Release Notes

FortiOS 7.4.7
FORTINET DOCUMENT LIBRARY
https://docs.fortinet.com

FORTINET VIDEO LIBRARY

https://video.fortinet.com

FORTINET BLOG
https://blog.fortinet.com

CUSTOMER SERVICE & SUPPORT

https://support.fortinet.com

FORTINET TRAINING & CERTIFICATION PROGRAM

https://www.fortinet.com/training-certification

FORTINET TRAINING INSTITUTE

https://training.fortinet.com

FORTIGUARD LABS
https://www.fortiguard.com

END USER LICENSE AGREEMENT

https://www.fortinet.com/doc/legal/EULA.pdf

FEEDBACK
Email: [email protected]

January 21, 2025

FortiOS 7.4.7 Release Notes
01-747-1114568-20250121
 TABLE OF CONTENTS

Change Log 5
Introduction and supported models 6
Supported models 6
Special notices 7
Hyperscale incompatibilities and limitations 7
FortiGate 6000 and 7000 incompatibilities and limitations 7
SMB drive mapping with ZTNA access proxy 7
Local out traffic using ECMP routes could use different port or route to server 8
Hyperscale NP7 hardware limitation 8
Changes in table size 9
Upgrade information 10
Fortinet Security Fabric upgrade 10
Downgrading to previous firmware versions 12
Firmware image checksums 12
FortiGate 6000 and 7000 upgrade information 12
IPS-based and voipd-based VoIP profiles 13
GUI firmware upgrade does not respect upgrade path in previous versions 14
2 GB RAM FortiGate models no longer support FortiOS proxy-related features 15
FortiGate VM memory and upgrade 15
Managed FortiSwitch do not permit empty passwords for administrator accounts 15
Policies that use an interface show missing or empty values after an upgrade 15
Product integration and support 17
Virtualization environments 18
Language support 18
SSL VPN support 19
SSL VPN web mode 19
FortiExtender modem firmware compatibility 19
Resolved issues 22
Anti Virus 22
GUI 22
HA 22
Intrusion Prevention 22
Log & Report 23
SSL VPN 23
User & Authentication 23
Known issues 24
New known issues 24
Existing known issues 24
Explicit Proxy 24
Firewall 24
FortiGate 6000 and 7000 platforms 25

FortiOS 7.4.7 Release Notes 3

Fortinet Inc.
 GUI 25
HA 26
Hyperscale 26
IPsec VPN 27
Proxy 27
Routing 27
Security Fabric 28
System 28
Upgrade 28
User & Authentication 28
VM 29
WiFi Controller 30
ZTNA 30
Built-in AV Engine 31
Built-in IPS Engine 32
Limitations 33
Citrix XenServer limitations 33
Open source XenServer limitations 33
Limitations on HA cluster formation between different FortiGate Rugged 60F and 60F
3G4G models 33

FortiOS 7.4.7 Release Notes 4

Fortinet Inc.
Change Log

Date Change Description

2025-01-21 Initial release.

FortiOS 7.4.7 Release Notes 5

Fortinet Inc.
Introduction and supported models

This guide provides release information for FortiOS 7.4.7 build 2731.
For FortiOS documentation, see the Fortinet Document Library.

Supported models

FortiOS 7.4.7 supports the following models.

FortiGate FG-40F, FG-40F-3G4G, FG-60E, FG-60E-DSL, FG-60E-DSLJ, FG-60E-POE, FG-60F, FG-

61E, FG-61F, FG-70F, FG-71F, FG-80E, FG-80E-POE, FG-80F, FG-80F-BP, FG-80F-DSL,
FG-80F-POE, FG-81E, FG-81E-POE, FG-81F, FG-81F-POE, FG-90E, FG-91E, FG-90G,
FG-91G, FG-100F, FG-101F, FG-120G, FG-121G, FG-140E, FG-140E-POE, FG-200E, FG-
200F, FG-201E, FG-201F, FG-300E, FG-301E, FG-400E, FG-400E-BP, FG-401E, FG-400F,
FG-401F, FG-500E, FG-501E, FG-600E, FG-601E, FG-600F, FG-601F, FG-800D, FG-900D,
FG-900G, FG-901G, FG-1000D, FG-1000F, FG-1001F, FG-1100E, FG-1101E, FG-1800F,
FG-1801F, FG-2000E, FG-2200E, FG-2201E, FG-2500E, FG-2600F, FG-2601F, FG-3000D,
FG-3000F, FG-3001F, FG-3100D, FG-3200D, FG-3200F, FG-3201F, FG-3300E, FG-3301E,
FG-3400E, FG-3401E, FG-3500F, FG-3501F, FG-3600E, FG-3601E, FG-3700D, FG-3700F,
FG-3701F, FG-3960E, FG-3980E, FG-4200F, FG-4201F, FG-4400F, FG-4401F, FG-4800F,
FG-4801F, FG-5001E, FG-5001E1

FortiWiFi FWF-40F, FWF-40F-3G4G, FWF-60E, FWF-60E-DSL, FWF-60E-DSLJ, FWF-60F, FWF-

61E, FWF-61F, FWF-80F-2R, FWF-80F-2R-3G4G-DSL, FWF-81F-2R, FWF-81F-2R-3G4G-
DSL, FWF-81F-2R-POE, FWF-81F-2R-3G4G-POE

FortiGate Rugged FGR-60F, FGR-60F-3G4G, FGR-70F, FGR-70F-3G4G

FortiFirewall FFW-1801F, FFW-2600F, FFW-3001F, FFW-3501F, FFW-3980E, FFW-4200F, FFW-4400F,

FFW-4401F, FFW-4801F, FFW-VM64, FFW-VM64-KVM

FortiGate VM FG-ARM64-AWS, FG-ARM64-AZURE, FG-ARM64-GCP, FG-ARM64-KVM, FG-ARM64-

OCI, FG-VM64, FG-VM64-ALI, FG-VM64-AWS, FG-VM64-AZURE, FG-VM64-GCP, FG-
VM64-HV, FG-VM64-IBM, FG-VM64-KVM, FG-VM64-OPC, FG-VM64-RAXONDEMAND,
FG-VM64-XEN

FortiOS 7.4.7 Release Notes 6

Fortinet Inc.
Special notices

l Hyperscale incompatibilities and limitations on page 7

l FortiGate 6000 and 7000 incompatibilities and limitations on page 7
l SMB drive mapping with ZTNA access proxy on page 7
l Local out traffic using ECMP routes could use different port or route to server on page 8
l Hyperscale NP7 hardware limitation on page 8

Hyperscale incompatibilities and limitations

See Hyperscale firewall incompatibilities and limitations in the Hyperscale Firewall Guide for a list of limitations and
incompatibilities with FortiOS 7.4.7 features.

FortiGate 6000 and 7000 incompatibilities and limitations

See the following links for information about FortiGate 6000 and 7000 limitations and incompatibilities with FortiOS 7.4.7
features.
l FortiGate 6000 incompatibilities and limitations
l FortiGate 7000E incompatibilities and limitations
l FortiGate 7000F incompatibilities and limitations

SMB drive mapping with ZTNA access proxy

In FortiOS 7.4.1 and later, SMB drive mapping on a Windows PC made through a ZTNA access proxy becomes
inaccessible after the PC reboots when access proxy with TCP forwarding is configured as FQDN. When configured with
an IP for SMB traffic, same issue is not observed.
One way to solve the issue is to enter the credentials into Windows Credential Manager in the form of
domain\username.
Another way to solve the issue is to leverage the KDC proxy to issue a TGT (Kerberos) ticket for the remote user. See
ZTNA access proxy with KDC to access shared drives for more information. This way, there is no reply in Credential
Manager anymore, and the user is authenticated against the DC.

FortiOS 7.4.7 Release Notes 7

Fortinet Inc.
Special notices

Local out traffic using ECMP routes could use different port or route
to server

Starting from version 7.4.1, when there is ECMP routes, local out traffic may use different route/port to connect out to
server. For critical traffic which is sensitive to source IP addresses, it is suggested to specify the interface or SD-WAN for
the traffic since FortiOS has implemented interface-select-method command for nearly all local-out traffic.
config system fortiguard
set interface-select-method specify
set interface "wan1"
end

Hyperscale NP7 hardware limitation

Because of an NP7 hardware limitation, for CGN traffic accepted by a hyperscale firewall policy that includes an
overload with port block allocation (overload PBA) IP Pool, only one block is allocated per client. The setting of the
hyperscale firewall policy cgn-resource-quota option is ignored.
Because of this limitation, under certain rare conditions (for example, only a single server side IP address and port are
being used for a large number of sessions), port allocation may fail even if the block usage of the client is less than its
quota. In cases such as this, if the client has traffic towards some other servers or ports, additional port allocation can
become successful. You can also work around this problem by increasing the IP Pool block size (cgn-block-size).

FortiOS 7.4.7 Release Notes 8

Fortinet Inc.
Changes in table size

Bug ID Description

1042266 On high-end FortiGate models, the number of policy routes and policy routes6 is increased from
2048 to 5000.

FortiOS 7.4.7 Release Notes 9

Fortinet Inc.
Upgrade information

Supported upgrade path information is available on the Fortinet Customer Service & Support site.

FortiGate Upgrade option Details

Individual FortiGate devices Manual update Use the procedure in this topic.
See also Upgrading individual
devices in the FortiOS Administration
Guide.

Automatic update based on See Enabling automatic firmware

FortiGuard upgrade path updates in the FortiOS Administration
Guide for details

Multiple FortiGate devices in a Manual, immediate or scheduled See Fortinet Security Fabric upgrade
Fortinet Security Fabric update based on FortiGuard upgrade on page 10 and Upgrading Fabric or
path managed devices in the FortiOS
Administration Guide.

To view supported upgrade path information:

1. Go to https://support.fortinet.com.
2. From the Download menu, select Firmware Images.
3. Check that Select Product is FortiGate.
4. Click the Upgrade Path tab and select the following:
l Current Product
l Current FortiOS Version
l Upgrade To FortiOS Version
5. Click Go.

Fortinet Security Fabric upgrade

FortiOS 7.4.7 greatly increases the interoperability between other Fortinet products. This includes:

FortiAnalyzer l 7.4.6

FortiManager l 7.4.6

FortiExtender l 7.4.0 and later

FortiSwitch OS l 6.4.6 build 0470 and later

(FortiLink support)

FortiOS 7.4.7 Release Notes 10

Fortinet Inc.
Upgrade information

FortiAP l 7.2.2 and later

FortiAP-U l 6.2.5 and later

FortiAP-W2 l 7.2.2 and later

FortiClient* EMS l 7.0.3 build 0229 and later

FortiClient* Microsoft l 7.0.3 build 0193 and later

Windows

FortiClient* Mac OS X l 7.0.3 build 0131 and later

FortiClient* Linux l 7.0.3 build 0137 and later

FortiClient* iOS l 7.0.2 build 0036 and later

FortiClient* Android l 7.0.2 build 0031 and later

FortiSandbox l 2.3.3 and later for post-transfer scanning

l 4.2.0 and later for post-transfer and inline scanning

*
If you are using FortiClient only for IPsec VPN or SSL VPN, FortiClient version 6.0 and later are supported.
When upgrading your Security Fabric, devices that manage other devices should be upgraded first.

When using FortiClient with FortiAnalyzer, you should upgrade both to their latest versions.
The versions between the two products should match. For example, if using FortiAnalyzer
7.4.0, use FortiClient 7.4.0.

Upgrade the firmware of each device in the following order. This maintains network connectivity without the need to use
manual steps.
1. FortiAnalyzer
2. FortiManager
3. FortiGate devices
4. Managed FortiExtender devices
5. Managed FortiSwitch devices
6. Managed FortiAP devices
7. FortiClient EMS
8. FortiClient
9. FortiSandbox
10. FortiMail
11. FortiWeb
12. FortiNAC
13. FortiVoice
14. FortiDeceptor
15. FortiNDR
16. FortiTester
17. FortiMonitor

FortiOS 7.4.7 Release Notes 11

Fortinet Inc.
Upgrade information

If Security Fabric is enabled, then all FortiGate devices must be upgraded to 7.4.7. When
Security Fabric is enabled in FortiOS 7.4.7, all FortiGate devices must be running FortiOS
7.4.7.

Downgrading to previous firmware versions

Downgrading to previous firmware versions results in configuration loss on all models. Only the following settings are
retained:
l operation mode
l interface IP/management IP
l static route table
l DNS settings
l admin user account
l session helpers
l system access profiles

Firmware image checksums

The MD5 checksums for all Fortinet software and firmware releases are available at the Customer Service & Support
portal, https://support.fortinet.com. After logging in, go to Support > Firmware Image Checksums (in the Downloads
section), enter the image file name including the extension, and click Get Checksum Code.

FortiGate 6000 and 7000 upgrade information

Upgrade FortiGate 6000 firmware from the management board GUI or CLI. Upgrade FortiGate 7000 firmware from the
primary FIM GUI or CLI. The FortiGate 6000 management board and FPCs or the FortiGate 7000 FIMs and FPMs all run
the same firmware image. Upgrading the firmware copies the firmware image to all components, which then install the
new firmware and restart. A FortiGate 6000 or 7000 firmware upgrade can take a few minutes, the amount of time
depending on the hardware and software configuration and whether DP or NP7 processor software is also upgraded.
On a standalone FortiGate 6000 or 7000, or an HA cluster with uninterruptible-upgrade disabled, the firmware
upgrade interrupts traffic because all components upgrade in one step. These firmware upgrades should be done during
a quiet time because traffic can be interrupted for a few minutes during the upgrade process.
Fortinet recommends running a graceful firmware upgrade of a FortiGate 6000 or 7000 FGCP HA cluster by enabling
uninterruptible-upgrade and session-pickup. A graceful firmware upgrade only causes minimal traffic
interruption.

FortiOS 7.4.7 Release Notes 12

Fortinet Inc.
Upgrade information

Fortinet recommends that you review the services provided by your FortiGate 6000 or 7000
before a firmware upgrade and then again after the upgrade to make sure that these services
continue to operate normally. For example, you might want to verify that you can successfully
access an important server used by your organization before the upgrade and make sure that
you can still reach the server after the upgrade and performance is comparable. You can also
take a snapshot of key performance indicators (for example, number of sessions, CPU usage,
and memory usage) before the upgrade and verify that you see comparable performance after
the upgrade.

To perform a graceful upgrade of your FortiGate 6000 or 7000 to FortiOS 7.4.7:

1. Use the following command to set the upgrade-mode to uninterruptible to support HA graceful upgrade:
config system ha
set uninterruptible-upgrade enable
end

When upgrading from FortiOS 7.4.1 to a later version, use the following command to
enable uninterruptible upgrade:
config system ha
set upgrade-mode uninterruptible
end

2. Download the FortiOS 7.4.7 FG-6000F, FG-7000E, or FG-7000F firmware from https://support.fortinet.com.
3. Perform a normal upgrade of your HA cluster using the downloaded firmware image file.
4. When the upgrade is complete, verify that you have installed the correct firmware version.
For example, check the FortiGate dashboard or use the get system status command.
5. Confirm that all components are synchronized and operating normally.
For example, open the Cluster Status dashboard widget to view the status of all components, or use diagnose
sys confsync status to confirm that all components are synchronized.

IPS-based and voipd-based VoIP profiles

In FortiOS 7.4.0 and later, the new IPS-based VoIP profile allows flow-based SIP to complement SIP ALG while working
together. There are now two types of VoIP profiles that can be configured:
config voip profile
edit <name>
set feature-set {ips | voipd}
next
end

A voipd-based VoIP profile is handled by the voipd daemon using SIP ALG inspection. This is renamed from proxy in
previous FortiOS versions.
An ips-based VoIP profile is handled by the IPS daemon using flow-based SIP inspection. This is renamed from flow in
previous FortiOS versions.
Both VoIP profile types can be configured at the same time on a firewall policy. For example:

FortiOS 7.4.7 Release Notes 13

Fortinet Inc.
Upgrade information

config firewall policy

edit 1
set voip-profile "voip_sip_alg"
set ips-voip-filter "voip_sip_ips"
next
end

Where:
l voip-profile can select a voip-profile with feature-set voipd.
l ips-voip-filter can select a voip-profile with feature-set ips.
The VoIP profile selection within a firewall policy is restored to pre-7.0 behavior. The VoIP profile can be selected
regardless of the inspection mode used in the firewall policy. The new ips-voip-filter setting allows users to select
an IPS-based VoIP profile to apply flow-based SIP inspection, which can work concurrently with SIP ALG.
Upon upgrade, the feature-set setting of the voip profile determines whether the profile applied in the firewall
policy is voip-profile or ips-voip-filter.

Before upgrade After upgrade

config voip profile config voip profile
edit "ips_voip_filter" edit "ips_voip_filter"
set feature-set flow set feature-set ips
next next
edit "sip_alg_profile" edit "sip_alg_profile"
set feature-set proxy set feature-set voipd
next next
end end

config firewall policy

config firewall policy
edit 1
edit 1
set ips-voip-filter "ips_voip_
set voip-profile "ips_voip_filter"
filter"
next
next
edit 2
edit 2
set voip-profile "sip_alg_profile"
set voip-profile "sip_alg_profile"
next
next
end
end

GUI firmware upgrade does not respect upgrade path in previous

versions

When performing a firmware upgrade from 7.4.0 - 7.4.3 that requires multiple version jumps, the Follow upgrade path
option in the GUI does not respect the recommended upgrade path, and instead upgrades the firmware directly to the
final version. This can result in unexpected configuration loss. To upgrade a device in the GUI, upgrade to each interim
version in the upgrade path individually.
For example, when upgrading from 7.0.7 to 7.0.12 the recommended upgrade path is 7.0.7 -> 7.0.9 -> 7.0.11 -> 7.0.12.
To ensure that there is no configuration loss, first upgrade to 7.0.9, then 7.0.11, and then 7.0.12.

FortiOS 7.4.7 Release Notes 14

Fortinet Inc.
Upgrade information

2 GB RAM FortiGate models no longer support FortiOS proxy-

related features

As part of improvements to enhance performance and optimize memory usage on FortiGate models with 2 GB RAM or
less, starting from version 7.4.4, FortiOS no longer supports proxy-related features.
This change impacts the FortiGate/FortiWiFi 40F, 60E, 60F, 80E, and 90E series devices, along with their variants, and
the FortiGate-Rugged 60F (2 GB versions only). See Proxy-related features no longer supported on FortiGate 2 GB
RAM models for more information.

FortiGate VM memory and upgrade

FortiGate virtual machines (VMs) are not constrained by memory size and will continue to support all available features
after upgrading to FortiOS 7.6.0. However, it is recommended to setup VMs with at least 4 GB of RAM for optimal
performance.

Managed FortiSwitch do not permit empty passwords for

administrator accounts

Starting from FortiOS version 7.6.1, a managed FortiSwitch no longer permits empty passwords for the admin account. If
a FortiSwitch unit was previously authorized without an admin password, the FortiGate will automatically generate a
random admin password for the FortiSwitch upon upgrading to 7.6.1. This change will cause the admin to lose access.
To regain access, configure a password override on the FortiGate device using the following commands:
config switch-controller switch-profile
edit default
set login-passwd-override enable
set login-passwd <passwd>
next
end

FortiSwitch units with an existing admin password will not be affected by this change.

Policies that use an interface show missing or empty values after an

upgrade

If local-in policy used an interface in version 7.4.5 GA, or any previous GA version that was part of the SD-WAN zone,
these policies will be deleted or show empty values after upgrading to version 7.4.6.

FortiOS 7.4.7 Release Notes 15

Fortinet Inc.
Upgrade information

After upgrading to version 7.4.6 GA, users must manually recreate these policies and assign them to the appropriate SD-
WAN zone.

FortiOS 7.4.7 Release Notes 16

Fortinet Inc.
Product integration and support

The following table lists FortiOS 7.4.7 product integration and support information:

Web browsers l Microsoft Edge 112

l Mozilla Firefox version 113
l Google Chrome version 113
Other browser versions have not been tested, but may fully function.
Other web browsers may function correctly, but are not supported by Fortinet.

Explicit web proxy browser l Microsoft Edge 112

l Mozilla Firefox version 113
l Google Chrome version 113
Other browser versions have not been tested, but may fully function.
Other web browsers may function correctly, but are not supported by Fortinet.

FortiController l 5.2.5 and later

Supported models: FCTL-5103B, FCTL-5903C, FCTL-5913C

Fortinet Single Sign-On l 5.0 build 0319 and later (needed for FSSO agent support OU in group filters)
(FSSO) l Windows Server 2022 Standard
l Windows Server 2022 Datacenter
l Windows Server 2019 Standard
l Windows Server 2019 Datacenter
l Windows Server 2019 Core
l Windows Server 2016 Datacenter
l Windows Server 2016 Standard
l Windows Server 2016 Core
l Windows Server 2012 Standard
l Windows Server 2012 R2 Standard
l Windows Server 2012 Core
l Novell eDirectory 8.8

AV Engine l 7.00035

IPS Engine l 7.00559

See also:
l Virtualization environments on page 18
l Language support on page 18
l SSL VPN support on page 19
l FortiExtender modem firmware compatibility on page 19

FortiOS 7.4.7 Release Notes 17

Fortinet Inc.
Product integration and support

Virtualization environments

The following table lists hypervisors and recommended versions.

Hypervisor Recommended versions

Citrix Hypervisor l 8.2 Express Edition, CU1

Linux KVM l Ubuntu 22.04.3 LTS

l Red Hat Enterprise Linux release 9.4
l SUSE Linux Enterprise Server 12 SP3 release 12.3

Microsoft Windows Server l Windows Server 2019

Windows Hyper-V Server l Microsoft Hyper-V Server 2019

Open source XenServer l Version 3.4.3

l Version 4.1 and later

VMware ESXi l Versions 6.5, 6.7, 7.0, and 8.0.

Language support

The following table lists language support information.

Language support

Language GUI

English ✔

Chinese (Simplified) ✔

Chinese (Traditional) ✔

French ✔

Japanese ✔

Korean ✔

Portuguese (Brazil) ✔

Spanish ✔

FortiOS 7.4.7 Release Notes 18

Fortinet Inc.
Product integration and support

SSL VPN support

SSL VPN web mode

The following table lists the operating systems and web browsers supported by SSL VPN web mode.

Supported operating systems and web browsers

Operating System Web Browser

Microsoft Windows 7 SP1 (32-bit & 64-bit) Mozilla Firefox version 113
Google Chrome version 112

Microsoft Windows 10 (64-bit) Microsoft Edge

Mozilla Firefox version 113
Google Chrome version 112

Ubuntu 20.04 (64-bit) Mozilla Firefox version 113

Google Chrome version 112

macOS Ventura 13.1 Apple Safari version 16

Mozilla Firefox version 103
Google Chrome version 111

iOS Apple Safari

Mozilla Firefox
Google Chrome

Android Mozilla Firefox

Google Chrome

Other operating systems and web browsers may function correctly, but are not supported by Fortinet.

FortiExtender modem firmware compatibility

The following table lists the modem firmware file name and version for each FortiExtender model and its compatible
geographical region.

FortiExtender Modem firmware image Modem firmware file on Support Geographical

model name site region

FEX-101F-AM FEM_EM06A-22-1-1 FEM_EM06A-22.1.1-build0001.out America

FEM_EM06E-22-01-01 FEM_EM06E-22.1.1-build0001.out EU
FEX-101F-EA
FEM_EM06E-22.2.2 FEM_EM06E-22.2.2-build0002.out EU

FortiOS 7.4.7 Release Notes 19

Fortinet Inc.
Product integration and support

FortiExtender Modem firmware image Modem firmware file on Support Geographical

model name site region

FEM_06-19-0-0-AMEU FEM_06-19.0.0-build0000-AMEU.out America and EU

FEM_06-19-1-0-AMEU FEM_06-19.1.0-build0001-AMEU.out America and EU

FEX-201E
FEM_06-22-1-1-AMEU FEM_06-22.1.1-build0001-AMEU.out America and EU

FEM_06-22-1-2-AMEU FEM_06-22.1.2-build0001-AMEU.out America and EU

FEM_07A-22.1.0-build0001-
FEM_07A-22-1-0-AMERICA America
AMERICA.out
FEX-201F-AM
FEM_07A-22.2.0-build0002-
FEM_07A-22-2-0-AMERICA America
AMERICA.out

FEM_07E-22.0.0-build0001-
FEM_07E-22-0-0-WRLD World
WRLD.out
FEX-201F-EA
FEM_07E-22.1.1-build0001-
FEM_07E-22-1-1-WRLD World
WRLD.out

FEM_07A-22.1.0-build0001-
FEM_07A-22-1-0-AMERICA America
AMERICA.out
FEX-202F-AM
FEM_07A-22.2.0-build0002-
FEM_07A-22-2-0-AMERICA America
AMERICA.out

FEM_07E-22.1.1-build0001-
FEX-202F-EA FEM_07E-22-1-1-WRLD World
WRLD.out

FEM_12-19-1-0-WRLD FEM_12-19.1.0-build0001-WRLD.out World

FEM_12-19-2-0-WRLD FEM_12-19.2.0-build0002-WRLD.out World

FEX-211E
FEM_12-22-1-0-AMEU FEM_12-22.0.0-build0001-AMEU.out America and EU

FEM_12-22-1-1-WRLD FEM_12-22.1.1-build0001-WRLD.out World

FEM_12_EM7511-22-1-2- FEM_12_EM7511-22.1.2-build0001-
FEV-211F_AM America
AMERICA AMERICA.out

FEV-211F FEM_12-22-1-0-AMEU FEM_12-22.1.0-build0001-AMEU.out World

FEM_12_EM7511-22-1-2- FEM_12_EM7511-22.1.2-build0001-
FEX-211F-AM America
AMERICA AMERICA.out

FEM_12-19-2-0-WRLD FEM_12-19.2.0-build0002-WRLD.out World

FEX-212F
FEM_12-22-1-1-WRLD FEM_12-22.1.1-build0001-WRLD.out World

FEM_EM160-22-02-03 FEM_EM160-22.2.3-build0001.out World

FEX-311F
FEM_EM160-22-1-2 FEM_EM160-22.1.2-build0001.out World

FortiOS 7.4.7 Release Notes 20

Fortinet Inc.
Product integration and support

FortiExtender Modem firmware image Modem firmware file on Support Geographical

model name site region

FEM_RM502Q-21-2-2 FEM_RM502Q-21.2.2-build0003.out World

FEM_RM502Q-22-03-03 FEM_RM502Q-22.3.3-build0004.out World

FEM_RM502Q-22.4.4-build0005_
FEX-511F FEM_RM502Q-22-04-04-AU Australia
AU.out

FEM_RM502Q-22-1-1 FEM_RM502Q-22.1.1-build0001.out World

FEM_RM502Q-22-2-2 FEM_RM502Q-22.2.2-build0002.out World

The modem firmware can also be uploaded manually by downloading the file from the Fortinet Customer Service &
Support site. The firmware file names are listed in the third column of the table.

To download the modem firmware:

1. Go to https://support.fortinet.com/Download/FirmwareImages.aspx.
2. From the Select Product dropdown, select FortiExtender.
3. Select the Download tab.
4. Click MODEM-Firmware.
5. Select the FortiExtender model and image name, then download the firmware file.

FortiOS 7.4.7 Release Notes 21

Fortinet Inc.
Resolved issues

The following issues have been fixed in version 7.4.7. To inquire about a particular bug, please contact Customer
Service & Support.

Anti Virus

Bug ID Description

1068321 MMDB and AVAI DBs are unsigned after upgrading from version 7.0.15 to version 7.2.9.

GUI

Bug ID Description

1110382 Admin can login to GUI (HTTPS) with password, even when admin-https-pki-required is
enabled.

HA

Bug ID Description

1054041 DHCP client can't get IPv4 address from server with vcluster.

Intrusion Prevention

Bug ID Description

1107445 Remove IPS diagnose command diagnose ips cfgscript run.

FortiOS 7.4.7 Release Notes 22

Fortinet Inc.
Resolved issues

Log & Report

Bug ID Description

1045253 FortiGate logs are not transferred into FortiGate Cloud Log server.

SSL VPN

Bug ID Description

1000674 When generating function backtrace in crash logs for ARM32, SSL VPN frequently crashes due to
segmentation faults.

1101837 Insufficient session expiration in SSL VPN using SAML authentication.

User & Authentication

Bug ID Description

1070560 Admin authentication bypass when configuring TACACS server.

FortiOS 7.4.7 Release Notes 23

Fortinet Inc.
Known issues

Known issues are organized into the following categories:

l New known issues on page 24
l Existing known issues on page 24
To inquire about a particular bug or report a bug, please contact Customer Service & Support.

New known issues

There are currently no issues that have been identified in version 7.4.7.

Existing known issues

The following issues have been identified in a previous version of FortiOS and remain in FortiOS 7.4.7.

Explicit Proxy

Bug ID Description

1026362 Web pages do not load when persistent-cookie is disabled for session-cookie-based
authentication with captive-portal.

Firewall

Bug ID Description

959065 On the Policy & Objects > Traffic Shaping page, when deleting or creating a shaper, the counters for
the other shapers are cleared.

994986 The By Sequence view in the Firewall policy list may incorrectly show a duplicate implicit deny
policy in the middle of the list. This is purely a GUI display issue and does not impact policy
operation.
The Interface Pair View and Sequence Grouping View do not have this issue.

1057080 On the Firewall Policy page, search results do not display in an expanded format.

FortiOS 7.4.7 Release Notes 24

Fortinet Inc.
 Known issues

FortiGate 6000 and 7000 platforms

Bug ID Description

790464 After a failover, ARP entries are removed from all slots when an ARP query of single slot does not
respond.

911244 FortiGate 7000E IPv6 routes may not be synchronized correctly among FIMs and FPMs.

976521 On FortiGate 6000 models, a CPU usage issue occurs in the node process when navigating a policy
list with a large number (+7000) of policies in a VDOM.

1006759 After an HA failover, there is no IPsec route in the kernel.

1026665 On the FortiGate 7000F platform with virtual clustering enabled and syslog logging configured,
when running the diagnose log test command from a primary vcluster VDOM, some FPMs
may not send log messages to the configured syslog servers.

1048808 If the secondary reboots, after it rejoins the cluster SIP sessions are not resynchronized.

1060619 CSF is not working as expected.

1070365 FGCP HA session synchronization may stop working as expected on a FortiGate 7000F cluster
managed by FortiManager. This happens if the HA configuration uses management interfaces as
session synchronization interfaces by configuring the session-sync-dev option, for example:
config system ha
set session-sync-dev 1-M1 1-M2
end

The problem occurs when FortiManager updates the configuration of the FortiGate 7000F devices
in the cluster it incorrectly changes to the VDOM of the management interfaces added to the
session-sync-dev command from mgmt-vdom to vsys_ha and the interfaces stop working as
session sync interfaces.
You can work around the problem by re-configuring the session-sync-dev option on the
FortiGate 7000F cluster (this resets the VDOM of the session sync interfaces to vsys_ha) and then
retrieving the FortiGate configuration from FortiManager. This synchronizes the correct
configuration to FortiManager.

1078532 When upgrading the FG6001F platform, in some instances the slave chassis does not synchronize
the FPC subscription license from master chassis.
Workaround: use the execute update-now command.

1092728 On FortiGate 6000 and 7000 platforms, fragmented IPv6 traffic is randomly dropped.

GUI

Bug ID Description

853352 When viewing entries in slide-out window of the Policy & Objects > Internet Service Database page,
users cannot scroll down to the end if there are over 100000 entries.

885427 Suggest showing the SFP status information on the faceplate of FGR-60F/60F-3G4G devices.

FortiOS 7.4.7 Release Notes 25

Fortinet Inc.
 Known issues

Bug ID Description

1047963 High Node.js memory usage when building FortiManager in Report Runner fails. Occurs when
FortiManager has a slow connection, is unreachable from the FortiGate (because FMG is behind
NAT), or the IP is incorrect.

1055197 On FortiGate G series models with dual WAN links, the Interface Bandwidth widget may show an
incorrect incoming and outgoing bandwidth count where the actual traffic does not match the
display numbers.

1071907 There is no setting for the type option on the GUI for npu_vlink interface.

1114549 FEXT can't be authorized by FGT GUI.

HA

Bug ID Description

781171 When performing HA upgrade in the GUI, if the secondary unit takes several minutes to boot up, the
GUI may show a misleading error message Image upgrade failed due to premature timeout.
This is just a GUI display issue and the HA upgrade can still complete without issue.

1000808 FortiGate in an HA setup has an unnecessary primary unit selection when a new member joins or
reboots one member in the VC cluster when the VC has more than 2 units.

1107137 The secondary FortiGate with an HA Reserved Management Interface cannot be accessed using
HTTPS after upgrading from version 7.4.3.

Hyperscale

Bug ID Description

817562 NPD/LPMD cannot differentiate the different VRFs, and considers all VRFs as 0.

896203 The parse error, NPD-0:NPD PARSE ADDR GRP gmail.com MEMBER ERR, appears after
rebooting the system.

961328 FortiGate does not choose a random port when set to random mode.

977376 FG-4201F has a 10% performance drop during a CPS test case with DoS policy.

1024274 When Hyperscale logging is enabled with multicast log, the log is not sent to servers that are
configured to receive multicast logs.

1025908 When running FGSP setup, the session count is approximately 50% less on the peer device.

FortiOS 7.4.7 Release Notes 26

Fortinet Inc.
 Known issues

IPsec VPN

Bug ID Description

866413 Traffic over GRE tunnel over IPsec tunnel, or traffic over IPsec tunnel with GRE encapsulation is not
offloaded on NP7-based units.

897871 GRE over IPsec does not work in transport mode.

944600 CPU usage issues occurred when IPsec VPN traffic was received on the VLAN interface of an NP7
vlink.

970703 FortiGate 6K and 7K models do not support IPsec VPN over vdom-link/npu-vlink.

1012615 IPsec VPN traffic is dropped after upgrading to version 7.4.3.

Proxy

Bug ID Description

910678 CPU usage issue in WAD caused by a high number of devices being detected by the device
detection feature.

1035490 The firewall policy works with proxy-based inspection mode on FortiGate models with 2GB RAM
after an upgrade.
Workaround: After an upgrade, reboot the FortiGate.

1060812 When Proxy-mode inline IPS scanning is enabled, the botnet check within the IPS profile does not
work as expected when the IPS profile is applied to a proxy-based inspection policy using certificate
inspection.
Workaround: disable ips.settings.proxy-inline-ips in the CLI.

Routing

Bug ID Description

903444 The diagnose ip rtcache list command is no longer supported in the FortiOS 4.19 kernel.

1040655 From version 7.4.1, when there is ECMP routes, local out traffic may use a different route/port to
connect out to the server.
Workaround: for critical traffic which is sensitive to source IP address, specify the interface or SD-
WAN for the traffic using the interface-select-method command for nearly all local-out traffic.
For example:
config system fortiguard
set interface-select-method specify
set interface "wan1"
end

FortiOS 7.4.7 Release Notes 27

Fortinet Inc.
 Known issues

Security Fabric

Bug ID Description

1011833 FortiGate experiences a CPU usage issue in the node process when there multiple administrator
sessions running simultaneously on the GUI in a Security Fabric with multiple downstream devices.
This may result in slow loading times for multiple GUI pages.

1021684 In some cases, the Security Fabric topology does not load properly and displays a Failed to load
Topology Results error.

System

Bug ID Description

912383 FGR-70F and FGR-70F-3G4G failed to perform regular reboot process (using execute reboot
command) with an SD card inserted.

1021903 After an interface role change, the updated role does not show in the le-switch member list.

1046484 After shutting down FortiGate, the system automatically boots up again.

1057131 A FortiGuard update can cause the system to not operate as expected if the FortiGate is already in
conserve mode. Users may need to reboot the FortiGate.

1078541 The FortiFirewall 2600F model may become stuck after a fresh image burn. Upgrading from a
previous version stills works.
Workaround: power cycle the unit.

1102416 Cannot push config sfp-dsl enable and vectoring under interface.

Upgrade

Bug ID Description

1114550 FortiExtender shows as offline after upgrading FGT from 7.4.5 to 7.4.6.
Workaround: Reboot FortiExtender manually.

User & Authentication

Bug ID Description

667150 On the User & Authentication > User Definition page, when a remote LDAP user with Two-factor
Authentication enabled and Authentication type FortiToken tries to access the internet through
firewall authentication, the web page does not receive the FortiToken notification or proceed to
authenticate the user.
Workaround: click the Continue button on the authentication page after approving the FortiToken
on the mobile device.

FortiOS 7.4.7 Release Notes 28

Fortinet Inc.
Known issues

Bug ID Description

884462 NTLM authentication does not work with Chrome.

972391 RADIUS group is not properly displayed as used.

1080234 For FortiGate (versions 7.2.10 and 7.4.5 and later) and FortiNAC (versions 9.2.8 and 9.4.6 and
prior) integration, when testing connectivity/user credentials against FortiNAC that acts as a
RADIUS server, the FortiGate GUI and CLI returns an invalid secret for the server error.
This error is expected when the FortiGate acts as the direct RADIUS client to the FortiNAC RADIUS
server due to a change in how FortiGate handles RADIUS protocol in these versions. However, the
end-to-end integration for the clients behind the FortiGate and FortiNAC is not impacted.
Workaround: confirm the connectivity between the end clients and FortiNAC by checking if the
clients can still be authorized against the FortiNAC as normal.

1082800 When performing LDAP user searches from the GUI against LDAP servers with a large number of
users (more than 100000), FortiGate may experience a performance issue and not operate as
expected due to the HTTPSD process consuming too much memory. User may need to stop the
HTTPSD process or perform a reboot to recover.
Workaround: Perform an LDAP user search using the CLI.

1112718 When RADIUS server has the require-message-authenticator setting disabled, the GUI
RADIUS server dialogs Test connectivity and Test user credentials still check for the message-
authenticator value and incorrectly fail the test with missing authenticator error message.
config user radius
edit <radius server>
set require-message-authenticator disable
next
end

This is only a GUI display issue and the end-to-end integration with RADIUS server should still
work.
Workaround: user can confirm if the connection to RADIUS server via CLI command
diagnose test authserver radius <server> <method> <user> <password>.

VM

Bug ID Description

978021 VNI length is zero in the GENEVE header when in FTP passive mode.

1082197 The FortiGate-VM on VMware ESXi equipped with an Intel E810-XXV network interface card (NIC)
using SFP28 transceivers at 25G speed is unable to pass VLAN traffic when DPDK is enabled.

1094274 FortiGate becomes unresponsive due to an error condition when sending IPv6 traffic.

FortiOS 7.4.7 Release Notes 29

Fortinet Inc.
 Known issues

WiFi Controller

Bug ID Description

814541 When there are extra large number of managed FortiAP devices (over 500) and large number of
WiFi clients (over 5000), the Managed FortiAPs page and FortiAP Status widget can take a long
time to load. This issue does not impact FortiAP operation.

869978 CAPWAP tunnel traffic over tunnel SSID is dropped when offloading is enabled.

903922 Physical and logical topology is slow to load when there are a lot of managed FortiAP devices (over
50). This issue does not impact FortiAP management and operation.

964757 Clients randomly unable to connect to 802.1X SSID when FortiAP has a DTLS policy enabled.

972093 RADIUS accounting data usage is different between the bridge and tunnel VAP.

1050915 On the WiFi & Switch Controller > Managed FortiAPs page, when upgrading more than 30 managed
FortiAPs at the same time using the Managed FortiAP page, the GUI may become slow and
unresponsive when selecting the firmware.
Workaround: Upgrade the FortiAPs in smaller batches of up to 20 devices to avoid performance
impacts.

1083395 In an HA environment with FortiAPs managed by primary FortiGate, the secondary FortiGate GUI
Managed FortiAP page may show the FortiAP status as offline if the FortiAP traffic is not routed
through the secondary FortiGate.
This is only a GUI issue and does not impact FortiAP operation.

ZTNA

Bug ID Description

819987 SMB drive mapping made through a ZTNA access proxy is inaccessible after rebooting.

1020084 Health check on the ZTNA realserver does not work as expected if a blackhole route is added to the
realserver address.

FortiOS 7.4.7 Release Notes 30

Fortinet Inc.
Built-in AV Engine

Built-in AV Engine

AV Engine 7.00035 is released as the built-in AV Engine. Refer to the AV Engine Release Notes for information.

FortiOS 7.4.7 Release Notes 31

Fortinet Inc.
Built-in IPS Engine

Built-in IPS Engine

IPS Engine 7.00559 is released as the built-in IPS Engine. Refer to the IPS Engine Release Notes for information.

FortiOS 7.4.7 Release Notes 32

Fortinet Inc.
Limitations

Citrix XenServer limitations

The following limitations apply to Citrix XenServer installations:

l XenTools installation is not supported.
l FortiGate-VM can be imported or deployed in only the following three formats:
l XVA (recommended)
l VHD
l OVF
l The XVA format comes pre-configured with default configurations for VM name, virtual CPU, memory, and virtual
NIC. Other formats will require manual configuration before the first power on process.

Open source XenServer limitations

When using Linux Ubuntu version 11.10, XenServer version 4.1.0, and libvir version 0.9.2, importing issues may arise
when using the QCOW2 format and existing HDA issues.

Limitations on HA cluster formation between different FortiGate

Rugged 60F and 60F 3G4G models

FortiGate Rugged 60F and 60F 3G4G models have various generations defined as follows:
l Gen1
l Gen2 = Gen1 + TPM
l Gen3 = Gen2 + Dual DC-input
l Gen4 = Gen3 + GPS antenna
l Gen5 = Gen4 + memory
The following HA clusters can be formed:
l Gen1 and Gen2 can form an HA cluster.
l Gen4 and Gen5 can form an HA cluster.
l Gen1 and Gen2 cannot form an HA cluster with Gen3, Gen4, or Gen5 due to differences in the config system
vin-alarm command.

FortiOS 7.4.7 Release Notes 33

Fortinet Inc.
 www.fortinet.com

Copyright© 2025 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein
may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were
attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance
results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract,
signed by Fortinet’s Chief Legal Officer, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only
the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal
conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change,
modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.