Fortinet has released the latest update for FortiManager, version 6.4.3! In this release the vendor implemented a large number of fixes. Among others, in AP Manager the bug with sending settings after changing the name of a FortiAP device has been fixed, as has the problem of creating an SSID that could not then be deleted. In FortiSwitch Manager, the problem with the online or offline status being displayed incorrectly, and the device consequently not being visible in FortiManager, has been fixed. The 6.4.3 update improves many things; among the more important improvements, importing policies from FortiGate will no longer be a problem, and after the update FortiManager will be able to refresh multiple devices at once. More information follows in the rest of the article.
|AP Manager central mode is missing AP group with VLAN ID.
|FortiManager prompts installation errors when certain channels are selected for Radio 2 in 5 GHZ band of FAP-421E.
|Dynamic VLAN option is not saved in SSID in AP Manager.
|Changing FortiAP setting to override radio 1 TX power control from auto to manual generates incorrect configuration causing install to fail.
|Unauthorized APs should be displayed so that users can authorize the APs.
|Adding FortiGate using custom admin profile may fail to list FortiAP in AP Manager.
|FortiManager is able to create SSID which cannot be deleted.
|FortiManager sends the wrong device setting after changing the FortiAP name.
|There may be duplicate entries in objcfg_wireless_controller_wtp not allowing the user to delete some custom WTP profiles.
|FortiAP upgrade may not proceed past 20%.
|Brazil country (BR) code does not offer any radio choices.
|VAP is always loading under CLI configuration.
|When customer sets Scheduled Updates configuration to 1 hour in FortiGuard on Device Manager, FortiManager installation preview is configured as set time 1:60.
|The character limit for pac-file-data is set to 4000 under CLI Configuration.
|SD-WAN Monitor is showing effect of exceeded SLA even when it is disabled.
|Device dashboard reboot and shutdown operations may not work.
|Admin users with device-config set as read in the admin profile cannot download configuration revision.
|Return button is not working when viewing HA mode.
|Blocked address, trusted address, disabled signature and disabled-sub-class lists are not displayed on WAF profile CLI Configuration.
|FortiManager should show a clear message when it fails to load device configuration.
|No IPv6 format in router GUI for BGP.
|FortiManager is unable to deauthorize explicit proxy user(s).
|Devices may disappear randomly after upgrade.
|Mapping interface containing "/" results in error Object does not exist during import policy.
|CLI Template is not able to install same name interface using vpn ipsec phase1-interface and config system ipsec-aggregate.
|FortiManager cannot view full list of Extenders.
|Import may get stuck in an infinite loop when there is a recursive reference.
|Interface template may show an empty action list.
|DNS widget may be empty under system template.
|SD-WAN monitor keeps loading and not displaying anything in backup mode ADOM.
|Allow access is missing under interface on AWS FortiGate and may cause installation to fail.
|Device Manager may not be able to open the NTP page.
|IPsec VPN Phase-1 tunnel interface is not added in VDOM interface list with a long VDOM name.
|FortiManager may not be able to edit DHCP options function on GUI.
|When FortiManager is configured in advanced ADOM mode, FortiManager still allows device assignment of CLI Templates/Groups in an ADOM where the management VDOM of that device does not reside in that particular ADOM.
|SD-WAN rule may not show all internet services.
|Import policy may fail due to local certificate.
|When creating VLAN interface with non-management VDOM, no interfaces can be listed.
|FortiManager may lose connection and fail to install after FortiGate HA switching role.
|Interfaces any and virtual-wan-link should not be visible as OSPF passive interface option.
|FortiManager sends unset serial for FortiAnalyzer settings when System Template is being used.
|FortiManager should support increased user local and user group member on FortiGate model 400E or 900E.
|Device configuration may not be updated after running CLI script on remote FortiGate.
|FortiManager should create a new OSPF interface when clicking the OK button.
|FortiManager may take a long time to send SLA updates to more than a thousand FortiGate devices.
|Importing a policy from FortiGate may not complete.
|After upgrade, FortiManager may not be able to refresh multiple devices at once.
|FortiManager is unable to edit or mouse over OSPF route after the seventh line.
|Policy package diff is much slower after upgrade.
|After enabling DHCP relay on one interface, DHCP server is disabled on another interface during install.
|FMG-VM64-AWSOnDemand may show serial number as FMG-VM0000000000 with valid license status.
|FortiSwitch Manager does not show the correct online or offline status.
|FortiSwitch may not be visible under FortiSwitch Manager.
|Global policy install should not show warnings when a policy package has no installation target.
|FortiManager is unable to replace firewall object in Global Header Policy using the option Find and Replace.
|Cloning a global policy package may fail with runtime error -1: invalid value.
workflow mode, FortiManager cannot add devices to policy package installation target via JSON API.
merged_daemons process goes to 100% usage and prevents radius authentication.
|FortiManager cannot clone any of the deep-inspection ssl-ssh-profiles using JSON API.
|When using the Wireless Manager, FortiManager automatically returns to the main page after about 20 seconds.
|Docker interface range may create network conflict with the user’s network.
|After upgrade, copy may fail for central SD-WAN with configuration error, error service – 2 :-2 – Please assign a member.
|Error may occur when checking and repairing invalid object sequence with diagnose cdb upgrade check.
|FortiManager is unable to configure system admin ssh-public-key via JSON API.
|HA sync error may print repeatedly on secondary FortiManager.
|Add an option in FortiManager CLI to skip unmapped normalized interface for input-device.
Policy and Objects
|When configuring web filter rating override, the configuration is pushed to all the VDOMs even when the web filter is not used.
|Consolidated policy is missing implicit deny policy.
|FortiManager should not change default value of scan-mode and ssl-ssh-profile/inspection-mode when installing v6.0 policy package to v6.2.
|While editing policy from Policy Package, it is not possible to select SSL/SSH Inspection profile.
|Firewall consolidated policy is still named SSL Inspection & Authentication when it is profile based.
|FortiManager should be able to modify per-device mapping for global VIP in local ADOM.
|Within the anti-virus profile, the Send Files to FortiSandbox Appliance for Inspection option should not always be set to None.
|FortiManager is unable to create RSSO Group if the agent is configured with custom name.
|Interface Pair View is not working for Security Policies.
|Username cannot exceed 35 characters.
server-cert-mode to replace may cause install failure if
|Users may not be updated on FortiManager after a new session is created on ISE.
|VIP created using CLI script is not available to use in a policy.
|Azure SDN connector only fetches the first page of results.
|FortiManager intermittently not displaying custom objects inside of address group.
|Verification may fail due to wrong default setting of log.memory.global-setting > set max-size.
|FortiManager may not be able to load application control profile.
|Existing objects may disappear while editing policy and adding new one in batch mode.
|Policy Lookup should be available on GUI.
|Address section under Policy & Objects > Security Profiles > SSL/SSH Inspection may load indefinitely.
|FortiManager should remove interface reference check for normalized interface per-device mapping.
|FortiManager is unable to create and display destination of imported internet service custom object.
|Policy Consistency Check may return duplicate address object names.
|FortiManager may not be able to add a proxy policy and it may not be able to search on source address field.
|Policy object panel search may not work on source user group field.
|FortiManager should not allow unsupported options in Certificate Inspection SSL/SSH inspection profiles to be visible.
|FortiManager should provide more descriptive error message when copy fails.
|Renaming address object may bypass the length check.
|FortiManager may not be able to add more than 10240 service objects.
|Cloning DNS filter profile that is assigned from Global ADOM results in Response with errors.
|Policy Package Diff does not show user or admin details.
|Installing mobile token that does not belong to target FortiGate may fail.
|FortiManager may not install ADSL vci and VPI to FWF-60E-DSL.
|FortiManager should support the configuration, set initiator-ts-narrow enable.
|FortiManager prompts error, 'no hub configured', for a site even when the site is not part of VPN Manager.
|Install copy may fail with error message ftgd-wf – – The category is already set in another filter.
|Install fails for adding md5-key on OSPF interface when default authentication is set as None.
|Installation fails with wireless-controller vap mesh-backhaul setting despite setting being disabled on FortiManager.
|VPN Manager changes may result in unnecessary FortiGate configuration changes.
|Installing configuration to device after Auto link, FortiManager may send incorrect system ntp commands causing install to fail.
|Install may fail for youtube-channel-filter after creating a web filter profile.
|Copy may fail due to missing Health Check in device database.
|FortiManager may try to delete dynamically generated EMS firewall addresses which causes install failure.
|Installing from 6.0 ADOM may try to unset inspection-mode and unset ssl-ssh-profile on FortiGate 6.2.
|FortiManager may disable the l2forward and stpforward settings on virtual switch interface when installing policy package.
|FortiManager should not try to unset ssl-ssh-profile configuration if it is already configured.
|FortiManager may try to purge all web rating override entries.
|Install preview may not show CLI configurations correctly.
|Running a script remotely may trigger a full configuration retrieve instead of a partial configuration retrieve.
|After it is locked on a device, FortiManager cannot show the list of devices to run a script.
|FortiManager cannot set system admin password with ENC format via CLI template.
|When editing CLI script group, user cannot see the full CLI script name.
|Running a script in Policy & Objects does not update Save status.
|FAD-VM license may not be validated on FortiManager.
|FortiGate-VM64-AZURE may not be listed in firmware image page.
|FortiManager may show incorrect firmware upgrade path.
|In FortiManager, Enforce Firmware Version may fail to upgrade FortiGate to a custom build.
|FortiManager may not have the correct upgrade path for FortiGate KVM.
|FortiGuard license status page should have an option to show all FortiGate HA cluster contracts.
|Certificate request CRS does not include the SAN DNS.
|Standard ADOM users should be able to assign system templates to FortiGate devices.
|Removing enrollment method from local certificate.
|ADOM upgrade from 5.6 to 6.0 may fail due to invalid per-device mapping.
|SSH filter profile is unset in firewall profile group upon ADOM upgrade.
|Mail Server setting within Event Handler Notifications is not synchronized from FortiManager to managed FortiAnalyzer.
|SNMP Hosts in SNMP Community are not displayed in the GUI if ADOM is unlocked.
|When upgrading ADOM from 5.4 to 5.6, FortiManager does not add tcp-session-without-syn in all firewall policies.
|There are many cdb event logs for object changed in event logs after upgrade.
|Remote admin authentication with RADIUS may stop working.
|After HA failover, the new primary device may have incorrect policies.
|Users may not be able to access Java console with an error message: Too many concurrent connections.
|After upgrade, non super_user password changes may not take effect.
|FortiManager may not be able to clone the Security Fabric ADOM.
|FortiManager requesting AuthnContext PasswordProtectedTransport causes errors if IdP is Azure AD with MFA.
|ADOM upgrade to 6.4 may hang and cause cdb reader to crash.
|FortiManager may not be able to upgrade ADOM from 6.2 to 6.4 when Policy Block is used.
|FortiManager needs to handle IPv6 policy migration with policy block.
|Log service may shut down and restart routinely.
|HA may crash when upgrading.
|ADOM upgrade may fail when FortiManager has workspace-mode set to
|Global web rating overrides may not be assigned after upgrade.
|Event logs should not contain users who are not responsible for synchronizing device manager database between FortiManager and FortiAnalyzer.
|Customer should be able to select the OS to allow or deny an SSL-VPN tunnel connection.
|Installation may fail when Dialup VPN interface is PPPoE logical interface.
|VPN Manager needs to support dynamic address group that has nested dynamic address objects.
KNOWN ISSUES TO BE RESOLVED:
|FortiManager should be able to handle upgrading more than 10 APs at once.
|There may be DFS Channel mismatch between FortiManager and FortiGate for FAP-223E.
|DHCP server is incorrectly created for Bridge SSID.
|FortiManager should be able to classify Rogue FortiAPs.
|FortiManager should allow easier management of the compliance exempt lists.
|When creating a new interface for a VDOM, FortiManager may list interfaces that may belong to another ADOM.
|FortiManager CLI Configuration shows incorrect default wildcard value for router access-list.
|Interface cannot create more than 48 IP-MAC bindings in DHCP reservation from GUI.
|Install wizard may show a blank area when scrolling down the wizard to select device(s).
|When creating user groups via CLI Only Objects, comma separated values are treated as a string instead of a list.
|FortiManager may not be able to edit VDOM link interface from VDOM level.
|Removing Security Fabric Connection option from VLAN interface.
|FortiManager may not follow the order in CLI Script template.
|Configuration status may be shown modified after added FortiGate to FortiManager.
|Importing a policy with profile group will display ssl-ssh profile and proxy options in the GUI.
|FortiManager cannot cooperate with socket-size 0 and changes it to 1 automatically.
|After an auto-configured IPv6 address is changed on FortiGate, the address is not updated in the device database.
|Importing a policy may report conflict for the default SSH CA certificates.
|Retrieve may fail on FortiGate cluster with Failed to reload configuration. invalid value error.
|Fabric view may get stuck at loading.
|FortiGate 7000 may not be added and result with failure to update device information.
|FortiManager is unable to configure FortiSwitch port mirroring.
|Policy Lookup shows an error even though the device is in sync.
|FortiManager may not be able to configure VDOM property resources setting.
|SD-WAN > Monitor may hang for an ADOM with 1500 devices.
|Installation may fail for FortiGate-600D.
|SD-WAN monitor may get stuck loading when an admin user belongs to device group.
|FortiManager may fail to add another FortiManager in Fabric ADOM.
|FortiManager may not be able to configure the any value on the access list prefix.
|VDOM count is not correct when vdom-mode split-vdom is configured on FortiGate with VM0xV license.
|FortiManager should be able to provision CLI-template, SD-WAN-template, and Policy Package together to the model device.
|FortiManager should be able to identify and show default SSL-SSH profile as read-only profiles.
|FortiManager is unable to clone SNMP Community under System Templates.
|FortiManager should list VAPs in CLI only object.
|Time zone is displayed as IST when FortiGate is set to GMT.
|User with full R/W DVM privileges should be allowed to see and modify the System Provisioning Templates.
|GUI returns no warning when 4-byte AS or invalid community being configured on Standard community.
|BGP Neighbors table does not have height limit and vertical scroll bar.
|GUI should generate error message when using invalid IP address or special characters in interface name.
|FortiManager does not create dynamic mapping for address group causing import failure.
|SD-WAN monitor hangs while loading when admin profile is set to Read-Only for SD-WAN.
|When VDOM is enabled on FortiGate, backup ADOM is out of sync if changed by an administrator with a profile that has the same privileges as the super_admin profile.
|FortiManager does not allow the user to configure FortiGate admin password longer than 32 characters.
|When creating an API admin from CLI Configuration, Trusted Host section is missing.
|FortiManager should allow more than ten incoming source interfaces for policy routing decision.
|FortiSwitch template and VLAN shall appear for firewall policy creation.
|When installing a global policy, FortiManager may delete policy routes and settings on an ADOM.
|User should not be able to delete global object when ADOM is not locked.
|Assigned header policy from the global ADOM shows up on excluded policy package.
|Promoting the Profile Group object should not promote the default Protocol option.
linked_to_model are not working for add model device with JSON API.
|ADOM restricted access user is able to pull Device Manager information from ADOMs via JSON API.
Policy & Objects
|FortiManager GUI should not allow creating Security Profiles without any SSL/SSH Inspection Profile defined.
|FortiManager is unable to see dynamic mapping for Local Certificate if workflow session is created.
|FortiManager is unable to create VIPv6 virtual server objects.
|NAT option is missing from Central NAT policy package.
|FortiManager shows incorrect country code for Cyprus under User definition.
|Firewall policy and proxy policy cannot select IP type external resource as address.
|FortiManager is missing IPV6 none values after modifying policy.
|FortiManager is constantly changing UUID for firewall address object.
|Some application and filter overrides are not displayed on GUI.
|FortiManager is unable to import firewall objects of fsso fortiems-cloud user due to Server cannot be empty.
|When an obsolete internet service is selected, FortiManager may show entry IDs instead of names.
|The URL remote category, FortiGuard Threat Feed, is not available in the drop down menu for Proxy Address.
|Install may fail due to web filter profile in flow mode with setting changes available in proxy mode only.
|There is no Decrypted Traffic Mirror option in policy when only one port mapping is enabled in Full SSL/SSH Inspection.
|FortiManager does not report error when an unsupported FQDN address format is created.
|Search box for address may not always work.
|FortiGate should be able to synchronize and resolve dynamic address group to the IP address from FortiManager with NSX-T integration.
|Fabric SDN Connector is installed on FortiGate even if it is not in use.
|User may not be able to install policy package due to a change with external interface with VIP settings.
|FortiManager changes configuration system csf settings.
|Zone validation in Re-Install Policy is not saving the user choice and deleting all related policies.
|Installing a policy may fail due to log disk setting.
|Install fails for subnet overlap IP between two interfaces.
|Scrolling in Install Preview is not smooth and may get stuck.
|The adom-rev-auto-delete option may not work to automatically delete revisions.
|FortiManager is missing device-type option for custom device dynamic mapping.
|FortiManager may add unexpected IPv6 address to IPv6 address field when deleting ::/0.
|FortiManager is missing the SSH protocol in DLP filter.
|FortiManager dynamic object filter generator is adding an "s" at the end of tag resulting in non-working object.
|After adding and removing Security Profile, policy Security Profile change from no-inspection to empty.
|FortiManager may be slow to add or remove a URL entry on web filter with a large list.
|FortiManager should not allow VIP to be created with same IP for External IP and Mapped IP Address.
|GUI stuck in loading when trying to apply changes made to Anti Virus profile.
|FortiManager may take a lot of time to update web filter URL filter list.
|FortiManager is not allowing reorder between Policy Blocks.
|IPS signatures may not match between FortiGate and FortiManager.
|FortiManager may not be able to detect some duplicate objects.
|Without selecting security profile group on proxy policy, FortiManager should fail to install with a proper error message.
|FortiManager does not parse user information from NSX-T manager.
|User should not be able to create a firewall policy with an Internet service with Destination direction in Source by using drag and drop.
|Web URL Filter is deleted when URL Filter option is unchecked under the Web Filter Profile.
|FortiManager may freeze when editing the comment field on a policy package with many policies.
|After script is run directly on CLI, FortiManager may fail to reload configuration.
|FortiGate user can see scripts from all ADOMs.
|Using CLI script to create SD-WAN with auto-numbering, edit 0, may not work.
|Changes using CLI Script may not be applied to devices in the container or folder.
|Installation fails when installing global v6.2 IPv4 policy to v6.4 FortiGate.
|Installing from FortiManager, it may undo comment, organization, and subnet-name during the install.
|Default value of global: system npu ip-reassembly:max-timeout NPU setting in ADOM 6.0 for FortiGate-1800F should be changed to 10000 to avoid Conflict status.
|Install preview shows the comment field of policies that is already present on the managed devices.
|FortiManager should keep firmware image files when the files are for different FortiExtender devices.
|HA secondary device does not update FortiMeter license.
|Hide or show license expired devices may not work.
|FortiManager installs the latest IPS and application control signatures on managed device despite the To Be Deployed Version is configured.
|Certificate request CRS does not include the SAN DNS.
|FortiManager two-factor authentication admin login is missing the option for FTK Mobile push notification authentication.
|FortiManager should show details in the fnbamd debug if login fails due to trusted hosts.
|FortiManager prompts error while importing CA certificate.
|Changes made by ADOM upgrade may not update Last Modified date/time and user admin.
|Changing trusted IP can be saved and installed.
|FortiManager is unable to delete mail server with error message used displayed.
|FortiManager HA may go out of synchronization periodically based on the logs.
|ADOM upgrade may fail caused by invalid setting of ssl-exempt.
|Firewall addresses may not be visible on GUI after upgrading FortiManager.
|FortiManager should have better log message when aborting device upgrade.
|Upgrading FortiManager may delete syslog configuration.
|When the user goes to VPN manager > Monitor, and selects a specific community from the tree menu to show only that community’s tunnels, the monitor page displays a white screen.
|There is no XAUTH USER column in VPN Manager Monitor.
|SSLVPN > Edit SSLVPN Settings > IP Range, only shows configuration from ADOM database objects.
|FortiManager is unable to edit an SSL portal in VPN Manager containing "/" special character.
|The dns-suffix on SSL VPN portal is not installed if web-mode is disabled.
Vendor release notes: FortiManager 6.4.3