions 9.2.8 and 9.4.6 and
prior) integration, when testing connectivity/user credentials against FortiNAC acting as a
RADIUS server, the FortiGate GUI and CLI return an invalid secret for the server error.
This error is expected when the FortiGate acts as the direct RADIUS client to the FortiNAC RADIUS
server, due to a change in how FortiGate handles the RADIUS protocol in these versions. However, the
end-to-end integration for the clients behind the FortiGate and FortiNAC is not impacted.
Workaround: confirm the connectivity between the end clients and FortiNAC by checking that the
clients can still be authorized against FortiNAC as normal.
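
For the message-authentication attribute in 1075627 above, an added example (not Fortinet code) of what a RADIUS server that requires the attribute actually checks. The client side builds an Access-Request whose Message-Authenticator (RFC 2869 attribute 80) is HMAC-MD5 over the whole packet with that attribute's value zeroed, keyed by the shared secret; the server side recomputes it, and rejects a request that lacks the attribute, has an inconsistent length, or fails the comparison. The shared secret, user name, password and fixed Request Authenticator are constructed test values; the User-Password hiding of RFC 2865 is included only so the packet is well formed.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_MESSAGE_AUTHENTICATOR = 80   # RFC 2869 section 5.14


def _attr(attr_type, value):
    """One RADIUS attribute: Type(1) Length(1, includes these two bytes) Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def _encrypt_password(secret, request_authenticator, password):
    """RFC 2865 section 5.2 User-Password hiding: pad to a 16-byte multiple and XOR each
    block with MD5(secret + previous block), seeded with the Request Authenticator.
    This hides the password; it authenticates nothing, which is what the
    Message-Authenticator is for."""
    pad = 16 if not password else -len(password) % 16
    padded = password + b"\x00" * pad
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return out


def build_access_request(secret, username, password, identifier=0, request_authenticator=None):
    """Client side: Access-Request whose last attribute is a Message-Authenticator computed as
    HMAC-MD5(secret, packet with the attribute value set to 16 zero bytes)."""
    if request_authenticator is None:
        request_authenticator = os.urandom(16)
    attrs = _attr(ATTR_USER_NAME, username)
    attrs += _attr(ATTR_USER_PASSWORD, _encrypt_password(secret, request_authenticator, password))
    attrs += _attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)   # placeholder, replaced below
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_authenticator
    packet = header + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac


def _iter_attrs(packet):
    """Yield (type, offset, value) for each attribute after the 20-byte header."""
    pos = 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute length")
        yield attr_type, pos, packet[pos + 2:pos + length]
        pos += length


def verify_message_authenticator(packet, secret):
    """Server side: False if the attribute is absent (a server that requires it rejects the
    request), if the declared length disagrees with the bytes received, or if the HMAC differs."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    for attr_type, pos, value in _iter_attrs(packet):
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
    return False


def strip_message_authenticator(packet):
    """What a legacy client sends: the same request without the attribute, length fixed up."""
    for attr_type, pos, value in _iter_attrs(packet):
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR:
            stripped = packet[:pos] + packet[pos + 2 + len(value):]
            return stripped[:2] + struct.pack("!H", len(stripped)) + stripped[4:]
    return packet


if __name__ == "__main__":
    secret = b"s3cret"   # constructed test value
    req = build_access_request(secret, b"alice", b"pw", identifier=7)
    print(verify_message_authenticator(req, secret))                               # True
    print(verify_message_authenticator(strip_message_authenticator(req), secret))  # False
```

The last two calls are the two outcomes behind the known issue: the request the FortiGate actually sends carries the attribute and verifies, while a request without it is what a server that requires the attribute turns away.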

VM

Bug ID Description

1094274 FortiGate becomes unresponsive due to an error condition when sending IPv6 traffic.

WiFi Controller

Bug ID Description

1049471 On FortiGate 90G and 120G models, traffic is dropped due to the MAC address of the VAP interface
being updated with the old MAC address when HA is enabled.

Existing known issues

The following issues have been identified in a previous version of FortiOS and remain in FortiOS 7.2.10.

Anti Virus

Bug ID Description

937375 Unable to delete malware threat feeds using the CLI.

Explicit Proxy

Bug ID Description

865828 The internet-service6-custom and internet-service6-custom-group options do not
work with custom IPv6 addresses.

890776 The GUI-explicit-proxy setting on the System > Feature Visibility page is not retained after a
FortiGate reboot or upgrade.

894557 In some cases, the explicit proxy policy list can take a long time to load due to a delay in retrieving
the proxy statistics. This issue does not impact explicit proxy functionality.
Workaround: restart the WAD process, or temporarily disable the WAD debugging process (when
FortiGate reboots, this process will need to be disabled again):
diagnose wad toggle
(use direct connect diagnose)

Firewall

Bug ID Description

985508 When allow-traffic-redirect is enabled, redirect traffic that ingresses and egresses from
the same interface may incorrectly get dropped if the source address of the incoming packet is
different from the FortiGate's interface subnet and there is no firewall policy to allow the matched
traffic.
Workaround: disable allow-traffic-redirect and create a firewall policy to allow traffic to
ingress and egress for the same interface.
config system global
set allow-traffic-redirect disable
end

FortiGate 6000 and 7000 platforms

Bug ID Description

790464 After a failover, ARP entries are removed from all slots when an ARP query of single slot does not
respond.

951135 Graceful upgrade of a FortiGate 6000 or 7000 FGCP HA cluster is not supported when upgrading
from FortiOS 7.0.12 to 7.2.6.
Upgrading the firmware of a FortiGate 6000 or 7000 FGCP HA cluster from 7.0.12 to 7.2.6 should
be done during a maintenance window, since the firmware upgrade process will disrupt traffic for up
to 30 minutes.
Before upgrading the firmware, disable uninterruptible-upgrade, then perform a normal
firmware upgrade. During the upgrade process the FortiGates in the cluster will not allow traffic until
all components (management board and FPCs or FIMs and FPMs) are upgraded and both
FortiGates have restarted. This process can take up to 30 minutes.

951193 SLBC for FortiOS 7.0 and 7.2 uses different FGCP HA heartbeat formats. Because of the different
heartbeat formats, you cannot create an FGCP HA cluster of two FortiGate 6000s or 7000s when
one chassis is running FortiOS 7.0.x and the other is running FortiOS 7.2.x. Instead, to form an
FGCP HA cluster, both chassis must be running FortiOS 7.0.x or 7.2.x.
If two chassis are running different patch releases of FortiOS 7.0 or 7.2 (for example, one chassis is
running 7.2.5 and the other 7.2.6), they can form a cluster. When the cluster is formed, FGCP elects
one chassis to be the primary chassis. The primary chassis synchronizes its firmware to the
secondary chassis. As a result, both chassis will be running the same firmware version.
You can also form a cluster if one chassis is running FortiOS 7.2.x and the other is running 7.4.x.
For best results, both chassis should be running the same firmware version, although as described
above, this is not a requirement.

954881 Image synchronization failure happened after a factory reset on FortiGate 7000E/F.

976521 On FortiGate 6000 models, a CPU usage issue occurs in the node process when navigating a policy
list with a large number (more than 7000) of policies in a VDOM.

994241 On FortiGate 7000F using FGSP and FGCP, when TCP traffic takes an asymmetric path, the TCP
ACK and data packets might be dropped in NP7.

1056894 On the FortiGate 6000 platform, IPv6 VRF routing tables appear under the new and old FPC
primary units when the primary FPC slot is changed.

1070365 FGCP HA session synchronization may stop working as expected on a FortiGate 7000F cluster
managed by FortiManager. This happens if the HA configuration uses management interfaces as
session synchronization interfaces by configuring the session-sync-dev option, for example:
config system ha
set session-sync-dev 1-M1 1-M2
end

The problem occurs when FortiManager updates the configuration of the FortiGate 7000F devices
in the cluster: it incorrectly changes the VDOM of the management interfaces added to the
session-sync-dev command from mgmt-vdom to vsys_ha, and the interfaces stop working as
session sync interfaces.
You can work around the problem by manually changing the vdom of the management interfaces
added to session-sync-dev back to mgmt-vdom and then retrieving the FortiGate configuration from
FortiManager.
config system interface
edit 1-M1
set vdom mgmt-vdom
next
edit 1-M2
set vdom mgmt-vdom
next
end

1103958 Some autoupdate DB versions are not updated properly causing the blades to go out of
synchronization.

GUI

Bug ID Description

853352 On the View/Edit Entries slide-out pane (Policy & Objects > Internet Service Database dialog),
users cannot scroll down to the end if there are over 100000 entries.

974988 FortiGate GUI should not display a license expired notification due to an expired FortiManager
Cloud license if it still has a valid account level FortiManager Cloud license (function is not affected).

999972 Edits that are made to IP Exemptions in IPS Signatures and Filters more than once on the Security
Profiles > Intrusion Prevention page are not saved.

1047963 High Node.js memory usage when building FortiManager in report runner fails when the
FortiManager has a slow connection, is unreachable from the FortiGate (FMG behind NAT), or the
IP address is incorrect.

1055197 On FortiGate G series models with dual WAN links, the Interface Bandwidth widget may show an
incorrect incoming and outgoing bandwidth count where the actual traffic does not match the
display numbers.

1097263 Antivirus and webfilter profiles cannot be selected in a policy in the GUI. Affected platforms: FGT-
30G and FWF-30G.
Workaround: Configure the settings using the CLI.

HA

Bug ID Description

988944 On the Fabric Management page, the HA Secondary lists both primary and secondary FortiGate
units.

998004 When the HA management interface is set to a LAG, it is not synchronized to newly joining secondary
HA devices.

1056138 On FortiGate 120G, and 121G models in an HA cluster, if the ha or mgmt interface is used as the
heartbeat interface, the HA cluster may not synchronize and the GUI HA page may not load.
Workaround: do not use ha or mgmt interface as heartbeat interface.

1072440 On special branch supported FortiGate models in an HA cluster with an empty HA password,
upgrading from a special build GA version (7.0.x) to version 7.2.9 or 7.2.10 GA can cause one of
the members to not upgrade.
Impacted models: see the full list of special branch supported models for FortiOS version 7.0.15.
Workaround: configure a valid HA password for the cluster before the upgrade, or manually
upgrade the member that was impacted.
config system ha
set password <new-password>
end

Note that setting the password will cause an HA cluster re-election to occur.

1084662 FFDB signatures keep flapping on all blades except the master FIM of the primary chassis.

Hyperscale

Bug ID Description

802182 After successfully changing the VLAN ID of an interface from the CLI, an error message similar to
cmdb_txn_cache_data(query=log.npu-server,leve=1) failed may appear.

817562 NPD/LPMD cannot differentiate VRFs and treats all of them as VRF 0.

824071 ECMP does not load balance IPv6 traffic between two routes in a multi-VDOM setup.

843197 Output of diagnose sys npu-session list/list-full does not mention policy route
information.

853258 Packets drop, and different behavior occurs between devices in an HA pair with ECMP next hop.

872146 The diagnose sys npu-session list command shows an incorrect policy ID when traffic is
using an intra-zone policy.

920228 NAT46 NPU sessions are lost and traffic drops when a HA failover occurs.

IPsec VPN

Bug ID Description

944600 CPU usage issues occurred when IPsec VPN traffic was received on the VLAN interface of an NP7
vlink.

1018749 IPsec inserted SA's are not deleted successfully after flushing all tunnels.

Log & Report

Bug ID Description

1001583 On the Log & Report > Forward Traffic page, the GUI is slow and reverts the input when multiple
ports are added to a filter for destination ports.

Proxy

Bug ID Description

910678 CPU usage issue in WAD caused by a high number of devices being detected by the device
detection feature.

REST API

Bug ID Description

1004136 Unable to fetch more than 1000 logs using a REST API GET request.

Routing

Bug ID Description

896090 SD-WAN members can be out-of-sla after some retrieve times.

903444 The diagnose ip rtcache list command is no longer supported in the FortiOS 4.19 kernel.

924693 On the Network > SD-WAN > SD-WAN Rules page, member interfaces that are down are
incorrectly shown as up. The tooltip on the interface shows the correct status.

935297 Probe server aws.amazon.com is listed in SD-WAN default health-check list.
Workarounds:
1. Change aws.amazon.com to another available probe server manually in the default health-check
Default_AWS.
config system sdwan
config health-check
edit Default_AWS
set server <x.x.x.x/fqdn>
next
end
end
2. Remove the whole health-check Default_AWS manually.
config system sdwan
config health-check
delete Default_AWS
end
end

Security Fabric

Bug ID Description

903922 Security Fabric physical and logical topology is slow to load when there are a lot of downstream
devices, including FortiGates, FortiSwitches, FortiAPs, and endpoint device traffic. This is a GUI
only display issue and does not impact operations of downstream devices.

1011833 FortiGate experiences a CPU usage issue in the node process when there are multiple administrator
sessions running simultaneously on the GUI in a Security Fabric with multiple downstream devices.
This may result in slow loading times for multiple GUI pages.
Workaround: Disconnect the other concurrent administrator sessions to avoid overloading the node
process.

1057862 FortiGate models with 2GB of memory that manage many extension devices (FortiSwitches and
FortiAPs) may enter conserve mode due to the Node process experiencing a memory usage issue
over time.
Workaround: Avoid loading Security Fabric widget, Security Rating, and Topology pages.

SSL VPN

Bug ID Description

795381 FortiClient Windows cannot be launched with SSL VPN web portal.

941676 Japanese key input does not work correctly during RDP in SSL VPN web mode.


Switch Controller

Bug ID Description

947351 The FortiSwitch topology is not loading correctly on the GUI.

961142 An interface in FortiLink is flapping with MCLAG with DAC on an OPSFPP-T-05-PAB transceiver.

System

Bug ID Description

782710 Traffic going through a VLAN over VXLAN is not offloaded to NP7.

860460 On a redundant interface, traffic may drop with some NPU-offload enabled policies when the
interface is not initialized properly.

882862 On FortiGate 400F, 600F, 900G, 3200F, and 3700F models, LAG interface members are not
shutting down when the remote end interface (one member in the LAG) is admin down.

901621 On the NP7 platform, setting the interface configuration using set inbandwidth <x> or set
outbandwidth <x> commands stops traffic flow.
Workaround: unset the inbandwidth and outbandwidth in the CLI:
config system interface
edit <port>
unset inbandwidth
unset outbandwidth
next
end

921604 On the FortiGate 601F, the ports (x7) have no cables attached but the link LEDs are green.

983467 FortiGate 60F and 61F models may experience a memory usage issue during a FortiGuard update
due to the ips-helper process. This can cause the FortiGate to go into conserve mode if there is not
enough free memory.
Workaround: Users can disable CP acceleration to reduce the memory usage.
config ips global
set cp-accel-mode none
end

1020921 When configuring an SNMP trusted host that matches the management Admin trusted host subnet,
the GUI may give an incorrect warning that the current SNMP trusted host does not match. This is
purely a GUI display issue and does not impact the actual SNMP traffic.
Workaround: If the trusted host is enabled on all administrative access, make sure the SNMP host
IP is included in at least one of these trusted IP/subnets.

1045866 The node daemon causes a CPU usage and memory usage issue when many interfaces are being
edited or created at once.

1076883 When the top application bandwidth feature is disabled, the GUI process still performs the initial
check for application bandwidth, which may cause FortiCron to experience high CPU usage.

1078119 Traffic is intermittently interrupted on virtual-vlan-switch on Soc5 based platforms when a multicast
or broadcast packet is received.

Upgrade

Bug ID Description

1055486 On the Firmware and Registration page, when performing a Fabric Upgrade using the GUI for the
whole Fabric topology that includes managed FortiAPs and FortiSwitches, the root FortiGate may
use an incorrect recommended image for FortiAP and FortiSwitch due to a parsing issue.
Workaround: initiate the Fabric Upgrade using the CLI.

User & Authentication

Bug ID Description

667150 When a remote LDAP user with Two-factor Authentication enabled and Authentication type
'FortiToken' tries to access the internet through firewall authentication, the web page does not
receive the FortiToken notification or proceed to authenticate the user.
Workaround: click the Continue button on the authentication page after approving the FortiToken
on the mobile device.

1043189 Low-end FortiGate models with 2GB memory may enter conserve mode when processing large
user store data with over 5000 user records, each containing a large amount of IoT vulnerability
data.
For example, the Users and Devices page or a FortiNAC request can trigger the following API call, which
causes the httpsd process to encounter a CPU usage issue and memory usage issue:
GET request /api/v2/monitor/user/device/query

VM

Bug ID Description

899984 If FGTVM was deployed in UEFI boot mode, do not downgrade to any GA version earlier than 7.2.4.

1082197 The FortiGate-VM on VMware ESXi equipped with an Intel E810-XXV network interface card (NIC)
using SFP28 transceivers at 25G speed is unable to pass VLAN traffic when DPDK is enabled.

Web Filter

Bug ID Description

885222 HTTP session is logged as HTTPS in web filter when VIP is used.

WiFi Controller

Bug ID Description

869106 The layer 3 roaming feature may not work when the wireless controller is running multiple cw_acd
processes (when the value of acd-process-count is not zero).

869978 CAPWAP tunnel traffic over tunnel SSID is dropped when offloading is enabled.

873273 The Automatically connect to nearest saved network option does not work as expected when FWF-
60E client-mode local radio loses connection.

941691 Managed FortiSwitch detects multiple MACs using the same IP address.

1001104 Some FortiAP 231F units show join/leave behavior after the FortiGate is upgraded to 7.2.7.

1050915 On the WiFi & Switch Controller > Managed FortiAPs page, when upgrading more than 30 managed
FortiAPs at the same time, the GUI may become slow and unresponsive when selecting the firmware.
Workaround: Upgrade the FortiAPs in smaller batches of up to 20 devices to avoid performance
impacts.

ZTNA

Bug ID Description

819987 SMB drive mapping made through a ZTNA access proxy is inaccessible after rebooting.

Built-in AV Engine

AV Engine 6.00301 is released as the built-in AV Engine. Refer to the AV Engine Release Notes for information.

Built-in IPS Engine

IPS Engine 7.00342 is released as the built-in IPS Engine. Refer to the IPS Engine Release Notes for information.

Limitations

Citrix XenServer limitations

The following limitations apply to Citrix XenServer installations:

- XenTools installation is not supported.
- FortiGate-VM can be imported or deployed in only the following three formats:
  - XVA (recommended)
  - VHD
  - OVF
- The XVA format comes pre-configured with default configurations for VM name, virtual CPU, memory, and virtual
  NIC. Other formats will require manual configuration before the first power-on.

Open source XenServer limitations

When using Ubuntu Linux 11.10, XenServer 4.1.0, and libvirt 0.9.2, import issues may arise when using the
QCOW2 format, in addition to existing HDA issues.

Limitations on HA cluster formation between different FortiGate Rugged 60F and 60F 3G4G models

FortiGate Rugged 60F and 60F 3G4G models have various generations, defined as follows:
- Gen1
- Gen2 = Gen1 + TPM
- Gen3 = Gen2 + Dual DC-input
- Gen4 = Gen3 + GPS antenna
- Gen5 = Gen4 + memory

The following HA clusters can be formed:
- Gen1 and Gen2 can form an HA cluster.
- Gen4 and Gen5 can form an HA cluster.
- Gen1 and Gen2 cannot form an HA cluster with Gen3, Gen4, or Gen5 due to differences in the config system
  vin-alarm command.

www.fortinet.com

Copyright© 2025 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein
may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were
attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance
results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract,
signed by Fortinet’s Chief Legal Officer, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only
the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal
conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change,
modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.