Fortinet has published the first firmware release for FortiManager in the new 6.4 family! Starting with version 6.4.0, administrators can generate a free, perpetual trial license for managing three FortiGate devices. FortiManager has also gained a new SDN connector for VMware vCenter, and connectors for Aruba ClearPass are supported as well. The manager now also supports a cluster of FortiAnalyzer devices, and the options for installing policy packages on selected devices have been extended. FortiManager can also enforce a firmware version of our choice on "new" devices in our infrastructure (FortiAP, FortiSwitch). More information in the article!
What's new in FortiManager 6.4:
- Free registration of perpetual trial licenses
You can obtain a free trial license for logging from up to three devices. Trial licenses do not expire.
- Go to the FortiManager VM login page.
- Click Login with FortiCloud.
- Enter your FortiCloud account credentials and click Login. A FortiCloud account is required to generate the free license.



Go to System Settings > Dashboard to view the license status in the License Information widget.

To view the trial license in FortiCloud, log in to your account and click Asset > Manage/View Products.

- FortiManager support for FortiAnalyzer HA
You can manage FortiAnalyzer HA with FortiManager. FortiManager retrieves the list of cluster members and updates the information on every change, including a FortiAnalyzer HA failover or a change of members.
To enable FortiAnalyzer HA support:
- Go to Device Manager > Device & Groups.
- Click the down arrow next to Add Device.
- Select Add FortiAnalyzer.
- A dialog box opens.

In the Add FortiAnalyzer dialog, add the FortiAnalyzer HA to the FortiManager DVM using the VIP of the HA cluster, and click Next.
The FortiAnalyzer HA is detected based on the HA status information. Click Next to continue.


- Multiple device selection and consolidated install preview for policy package installation
You can now preview the policy package and device settings on up to 10 devices when using the Install Wizard. Multiple device selection is available in Device Manager and in the Policy & Objects tiles.





- FortiManager detects an unauthorized FortiAP connected to a managed FortiGate
You can now authorize unknown APs that are connected to a managed FortiGate through FortiManager.



- Enforce firmware version when on-boarding a new FortiAP
You can enforce the firmware version on a FortiAP device using FortiManager.
To enforce the firmware version:
Go to AP Manager > Managed APs.
Click Create New on the toolbar. A dialog box opens.

In the dialog box, configure the FortiAP device settings.
Enable the Enforce Firmware Version option to enforce the firmware version, and select the firmware version from the drop-down menu.
Click OK to add the device.
In the tree menu under AP Manager > Managed APs, a model FortiAP device is created and added to the managed FortiGate.
The model FortiAP is displayed as an authorized AP that is offline.

After the AP is connected to the FortiGate and comes online, wait about 10 minutes for the enforced firmware to be displayed.
Select the AP, click More on the toolbar, and select Refresh.


- Enforce firmware version when on-boarding a new FortiSwitch
You can enforce the firmware version on a FortiSwitch using FortiManager.
To enforce the firmware version:
Go to FortiSwitch Manager > Managed Switches.
Click Create New. The Add Model FortiSwitch pane is displayed.

In the Add Model FortiSwitch dialog box, configure the settings for your FortiSwitch.
Enable the Enforce Firmware Version option to enforce the firmware version, and select the firmware version from the drop-down menu.
Click OK to add the FortiSwitch.
In the tree menu under FortiSwitch Manager > Managed Switches, a model FortiSwitch is created and added to the managed FortiGate.

When the FortiSwitch is online, FortiManager sets the firmware to the enforced version.
Here the firmware is upgraded from the previous version 194 to version 202.


- SDN connector to VMware vCenter
You can create SDN connectors for VMware vCenter to allow FortiGate to retrieve dynamic addresses from VMware vCenter via FortiManager.
Below is an overview of configuring an SDN connector for VMware vCenter:
- Create an SDN connector for VMware vCenter. See Creating SDN connectors for VMware vCenter.
- Create a dynamic address object that references the SDN connector for VMware vCenter. See Creating dynamic addresses.
- Create a firewall policy. See Creating firewall policies.
- Install the changes to FortiGate. See Installing changes to FortiGate.
- FortiGate can retrieve dynamic addresses from VMware vCenter via FortiManager.
- FortiManager firmware upgrade from FortiGuard servers
You can upgrade FortiManager firmware using the images available on the FortiGuard servers. A green check mark next to the available firmware images indicates the recommended FortiManager upgrade path. If needed, you can also upgrade to a firmware image that is not recommended.

Resolved issues:
AP Manager
| Bug ID | Description |
|---|---|
| 588096 | FortiManager removes the Multiple Pre-shared Key entry after it is edited. |
| 604642 | Changing SSID Groups makes changes on all member SSIDs. |
| 521404 | Refresh or close button does not work in the AP Health Monitor widget. |
| 553985 | FortiManager incorrectly sets „security-external-web” when external authentication is selected. |
| 561911 | FortiManager may take over two minutes to display map in AP Manager. |
| 568631 | Per-Device Mapping for FortiAP SSID in Bridge mode should not have IP and it is missing VLAN field. |
| 570937 | AP Manager should allow individual configure LAN Ports. |
| 578123 | Multiple dhcp-relay-ip cannot be defined. |
| 585157 | FortiManager is missing 802.11ax/ac related settings on FAPU431F and FAPU433F. |
| 593366 | AP Manager may not be able to search for a SSID. |
| 595674 | When attempting to place an AP on a map, there is a considerable border around map image where it is not possible to place an AP to the far right or complete bottom of the floor. |
| 597818 | ADOM upgrade may delete Floor Map in AP Manager. |
| 600899 | FortiManager is unable to delete WiFi profile with forward slash in the name. |
| 603511 | AP Manager may try to unset authentication for SSID when device is configured under per-device mapping. |
Device Manager
| Bug ID | Description |
|---|---|
| 619377 | FortiManager cannot retrieve FortiGate-800D containing more than 2048 Firewall custom services. |
| 576850 | There may be possible VDOM Name inconsistencies between FortiManager and FortiGate. |
| 594905 | FortiManager may take longer to load a system interface. |
| 610015 | Scroll bar in the install preview pop-up is not working properly. |
| 544222 | In device configuration’s log setting, both local traffic log and event logging have Enable All buttons that may not work. |
| 544337 | FortiManager is missing Firmware information when creating or editing a device group. |
| 555635 | Certificate is not visible on GUI after restoring the configuration, which was exported from FortiManager. |
| 563373 | FortiManager should support FortiGate-VM FNDN. |
| 593505 | Provisioning Template sets incorrect syslog severity level under log settings. |
| 601223 | Device database configuration may mismatch with FortiGate even if auto-update happens. |
| 602706 | SD-wan Template may keep loading. |
| 616619 | Using script or CLI only page, user can create interface-policy without setting srcaddr, dstaddr, or service even though they are required fields. |
| 411914 | System Template’s „Enable FortiGuard Security Updates” option should check if „antispam-force-off” and „webfilter-force-off” are disabled. |
| 459895 | FortiManager may not configure an IPS profile on an One-Arm sniffer interface. |
| 523463 | Firmware version not displayed in backup ADOM. |
| 540502 | Installation may fail due to interface’s address mode changes to PPPoE. |
| 541911 | When workspace is enabled, FortiManager cannot run CLI template after it is assigned to a device. |
| 544562 | The „Force this Admin to Change Password Next Time He/She Logs on” option on administrator is not installed to FortiGate. |
| 568626 | FortiManager can only modify the order of DNS forwarder only if the IP addresses are in quotes („”) and when the IP addresses are not separated by comma. |
| 572337 | Config Status may display Modified instead of Conflict status following a failed policy package install. |
| 573293 | After upgrade, FortiManager may not be able to import policy package in Workflow mode. |
| 580485 | After defined per-device mapping a to model device, all policy packages status are changed to Modified. |
| 580533 | Build 0349: Saving configuration with incorrect IP/mask format does not display an error for inner configurations. |
| 581812 | Sorting Extenders by Device Name does not work. |
| 584463 | CLI Template’s comment field cannot be saved. |
| 586550 | Device Manager does not detect newly joined Telemetry group on FortiGate. |
| 587513 | FortiManager should not unset the IPv6 configuration on FortiGate when registering with the „Add Model Device” method. |
| 587610 | FortiManager is unable to show policy package diff of Security Policy. |
| 587693 | Users should able to delete interfaces from aggregate interface. |
| 589814 | User should be able to make interface changes using CLI Configuration. |
| 589826 | Device Manager cannot create EMAC VLAN interfaces over VLAN interface created in root VDOM. |
| 590064 | Device view > VDOM GUI should show which VDOM is the management VDOM. |
| 590321 | Sorting filtered static routes list does not work. |
| 590385 | FortiManager should not have limit of 1024 for VPN local certificate. |
| 590602 | Zero in seconds is lost in Web Filter Override expire time. |
| 591517 | FortiManager should not change VDOM configuration scope with CLI Template. |
| 591894 | User should be able to specify PAC or HTTPS port on GUI after upgrade. |
| 591981 | After modified „set max-revs” value, the change is not immediately reflected on GUI. |
| 592279 | AP Manager does not accept certain wtp-profile settings when switching country. |
| 592646 | When creating a SD-WAN and disabling its status, it causes neither monitor map view nor table view can be displayed. |
| 593244 | User may not be able to change the option, „Send logs to FortiAnalyzer/Manager” under Provisioning Template. |
| 593480 | When there is no interface assigned to SD-WAN, neither map view nor table view can be shown. |
| 594211 | FortiManager should be able to create new VLAN interface on fabric interface and install to FortiGate. |
| 594348 | FortiManager should show buttons to create, edit, and delete TACACS+ on the CLI Configuration page. |
| 594709 | Device Manager may not be able to generate Policy Package Diff result. |
| 594853 | FortiManager may create duplicate VDOMs when retrieve configuration for multiple devices. |
| 595683 | When using workflow mode, changing anything on a policy ID does not modify status of Policy Package. |
| 595803 | When configuring PPPoE from CLI Configuration, installation fails with unexpected deletion of system-interface. |
| 595941 | Importing policy package may unexpectedly convert regular address objects to dynamic address objects. |
| 597284 | When creating a new switch through a script, all configuration is visible in Device Manager but no port configuration is installed. |
| 598230 | Removing Per-device mapping causes all referenced Policy Packages status to become modified. |
| 598650 | SD-WAN monitor table view may not show data for FortiGate 5.6 device. |
| 598912 | Device Manager may not be able to display newly created VDOMs. |
| 599141 | After upgrade, Policy Route menu no longer displays Source Addresses or Destination Addresses. |
| 599768 | FortiManager may not be able to display the second shelf manager. |
| 599769 | FortiManager may not be able to „Enable Security Fabric” on some FortiGate platforms. |
| 602275 | FortiManager may not be able to remove VDOM or device when FortiAnalyzer feature is enabled. |
| 603215 | Fabric is not enabled in allow access after enabling FortiLink on an interface. |
| 603405 | FortiManager cannot set radio-2 band to „802.11ax” under CLI Configuration. |
| 603522 | Fabric should be shown as an option for administrative access. |
| 603542 | Password field should not be deleted when making changes to PPPoE interface. |
| 603606 | FortiManager should accept volume ratio value of 0 within SD-WAN configuration. |
| 603820 | FortiManager fails to import policy when reputation-minimum and reputation-direction are set. |
| 604269 | FortiManager should permit Virtual Wire Pair to use Aggregate interface. |
| 604808 | Verification may fail on system interface tc-mode or phy-mode when installing to FortiGate-60E-DSLJ. |
| 605178 | FortiManager should be able to set „None” interface under on Policy Route. |
| 605946 | Import may fail where there are objects with truncated names. |
| 606628 | FortiManager may fail to retrieve configuration with SAML SP IDP certificate. |
| 607672 | Import may fail with error „user group match is not a member”. |
| 608642 | Importing policy should not make dynamic mapping for policy object when there is only change on hidden attributes. |
| 609757 | Adding a new device on SD-WAN Template may cause Config status to change to Modified on all devices. |
FortiClient Manager
| Bug ID | Description |
|---|---|
| 548572 | FortiManager shows unclear message in FortiClient Profile with „Response with errors” instead of „Device groups cannot be empty”. |
FortiSwitch Manager
| Bug ID | Description |
|---|---|
| 503722 | FortiSwitch Manager and AP Manager reports switches and APs connected to FortiGates as online when the devices are no longer powered on. |
| 573043 | Saving FSW VLANs configuration may trigger error and lead to data loss in Per Device Mapping. |
| 587526 | VLANs in FortiSwitch templates must support per-device secondary IP. |
| 597715 | Under FortiSwitch Manager Per device mode, FortiManager may prompt error [object Object] when trying to create a VLAN with in use VLAN ID. |
| 601242 | Installation may fail due to qtn.fortilink configuration cannot be deleted. |
| 601712 | Under Workflow mode, FortiManager may lose FortiSwitch templates and VLAN configuration. |
Global ADOM
| Bug ID | Description |
|---|---|
| 578089 | Address objects cannot be deleted from the FortiManager’s Global ADOM if they are not being used anywhere. |
| 582171 | FortiManager may not be able to assign all objects from 5.6 global ADOM to a 6.0 ADOM. |
| 587511 | gSSO_Guest_User should work the same as predefined SSO_Guest_User. |
Others
| Bug ID | Description |
|---|---|
| 609040 | Device manager may be empty after upgrade. |
| 364541 | The command, diagnose dvm support list, should include all supported platforms. |
| 581140 | The SNMP, FmDeviceEntPolicyPackageState, always returns (-1), which indicates never installed, regardless of the actual policy package status. |
| 591206 | The SNMP trap, fmDeviceTable, should show VDOM information as well. |
| 611548 | The dbcache.db file size may keep increasing. |
| 550140 | The system-support-fgt configuration is lost if there is a version lower than 5.4 selected prior to upgrade. |
| 551937 | FortiManager should only allow the browser to save and paste credentials at the logon prompt only. |
| 552085 | FortiManager live migration fails with Microsoft Hyper-V and it is not accessible via GUI and SSH. |
| 565515 | User may not be able to create a new SNMP host under System Templates. Workaround: Please add a new SNMP host for System Templates under CLI Configurations within Device Manager. |
| 571235 | Enabling policy hit count may lock ADOM and provoke GUI slowness. |
| 574731 | Builds 0349 and 1121: Some hardware specific SNMP traps are missing from the device SNMP settings and the system provisioning templates. |
| 579648 | FortiManager may generate „fgfmsd” crashes when FortiGate sends registration request to FortiManager. |
| 584053 | FortiManager may show fmgd crashes after switched among pages. |
| 586991 | „Logver” field is missing when FortiAnalyzer is enabled affecting report related features. |
| 589805 | Installing policy package via JSON API with missing interface in zone definition deletes zone and corresponding firewall policies on FortiGate. |
| 590037 | FortiManager CPU usage may spike when going to interface and VPN Phase1 or Phase2 page. |
| 590649 | On FortiClient or FortiDDoS ADOM, the SOC page may refresh constantly. |
| 593245 | FortiManager may show incorrect warning when changing admin profile via CLI. |
| 593421 | Running ADOM integrity check may cause cdb reader to crash. |
| 593819 | FortiManager may generate several fmgd crash logs. |
| 595589 | When running a script on a device with large configuration, dmworker may crash with high CPU spike. |
| 595741 | After ADOM upgrade, FortiManager may report an error on reaching the max limit of firewall-service-custom. |
| 601978 | Diagnostic command may fail to repair database when device is in standalone mode but there are entries in HA member table. |
| 602216 | FortiManager is unable to add SNMP hosts when set alias is configured on a port. |
Policy and Objects
| Bug ID | Description |
|---|---|
| 622040 | Security Policy is missing Implicit Deny policy. |
| 615823 | VPN tunnel is not unset when changing the action of the firewall policy from IPSEC to Accept. |
| 598938 | FortiManager should allow setting wildcard-fqdn type firewall address as destination on proxy policy. |
| 602176 | Creating a proxy policy with a profile group adds additional security profile. |
| 604577 | When logged in as a Restricted Admin or regular User, it is not possible to reference „Web content filter” in a web profile. |
| 612672 | The policy block hit count stays at zero even if the counter increments properly on the FortiGate side. |
| 488897 | SSL VPN policy can be created with a FSSO user group assigned to the policy. |
| 491813 | FortiManager should group IPS Sensor entries with same filters as one rule. |
| 505887 | Internet Service should separate into source and destination |
| 528881 | Users are not able to remove all FSSO objects from selected list that has a large number of entries. |
| 544404 | When a remote user approves a session, session list shows zero sessions. |
| 545605 | Searching on Created Time or Last Modified does not work on policy table. |
| 548573 | FortiManager changes UUIDs of existing objects after policy install. |
| 563629 | Clicking on „+” function should allow users to add Wildcard FQDN objects. |
| 566446 | With a 5.6 ADOM and install to 6.0 FortiGate needs to keep the configured multicast policies and zone on FortiGate. |
| 569576 | Build 1121: Web rating override category change is not reflected in GUI. |
| 571473 | FortiManager should have „Configure Default Value” option for IP Pool. |
| 573250 | Find Duplicate Objects may show inaccurate results due to obj-id. |
| 574560 | Installation from FortiManager may fail with the error, „No response from remote” FortiGate. |
| 578004 | The policy interface colors are different between Device Manager and Policy & Objects. |
| 580484 | Signature, „Apache.Optionsbleed.Scanner”, cannot be selected as IPS Signature but only as „Rate based Signature”. |
| 581495 | Interface Validation should prompt only once per unmapped interface. |
| 581607 | FortiManager 6.2.2 may not be able to install class-id to a FortiOS 6.2.1 device. |
| 581825 | In workflow mode, changes to the SSL VPN portals do not trigger „Modified” status on the policy package. |
| 585021 | Adding or modifying rate based signature on IPS profile resets all rate based signature to default settings. |
| 587624 | Application Control profile page is blank for User with read-write permissions on Policy & Objects. |
| 588548 | Under workspace, addresses may be removed from a firewall policy when merging duplicated addresses. |
| 588684 | Central SNAT option in missing under Policy Package menu when mode is NGFW policy-based. |
| 589645 | GUI disables FSSO status after its removed one of the FSSO user groups with a policy. |
| 589771 | Policy Package installation fails when a Firewall Policy contains a VIP Group mapped to a zone interface. |
| 589775 | Entry without content should not be created when creating an Application Control Profile. |
| 589795 | User should be allowed to create a new tag in firewall policy or select an existing tag. |
| 589808 | After edited policy in policy package, the screen view should remain on the edited policy. |
| 590322 | When an Internet Service Database object is used in the destination field on proxy rule, the field is displayed as an empty field. |
| 590896 | FortiManager has no source interface column in the general view of Proxy Policy. |
| 593853 | Certificate generation fails if the CA certificate does not match ADOM name. |
| 594549 | Editing Per-Device mapping for zone containing slash in the name generates „Method failure” error message. |
| 594811 | Using copy and paste on multiple proxy policies may insert rules in reverse order. |
| 594866 | Internet Services may not match between FortiManager and FortiGate. |
| 594957 | SSL/SSH Inspection profile should not allow „Untrusted SSL Certificates” to be set to Block. |
| 595646 | After selecting a proxy policy and using the „Insert Above/Below” button, the new policy should be created with the same proxy type of the selected policy. |
| 597668 | FortiManager should be able to install the scheduled policy package even though it is scheduled by wildcard user. |
| 597879 | Policy package installation fails with commit check error on system interface dhcp-relay-type. |
| 598493 | FortiManager should get all datacenter information from exsi vm info. |
| 598656 | When long-vdom-name is enabled on FortiGate, installing from FortiManager may show nothing to install. |
| 601073 | When renaming address object, the error „invalid value” is prompted when it should be „object already exists”. |
| 601081 | FortiManager is missing the feature to change IPS Signatures status. |
| 602600 | FortiManager may show any duplicate sections in the policy page. |
| 602871 | FortiManager may show zero on First use, Last used, and Byte count on policy. |
| 604159 | Cloning an existing policy package adds the „clone_of_” to the name even the feature is disabled. |
| 605947 | FortiManager is unable to configure hold down-interval for Virtual Server. |
| 606721 | FortiManager should not allow users to create firewall address with a name which is in conflict with the name of existing wildcard-fqdn addresses. |
| 607370 | When workspace is enabled, auto-install fails with error „no write permission”. |
| 607958 | FortiManager should be able to modify Per-device mapping for global VIP in local ADOM. |
| 608105 | When making changes to Virtual server or Health check for load balance, should be detected and installed to FortiGate properly. |
| 608236 | FortiManager is unable to install ssl-ssh-profile policy updates when disabling protocols on a policy. |
Revision History
| Bug ID | Description |
|---|---|
| 612781 | FortiManager should try to remove any referenced policies prior to creating a zone interface. |
| 492088 | FortiManager attempts to change Chassis ID on FortiGate 7000 series when installing configuration. |
| 543507 | Install fails for newly defined transparent VDOM’s management IP. |
| 555796 | Installing policy on 6K series FortiGate may remove the interface setting „set forward-error-correction rs-fec”. |
| 560888 | FortiManager may unexpectedly reset some parameters for IPS sensor entry. |
| 605899 | FortiManager should not mandate the use of the access key, secret key, and region fields for SDN Connector. |
| 609110 | Config revision created by Script_manager causes error when restored onto the FortiGate directly. |
| 610687 | FortiManager should not unset forward-error-correct during install. |
| 613057 | During install verification, FortiManager is changing the IP of uni-cast heartbeat interfaces after FortiGate cluster failover. |
| 513317 | FortiManager may fail to install a policy after FortiGate failover on Azure. |
| 539829 | FortiManager should be able to delete FortiGate default admin user from FortiManager. |
| 539994 | Installing to FortiGate fails when wildcard-fqdn address is used in SSL profile. |
| 560638 | When checking the Revision Diff between two revisions for multiple times, the result may not be consistent. |
| 560689 | Auto-Update revision is missing „set stp-bpdu-guard enabled”. |
| 578231 | FortiManager tries to push „casi-profile” on a Deny Policy. |
| 582882 | Switch interface should not have duplicate members during device install. |
| 583833 | Auto Link Install skips installation for VLAN interface. |
| 584118 | Router access-list rule’s default value is mismatched causing installation failure. |
| 586979 | FortiManager may complain about duplicate tags and fail to install policy package. |
| 586992 | FortiManager does not install broadcast-forward enabled on „Virtual Switch” to managed FortiGate. |
| 587005 | FortiManager should support the radius-server-vdom setting and be able to install it. |
| 589858 | The BGP „scan-time” value of 0 can be set on FortiGate, but FortiManager resets it to default by „unset scan-time” on the next policy push. |
| 590325 | Installing EMAC-VLAN may fail on verifying device-identification setting. |
| 592062 | Custom Internet Service created on FortiManager systematically fails to be installed on the target FortiGate. |
| 592315 | Installation of Policy Package against a device group may generate copy fail error for one FortiGate device. |
| 594147 | FortiManager does not perform interface binding contradiction check when a firewall policy is using an address group and the user changes an address group member. |
| 597353 | Policy install may remove auth-redirect-addr when disclaimer is set. |
| 598173 | When changing the „User Group Source” from Local to Collector Agent, FortiManager should automatically unset the undesired commands. |
| 599413 | Policy Package Diff is showing differences for passwords when there is no actual difference. |
| 600085 | Some special characters may cause revision history not saved with a full tmp folder. |
| 600833 | When trying to create a local certificate, and assign and install it for remote administration, the install operation fails due to incorrect order of configurations. |
| 601668 | FortiManager may install overlapping VIP objects to FortiGate. |
| 602272 | Installing UUIDs from local-in policies for FortiGate-60F may cause installation failure. |
| 605187 | FortiManager may fail add members into a zone. |
| 607216 | When master-device is set on custom device, type should not be available on FortiManager. |
Script
| Bug ID | Description |
|---|---|
| 593217 | FortiManager is unable to delete Virtual-Switch members via script if the remaining members of interfaces is less than two. |
| 535066 | Task Monitor for script task shows browser 500 error if the return button is selected. |
| 587015 | When user tries to set signature with non escaped quotes from script, the signature becomes separate strings, and the installed string may not be what is expected. |
| 590889 | Using the search bar to assign devices under provisioning templates clears the previous selected device list. |
| 594238 | FortiManager should be able to create overlapping secondary IPs via a script if interfaces are assigned to different VDOMs. |
Services
| Bug ID | Description |
|---|---|
| 563624 | FortiManager dbcontract updated with the entitlement file shows different contracts compared to FortiManager dbcontract updated from FDS. |
| 535066 | Task Monitor for script task shows browser 500 error if the return button is selected. |
| 587015 | When user tries to set signature with non escaped quotes from script, the signature becomes separate strings, and the installed string may not be what it is expected. |
| 590889 | Using the search bar to assign devices under provisioning templates clears the previous selected device list. |
| 594238 | FortiManager should be able to create overlapping secondary IPs via a script if interfaces are assigned to different VDOMs. |
System Settings
| Bug ID | Description |
|---|---|
| 611825 | FortiManager fails to edit the device interface when FortiSwitch is set to RO within admin profile. |
| 592156 | Upgrade task for managed devices in Task Monitor always shows Pending status with 0. |
| 599812 | Stager or pusher admin has no permission to view VDOM interface mapping. |
| 202924 | FortiManager should be able to restore a large backup file via web interface. |
| 535607 | Upgrading ADOM may take a long time due to hit count statistics. |
| 570266 | When saving the values of the administrative access, the values do not save when unchecking HTTPS first before any other value. |
| 571181 | An admin user with read-write system permissions and restricted to one ADOM can change their permission to All ADOMs. |
| 576098 | Event log may not show the correct username when changing a non policy related object. |
| 581450 | ADOM upgrade may hang when DNS or URL filter name is null. |
| 584392 | Admin user with read-only profile should not be allowed to „Revoke Release” in DHCP query and „Bring Tunnel Down/Up” in Query IPsec. |
| 584749 | System Settings may not show the ADOM-VDOM association. |
| 587242 | Build 349: HA Cluster fails after upgrading to 6.0.6 with peer IP using IPv6. |
| 587295 | Admin users with prof_admin_regional profile should be allowed to see all application signatures. |
| 588852 | Idle time is constantly reset for inactive users. |
| 588884 | Event log for merging duplicated objects is missing object name. |
| 594556 | Admin user may not able to authorize FortiGate. |
| 595660 | FortiManager should generate event logs for imported images. |
| 596562 | Administrators allowed to access to only specific ADOMs cannot see „Managed Devices” in those ADOMs. |
| 596580 | Upgrade ADOM may fail on FSSO/SSO. |
| 597765 | ADOM upgrade may stuck with „svc cdb reader” crashes. |
| 599847 | FortiManager may not be able to move VDOMs with long names among different ADOMs. |
| 604069 | IPv6 communication fails after setting interface status between down and up. |
| 606545 | There may be HA synchronization issues when policy hit count is disabled. |
| 608378 | FortiManager is unable to upgrade ADOM due to name conflicts in wildcard FQDN address. |
| 611637 | Policies are not visible when workflow session is created in an ADOM that is upgraded. |
VPN Manager
| Bug ID | Description |
|---|---|
| 616352 | FortiManager may show empty value for phase1 and phase2 proposals. |
| 554080 | VPN monitor may not list all mesh tunnels if the remote VPN peer has a dynamically assigned IP address and subscribes to a dynamic DNS service. |
| 562729 | VPN Manager SSL VPN monitor’s Active Connections column may be blank. |
| 574727 | VPN Manager may not display SSL-VPN settings for some devices. |
| 586613 | FortiManager may randomly install incorrect Phase1 proposal settings. |
| 587760 | Address group dynamic mapping is ignored when it is used as a protected subnet with VPN Manager. |
| 589101 | VPN Manager prompts the copy error "no hub configured for vpn" if the hub is an external gateway with no device assigned. |
| 589669 | FortiManager shows installation error when there are two Hubs in VPN community where Hub-to-Hub Interface is set to "None". |
| 590765 | The tunnel-search and net-device attributes are not being installed if device role is set as spoke. |
| 599242 | For Dialup tunnels, auto-negotiate should only be applied to spokes. |
Known issues:
AP Manager
| Bug ID | Description |
|---|---|
| 610116 | FortiManager cannot choose platform mode between Dual 5G and Single 5G for FAP-U431F or FAP-U433F. |
| 620460 | FortiManager needs to update Frequent Handoff and AP Handoff as global settings instead of per radio. |
| 620522 | Import fails on FAP-U431F or FAP-U433F, which has DFS channels configured for Japan or Taiwan region. |
| 624238 | Changing AP mode to dedicated monitor may cause install to fail. |
| 555159 | AP Manager still shows the SSID after deleting it from Device Manager. |
| 620117 | AP Manager needs to support FortiAP-U431F and FortiAP-U433F. |
| 623903 | AP Manager cannot upgrade FortiAP’s firmware image. |
| 607107 | FortiManager prompts installation errors when certain channels are selected for Radio 2 in the 5 GHz band of FAP-421E. |
Device Manager
| Bug ID | Description |
|---|---|
| 619025 | FortiManager’s SD-WAN shows internal DNS on SLA as PING. |
| 544982 | Policy Package Status may get out-of-sync for all devices when adding one device to Install On. |
| 615092 | FortiManager should allow using FQDN for FortiAnalyzer logging. |
| 616264 | IPv6 extra-address may not convert properly. |
| 619106 | When importing a policy, the conflict page may truncate outputs. |
| 589453 | Application group of type category should not be used for SD-WAN rules. |
| 593364 | FortiManager does not install md5 key for OSPF interface configured from Device Manager. |
| 594474 | FortiManager ADOM in backup mode is not backing up device configuration changes from super_admin remote radius accounts. |
| 595058 | When the user sets Scheduled Updates configuration to 1 hour in FortiGuard on Device Manager, FortiManager installation preview is configured as set time 1:60. |
| 599819 | Changing static route from subnet to named address does not push the change to FortiGate. |
| 601692 | FortiManager is unable to overwrite IPv6 default route. |
| 525051 | Automation stitch cannot add FortiGates to automation. |
| 552492 | VAP is always loading under CLI configuration. |
| 558176 | Interface-subnet type addresses interface are re-set to zone after they are imported leading to copy fail during install. |
| 547768 | FortiManager should allow easier management of the compliance exempt lists. |
| 586809 | FortiManager incorrectly counts VDOM licenses for FortiGate 7000 series. |
| 598916 | When creating user groups via CLI Only Objects, comma separated values are treated as a string instead of a list. |
Global ADOM
| Bug ID | Description |
|---|---|
| 623916 | Installing global firewall policy with internet service name may fail for FortiGate 6.4. |
| 624186 | Install may fail when un-assigning and reassigning global policy package. |
| 624265 | FortiManager may fail to edit global policy to change source or destination address from IPv4 to IPv6. |
Others
| Bug ID | Description |
|---|---|
| 622411 | Valid zone and interface mappings are deleted after running the diag cdb check policy-packages command. |
Policy & Objects
| Bug ID | Description |
|---|---|
| 621400 | FortiManager incorrectly sets service to None when service is set as Specify causing the install to fail. |
| 622292 | When an IPv6 SNAT policy is created on FortiGate and then imported to FortiManager, the policy summary table cannot show the source or destination address. |
| 612317 | FortiManager shows incorrect country code for Cyprus under User definition. |
| 614710 | Result of search in device interface should display zone that the interface is a member of. |
| 617031 | Right-clicking on IPv4/Proxy Policy or Installation Targets should not reload the page if the related information is already displayed. |
| 618321 | FortiManager is unable to create RSSO Group if Agent is configured with custom name. |
| 618499 | Right-clicking to edit the zone incorrectly prompts dynamic interface window. |
| 523350 | FortiManager does not show the default certificate under SSL/SSH Inspection within policy. |
| 578501 | FortiManager should show global icon for global objects assigned to ADOMs. |
| 586026 | FortiManager should display zone icon based on existing and non existing dynamic mappings. |
| 599780 | If there are one or more devices that have a policy validation error, FortiManager does not add devices that are "ready to install". |
| 545759 | From or To column filter displays unmapped interfaces in the drop-down list. |
| 547052 | FortiManager GUI should not allow creating Security Profiles without any SSL/SSH Inspection Profile defined. |
| 577201 | Next button should be inactive until zone validation is fixed in the case of "Re-Install Policy". |
Revision History
| Bug ID | Description |
|---|---|
| 594933 | Re-installing Policy Package cannot skip to install policy package, which fails validation. |
| 597650 | FortiManager cannot install allowed DNS and URL threat feed configuration. |
| 473517 | FortiManager should have a proper progress bar for device install preview. |
Script
| Bug ID | Description |
|---|---|
| 623841 | When device filter is set, FortiManager may return loading fail when running a script. |
Services
| Bug ID | Description |
|---|---|
| 437935 | FAD-VM license may not be validated on FortiManager. |
| 541192 | FortiManager should keep firmware image files when the files are for different FortiExtender devices. |
System Settings
| Bug ID | Description |
|---|---|
| 611215 | SNMP Hosts in SNMP Community are not displayed in the GUI if ADOM is unlocked. |
| 556334 | Standard ADOM users should be able to assign system templates to FortiGate devices. |
| 586626 | Users should be able to identify who locked their assigned ADOM. |
VPN Manager
| Bug ID | Description |
|---|---|
| 621187 | When a route is added in the Portal of SSL VPN, the policy package is shown as modified but install preview shows "No command to install". |
| 621209 | VPN monitor should show the corresponding VPN community tunnels only under each community. |
| 596953 | When the user goes to VPN manager > Monitor, and selects a specific community from the tree menu to show only that community’s tunnels, the monitor page displays a white screen. |
Release notes
Regards,
The B&B team
Bezpieczeństwo w biznesie
