Release Notes
FortiOS 7.6.2

FORTINET DOCUMENT LIBRARY: https://docs.fortinet.com
FORTINET VIDEO LIBRARY: https://video.fortinet.com
FORTINET BLOG: https://blog.fortinet.com
CUSTOMER SERVICE & SUPPORT: https://support.fortinet.com
FORTINET TRAINING & CERTIFICATION PROGRAM: https://www.fortinet.com/training-certification
FORTINET TRAINING INSTITUTE: https://training.fortinet.com
FORTIGUARD LABS: https://www.fortiguard.com
END USER LICENSE AGREEMENT: https://www.fortinet.com/doc/legal/EULA.pdf
FEEDBACK Email: techdoc@fortinet.com

February 4, 2025
FortiOS 7.6.2 Release Notes
01-762-1114584-20250204

TABLE OF CONTENTS

Change Log
Introduction and supported models
  Supported models
    FortiGate 6000 and 7000 support
Special notices
  FortiManager support for updated FortiOS private data encryption key
  Hyperscale incompatibilities and limitations
  FortiGate 6000 and 7000 incompatibilities and limitations
  SSL VPN removed from 2GB RAM models for tunnel and web mode
  2 GB RAM FortiGate models no longer support FortiOS proxy-related features
  FortiGate VM memory and upgrade
  Hyperscale NP7 hardware limitation
  FortiGate cannot restore configuration file after private-data-encryption is re-enabled
  SSL VPN not supported on FortiGate 90G series models
RADIUS vulnerability
Upgrade information
  Fortinet Security Fabric upgrade
  Downgrading to previous firmware versions
  Firmware image checksums
  FortiGate 6000 and 7000 upgrade information
  Default setting of cp-accel-mode is changed to none on 2GB memory models
  Policies that use an interface show missing or empty values after an upgrade
  Managed FortiSwitch do not permit empty passwords for administrator accounts
  SLBC FG-5001E primary blade fails to install image
Product integration and support
  Virtualization environments
  Language support
  SSL VPN support
    SSL VPN web mode
  FortiExtender modem firmware compatibility
Resolved issues
  GUI
  HA
  Intrusion Prevention
  IPsec VPN
  SSL VPN
  System
  User & Authentication
  VM
Known issues
  New known issues
    FortiGate 6000 and 7000 platforms
    Hyperscale
  Existing known issues
    Endpoint Control
    Firewall
    FortiGate 6000 and 7000 platforms
    FortiView
    GUI
    HA
    Hyperscale
    Intrusion Prevention
    IPsec VPN
    Log & Report
    Proxy
    REST API
    Security Fabric
    Switch Controller
    System
    Upgrade
    User & Authentication
    Web Filter
    WiFi Controller
Built-in AV Engine
Built-in IPS Engine
Limitations
  Citrix XenServer limitations
  Open source XenServer limitations

Change Log

Date | Change Description
2025-01-28 | Initial release.
2025-01-30 | Updated "Policies that use an interface show missing or empty values after an upgrade" and "Managed FortiSwitch do not permit empty passwords for administrator accounts".
2025-02-04 | Updated "Resolved issues" and "Known issues".

Introduction and supported models

This guide provides release information for FortiOS 7.6.2 build 3462.

For FortiOS documentation, see the Fortinet Document Library.

Supported models

FortiOS 7.6.2 supports the following models.
FortiGate: FG-40F, FG-40F-3G4G, FG-60F, FG-61F, FG-70F, FG-71F, FG-80F, FG-80F-BP, FG-80F-DSL, FG-80F-POE, FG-81F, FG-81F-POE, FG-90G, FG-91G, FG-100F, FG-101F, FG-120G, FG-121G, FG-200E, FG-200F, FG-201E, FG-201F, FG-300E, FG-301E, FG-400E, FG-400E-BP, FG-401E, FG-400F, FG-401F, FG-500E, FG-501E, FG-600E, FG-601E, FG-600F, FG-601F, FG-800D, FG-900D, FG-900G, FG-901G, FG-1000D, FG-1000F, FG-1001F, FG-1100E, FG-1101E, FG-1800F, FG-1801F, FG-2000E, FG-2200E, FG-2201E, FG-2500E, FG-2600F, FG-2601F, FG-3000D, FG-3000F, FG-3001F, FG-3100D, FG-3200D, FG-3200F, FG-3201F, FG-3300E, FG-3301E, FG-3400E, FG-3401E, FG-3500F, FG-3501F, FG-3600E, FG-3601E, FG-3700D, FG-3700F, FG-3701F, FG-3960E, FG-3980E, FG-4200F, FG-4201F, FG-4400F, FG-4401F, FG-4800F, FG-4801F, FG-5001E, FG-5001E1, FG-6000F, FG-7000E, FG-7000F

FortiWiFi: FWF-40F, FWF-40F-3G4G, FWF-60F, FWF-61F, FWF-80F-2R, FWF-80F-2R-3G4G-DSL, FWF-81F-2R, FWF-81F-2R-3G4G-DSL, FWF-81F-2R-POE, FWF-81F-2R-3G4G-POE

FortiGate Rugged: FGR-60F, FGR-60F-3G4G, FGR-70F, FGR-70F-3G4G

FortiFirewall: FFW-1801F, FFW-2600F, FFW-3001F, FFW-3501F, FFW-3980E, FFW-4200F, FFW-4400F, FFW-4401F, FFW-4801F, FFW-VM64, FFW-VM64-KVM

FortiGate VM: FG-ARM64-AWS, FG-ARM64-AZURE, FG-ARM64-GCP, FG-ARM64-KVM, FG-ARM64-OCI, FG-VM64, FG-VM64-ALI, FG-VM64-AWS, FG-VM64-AZURE, FG-VM64-GCP, FG-VM64-HV, FG-VM64-IBM, FG-VM64-KVM, FG-VM64-OPC, FG-VM64-RAXONDEMAND, FG-VM64-XEN

FortiGate 6000 and 7000 support

FortiOS 7.6.2 supports the following FG-6000F, FG-7000E, and FG-7000F models:

FG-6000F: FG-6001F, FG-6300F, FG-6301F, FG-6500F, FG-6501F
FG-7000E: FG-7030E, FG-7040E, FG-7060E
FG-7000F: FG-7081F, FG-7121F

Special notices

- FortiManager support for updated FortiOS private data encryption key
- FortiGate cannot restore configuration file after private-data-encryption is re-enabled
- Hyperscale incompatibilities and limitations
- FortiGate 6000 and 7000 incompatibilities and limitations
- SSL VPN removed from 2GB RAM models for tunnel and web mode
- 2 GB RAM FortiGate models no longer support FortiOS proxy-related features
- FortiGate VM memory and upgrade
- Hyperscale NP7 hardware limitation
- SSL VPN not supported on FortiGate 90G series models
- RADIUS vulnerability

FortiManager support for updated FortiOS private data encryption key

With the introduction of FortiOS 7.6.1, Fortinet has updated the private-data-encryption key feature. Administrators are no longer required to manually input a 32-digit hexadecimal private-data-encryption key. Instead, administrators simply enable the command, and a random private-data-encryption key is generated.

Previous FortiOS CLI behavior

    config system global
        set private-data-encryption enable
    end
    Please type your private data encryption key (32 hexadecimal numbers):
    12345678901234567890123456789abc
    Please re-enter your private data encryption key (32 hexadecimal numbers) again:
    12345678901234567890123456789abc
    Your private data encryption key is accepted.

New FortiOS CLI behavior

    config system global
        set private-data-encryption enable
    end
    This operation will generate a random private data encryption key!
    Previous config files encrypted with the system default key cannot be restored after this operation!
    Do you want to continue? (y/n)y
    Private data encryption key generation succeeded!

FortiManager behavior

Support for the FortiGate private-data-encryption key by the Device Manager in FortiManager 7.6.2 and earlier is unchanged.
It automatically detects the remote FortiGate private-data-encryption key status and prompts the administrator to manually type the private key (see picture below).

FortiManager 7.6.2 and earlier does not support the updated, random private-data-encryption key as the administrator will have no knowledge of the key generated in the FortiOS CLI command above. It will be supported in a later version of FortiManager.

FortiOS upgrade behavior

If in FortiOS 7.4.5 or 7.6.0 the 32-digit hexadecimal private key is enabled, and then the FortiGate device is upgraded to 7.6.1, the 32-digit hexadecimal private-data-encryption key is preserved. As a result, FortiManager 7.6.2 and earlier is aware of the 32-digit hexadecimal private-data-encryption key and can continue to manage the FortiGate device. However, if the private-data-encryption key is enabled after an upgrade of FortiOS to 7.6.1, FortiManager 7.6.2 and earlier no longer can manage FortiGate devices running FortiOS 7.6.1.

Hyperscale incompatibilities and limitations

See Hyperscale firewall incompatibilities and limitations in the Hyperscale Firewall Guide for a list of limitations and incompatibilities with FortiOS 7.6.2 features.

FortiGate 6000 and 7000 incompatibilities and limitations

See the following links for information about FortiGate 6000 and 7000 limitations and incompatibilities with FortiOS 7.6.2 features.

- FortiGate 6000 incompatibilities and limitations
- FortiGate 7000E incompatibilities and limitations
- FortiGate 7000F incompatibilities and limitations

SSL VPN removed from 2GB RAM models for tunnel and web mode

On FortiGate models with 2GB of RAM or below, the SSL VPN web and tunnel mode feature will no longer be available from the GUI or CLI. Settings will not be upgraded from previous versions.
The affected models include:

- FGT-40F/FWF-40F and variants
- FGT-60F/FWF-60F
- FGT-61F/FWF-61F
- FGR-60F and variants (2GB versions only)

To confirm if your FortiGate model has 2 GB RAM, enter diagnose hardware sysinfo conserve in the CLI and check that the total RAM value is below 2000 MB (1000 MB = 1 GB).

On these FortiGate models, consider migrating to using IPsec Dialup VPN for remote access. See SSL VPN to IPsec VPN Migration for more information.

FortiGate models not listed above will continue to have SSL VPN web and tunnel mode support.

2 GB RAM FortiGate models no longer support FortiOS proxy-related features

As part of improvements to enhance performance and optimize memory usage on FortiGate models with 2 GB RAM or less, starting from version 7.4.4, FortiOS no longer supports proxy-related features.

This change impacts the FortiGate 40F and 60F series devices, along with their variants. See Proxy-related features no longer supported on FortiGate 2 GB RAM models for more information.

FortiGate VM memory and upgrade

FortiGate virtual machines (VMs) are not constrained by memory size and will continue to support all available features after upgrading to FortiOS 7.6.0. However, it is recommended to set up VMs with at least 4 GB of RAM for optimal performance.

Hyperscale NP7 hardware limitation

Because of an NP7 hardware limitation, for CGN traffic accepted by a hyperscale firewall policy that includes an overload with port block allocation (overload PBA) IP Pool, only one block is allocated per client. The setting of the hyperscale firewall policy cgn-resource-quota option is ignored.

Because of this limitation, under certain rare conditions (for example, only a single server side IP address and port are being used for a large number of sessions), port allocation may fail even if the block usage of the client is less than its quota.
In cases such as this, if the client has traffic towards some other servers or ports, additional port allocation can become successful. You can also work around this problem by increasing the IP Pool block size (cgn-block-size).

FortiGate cannot restore configuration file after private-data-encryption is re-enabled

In a new enhancement, enabling private-data-encryption will utilize a randomly generated private key. Therefore, FortiGate cannot restore the configuration file in the following sequence:

1. private-data-encryption enabled with random key, and configuration is backed up.
2. private-data-encryption disabled.
3. private-data-encryption enabled again, with new random key.
4. Restore configuration file in step 1.

When disabling private-data-encryption, a warning in the CLI will be displayed:

    This operation will restore system default data encryption key!
    Previous config files encrypted with the private key cannot be restored after this operation!
    Do you want to continue? (y/n)y

SSL VPN not supported on FortiGate 90G series models

The SSL VPN web and tunnel mode feature will not be available from the GUI or the CLI on the FortiGate 90G and 91G models. Settings will not be upgraded from previous versions.

RADIUS vulnerability

Fortinet has resolved a RADIUS vulnerability described in CVE-2024-3596. As a result, firewall authentication, FortiGate administrative GUI authentication, and WiFi authentication may be affected depending on the functionality of the RADIUS server software used in your environment. RFC 3579 contains information on the affected RADIUS attribute, message-authenticator.

In order to protect against the RADIUS vulnerability described in CVE-2024-3596, as a RADIUS client, FortiGate will:

1. Force the validation of message-authenticator.
2. Reject RADIUS responses with unrecognized proxy-state attribute.

Message-authenticator checking is made mandatory under UDP/TCP.
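
The two client-side checks listed above, sketched in Python as an added example (not Fortinet code and not part of the release notes). The attribute layout follows RFC 2865 and RFC 3579; the function names, the shared secret and the sample packets are constructed for illustration, and treating any Proxy-State value the client did not send as "unrecognized" is an assumption.

```python
import hashlib
import hmac
import struct

MESSAGE_AUTHENTICATOR = 80  # RFC 3579 section 3.2
PROXY_STATE = 33            # RFC 2865 section 5.33
HEADER_LEN = 20             # code, identifier, length, 16-byte authenticator


def parse_attributes(region):
    """Split the attribute region into (type, value, value_offset) tuples."""
    attrs, pos = [], 0
    while pos < len(region):
        if len(region) - pos < 2:
            raise ValueError("truncated attribute")
        atype, alen = region[pos], region[pos + 1]
        if alen < 2 or pos + alen > len(region):
            raise ValueError("bad attribute length")
        attrs.append((atype, region[pos + 2:pos + alen], pos + 2))
        pos += alen
    return attrs


def check_response(packet, request_authenticator, secret, sent_proxy_states=()):
    """Validate a RADIUS response as a strict client; return (ok, reason)."""
    if len(request_authenticator) != 16:
        raise ValueError("request authenticator must be 16 bytes")
    if len(packet) < HEADER_LEN or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False, "malformed packet"
    try:
        attrs = parse_attributes(packet[HEADER_LEN:])
    except ValueError as exc:
        return False, str(exc)

    # Check 1: Message-Authenticator must be present and must verify.
    found = [(v, off) for t, v, off in attrs if t == MESSAGE_AUTHENTICATOR]
    if len(found) != 1 or len(found[0][0]) != 16:
        return False, "missing Message-Authenticator"
    received, off = found[0]
    # HMAC-MD5 covers the packet with the Request Authenticator in the
    # authenticator field and the attribute value replaced by 16 zero bytes.
    signed = bytearray(packet)
    signed[4:HEADER_LEN] = request_authenticator
    signed[HEADER_LEN + off:HEADER_LEN + off + 16] = bytes(16)
    expected = hmac.new(secret, bytes(signed), hashlib.md5).digest()
    if not hmac.compare_digest(received, expected):
        return False, "bad Message-Authenticator"

    # Check 2: reject Proxy-State values this client never sent (assumption).
    for atype, value, _ in attrs:
        if atype == PROXY_STATE and value not in sent_proxy_states:
            return False, "unrecognized Proxy-State"

    # The classic Response Authenticator (RFC 2865) is still verified.
    digest = hashlib.md5(packet[:4] + request_authenticator
                         + packet[HEADER_LEN:] + secret).digest()
    if not hmac.compare_digest(packet[4:HEADER_LEN], digest):
        return False, "bad Response Authenticator"
    return True, "ok"


def build_response(code, ident, request_authenticator, secret, attrs, with_ma=True):
    """Constructed server side, used only to produce sample packets."""
    body = bytearray()
    if with_ma:  # Message-Authenticator first, zero-filled until signed
        body += bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)
    for atype, value in attrs:
        body += bytes([atype, len(value) + 2]) + value
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(body))
    if with_ma:
        body[2:18] = hmac.new(secret, header + request_authenticator + bytes(body),
                              hashlib.md5).digest()
    resp_auth = hashlib.md5(header + request_authenticator + bytes(body) + secret).digest()
    return header + resp_auth + bytes(body)


def demo():
    """Run the checks over constructed Access-Accept packets (code 2)."""
    secret, req_auth = b"constructed-shared-secret", bytes(range(16))
    reply = [(18, b"welcome")]  # Reply-Message
    samples = {
        "patched server": build_response(2, 7, req_auth, secret, reply),
        "unpatched server": build_response(2, 7, req_auth, secret, reply, with_ma=False),
        "extra proxy-state": build_response(2, 7, req_auth, secret, reply + [(33, b"x1")]),
    }
    return {name: check_response(pkt, req_auth, secret) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The "unpatched server" case is the interoperability failure these notes warn about: a server that omits message-authenticator is rejected by a client that enforces it over UDP/TCP.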
Message-authenticator checking is not mandatory when using TLS. Therefore, if FortiGate is using UDP/TCP mode without RADSEC, the RADIUS server should be patched to ensure the message-authenticator attribute is used in its RADIUS messages.

Affected Product Integration

- FortiAuthenticator version 6.6.1 and older
- Third party RADIUS server that does not support sending the message-authenticator attribute

Solution

- Upgrade FortiAuthenticator to version 6.6.2, 6.5.6 or 6.4.10 and follow the upgrade instructions: https://docs.fortinet.com/document/fortiauthenticator/6.6.2/release-notes/859240/upgrade-instructions
- Upgrade the RADIUS server and/or enable it to send the correct message-authenticator attribute

Upgrade information

Supported upgrade path information is available on the Fortinet Customer Service & Support site.

FortiGate | Upgrade option | Details
Individual FortiGate devices | Manual update | Use the procedure in this topic. See also Upgrading individual devices in the FortiOS Administration Guide.
Individual FortiGate devices | Automatic update based on FortiGuard upgrade path | See Enabling automatic firmware updates in the FortiOS Administration Guide for details.
Multiple FortiGate devices in a Fortinet Security Fabric | Manual, immediate or scheduled update based on FortiGuard upgrade path | See Fortinet Security Fabric upgrade and Upgrading all devices in the FortiOS Administration Guide.

To view supported upgrade path information:

1. Go to https://support.fortinet.com.
2. From the Download menu, select Firmware Images.
3. Check that Select Product is FortiGate.
4. Click the Upgrade Path tab and select the following:
   - Current Product
   - Current FortiOS Version
   - Upgrade To FortiOS Version
5. Click Go.

Fortinet Security Fabric upgrade

FortiOS 7.6.2 is verified to work with these Fortinet products.
This includes:

FortiAnalyzer: 7.6.2
FortiManager: 7.6.2
FortiExtender: 7.4.0 and later
FortiSwitch OS (FortiLink support): 6.4.6 build 0470 and later
FortiAP: 7.2.2 and later
FortiAP-U: 6.2.5 and later
FortiAP-W2: 7.2.2 and later
FortiClient EMS: 7.0.3 build 0229 and later
FortiClient Microsoft Windows: 7.0.3 build 0193 and later
FortiClient Mac OS X: 7.0.3 build 0131 and later
FortiClient Linux: 7.0.3 build 0137 and later
FortiClient iOS: 7.0.2 build 0036 and later
FortiClient Android: 7.0.2 build 0031 and later
FortiSandbox: 2.3.3 and later for post-transfer scanning; 4.2.0 and later for post-transfer and inline scanning

* If you are using FortiClient only for IPsec VPN or SSL VPN, FortiClient version 6.0 and later are supported.

When upgrading your Security Fabric, devices that manage other devices should be upgraded first.

When using FortiClient with FortiAnalyzer, you should upgrade both to their latest versions. The versions between the two products should match. For example, if using FortiAnalyzer 7.6.0, use FortiClient 7.6.0.

Upgrade the firmware of each device in the following order. This maintains network connectivity without the need to use manual steps.

1. FortiAnalyzer
2. FortiManager
3. FortiGate devices
4. Managed FortiExtender devices
5. Managed FortiSwitch devices
6. Managed FortiAP devices
7. FortiClient EMS
8. FortiClient
9. FortiSandbox
10. FortiMail
11. FortiWeb
12. FortiNAC
13. FortiVoice
14. FortiDeceptor
15. FortiNDR
16. FortiTester
17. FortiMonitor

If Security Fabric is enabled, then all FortiGate devices must be upgraded to 7.6.2. When Security Fabric is enabled in FortiOS 7.6.2, all FortiGate devices must be running FortiOS 7.6.2.

Downgrading to previous firmware versions

Downgrading to previous firmware versions results in configuration loss on all models.
Only the following settings are retained:

- operation mode
- interface IP/management IP
- static route table
- DNS settings
- admin user account
- session helpers
- system access profiles

Firmware image checksums

The MD5 checksums for all Fortinet software and firmware releases are available at the Customer Service & Support portal, https://support.fortinet.com. After logging in, go to Support > Firmware Image Checksums (in the Downloads section), enter the image file name including the extension, and click Get Checksum Code.

FortiGate 6000 and 7000 upgrade information

Upgrade FortiGate 6000 firmware from the management board GUI or CLI. Upgrade FortiGate 7000 firmware from the primary FIM GUI or CLI. The FortiGate 6000 management board and FPCs or the FortiGate 7000 FIMs and FPMs all run the same firmware image. Upgrading the firmware copies the firmware image to all components, which then install the new firmware and restart. A FortiGate 6000 or 7000 firmware upgrade can take a few minutes, the amount of time depending on the hardware and software configuration and whether DP or NP7 processor software is also upgraded.

On a standalone FortiGate 6000 or 7000, or an HA cluster with uninterruptible-upgrade disabled, the firmware upgrade interrupts traffic because all components upgrade in one step. These firmware upgrades should be done during a quiet time because traffic can be interrupted for a few minutes during the upgrade process.

Fortinet recommends running a graceful firmware upgrade of a FortiGate 6000 or 7000 FGCP HA cluster by enabling uninterruptible-upgrade and session-pickup. A graceful firmware upgrade only causes minimal traffic interruption.

Fortinet recommends that you review the services provided by your FortiGate 6000 or 7000 before a firmware upgrade and then again after the upgrade to make sure that these services continue to operate normally.
For example, you might want to verify that you can successfully access an important server used by your organization before the upgrade and make sure that you can still reach the server after the upgrade and performance is comparable. You can also take a snapshot of key performance indicators (for example, number of sessions, CPU usage, and memory usage) before the upgrade and verify that you see comparable performance after the upgrade.

To perform a graceful upgrade of your FortiGate 6000 or 7000 to FortiOS 7.6.2:

1. Use the following command to set the upgrade-mode to uninterruptible to support HA graceful upgrade:

       config system ha
           set uninterruptible-upgrade enable
       end

   When upgrading from FortiOS 7.4.1 to a later version, use the following command to enable uninterruptible upgrade:

       config system ha
           set upgrade-mode uninterruptible
       end

2. Download the FortiOS 7.6.2 FG-6000F, FG-7000E, or FG-7000F firmware from https://support.fortinet.com.
3. Perform a normal upgrade of your HA cluster using the downloaded firmware image file.
4. When the upgrade is complete, verify that you have installed the correct firmware version. For example, check the FortiGate dashboard or use the get system status command.
5. Check the Cluster Status dashboard widget or use the diagnose sys confsync status command to confirm that all components are synchronized and operating normally.

Default setting of cp-accel-mode is changed to none on 2GB memory models

This change disables CP acceleration to lower system memory usage, which can prevent some unexpected behavior caused by lack of memory.

Previous FortiOS CLI behavior:

    config ips global
        set cp-accel-mode advanced
    end

New FortiOS CLI behavior after upgrade:

    config ips global
        set cp-accel-mode none
    end

This change has a performance impact because the CPU performs the IPS pre-match (pattern match) instead of the hardware engine (the CP module in SOC4).
Some customers could expect an increase in CPU utilization as a result.

FortiGate and FortiWiFi 4xF/6xF families are affected by this change.

Policies that use an interface show missing or empty values after an upgrade

If local-in policy, DoS policy, interface policy, multicast policy, TTL policy, or central SNAT map used an interface in version 7.4.5, 7.6.0 GA or any previous GA version that was part of the SD-WAN zone, these policies will be deleted or show empty values after upgrading to version 7.4.6 or 7.6.1 or later.

After upgrading to version 7.4.6 or 7.6.1 GA or later, users must manually recreate these policies and assign them to the appropriate SD-WAN zone.

Managed FortiSwitch do not permit empty passwords for administrator accounts

Starting from FortiOS version 7.6.1, a managed FortiSwitch no longer permits empty passwords for the admin account. If a FortiSwitch unit was previously authorized without an admin password, the FortiGate will automatically generate a random admin password for the FortiSwitch upon upgrading to 7.6.1 or later. This change will cause the admin to lose access.

To regain access, configure a password override on the FortiGate device using the following commands:

    config switch-controller switch-profile
        edit default
            set login-passwd-override enable
            set login-passwd <passwd>
        next
    end

FortiSwitch units with an existing admin password will not be affected by this change.

SLBC FG-5001E primary blade fails to install image

For FG-5001E in a session-aware load balanced cluster (SLBC), all secondary blades install the image successfully. However, the primary blade fails, showing a sync timeout error, even with graceful-upgrade disabled.

Product integration and support

The following table lists FortiOS 7.6.2 product integration and support information:

Web browsers:
- Microsoft Edge 112
- Mozilla Firefox version 113
- Google Chrome version 113
Other browser versions have not been tested, but may fully function. Other web browsers may function correctly, but are not supported by Fortinet.

Explicit web proxy browser:
- Microsoft Edge 112
- Mozilla Firefox version 113
- Google Chrome version 113
Other browser versions have not been tested, but may fully function. Other web browsers may function correctly, but are not supported by Fortinet.

FortiController:
- 5.2.5 and later
Supported models: FCTL-5103B, FCTL-5903C, FCTL-5913C

Fortinet Single Sign-On (FSSO):
- 5.0 build 0319 and later (needed for FSSO agent support OU in group filters)
- Windows Server 2022 Standard
- Windows Server 2022 Datacenter
- Windows Server 2019 Standard
- Windows Server 2019 Datacenter
- Windows Server 2019 Core
- Windows Server 2016 Datacenter
- Windows Server 2016 Standard
- Windows Server 2016 Core
- Windows Server 2012 Standard
- Windows Server 2012 R2 Standard
- Windows Server 2012 Core
- Novell eDirectory 8.8

AV Engine:
- 7.00034

IPS Engine:
- 7.01026

See also:
- Virtualization environments
- Language support
- SSL VPN support
- FortiExtender modem firmware compatibility

Virtualization environments

The following table lists hypervisors and recommended versions.

Hypervisor | Recommended versions
Citrix Hypervisor | 8.2 Express Edition, CU1
Linux KVM | Ubuntu 22.04.3 LTS; Red Hat Enterprise Linux release 9.4; SUSE Linux Enterprise Server 12 SP3 release 12.3
Microsoft Windows Server | Windows Server 2022
Windows Hyper-V Server | Microsoft Hyper-V Server 2022
Open source XenServer | Version 3.4.3; Version 4.1 and later
VMware ESXi | Versions 6.5, 6.7, 7.0, and 8.0.

Language support

The following table lists language support information.

Language support (GUI):
- English
- Chinese (Simplified)
- Chinese (Traditional)
- French
- Japanese
- Korean
- Portuguese (Brazil)
- Spanish

SSL VPN support

SSL VPN web mode

The following table lists the operating systems and web browsers supported by SSL VPN web mode.

Supported operating systems and web browsers

Operating System | Web Browser
Microsoft Windows 7 SP1 (32-bit & 64-bit) | Mozilla Firefox version 113; Google Chrome version 112
Microsoft Windows 10 (64-bit) | Microsoft Edge; Mozilla Firefox version 113; Google Chrome version 112
Ubuntu 20.04 (64-bit) | Mozilla Firefox version 113; Google Chrome version 112
macOS Ventura 13.1 | Apple Safari version 16; Mozilla Firefox version 103; Google Chrome version 111
iOS | Apple Safari; Mozilla Firefox; Google Chrome
Android | Mozilla Firefox; Google Chrome

Other operating systems and web browsers may function correctly, but are not supported by Fortinet.

FortiExtender modem firmware compatibility

The following table lists the modem firmware file name and version for each FortiExtender model and its compatible geographical region.

FortiExtender model | Modem firmware image name | Modem firmware file on Support site | Geographical region
FEX-101F-AM | FEM_EM06A-22-1-1 | FEM_EM06A-22.1.1-build0001.out | America
FEX-101F-EA | FEM_EM06E-22-01-01 | FEM_EM06E-22.1.1-build0001.out | EU
FEX-101F-EA | FEM_EM06E-22.2.2 | FEM_EM06E-22.2.2-build0002.out | EU
FEX-201E | FEM_06-19-0-0-AMEU | FEM_06-19.0.0-build0000-AMEU.out | America and EU
FEX-201E | FEM_06-19-1-0-AMEU | FEM_06-19.1.0-build0001-AMEU.out | America and EU
FEX-201E | FEM_06-22-1-1-AMEU | FEM_06-22.1.1-build0001-AMEU.out | America and EU
FEX-201E | FEM_06-22-1-2-AMEU | FEM_06-22.1.2-build0001-AMEU.out | America and EU
FEX-201F-AM | FEM_07A-22-1-0-AMERICA | FEM_07A-22.1.0-build0001-AMERICA.out | America
FEX-201F-AM | FEM_07A-22-2-0-AMERICA | FEM_07A-22.2.0-build0002-AMERICA.out | America
FEX-201F-EA | FEM_07E-22-0-0-WRLD | FEM_07E-22.0.0-build0001-WRLD.out | World
FEX-201F-EA | FEM_07E-22-1-1-WRLD | FEM_07E-22.1.1-build0001-WRLD.out | World
FEX-202F-AM | FEM_07A-22-1-0-AMERICA | FEM_07A-22.1.0-build0001-AMERICA.out | America
FEX-202F-AM | FEM_07A-22-2-0-AMERICA | FEM_07A-22.2.0-build0002-AMERICA.out | America
FEX-202F-EA | FEM_07E-22-1-1-WRLD | FEM_07E-22.1.1-build0001-WRLD.out | World
FEX-211E | FEM_12-19-1-0-WRLD | FEM_12-19.1.0-build0001-WRLD.out | World
FEX-211E | FEM_12-19-2-0-WRLD | FEM_12-19.2.0-build0002-WRLD.out | World
FEX-211E | FEM_12-22-1-0-AMEU | FEM_12-22.0.0-build0001-AMEU.out | America and EU
FEX-211E | FEM_12-22-1-1-WRLD | FEM_12-22.1.1-build0001-WRLD.out | World
FEV-211F_AM | FEM_12_EM7511-22-1-2-AMERICA | FEM_12_EM7511-22.1.2-build0001-AMERICA.out | America
FEV-211F | FEM_12-22-1-0-AMEU | FEM_12-22.1.0-build0001-AMEU.out | World
FEX-211F-AM | FEM_12_EM7511-22-1-2-AMERICA | FEM_12_EM7511-22.1.2-build0001-AMERICA.out | America
FEX-212F | FEM_12-19-2-0-WRLD | FEM_12-19.2.0-build0002-WRLD.out | World
FEX-212F | FEM_12-22-1-1-WRLD | FEM_12-22.1.1-build0001-WRLD.out | World
FEX-311F | FEM_EM160-22-02-03 | FEM_EM160-22.2.3-build0001.out | World
FEX-311F | FEM_EM160-22-1-2 | FEM_EM160-22.1.2-build0001.out | World
FEX-511F | FEM_RM502Q-21-2-2 | FEM_RM502Q-21.2.2-build0003.out | World
FEX-511F | FEM_RM502Q-22-03-03 | FEM_RM502Q-22.3.3-build0004.out | World
FEX-511F | FEM_RM502Q-22-04-04-AU | FEM_RM502Q-22.4.4-build0005_AU.out | Australia
FEX-511F | FEM_RM502Q-22-1-1 | FEM_RM502Q-22.1.1-build0001.out | World
FEX-511F | FEM_RM502Q-22-2-2 | FEM_RM502Q-22.2.2-build0002.out | World

The modem firmware can also be uploaded manually by downloading the file from the Fortinet Customer Service & Support site. The firmware file names are listed in the third column of the table.

To download the modem firmware:

1. Go to https://support.fortinet.com/Download/FirmwareImages.aspx.
2. From the Select Product dropdown, select FortiExtender.
3. Select the Download tab.
4. Click MODEM-Firmware.
5. Select the FortiExtender model and image name, then download the firmware file.

Resolved issues

The following issues have been fixed in version 7.6.2. To inquire about a particular bug, please contact Customer Service & Support.

GUI

Bug ID 1092489: The config system fortiguard > fortiguard-anycast setting was changed to automatically disable when the FortiGuard page is shown on GUI.
Bug ID 1110382: Admin can log in to GUI (HTTPS) with password, even when admin-https-pki-required is enabled.

HA

Bug ID 1108895: In an FGSP cluster, enabling and disabling standalone-config-sync results in the local dev_base being deleted and synchronized with the peer, which leads to the absence of the dev_base.

Intrusion Prevention

Bug ID 1107445: Remove IPS diagnose command diagnose ips cfgscript run.

IPsec VPN

Bug ID 1103594: ADVPN IPsec traffic over shortcut drops when IPsec tunnel rekeys.
Bug ID 1012615: IPsec VPN traffic is dropped after upgrading to version 7.4.3.
Bug ID 1073670: An IKEd crash on secondary causes IPsec client to reconnect.

SSL VPN

Bug ID 1077157: FortiGate sends out expired server certificate for a given SSL VPN realm, even when the certificate configured in virtual-host-server-cert has been updated.
Bug ID 1101837: Insufficient session expiration in SSL VPN using SAML authentication.

System

Bug ID 1102416: Cannot push config sfp-dsl enable and vectoring under interface.

User & Authentication

Bug ID 1075207: fnbam may crash due to configuration of two wildcard-enabled remote admins in separate VDOMs.

VM

Bug ID 1012000: When unicast HA setup has a large number of interfaces, FGT Hyper-V takes a long time to boot up.

Known issues

Known issues are organized into the following categories:

- New known issues
- Existing known issues

To inquire about a particular bug or report a bug, please contact Customer Service & Support.

New known issues

The following issues have been identified in version 7.6.2.

FortiGate 6000 and 7000 platforms

Bug ID 1102072: On the FortiGate 7000 platform, cmdbsvr CPU usage can be higher than normal for extended periods on one or more FPM.
Bug ID 1112581: On the FortiGate 7000F platform, after upgrading from FortiOS 7.4.7 to 7.6.2, cmdbsvr CPU usage can be at 99% on one or more FPMs for several minutes. During high CPU usage, FortiGuard packets cannot be synchronized to the affected FPM(s).
Bug ID 1112582: Under some conditions, such as during conserve mode, you may be unable to log in to the FortiGate 6000 management board GUI or CLI, or when you log in to the management board console, a message similar to fork failed() continuously repeats.
Bug ID 1116862: Graceful upgrade of a FortiGate 7000E chassis to FortiOS 7.6.2 may fail for some configurations.
Bug ID 1118004: On a FortiGate 7000E FGCP cluster, after using the execute ha disconnect command to disconnect a chassis from the cluster, you can't use the special management ports to connect to the FIM in slot 2 or to any of the FPMs of either chassis. You can still connect to the FIM in slot 1.

Hyperscale

Bug ID 1108263: HA configurations are lost if hw-sess-sync-dev is configured with more interfaces than expected. (The expectation is two times the number of NP7 chips.)

Existing known issues

The following issues have been identified in a previous version of FortiOS and remain in FortiOS 7.6.2.

Endpoint Control

Bug ID 1019658: On FortiGate, not all registered endpoint EMS tags are displayed in the GUI.
Bug ID 1038004: FortiGate may not display the correct user information for some FortiClient instances.

Firewall

Bug ID 959065: On the Policy & Objects > Traffic Shaping page, when deleting or creating a shaper, the counters for the other shapers are cleared.
Bug ID 990528: When searching for an IP address on the Firewall Policy page, the search/filter functionality does not return the expected results.
Bug ID 994986: The By Sequence view in the Firewall policy list may incorrectly show a duplicate implicit deny policy in the middle of the list. This is purely a GUI display issue and does not impact policy operation. The Interface Pair View and Sequence Grouping View do not have this issue.
Bug ID 1117165: Leaving the apn field empty in a GTP APN traffic shaping policy means that the policy will not match any traffic. Consequently, APN traffic shaping can only be applied to specific APNs. To configure GTP APN traffic shaping:

    config gtp apn-shaper
        edit <policy-id>
            set apn [<apn-name> <apngrp-name> ...]
            set rate-limit <limit>
            set action {drop | reject}
            set back-off-time <time>
        next
    end

FortiGate 6000 and 7000 platforms

Bug ID 653335: SSL VPN user status does not display on the FortiManager GUI.
790464   After a failover, ARP entries are removed from all slots when an ARP query of single slot does not respond.
936320   When there is a heavy traffic load, there are no results displayed on any FortiView pages in the GUI.
950983   Feature Visibility options are visible in the GUI on a mgmt-vdom.
994241   On FortiGate 7000F using FGSP and FGCP, when TCP traffic takes an asymmetric path, the TCP ACK and data packets might be dropped in NP7.
998615   When doing a GUI-packet capture on FortiGate, the through-traffic packets are not captured.
1006759  After an HA failover, there is no IPsec route in the kernel.
1014826  SLBC does not function as expected with IPsec over TCP enabled.

FortiView

Bug ID   Description
1034148  The Application Bandwidth widget on the Dashboard > Status page does not display some external applications bandwidth data.

GUI

Bug ID   Description
853352   When viewing entries in slide-out window of the Policy & Objects > Internet Service Database page, users cannot scroll down to the end if there are over 100000 entries.
1047146  After a firmware upgrade, a VLAN interface used in IPsec, SSL VPN, or SD-WAN is not displayed on the interface list or the SD-WAN page and cannot be configured in the GUI.
1047963  High Node.js memory usage when building FortiManager in Report Runner fails. Occurs when FortiManager has a slow connection, is unreachable from the FortiGate (because FMG is behind NAT), or the IP is incorrect.

HA

Bug ID   Description
851743   When running the diag sys ha checksum cluster command, a previous line result is added further down in the output instead of new line result when a FortiGate is configured with several VDOMs.

Hyperscale

Bug ID   Description
1013892  On FortiGates in an HA pair, the npd process does not work as expected when trying to manually update the threat feed.
1030907  With a FGSP and FGCP setup, sessions do not show on the HA secondary when the FGSP peer is in HA.
1042011  On FortiGate, a login error message displays in the event log after completing an automation.
1093287  Using fixed-allocation IP Pools may cause NP7 NSS/PRP modules to become stuck, potentially disrupting traffic. Other PBA IP pools do not have this issue.

Intrusion Prevention

Bug ID   Description
1076213  FortiGates with 4GB memory might enter conserve mode during the FortiGuard update when IPS or APP control is enabled.
         Workaround: Disable the proxy-inline-ips option under config ips settings.

IPsec VPN

Bug ID   Description
735398   On FortiGate, the IKE anti-replay does not log duplicate ESP packets when SA is offloaded in the event log.
995912   After a firmware upgrade, some VPN tunnels experience intermittent signal disruptions causing traffic to be re-routed.
1012615  IPsec VPN traffic is dropped after upgrading to version 7.4.3.
1042371  RADIUS authentication with EAP-TLS does not work as expected through IPsec tunnels.
1103754  Traffic is not forwarded with NTurbo enabled and an IPsec VPN tunnel to FortiGate.

Log & Report

Bug ID   Description
611460   On FortiOS, the Log & Report > Forward Traffic page does not completely load the entire log when the log exceeds 200MB.

Proxy

Bug ID   Description
1023054  After an upgrade on a 2GB FortiGate device, the firewall policy does not switch from Proxy-based to Flow-based in the Inspection mode field.
1035490  The firewall policy works with proxy-based inspection mode on FortiGate models with 2GB RAM after an upgrade.
         Workaround: After an upgrade, reboot the FortiGate.

REST API

Bug ID   Description
938349   Unsuccessful API user login attempts do not get reset within the time specified in adminlockout-threshold.
993345   The router API does not include all ECMP routes for SD-WAN included in the get router info routing-table command.
1051870  After a firmware upgrade, some VLAN interfaces attached to a LAG interface are not displayed in the GUI.

Security Fabric

Bug ID   Description
903922   Physical and logical topology is slow to load when there are a lot of managed FortiAP devices (over 50). This issue does not impact FortiAP management and operation.
1011833  FortiGate experiences a CPU usage issue in the Node.js daemon when there are multiple administrator sessions running simultaneously.
1019844  In an HA configuration, when the primary FortiGate unit fails over to a downstream unit, the previous primary unit displays as being permanently disconnected.
1040058  The Security Rating topology and results do not display non-FortiGate devices.

Switch Controller

Bug ID   Description
961142   An interface in FortiLink is flapping with an MCLAG FortiSwitch using DAC on an OPSFPP-T-05PAB transceiver.
1113304  FortiSwitch units are offline after FortiGate is upgraded from 7.6.0 to 7.6.1 or later when the LLDP configuration is set to vdom/disable under the FortiLink interface.
         Workaround: In LLDP configuration, enable lldp-reception and lldp-transmission under the FortiLink interface, or rebuild the FortiLink interface.

System

Bug ID   Description
947982   On NP7 platforms, DSW packets are missing resulting in VOIP experiencing performance issues during peak times.
971466   FortiGateRugged 60 models may experience packet loss when directly connected to Cisco switch.
1041726  Traffic flow speed is reduced or interrupted when the traffic shaper is enabled.
1046484  After shutting down FortiGate, the system automatically boots up again.
1047085  The FortiOS GUI is unresponsive due to a CPU usage issue with the csfd and node processes.
1058256  On FortiGate, interfaces with DAC cables remain down after upgrading to version 7.4.4.
1069208  If the DHCP offer contains padding when DHCP relay is used, the DHCP relay deletes the padding before relaying the packet.
1103146  Packet capture duplicate entries on FortiGate.
1103617  Integrating an interface does not work when adding a new member into an existing interface or creating a new interface.
1112376  On FortiGate 7000E, application newcli crashes at create_tree at ././cmf/cli/node.c:906.

Upgrade

Bug ID   Description
1043815  Upgrading the firmware for a large number (100+) of FortiSwitch or FortiAP devices at the same time may cause performance issues with the GUI and some devices may not upgrade.
         Workaround: pace out the upgrade schedule and upgrade devices in smaller batches.
1104649  If a local-in policy, DoS policy, interface policy, multicast policy, TTL policy, or central SNAT map used an interface in version 7.4.5, 7.6.0 or any previous GA version that was part of the SD-WAN zone, these policies will be deleted or show empty values after upgrading to version 7.4.6 or 7.6.1.
         Workaround: After upgrading to 7.4.6 or 7.6.1 GA, users must manually recreate these policies and assign them to the appropriate SD-WAN zone.
1106072  The image file transfer between FortiManager and FortiGate may not work as expected when transferred by the FGFM tunnel.

User & Authentication

Bug ID   Description
802089   User groups from FortiManager are not synchronized across all units except the MBD.
1021719  On the System > Certificates page, the Create Certificate pane does not function as expected after creating a new certificate.
1082800  When performing LDAP user searches from the GUI against LDAP servers with a large number of users (more than 100000), FortiGate may experience a performance issue and not operate as expected due to the HTTPSD process consuming too much memory. User may need to stop the HTTPSD process or perform a reboot to recover.
         Workaround: Perform an LDAP user search using the CLI.
1112718  When the RADIUS server has the require-message-authenticator setting disabled, the GUI RADIUS server dialogs Test connectivity and Test user credentials still check for the message-authenticator value and incorrectly fail the test with a missing authenticator error message.
             config user radius
                 edit <radius server>
                     set require-message-authenticator disable
                 next
             end
         This is only a GUI display issue and the end-to-end integration with the RADIUS server should still work.
         Workaround: Confirm the connection to the RADIUS server with the CLI command:
             diagnose test authserver radius <server> <method> <user> <password>

Web Filter

Bug ID   Description
1040147  Options set in ftgd-wf cannot be undone for a web filter configuration.
1058007  Web filter custom replacement messages in group configurations cannot be edited in FortiGate.

WiFi Controller

Bug ID   Description
1083395  In an HA environment with FortiAPs managed by primary FortiGate, the secondary FortiGate GUI Managed FortiAP page may show the FortiAP status as offline if the FortiAP traffic is not routed through the secondary FortiGate. This is only a GUI issue and does not impact FortiAP operation.

Built-in AV Engine

AV Engine 7.00034 is released as the built-in AV Engine. Refer to the AV Engine Release Notes for information.

Built-in IPS Engine

IPS Engine 7.001026 is released as the built-in IPS Engine. Refer to the IPS Engine Release Notes for information.

Limitations

Citrix XenServer limitations

The following limitations apply to Citrix XenServer installations:
- XenTools installation is not supported.
- FortiGate-VM can be imported or deployed in only the following three formats:
    - XVA (recommended)
    - VHD
    - OVF
- The XVA format comes pre-configured with default configurations for VM name, virtual CPU, memory, and virtual NIC. Other formats will require manual configuration before the first power on process.

Open source XenServer limitations

When using Linux Ubuntu version 11.10, XenServer version 4.1.0, and libvirt version 0.9.2, importing issues may arise when using the QCOW2 format and existing HDA issues.

www.fortinet.com

Copyright© 2025 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet's Chief Legal Officer, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet's internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.