Alongside the recent FortiOS and FortiAnalyzer updates, the vendor has also released a software update for FortiManager. The new version fixes a considerable number of bugs and vulnerabilities, which you can read about in this article.
FortiManager 6.2.5 is no longer vulnerable to the following CVE:
- CVE-2004-0230
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0230
Resolved issues in FortiManager 6.2.5:
AP Manager
| Bug ID | Description |
|---|---|
| 553985 | FortiManager incorrectly sets "security-external-web" when external authentication is selected. |
| 555159 | AP Manager still shows the SSID after it is deleted from Device Manager. |
| 568631 | Per-Device Mapping for FortiAP SSID in Bridge mode should not have IP and is missing the VLAN field. |
| 585157 | FortiManager is missing 802.11ax/ac related settings on FAPU431F and FAPU433F. |
| 595674 | When attempting to place an AP on a map, there is a considerable border around map image where it is not possible to place an AP to the far right or complete bottom of the floor. |
| 597818 | ADOM upgrade may delete Floor Map in AP Manager. |
| 600899 | FortiManager is unable to delete WiFi profile with a forward slash in the name. |
| 603511 | AP Manager may try to unset authentication for SSID when the device is configured under per-device mapping. |
| 604642 | Changing SSID Groups makes changes on all member SSIDs. |
| 620117 | AP Manager needs to support FortiAP-U431F and FortiAP-U433F. |
Device Manager
| Bug ID | Description |
|---|---|
| 627351 | System Templates is unable to apply or import a certificate in syslog settings for v6.0 ADOMs. |
| 411914 | System Template’s Enable FortiGuard Security Updates option should check if antispam-force-off and webfilter-force-off are disabled. |
| 459895 | FortiManager may not configure an IPS profile on a One-Arm sniffer interface. |
| 525051 | Automation stitch cannot add FortiGates to automation. |
| 541911 | When workspace is enabled, FortiManager cannot run CLI template after it is assigned to a device. |
| 544222 | In the device configuration’s log setting, both local traffic log and event logging have Enable All buttons that may not work. |
| 544337 | FortiManager is missing Firmware information when creating or editing a device group. |
| 544982 | Policy Package Status may get out-of-sync for all devices when adding one device to Install On. |
| 555635 | Certificate is not visible in GUI after restoring the configuration, which was exported from FortiManager. |
| 563373 | FortiManager should support FortiGate-VM FNDN. |
| 572337 | Config Status may display Modified instead of Conflict status following a failed policy package install. |
| 573293 | After upgrade, FortiManager may not be able to import policy package in Workflow mode. |
| 576850 | VDOM names may be inconsistent between FortiManager and FortiGate. |
| 589453 | Application group of type category should not be used for SD-WAN rules. |
| 589814 | User should be able to make interface changes using CLI Configuration. |
| 591981 | After modifying the set max-revs value, the change is not immediately reflected in the GUI. |
| 592646 | When creating an SD-WAN and disabling its status, both Monitor map view and table view cannot be displayed. |
| 593480 | When there is no interface assigned to SD-WAN, both map view and table view cannot be shown. |
| 593505 | Provisioning Template sets incorrect syslog severity level under log settings. |
| 594324 | When a model FortiGate device connects to FortiManager, it may unset all configurations. |
| 594348 | FortiManager should show buttons to create, edit, and delete TACACS+ on the CLI Configuration page. |
| 594709 | Device Manager may not be able to generate Policy Package Diff result. |
| 594905 | FortiManager may take a long time to load system interface. |
| 595683 | Modifying anything on a policy ID does not modify status of Policy Package when using workflow mode. |
| 595803 | When configuring PPPoE from CLI Configuration, installation fails with unexpected deletion of system-interface. |
| 595941 | Importing policy package may unexpectedly convert regular address objects to dynamic address objects. |
| 598650 | SD-WAN monitor table view may not show data for FortiGate 5.6 device. |
| 599141 | After upgrade, the Policy Route menu no longer displays Source Addresses or Destination Addresses. |
| 599768 | FortiManager may not be able to display the second shelf manager. |
| 599769 | FortiManager may not be able to Enable Security Fabric on some FortiGate platforms. |
| 601223 | Device database configuration may mismatch with FortiGate even if auto-update happens. |
| 602275 | FortiManager may not be able to remove VDOM or device when FortiAnalyzer Features are enabled. |
| 602706 | SD-WAN Template may keep loading. |
| 603215 | Fabric is not enabled in allowaccess after enabling fortilink on an interface. |
| 603286 | Device Manager’s dashboard System Time and HA Mode buttons have no effect. |
| 603405 | FortiManager cannot set radio-2 band to 802.11ax under CLI Configuration. |
| 603522 | Fabric should be shown as an option for administrative access. |
| 603542 | Password field should not be deleted when making changes to PPPoE interface. |
| 603606 | FortiManager should accept volume ratio value of 0 within SD-WAN configuration. |
| 603820 | FortiManager fails to import policy when reputation-minimum and reputation-direction are set. |
| 604269 | FortiManager should permit Virtual Wire Pair to use Aggregate interface. |
| 604808 | Verification may fail on system interface tc-mode or phy-mode when installing to FortiGate-60E-DSLJ. |
| 605178 | FortiManager should be able to set None interface under Policy Route. |
| 605946 | Import may fail where there are objects with truncated names. |
| 606628 | FortiManager may fail to retrieve configuration with SAML SP IDP certificate. |
| 607672 | Import may fail with error user group match is not a member. |
| 608642 | Importing policy should not make dynamic mapping for policy object when there is only a change on hidden attributes. |
| 609757 | Adding a new device on SD-WAN Template may cause Config status to change to Modified on all devices. |
| 610015 | Scroll bar is not working well in install preview pop-up. |
| 610585 | Device Manager cannot save DHCP for Unknown MAC address with action set to block. |
| 610937 | In non-root management VDOM, FortiManager prompts no permission error when accessing device interface. |
| 613426 | VDOMs may show up twice in Device Manager. |
| 615092 | FortiManager should allow using FQDN for FortiAnalyzer logging. |
| 616264 | IPv6 extra-address may not convert properly. |
| 616606 | IPSec Phase 1 does not have all encryption proposals listed. |
| 616619 | When using a script or CLI only page, a user can create interface-policy without setting srcaddr, dstaddr, or service even though they are required fields. |
| 619377 | FortiManager cannot retrieve FortiGate-800D containing more than 2048 Firewall custom services. |
| 620029 | Deleting a VDOM may prompt Internal Error. |
| 622353 | Cloning VPN Phase1-Interface does not clone Phase1 proposals. |
| 625691 | FortiManager does not allow DHCP lease time to be disabled. |
| 626152 | Adding FortiGate-100E may fail at user group.guest. |
FortiSwitch Manager
| Bug ID | Description |
|---|---|
| 503722 | FortiSwitch Manager and AP Manager reports switches and APs connected to FortiGates as online when the devices are no longer powered on. |
| 597715 | Under FortiSwitch Manager Per device mode, FortiManager may prompt error [object Object] when trying to create a VLAN with VLAN ID. |
| 601242 | Installation may fail because the qtn.fortilink configuration cannot be deleted. |
| 601712 | In Workflow mode, FortiManager may lose FortiSwitch templates and VLAN configuration. |
| 615472 | DHCP exclude range is not stored in FortiSwitch Manager central mode. |
| 624143 | FortiSwitch Manager may not install VLAN to FortiGate. |
Others
| Bug ID | Description |
|---|---|
| 364541 | The command, diagnose dvm support list, should include all supported platforms. |
| 574731 | Builds 0349 and 1121: Some hardware specific SNMP traps are missing from the device SNMP settings and the system provisioning templates. |
| 581140 | The SNMP, FmDeviceEntPolicyPackageState, always returns (-1), which indicates never installed, regardless of the actual policy package status. |
| 584053 | FortiManager may show fmgd crashes after switching among pages. |
| 590037 | FortiManager CPU usage may spike when going to interface and VPN Phase1 or Phase2 page. |
| 591206 | The SNMP trap, fmDeviceTable, should show VDOM information as well. |
| 593421 | Running ADOM integrity check may cause cdb reader to crash. |
| 601978 | Diagnostic command may fail to repair database when device is in standalone mode but there are entries in HA member table. |
| 602216 | FortiManager is unable to add SNMP hosts when set alias is configured on a port. |
| 609040 | Device manager may be empty after upgrade. |
| 611548 | dbcache.db file size may keep increasing. |
| 622411 | Valid zone and interface mappings are deleted after running the diag cdb check policy-packages command. |
Policy and Objects
| Bug ID | Description |
|---|---|
| 629412 | ADOM v6.0 ssl-ssh-profile with deep inspection disabled is changed with deep inspection when installing to a FortiGate v6.2 device. |
| 505887 | Internet Service should separate into source and destination. |
| 545605 | Searching on Created Time or Last Modified does not work on policy table. |
| 574560 | Installation from FortiManager may fail with the error "No response from remote" FortiGate. |
| 577201 | Next button should be inactive until zone validation is fixed in the case of "Re-Install Policy". |
| 577816 | Policy-based rule shows NAT status as disabled or empty. |
| 577818 | When a policy package in an ADOM v6.0 is enabled with policy-based mode, the rules do not show the application column. |
| 578004 | The policy interface colors are different between Device Manager and Policy & Objects. |
| 580166 | Bulk installation may become stuck with fake policy package. |
| 581825 | In workflow mode, changes to the SSL VPN portals do not trigger "Modified" status on the policy package. |
| 582255 | FortiManager is unable to lock an ADOM if another admin is installing a policy to the same FortiGate in a different ADOM. |
| 594957 | SSL/SSH Inspection profile should not allow "Untrusted SSL Certificates" to be set to Block. |
| 597879 | Policy package installation fails with commit check error on system interface dhcp-relay-type. |
| 598656 | When long-vdom-name is enabled on FortiGate, installing from FortiManager may show nothing to install. |
| 599780 | If one or more devices has a policy validation error, FortiManager does not show devices that are "ready to install". |
| 601073 | When renaming an address object, the error "invalid value" is prompted when it should be "object already exists". |
| 601081 | FortiManager is missing the feature to change IPS Signatures status. |
| 601320 | FortiManager should be able to display IPv4 policies in Interface Pair View mode. |
| 602600 | FortiManager may show duplicate sections in the policy page. |
| 602871 | FortiManager may show zero on First use, Last used, and Byte count on policy. |
| 604159 | Cloning an existing policy package adds the "clone_of_" to the name even when the feature is disabled. |
| 604577 | When logged in as a Restricted Admin or regular User, it is not possible to reference "Web content filter" in a web profile. |
| 605947 | FortiManager is unable to configure holddown-interval for Virtual Server. |
| 606721 | FortiManager should not allow users to create firewall address with a name which is conflicted with the name of existing wildcard-fqdn addresses. |
| 607281 | pxgrid connector on FortiManager may not work with Cisco ISE version 2.7. |
| 607370 | When workspace is enabled, auto-install fails with error "no write permission". |
| 607958 | FortiManager should be able to modify Per-device mapping for global VIP in local ADOM. |
| 608105 | When making changes to Virtual server or Health check for load balance, it should be detected and installed to FortiGate properly. |
| 608236 | FortiManager is unable to install ssl-ssh-profile policy updates when disabling protocols on a policy. |
| 612672 | The policy block hit count stays at zero even if the counter increments properly on the FortiGate side. |
| 615823 | VPN tunnel is not unset when changing the action of firewall policy from IPSEC to Accept. |
| 618711 | Installation to FortiGate may fail for dhcp-relay-agent-option. |
| 623104 | FortiManager may not be able to promote the Web Filter object from any ADOM to Global ADOM. |
| 624561 | Changing an Accept policy with proxy-based inspection mode to Deny may lead to installation failure. |
| 624586 | FortiManager may try to unset server-identity-check while pushing a new LDAP server. |
| 628830 | FortiManager should be able to select a device to install after adding a group object member to a nested group. |
Revision History
| Bug ID | Description |
|---|---|
| 492088 | FortiManager attempts to change Chassis ID on FortiGate 7000 series when installing configuration. |
| 543507 | Install fails for newly defined transparent VDOM’s management IP. |
| 555796 | Installing policy on 6K series FortiGate may remove the interface setting "set forward-error-correction rs-fec". |
| 560888 | FortiManager may unexpectedly reset some parameters for IPS sensor entry. |
| 584118 | Router access-list rule’s default value is mismatched causing installation failure. |
| 590325 | Installing EMAC-VLAN may fail on verifying device-identification setting. |
| 592062 | Custom Internet Service created on FortiManager systematically fails to be installed on target FortiGate. |
| 594147 | FortiManager does not perform interface binding contradiction check when the firewall policy is using an address group and the user changes an address group member. |
| 597353 | Policy install may remove auth-redirect-addr when disclaimer is set. |
| 598173 | When changing the "User Group Source" from Local to Collector Agent, FortiManager should automatically unset the undesired commands. |
| 599413 | Policy Package Diff is showing differences for passwords when there is no actual difference. |
| 600085 | Some special characters may prevent revision history from being saved with a full tmp folder. |
| 600833 | When trying to create a local certificate, and assign and install it for remote administration, the install operation fails due to incorrect order of configurations. |
| 601668 | FortiManager may install overlapping VIP objects to FortiGate. |
| 602272 | Installing UUIDs from local-in policies for FortiGate-60F may cause installation failure. |
| 604738 | Verification fails for replacemsg auth-authorization-fail after upgrading FortiManager and installing to a FortiGate with a system template assigned. |
| 605187 | FortiManager may fail to add members into a zone. |
| 605899 | FortiManager should not mandate the use of the access key, secret key, and region fields for SDN Connector. |
| 607216 | When a master-device is set on a custom device, the type should not be available on FortiManager. |
| 608051 | Policy package install time increases when using policy package diff option. |
| 609110 | Config revision created by Script_manager causes an error when restored onto the FortiGate directly. |
| 610687 | FortiManager should not unset forward-error-correct during install. |
| 612781 | FortiManager should try to remove any referenced policies prior to creating a zone interface. |
| 613057 | During install verification, FortiManager changes the IP of uni-cast heartbeat interfaces after FortiGate cluster failover. |
| 624583 | When pushing a new configuration, FortiManager may try to change the Kerberos keytab on the FortiGate causing install failure. |
Script
| Bug ID | Description |
|---|---|
| 593217 | FortiManager is unable to delete Virtual-Switch members via script if fewer than two interface members remain. |
| 608828 | Script's timestamp under Template and Template group does not follow the correct date format YYYY-MM-DD. |
Services
| Bug ID | Description |
|---|---|
| 591519 | FortiManager adds upgrade support for FortiAP-231E. |
| 563624 | FortiManager dbcontract updated with the entitlement file shows different contracts compared to FortiManager dbcontract updated from FDS. |
| 577875 | FortiManager may not correctly group firmware images. |
| 597656 | FortiManager may not be able to upgrade firmware on some FortiGate platforms, such as FGT-50E or FGT-30E. |
| 598940 | Pop-up window on license status may not be closed and stay on the screen. |
| 601222 | HTTP 1.1 host header may be missing in FortiGuard web proxy requests. |
| 604677 | When attempting to delete a selected firmware image, FortiManager randomly deletes a non selected image instead. |
| 604744 | Upgrading FortiGate firmware may fail when choosing an image downloaded from FortiGuard. |
| 634732 | When upgrading FortiGate firmware from v5.4 to v5.6 or v5.6 to v6.0, it may fail with incorrect firmware version and it may cause retrieve to fail. |
System Settings
| Bug ID | Description |
|---|---|
| 202924 | FortiManager should be able to restore large backup files via web interface. |
| 571181 | An admin user with read-write system permissions and restricted to one ADOM can change their permission to All ADOMs. |
| 588852 | Idle time is constantly reset for inactive users. |
| 592156 | Upgrade task for managed devices in Task Monitor always shows Pending status with 0. |
| 599812 | Stager or pusher admin has no permission to view VDOM interface mapping. |
| 599847 | FortiManager may not be able to move VDOMs with long names among different ADOMs. |
| 604069 | IPv6 communication fails after setting interface status between down and up. |
| 606545 | There may be an HA synchronization issue when policy hit count is disabled. |
| 608378 | FortiManager is unable to upgrade ADOM due to name conflicts in wildcard FQDN address. |
| 611637 | Policies are not visible when workflow session is created in an ADOM that is upgraded. |
| 611825 | FortiManager fails to edit device interface when FortiSwitch is set to RO within admin profile. |
| 623149 | The list to select device is not consistent with All except ADOMs list restriction. |
VPN Manager
| Bug ID | Description |
|---|---|
| 621187 | When a route is added in the Portal of SSL VPN, policy package is shown as "Modified" but install preview shows "No command to install". |
| 554080 | VPN monitor may not list all mesh tunnels if the remote VPN peer has a dynamically assigned IP address and subscribes to a dynamic DNS service. |
| 587760 | Address group dynamic mapping is ignored when it is used as a protected subnet with VPN Manager. |
| 599242 | For Dialup tunnels, auto-negotiate should only be applied to spokes. |
| 616352 | FortiManager may show empty value for phase1 and phase2 proposals. |
Common Vulnerabilities and Exposures
Visit https://fortiguard.com/psirt for more information.
| Bug ID | Description |
|---|---|
| 511903 | FortiManager 6.2.5 is no longer vulnerable to the following CVE reference: CVE-2004-0230 (listed above). |
Known issues remaining in 6.2.5:
AP Manager
| Bug ID | Description |
|---|---|
| 607107 | FortiManager prompts installation errors when certain channels are selected for Radio 2 in the 5 GHz band of FAP-421E. |
Device Manager
| Bug ID | Description |
|---|---|
| 547768 | FortiManager should allow easier management of the compliance exempt lists. |
| 552492 | VAP is always loading under CLI configuration. |
| 558176 | The address interface for the interface-subnet type is re-set to zone after it is imported, leading to copy fail during install. |
| 586809 | FortiManager incorrectly counts the VDOM license for FortiGate 7000 series. |
| 593364 | FortiManager does not install md5 key for OSPF interface configured from Device Manager. |
| 594474 | FortiManager ADOM in backup mode is not backing up device configuration changes from super_admin remote radius accounts. |
| 595058 | When the user sets "Scheduled Updates" configuration to "1 hour" in FortiGuard on Device Manager, FortiManager installation preview is configured as "set time 1:60". |
| 598916 | When creating user groups via CLI Only Objects, comma separated values are treated as a string instead of a list. |
| 599819 | Changing static route from subnet to named address does not push the change to FortiGate. |
| 601692 | FortiManager is unable to overwrite IPv6 default route. |
| 610568 | FortiManager may not follow the order in CLI Script template. |
| 619106 | When importing a policy, the conflict page may truncate outputs. |
| 634597 | FortiManager may unset speed on ports which are configured with 10000full on FortiGate-1100E/2200E/3300E/3400E. |
Policy & Objects
| Bug ID | Description |
|---|---|
| 523350 | FortiManager does not show the default certificate under SSL/SSH Inspection within policy. |
| 545759 | The From or To column filter displays unmapped interfaces in the drop-down list. |
| 577199 | Importing policy package does not add interfaces in dynamic mappings for zone if the zone mapping is empty. |
| 578501 | FortiManager should show global icon for global objects assigned to ADOMs. |
| 586026 | FortiManager should display zone icon based on existing and non existing dynamic mappings. |
| 598938 | FortiManager should allow setting wildcard-fqdn type firewall address as destination on proxy policy. |
| 602176 | Creating a proxy policy with a profile group adds additional security profile. |
| 612317 | FortiManager shows incorrect country code for Cyprus under User definition. |
| 612445 | Policy package for v5.6 cannot be installed on v6.0 devices if default deep SSL inspection is used. |
| 614710 | Result of search in device interface should display the zone that the interface is a member of. |
| 617031 | Right-clicking on IPv4/Proxy Policy or Installation Targets should not reload the page if the related information is already displayed. |
| 618321 | FortiManager is unable to create RSSO Group if Agent is configured with a custom name. |
| 618499 | Using right-click to edit a zone incorrectly prompts dynamic interface window. |
| 620092 | Interface Pair View is not working for Security Policies. |
| 622040 | Security Policy is missing Implicit Deny policy. |
| 623100 | FortiManager is constantly changing UUID for firewall address object. |
Revision History
| Bug ID | Description |
|---|---|
| 594933 | Re-installing Policy Package cannot skip to install policy package, which fails validation. |
| 597650 | FortiManager cannot install allowed DNS and URL threat feed configuration. |
| 604680 | FortiManager sets fsso to disable even though FSSO group is in use. |
| 604927 | FortiManager can create a custom device without a category, which may lead to failed installation. |
Services
| Bug ID | Description |
|---|---|
| 437935 | FAD-VM license may not be validated on FortiManager. |
| 541192 | FortiManager should keep firmware image files when the files are for different FortiExtender devices. |
System Settings
| Bug ID | Description |
|---|---|
| 556334 | Standard ADOM users should be able to assign system templates to FortiGate devices. |
| 586626 | Users should be able to identify who locked their assigned ADOM. |
| 611215 | SNMP Hosts in SNMP Community are not displayed in the GUI if ADOM is unlocked. |
VPN Manager
| Bug ID | Description |
|---|---|
| 596953 | The Monitor page displays a white screen when the user goes to VPN manager > Monitor and selects a specific community from the tree menu to show only that community’s tunnels. |
| 621209 | VPN monitor should show the corresponding VPN community tunnels only under each community. |
FortiManager 6.2.5 – vendor release notes
Regards,
The B&B Team
Security in business
