FortiGate
Matt_B
Staff & Editor
Article Id 421275
Description

This article describes a known issue that can cause ICMP traffic to be dropped after an upgrade when using specific models and configurations.
Scope

FortiGate models with 2 GB RAM or less running FortiOS v7.6.0 to v7.6.4.

Solution

This issue occurs for all models listed in FortiOS New Features Guide v7.4.0 | Proxy-related features no longer supported on FortiGate 2 GB RAM..., including the following:

  • FortiGate-40F and variants.
  • FortiGate-60F and variants.
  • FortiGate-Rugged 60F and variants.

The issue is triggered by upgrading the firewall to an affected FortiOS v7.6 version while multi-vdom is enabled.

config system global
    set vdom-mode multi-vdom
end

After the upgrade, all service objects configured in non-root VDOMs are incorrectly updated to 'set protocol TCP/UDP/UDP-Lite/SCTP'. While this does not open any additional UDP or TCP ports, it does prevent ICMP traffic from passing through the firewall, even if previously allowed by firewall policy.

config firewall service custom
    edit "ALL"
        set category "General"
        set protocol TCP/UDP/UDP-Lite/SCTP <----- Incorrectly applied by upgrade to v7.6.4.
    next
end

Resolution:

The issue is tracked by ID 1160065 and is scheduled to be fixed in v7.6.5, expected to be released in mid-December 2025. Firmware release schedules are subject to change without notice. If the device is upgraded to an earlier v7.6 version before upgrading to v7.6.5, the issue will still occur.

Workaround:

After the upgrade, manually set each affected service object back to the desired protocol.

config vdom
    edit <vdom name>
        config firewall service custom
            edit "ALL"
                set protocol IP
            next
            edit "ALL_ICMP"
                set protocol ICMP
            next
            edit "PING"
                set protocol ICMP
                set icmptype 8
                unset icmpcode
            next
        end
end
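To find which service objects need the workaround, the following added example (not part of the original article and not Fortinet code) compares a pre-upgrade and a post-upgrade configuration backup and lists non-root VDOM services whose protocol changed from a non-TCP/UDP value to the TCP/UDP family, with the original protocol and ICMP type to restore. The function names and the VDOM name "branch" are hypothetical, and it assumes backups omit settings left at their default value.

```python
import re

# Assumption: backups omit default values, so no 'set protocol' line means TCP/UDP.
DEFAULT = "TCP/UDP/UDP-Lite/SCTP"
LINE = re.compile(r'\s*(config|edit|set|next|end)\b\s*(.*?)\s*$')
SERVICE_PATH = ["config vdom", "edit", "config firewall service custom", "edit"]

def parse_services(text):
    """Map (vdom, service) -> {setting: value} for 'config firewall service custom'."""
    stack, services = [], {}
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        word, rest = m.groups()
        if word in ("next", "end"):  # 'end' also closes an entry left open
            while stack:
                kind = stack.pop()[0]
                if word == "next" or kind == "config":
                    break
            continue
        if word != "set":
            stack.append((word, rest.strip('"')))
        path = [w if w == "edit" else f"{w} {v}" for w, v in stack]
        if path == SERVICE_PATH:
            entry = services.setdefault((stack[1][1], stack[3][1]), {})
            if word == "set":
                key, _, value = rest.partition(" ")
                entry[key] = value.strip().strip('"')
    return services

def changed_services(before_text, after_text):
    """Non-root services that were not TCP/UDP before the upgrade but are after it."""
    before, after = parse_services(before_text), parse_services(after_text)
    hits = []
    for (vdom, name), old in before.items():
        if vdom == "root" or (vdom, name) not in after:
            continue
        was, now = old.get("protocol", DEFAULT), after[vdom, name].get("protocol", DEFAULT)
        if not was.startswith("TCP/UDP") and now.startswith("TCP/UDP"):
            hits.append((vdom, name, was, old.get("icmptype")))
    return hits

# Constructed sample backups; the VDOM name "branch" is hypothetical.
BEFORE = "\n".join(["config vdom", "edit branch", "config firewall service custom",
                    'edit "ALL_ICMP"', "set protocol ICMP", "next",
                    'edit "PING"', "set protocol ICMP", "set icmptype 8", "next",
                    'edit "HTTP"', "set tcp-portrange 80", "next", "end", "end"])
AFTER = BEFORE.replace("set protocol ICMP", f"set protocol {DEFAULT}")
print(changed_services(BEFORE, AFTER))
```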

 
