Software vendor Fortinet has just released the latest update of its FortiManager product, version 6.4.4. Among other things, the new version resolves a problem with FortiSwitch not working properly in switchport NAC access mode, and a problem with the FortiManager dynamic object filter generator, which appended an "s" to the end of a tag and left the object non-working. Also fixed is FortiManager not showing the default certificate under SSL/SSH Inspection within a policy. For more details about the new software version, read on.
Resolved issues:
AP Manager
| Bug ID | Description |
|---|---|
| 593168 | DFS channel list in WiFi template is inconsistent between FortiManager and FortiGate. |
| 667215 | FortiManager should be able to classify Rogue FortiAPs. |
| 669906 | FortiManager may not be able to install mpsk-key from AP Manager. |
| 679115 | No available interface can be selected when authorizing FortiExtender. |
Device Manager
| Bug ID | Description |
|---|---|
| 604855 | CLI Template should not prevent the lan interface from being deleted once all the dependencies have been removed. |
| 609744 | Device Manager > System > Interface may not be able to delete SSID interface. |
| 627664 | FortiManager cannot cooperate with socket-size 0 and changes it to 1 automatically. |
| 636012 | Importing a policy may report a conflict for the default SSH CA certificates. |
| 643845 | After auto link, FortiGate HA cluster members have the same hostname. |
| 645086 | Policy look-up shows an error even though the device is in sync. |
| 646421 | FortiManager may not be able to configure VDOM property resources setting. |
| 649785 | SD-WAN > Monitor may hang for an ADOM with 1500 devices. |
| 649821 | Installation may fail for FortiGate-600D. |
| 654190 | FortiManager should not modify IPv4 addressing mode when IPv6 addressing mode is changed. |
| 655264 | VDOM count is not correct when vdom-mode split-vdom is configured on FortiGate with VM0xV license. |
| 656433 | FortiManager device delete process may hang. |
| 657988 | FortiManager may lose connection and fail to install after FortiGate HA switches roles. |
| 662243 | FortiManager is unable to clone SNMP Community under System Templates. |
| 662656 | When importing policies that contain a policy block or global policy, the import wizard should give a warning that those policies will not be imported. |
| 664253 | The auto-join-forticloud configuration may cause out-of-sync status. |
| 665344 | A user with full read/write DVM privileges should be allowed to see and modify the System Provisioning Templates. |
| 666833 | GUI returns no warning when 4-byte AS or invalid community is being configured on Standard community. |
| 667826 | Device Manager may display "No entry found", and rtmmond and the security console crash. |
| 669129 | FortiManager does not create dynamic mapping for address group causing an import failure. |
| 669155 | SD-WAN monitor stuck at loading when admin profile is set to Read-Only for SD-WAN. |
| 669704 | FortiManager does not allow the user to configure FortiGate admin password longer than 32 characters. |
| 670839 | FortiManager should be able to configure IPSec Phase2 selector using the same IP range. |
| 671348 | FortiManager should allow more than ten incoming source interfaces for policy routing decision. |
| 672319 | View Config, View Install Log, and Revision Diff in workspace mode should not be greyed out when ADOM is unlocked. |
| 672338 | FortiManager may unset interface weight in SD-WAN when installing within 6.0 ADOM. |
| 673008 | SD-WAN Rules order changes to the default when creating a rule and moving it to the top. |
| 673641 | When creating a policy, all the vwpair names are displayed and not only the names from the installation target. |
| 674282 | FortiManager sends unset entry-id if FortiGate implements NAC access-mode at FortiSwitch switchport level. |
| 674938 | FortiManager should add support for set use-shortcut-sla option in SD-WAN rules. |
| 677241 | Interface speed is incorrectly set on port group due to missing aggregate membership verification. |
| 678066 | Install may fail when changing FortiGate admin password from FortiManager. |
FortiSwitch Manager
| Bug ID | Description |
|---|---|
| 650453 | FortiSwitch template and VLAN shall appear for firewall policy creation. |
| 678804 | FortiSwitch template is not working properly in switchport NAC access-mode. |
Global ADOM
| Bug ID | Description |
|---|---|
| 632400 | When installing a global policy, FortiManager may delete policy routes and settings on an ADOM. |
| 667423 | Assigned header policy from the global ADOM shows up on excluded policy package. |
| 670280 | Promoting the Profile Group object should not promote the default Protocol option. |
Others
| Bug ID | Description |
|---|---|
| 649399 | After upgrade, install may fail if a FortiGate was assigned to a system template. |
| 659916 | FortiManager may consume high memory usage by the svc sys daemon. |
| 661069 | ADOM restricted access user is able to pull Device Manager information from ADOMs via JSON API. |
| 665617 | FortiManager may consume high CPU resource when locking ADOM or loading policy. |
| 670479 | FortiManager configuration file size may be large due to a bulk of resync files. |
| 673210 | When checking unused policy, implicit policy information is not included. |
Policy and Objects
| Bug ID | Description |
|---|---|
| 494367 | Users cannot search address in policy where the address is a part of a nested group. |
| 523350 | FortiManager does not show the default certificate under SSL/SSH Inspection within policy. |
| 547052 | FortiManager GUI should not allow creating Security Profiles without any SSL/SSH Inspection Profile defined. |
| 565301 | Exporting policy package to Excel may not work. |
| 587634 | FortiManager may not be able to create new wildcard FQDN type address to FortiGate 6.2. |
| 601229 | FortiManager is missing device-type option for custom device dynamic mapping. |
| 608268 | Users may not be able to edit firewall policy due to session-ttl:out of range in v5.6 or v6.0 ADOM. |
| 612317 | FortiManager shows incorrect country code for Cyprus under User definition. |
| 615936 | FortiManager is missing the SSH protocol in DLP filter. |
| 633727 | FortiManager is unable to display summary of policy package diff for VDOM with a long name. |
| 647189 | FortiManager dynamic object filter generator is adding an "s" at the end of the tag, resulting in a non-working object. |
| 651991 | After adding and removing Security Profile, the policy Security Profile changes from no-inspection to empty. |
| 657026 | The GUI hangs in loading when trying to apply changes made to Anti Virus profile. |
| 658528 | The URL remote category, FortiGuard Threat Feed, is not available in the drop down menu for Proxy Address. |
| 660804 | Kubernetes SDN connector may show less options than on FortiGate. |
| 661590 | Without selecting security profile group on proxy policy, FortiManager should fail the install with a proper error message. |
| 666913 | Web URL Filter is deleted when URL Filter option is unchecked under the Web Filter Profile. |
| 667414 | FortiManager may freeze when editing the comment field on a policy package with many policies. |
| 668649 | Install may hang at 75% when no VLAN interface is configured for fsp managed-switch. |
| 669389 | Install may fail due to web filter profile in flow mode with setting changes available in proxy mode only. |
| 670019 | There is no Decrypted Traffic Mirror option in a policy when only one port mapping is enabled in Full SSL/SSH Inspection. |
| 670833 | Search box for address may not always work. |
| 671265 | Global object assignment may not work. |
| 671693 | Internet Service Group should give an error or a warning when the direction setting is not the same. |
| 671985 | Decrypted Traffic Mirror setting is not being removed from policy after changing the SSL Inspection method. |
| 671988 | FortiManager is not able to push dynamic objects to FortiGate after receiving the configurations from NSXT connector. |
| 673305 | Policy package install may stall and fail due to high memory usage. |
| 673311 | Full SSL/SSH Inspection profile’s Invalid SSL Certificates setting is not taking effect when Inspect All Ports is selected. |
| 674899 | FortiManager may not be able to edit proxy addresses objects. |
| 675199 | Local web category override is not installed if web filter is part of policy block package. |
| 675501 | Policy check may show negative values. |
| 675541 | Deleting an override entry should trigger modified status for policy packages with FortiGuard Category Based Filter enabled within web filter profile. |
| 675587 | Firewall VIP hover-over popup should not show ports when port forwarding is disabled. |
| 678439 | FortiManager may always configure empty application parameter values. |
| 680750 | IPS Profile is not able to set to action „Monitor” in the signature filter. |
| 681342 | Devices are evicted from Installation target after authorizing a new device. |
| 682370 | Having changed an IPS profile on the security profile, the change is not visible when editing the policy again. |
Revision History
| Bug ID | Description |
|---|---|
| 492088 | FortiManager attempts to change Chassis ID on FortiGate 7000 series when installing configuration. |
| 579286 | Installation may fail for FortiGate 6.2 within ADOM 6.0 due to configuration changes with virtual-wan-link member weight and volume-ratio, and internet-service-ctrl. |
| 637465 | Installation fails when installing global v6.2 IPv4 policy to v6.4 FortiGate. |
| 642075 | Install may fail with delete metadata-server error. |
| 660525 | When installing from FortiManager, it may unset comment, organization, and subnet-name during install. |
| 662438 | FortiManager may try to purge all web rating override entries. |
| 662661 | Default value of global: system npu ip-reassembly:max-timeout NPU setting in ADOM 6.0 for FortiGate-1800F should be changed to 10000 to avoid Conflict status. |
| 667148 | When a policy install is performed, Install preview shows a lot of firewall policies with metafield changes without any actual changes having been made. |
| 673327 | With traffic shaper in Mbps or Gbps, FortiManager should convert it to Kbps if the installation target is a non-64-bit FortiGate model. |
Script
| Bug ID | Description |
|---|---|
| 663820 | The LDAP port value remains 636 on device database and FortiManager is not accepting custom port number via CLI script. |
Services
| Bug ID | Description |
|---|---|
| 591748 | Hide or show license expired devices may not work. |
| 671387 | FortiManager installs the latest IPS and application control signatures on managed device despite the To Be Deployed Version is configured. |
| 673307 | FortiManager may return invalid license to FortiMail and cause AntiSpam license to expire. |
| 674511 | FortiManager should count the number of FMGC expired devices. |
System Settings
| Bug ID | Description |
|---|---|
| 553488 | TACACS is unable to assign multiple ADOMs to admins. |
| 623457 | FortiManager prompts an error while importing CA certificate. |
| 631733 | Changes to trusted IP are not saved and installed. |
| 642205 | While FortiAnalyzer model is disabled, FortiManager may fail to create an ADOM due to over size with disk quota. |
| 654370 | Users may not be able to access Java console with an error message: „Too many concurrent connections.” |
| 660226 | HA may crash when upgrading. |
| 662970 | Firewall addresses may not be visible in the GUI after upgrading FortiManager. |
| 667445 | FortiManager may show errors on „dynamic_mapping.local-int” during upgrade. |
| 674661 | After upgrade, FortiGate VDOM that contains a FortiToken user cannot be managed anymore, and policy install generates an error. |
| 677118 | Upgrading ADOM from 6.2 to 6.4 may fail due to replacement message. |
| 677461 | FortiManager is not able to identify ADOMs that are locked by non-super-user administrators. |
VPN Manager
| Bug ID | Description |
|---|---|
| 596953 | In VPN Manager > Monitor, when a specific community is selected from the tree menu to show only that community's tunnels, the monitor page displays a white screen. |
| 608221 | There is no XAUTH USER column in VPN Manager Monitor. |
| 620801 | SSLVPN > Edit SSLVPN Settings > IP Range, only shows configuration from ADOM database objects. |
| 647394 | VPN Manager with VPN zone feature disabled may trigger policy copy failure. |
| 653328 | FortiManager is unable to edit an SSL portal in VPN Manager containing the "/" special character. |
| 658221 | The dns-suffix on SSL VPN portal is not installed if web-mode is disabled. |
Known issues:
AP Manager
| Bug ID | Description |
|---|---|
| 633171 | There may be DFS Channel mismatch between FortiManager and FortiGate for FAP-223E. |
| 648812 | DHCP server is incorrectly created for Bridge SSID. |
| 674636 | SSID may be empty in AP Manager> WiFi Profiles> SSID column. |
Device Manager
| Bug ID | Description |
|---|---|
| 485037 | Monitor > Map View may fail if proxy is enabled. |
| 575215 | When creating a new interface for a VDOM, FortiManager may list interfaces that may belong to another ADOM. |
| 596711 | FortiManager CLI Configuration shows incorrect default wildcard value for router access-list. |
| 598431 | Install wizard may show a blank area when scrolling down the wizard to select device(s). |
| 604125 | FortiManager may not be able to edit VDOM link interface from VDOM level. |
| 610568 | FortiManager may not follow the order in CLI Script template. |
| 615044 | Configuration status may be shown as modified after adding a FortiGate to FortiManager. |
| 630316 | After auto-conf IPv6 address is changed on FortiGate, the address is not updated into device database. |
| 636357 | Retrieve may fail on a FortiGate cluster with a "Failed to reload configuration. invalid value" error. |
| 636638 | Fabric view may get stuck at loading. |
| 640907 | FortiManager is unable to configure FortiSwitch port mirroring. |
| 651560 | SD-WAN monitor may get stuck loading when the admin user belongs to a device group. |
| 652052 | FortiManager may fail to add another FortiManager in Fabric ADOM. |
| 659387 | FortiManager should be able to provision CLI-template, SD-WAN-template, and Policy Package together to the model device. |
| 659981 | FortiManager should be able to identify and show default SSL-SSH profiles as read-only profiles. |
| 660491 | Device Manager system interface should not allow duplicated secondary IP address. |
| 665207 | FortiManager needs IPv6 support on Syslog server setting. |
| 665955 | FortiManager is not reflecting proper admintimeout value in CLI only object. |
| 666872 | BGP Neighbors table does not have height limit and vertical scroll bar. |
| 667738 | GUI should generate error message when using invalid IP address or special characters in interface name. |
| 670535 | Install fails when creating a new DHCP reservation due to missing MAC address. |
| 670577 | When creating an API admin from CLI Configuration, trusted host section is missing. |
| 674123 | SD-WAN template > SD-WAN Rules options for Load Balance Mode do not match those on FortiOS. |
| 674904 | FortiManager may not be able to import policy with interface binding contradiction on srcintf error. |
| 680516 | Host Name is truncated when name has more than 31 characters. |
| 684955 | Customized system dashboard may disappear after a while. |
FortiSwitch Manager
| Bug ID | Description |
|---|---|
| 667703 | After FortiSwitch is added, running a script to provision may fail. |
| 674539 | FortiManager may fail to upgrade two FortiSwitch devices at the same time. |
Global ADOM
| Bug ID | Description |
|---|---|
| 667197 | User should not be able to delete global object when ADOM is not locked. |
Others
| Bug ID | Description |
|---|---|
| 605560 | Flags is_model and linked_to_model are not working for adding a model device with the JSON API. |
| 678322 | Rebuilding the database may never start when FortiAnalyzer mode is enabled. |
| 681707 | The diagnose cdb upgrade check +all command may unset defmap-intf. |
Policy & Objects
| Bug ID | Description |
|---|---|
| 580880 | FortiManager is unable to see dynamic mapping for Local Certificate if workflow session is created. |
| 585177 | FortiManager is unable to create VIPv6 virtual server objects. |
| 601696 | FortiManager may add unexpected IPv6 address to IPv6 address field when deleting ::/0. |
| 608535 | NAT option is missing from Central NAT policy package. |
| 615624 | Firewall policy and proxy policy cannot select IP type external resource as address. |
| 617894 | FortiManager is missing IPV6 none values after modifying policy. |
| 623100 | FortiManager is constantly changing UUID for firewall address object. |
| 630431 | Some application and filter overrides are not displayed on GUI. |
| 631158 | FortiManager is unable to import firewall objects of an fsso fortiems-cloud user due to a "Server cannot be empty" error. |
| 652753 | When an obsolete internet service is selected, FortiManager may show entries IDs instead of names. |
| 655601 | FortiManager may be slow to add or remove a URL entry on web filter with a large list. |
| 656991 | FortiManager should not allow VIP to be created with same IP for External IP and Mapped IP Address. |
| 659296 | FortiManager may take a lot of time to update web filter URL filter list. |
| 660483 | IPS signatures may not match between FortiGate and FortiManager. |
| 663109 | FortiManager should not allow a user to select a profile group in a flow-based policy that uses a proxy-based feature. |
| 666258 | User should not be able to create a firewall policy with an Internet service with Destination direction in Source by using drag and drop. |
| 670061 | FortiManager does not report error when an unsupported FQDN address format is created. |
| 675509 | FortiManager may randomly set IPv4 IP Pool object to overload. |
| 677528 | Address object search may not display the address group which contains the searched object within the group. |
| 679282 | Editing a global object in an ADOM is not possible and generates an error, "undefined is not iterable". |
| 682356 | FortiManager may not be able to map normalized interface. |
| 684081 | Policy Check and Find Unused Policies may not work for FortiGate in Policy-Based mode. |
Revision History
| Bug ID | Description |
|---|---|
| 606737 | User may not be able to install policy package due to change with external interface with VIP settings. |
| 618305 | FortiManager changes configuration system csf settings. |
| 623159 | Zone validation in re-Install Policy is not saving the user choice and deleting all related policies. |
| 635957 | Install fails for subnet overlap IP between two interfaces. |
| 664284 | FortiManager may not be able to configure SSH certificate. |
| 672609 | After import, FortiManager may prompt password error on administrator during install. |
| 674094 | FortiManager may unset explicit proxy’s HTTPS and PAC ports and change the value to 0 instead. |
| 675867 | The ssl-anomaly-log configuration may be incorrectly pushed by FortiManager when installing 5.6 ADOM policy to 6.0 FortiGate. |
| 679139 | When a policy package is shared between many firewalls, web rating override purge may fail in some scenarios. |
Script
| Bug ID | Description |
|---|---|
| 613575 | After script is run directly on CLI, FortiManager may fail to reload configuration. |
| 630016 | FortiGate user can see scripts from all ADOMs. |
| 668876 | Using CLI script to create SD-WAN with auto-numbering, edit 0, may not work. |
| 668947 | Changes using CLI Script may not be applied to devices in the container or folder. |
Services
| Bug ID | Description |
|---|---|
| 567664 | HA secondary device does not update FortiMeter license. |
System Settings
| Bug ID | Description |
|---|---|
| 517964 | FortiManager may create an incorrect certificate and it cannot be deleted. |
| 579964 | FMGVM64-Cloud needs to provide GUI support for ADOM upgrade in system information dashboard. |
| 598194 | FortiManager two-factor authentication admin login is missing the option for FTK Mobile push notification authentication. |
| 614127 | FortiManager should show details in the fnbamd debug if login fails due to trusted hosts. |
| 625683 | Changes made by ADOM upgrade may not update Last Modified date/time and user admin. |
| 635181 | FortiManager is unable to delete a mail server, with the error message "used" displayed. |
| 652417 | FortiManager HA may go out of synchronization periodically based on the logs. |
| 660130 | ADOM upgrade may fail caused by invalid setting of ssl-exempt. |
| 670497 | After upgrading FortiManager, it may delete the syslog configuration. |
VPN Manager
| Bug ID | Description |
|---|---|
| 681110 | VPN manager may not push any configuration on ADOM 6.0 for dial up VPN on FortiGate. |
