Fortinet has just released the latest update of its FortiManager product, version 6.4.4. Among other things, the new version resolves the problem of FortiSwitch not working properly in NAC switchport access mode, as well as the FortiManager dynamic object filter generator adding an "s" at the end of the tag, which left the object non-working. It also fixes FortiManager not displaying the default certificate under SSL/SSH Inspection within a policy. For more details on the new software version, read on.
|DFS channel list in WiFi template is inconsistent between FortiManager and FortiGate.
|FortiManager should be able to classify Rogue FortiAPs.
|FortiManager may not be able to install mpsk-key from AP Manager.
|No available interface can be selected when authorizing FortiExtender.
|CLI Template should not prevent the lan interface from being deleted once all the dependencies have been removed.
|Device Manager > System > Interface may not be able to delete SSID interface.
|FortiManager cannot cooperate with socket-size 0 and changes it to 1 automatically.
|Importing a policy may report a conflict for the default SSH CA certificates.
|After auto link, FortiGate HA cluster members have the same hostname.
|Policy look-up shows an error even though the device is in sync.
|FortiManager may not be able to configure VDOM property resources setting.
|SD-WAN > Monitor may hang for an ADOM with 1500 devices.
|Installation may fail for FortiGate-600D.
|FortiManager should not modify IPv4 addressing mode when IPv6 addressing mode is changed.
|VDOM count is not correct when vdom-mode split-vdom is configured on FortiGate with VM0xV license.
|FortiManager device delete process may hang.
|FortiManager may lose connection and fail to install after FortiGate HA switches roles.
|FortiManager is unable to clone SNMP Community under System Templates.
|When importing policies that contain policy block or global policy, the import wizard should give a warning that those policies will not be imported.
|The auto-join-forticloud configuration may cause out-of-sync status.
|A user with full read/write DVM privileges should be allowed to see and modify the System Provisioning Templates.
|GUI returns no warning when 4-byte AS or invalid community is being configured on Standard community.
|Device Manager may display No entry found and rtmmond and security console crashes.
|FortiManager does not create dynamic mapping for address group causing an import failure.
|SD-WAN monitor stuck at loading when admin profile is set to Read-Only for SD-WAN.
|FortiManager does not allow the user to configure FortiGate admin password longer than 32 characters.
|FortiManager should be able to configure IPSec Phase2 selector using the same IP range.
|FortiManager should allow more than ten incoming source interfaces for policy routing decision.
|View Config, View Install Log, and Revision Diff in workspace mode should not be greyed out when ADOM is unlocked.
|FortiManager may unset interface weight in SD-WAN when installing within 6.0 ADOM.
|SD-WAN Rules order changes to the default when creating a rule and moving it to the top.
|When creating a policy, all the vwpare names are displayed and not only the names from the installation target.
|FortiManager sends unset entry-id if FortiGate implements NAC access-mode at FortiSwitch switchport level.
|FortiManager should add support for set use-shortcut-sla option in SD-WAN rules.
|Interface speed is incorrectly set on port group due to missing aggregate membership verification.
|Install may fail when changing FortiGate admin password from FortiManager.
|FortiSwitch template and VLAN shall appear for firewall policy creation.
|FortiSwitch template is not working properly in switchport NAC access-mode.
|When installing a global policy, FortiManager may delete policy routes and settings on an ADOM.
|Assigned header policy from the global ADOM shows up on excluded policy package.
|Promoting the Profile Group object should not promote the default Protocol option.
|After upgrade, install may fail if a FortiGate was assigned to a system template.
|FortiManager may consume high memory usage by the svc sys daemon.
|ADOM restricted access user is able to pull Device Manager information from ADOMs via JSON API.
|FortiManager may consume high CPU resource when locking ADOM or loading policy.
|FortiManager configuration file size may be large due to a bulk of resync files.
|When checking unused policy, implicit policy information is not included.
Policy and Objects
|Bug ID
|Users cannot search address in policy where the address is a part of a nested group.
|FortiManager does not show the default certificate under SSL/SSH Inspection within policy.
|FortiManager GUI should not allow creating Security Profiles without any SSL/SSH Inspection Profile defined.
|Exporting policy package to Excel may not work.
|FortiManager may not be able to create new wildcard FQDN type address to FortiGate 6.2.
|FortiManager is missing device-type option for custom device dynamic mapping.
|Users may not be able to edit firewall policy due to session-ttl:out of range in v5.6 or v6.0 ADOM.
|FortiManager shows incorrect country code for Cyprus under User definition.
|FortiManager is missing the SSH protocol in DLP filter.
|FortiManager is unable to display summary of policy package diff for VDOM with a long name.
|FortiManager dynamic object filter generator is adding an "s" at the end of tag resulting in non-working object.
|After adding and removing Security Profile, the policy Security Profile changes from no-inspection to empty.
|The GUI hangs in loading when trying to apply changes made to Anti Virus profile.
|The URL remote category, FortiGuard Threat Feed, is not available in the drop down menu for Proxy Address.
|Kubernetes SDN connector may show less options than on FortiGate.
|Without selecting security profile group on proxy policy, FortiManager should fail the install with a proper error message.
|Web URL Filter is deleted when URL Filter option is unchecked under the Web Filter Profile.
|FortiManager may freeze when editing the comment field on a policy package with many policies.
|Install may hang at 75% when no VLAN interface is configured for fsp managed-switch.
|Install may fail due to web filter profile in flow mode with setting changes available in proxy mode only.
|There is no Decrypted Traffic Mirror option in a policy when only one port mapping is enabled in Full SSL/SSH Inspection.
|Search box for address may not always work.
|Global object assignment may not work.
|Internet Service Group should give an error or a warning when the direction setting is not the same.
|Decrypted Traffic Mirror setting is not being removed from policy after changing the SSL Inspection method.
|FortiManager is not able to push dynamic objects to FortiGate after receiving the configurations from NSXT connector.
|Policy package install may stall and fail due to high memory usage.
|Full SSL/SSH Inspection profile’s Invalid SSL Certificates setting is not taking effect when Inspect All Ports is selected.
|FortiManager may not be able to edit proxy addresses objects.
|Local web category override is not installed if web filter is part of policy block package.
|Policy check may show negative values.
|Deleting an override entry should trigger modified status for policy packages with FortiGuard Category Based Filter enabled within web filter profile.
|Firewall VIP hover-over popup should not show ports when port forwarding is disabled.
|FortiManager may always configure empty application parameter values.
|IPS Profile is not able to set to action "Monitor" in the signature filter.
|Devices are evicted from Installation target after authorizing a new device.
|Having changed an IPS profile on the security profile, the change is not visible when editing the policy again.
|Bug ID
|FortiManager attempts to change Chassis ID on FortiGate 7000 series when installing configuration.
|Installation may fail for FortiGate 6.2 within ADOM 6.0 due to configuration changes with virtual-wan-link member weight and volume-ratio, and internet-service-ctrl.
|Installation fails when installing global v6.2 IPv4 policy to v6.4 FortiGate.
|Install may fail with delete metadata-server error.
|When installing from FortiManager, it may unset comment, organization, and subnet-name during install.
|FortiManager may try to purge all web rating override entries.
|Default value of global: system npu ip-reassembly:max-timeout NPU setting in ADOM 6.0 for FortiGate-1800F should be changed to 10000 to avoid Conflict status.
|When a policy install is performed, Install preview shows a lot of firewall policies with metafield changes without any actual changes having been made.
|With traffic shaper in Mbps or Gbps, FortiManager should convert it to Kbps if installation target is non 64 bits FortiGate model.
|The LDAP port value remains 636 on device database and FortiManager is not accepting custom port number via CLI script.
|Hide or show license expired devices may not work.
|FortiManager installs the latest IPS and application control signatures on managed device despite the To Be Deployed Version is configured.
|FortiManager may return invalid license to FortiMail and cause AntiSpam license to expire.
|FortiManager should count FMGC expired device number.
|TACACS is unable to assign multiple ADOMs to admins.
|FortiManager prompts an error while importing CA certificate.
|Changes to trusted IP are not saved and installed.
|While FortiAnalyzer model is disabled, FortiManager may fail to create an ADOM due to over size with disk quota.
|Users may not be able to access Java console with an error message: "Too many concurrent connections."
|HA may crash when upgrading.
|Firewall addresses may not be visible in the GUI after upgrading FortiManager.
|FortiManager may show errors on "dynamic_mapping.local-int" during upgrade.
|After upgrade, FortiGate VDOM that contains a FortiToken user cannot be managed anymore, and policy install generates an error.
|Upgrading ADOM from 6.2 to 6.4 may fail due to replacement message.
|FortiManager is not able to identify ADOMs that are locked by non-super user administrators.
|In VPN Manager > Monitor, selecting a specific community from the tree menu to show only that community’s tunnels causes the monitor page to display a white screen.
|There is no XAUTH USER column in VPN Manager Monitor.
|SSLVPN > Edit SSLVPN Settings > IP Range, only shows configuration from ADOM database objects.
|VPN Manager with VPN zone feature disabled may trigger policy copy failure.
|FortiManager is unable to edit an SSL portal in VPN Manager containing "/" special character.
|The dns-suffix on SSL VPN portal is not installed if web-mode is disabled.
|There may be DFS Channel mismatch between FortiManager and FortiGate for FAP-223E.
|DHCP server is incorrectly created for Bridge SSID.
|SSID may be empty in AP Manager> WiFi Profiles> SSID column.
|Monitor > Map View may fail if proxy is enabled.
|When creating a new interface for a VDOM, FortiManager may list interfaces that may belong to another ADOM.
|FortiManager CLI Configuration shows incorrect default wildcard value for router access-list.
|Install wizard may show a blank area when scrolling down the wizard to select device(s).
|FortiManager may not be able to edit VDOM link interface from VDOM level.
|FortiManager may not follow the order in CLI Script template.
|Configuration status may be shown as modified after adding FortiGate to FortiManager.
|After auto-conf IPv6 address is changed on FortiGate, the address is not updated into device database.
|Retrieve may fail on FortiGate cluster with Failed to reload configuration. invalid value error.
|Fabric view may be stuck at loading.
|FortiManager is unable to configure FortiSwitch port mirroring.
|SD-WAN monitor may be stuck loading when admin user belongs to device group.
|FortiManager may fail to add another FortiManager in Fabric ADOM.
|FortiManager should be able to provision CLI-template, SD-WAN-template, and Policy Package together to the model device.
|FortiManager should be able to identify and show default SSL-SSH profile as read-only profiles.
|Device Manager system interface should not allow duplicated secondary IP address.
|FortiManager needs IPv6 support on Syslog server setting.
|FortiManager is not reflecting proper admintimeout value in CLI only object.
|BGP Neighbors table does not have height limit and vertical scroll bar.
|GUI should generate error message when using invalid IP address or special characters in interface name.
|Install fails when creating a new DHCP reservation due to missing MAC address.
|When creating an API admin from CLI Configuration, trusted host section is missing.
|SD-WAN template > SD-WAN Rules options for Load Balance Mode do not match those on FortiOS.
|FortiManager may not be able to import policy with interface binding contradiction on srcintf error.
|Host Name is truncated when name has more than 31 characters.
|Customized system dashboard may disappear after a while.
|After FortiSwitch is added, running a script to provision may fail.
|FortiManager may fail to upgrade two FortiSwitch devices at the same time.
|User should not be able to delete global object when ADOM is not locked.
|Flag is_model and linked_to_model are not working for add model device with JSON API.
|Rebuilding the database may never start when FortiAnalyzer mode is enabled.
|The diagnose cdb upgrade check +all command may unset defmap-intf.
Policy & Objects
|FortiManager is unable to see dynamic mapping for Local Certificate if workflow session is created.
|FortiManager is unable to create VIPv6 virtual server objects.
|FortiManager may add unexpected IPv6 address to IPv6 address field when deleting ::/0.
|NAT option is missing from Central NAT policy package.
|Firewall policy and proxy policy cannot select IP type external resource as address.
|FortiManager is missing IPV6 none values after modifying policy.
|FortiManager is constantly changing UUID for firewall address object.
|Some application and filter overrides are not displayed on GUI.
|FortiManager is unable to import firewall objects of fsso fortiems-cloud user due to Server cannot be empty.
|When an obsolete internet service is selected, FortiManager may show entry IDs instead of names.
|FortiManager may be slow to add or remove a URL entry on web filter with a large list.
|FortiManager should not allow VIP to be created with same IP for External IP and Mapped IP Address.
|FortiManager may take a lot of time to update web filter URL filter list.
|IPS signatures may not match between FortiGate and FortiManager.
|FortiManager should not allow a user to select a profile group in a flow-based policy that uses a proxy-based feature.
|User should not be able to create a firewall policy with an Internet service with Destination direction in Source by using drag and drop.
|FortiManager does not report error when an unsupported FQDN address format is created.
|FortiManager may randomly set IPv4 IP Pool object to overload.
|Address object search may not display the address group which contains the searched object within the group.
|Editing a global object in an ADOM is not possible and generates an error, undefined is not iterable.
|FortiManager may not be able to map normalized interface.
|Policy Check and Find Unused Policies may not work for FortiGate in Policy-Based mode.
|User may not be able to install policy package due to change with external interface with VIP settings.
|FortiManager changes configuration system csf settings.
|Zone validation in re-Install Policy is not saving the user choice and deleting all related policies.
|Install fails for subnet overlap IP between two interfaces.
|FortiManager may not be able to configure SSH certificate.
|After import, FortiManager may prompt password error on administrator during install.
|FortiManager may unset explicit proxy’s HTTPS and PAC ports and change the value to 0 instead.
|The ssl-anomaly-log configuration may be incorrectly pushed by FortiManager when installing 5.6 ADOM policy to 6.0 FortiGate.
|When a policy package is shared between many firewalls, web rating override purge may fail in some scenarios.
|After script is run directly on CLI, FortiManager may fail to reload configuration.
|FortiGate user can see scripts from all ADOMs.
|Using CLI script to create SD-WAN with auto-numbering, edit 0, may not work.
|Changes using CLI Script may not be applied to devices in the container or folder.
|HA secondary device does not update FortiMeter license.
|FortiManager may create an incorrect certificate and it cannot be deleted.
|FMGVM64-Cloud needs to provide GUI support for ADOM upgrade in system information dashboard.
|FortiManager two-factor authentication admin login is missing the option for FTK Mobile push notification authentication.
|FortiManager should show details in the fnbamd debug if login fails due to trusted hosts.
|Changes made by ADOM upgrade may not update Last Modified date/time and user admin.
|FortiManager is unable to delete mail server with error message used displayed.
|FortiManager HA may go out of synchronization periodically based on the logs.
|ADOM upgrade may fail caused by invalid setting of ssl-exempt.
|After upgrading FortiManager, it may delete syslog configuration.
|VPN manager may not push any configuration on ADOM 6.0 for dial up VPN on FortiGate.
Vendor release notes: FortiManager 6.4.4