FortiOS 7.4.4 Release Notes

Release Notes

FortiOS 7.4.4

FORTINET DOCUMENT LIBRARY

https://docs.fortinet.com

FORTINET VIDEO LIBRARY

https://video.fortinet.com

FORTINET BLOG

https://blog.fortinet.com

CUSTOMER SERVICE & SUPPORT

https://support.fortinet.com

FORTINET TRAINING & CERTIFICATION PROGRAM

https://www.fortinet.com/training-certification

FORTINET TRAINING INSTITUTE

https://training.fortinet.com

FORTIGUARD LABS

https://www.fortiguard.com

END USER LICENSE AGREEMENT

https://www.fortinet.com/doc/legal/EULA.pdf

FEEDBACK

Email: [email protected]

September 3, 2024

FortiOS 7.4.4 Release Notes

01-743-986078-20240903

TABLEOFCONTENTS

Change Log 6

Introduction and supported models 7

Supported models 7

Special branch supported models 7

FortiGate 6000 and 7000 support 8

Special notices 9

Hyperscale incompatibilities and limitations 9

FortiGate 6000 and 7000 incompatibilities and limitations 9

Remove OCVPN support 9

Remove WTP profiles for older FortiAP models 10

IP pools and VIPs are now considered local addresses 10

Remove support for SHA-1 certificate used for web management interface (GUI) 10

Number of configurable DDNS entries 10

FortiGate models with 2 GB RAM can be a Security Fabric root 11

Admin and super_admin administrators cannot log in after a prof_admin VDOM

administrator restores the VDOM configuration and reboots the FortiGate 11

SMB drive mapping with ZTNA access proxy 11

Remote access with write rights through FortiGate Cloud 12

CLI system permissions 12

Default email server available to registered devices with FortiCare 13

Local out traffic using ECMP routes could use different port or route to server 13

Hyperscale NP7 hardware limitation 13

Changes in CLI 14

Changes in GUI behavior 16

Changes in default behavior 17

Changes in default values 18

Changes in table size 19

New features or enhancements 20

Cloud 20

LAN Edge 20

Log & Report 21

Network 22

Operational Technology 24

Policy & Objects 24

SD-WAN 25

Security Fabric 26

Security Profiles 26

System 27

User & Authentication 28

VPN 28

FortiOS 7.4.4 Release Notes 3

Fortinet Inc.

Upgrade information 29

Fortinet Security Fabric upgrade 29

Downgrading to previous firmware versions 31

Firmware image checksums 31

FortiGate 6000 and 7000 upgrade information 31

IPS-based and voipd-based VoIP profiles 32

GUI firmware upgrade does not respect upgrade path in previous versions 33

FortiOS restricts automatic firmware upgrades to FortiGate only 34

2 GB RAM FortiGate models no longer support FortiOS proxy-related features 34

FortiGate VM memory and upgrade 34

Product integration and support 35

Virtualization environments 36

Language support 36

SSL VPN support 37

SSL VPN web mode 37

FortiExtender modem firmware compatibility 37

Resolved issues 40

Anti Virus 40

Application Control 40

Data Loss Prevention 40

DNS Filter 41

Endpoint Control 41

Explicit Proxy 41

File Filter 42

Firewall 42

FortiGate 6000 and 7000 platforms 43

FortiView 45

GUI 45

HA 46

Hyperscale 47

Intrusion Prevention 48

IPsec VPN 48

Log &Report 49

Proxy 50

RESTAPI 51

Routing 51

Security Fabric 53

SSL VPN 54

Switch Controller 54

System 55

Upgrade 59

User & Authentication 59

VM 60

VoIP 60

FortiOS 7.4.4 Release Notes 4

Fortinet Inc.

Web Filter 60

WiFi Controller 61

ZTNA 61

Common Vulnerabilities and Exposures 61

Known issues 63

Anti Virus 63

Explicit Proxy 63

Firewall 63

FortiGate 6000 and 7000 platforms 64

GUI 64

Hyperscale 65

IPsec VPN 65

Log &Report 65

Proxy 66

Routing 66

Security Fabric 66

SSL VPN 66

Switch Controller 67

System 67

Upgrade 68

User & Authentication 68

VM 68

WiFi Controller 68

ZTNA 69

Built-in AV Engine 70

Built-in IPS Engine 71

Limitations 72

Citrix XenServer limitations 72

Open source XenServer limitations 72

FortiOS 7.4.4 Release Notes 5

Fortinet Inc.

Change Log

Date Change Description

2024-05-15 Initial release.

2024-05-16 Updated 2 GB RAM FortiGate models no longer support FortiOS proxy-related features on page

34 and Resolved issues on page 40.

2024-05-17 Updated Introduction and supported models on page 7.

2024-05-24 Updated Changes in default behavior on page 17, New features or enhancements on page 20,

Resolved issues on page 40, and Known issues on page 63.

2024-05-27 Updated Resolved issues on page 40 and Known issues on page 63.

2024-06-03 Updated Changes in table size on page 19, Resolved issues on page 40, and Known issues on

page 63.

2024-06-10 Updated New features or enhancements on page 20, Resolved issues on page 40, and Known

issues on page 63.

2024-06-18 Updated New features or enhancements on page 20 and Known issues on page 63.

2024-06-19 Added Built-in AV Engine on page 70 and Built-in IPS Engine on page 71.

Updated Resolved issues on page 40.

2024-06-24 Updated New features or enhancements on page 20 and Known issues on page 63.

2024-06-26 Added FortiGate VM memory and upgrade on page 34.

2024-07-02 Updated Resolved issues on page 40 and Known issues on page 63.

2024-07-09 Added Local out traffic using ECMP routes could use different port or route to server on page 13.

Updated New features or enhancements on page 20 and Known issues on page 63.

2024-07-19 Updated Resolved issues on page 40.

2024-07-24 Updated Resolved issues on page 40 and Known issues on page 63.

2024-07-31 Updated Resolved issues on page 40 and Known issues on page 63.

2024-08-15 Updated Virtualization environments on page 36.

2024-08-16 Added Hyperscale NP7 hardware limitation on page 13.

Updated New features or enhancements on page 20, Resolved issues on page 40, and Known

issues on page 63.

2024-08-22 Updated Resolved issues on page 40.

2024-08-23 Updated GUI firmware upgrade does not respect upgrade path in previous versions on page 33.

2024-09-03 Updated Resolved issues on page 40 and Known issues on page 63.

FortiOS 7.4.4 Release Notes 6

Fortinet Inc.

Introduction and supported models

This guide provides release information for FortiOS 7.4.4 build 2662.

For FortiOS documentation, see the Fortinet Document Library.

Supported models

FortiOS 7.4.4 supports the following models.

FortiGate FG-40F, FG-40F-3G4G, FG-60E, FG-60E-DSL, FG-60E-DSLJ, FG-60E-POE, FG-60F, FG-

61E, FG-61F, FG-70F, FG-71F, FG-80E, FG-80E-POE, FG-80F, FG-80F-BP, FG-80F-DSL,

FG-80F-POE, FG-81E, FG-81E-POE, FG-81F, FG-81F-POE, FG-90E, FG-91E, FG-100F,

FG-101F, FG-140E, FG-140E-POE, FG-200E, FG-200F, FG-201E, FG-201F, FG-300E, FG-

301E, FG-400E, FG-400E-BP, FG-401E, FG-400F, FG-401F, FG-500E, FG-501E, FG-600E,

FG-601E, FG-600F, FG-601F, FG-800D, FG-900D, FG-900G, FG-901G, FG-1000D, FG-

1000F, FG-1001F, FG-1100E, FG-1101E, FG-1800F, FG-1801F, FG-2000E, FG-2200E, FG-

2201E, FG-2500E, FG-2600F, FG-2601F, FG-3000D, FG-3000F, FG-3001F, FG-3100D,

FG-3200D, FG-3200F, FG-3201F, FG-3300E, FG-3301E, FG-3400E, FG-3401E, FG-3500F,

FG-3501F, FG-3600E, FG-3601E, FG-3700D, FG-3700F, FG-3701F, FG-3960E, FG-3980E,

FG-4200F, FG-4201F, FG-4400F, FG-4401F, FG-4800F, FG-4801F, FG-5001E,

FG-5001E1, FG-6000F, FG-7000E, FG-7000F

FortiWiFi FWF-40F, FWF-40F-3G4G, FWF-60E, FWF-60E-DSL, FWF-60E-DSLJ, FWF-60F, FWF-

61E, FWF-61F, FWF-80F-2R, FWF-80F-2R-3G4G-DSL, FWF-81F-2R, FWF-81F-2R-3G4G-

DSL, FWF-81F-2R-POE, FWF-81F-2R-3G4G-POE

FortiFirewall FFW-1801F, FFW-2600F, FFW-3001F, FFW-3980E, FFW-4200F, FFW-4400F, FFW-4401F,

FFW-4801F, FFW-VM64, FFW-VM64-KVM

FortiGate VM FG-ARM64-AWS, FG-ARM64-AZURE, FG-ARM64-GCP, FG-ARM64-KVM, FG-ARM64-

OCI, FG-VM64, FG-VM64-ALI, FG-VM64-AWS, FG-VM64-AZURE, FG-VM64-GCP, FG-

VM64-HV, FG-VM64-IBM, FG-VM64-KVM, FG-VM64-OPC, FG-VM64-RAXONDEMAND,

FG-VM64-XEN

Special branch supported models

The following models are released on a special branch of FortiOS 7.4.4. To confirm that you are running the correct

build, run the CLI command get system status and check that the Branch point field shows 2662.

FGR-60F is released on build 6003.

FGR-60F-3G4G is released on build 6003.

FortiOS 7.4.4 Release Notes 7

Fortinet Inc.

Introduction and supported models

FGR-70F is released on build 6003.

FGR-70F-3G4G is released on build 6003.

FortiGate 6000 and 7000 support

FortiOS 7.4.4 supports the following FG-6000F, FG-7000E, and FG-7000F models:

FG-6000F FG-6001F, FG-6300F, FG-6301F, FG-6500F, FG-6501F

FG-7000E FG-7030E, FG-7040E, FG-7060E

FG-7000F FG-7081F, FG-7121F

FortiOS 7.4.4 Release Notes 8

Fortinet Inc.

Special notices

Hyperscale incompatibilities and limitations on page 9

FortiGate 6000 and 7000 incompatibilities and limitations on page 9

Remove OCVPN support on page 9

Remove WTP profiles for older FortiAP models on page 10

IP pools and VIPs are now considered local addresses on page 10

Remove support for SHA-1 certificate used for web management interface (GUI) on page 10

Number of configurable DDNS entries on page 10

FortiGate models with 2 GB RAM can be a Security Fabric root on page 11

Admin and super_admin administrators cannot log in after a prof_admin VDOM administrator restores the VDOM

configuration and reboots the FortiGate on page 11

SMB drive mapping with ZTNA access proxy on page 11

Remote access with write rights through FortiGate Cloud on page 12

CLI system permissions on page 12

Local out traffic using ECMP routes could use different port or route to server on page 13

Hyperscale NP7 hardware limitation on page 13

Hyperscale incompatibilities and limitations

See Hyperscale firewall incompatibilities and limitations in the Hyperscale Firewall Guide for a list of limitations and

incompatibilities with FortiOS 7.4.4 features.

FortiGate 6000 and 7000 incompatibilities and limitations

See the following links for information about FortiGate 6000 and 7000 limitations and incompatibilities with FortiOS 7.4.4

features.

FortiGate 6000 incompatibilities and limitations

FortiGate 7000E incompatibilities and limitations

FortiGate 7000F incompatibilities and limitations

Remove OCVPN support

The IPsec-based OCVPN service has been discontinued and licenses for it can no longer be purchased as of FortiOS

7.4.0. GUI, CLI, and license verification support for OCVPN has been removed from FortiOS. Upon upgrade, all IPsec

phase 1 and phase 2 configurations, firewall policies, and routing configuration previously generated by the OCVPN

FortiOS 7.4.4 Release Notes 9

Fortinet Inc.

Special notices

service will remain. Alternative solutions for OCVPN are the Fabric Overlay Orchestrator in FortiOS 7.2.4 and later, and

the SD-WAN overlay templates in FortiManager 7.2.0 and later.

Remove WTP profiles for older FortiAP models

Support for WTP profiles has been removed for FortiAP B, C, and D series models, and FortiAP-S models in FortiOS

7.4.0 and later. These models can no longer be managed or configured by the FortiGate wireless controller. When one of

these models tries to discover the FortiGate, the FortiGate's event log includes a message that the FortiGate's wireless

controller can not be managed because it is not supported.

IP pools and VIPs are now considered local addresses

In FortiOS 7.4.1 and later, all IP addresses used as IP pools and VIPs are now considered local IP addresses if

responding to ARP requests on these external IP addresses is enabled (set arp-reply enable, by default). For

these cases, the FortiGate is considered a destination for those IP addresses and can receive reply traffic at the

application layer.

Previously in FortiOS 7.4.0, this was not the case. For details on the history of the behavior changes for IP pools and

VIPs, and for issues and their workarounds for the affected FortiOS versions, see Technical Tip: IP pool and virtual IP

behavior changes in FortiOS 6.4, 7.0, 7.2, and 7.4.

Remove support for SHA-1 certificate used for web management

interface (GUI)

In FortiOS 7.4.0 and later, users should use the built-in Fortinet_GUI_Server certificate or SHA-256 and higher

certificates for the web management interface. For example:

config system global

set admin-server-cert Fortinet_GUI_Server

end

Number of configurable DDNS entries

Starting in FortiOS 7.4.0, the number of DDNS entries that can be configured is restricted by table size. The limits are 16,

32, and 64 entries for lentry-level, mid-range, and high-end FortiGate models respectively.

After upgrading to FortiOS 7.4.0 or later, any already configured DDNS entries that exceed the limit for the FortiGate

model in use will be deleted. For example, if a user has 20 DDNS entries before upgrading to 7.4.0 and is using a entry-

level FortiGate model, the last four DDNS entries will be deleted after upgrading.

In such instances where the number of DDNS entries exceeds the supported limit for the FortiGate model in use, users

have the option to upgrade their FortiGate model to one that supports a higher number of DDNS entries.

FortiOS 7.4.4 Release Notes 10

Fortinet Inc.

Special notices

FortiGate models with 2 GB RAM can be a Security Fabric root

A Security Fabric topology is a tree topology consisting of a FortiGate root device and downstream devices within the

mid-tier part of the tree or downstream (leaf) devices at the lowest point of the tree.

As part of improvements to reducing memory usage on FortiGate models with 2 GB RAM, FortiOS 7.4.2 and later can

authorize up to five devices when serving as a Fabric root.

The affected models are the FortiGate 40F, 60E, 60F, 80E, and 90E series devices and their variants.

To confirm if your FortiGate model has 2 GB RAM, enter diagnose hardware sysinfo conserve in the CLI and

check that the total RAM value is below 2000 MB (1000 MB = 1 GB).

Admin and super_admin administrators cannot log in after a prof_

admin VDOM administrator restores the VDOM configuration and

reboots the FortiGate

When a VDOM administrator using the prof_admin profile is used to restore a VDOM configuration and then reboot the

FortiGate, an administrator using the super_admin profile (including the default admin administrator) cannot log in to the

FortiGate.

Therefore, in FortiOS 7.4.1, a prof_admin VDOM administrator should not be used to restore a VDOM configuration

(FortiOS 7.4.2 and later are not affected).

Workarounds:

If a prof_admin VDOM administrator has already been used to restore a VDOM configuration, then do not reboot.

Instead, log in using a super_admin administrator (such as default admin), back up the full configuration, and

restore the full configuration. After the full configuration restore and reboot, super_admin administrators will

continue to have the ability to log into the FortiGate.

After this workaround is done, the FortiGate is still susceptible to the issue if the backup

and restore is performed again by the prof_admin VDOM administrator. A FortiOS

firmware upgrade with this issue resolved will be required to fully resolve this issue.

To recover super_admin access after having restored a VDOM configuration and performing a FortiGate reboot,

power off the device and boot up the FortiGate from the backup partition using console access.

SMB drive mapping with ZTNA access proxy

In FortiOS 7.4.1 and later, SMB drive mapping on a Windows PC made through a ZTNA access proxy becomes

inaccessible after the PC reboots when access proxy with TCP forwarding is configured as FQDN. When configured with

an IP for SMB traffic, same issue is not observed.

FortiOS 7.4.4 Release Notes 11

Fortinet Inc.

Special notices

One way to solve the issue is to enter the credentials into Windows Credential Manager in the form of

domain\username.

Another way to solve the issue is to leverage the KDC proxy to issue a TGT (Kerberos) ticket for the remote user. See

ZTNA access proxy with KDC to access shared drives for more information. This way, there is no reply in Credential

Manager anymore, and the user is authenticated against the DC.

Remote access with write rights through FortiGate Cloud

Remote access with read and write rights through FortiGate Cloud now requires a paid FortiGate Cloud subscription.

The FortiGate can still be accessed in a read-only state with the free tier of FortiGate Cloud. See the FortiGate Cloud

feature comparison for more details: https://docs.fortinet.com/document/fortigate-cloud/23.4.0/administration-

guide/215425/feature-comparison.

CLI system permissions

Starting in FortiOS 7.4.2, the usage of CLI diagnostic commands (cli-diagnose), previously named system-

diagnostics, is disabled by default, with the exception of super_admin profile users. Users can now exercise more

granular control over the CLI commands. See CLI system permissions for more information.

When the user upgrades to FortiOS 7.4.2 or later, the following settings for CLI options will be applied, irrespective of

whether system-diagnostics was enabled or disabled in FortiOS 7.4.1 or earlier.

CLI option Status

cli-diagnose

Disabled

cli-get

Enabled

cli-show

Enabled

cli-exec

Enabled

cli-config

Enabled

To enable permission to run CLI diagnostic commands after upgrading:

config system accprofile

edit <name>

set cli-diagnose enable

end

Many diagnostic commands have privileged access. As a result, using them could

unintentionally grant unexpected access or cause serious problems, so understanding the

risks involved is crucial.

FortiOS 7.4.4 Release Notes 12

Fortinet Inc.

Special notices

Default email server available to registered devices with FortiCare

Starting with FortiOS7.4.4, the default email server has been switched from notification.fortinet.net to fortinet-

notifications.com. This default server is only available to registered devices with an active FortiCare support contract.

The reply-to field in the source email is automatically updated to [email protected] for all servers,

including custom ones.

Local out traffic using ECMP routes could use different port or route

to server

Starting from version 7.4.1, when there is ECMP routes, local out traffic may use different route/port to connect out to

server. For critical traffic which is sensitive to source IP addresses, it is suggested to specify the interface or SD-WAN for

the traffic since FortiOS has implemented interface-select-method command for nearly all local-out traffic.

config system fortiguard

set interface-select-method specify

set interface "wan1"

end

Hyperscale NP7 hardware limitation

Because of an NP7 hardware limitation, for CGN traffic accepted by a hyperscale firewall policy that includes an

overload with port block allocation (overload PBA) IP Pool, only one block is allocated per client. The setting of the

hyperscale firewall policy cgn-resource-quota option is ignored.

Because of this limitation, under certain rare conditions (for example, only a single server side IP address and port are

being used for a large number of sessions), port allocation may fail even if the block usage of the client is less than its

quota. In cases such as this, if the client has traffic towards some other servers or ports, additional port allocation can

become successful. You can also work around this problem by increasing the IP Pool block size (cgn-block-size).

FortiOS 7.4.4 Release Notes 13

Fortinet Inc.

Changes in CLI

Bug ID Description

967017 On a FortiGate with hyperscale firewall enabled, using the tcp-timeout-profile or udp-

timeout-profile options of the config system npu command to create TCP or UDP timer

profiles and then add them to hyperscale firewall policies using the tcp-timeout-pid or udp-

timeout-pid firewall policy options may not work as intended.

In FortiOS 7.4.4 tcp-timeout-profile and udp-timeout-profile are now hidden and

Fortinet recommends using config system global options such as the following to set TCP

and UDP timers:

config system global

set early-tcp-npu-session

set reset-sessionless-tcp

set tcp-halfclose-timer

set tcp-halfopen-timer

set tcp-option

set tcp-rst-timer

set tcp-timewait-timer

set udp-idle-timer

end

If you have used tcp-timeout-pid or udp-timeout-pid to add profiles to hyperscale firewall

policies, this configuration will still work the same after upgrading to FortiOS 7.4.4 and the profiles

that you have added will still be there, but all this configuration will be hidden. To stop using these

TCP timeout profiles you can unset the tcp-timeout-pid or udp-timeout-pid firewall policy

options.

968305 The ssh-xxx-algo commands have been moved from the config system global setting to

the config system ssh-config setting.

7.4.3 and earlier:

config system global

set ssh-enc-algo

set ssh-hsk-algo

set ssh-kex-algo

set ssh-mac-algo

end

7.4.4 and later:

config system ssh-config

set ssh-enc-algo

set ssh-hsk-algo

set ssh-kex-algo

set ssh-mac-algo

end

FortiOS 7.4.4 Release Notes 14

Fortinet Inc.

Changes in CLI

Bug ID Description

976646 The captive portal is now an independent setting and separated from the wireless authentication

methods.

7.4.3 and earlier:

config wireless-controller vap

edit <name>

set security {captive portal | wpa-personal+captive+portal |

wpaonly-personal+captive-portal | wpa2-onlyu-personal+captive-portal}

end

7.4.4 and later:

config wireless-controller vap

edit <name>

set security {open | wpa-personal | wpa2-only-personal | wpa3-sae |

wpa3-sae-transition | owe}

end

Captive portal is disabled when security mode is wpa2-enterprise/wpa3-enterprise/OSEN.

999014 The diagnose sys sdwan service command is now divided into two separate commands for

IPv4 and IPv6.

IPv4:

diagnose sys sdwan service4

IPv6:

diagnose sys sdwan service6

FortiOS 7.4.4 Release Notes 15

Fortinet Inc.

Changes in GUI behavior

Bug ID Description

907058 Improve the visibility of OT vulnerabilities and virtual patching signatures:

Add a Security Profiles > Virtual Patching Signatures page that displays all OT virtual patching

signatures.

In the Assets widget (Dashboard >Assets & Identities), display a tooltip for detected IoT and

OT vulnerabilities when hovering over the Vulnerabilities column.

Add the View IoT/OT Vulnerabilities option per device to drill down and list the IoT and OT

vulnerabilities.

Display the OT Security Service entitlement status and OT package versions in the right-side

gutter of a virtual patching profile page.

915481 Optimize the Policy &Objects pages for loading large datasets. For example, instead of loading an

entire dataset of address objects on the Addresses page or within the address object dialog inside a

firewall policy, data is lazily-loaded. Different types of address objects are loaded separately.

Enhancements include:

Add a tabbed design for firewall object list pages.

Lazily- load the firewall address list and introduce sub-tabs for each type of address object.

Update the Address dialog page.

Update the Policy dialogs and use new address dialogs with a lazy-load selection widget.

954319 On the Policy & Objects > Firewall Policy, Proxy Policy, and ZTNA pages, ZTNA Tag references are

renamed Security Posture Tag.

955294 To reduce the number of clicks to configure a ZTNA server object, the settings to create a new

Server/service mapping are condensed. Real server mappings can be configured directly in the

Service/Server Mapping pane. To display additional real servers or load balancing options in the

GUI, create a second real server first in the CLI.

FortiOS 7.4.4 Release Notes 16

Fortinet Inc.

Changes in default behavior

Bug ID Description

896277 If a DHCP Interface is added as an SD-WAN Member inside an SD-WAN zone, before config

static route on SD-WAN zone, FortiOS by default adds a default route with dhcp interface

distance in the routing table using the gateway IP information retrieved from the DHCP server. This

default route will take precedence over other default routes that have a higher AD.

938115 Enhance the QUIC option by introducing a tri-state selection: bypass, block, or inspect. The default

setting for QUIC is inspect. This enhancement provides more granular control over QUIC traffic.

config firewall ssl-ssh-profile

edit <name>

config https

set quic {inspect | bypass | block}

end

config dot

set quic {inspect | bypass | block}

end

959084 On FortiGate VMs that are using the FortiFlex license, once the expiration date is reached, an

automatic three-day grace period offered by FortiGuard starts. Afterwards, the VM license will

expire, and all firewall functions stop working.

975220 The Gentree Compiler is enabled by default on all NP7 platforms for threat feed support.

1005746 As part of a security enhancement, FortiGate-initiated connections to central management using an

on-premise FortiManager will have the following requirements:

1. When initiating the connection from GUI, administrators must validate and accept the

FortiManager serial number from the FortiManager certificate before a connection is

established.

2. When initiating the connection from CLI, administrators must configure the FortiManager serial

number in central-management before a connection is established.

config system central-management

set type fortimanager

set serial-number <FortiManager Serial Number>

set fmg <ip/domain name>

end

1006011 Starting with 7.4.4, FMG-Access is no longer enabled by default on all interfaces. When upgrading

from a previous version, if the central management type is not set to FortiManager, the FGFM will

be disabled across all interfaces.

FortiOS 7.4.4 Release Notes 17

Fortinet Inc.

Changes in default values

Bug ID Description

1019804 SSL VPN feature visibility is disabled and hidden in factory default, as well as after upgrading from a

previous firmware where SSL VPN is not used. Users will not experience any changes when

upgrading from a previous firmware where SSL VPN is used.

To enable SSL VPN feature visibility, configure in the CLI:

config system settings

set gui-sslvpn enable

end

FortiOS 7.4.4 Release Notes 18

Fortinet Inc.

Changes in table size

Bug ID Description

913153 Increase the number of software switch members from 256 to 1024 per switch interface.

965490 Increase the maximum connection numbers in these FEX lan-extension controllers:

Models 60F to 100: change from 6 to 18 (2 wanext, 16 lanext)

Models 100 to 400: change from 10 to 18 (2 wanext, 16 lanext)

Models 400 to 1000: change from 10 to 34 (2 wanext, 32 lanext)

Models 1000 to 3000: change from 18 to 258 (2 wanext, 256 lanext)

Models 3000 to 7000: change from 34 to 1026 (2 wanext, 1024 lanext)

Models VM2 and VM2V: change from 6 to 18 (2 wanext, 16 lanext)

Models VM4 and VM4V: change from 10 to 34 (2 wanext, 32 lanext)

Models VM8 and VM8V: change from 18 to 258 (2 wanext, 256 lanext)

Models VM16V to VMUL: change from 34 to 1026 (2 wanext, 1024 lanext)

988201 On FortiGate 400F, 401F, 600F and 601F models, increase the number of firewall addresses and

firewall address6 objects from 20000 to 40000.

989627 On FortiGate 260F models, the number of system admins is increased from 300 to 500.

FortiOS 7.4.4 Release Notes 19

Fortinet Inc.

New features or enhancements

More detailed information is available in the New Features Guide.

Cloud

See Public and private cloud in the New Features Guide for more information.

Feature ID Description

979375 FIPS-CC cipher mode is silently enabled when configured using cloud-init for AWS.

995867 FortiGate-VM is officially certified on AliCloud Apsara Stack.

997374 High availability (HA) failover is now supported for IPv6 networks on GCP. The NextHopInstance

route table attribute is used during an HA failover event.

LAN Edge

See LAN Edge in the New Features Guide for more information.

Feature ID Description

919714 Users can now use FortiSwitch event log IDs as triggers for automation stitches. This allows for

automated actions like console alerts, script execution, and email notifications in response to

events, such as switch group modifications or location changes. This boosts automation and

system management efficiency.

947945 FortiOS WiFi controller allows customers to generate MPSK keys using the FortiGuest self-

registration portal. This addition empowers customers to independently create and assign MPSK

keys to their devices, streamlining the process and enhancing security.

952124 Users connected to a WiFi Access Point in a FortiExtender can now access the internet, even when

the FortiGate is in LAN-extension mode. This ensures seamless internet connectivity for WiFi

clients using the FortiGate LAN-extension interface.

975075 The FortiAP K series now supports IEEE 802.11be, also known as Wi-Fi 7, for these models: FAP-

441K, FAP-443K, FAP-241K and FAP-243K. This expands device compatibility, boosts network

performance, and enhances user experience.

975545 Support for Dynamic Access Control List (DACL) on the 802.1x ports of managed switches. This

allows customers to use RADIUS attributes to configure DACLs, enabling traffic control on a per-

user session or per-port basis for switch ports directly connected to user clients.

FortiOS 7.4.4 Release Notes 20

Fortinet Inc.

New features or enhancements

Feature ID Description

976646 FortiOS extends captive portal support to newer wireless authentication methods, such as OWE

and WPA3-SAE varieties. This ensures that users can benefit from the most advanced and secure

authentication methods available.

983561 Enhanced memory optimization in FortiGate-managed FAPs by introducing controls to limit data

from rogue APs, station capabilities, rogue stations, and Bluetooth devices. This prevents rapid

memory increase and enhances CAPWAP stability.

990058 FortiOS supports managing the USB port status on compatible FortiAP models.

conf wireless-controller wtp-profile

edit <name>

set usb-port {enable | disable}

end

997048 FortiOS supports beacon protection, improving Wi-Fi security by protecting beacon frames. This

helps devices connect to legitimate networks, reducing attack risks.

config wireless-controller vap

edit <name>

set beacon-protection {enable | disable}

end

999971 Supports receiving the NAS-Filter-Rule attribute after successful WiFi 802.1X authentication. These

rules can be forwarded to FortiAP to create dynamic Access Control Lists (dACLs) for the WiFi

station, enhancing network access control and security.

1006398 Enhanced device matching logic based on DPP policy priority. Users can utilize the CLI to dictate

the retention duration of matched devices for dynamic port or NAC policies, providing greater

control over device management.

1006607 FortiOS WiFi controllers MPSK feature now includes both WPA2-Personal and WPA3-SAE security

modes. This provides customers with more versatile security options, leveraging the MPSK feature

with the latest WPA3-SAE security mode.

1012115 Support fast failover for FortiExtender. This enhancement ensures that FortiGate can swiftly

recover data sessions in the event of a failover, reducing downtime and enhancing reliability.

Log & Report

See Logging in the New Features Guide for more information.

Feature ID Description

969386 FortiOS now adds an event timestamp and timezone information in the Log package header.

FortiOS 7.4.4 Release Notes 21

Fortinet Inc.

New features or enhancements

Network

See Network in the New Features Guide for more information.

Feature ID Description

652281 Disable all proxy features on FortiGate models with 2 GB of RAM or less by default. Mandatory and

basic mandatory category processes start on 2 GB memory platforms. Proxy dependency and

multiple workers category processes start based on a configuration change on 2 GB memory

platforms.

733258 Support DNS over QUIC (DoQ) and DNS over HTTP3 (DoH3) for transparent and local-in DNS

modes. Connections can be established faster than with DNS over TLS (DoT) or DNS over HTTPS

(DoH). Additionally, the FortiGate is now capable of handling the QUIC/TLS handshake and

performing deep inspection for HTTP3 and QUIC traffic.

888417 Internal Switch Fabric (ISF) Hash Configuration Support for NP7 Platforms. This provides a new

level of flexibility and control to NP7 platform users, allowing them to fine-tune network settings for

optimal performance and security. These NP7 FortiGate models support this feature: FG-1800F,

FG-2600F, FG-3500F, FG-4200F, and FG-4400F.

Use the following command to configure NPU port mapping:

config system npu-post

config port-npu-map

edit <interface-name>

set npu-group <group-name>

end

Use the following command to configure the load balancing algorithm used by the ISF to distribute

traffic received by an interface to the interfaces of the NP7 processors in your FortiGate:

config system interface

edit <interface>

set sw-algorithm {l2 | l3 | eh | default}

end

962341 Support Radius Vendor-Specific Attributes (VSA) for Captive Portal redirects. This provides a

smoother user experience during Captive Portal redirects, especially in environments where

vendor-specific attributes are heavily used such as corporate networks or public WiFi hotspots.

963570 You can monitor ARP packets for a specific VLAN on a DHCP-snooping trusted port of a managed

FortiSwitch unit and save the VLAN ID, MAC addresses, and IP addresses in the DHCP-snooping

database.

964518 Selective Subnet Assignment is now supported in IPAM. This ensures that the configured IPAM

pool will not utilize any subnets listed in the exclude table, providing more control and flexibility over

the configuration of IPAM pools.

967653 FortiOS allows backup interval customization for DHCP leases during power cycles. This provides

enhanced control and flexibility, ensuring lease preservation during events like outages or reboots.

FortiOS 7.4.4 Release Notes 22

Fortinet Inc.

New features or enhancements

Feature ID Description

config system global

set dhcp-lease-backup-interval < integer >

end

971109 The new dhcp-relay-allow-no-end-option supports DHCP packets without an end option, enhancing

our systems adaptability to diverse network conditions. In the realm of DHCP packets, the end

option signifies the end of valid information in the options field. However, there may be scenarios

where this end option is absent. This enhancement is designed to manage such situations

effectively.

config system interface

edit <interface>

set dhcp-relay-allow-no-end-option {disable |enable}

end

973573 You can now specify a tagged VLAN for users to be assigned to when the authentication server is

unavailable. Previously, you could only specify an untagged VLAN. This feature is available with

802.1x MAC-based authentication. It is compatible with both Extensible Authentication Protocol

(EAP) and MAC authentication bypass (MAB).

976152 FortiOS includes support for source IP anchoring in dial-up IPsec Tunnels. This allows the gateway

to match connections based on the IPv4/IPv6 gateway address parameters, such as the subnet,

address range, or country.

977097 A new CLI option allows users to choose to discard or permit IPv4 SCTP packets with zero

checksums on the NP7 platform.

config system npu

config fp-anomaly

set sctp-csum-err {allow | drop | trap-to-host}

end

978974 Users can upgrade their LTE modem firmware directly from the FortiGuard. This eliminates the

need for manual downloading and uploading and provides users flexibility to schedule the upgrade.

985285 Enhancement to Packet Capture Functionality. This feature adds the capability to store packet

capture criteria, allowing for the re-initiation of packet captures multiple times using the same

parameters such as interface, filters, and more, thereby streamlining packet capture management.

Additionally, this feature incorporates diagnostic commands to list, initiate, terminate, and remove

GUI packet captures, enhancing the level of control users have over their packet capture

operations.

990096 FortiOS allows multiple remote Autonomous Systems (AS) to be assigned to a single BGP neighbor

group using AS path lists. This enhancement offers increased flexibility and efficiency in managing

BGP configurations, especially in intricate network environments.

FortiOS 7.4.4 Release Notes 23

Fortinet Inc.

New features or enhancements

Operational Technology

See Operational Technology in the New Features Guide for more information.

Feature ID Description

952000 Support for Modbus Serial to Modbus TCP has been added. All FortiGate rugged models equipped

with a Serial RS-232 (DB9/ RJ45) interface can perform real-time monitoring, control, and

coordination across your network. Industrial automation users can now transfer Modbus data more

efficiently, reducing the need for extra devices and streamlining operations.

972541 Support for IEC 60870-5-101 Serial to IEC 60870-5-104 TCP/IP transport has been added. All

FortiGate rugged models equipped with a Serial RS-232 (DB9/ RJ45) interface can now perform

telecontrol, teleprotection, and associated telecommunications for electric power systems over

network access.

Policy & Objects

See Policy and objects in the New Features Guide for more information.

Feature ID Description

807549 FortiOS supports NPU offloading for shaping ingress traffic on NP7 and SOC5 models. This

enhances system performance and efficiency, especially when there is a high volume of incoming

traffic. NPU offloading for shaping ingress traffic is not supported by NP6 and SOC4 FortiGate

models.

865786 This feature combines the policy name and ID into a unified Policy column, ensuring the ID and

name are consistently visible. It also introduces the ability to move policies using their ID, simplifying

management when handling large policy tables that may include hundreds of policies.

961309 The src-vip-filter in VIP now allows src-filter to be used as the destination filter for reverse SNAT

rules, in addition to its traditional role in forward DNAT rules. This dual functionality simplifies

bidirectional NAT, enhancing IP address mapping and translation efficiency.

config firewall vip

edit <name>

set src-filter <IP>

set extip <IP>

set mappedip <IP>

set extintf <string>

set nat-source-vip enable

set src-vip-filter enable

end

FortiOS 7.4.4 Release Notes 24

Fortinet Inc.

New features or enhancements

Feature ID Description

966992 FortiOS now supports a configurable interim log for PBA NAT logging. This enables continuous

access to PBA event logs during an ongoing session, providing comprehensive logging throughout

the session's lifespan.

config firewall ippool

edit <name>

set type port-block-allocation

set pba-interim-log <integer>

end

967654 FortiOS allows internet service as source addresses in the local-in policy. This provides more

flexibility and control in managing local traffic, improving network security and efficiency.

977005 FortiOS supports DSCP Marking for Self-generated traffic, enabling the FortiGate to operate as a

fully functional CPE device capable of directly connecting to the provider's network without needing

a CPE router. This enhancement reduces user costs and complexity.

SD-WAN

See SD-WAN in the New Features Guide for more information.

Feature ID Description

987765 Enhancements have been added to improve overall ADVPN 2.0 operation for SD-WAN, including:

The local spoke directly sends a shortcut-query to a remote spoke to trigger a shortcut after

ADVPN 2.0 path management makes a path decision.

ADVPN 2.0 path management can trigger multiple shortcuts for load-balancing SD-WAN

rules.Traffic can be load-balanced over these multiple shortcuts to use as much of the available

WAN bandwidth as possible without wasting idle links if they are healthy. The algorithm to

calculate multiple shortcuts for the load-balancing service considers transport group and in-

SLA status for both local and remote parent overlays.

Spokes can automatically deactivate all shortcuts connecting to the same spoke when user

traffic is not observed for a specified time interval. This is enabled by configuring a shared idle

timeout setting in the IPsec VPN Phase 1 interface settings for the associated overlays.

1016452 To ensure FortiGate spoke traffic remains uninterrupted when configuration is orchestrated from the

SD-WAN Overlay-as-a-Service (OaaS), there is added support for an OaaS agent on the FortiGate.

The OaaS agent communicates with the OaaS controller in FortiCloud, validates and compares

FortiOS configuration, and applies FortiOS configuration to the FortiGate as a transaction when it

has been orchestrated from the OaaS portal.

If any configuration change fails to be applied, the OaaS agent rolls back all configuration changes

that were orchestrated. Secure communication between the OaaS agent and the OaaS controller is

achieved using the FGFM management tunnel. The new CLI command get oaas status

displays the detailed OaaS status.

FortiOS 7.4.4 Release Notes 25

Fortinet Inc.

New features or enhancements

Security Fabric

See Security Fabric in the New Features Guide for more information.

Feature ID Description

789237 FortiOS supports customizing the source IP address and the outgoing interface for communication

with the upstream FortiGate in the Security Fabric.

config system csf

set source-ip <class_ip>

set upstream-interface-select-method {auto | sdwan | specify}

end

943352 Users can apply a FortiVoice tag dynamic address to a NAC policy.

config user nac-policy

edit <name>

set category fortivoice-tag

set fortivoice-tag <string>

end

972642 The external resource entry limit is now global. Additionally, file size restrictions now adjust

according to the device model. This allows for a more flexible and optimized use of resources,

tailored to the specific capabilities and requirements of different device models.

Security Profiles

See Security profiles in the New Features Guide for more information.

Feature ID Description

886575 FortiOS extends Search Engine support to Flow-based Web Filter Profiles. This introduces several

features, including: Safe Search, Restrict YouTube Access, and Restrict Vimeo Access.

937178 FortiOS antivirus supports XLSB, OpenOffice, and RTF files through its CDR feature. This allows

FortiGate to sanitize these files by removing active content, such as hyperlinks and embedded

media, while preserving the text. It also provides an additional tool for network administrators to

protect users from malicious documents.

939342 GUI support for Exact Data Match (EDM) for Data Loss Prevention. This improves the user

experience during configuration and optimizes data management.

968303 Add support to control TLS connections that utilize Encrypted Client Hello (ECH), with options to

block, allow, or force the client to switch to a non-ECH TLS connection by modifying DoH

responses. This increases control and flexibility for managing TLS connections.

FortiOS 7.4.4 Release Notes 26

Fortinet Inc.

New features or enhancements

System

See System in the New Features Guide for more information.

Feature ID Description

480717 Add config system dedicated-mgmt to all FortiGate models with mgmt, mgmt1, and mgmt2

ports.

883606 FortiOS allows customers to enable or disable the INDEX extension, which appends a VDOM or an

interface index in RFC tables.

config system snmp sysinfo

set append-index {enable | disable}

end

925233 Supports the separation of the SSHD host key and administration server certificate. This

improvement introduces support for ECDSA 384 and ECDSA 256, allowing the SSHD to

accommodate the most commonly used host key algorithms.

config system global

set ssh-hostkey-override {enable | disable}

set ssh-hostkey-password <password>

set ssh-hostkey <encrypted_private_key>

end

957562 New feature to control the rate at which NP7 processors generate ICMPv4 and ICMPv6 error

packets to prevent excessive CPU usage. This feature is enabled by default, and you can use the

following options to change the configuration if required for your network conditions:

config system npu

config icmp-error-rate-ctrl

set icmpv4-error-rate-limit {disable | enable}

set icmpv4-error-rate <packets-per-second>

set icmpv4-error-bucket-size <token-bucket-size>

set icmpv6-error-rate-limit {disable | enable}

set icmpv6-error-rate <packets-per-second>

set icmpv6-error-bucket-size <token-bucket-size>

end

971546 GUI support added to control the use of CLI commands in administrator profiles.

1012626 In this enhancement, a hash of all executable binary files and shared libraries are taken during

image build time. The file containing these hashes, called the executable hash, is also hashed and

as a result signed. The signature for this hash is verified during bootup to ensure integrity of the file.

After validation, the hashes of all executable and share libraries can be loaded into memory for real-

time protection.

1013511 This enhancement requires the kernel to verify the signed hashes of important file-system and

object files during bootup. This prevents unauthorized changes to file-systems to be mounted, and

other unauthorized objects to be loaded into user space on boot-up. If the signed hash verification

fails, the system will halt.

FortiOS 7.4.4 Release Notes 27

Fortinet Inc.

New features or enhancements

User & Authentication

See Authentication in the New Features Guide for more information.

Feature ID Description

951626 Support for client certificate validation and EMS tag matching has been added to the explicit proxy

policy, improving user experience and security.

973805 Added support to cache the client certificate as an authentication cookie, eliminating the need for

repeated authentication.

VPN

See IPsec and SSL VPN in the New Features Guide for more information.

Feature ID Description

951763 FortiOS supports a cross-validation mechanism for IPsec VPN, bolstering security and user

authentication. This mechanism cross-checks whether the username provided by the client

matches the identity field specified in the peer certificate. The identity field, which could be an

Othername, RFC822Name, or CN, serves as a unique identifier for the client.

972643 FortiOS supports the TCP Encapsulation of IKE and IPsec packets across multiple vendors. This

cross-vendor interoperability ensures that users can maintain a secure and efficient network, while

also having the flexibility to choose the hardware that aligns best with user requirements.

979375 FIPS-CC cipher mode is silently enabled when configured using cloud-init for AWS.

996136 FortiOS supports session resumptions for IPSec tunnel version 2. This enhances user experience

by maintaining the tunnel in an idle state, allowing for uninterrupted usage even after a client

resumes from sleep or when connectivity is restored after a disruption. It also removes the necessity

for re-authentication when reconnecting, improving efficiency.

1006448 Enhanced SSL VPN security by restricting and validating HTTP messages that are used only by

web mode and tunnel mode.

FortiOS 7.4.4 Release Notes 28

Fortinet Inc.

Upgrade information

Supported upgrade path information is available on the Fortinet Customer Service & Support site.

FortiGate Upgrade option Details

Individual FortiGate devices Manual update Use the procedure in this topic.

See also:

Virtualization environments on page 36

Language support on page 36

SSL VPN support on page 37

FortiExtender modem firmware compatibility on page 37

FortiOS 7.4.4 Release Notes 35

Fortinet Inc.

Product integration and support

Virtualization environments

The following table lists hypervisors and recommended versions.

Hypervisor Recommended versions

Citrix Hypervisor

8.2 Express Edition, CU1

Linux KVM

Ubuntu 22.04.3 LTS

Red Hat Enterprise Linux release 8.4

SUSE Linux Enterprise Server 12 SP3 release 12.3

Microsoft Windows Server

Windows Server 2022

Windows Hyper-V Server

Microsoft Hyper-V Server 2022

Open source XenServer

Version 3.4.3

Version 4.1 and later

VMware ESXi

Versions 6.5, 6.7, 7.0, and 8.0.

Language support

The following table lists language support information.

Language support

Language GUI

English ✔

Chinese (Simplified) ✔

Chinese (Traditional) ✔

French ✔

Japanese ✔

Korean ✔

Portuguese (Brazil) ✔

Spanish ✔

FortiOS 7.4.4 Release Notes 36

Fortinet Inc.

Product integration and support

SSL VPN support

SSL VPN web mode

The following table lists the operating systems and web browsers supported by SSL VPN web mode.

Supported operating systems and web browsers

Operating System Web Browser

Microsoft Windows 7 SP1 (32-bit & 64-bit) Mozilla Firefox version 113

Google Chrome version 112

Microsoft Windows 10 (64-bit) Microsoft Edge

Mozilla Firefox version 113

Google Chrome version 112

Ubuntu 20.04 (64-bit) Mozilla Firefox version 113

Google Chrome version 112

macOSVentura 13.1 Apple Safari version 16

Mozilla Firefox version 103

Google Chrome version 111

iOS Apple Safari

Mozilla Firefox

Google Chrome

Android Mozilla Firefox

Google Chrome

Other operating systems and web browsers may function correctly, but are not supported by Fortinet.

FortiExtender modem firmware compatibility

The following table lists the modem firmware file name and version for each FortiExtender model and its compatible

geographical region.

FortiExtender

model

Modem firmware image

name

Modem firmware file on Support

site

Geographical

region

FEX-101F-AM FEM_EM06A-22-1-1 FEM_EM06A-22.1.1-build0001.out America

FEX-101F-EA

FEM_EM06E-22-01-01 FEM_EM06E-22.1.1-build0001.out EU

FEM_EM06E-22.2.2 FEM_EM06E-22.2.2-build0002.out EU

FortiOS 7.4.4 Release Notes 37

Fortinet Inc.

Product integration and support

FortiExtender

model

Modem firmware image

name

Modem firmware file on Support

site

Geographical

region

FEX-201E

FEM_06-19-0-0-AMEU FEM_06-19.0.0-build0000-AMEU.out America and EU

FEM_06-19-1-0-AMEU FEM_06-19.1.0-build0001-AMEU.out America and EU

FEM_06-22-1-1-AMEU FEM_06-22.1.1-build0001-AMEU.out America and EU

FEM_06-22-1-2-AMEU FEM_06-22.1.2-build0001-AMEU.out America and EU

FEX-201F-AM

FEM_07A-22-1-0-AMERICA

FEM_07A-22.1.0-build0001-

AMERICA.out

America

FEM_07A-22-2-0-AMERICA

FEM_07A-22.2.0-build0002-

AMERICA.out

America

FEX-201F-EA

FEM_07E-22-0-0-WRLD

FEM_07E-22.0.0-build0001-

WRLD.out

World

FEM_07E-22-1-1-WRLD

FEM_07E-22.1.1-build0001-

WRLD.out

World

FEX-202F-AM

FEM_07A-22-1-0-AMERICA

FEM_07A-22.1.0-build0001-

AMERICA.out

America

FEM_07A-22-2-0-AMERICA

FEM_07A-22.2.0-build0002-

AMERICA.out

America

FEX-202F-EA FEM_07E-22-1-1-WRLD

FEM_07E-22.1.1-build0001-

WRLD.out

World

FEX-211E

FEM_12-19-1-0-WRLD FEM_12-19.1.0-build0001-WRLD.out World

FEM_12-19-2-0-WRLD FEM_12-19.2.0-build0002-WRLD.out World

FEM_12-22-1-0-AMEU FEM_12-22.0.0-build0001-AMEU.out America and EU

FEM_12-22-1-1-WRLD FEM_12-22.1.1-build0001-WRLD.out World

FEV-211F_AM

FEM_12_EM7511-22-1-2-

AMERICA

FEM_12_EM7511-22.1.2-build0001-

AMERICA.out

America

FEV-211F FEM_12-22-1-0-AMEU FEM_12-22.1.0-build0001-AMEU.out World

FEX-211F-AM

FEM_12_EM7511-22-1-2-

AMERICA

FEM_12_EM7511-22.1.2-build0001-

AMERICA.out

America

FEX-212F

FEM_12-19-2-0-WRLD FEM_12-19.2.0-build0002-WRLD.out World

FEM_12-22-1-1-WRLD FEM_12-22.1.1-build0001-WRLD.out World

FEX-311F

FEM_EM160-22-02-03 FEM_EM160-22.2.3-build0001.out World

FEM_EM160-22-1-2 FEM_EM160-22.1.2-build0001.out World

FortiOS 7.4.4 Release Notes 38

Fortinet Inc.

Product integration and support

FortiExtender

model

Modem firmware image

name

Modem firmware file on Support

site

Geographical

region

FEX-511F

FEM_RM502Q-21-2-2 FEM_RM502Q-21.2.2-build0003.out World

FEM_RM502Q-22-03-03 FEM_RM502Q-22.3.3-build0004.out World

FEM_RM502Q-22-04-04-AU

FEM_RM502Q-22.4.4-build0005_

AU.out

Australia

FEM_RM502Q-22-1-1 FEM_RM502Q-22.1.1-build0001.out World

FEM_RM502Q-22-2-2 FEM_RM502Q-22.2.2-build0002.out World

The modem firmware can also be uploaded manually by downloading the file from the Fortinet Customer Service &

Support site. The firmware file names are listed in the third column of the table.

To download the modem firmware:

Go to https://support.fortinet.com/Download/FirmwareImages.aspx.

From the Select Product dropdown, select FortiExtender.

Select the Download tab.

Click MODEM-Firmware.

Select the FortiExtender model and image name, then download the firmware file.

FortiOS 7.4.4 Release Notes 39

Fortinet Inc.

Resolved issues

The following issues have been fixed in version 7.4.4. To inquire about a particular bug, please contact Customer

Service & Support.

Anti Virus

Bug ID Description

948197 Large file downloads may intermittently stall when flow-based UTM and SSL deep inspection are

enabled.

977634 FortiOS High Security Alert block page reference URL is incorrect.

977905 An issue in the WAD prevents access to SMB when an AV proxy based profile is included in a

policy.

993785 When logged in as an administrator with Security Fabric access permissions set to none, trying to

create a new antivirus profile on the Security Profiles > Antivirus page shows an error.

Application Control

Bug ID Description

934197 Selected applications will disappear after searching or filtering for other applications in override.

982147 Remote TACACS+ administrators cannot edit application control profiles using the GUI due to

transaction failure.

988029 On FortiGate, when in policy-based mode, the Service of a security policy cannot be changed from

Specify to App Default.

Data Loss Prevention

Bug ID Description

977334 Users cannot download files more than 5MB in size using FPX when SSL deep inspection and DLP

profiles are enabled.

980995 DLP Reference check slide window is empty on Global level.

1007202 An upgrade issue may prevent the upload or download of large files using HTTP2.

FortiOS 7.4.4 Release Notes 40

Fortinet Inc.

Resolved issues

DNS Filter

Bug ID Description

804790 SDNS server latency increases by 15 seconds when a request times out. This increase may give a

perception that this server is unreachable or has a latency value that doesn't reflect real-world

conditions.

875072 The DNS filter prevents web connectivity with NPU acceleration.

1010464 When the DNS filter is enabled with external-ip-blocklist, the IPS Engine remains in D

status for an extended period of time and the DNSsession ends.

Endpoint Control

Bug ID Description

937462 The Assets - FortiClient monitor widget still shows online/register vpn entry even the VPN tunnel is

down.

979811 The ZTNA channel is not cleaned when overwriting old lls entries.

987456 FortiOS experiences a CPU usage issue in the daemon when connecting to an EMS that has a

large amount of EMS tags.

1007809 On FortiGate, anonpages and active(anon) pages frequently use a high amount of memory,

causing FortiGate to enter into conserve mode.

Explicit Proxy

Bug ID Description

775882 The WAD does not function as expected due to a memory allocation issue.

830418 Website content does not load properly when using an explicit proxy.

894557 In some cases, the explicit proxy policy list can take a long time to load due to a delay in retrieving

the proxy statistics. This issue does not impact explicit proxy functionality.

991106 Traffic logs and security events cannot be viewed in the SASE portal caused by the WAD not

functioning as expected.

978473 Explicit proxy policy function issues when matching external-threat feed categories.

980752 Applications on the BOX cannot be started through proxy.

983358 A memory usage issue with the SAML causes FortiGate to enter into conserve mode.

FortiOS 7.4.4 Release Notes 41

Fortinet Inc.

Resolved issues

Bug ID Description

983897 Traffic that should not be matching a policy is incorrectly matching an allow policy or a deny policy.

990643 FortiGate blocks pages when browsing websites though a transparent proxy-redirect policy on

SDWAN.

1001700 If explicit webproxy uses SAML authentication and the PAC file is enabled at the same time, the

browser will report a too many redirects error when trying to visit any websites.

1006362 Debug daemon may be blocked while handling client connection and increases the GUI load time.

1011209 The proxy policy does not work as expected when the session-ttl value is greater than the global

session-ttl value.

File Filter

Bug ID Description

1004198 .exe files in ZIP archives are not blocked by file-filter profiles during CIFS file transfers.

Firewall

Bug ID Description

921658 SD-WAN IPsec egress traffic shaping is not working when traffic offloading is enabled on an NP7

unit.

951422 Unable to download files larger than 30 MB using FortiGate AWS with AV and IPS enabled in proxy

mode.

958311 Firewall address list may show incorrect error for an unresolved FQDN address. This is purely a GUI

display issue; the FQDN address can be resolved by the FortiGate and traffic can be matched.

966466 On an FG-3001F NP7 device, packet loss occurs even on local-in traffic.

969255 On the Policy & Objects > Services page, administrators with firewall read-write permission cannot

delete service entries.

970179 Unrelated route changes will cause the existing session to be marked dirty.

972473 WAD crashes when using load balancing with SSL offloading.

973388 TCP state of a session was not updated properly.

976651 On the Policy & Objects > Firewall Policy page, adding a global threat feed to a policy displays an

error message - Invalid entries - and is not available to select in the Source field.

FortiOS 7.4.4 Release Notes 42

Fortinet Inc.

Resolved issues

Bug ID Description

976713 A Hello Retry Request message is not sent from the FortiGate during an SSL offload by config

firewall ssl-server.

977641 In transparent mode, multicast packets are not forwarded through the bridge and are dropped.

979802 On the Policy & Objects > Firewall Policy page, changing a policy action hides the NAT toggle, IP

pool configuration field, and Security Profiles field in the GUI.

980766 FortiGate drops traffic on unrelated firewall policies when tcp-without-syn is enabled.

981283 NAT64/46 HTTP virtual server does not work as expected in the policy.

981907 Global Search does not return results for a full or partial IP address search.

985057 The set holddown-interval command description in the CLI is incorrect.

985419 On the Policy & Objects > Firewall Policy page, the Log violation traffic checkbox displays as being

unchecked when the policy is configured and reopened for editing. This purely a GUI display issue

and does impact system operation.

985508 When allow-traffic-redirect is enabled, redirect traffic that ingresses and egresses from

the same interface may incorrectly get dropped if the source address of the incoming packet is

different from the FortiGate's interface subnet and there is no firewall policy to allow the matched

traffic.

987397 When creating or editing an entry on the Policy & Objects > Virtual IPs page in the GUI, if a subnet

source filter is added after an IP range source filter in the Optional Filters section, an error message

- Invalid source filter IP address/subnet/range - is shown and the settings cannot be saved.

991961 On the Policy & Objects > Addresses page, address objects are not sorted in alphabetical order for

address group or firewall policies.

996876 Adding IPv6 address group memberships to a policy using FortiGate RESTAPI does not work as

expected.

1008863 SNAT type port-block-allocation does not work as expected in NAT64.

1011438 On the Policy & Objects > Firewall Policy List page, the Interface Pair View does not display policies

alphanumerically and by interface alias.

1012239 When creating a new policy using the GUI in TPmode, NAT is automatically enabled.

1014584 On the Policy & Objects > Firewall Policy page, firewall policies with FQDN show as unresolved in

the table.

FortiGate 6000 and 7000 platforms

Bug ID Description

638799 The DHCPv6 client does not work with vcluster2.

FortiOS 7.4.4 Release Notes 43

Fortinet Inc.

Resolved issues

Bug ID Description

639064 On FortiGate 6000F models, there is no information on FPCs available for traffic matching the

firewall policy with srcaddr-negate enabled.

787604 Transceiver information in unavailable for FPM/FIM2 ports in the GUI.

887946 UTM traffic is blocked by an FGSP configuration with asymmetric routing.

910883 The FortiGate 6000s or 7000s in an FGSP cluster may load balance FTP data sessions to different

FPCs or FPMs. This can cause delays while the affected FortiGate 6000 or 7000 re-installs the

sessions on the correct FPC or FPM.

940541 A permanent MAC address is used instead of an HA virtual MAC address during automation.

946399 On the Policy & Objects > Firewall Policy page, address entries cannot be edited using the Edit

button from the tooltip pop-up window.

973407 FIM installed NPU session causes the SSE to get stuck.

978241 FortiGate does not honor worker port partition when SNATing connections using a fixed port range

IP pool.

983236 Under normal conditions, a FortiGate 6000 or 7000 may generate event log messages due to a

known issue with a feature added to FortiOS 7.2 and 7.4. The feature is designed to create event

log messages for certain DP channel traffic issues but also generates event log messages when the

DP processor detects traffic anomalies that are part of normal traffic processing. This causes the

event log messages to detect false positives that don't affect normal operation.

For example, DP channel 15 RX drop detected! messages can be created when a routine problem

is detected with a packet that would normally cause the DP processor to drop the packet.

Similar discard message may also appear if the DP buffer is full.

994241 On FortiGate 7000F using FGSPand FGCP, when TCP traffic takes an asymmetric path, the TCP

ACK and data packets might be dropped in NP7.

1003879 Incorrect SLBC traffic-related statistics may be displayed on the FortiGate 6000 or FortiGate 7000

GUI (for example, in a dashboard widgets). This can occur if an FPC or FPM is not correctly

registered for statistic collection during startup. This is purely a GUI display issue and does not

impact system operation.

1013046 On FortiGate 6000 and 7000 models, interested traffic cannot trigger the IPsec tunnel.

1025926 After a firmware upgrade, the configuration does not synchronize because the sdn connector

password is unmatched.

1028313 On FortiGate 7000E and 7000F platforms in an HA cluster, FortiGate experiences a split brain

scenario between the primary and secondary units when the primary unit is rebooted.

FortiOS 7.4.4 Release Notes 44

Fortinet Inc.

Resolved issues

FortiView

Bug ID Description

941521 On the Dashboard > FortiView Websites page, the Category filter does not work in the Japanese

GUI.

945448 On the Asset Vulnerability Monitor page, filtering by FortiClient user does not show any results.

1009287 On the Dashboard > FortiView Sessions page, closing a large number of FortiView sessions (+100)

can take longer than expected and result in a CPU usage issue.

GUI

Bug ID Description

848660 Read-only administrator may encounter a Maximum number of monitored interfaces reached error

when viewing an interface bandwidth widget for an interface that does not have the monitor

bandwidth feature enabled.

896008 On wide resolution screens, the GUI-based CLI console widget has text overlap display issues on

very wide screens.

908670 A No language entry found for error message occurs when loading the GUI. This is purely a GUI

display issue and does not impact system function.

931486 Unexpected behavior in httpsd when the user has a lot of FQDN addresses.

957441 On the Firmware & Registration page, the GUI displays a Cannot determine mkey for cmdb source

entry. error message. This is purely a GUI display issue and does not impact system function.

961796 When administrator GUI access (HTTPS) is enabled on SD-WAN member interfaces, the GUI may

not be accessible on the SD-WAN interface due to incorrect routing of the response packet.

961797 In a new page layout, changes made (saves or edits) in the Virtual IP page may produce a warning

pop-up message on the screen.

964386 GUI dashboards show all the IPv6 sessions on every VDOM.

970528 The hsts-max-age is not enforced as set under config system global.

972887 The interface firewall object created automatically is not found by a firewall policy search with IP

address.

974988 FortiGate GUI should not show a license expired notification due to an expired device-level

FortiManager Cloud license if it still has a valid account-level FortiManager Cloud license (function

is not affected).

975403 On the System > Replacement Messages page, the ? is removed from custom replacement

messages.

FortiOS 7.4.4 Release Notes 45

Fortinet Inc.

Resolved issues

Bug ID Description

978716 On the Security Profiles > Inline-CASB page, when a SaaS application is added to a CASB profile,

the option is not grayed out and the SaaS application can be added again.

979508 The Operation Technology category cannot be turned on or off from the GUI. The option to enable

and disable the Operational Technology category on application control profiles when hovering the

mouse over the category name is missing.

981244 On the FortiGate GUI, IPsec or GRE configurations are missing when using set type tunnel.

983422 A GTP profile cannot be applied to policy using the GUI.

994915 The CLI GUI console is disconnected after creating a new VDOM.

996845 When saving a packet capture, the file name saves as a generic file name with no identifiable

information.

998155 The Node.JS restarts and causes a Cannot read properties of undefined (reading

'on') error on FortiGate after an upgrade.

1006079 When changing administrator account settings, the trusthost10 setting is duplicated.

1006868 On the FortiGuard page, when setting a schedule using the Scheduled updates option on the GUI,

the CLI displays the wrong value.

1013455 On the FortiGate GUI, inter-VDOM links are not available for packet capture.

1013866 The category action change is not saved if the category number is the same as the existing entry ID.

Bug ID Description

956577 For SSLVPN users, some endpoint logs are generated on the secondary HA vcluster VDOM.

962491 Some long lasting TCP established sessions expire on the HA secondary unit earlier than on the

primary unit.

962525 In HA mode, FortiGate uses ha-mgmt-interface as the portal for the DNS resolver, even if this

port may not able to reach the DNS server.

962681 In a three member A-P cluster, the dhcp lease list (execute dhcp lease-list) might be empty

on secondary units.

964412 The firewall does not detect that the secondary HA unit has been upgraded and returned to the

cluster.

964427 There is a session count discrepancy when the firewall is configured without NAT.

964828 Enabling HA direct prevents users from changing the interface as the set-interface command

is hidden in the CLI.

FortiOS 7.4.4 Release Notes 46

Fortinet Inc.

Resolved issues

Bug ID Description

970334 The vcluster2 on a Secondary HA unit does not use session-sync-dev to synchronize sessions

to FGSP peer unit.

971075 The last interface belonging to the non-root management VDOM is not visible when accessing the

GUI using the HA management interface.

972163 Under heavy traffic, some sessions are not fully synchronized to the FGCP secondary unit.

972896 No configuration error when restoring a configuration with incorrect config firewall

wildcard-fqdn custom entries, resulting in an HA-unsync status.

974749 TCP/SCTP sessions count mismatch in an HA pair in A-P mode.

976024 VXLAN traffic does not pass through after HA cluster failover.

976160 In a FortiGate HA, the unit periodically produces a warning message for a missing sync file.

985237 Output is missing from the diagnose sys ha vlan-hb-monitor command.

985601 When configuring VDOMs in an HA cluster, the VDOM assigned to the VDOM link in vcluster2

active on the secondary unit is incorrect.

993849 After restoring a VDOM configuration, the HA is not synchronized.

1000001 A secondary HA unit may go into conserve mode when joining an HA cluster if the FortiGate

configuration is large.

1004215 Local out traffic from the primary HA unit uses the wrong interface when SNMP points to the

secondary HAunit.

1007395 When downgrading to a 7.2.x firmware version, an error message displays on the primary HA

device and does not get removed when the device is rebooted.

1013152 After a factory reset, the FortiGate HA cluster may remain out of synchronization between the

primary and secondary units.

Hyperscale

Bug ID Description

961684 When DoS policies are used and the system is under stress conditions, BGP might go down.

967017 TCP or UDP timer profiles configured using config-system npu may not work as intended.

975264 Hyperscale should not support threat feed addresses with the negate option.

976972 New primary can get stuck on failover with HTTPCC sessions.

981918 Hyperscale policy loses the cgn-log-server-grp setting with log mode per-mapping when the

system reboots.

986501 When switching from a hyperscale to regular interface, the FortiGate encounters a kernel

interruption during configuration.

FortiOS 7.4.4 Release Notes 47

Fortinet Inc.

Resolved issues

Bug ID Description

994019 Harpin traffic may not work due to a rare situation caused by a race condition.

1016478 When modifying existing policies with a BOA loaded configuration, NPD is not working as expected.

1024313 The template for the netflow v9 log packets is not included in the configuration.

Intrusion Prevention

Bug ID Description

782966 IPS sensor GUI shows All Attributes in the filter table when IPS filters with default values are

selected in the CLI.

968464 nTurbo passes the wrong ID to the IPS engine when the set vrf value is above 32.

1000223 HTTPS connections to a Virtual IP (VIP) on TCP port 8015 are incorrectly blocked by the firewall,

displaying an IPS block page even when no packet from the outside to TCP port 8015 should reach

the internal VIP address.

1001860 If you create a default IPS filter override with no filters selected, All Attributes cannot show up in the

table.

1008064 The IPS DB is not preserved when upgrading to 7.2.5 or later.

IPsec VPN

Bug ID Description

564920 IPsec VPN fails to connect if ftm-push is configured.

787673 IPsec VPN types are not saved to the configuration when edited using the GUI.

914418 File transfer stops after a while when offloading is enabled.

950012 IPsec traffic may stop for the SOC4 platform due to a rare error condition.

950445 After a third-party router failover, traffic traversing the IPsec tunnel is lost.

965915 After an HA failover, static gateway IPsec routing fails.

966085 IKEv2 authorization with an invalid certificate can cause tunnel status mismatch.

968055 After an upgrade, L2TP/IPsec connections using the RIP protocol do not function as expected.

968080 Shortcut negotiation cannot trigger when traffic flows over an existing shortcut unless auto-

discovery-forwarder is set on the spoke.

968218 When the IPsec tunnel destination MAC address is changed, tunnel traffic may stop.

FortiOS 7.4.4 Release Notes 48

Fortinet Inc.

Resolved issues

Bug ID Description

968376 Changes to the IPsec tunnel type from a static to dialup user on the GUI does not change the actual

configuration.

974648 Editing existing IPsec aggregate members does not update in the bundle list.

977486 On FortiGate, a Tunnel Mode IPsec VPN policy cannot be created using the GUI.

978243 Unable to send all prefixes through FortiClient using dial-up IPsec VPN split tunnel to macOS

devices.

982599 When a NAT port is changed between two static IPsec endpoints, the new port cannot be applied on

the tunnel.

989570 On FortiGate, firewall address groups created using the VPN wizard cannot be edited.

994115 When ASIC offload is enabled and packet size is larger than 1422, FortiGate does not generate an

ICMP Type 3, Code 4 error message.

996625 Unable to create a FortiClient dial-up VPN with certificate authentication because a peer CA

certificate cannot be selected.

998229 Traffic loss is experienced on inter-region ADVPN tunnels after phase 2 rekey.

999619 A peername conflict error occurs when users configure static tunnels and then dynamic tunnels.

There is no conflict when done in the reverse order.

1001602 Using IPSec over back to back EMAC VLAN interfaces does not work as expected with NPU offload

enabled.

1001996 The iked does not function as expected due to a misplaced object being created in the secondary

HA during failover.

1003830 IPsec VPN tunnel phase 2 instability after upgrading to 7.4.2 on the NP6xlite platform.

1007043 Iked may experience an interruption in operation resulting in all VPN tunnels going down.

1009732 If there are more than 2000 dialup IPsec tunnel interfaces used in multiple FGT firewall polices, and

IKE policy update may not able to complete before IKE watchdog timeout.

Log &Report

Bug ID Description

872493 Disk logging files are cached in the kernel, causing high memory usage.

954565 Although there is enough disk space for logging, IPS archive full message is shown.

957130 On the Log & Report > Forward Traffic page, when running version 7.2.3 of FortiGate, log retrieval

speed from FortiAnalyzer is slow.

960661 FortiAnalyzer report is not available to view for the secondary unit in the HA cluster on the Log &

Report > Reports page.

FortiOS 7.4.4 Release Notes 49

Fortinet Inc.

Resolved issues

Bug ID Description

967692 The received traffic counter is not increasing when the traffic is HTTPS with webfilter.

972087 Logs entries are still visible in General System Events after being excluded from the disk logging

filter.

973673 The monitor-failure-retry-period is not working as expected when the log daemon

restarts the next oftp connection after a connection timeout.

978526 The configuration attribute cfgattr="password[*]" does not appear in the log when

password-policy is enabled.

987261 In the webfilter content block UTM log in proxy inspection mode, sentbyte and rcvdbyte are

zero.

993476 FortiGate encounters a CPU usage issue after rebooting with multiple VDOMs configured.

996551 The UTM Log for blocking unknown-content-encoding is shown under the utm-webfilter

when a web filter profile is not applied.

1005171 After upgrading to version 7.0.14, the system event log generates false positives for individual ports

that are not used in any configuration.

1006611 FortiOS may not function as expected when the miglogd application attempts to process logs.

1008626 ReportD does not function as expected when event logs have message fields over 2000 bytes.

Proxy

Bug ID Description

900546 DNS proxy may resolve with an IPv4 address, even when pref-dns-result is set to IPv6, if the

IPv4 response comes first and there is no DNS cache.

915404 Proxyd did not account for all RFC-compliant SMTP pipelining cases.

922093 CPU usage issue in WAD caused by source port exhaustion when using WAN optimization.

926315 A web cache issue on FPX results in an unexpected disruption on FortiOS.

947814 Too many redirects on TWPP after the second KRB keytab is configured.

955990 Captive portal reappears repeatedly in the browser after importing user credentials.

965966 An error condition occurred in WAD due to heavy HTTP video traffic when using a video filter profile

with deep inspection enabled.

979361 After an upgrade, FortiOS encounters an error condition in the application daemon wad caused by

an SSL cache error.

986528 The WAD process is interrupted when trying to build a local rating.

988473 On FortiGate 61E and 81E models, a daemon WAD issue causes high memory usage.

FortiOS 7.4.4 Release Notes 50

Fortinet Inc.

Resolved issues

Bug ID Description

994101 SSL Logs show certificate-probe-failed error when web profile is enabled.

1000653 The proxy policy does not validate IP addresses in the XFF when an HTTP address is sent by AGW.

1003481 FortiGate may not work as expected due to an error condition in the daemon WAD.

1010718 The proxy policy is deleted from the configuration without notification after an upgrade.

1012965 Deep inspection and web filter for an explicit proxy policy do not work if profile-protocol-

options has additional ports for HTTP.

1016970 High memory usage in WAD causes FortiGate to enter into conserve mode.

1020828 An HTTP2 stream issue causes an error condition in the WAD.

RESTAPI

Bug ID Description

964424 REST API GET /ips/sensor/{name} adds extra space to locations, severity, protocol,

os, and application field values.

984499 REST API query /api/v2/monitor/system/ha-peer does not return the primary attribute of

an HA cluster member.

Routing

Bug ID Description

792512 The dashboard Session widget cannot display the correct IPv6 session count per VDOM.

924693 On the Network > SD-WAN > SD-WAN Rules page, member interfaces that are down are

incorrectly shown as up. The tooltip on the interface shows the correct status.

935886 SD-WAN packet duplication feature in force mode suddenly stops duplicating and starts to duplicate

again once the FortiGate is rebooted.

943333 When SD-WAN health-check is configured, the IPv6 interface IP address of shortcut fails to be

pinged.

966681 FortiGate cannot ping an IPv6 loopback address.

969671 GRE tunnel, established over a VLAN that has been created on specific interface types, may

reference non-existent device indexes due to the reloading of VLANs.

974921 When creating or editing a rule on the Network > Routing Objects page, if the weight is set to 0 the

changes are not saved.

FortiOS 7.4.4 Release Notes 51

Fortinet Inc.

Resolved issues

Bug ID Description

977215 SD-WAN health check with state = dead moves between 100% and 0% packet loss while the state

stays the same.

977327 DTLS with SSL VPN not working as expected on multiple ports that are within the same SD-WAN

zone.

977751 BGP advertisement and Route-Reflector advertisement do not advertise additional routes after first

table is announced and encoded.

978204 BFD/BGP dropping when outbandwidth is applied.

978683 The link-down-failover command does not bring the BGP peering down when the IPsec

tunnel is brought down on the peer FortiGate.

983172 After traffic switching, ingress and egress ports do not follow the correct session.

984478 The SD-WAN Rules GUI page keeps loading.

984612 After upgrading from 7.2.5 and 7.2.6, management access and ZTNA Access Proxy do not work

when accessed from external networks

985539 SD-WAN health check logs are not generated for ADVPN shortcuts.

986147 SD-WAN traffic is distributed unexpectedly on different shortcuts when in priority mode.

987360 SDWAN health checks are not deleted after all related references are removed when applied over

ADVPN.

988498 Multicast traffic flow is not functioning as expected when static-join is used.

989012 The ICMP_TIME_EXCEEDED packet does not follow the original ICMP path displays the incorrect

traceroute from the user.

989840 Issue with PIM neighborship over an IPSec tunnel with NP offload.

990211 On the Network > BGP > Neighbor Groups page, an error message is shown under IPv4 Filtering

for routes that are already have in and out routes configured in the GUI.

991995 FortiGate does not remove the BGP community list when using regex.

995264 When using the BGPORF debugging command, received-prefix-filter does not display an

output.

995972 When accessing the ZebOS in chroot, the ospfd does not work as expected.

1000433 The IPv6 route with dynamic gateway enabled cannot be configured after an upgrade and reboot.

1001556 VXLAN does not match SD-WAN rule when a service is specified.

1006703 OSPF logs for neighbor status are not generated when using multiple VRFs.

1009907 The OSPF daemon does not function as expected causing routing to stop working after an HA

cluster failover.

1012895 The set-regexp command does not function as expected in the extcommunity-list.

FortiOS 7.4.4 Release Notes 52

Fortinet Inc.

Resolved issues

Security Fabric

Bug ID Description

789237 Support the use of loopback IP as the source for Security Fabric connections.

941728 Email notifications not working as expected for automation Reboot stitch.

956423 In HA, the primary unit may sometimes show a blank GUI screen.

958429 On the Security Fabric > Automation page, the webhook request header does not contain

Content-type: application/json when using the JSON format. This causes Microsoft

Teams to reject the request.

966740 On the Security Fabric > Security Rating page, the format of the Unused Policies test Last Used

date is incorrect.

967842 Error message Fail to retrieve FortiView data displays when switching from the CSF root summary

page to CSF child summary page.

968585 The automation stitch triggered by the FortiAnalyzer event handler does not work as expected.

968621 Erroneous memory allocation resulting in unexpected behavior in csfd after upgrading.

972921 On the Security Fabric > External Connectors page, the comments are not working as expected in

the threat feed list for the domain threat feed.

984127 FortiGate shows the wrong notification to setup an upstream device that is not a FortiGate to the

Security Fabric.

985198 The IP address threat feed connection status indicates an Other Error.

988526 Address object changes from the CLI of the root FortiGate in Security Fabric are not synchronized

with downstream devices.

990703 In certain scenarios, dynamic addresses managed by the Azure SDN connector may be removed

leading to potential network interruptions.

991462,

993279

When automation stitch is configured with the once schedule, the stitch is not synchronized to the

downstream FortiGates.

994167 An issue with the csfd results in FortiGate being disconnected from the Security Fabric.

1003503 During a full fabric upgrade where a PoE powered device (PD) connected to a Power Sourcing

Equipment (PSE) are upgraded, the upgrade of the PD may be interrupted if the PSE finishes

upgrading first, causing a boot loop on the PD. This behavior is now avoided by performing

upgrades on PDs first before upgrading PSEs and the FortiGate itself.

FortiOS 7.4.4 Release Notes 53

Fortinet Inc.

Resolved issues

SSL VPN

Bug ID Description

821240 Erroneous memory allocation observed in SSLVPNVD caused by a rare error condition.

905050 Intermittent behavior in samld due to an absent crucial parameter in the SP login response may lead

to SSL VPN users experiencing disconnections.

906756 Update SSL VPN host check logic for unsupported OS.

951827 SSL VPN client certificate verification failed after importing the VDOM user peer CA certificate into

the global VDOM.

979000 FortiGate does not execute the radius disconnect request from FortiAuthenticator.

979590 On FortiOS, the OSchecklist for SSLVPN does not include macOS Monterrey 12.7.x for host

check.

981121 When authenticating SSLVPN users on RADIUS with 2-factor authentication, the Framed-IP is not

always assigned as expected.

981310 SSL VPN Web mode experiences intermittent traffic disruption due to the non-standard response of

the users web server.

982705 When editing a security policy, the custom signature is removed from the policy.

987501 On FortiGate, the GRE tunnel stops sending traffic after an upgrade.

993822 After a SAML user is connected to SSLVPN, an incorrect Framed-IP-Address is set in the radius

accounting packet.

999378 When the GUI tries to write a QR code for the SSL VPN configuration to the file system to send in an

email, it tries to write it in a read-only folder.

1001272 The SAML DB Insert does not function as expected and causes a CPU usage issue.

1022439 SAMLD encounters a memory usage issue, preventing successful login attempts on SSL VPN.

Switch Controller

Bug ID Description

899414 On the WiFi & Switch Controller > WiFi maps page Diagnostics and Tools panel, and on the WiFi &

Switch Controller > FortiSwitch Clients page, the status of the LACP interface is incorrectly shown

as down when it is up.

This is a GUI issue that does not affect the operations of the LACP interface. To view the correct

status of the LACP interface, go to the WiFi & Switch Controller > FortiSwitch Ports page, or use the

CLI.

FortiOS 7.4.4 Release Notes 54

Fortinet Inc.

Resolved issues

Bug ID Description

911232 Security rating shows an incorrect warning for unregistered FortiSwitches on the WiFi &Switch

Controller > Managed FortiSwitches.

984404 On the System > Firmware & Registration page, after upgrading the version 7.4.2, the FortiSwitch

shows as not registered in the GUI.

988335 If a user's network has more than 20 MAC addresses in a NAC environment, it is possible for the

CAPWAP to come down.

989015 The SWC switch port does not have all of the speed options compared to FortiSwitch.

991855 The access-mode and storm control policy commands are not visible in FortiGate clusters

causing them to go out of synchronization and does not send updated configurations to the

FortiSwitch.

995518 On the WiFi & Switch Controller > Managed FortiSwitches > Upgrade page, the FortiGuard option is

not available to upgrade when new firmware is available.

1000663 The switch-controller managed-switch ports' configurations are getting removed after each reboot.

System

Bug ID Description

733096 FG-100F HA secondary's unused ports flaps from down to up, then to down.

782710 Traffic going through a VLAN over VXLAN is not offloaded to NP7.

811367 Ports 33-35 constantly show suspect messaging in the transceiver output. Affected platforms: FG-

2600F and FG-2601F.

820268 VIP traffic access to the EMAC VLAN interface uses incorrect MAC address on NP7 platform.

874449 On the NP7 platform, some applications do not work as expected when nTurbo is enabled.

880271 Aggregate interface (LAG) dropping traffic.

880610 On FortiGate, the device enters into conserve mode unexpectedly due to a memory usage issue.

882131 PPPoE interface with SFP does not recover after a connectivity failure.

882187 FortiGate might enter conserve mode if disk logging is enabled and log-traffic all is set in a

policy.

882862 LAG interface members are not shutting down when the remote end interface (one member in the

LAG) is down.

883606 FortiOS allows customers to enable or disable the INDEX extension that appends the VDOM or

interface index in RFC tables.

901721 In a certain edge case, traffic directed towards a VLAN interface could cause a kernel interruption.

906074 On FortiGate, the WWAN connection is not always stable due to a source IP issue with the VZW.

FortiOS 7.4.4 Release Notes 55

Fortinet Inc.

Resolved issues

Bug ID Description

908790 Some LTE modems are not activated automatically and need to be rebooted manually using the CLI

in order to be activated.

910364 CPU usage issue in miglogd caused by constant updates to the ZTNA tags.

912092 FortiGate does not send ARP probe for UDP NP-offloaded sessions.

918574 When cloud-communication under the global setting and include-default-servers under

the central-management setting are disabled in the CLI, FortiGate still directs traffic to the public

server.

920349 Connectivity was lost after creating new VDOM and NPU_VLINK.

921604 On the FortiGate 601F, the ports (x7) have no cables attached but the link LEDs are green.

924143 Logs for failed login attempt lock-duration is not consistent with the configuration.

925554 On the Network > Interfaces page, hardware and software switches show VLAN interfaces as down

instead of up. The actual status of the VLAN interface can be verified using the command line.

929896 Unable to configure a 9600 baud-rate on DNP3-Proxy.

930803 Unable to monitor DSL parameters and the get sys dsl status command shows errors.

932002 Possible infinite loop can cause FortiOS to become unresponsive until the FortiGate goes through a

power cycle.

938449 In the 4.19 kernel, when a neighbor's MAC is changed, the session and IPsec tunnel cannot be

flushed from the NPU.

938475 A memory usage issue occurs when multiple threads try to access VLAN group.

947398 When an EMAC VLAN interface is set up on top of a redundant interface, the kernel may encounter

an error when rebooting.

952284 A FortiGate with 2 GB of memory enters conserve mode when a node uses 20% of the memory.

953140 FG-1801F silently drops forward traffic at the NP7 modules.

954529 The diagnose npu sniffer stop command can lead to a traffic outage.

957135 EMAC VLAN interface uses two MAC addresses when it should only use an internally generated

MAC address.

960643 IP addresses with an expired quarantine period might not be removed from quarantine.

960707 Egress shaping does not work on NP when applied on the WAN interface.

962153 A port that uses a copper-transceiver does not update the link status in real-time.

964465 Administrators with read-write permission for WiFi and read permission for network configuration

cannot create SSIDs on the System > Administrator Profiles page.

964820 Traffic forwarding on Dialup VPN IPSec does not work as expected when npu-offload is

enabled.

966187 Unable to set a static ARP entry on the EMAC VLAN interface.

FortiOS 7.4.4 Release Notes 56

Fortinet Inc.

Resolved issues

Bug ID Description

968134 FortiGate 200F experiences a performance issue due to Marvell switch HOL mode.

968421 IPsec experiences traffic loss when inbound-dscp-copy and npu-offload are enabled on

FFW-4401F.

970053,

1006324

When a different transceiver type is added to FortiGate, the new transceiver information does not

update in the GUI or CLI.

971109 FortiGate does not forward requests for some devices causing VoIP devices to not get IP addresses

on the network.

971404 Session expiration does not get updated for offloaded traffic between a specific host range.

971460 After an upgrade, the daemon ipldbd causes a CPU usage issue on one core.

974740 FortiGate 2600F does not set 10G ports to 100G.

974746 Changing interface settings causes the cluster to reboot and leads to a kernel interruption.

975496 FortiGate 200F experiences slow download and upload speeds when traversing from a 1G to a 10G

interface.

975895 FortiGate locks when Configuration save mode is set to Manual and triggers a reboot.

977231 An error condition occurred in fgfm caused by an out-of-band management configuration.

977688 On FortiGate, the application cmdbsvr operation is interrupted when performing a configuration

backup from the GUI.

977740 Transparent-mode VDOM system switch-interface and Firewall policies deleted after a power cycle.

979957 When a FortiGate is added to FortiManager in backup mode, the ability to enable or disable auto-

firmware-update on FortiGuard does not function as expected. This generates an error indicating

the FortiGate is managed by FortiManager, despite backup mode suggesting otherwise.

981685 On the FortiGate 4400F, high CPU usage by random CPU cores in the system space.

982200 FortiGate enters into conserve mode due to excessive memory usage by Slabs.

982651 Security mode 802.1X authentication happens every hour on a hardware switch with 7.2 code.

983102 FortiGate uses one core causing CPU usage to go to 99%.

984148 The SNMP OID session count for NP6 and NP7 is not displayed.

984696 Network usage is not accurately reported by the get system performance status command.

985928 On FortiGate, the HA Firewall sends STP frames in a software switch when the parameters are

blocked.

985978 On FortiGate, SNMP polling for NPU and related OIDs do not return any values.

986698 The NP7 should use the updated MAC address from the ARP table to forward traffic to the

destination server.

986713 When restoring a FortiGate from a backup configuration, the device enters into system

maintenance mode and is not accessible.

FortiOS 7.4.4 Release Notes 57

Fortinet Inc.

Resolved issues

Bug ID Description

988528 With NGFW mixed traffic, FortiGate experiences a CPU usage issue.

989473 On FortiGate, the device may not work as expected due to a memory usage issue with the cmdbsvr.

989574 The intrazone allow setting does not function as expected if the zone has only one member.

990409 After an upgrade on FortiOS, the kernel operation is interrupted and reboots due to a switch

command issue.

990757 During an upgrade on FortiGate, the device does not continue updating past the Disk usage

changed, please wait for reboot message during reboot.

991925 The EMAC VLAN, with a vlanid over a physical interface and a VIP configuration, has the incorrect

mac address once traffic is offloaded.

995269 On FortiGate, the multicast session walker is rescheduled on the same CPU instead of the next

CPU.

995395 Typo in the set ipv6-allow-local-in-slient-drop command.

996893 On FortiWiFi 81F-2R-3G4G-POE models, GPS service cannot be activated.

1000658 After an integrity check, the dates on the hash files do not match causing a false positive error

message.

1001498 On FortiGate, TCP and UDP traffic cannot pass through with dos-offload enabled.

1001601 A kernel interruption on FortiGate prevents it from rebooting after an upgrade with a specific

configuration.

1002766 FortiGate prevents select interface a as an option for traceroute, ssl, and telnet services.

1003349 CPU usage issue in WAD after upgrading from 7.4.1 to 7.4.3 when using address group member.

1004804 FortiGate running firmware 7.2.7, the device encounters an error condition in the application

daemon.

1006979 FortiGate may encounter a memory usage issue on the flpold process, causing the primary and

secondary units to go out of synchronization.

1007934 FortiGate may experience a memory usage issue with the node daemon once a connection is

closed.

1008049 The I2C bus become stuck during an upgrade due to an error in the switch-config-init

command.

1009853 Outgoing traffic from EMAC-VLAN uses default cos tag when traffic is not offloaded.

1011229 On FortiGate, a slab memory usage issue causes the device to enter into conserve mode.

1012518 Some FortiGate models on NP6/NP6Lite/NP6xLite platforms experience unexpected behavior due

to certain traffic conditions after upgrading to 7.2.8. Traffic may be interrupted momentarily.

1025927 In an HA configuration, FortiGate cannot access the GUI after a firmware upgrade due to a

certificate matching issue.

FortiOS 7.4.4 Release Notes 58

Fortinet Inc.

Resolved issues

Upgrade

Bug ID Description

925567 When upgrading multiple firmware versions in the GUI, the Follow upgrade path option does not

respect the recommended upgrade path.

952828 The automatic patch upgrade feature overlooks patch release with the Feature label. Consequently,

a FortiGate running 7.4.2 GA does not automatically upgrade to 7.4.3 GA.

955810 Upgrading FortiOS is unsuccessful due to unmount shared data partition failed error.

977281 After the FortiGate in an HA environment is upgraded using the Fabric upgrade feature, the GUI

might incorrectly show the status Downgrade to 7.2.X shortly, even though the upgrade has

completed.

This is only a display issue; the Fabric upgrade will not recur unless it is manually scheduled.

999324 FortiGate Pay-As-You-Go or On-demand VM versions cannot upload firmware using the System >

Firmware & Registration > File Upload page.

1017519 Auto firmware-upgrade may run when a FortiGate is added to a FortiManager that is added behind

a NAT.

User & Authentication

Bug ID Description

825561 2FA push for FAC token and FTC will not start the push notification process without user input on

the browser.

893475 When using the TACACS test server button in a FortiGate environment with HA-direct interface

enabled, the traffic originates from the cluster interface instead of the designated ha-direct interface.

934096 If AD password policy is not met, the password change is not set without a clear message to the

user.

934263 After authentication in authorization portal, page loading stalls and the user is not redirected to set

redirect-url.

946191 CPU usage issue in WAD caused by a high number of devices being detected by the device

detection feature.

960230 After the authentication timeout setting value is reached, the Time Left value on the Firewall User

Monitor > Firewall Users > Time Left page increases to thousands of days.

988958 When rsso user groups are updated, the session table is not cleared of old sessions and traffic still

hits the old policy.

FortiOS 7.4.4 Release Notes 59

Fortinet Inc.

Resolved issues

Bug ID Description

938382 OpenStack Queens FortiGate VM HA heartbeat on broadcast is not working as expected.

954962 The Client Hello packet is delayed connecting to FortiGate proxy-based mode and certificate

inspection in an AWS GWLB environment using a GENEVE interface.

967134 An interrupt distribution issue may cause the CPU load to not be balanced on the FG-VM cores.

980683 After upgrading FortiGate, the VM license status is removed even though the VM license is still

valid.

996389 AWS SDN Connector stops processing caused by the IAM external account role missing the

sts:AssumeRolevalue.

998208 The FortiGate-VM system stops after sending an image to the HA secondary during an firmware

upgrade due to different Flex-VM CPU license.

999599 On FortiGate AWS, the IPsec configuration goes missing after an upgrade due to an inconsistent

table-size.

1006570 VPN tunnels go down due to IKE authentication loss after a firmware upgrade on the VM.

VoIP

Bug ID Description

986431 An error condition occurs with VoIP profile deep inspections, preventing SIPTLS calls from going

through.

1004894 VOIPD experiences high memory usage and enters into conserve mode.

Web Filter

Bug ID Description

634781 Unable to customize replacement message for FortiGuard category in web filter profile.

925801 Custom Images are not seen on Web Filter block replacement page for HTTP traffic in flow mode.

983759 User internal IP address is visible on the internet through certificate.

1002266 Web filtering does not update rating servers if there is a FortiGuard DNS change.

1004985 The webfilter cookie override trigger process had no issue observed and an override entry was

created in the FortiGate, but client access was kept blocked by the old profile and the client received

a replacement message with an override link just like the initial access to trigger the override.

FortiOS 7.4.4 Release Notes 60

Fortinet Inc.

Resolved issues

WiFi Controller

Bug ID Description

883021 Is the FortiGate 100F RFC 2865 compliant and, if yes, why does the FortiGate not always re-

authenticated after the Session-Timeout value?

883938 Flooded wireless STA traffic seen in L2 tunneled VLAN (FG-1800F).

915715 On a secondary FortiGate in an HA cluster, user and vlan-id values do not show up when using

the diagnose wireless-controller wlac -d sta online command in the CLI.

950379 The diagnostics of online FortiAPs shows Link Down in the trunk port Connected Via field when the

FortiAP has an LACP connection to a FortiSwitch.

965695 Join/leave is repeated between FortiAP 421E and FortiGate 100E at multiple sites.

982626 Application httpsd does not work as expected when selecting a MPSK setting in any MPSK enabled

VAP using the GUI.

983019 HA synchronization issue with FortiAP causes connectivity flapping when managed by a secondary

VM.

994752 A memory usage on the secondary firewall causes FortiGate to enter conserve mode.

998578 On FortiGate devices running 7.4.2 or 7.4.3, managed FortiAP-W2 devices might randomly go

offline.

1001104 Some FortiAP 231F units show join/leave behavior after the FortiGate is upgraded to 7.2.7.

1003070 On FortiGate, the sta count is not accurate when some wireless clients connect to APs managed by

FortiGate.

1018107 Unable to manage FortiAPfrom FortiGate.

ZTNA

Bug ID Description

973214 An error condition in the WAD due to filter issue generates an error message.

975342 ZTNA TFAP access using a FQDN private server does not work if a ZTNA tag is not set on the

policy.

Common Vulnerabilities and Exposures

Visit https://fortiguard.com/psirt for more information.

FortiOS 7.4.4 Release Notes 61

Fortinet Inc.

Resolved issues

Bug ID CVE references

973348 FortiOS 7.4.4 is no longer vulnerable to the following CVE Reference:

CVE-2024-21754

980300 FortiOS 7.4.4 is no longer vulnerable to the following CVE Reference:

CVE-2024-26015

985990 FortiOS 7.4.4 is no longer vulnerable to the following CVE Reference:

CVE-2023-48795

988622 FortiOS 7.4.4 is no longer vulnerable to the following CVE Reference:

CVE-2024-26006

989004 FortiOS 7.4.4 is no longer vulnerable to the following CVE Reference:

CVE-2024-23111

998718 FortiOS 7.4.4 is no longer vulnerable to the following CVE Reference:

CVE-2024-26010

FortiOS 7.4.4 Release Notes 62

Fortinet Inc.

Known issues

The following issues have been identified in version 7.4.4. To inquire about a particular bug or report a bug, please

contact Customer Service & Support.

Anti Virus

Bug ID Description

1028114 FortiGate cannot connect to FortiSandboxCloud when inline content block scan mode is

set to default in an antivirus profile.

1031084 When FortiGate is in HAAA mode, the secondary unit does not connect to all FSA types for inline

scanning.

Explicit Proxy

Bug ID Description

1026362 Web pages do not load when persistent-cookie is disabled for session-cookie-based

authentication with captive-portal.

Firewall

Bug ID Description

959065 On the Policy & Objects > Traffic Shaping page, when deleting or creating a shaper, the counters for

the other shapers are cleared.

1007566 When the FortiGate has thousands of addresses and hundreds address groups, the GUI can take a

few minutes to search for a specific address inside the address group dialog.

Workaround: User can create the address group in the CLI instead by using the exact address

name. User can also perform a search in the CLI using a partial match. For example:

config firewall addrgrp

edit address_group

set member <pattern>?

end

FortiOS 7.4.4 Release Notes 63

Fortinet Inc.

Known issues

FortiGate 6000 and 7000 platforms

Bug ID Description

790464 After a failover, ARP entries are removed from all slots when an ARP query of single slot does not

respond.

885205 IPv6 ECMP is not supported for the FortiGate 6000F and 7000E platforms. IPv6 ECMP is supported

for the FortiGate 7000F platform.

911244 FortiGate 7000E IPv6 routes may not be synchronized correctly among FIMs and FPMs.

976521 On FortiGate 6000 models, high CPU usage by node process when navigating policy list with 7000

policies in a VDOM.

1006759 After an HA failover, there is no IPsec route in the kernel.

1018594 On FortiGate 7000, if gtp-mode is enabled and then disabled, after disabling gtp-enhanced mode

and rebooting the device, traffic is disrupted on the FIM and cannot be recovered.

Workaround: downgrade to version 7.2.x or 7.4.3.

1026665 On the ForqtiGate 7000F platform with virtual clustering enabled and syslog logging configured,

when running the diagnose log test command from a primary vcluster VDOM, some FPMs

may not send log messages to the configured syslog servers.

1070365 The vdom setting sess-sync-dev is not automatically updated to FortiManager due to the HA

sess-sync not working as expected.

Workaround: Retrieve the FortiGate configuration from FortiManager after configuring the HA

session-sync-dev.

GUI

Bug ID Description

853352 When viewing entries in the slide-out window of the Policy & Objects > Internet Service Database

page, users cannot scroll down to the end if there are over 100000 entries.

885427 On the Network > Interfaces page, the SFP port is grayed out on the faceplate diagram even though

the port is working. This is purely a GUI display issue and does not affect system operation.

Workaround: View the SFP port information and status using the interface list in the CLI.

989512 When the number of users in the Firewall User monitor exceeds 2000, the search bar is no longer

being displayed.

FortiOS 7.4.4 Release Notes 64

Fortinet Inc.

Known issues

Hyperscale

Bug ID Description

817562 NPD/LPMD cannot differentiate the different VRFs, and considers all VRFs as 0.

850252 Restoring a specific VDOM configuration from the GUI does not restore the complete configuration.

961328 FortiGate does not choose a random port when set to random mode.

977376 FG-4201F has a 10% performance drop during a CPS test case with DoS policy.

1024274 When Hyperscale logging is enabled with multicast log, the log is not sent to servers that are

configured to receive multicast logs.

1024902 After FTP traffic passes, the npu-session stat does not display the accurate amount of actual

sessions on FortiGate.

1025908 When running FGSP setup, the session count is approximately 50% less on the peer device.

IPsec VPN

Bug ID Description

866413 Traffic over GRE tunnel over IPsec tunnel, or traffic over IPsec tunnel with GRE encapsulation is not

offloaded on NP7-based units.

897871 GRE over IPsec does not work in transport mode.

944600 CPU usage issues occurred when IPsec VPN traffic was received on the VLAN interface of an NP7

vlink.

970703 FortiGate 6K and 7K models do not support IPsec VPN over vdom-link/npu-vlink.

Log &Report

Bug ID Description

1010244 When uploading the log file to the FTP server, some parts of the log files are not included in the

upload.

FortiOS 7.4.4 Release Notes 65

Fortinet Inc.

Known issues

Proxy

Bug ID Description

910678 CPU usage issue in WAD caused by a high number of devices being detected by the device

detection feature.

Routing

Bug ID Description

903444 The diagnose ip rtcache list command is no longer supported in the FortiOS 4.19 kernel.

1023878 Intermittent SD-WAN SLA fails on all links at the same time with no actual packet loss.

Security Fabric

Bug ID Description

948322 After deauthorizing a downstream FortiGate from the System >Firmware & Registration page, the

page may appear to be stuck to loading.

Workaround:perform a full page refresh to allow the page to load again.

1021684 On the Security Fabric > Physical Topology and Security Fabric > Logical Topology pages, the

topology results do not load properly and display errors.

1057862 FortiGate models with 2GB memory that manage many extension devices (FortiSwitches and

FortiAPs) may enter conserve mode due to the GUI process taking up more and more memory over

time.

Workaround: Avoid loading Security Fabric widget, Security Rating, and Topology pages.

SSL VPN

Bug ID Description

1024837 OneLogin SAML does not work with SSL VPN after upgrading to version 7.0.15 or 7.4.3.

FortiOS 7.4.4 Release Notes 66

Fortinet Inc.

Known issues

Switch Controller

Bug ID Description

955550 Unexpected behavior in cu_acd and fortilinkd is causing the CPU to handle the majority of the traffic

instead of the NPU.

System

Bug ID Description

912383 FGR-70F and FGR-70F-3G4G failed to perform regular reboot process (using execute reboot

command) with an SD card inserted.

921134 GUI is inaccessible when using a SHA1 certificate as admin-server-cert.

956697 On NP7 platforms, the FortiGate maybe reboot twice when upgrading to 7.4.2 or restoring a

configuration after a factory reset or burn image. This issue does not impact FortiOS functionality.

1020921 When configuring an SNMP trusted host that matches the management Admin trusted host subnet,

the GUI may give an incorrect warning that the current SNMP trusted host does not match. This is

purely a GUI display issue and does not impact the actual SNMP traffic.

Workaround: If the trusted host is enabled on all administrative access, make sure the SNMP host

IP is included in at least one of these trusted IP/subnets.

1021542 FortiGate reboots twice after a factory reset when gtp-enchanced-mode is enabled.

1021903 After an interface role change, the updated role does not show in the le-switch member list.

1025870 On FortiGate Rugged FGR70F-3G4G models, wan1 and wan2 port mode changes to static after

a factory reset.

1029351 The OPC VM does not boot up when in native mode.

1034322 FortiGates using a SOC4 platform with a virtual switch configured may continuously reboot when

upgrading due to an interruption in the kernel.

1041457 The kernel 4.19 cannot concurrently reassemble IPv4 fragments for a source IP with more than 64

destination IP addresses.

1041669 FortiGate does not upgrade if private-data-encryption is enabled and the device is not

rebooted.

Workaround: Reboot FortiGate after enabling private-data-encryption.

1058397 On FortiGate 900 models, when the baudrate is configured, the changes are not applied and is set

to 9600.

FortiOS 7.4.4 Release Notes 67

Fortinet Inc.

Known issues

Upgrade

Bug ID Description

955835 When auto-upgrade is disabled, scheduled upgrades on FortiGate are not automatically

canceled. To cancel any scheduled upgrades, exec federated-upgrade cancel must be

done manually.

1027462 When restoring an FortiGate, the 7.4.1 config file with deprecated Inline CASB entries displays

errors messages and causes the confsyncd to not function as expected.

1031574 During a graceful upgrade, the confsync daemon and updated daemon encounter a memory usage

issue, causing a race condition.

User & Authentication

Bug ID Description

667150 When a remote LDAP user with Two-factor Authentication enabled and Authentication type

FortiToken tries to access the internet through firewall authentication, the web page does not

receive the FortiToken notification or proceed to authenticate the user.

Workaround: click the Continue button on the authentication page after approving the FortiToken

on the mobile device.

884462 NTLM authentication does not work with Chrome.

972391 RADIUS group is not properly displayed as used.

Bug ID Description

978021 VNI length is zero in the GENEVE header when in FTP passive mode.

WiFi Controller

Bug ID Description

814541 When there are a large number of managed FortiAP devices (over 500) and a large number of WiFi

clients (over 5000), the Managed FortiAPs page and FortiAP Status widget can take a long time to

load. This issue does not impact FortiAP operation.

FortiOS 7.4.4 Release Notes 68

Fortinet Inc.

Known issues

Bug ID Description

869978 On the FortiGate 200F, CAPWAP tunnel traffic over tunnel SSID is dropped when offloading is

enabled.

903922 Physical and logical topology is slow to load when there are a lot of managed FortiAP devices (over

50). This issue does not impact FortiAP management and operation.

949682 Intermittent traffic disruption observed in cw_acd caused by a rare error condition.

964757 Clients randomly unable to connect to 802.1X SSID when FortiAP has a DTLS policy enabled.

972093 RADIUS accounting data usage is different between the bridge and tunnel VAP.

ZTNA

Bug ID Description

819987 SMB drive mapping made through a ZTNA access proxy is inaccessible after rebooting.

1018303 ZTNA does not allow tcp-forwarding SSH traffic to pass through.

1020084 Health check on the ZTNA realserver does not work as expected if a blackhole route is added to the

realserver address.

FortiOS 7.4.4 Release Notes 69

Fortinet Inc.

Built-in AV Engine

AV Engine 7.00026 is released as the built-in AV Engine. Refer to the AV Engine Release Notes for information.

FortiOS 7.4.4 Release Notes 70

Fortinet Inc.

Built-in IPS Engine

IPS Engine 7.00536 is released as the built-in IPS Engine. Refer to the IPS Engine Release Notes for information.

FortiOS 7.4.4 Release Notes 71

Fortinet Inc.

Limitations

Citrix XenServer limitations

The following limitations apply to Citrix XenServer installations:

XenTools installation is not supported.

FortiGate-VM can be imported or deployed in only the following three formats:

XVA (recommended)

VHD

OVF

The XVA format comes pre-configured with default configurations for VM name, virtual CPU, memory, and virtual

NIC. Other formats will require manual configuration before the first power on process.

Open source XenServer limitations

When using Linux Ubuntu version 11.10, XenServer version 4.1.0, and libvir version 0.9.2, importing issues may arise

when using the QCOW2 format and existing HDA issues.

FortiOS 7.4.4 Release Notes 72

Fortinet Inc.

www.fortinet.com

Copyright© 2024 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein

may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were

attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance

results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract,

signed by Fortinet’s Chief Legal Officer, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only

the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal

conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change,

modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.