Software vendor Fortinet has published a new software release for its FortiManager product, version 6.4.8. The latest update in the 6.4 family contains many fixes related to managing access points and endpoints. The vendor has resolved the problem of a lower firmware version being forced onto a FortiAP when it connects to FortiManager. The update also fixes a minor but significant problem of SD-WAN configuration elements missing from the CLI console. For more information about the update, read on below.
Currently supported models:
|FMG-200F, FMG-200G, FMG-300E, FMG-300F, FMG-400E, FMG-400G, FMG-1000F, FMG-2000E,
FMG-3000F, FMG-3000G, FMG-3700F, FMG-3700G, FMG-3900E, and FMG-4000E.
|FMG-VM64, FMG-VM64-Ali, FMG-VM64-AWS, FMG-VM64-AWSOnDemand, FMG-VM64-Azure, FMG-VM64-GCP, FMG-VM64-HV (including Hyper-V 2016, 2019), FMG-VM64-KVM, FMG-VM64-OPC, FMG-VM64-XEN (for both Citrix and Open Source Xen).
|Where Used should indicate that an AP is still in use on one or more FortiGate devices.
|SSID with MPSK may not pass verification during an install.
|Firmware upgrade fails for FortiAP 421E from FortiManager.
|Deleting Floor Map may return a blank pop-up with error.
|Importing SSID with optional VLAN ID set creates incorrect per-device mapping.
|FortiManager should enable DFS channels on WTP profiles for FAP234F and FAP231F with region N.
|AP Manager should not send local-authentication for VAP with wpa-enterprise and Radius to managed FortiGate.
|FortiManager might downgrade FortiAP with enforce firmware version.
|AP profile may not contain SSID when AP Manager is in central management mode.
|5GHz DFS channels on AP Profile were not supported for FAP U231F.
|FortiManager should not install the setting, set security-redirect-url, without making any such change.
|FortiManager may try to delete default wtp 11ac-only profile on FortiWiFi-60F causing install to fail.
|FortiManager was deleting wireless-controller wtp and the objects referenced by wtp during the first installation after the upgrade.
|After a FortiAnalyzer Fabric ADOM is added to FortiManager, the Device Manager's Log Status, Log Rate, or Device Storage column cannot get data from FortiAnalyzer.
|FortiManager sets incorrect captive-portal-port value when installing v6.0 Policy Package to v6.2 devices.
|Where Used may not work for IPsec Phase 2 allowing users to delete used objects.
|FortiManager may take too much time to send SLA updates to over thousands of FortiGate devices.
|SD-WAN Rules order changes to the default when creating a rule and moving it to the top.
|The Client Address Range setting should allow users to configure assign-IPs from firewall address or group.
|FortiManager does "auto-retrieve", causing all policy package statuses to go "unknown" after a new VDOM is created on FortiGate.
|SD-WAN’s priority-members is missing from CLI configuration page.
|Once VRPP instance is created, user should be able to edit or delete it.
|System template should allow source interface to be selected when specify is activated as interface-select-method.
|FortiManager does not allow WiFi SSID with special characters.
|It may not be possible to rename device zone.
|Importing policy package shows ngfw-mode policy-based with the inspection-mode set to proxy.
|Meta Field is not translating values with spaces into correct scripts.
|A managed FortiGate with assigned CLI template remains in "modified" state following a successful device configuration installation.
|FortiManager is missing peer options with dial up user configuration with VPN IPSec Phase 1.
|CLI Template cannot add system DNS database entries if "set domain" contains the underscore character ("_").
|FortiManager may incorrectly display "Object already exists" message while creating a new Hardware Switch interface.
|Clock format option no longer works to format date in TCL scripts.
|FortiManager cannot edit global level configuration when management VDOM is not in the current ADOM.
|During zero-touch provisioning with "Enforce Firmware Version" enabled, the upgrade task may hang if the connection is reset during the image transfer.
|When editing a device group, search results do not show the device if VDOM name is matched by search keyword first.
|When creating a new CLI Group Template and trying to add members to it, users cannot select other "CLI Group Templates" that are already created.
|SD-WAN monitor widget may not be loaded when multiple performance SLAs are added.
|When revision history is very large, FortiManager may not be able to retrieve configuration.
|Secondary IP may be purged when setting a description to VLAN interface.
|Device & Groups > VPN Phase1/Phase2 does not show the proposal column when using FGT-VM type "FGVMIB".
|Interface Bandwidth widget on FortiManager under Device Manager does not display any data for FortiGate.
|FortiManager’s GUI does not show the virtual-switch ports as interface members for Hardware switches.
|After exporting a system template, importing the same configuration via CLI may fail.
|FortiManager GUI throws an error when switching from Policy & Objects to Device Manager.
|There may be a performance issue when onboarding new SD-WAN devices.
|When FortiAnalyzer is managed via FortiManager, new devices that are registered to FortiManager should be synchronized under the corresponding ADOM on FortiAnalyzer.
|Named Address Static Route with SD-WAN cannot be selected on FortiManager.
|SD-WAN logs cannot be saved for some devices when sdwan-monitor-history is set as enabled.
|Under System > Interface, the data shown on this page may be incomplete.
|FortiManager may fail to import device list from another FortiManager due to the meta field containing prefix "_meta_".
|Provisioning Template with empty name cannot be deleted or edited.
|FortiManager may be unable to show SD-WAN monitor data when the rtmmond daemon is stuck.
|FortiManager should also count promoted hidden devices.
|Zero-touch provisioning with script installation may fail due to duplicated snmp-index.
|When creating a device zone, device mapping may not be created when the zone is mapped to a normalized interface with the 'map as zone only' option.
|When creating EMAC VLAN from Device Manager, FortiManager should show VLAN ID field.
|Device Manager may not be able to delete FortiGate-7000E HA cluster members.
|When creating a Static Route, FortiManager may take a few seconds to display available "Named Address".
|Installation fails due to configuring forward-error-correction on FGT’s interfaces.
|FortiManager is unable to use secondary IP as source IP in DNS database.
|FortiManager is unable to install the switch controller > VLAN interface configuration during the ZTP process.
|FortiToken provision button is grayed out in Device Manager while it is enabled on FortiGate with the same token.
|When sdwan-monitor-history is enabled, replace last 5 minutes with last 10 minutes.
|FortiManager cannot install TCP-connect using Random port for SD-WAN.
|Administrative user GUI-dashboard information should be deleted upon VDOM deletion.
|Error Probe Failure has been observed when adding FortiAnalyzer to FortiManager.
|Unable to add multiple DNS domain names in Provisioning Template.
|The install fails with verification failure displaying to try deleting the LAN interface members.
|Clicking OK to import FortiSwitch Template results in no response.
|FortiSwitch monitor may show incorrect interface status for QSFP port.
|FortiManager should not update trunk-member value as it is controlled by FortiGate.
|FortiManager should not save invalid default value for ssl-ssh-profile in global database.
|Threat feeds global objects are not installed to destination ADOM when using the assign all object option.
|Automatic install to ADOM devices may fail from Global ADOM.
|Copying global firewall policy may fail due to duplicate IPS sensors.
|FortiManager should not allow users to delete the default reserved address objects whose names start with "g-".
|"srcintf" selector in Traffic Shaping Header or Footer Policy may not work in Global ADOM.
|FortiManager should show clear error message for duplicated object assigned from Global ADOM.
|FortiManager may randomly delete FortiManager IPv4 policies when assigning from the Global ADOM.
|FortiManager may return an error when adding address object to global policy.
|FortiManager should allow users to configure the list of allowed TLS cipher suites.
|Assigning device to system template may not work via JSON when FortiManager is in workspace mode.
|FortiManager should be able to assign VLAN interface to FortiExtender.
|Under some conditions, disk usage may reach 100% after a few days.
|Web service with port 8080 disabled may still be in listening state.
|FortiManager may show multiple fmgd crashes with signal 11 segmentation fault.
|Users may not be able to log in from the GUI after restoring a database with a changed HTTP or HTTPS port number.
|Users should be able to obtain status of the FGFM reclaim-dev-tunnel via API call.
|Retrieve task may fail because the autoupdate file has already been deleted by FGFM.
|FortiManager may return an error when running an Ansible script to configure network interfaces, zones, and policies.
|If a VDOM is created and the VDOM information is then retrieved via the JSON API, the VDOM mode may be shown as NULL.
|FGFM tunnel may go up and down with multiple fgfmsd crashes.
|fgdsvr process may crash when URL length is longer than 1024 characters.
|Execution of integrity check may remove dynamic mappings.
|FortiManager Pay-As-You-Go should support connect to FortiCare via proxy.
|Map should use the region defined by the coordinates in System Settings’ Advanced Settings or the FortiManager’s time zone.
|FortiManager may not be able to upgrade ADOM from 6.2 to 6.4 due to cdb crash.
|There is a Criteria Latency field which is different between FortiGate and FortiManager when creating the manual interface option for SDWAN rules.
|System NPU values may be different between FortiManager and FortiGate-1801F.
|FortiManager lock/commit operation is very slow when FortiManager HA is enabled.
|Fabric View may keep loading.
|Verification fails for the default dnsfilter profile because "set category 0" is wrongly installed.
|'Thread Feeds' should be 'Threat Feeds' on Fabric Connector.
|Load-balance type VIP cannot be displayed and saved correctly.
|FortiManager is unable to create VIPv6 virtual server objects.
|Search by CVE may not work for both IPS Signatures and IPS Filters.
|Imported SDN Connector Objects may change to random names.
|SSH and MAPI should not be supported in file filter profile protocol under flow mode.
|Hit count, first used, and last used may not get updated on FortiManager.
|Multiple filters are missing for Azure SDN Connector.
|When checking the status of an AntiVirus profile, the list view may not show the correct inspection mode; the status stays at "flow-based (Full Scan)".
|FortiManager returns an error, "method failure", when setting a shaping profile in a normalized interface using per-device mapping.
|FortiManager doesn't update the "Hit Count" number.
|Hyperscale firewall EIF shall not be enabled when IP pool with CGN overload configuration is used in a policy.
|"Proxy Policy" page shows empty when the "View Mode" is selected as "Interface Pair View".
|When modifying IP address of Default VPN Interface of spoke in Device Manager, hub remote gateway should be modified to reflect that change.
|SSL-SSH profile may display incorrect options when using SSL Certificate Inspection.
|Installing a policy requires Interface Validation for interfaces that are not used in the policy package.
|Unused policies tool may always generate a PDF containing all policies.
|FortiManager may miss some Internet Service entries.
|Non-full admin users should be able to export Policy Check and Unused Policy results.
|FortiManager displays the group ID instead of display name with NSX-T Connector.
|FQDN type firewall address object can be created with an unsupported format.
|Special characters within a policy's comment cause all policies to go missing in the GUI.
|Custom IPS Signature script may fail to run on policy package or ADOM database.
|NPU log servers for hyperscale does not show up in policy package.
|Proxy policy does not accept configuration with both ipv4 and ipv6 address objects.
|Installing or importing IPS custom signature may fail when a signature’s name contains a space character.
|FortiManager may not be able to retrieve IP address for group with NSX-T v3.1.2.
|FortiManager may try to install undesirable changes to FortiGate-5001E, FortiGate-5001E1, and FortiGate-5001D.
|FortiManager GUI may not respond when triggering the policy package install wizard under Policy & Objects.
|Column filter may be extremely slow with a large policy package.
|Where Used should show the correct object references for newly cloned objects.
|FortiManager filters should work for Hit Counters, First Session, and Last session.
|Cloning of a policy package is grayed out for admin users with restricted access to a particular policy package folder.
|Filtering by hit count may not work for policies.
|"Where Used" may result in an empty top left frame for policy packages.
|FortiManager does not have the same profiles as on FortiGate with explicit proxy policy.
|There may be issue with Transparent Web Proxy when using interface pair view.
|FortiManager should not allow users to create Explicit proxy FTP with pool name.
|IPv4 policies in a policy block may be hidden in FortiManager's GUI.
|FortiManager may try to install hidden synproxy parameters for DOS policy to FortiGate.
|custom-url-list may not be correctly parsed when URLs contain space characters.
|If FortiGate allows selecting LogMeIn app using specific filter override, FortiManager should also allow it.
|User may not be able to save changes in SSL/SSH inspection profile from GUI.
|There may be install performance issue when there is a huge number of dynamic mappings and there are many FortiAP or FortiSwitch devices.
|Editing a global user FSSO object’s dynamic mapping is not possible.
|Export to Excel when filters are applied for a policy package does not work.
|FortiManager should be able to manage valid authentication rules containing "User-Agent" proxy address.
|FortiManager may not respond when adding a firewall address or group to a policy and changing the policy comment at the same time.
|Policy package status is out of sync without changes.
|Plus "+" sign should be added for SMS phone number when two-factor FortiToken Cloud is enabled.
|FortiManager should support more than one thousand traffic shapers.
|FortiManager database contains parameter webfilter-searchengine-Baidu-gb2312 that does not exist on FortiGate.
|FortiManager should be able to delete many per-device mappings quickly.
|When a policy package is in policy-based NGFW mode, FortiManager may still set the action to accept even when the policy is specified as deny.
|Deleted objects may remain referenced in firewall policy.
|Adding custom signature with '_vdom-name' should not prevent pushing changes to numerous devices.
|Hyperscale policy packages do not show log server until you get into a policy.
|Policy Hit Count may not be updated for Read-Only admin.
|Selection for user SAML as member under the user group may not take effect.
|Where Used may not report used objects properly.
|FortiManager displays an error when using "push to install" for objects utilized by policy blocks.
|Changing Action from Accept to Deny should ignore all UTM profiles within the firewall policy.
|FortiManager is unable to import or create virtual server with real servers using the same IP but different "http-host".
|Right-click menu to add object may return an error: "cgn-resource-quote:out of range".
|Policy lookup may not work if the managed devices are in Transparent mode.
|There may be slowness when using Find Duplicate Objects with Merge tools.
|Address group changes for per-device mapping does not apply to FortiGate when Address group is used in policy route.
|Users may not be able to export firewall header and footer policies to Excel.
|There may not be empty lines in "IPS Signature and Filters".
|Installation fails because the virtual-wan-link did not exist.
|Created time doesn’t indicate AM or PM on the Tools > Find Unused Policies.
|FortiManager changes configuration system csf settings.
|Copy may fail due to VIP overlapping when installing policy package.
|FortiManager may disable the „l2forward” and „stpforward” settings on virtual switch interface when installing policy package.
|When installing from FortiManager, it may unset comment, organization, and subnet-name during install.
|FortiManager may unset explicit proxy’s HTTPS and PAC ports and change the value to 0 instead.
|Installation may fail after editing or creating a firewall policy if reputation-minimum is set.
|FortiManager should not unset the value forward-error-correction with certain FortiGate platforms.
|FortiManager 6.2 ADOM may be sending set synproxy to FortiGate-1801F.
|If VIP address’s source-filter list is too long, installation may fail.
|After removing a member of a user group that is used only in XAUTH, FortiManager does not delete the unused local user on FortiGate.
|After upgrading to 6.4, retrieve from a chassis may take a long time.
|When customer is trying to push policy package to a device group, installation window may not show any progress but a red cross.
|Install always tries to delete hardware switch member interface, causing installation failure.
|After upgrade, installation may fail due to mcast-session-counting.
|Installation may fail due to VIP’s mapped IP as a range with two identical IP addresses.
|FortiManager should install changes applied on Global policy package and not indicate warnings like "no installing devices/no changes on package".
|Install fails when new transparent mode VDOM is added directly via FortiGate CLI and imported into FortiManager.
|FortiManager may try to delete thousands of policies during install.
|GCP project name must be set during install.
|Install may fail with unset MAC address on EMAC VLAN.
|When modifying a configuration and installing Device Setting only, FortiManager may not display the device's configuration change.
|After upgrading FortiManager, policy install verification may fail with Config status changing to Conflict due to an invalid default value for log memory filter.
|FortiManager may not be able to install policy package with firewall rule using VIP group due to zone binding.
|FortiManager may try to delete interfaces lan1, lan2, and lan3 which are used by virtual-switch.sw0 on FortiGate-40F.
|Explicit proxy FTP ssl-ssh-profile application-list may not be installed.
|FortiManager should not set the HA interface IP under the central-management on FortiGate when the master unit fails.
|If a device revision is corrupted, FortiManager may not be able to remove or create any revision.
|FortiGate-5001E, FortiGate-5001E1, and FortiGate-5001D may be mistakenly set to support switch-profile.
|Users may not be able to create hardware switch interface from FortiManager.
|Renaming IPSec Phase1 that is member of a zone causes all zone related rules to be re-created.
|Application Control signatures belong to Industrial Category are removed from FortiGate in split mode during policy install.
|After disabling NAT on a hyperscale policy, there may be an installation failure on unset action.
|FortiManager may show admin with no password when adding a new VDOM to FortiGate-2200E/2201E.
|FortiManager may unset chassis ID causing HA cluster lost.
|There may be install issue with Web Filter’s „config ftgd-wf” which does not exist on NGFW policy mode on FortiGate.
|FortiManager should not create a new wildcard FQDN object while renaming it.
|FortiManager may unexpectedly delete custom signature when installing policy package.
|Filter does not work on device group.
|Users need to open "View Script Execution History" to see that a TCL script fails.
|Direct CLI script may fail when it contains an 'exec' command.
|When running CLI script remotely on 100+ firewalls, partial configuration is retrieved and it may cause routing to be removed from device database.
|When creating a new phase1 interface, dpd=on-idle settings may not be saved.
|TCL scripts fail to run if the admin's password is longer than 36 characters.
|FortiManager should be able to use custom certificate for the update related services.
|FortiAP firmware may not be listed and cannot be imported.
|FMG-VM64-AWSOnDemand may not retrieve the proper license when it is behind a proxy.
|FortiManager may not log FortiGuard connectivity failures.
|AP upgrade task may hang at 45%.
|Numerous 'svc cdb reader' processes reaching 100% CPU utilization.
|If a user specified ADOMs including global ADOM, workflow approval may not be able to find the same user.
|Backup that includes IPSec VPN cannot be restored.
|FortiManager is removing SD-WAN field description upon ADOM upgrading from 6.2 to 6.4.
|FortiManager may generate a lot of "cdb event log for object changed" event logs.
|Template assignment or save may not generate clear Event logs.
|Scroll bar is missing from device drop-down list on ADOM overview page.
|ADOM license count should not count root ADOM.
|Nested group search fails with "Bad search filter" if the user DN contains characters like "," and "()".
|Admin User with no access to management ADOM or VDOM can create a new VDOM from non-management ADOM > VDOM.
|FortiManager upgrade should not have warning when there is no upgrade path.
|The "svc sys" daemon may have high memory usage when the API is used to upgrade FortiGate devices.
|When creating a local account with the "Force this administrator to change password upon next log on" option checked, the setting should be applied for the first login.
|FortiManager should support using the special character "@" in SNMP community name.
|ADOM upgrade from 6.0 to 6.2 may fail due to FortiExtender object.
|Remote authentication servers should not be synchronized among HA members.
|Event log may be truncated when the log contains many address objects.
|FortiManager may continuously change NTP synchronization server.
|Users may not be able to disable ADOM via GUI or CLI.
|User may not be able to disable ADOM after upgrade.
|LDAP may get stuck for twenty seconds if the LDAP server is not responding.
|Setting a Cluster ID for a model HA cluster results in an invalid group ID under config system ha.
|Two factor authentication fails when special characters are used in CN.
|FortiManager may not generate event logs for meta field changes.
|Script Groups should be copied with their members when cloning an ADOM.
|When the number of registered FortiGate devices is at the upper limit of the license count, HA may become unsynchronized.
|idle_timeout under admin’s setting is not converted properly after performing the upgrade.
|Applying Authentication or Portal Mapping changes may take several minutes.
|FortiManager may purge mac-addr-check-rule when installing to FortiGate.
|Cloned VPN Phase1 interface may have several different parameters than the original interface.
|Removing a spoke or hub from VPN community may result in partial configuration removal.
|VPN monitor may not display correct information when FortiManager is in advanced ADOM mode.
|Policy package should be pushed to VPN hubs without the error "interface IP is 0".
Visit https://fortiguard.com/psirt for more information.
|FortiManager 6.4.8 is no longer vulnerable to the following CVE-Reference:
|Browser may display a message, 'A webpage is slowing down your browser', while checking revision difference.
|FortiManager should highlight device consisting of specific IP address under Fabric View.
|When an obsolete internet service is selected, FortiManager may show entry IDs instead of names.
|FortiManager should not allow VIP to be created with same IP for External IP and Mapped IP Address.
|CLI Only Objects may not be able to select FSSO interface.
|FortiManager may not display the correct number of firewall address objects while adding the objects to DoS policy.
|FortiManager may not differentiate between the ISDB objects "Predefined Internet Services" and "IP Reputation Database".
|Rule list order may not be saved under File Filter Profile.
|Fabric SDN Connector is installed on FortiGate even if it is not in use.
|FortiManager cannot install ISDB object 'Microsoft-Intune'.
|FortiGate firmware upgrade via FortiManager may break FortiGate HA cluster.
|FMGVM64-Cloud needs to provide GUI support for ADOM upgrade in system information dashboard.
|IPSec VPN Authusergrp option "Inherit from Policy" is missing when setting xauthtype as auto server.
|When install a policy package, per device mapped object used in SSL VPN cannot be installed.
Vendor release notes: FortiManager 6.4.8