Technical Tip: After upgrading FortiGate 2GB models to v7.6.4, ICMP traffic in non-root VDOM is dropped
| Description | This article describes a known issue that can cause ICMP traffic to be dropped after an upgrade when using specific models and configurations. |
| Scope | FortiGate with 2GB RAM or less v7.6.0 to v7.6.4. |
Solution: This issue occurs for all models listed in Proxy-related features no longer supported on FortiGate 2 GB RAM models 7.4.4, including the following:

The issue is triggered by upgrading the firewall to an affected FortiOS v7.6 version while multi-vdom is enabled:

```
config system global
    set vdom-mode multi-vdom
end
```

After the upgrade, all service objects configured in non-root VDOMs are incorrectly updated to 'set protocol TCP/UDP/UDP-Lite/SCTP'. This does not open any additional TCP or UDP ports, but it does prevent ICMP traffic from passing through the firewall, even where a firewall policy previously allowed it.

```
config firewall service custom
    edit "ALL"
        set category "General"
        set protocol TCP/UDP/UDP-Lite/SCTP    <----- Incorrectly applied by upgrade to v7.6.4.
    next
end
```

Resolution: The issue is tracked under bug ID 1160065, which is listed under Resolved Issues. The fix is available in FortiOS v7.6.5, which has been released, and is expected in FortiOS v8.0.0 (ETA late March 2026). Firmware release schedules are subject to change without notice. If the device is upgraded to an earlier v7.6 version before upgrading to v7.6.5, the issue will still occur.

Workaround: After the upgrade, manually update the affected service objects back to the desired protocol:

```
config vdom
    edit <vdom name>
        config firewall service custom
            edit "ALL"
                set protocol IP
            next
            edit "ALL_ICMP"
                set protocol ICMP
            next
            edit "PING"
                set protocol ICMP
                set icmptype 8
            next
        end
    end
```
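On a firewall with many VDOMs and custom service objects, the hard part of the workaround is finding every object the upgrade rewrote. The script below is an added example, not Fortinet's code or anything from the article: it scans a FortiOS-style configuration backup, reports service objects outside the root VDOM that carry `TCP/UDP/UDP-Lite/SCTP` but define no TCP/UDP/SCTP port range (the signature of an IP or ICMP object that was rewritten), and renders the article's workaround block for the default objects whose intended protocol the article gives (ALL, ALL_ICMP, PING). The backup excerpt is constructed, the `config vdom` / `edit <name>` / `end` layout is assumed to follow the CLI backup format, and the "no port range" rule is a review heuristic: any other flagged object must be restored from a pre-upgrade backup by the administrator.

```python
# Added example: locate service objects rewritten by the upgrade and render
# the article's workaround for the ones whose original protocol is known.
SUSPECT_PROTO = "TCP/UDP/UDP-Lite/SCTP"
PORT_KEYS = ("set tcp-portrange ", "set udp-portrange ", "set sctp-portrange ")

# Intended protocol for the default objects named in the article's workaround.
KNOWN_FIX = {
    "ALL": ["set protocol IP"],
    "ALL_ICMP": ["set protocol ICMP"],
    "PING": ["set protocol ICMP", "set icmptype 8"],
}

# Constructed sample backup: root is untouched, the non-root VDOM shows the
# rewritten objects; HTTPS keeps a port range and is therefore not flagged.
SAMPLE_CONFIG = """\
config vdom
edit root
config firewall service custom
    edit "ALL"
        set category "General"
        set protocol IP
    next
    edit "ALL_ICMP"
        set category "General"
        set protocol ICMP
    next
end
end
config vdom
edit customer-a
config firewall service custom
    edit "ALL"
        set category "General"
        set protocol TCP/UDP/UDP-Lite/SCTP
    next
    edit "ALL_ICMP"
        set category "General"
        set protocol TCP/UDP/UDP-Lite/SCTP
    next
    edit "HTTPS"
        set category "Web Access"
        set protocol TCP/UDP/UDP-Lite/SCTP
        set tcp-portrange 443
    next
end
end
"""


def find_suspect_services(config_text):
    """Return (vdom, service) pairs for non-root service objects that carry the
    multi-protocol setting without any port range, i.e. likely rewritten
    IP/ICMP objects that can no longer match ICMP."""
    stack = []                      # nested 'config' block names
    vdom, service, proto, ports_seen = None, None, None, False
    findings = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            stack.append(line[len("config "):])
        elif line.startswith("edit "):
            name = line[len("edit "):].strip().strip('"')
            if stack and stack[-1] == "vdom":
                vdom = name
            elif stack and stack[-1] == "firewall service custom":
                service, proto, ports_seen = name, None, False
        elif line.startswith("set protocol "):
            proto = line[len("set protocol "):].strip()
        elif line.startswith(PORT_KEYS):
            ports_seen = True
        elif line == "next":
            if stack and stack[-1] == "firewall service custom" and service:
                if vdom != "root" and proto == SUSPECT_PROTO and not ports_seen:
                    findings.append((vdom, service))
                service = None
            elif stack and stack[-1] == "vdom":
                vdom = None         # backups that close a VDOM with 'next'
        elif line == "end" and stack:
            if stack.pop() == "vdom":
                vdom = None         # backups that close a VDOM with 'end'
    return findings


def render_workaround(findings):
    """Build the per-VDOM CLI block from the article's workaround for flagged
    objects with a known fix; return it with the list needing manual review."""
    by_vdom, needs_review, out = {}, [], []
    for vdom, name in findings:
        if name in KNOWN_FIX:
            by_vdom.setdefault(vdom, []).append(name)
        else:
            needs_review.append((vdom, name))
    for vdom, names in by_vdom.items():
        out += ["config vdom", f"edit {vdom}", "config firewall service custom"]
        for name in names:
            out.append(f'    edit "{name}"')
            out += [f"        {stmt}" for stmt in KNOWN_FIX[name]]
            out.append("    next")
        out += ["end", "end"]
    return "\n".join(out), needs_review


if __name__ == "__main__":
    hits = find_suspect_services(SAMPLE_CONFIG)
    cli, review = render_workaround(hits)
    print(cli)
    for item in review:
        print("review manually:", item)
```

Run it against a real backup by replacing `SAMPLE_CONFIG` with the file contents; the emitted block is the article's workaround restricted to objects that actually need it, and anything in the review list should be checked against the pre-upgrade configuration rather than guessed.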
