Fortinet opublikował aktualizację dla FortiManager oznaczeniu wersji 6.2.10. Wersja nie przynosi zmian, jednak warto zapoznać się ze specjalnymi uwagami dotyczącymi tej rodziny oprogramowania.
Aktualnie wspierane modele:
| FortiManager | FMG-200D, FMG-200F, FMG-300E, FMG-300F, FMG-400E, FMG-1000F, FMG-2000E, FMG-3000F, FMG-3000G, FMG-3700F, FMG-3900E, and FMG-4000E. |
| FortiManager VM | FMG-VM64, FMG-VM64-Ali, FMG-VM64-AWS, FMG-VM64-Azure, FMG-VM64-GCP, FMG-VM64-HV (including Hyper-V 2016, 2019), FMG-VM64-KVM, FMG-VM64-OPC, FMG-VM64-XEN (for both Citrix and Open Source Xen). |
Specjalne uwagi:
W tej sekcji omówiono niektóre zmiany operacyjne, o których administratorzy powinni wiedzieć w wersji 6.2.10.
- View Mode is disabled in policies when policy blocks are used
When policy blocks are added to a policy package, the View Mode option is no longer available, and policies in the table cannot be arranged by Interface Pair View. This occurs because policy blocks typically contain multiple policies using different incoming and outgoing interfaces, however, View Mode is still disabled even when policy blocks respect the interface pair.
- Custom signature filenames
Custom signature filenames are limited to a maximum of 50 characters because FortiManager appends the VDOM suffix to custom signature filenames when FortiGate uses VDOMs.
- VPN Manager in a Fabric type ADOM
After Upgrading to FortiManager 6.2.10, the VPN Manager may fail to install to any device participating in a full mesh VPN.
Customers using VPN Manager in a fabric type ADOM should not upgrade to 6.4.4 until the issue is resolved.
- Multi-step firmware upgrades
Prior to using the FortiManager to push a multi-step firmware upgrade, confirm the upgrade path matches the path outlined on our support site. To confirm the path, please run:
dia fwmanager show-dev-upgrade-path <device name> <target firmware>
Alternatively, you can push one firmware step at a time.
For a newly deployed VM instance or appliance, a disk format or a factory reset on a FortiManager unit running version 6.2.3 may trigger the upgrade code upon rebooting the system, which in turn may update the database configuration, although no upgrades are required. This issue does not affect FortiManager units upgraded from versions prior to 6.2.3.
Workaround: Immediately after deploying a new FortiManager with version 6.2.3, reboot the system before administering any configuration.
- Multicast policies with zones or zone members
Starting in FortiManager 6.0.7 and 6.2.1, multicast policies in ADOMs with version 5.6 or earlier cannot reference zones or zone members. Either upgrade the ADOM to 6.0 or later, or remove references to zones or zone members.
- Wildcard Address Support in Policy
With FortiOS 6.2.2 defines all wildcard address objects as regular address objects with type set as FQDN, FortiManager 6.2.2 can only select FQDN type address in policy and install to FortiOS 6.2.2 devices.
- Import Authentication Rules and Schemes
If kerberos-keytab user is referenced in config authentication scheme > set kerberos-keytab, FortiManager purges the authentication scheme and authentication rule after upgrading to FortiManager 6.2.1 and later. After upgrading, import the authentication rule and authentication scheme from FortiOS to the FortiManager ADOM before modifying and installing any configurations to FortiOS.
- Support of the NGFW mode in 6.2.1
Within a version 6.2 ADOM, policy package with NGFW mode set as policy based only supports FortiOS 6.2.1.
- Managing FortiGate with VDOMs that use Global, Shared Profiles
FortiManager managing FortiGates with global, shared g-xx profiles in VDOMs and running FortiOS 6.0.0 or later is unable to import global, shared g-xx profiles from FortiGate devices.
Before adding the FortiGate units to FortiManager, perform the following steps to unset the global ADOM objects. After the default configurations are unset, you can successfully add the FortiGate units to FortiManager.
- On the Fortigate for each VDOM, unset the following global ADOM objects by using the CLI:
config wireless-controller utm-profile edit "wifi-default" set comment "Default configuration for offloading WiFi traffic." next edit "g-wifi-default" set comment "Default configuration for offloading WiFi traffic." set ips-sensor "g-wifi-default" set application-list "g-wifi-default" set antivirus-profile "g-wifi-default" set webfilter-profile "g-wifi-default" set firewall-profile-protocol-options "g-wifi-default" set firewall-ssl-ssh-profile "g-wifi-default" next end FGVMULCV30310000 (utm-profile) # ed g-wifi-default FGVMULCV30310000 (g-wifi-default) # sh config wireless-controller utm-profile edit "g-wifi-default" set comment "Default configuration for offloading WiFi traffic." next end - After the global ADOM objects are unset, you can add the FortiGate unit to FortiManager.
- Managing FortiAnalyzer Devices
FortiManager 6.2 can only manage and process logs for FortiAnalyzer 6.2 devices.
- IOC Support on FortiManager
Please note that FortiManager does not support IOC related features even when FortiAnalyzer mode is enabled.
- Hyper-V FortiManager-VM running on an AMD CPU
A Hyper-V FMG-VM running on a PC with an AMD CPU may experience a kernel panic. Fortinet recommends running VMs on an Intel-based PC.
- SSLv3 on FortiManager-VM64-AWS
Due to known vulnerabilities in the SSLv3 protocol, FortiManager-VM64-AWS only enables TLSv1 by default. All other models enable both TLSv1 and SSLv3. If you wish to disable SSLv3 support, please run:
config system global
set ssl-protocol t1sv1
end
Notatki producenta: FortiManager 6.2.10
Pozdrawiamy,
Zespół B&B
Bezpieczeństwo w biznesie
