Fortinet publikuje szóstą wersję oprogramowania z rodziny 6.2 dla produktu FortiManager! W tej wersji naprawiono błąd, który uniemożliwiał zapisanie zmian w obszarze roboczym urządzenia. Po aktualizacji FortiManager widzi poprawnie urządzenie FAP321E i nie zgłasza już błędów o nieprawidłowym modelu urządzenia. Rozwiązano również problem, który po zmianie konfiguracji VPN powodował niepotrzebne zmiany w konfiguracji FortiGate. Wersja FortiManager 6.2.6 jest wolna od błędu, który powodował wymazywanie ustawień FortiToken’a po aktualizacji zasad. Zapraszam do lektury dalszej części artykułu.
Rozwiązane problemy:
AP Manager
| Bug ID | Description |
|---|---|
| 556036 | FortiManager cannot configure AP profile short-guard-interval. |
| 599666 | Empty LLDP status information is shown under AP Manager. |
| 610724 | Unauthorized APs should be displayed so that users can authorize the APs. |
| 644584 | Upgrading an AP may get stuck at 5 % and no task is created for it. |
| 645030 | Adding FortiGate using custom admin profile may fail to list FAP in AP Manager. |
| 645713 | FortiManager allows the user to create SSID which cannot be deleted later. |
| 653329 | FortiManager is sending the wrong device setting after changing the FAP name. |
| 587879 | AP Manager central mode is missing AP group with VLAN ID. |
| 607170 | Dynamic VLAN option is not saved in SSID in AP Manager. |
| 654171 | There may be duplicate entries in objcfg_wireless_controller_wtp preventing the user to delete some custom WTP profiles. |
Device Manager
| Bug ID | Description |
|---|---|
| 581940 | SD-WAN Monitor may show gaps on the SD-WAN monitoring graph. |
| 593364 | FortiManager does not install md5 key for OSPF interface configured from Device Manager. |
| 598794 | IPSec Phase 1 setting shows inconsistencies between Lock and Unlock. |
| 599852 | When password policy is set as enforced, FortiManager should not accept the password if it does not meet the policy. |
| 603291 | Group membership may be incorrect after adding a VDOM. |
| 603820 | FortiManager fails to import policy when reputation-minimum and reputation-direction are set. |
| 605688 | Pac-file-datais limited to 4000 characters under CLI Configuration. |
| 610071 | FortiManager should not allow duplicated names when creating a new interface based VPN phase1. |
| 611315 | SD-WAN should be allowed to configure port for HTTP health-check server. |
| 612355 | Policy Package status remains in modified status after using Push to device on an updated object. |
| 616271 | FortiManager prompts a, response format error, when adding per-device mapping to a new interface in a new workflow
session |
| 619106 | When importing a policy, the conflict page may truncate outputs. |
| 624596 | Device Manager’s Connect to CLI function with SSH may prompt an error message. |
| 625831 | Deleting a device from Device Manager may take a long time and FortiManager becomes very slow. |
| 626598 | Custom Device Meta fields cannot be modified. |
| 631576 | Device list may be empty under device group when trying to edit it. |
| 637630 | FortiManager is not showing interface status in Device Manager interface page. |
| 637672 | Importing AP Profile in AP Manager may cause Config Status changes to Modified. |
| 637794 | FortiManager is unable to import firewall policy if the SD-WAN member interface referenced is dstaddr. |
| 638351 | FortiManager is unable to set FAZ IP override setting as global setting. |
| 643172 | FortiManager does not support dnsproxy-worker-count higher than two. |
| 644223 | FortiManager is unable to add FortiAnalyzer and triggers an error: Object does not exist. |
| 649195 | Editing an address group does not trigger any configuration change when the installation target is set to specific device(s). |
| 649711 | FortiManager is unable to add FortiAnalyzer and fails to synchronize FortiAnalyzer with current ADOM data with error: Fail(errno=-3):Object does not exist. |
| 650545 | Import may get stuck in an infinite loop when there is a recursive reference. |
| 558176 | Interface-subnet type addresses’ interface are re-set to zone after import, causing the copy to fail during install. |
| 649566 | CLI Template is not able to install an interface with the same name using vpn ipsec phase1-interface and config system ipsec-aggregate. |
| 653388 | IPsec VPN Phase-1 tunnel interface is not added to the VDOM interface list in a VDOM that has a long name. |
| 653465 | FortiManager may not be able to edit DHCP options function on the GUI. |
| 656984 | Importing system template CLI may fail. |
| 552492 | VAP is always loading under CLI configuration. |
| 633767 | There is a typo in Japanese in NTP Service of DHCP Server setting. |
| 651712 | SD-WAN monitor keeps loading and not displaying anything in backup mode ADOM. |
FortiSwitch Manager
| Bug ID | Description |
|---|---|
| 642959 | When re-installing or installing any policy package, FortiManager tries to install security-8021x-dynamic-vlan-id even if there is no 8021x authenticationn configured on FortiManager. |
| 651788 | FortiSwitch Manager is not showing the correct online or offline status. |
Global ADOM
| Bug ID | Description |
|---|---|
| 645702 | Global policy install should not show warnings when a policy package has no installation target. |
| 647736 | Global ADOM policy package assignment may fail. |
Others
| Bug ID | Description |
|---|---|
| 551710 | /bin/ha may have high memory usage. |
| 623147 | FortiManager may never form a HA due to variance in certificates. |
| 626338 | The exec fmpolicy CLI command may not print out a policy package correctly. |
| 635616 | The ADOM integrity check may fail with SD-WAN dynamic interface members. |
| 643784 | FortiManager is crashing on security console and wizard is stopped at 50% of deployment. |
| 647791 | Cloning VDOM object may fail via the CLI. |
| 647156 | FortiManager cannot clone any of the deep-inspection ssl-ssh-profiles using JSON API. |
| 657566 | After upgrade, copy may fail for central SD-WAN with configuration error error service – 2 :-2 – Please assign a member. |
Policy and Objects
| Bug ID | Description |
|---|---|
| 525625 | When configuring web filter rating override, the configuration is pushed to all the VDOMs even a web filter is not used. |
| 540716 | Under Policy,there is no Session Count, Session First Used, Session Last Used options in the Column Settings drop-down list. |
| 553462 | FortiManager may prompt the error, Zone member VLAN is used by another zone, when installing policy package. |
| 569226 | The section title should always be displayed for filtered policy and the section title should not be deleted after policy was deleted. |
| 578501 | FortiManager should show global icon for global objects assigned to ADOMs. |
| 581588 | Central SNAT policy does not support showing IPv6 address in the table. |
| 593417 | FortiManager shows incorrect action for allowing invalid SSL certificates. |
| 596533 | Renaming policy package changes the implicit policy’s Log Violation Traffic setting to No Log. |
| 609300 | FortiManager may not be able to import all Cisco ACI Fabric Connector address. |
| 612445 | Policy package for v5.6 cannot be installed on v6.0 devices if default deep SSL inspection is used. |
| 613840 | Process bar does not show correct status when some addresses fail to import for fabric connector. |
| 614710 | Search result in device interface should display the zone that the interface is a member of. |
| 615117 | Policy Package section is not sent over to FortiGate if Policy Blocks are under the section in FortiManager. |
| 620890 | Unlock and discard changes on policy package may create duplicate section titles. |
| 625665 | Policy package installation may fail due to certificates errors after creating a new VDOM. |
| 626060 | FortiManager cannot set per-device mapping for user-radius-accounting-server-source-ip. |
| 628389 | When workspace is enabled, Policy Package status may change to Modified when there is nothing to be installed. |
| 628748 | When scrolling through URL Filter list under Web Filter Profile, the list either takes time to load or it does not show all URLs. |
| 630055 | Some custom application signatures have id 0 in the application list. |
| 630582 | Deleted policy IDs may still appear in the GUI. |
| 630891 | Cloned policy may not get installed onto devices. |
| 631405 | FortiManager should check for mgmt interface configuration for dedicated to mgmt setting before allow using the interface on a policy. |
| 632545 | Installing policy package may result in an error: Could not read zone validation results. |
| 632715 | In DoS policy, changing quarantine from attacker to none keeps quarantine-expiry set incorrectly. |
| 632771 | Sometimes users are not updated on FortiManager after a new session is created on ISE. |
| 633248 | Web proxy profile is not being installed on FortiGate when the proxy type is Transparent-web. |
| 633431 | Changing to Classical Dual Pane disables Policy Hit Count. |
| 633727 | FortiManager is unable to display summary of policy package diff for VDOM with a long name. |
| 634597 | FortiManager may unset speed on ports which are configured with 10000full. |
| 636010 | FortiManager cannot push custom application signatures from different policy packages to the same FortiGate. |
| 636133 | When is bfd disabled, FortiManager should exclude bfd-desired-min-tx and bfd-required-min-rx from installation. |
| 636732 | Copying policy causes interface binding contradiction for object member. |
| 637688 | FortiManager prompts the error message, The data is invalid for selected url, when copying and pasting policy to a different policy package. |
| 639753 | After a FortiToken is activated on the FortiGate, the next policy install from FortiManager would unset reg-id and os-ver on the token. |
| 640400 | FortiManager may purge the list of resolved IPs of a dynamic address on the FortiGate. |
| 640662 | Policy page shows a blank entry for the Users column when device group is selected. |
| 643098 | FortiManager may have slow installation of policy package due to many VIPs have the same external VIP. |
| 643113 | Changing an Accept policy to Deny when the policy contains a Security Profile Group results in installation failure. |
| 643930 | Finding Duplicate Objects shows does not display duplicated addresses if wildcard is empty. |
| 643957 | When there are many firewall addresses, FortiManager may be slow to show all addresses under CLI Only Objects. |
| 645367 | Discarded policy deletion in Policy Package may delete all policies while they are still visible on the GUI. |
| 645661 | A valid custom IPS signature may still trigger invalid IPS data error. |
| 647337 | FortiManager may fail to retrieve FSSO user groups via FortiGate. |
| 599129 | While editing policy from Policy Package, it is not possible to select SSL/SSH Inspection profile. |
| 618321 | FortiManager is unable to create RSSO Group if Agent is configured with a custom name. |
| 620092 | Interface Pair view is not working for Security Policies. |
| 634241 | VIP created using CLI script is not available to use in a policy. |
| 644689 | FortiManager may not be able to load application control profile. |
| 583151 | FortiManager should not change the default value of scan-mode and ssl-ssh-profile/inspection-mode when installing v6.0 policy package to v6.2. |
| 600165 | Firewall consolidated policy is still named as SSL Inspection & Authentication when it is profile based. |
| 623833 | Username cannot exceed 35 characters. |
| 640157 | Verification may fail due to wrong default setting of log.memory.global-setting > set max-size’. |
Revision History
| Bug ID | Description |
|---|---|
| 586275 | Policy Package Diff does not show user or admin details. |
| 594933 | Re-installing Policy Package cannot skip to Install Policy Package, which fails validation. |
| 604680 | FortiManager sets FSSO to disable even though FSSO group is in use. |
| 610032 | After upgrade, installation fails due to the set mediatype command of an interface. |
| 610687 | FortiManager should not unset forward-error-correct during install. |
| 613901 | FortiManager may not be able to show more than one log based on one revision ID. |
| 622540 | FortiManager prompts error, no hub configured, for a site even the site is not part of VPN Manager. |
| 632129 | syslogd setting source-ip is still visible after setting status to disable, which causes a verification failure. |
| 633515 | FortiManager should improve error message when FortiManager receives blank or invalid configurations from FortiGate. |
| 643803 | Policy Package Diff may shows all objects as new changes. |
| 646372 | When a customer applies changes to a policy package, then all the policy packages in this ADOM change to a Modified state. |
| 650239 | Installation fails with wireless-controller vap mesh-backhaul setting despite setting being disabled on FortiManager. |
| 652337 | VPN Manager changes may result in unnecessary FortiGate configuration changes. |
| 647180 | Install copy may fail with error message ftgd-wf – – The category is already set in another filter. |
| 634032 | Installing a policy may fail due to log disk setting. |
| 657344 | Installing from 6.0 ADOM may try to unset inspection-mode and unset ssl-ssh-profile on FortiGate 6.2. |
Script
| Bug ID | Description |
|---|---|
| 611396 | When a device is locked, FortiManager cannot show the list of devices to run a script. |
| 634242 | After applying profile-type group on a firewall policy via a script, proxy and SSL profiles should be removed from the corresponding firewall policy. |
| 592660 | Running a script remotely may trigger a full configuration retrieve instead of a partial configuration retrieve. |
Services
| Bug ID | Description |
|---|---|
| 569679 | Port 8888 or 8889 should not always be opened. |
| 647680 | When importing firmware image for FAP 321E, FortiManager reports the platform as a invalid model. |
| 652764 | FortiManager to Enforce Firmware Version may fail to upgrade FortGate to a custom build. |
System Settings
| Bug ID | Description |
|---|---|
| 493533 | FortiManager needs to rename custom default protocol option after upgrade. |
| 556334 | Standard ADOM users should be able to assign system templates to FortiGate devices. |
| 557949 | Changing a password should be enabled by default for all admin users. |
| 579563 | Workflow Session List menu seems to always match the first wildcard TACACS admin. |
| 596212 | SSH filter profile is unset in firewall profile group upon ADOM upgrade. |
| 618213 | When trying to upgrade FortiManager cluster from FortiManager Master GUI, FortiManager Master reboots before finishing to send firmware to FortiManager secondary device. |
| 618607 | Upgrading 5.4 ADOM does not convert delay-tcp-npu-sessoin to delay-tcp-npu-session and delete the option. |
| 628006 | Even though a user has Manage Device Configurations read/write privileges, the user appears to have partial permissions within Device Manager. |
| 637044 | FortiManager may not be able to save changes under Workspace mode and prompt the error Workspace request failed, please try again. |
| 640505 | Remote admin authentication with RADIUS may stop working. |
| 641018 | Upgrading Global ADOM may fail due to Fortinet_NSX local certificate. |
| 644660 | Installation preview may get stuck and system may run out of memory. |
| 647575 | Cloning an ADOM may fail with error 0: invalid value. |
| 655515 | FortiManager may not be able to clone the Security Fabric ADOM. |
| 650326 | After an HA failover, the new master may have incorrect policies. |
| 654370 | Users may not be able to access Java console with an error message: Too many concurrent connections. |
VPN Manager
| Bug ID | Description |
|---|---|
| 594889 | Dial-up IPSec VPN tunnel should show tunnel up on VPN manager monitor as it appears on FortiGate. |
| 621209 | VPN monitor should show the corresponding VPN community tunnels only under each community. |
| 622046 | Local ID should be visible from the GUI and should be able to modify it when using dial-up group. |
| 650454 | Installation may fail when Dialup VPN interface is PPPoE logical interface. |
Znane problemy do rozwiązania:
AP Manager
| Bug ID | Description |
|---|---|
| 599189 | FortiManager should be able to handle upgrading more than 10 APs at once. |
| 633171 | There may be DFS Channel mismatch between FortiManager and FortiGate for FAP-223E. |
Device Manager
| Bug ID | Description |
|---|---|
| 547768 | FortiManager should allow easier management of the compliance exempt lists. |
| 598424 | Interface cannot create more than 48 IP-MAC bindings in DHCP reservation from the GUI. |
| 598916 | When creating user groups via CLI Only Objects, comma separated values are treated as a string instead of a list. |
| 601692 | FortiManager is unable to overwrite IPv6 default route. |
| 604125 | FortiManager may not be able to edit the VDOM link interface from VDOM level. |
| 607923 | Security Fabric Connection option is removed from VLAN interface. |
| 610568 | FortiManager may not follow the order in CLI Script template. |
| 613029 | SD-WAN Monitor is showing effect of exceeded SLA even when it is disabled. |
| 616537 | FortiGate and FortiManager GUI should use similar terminology for configuring weight and volume-ratio in SD-WAN. |
| 627664 | FortiManager cannot understand socket-size 0 and changes it to 1 automatically. |
| 627749 | Admin user with device-config set as read in admin profile cannot download configuration revision. |
| 635316 | Return button is not working when viewing HA mode. |
| 636012 | Importing a policy may report conflict for the default SSH CA certificates. |
| 636357 | Retrieve may fail on FortiGate cluster with Failed to reload configuration. invalid value error. |
| 636638 | Fabric View keeps loading indefinitely. |
| 638061 | FortiGate 7000 may not be added and fails to update device information. |
| 645086 | Policy Lookup shows an error even though the device is in sync. |
| 649769 | FortiManager cannot view full list of Extenders. |
| 649785 | SD-WAN > Monitor may hang for an ADOM with 1500 devices. |
| 652427 | FortiManager may not be able to configure the any value on the access list prefix. |
| 652481 | Allow access is missing under interface on AWS FortiGate and may cause the installation to fail. |
| 575215 | When creating an new interface for a VDOM, FortiManager may list interfaces that may belong to another AODM. |
| 598431 | Install wizard may show a blank area when scrolling down the wizard to select device(s). |
| 618354 | Importing a policy with a profile group will display ssl-ssh profile and proxy options in the GUI. |
| 646421 | FortiManager may not be able to configure the VDOM property resources setting. |
| 649821 | Installation may fail for FortiGate-600D. |
| 657933 | Importing policy should be successful even with the zone name contains the / character. |
| 468776 | FortiManager fails to retrieve device configuration and displays data not exist error (g-xxxx firewall object). |
FortiSwitch Manager
| Bug ID | Description |
|---|---|
| 650453 | FortiSwitch template and VLAN is missing when creating a new firewall policy. |
| 637220 | FortiManager may not able to upgrade FortiSwitch firmware. |
Global ADOM
| Bug ID | Description |
|---|---|
| 632400 | When installing global policy, FortiManager may delete policy routes and settings on an ADOM. |
Policy & Objects
| Bug ID | Description |
|---|---|
| 531112 | Consolidated policy is missing implicit deny policy. |
| 580880 | FortiManager is unable to see dynamic mapping for Local Certificate when workflow session is created. |
| 585177 | FortiManager is unable to create VIPv6 virtual server objects. |
| 586026 | FortiManager should display Zone icon based on existing and non existing dynamic mappings. |
| 597011 | Importing groups from Aruba ClearPass may fail. |
| 598938 | FortiManager should allow setting wildcard-fqdn type firewall address as a destination on proxy policy. |
| 601385 | A Restricted mode admin cannot install Web Rating Overrides changes. |
| 602176 | Creating a proxy policy with a profile group adds additional security profile. |
| 612317 | FortiManager shows the wrong country code for Cyprus under User definition. |
| 615624 | Firewall policy and proxy policy cannot select IP type external resource as address. |
| 617031 | Right-clicking on IPv4/Proxy Policy or Installation Targets should not reload the page if the related information is already displayed. |
| 617894 | FortiManager is missing IPV6 none values after modifying a policy. |
| 618499 | Right-clicking to edit zone incorrectly prompts dynamic interface window. |
| 622040 | Security Policy is missing Implicit Deny policy. |
| 630431 | Some application and filter overrides are not displayed on the GUI. |
| 631158 | FortiManager is unable to import firewall objects of fsso fortiems-cloud user because Server cannot be empty. |
| 635966 | Azure SDN connector only fetches the first page of results. |
| 647189 | FortiManager dynamic object filter generator is adding an „s” at the end of tag resulting in non working object. |
| 648767 | No connection request is sent out for ClearPass connector in an ADOM. |
| 652753 | When an obsolete internet service is selected, FortiManager may show entry IDs instead of names. |
| 654562 | FortiManager may fail to install a profile-group and apply it on a policy. |
| 608535 | NAT option is missing from Central NAT policy package. |
| 651785 | Address section under Policy & Objects > Security Profiles > SSL/SSH Inspection may load indefinitely. |
| 658528 | The URL remote category, FortiGuard Threat Feed, is not available in the dro down menu for Proxy Address. |
Revision History
| Bug ID | Description |
|---|---|
| 597650 | FortiManager cannot install allowed DNS and URL threat feed configuration. |
| 606737 | User may not be able to install a policy package due to a change with external interface with VIP settings. |
| 611169 | Install may fail with error Associated Interface conflict detected! |
| 612263 | FortiManager may not install ADSL vci and VPI to FWF-60E-DSL. |
| 618305 | FortiManager changes configuration system csf settings. |
| 623159 | When re-installing a policy, Zone validation is not saving the user choice and deleting all related policies. |
| 635786 | Default hbdev values may change after upgrade. |
| 635957 | Install fails for subnet overlap IP between two interfaces. |
| 637103 | Scrolling in Install Preview is not smooth and may get stuck. |
| 654496 | Installing configuration to device after Auto link, FortiManager may send incorrect system ntp commands causing the install to fail. |
| 655246 | The adom-rev-auto-delete option may not work to automatically delete revisions. |
Script
| Bug ID | Description |
|---|---|
| 613575 | After a script is run directly on the CLI, FortiManager may fail to reload the configuration. |
| 630016 | FortiGate user can see scripts from all ADOMs. |
| 632014 | When editing a CLI script group, the user cannot see the full CLI script name. |
Services
| Bug ID | Description |
|---|---|
| 541192 | FortiManager should keep firmware image files when the files are for different FortiExtender devices. |
| 567664 | HA secondary device does not update the FortiMeter license. |
| 587730 | FortiGate-VM64-AZURE may not be listed in firmware image page. |
| 654129 | FortiManager may not have the correct upgrade path for FortiGate KVM. |
| 592089 | Firmware upgrade of FortiGate devices via Firmware Manager may be slow if there are offline devices. |
System Settings
| Bug ID | Description |
|---|---|
| 611215 | SNMP Hosts in SNMP Community are not displayed in the GUI if ADOM is unlocked. |
| 625683 | Changes made by ADOM upgrade may not update Last Modified date/time and user admin. |
| 631733 | Changing the trusted IP cannot be saved and installed. |
| 639099 | There are many cdb event log for object changed in event logs after upgrade. |
| 654637 | Changing a non-Super_User password may not take effect after upgrade. |
| 619750 | When upgrading an ADOM from 5.4 to 5.6, FortiManager does not add tcp-session-without-syn in all firewall policies. |
VPN Manager
| Bug ID | Description |
|---|---|
| 596953 | The Monitor page displays a white screen inVPN manager > Monitor, and the user selects a specific community from the tree menu to show only that community’s tunnels. |
| 608221 | There is no XAUTH USER column in VPN Manager Monitor. |
| 620801 | SSLVPN > Edit SSLVPN Settings > IP Range, only shows configuration from ADOM database objects. |
| 645093 | VPN Manager error Peer Type cannot be peer when authentication method is a pre-share key. |
| 658221 | The dns-suffix on SSL VPN portal is not installed if web-mode is disabled. |
Pozdrawiamy,
Zespół B&B
Bezpieczeństwo w biznesie