Software vendor Fortinet has released an update for FortiManager, version 7.0.2. The latest release contains many fixes for issues in previous versions as well as a few interesting new features. This version fixes a problem that caused FortiManager to randomly delete FortiManager IPv4 policies when assigning from the Global ADOM. It also resolves slow FortiManager performance when multiple users were using the GUI at the same time, and the crashing AP upgrade tasks that could hang at 45%. The new version also adds the ability to run FortiManager as a Docker image from Docker Hub. For more interesting details, read on.
Currently supported models:
| Product | Supported models |
|---|---|
| FortiManager | FMG-200F, FMG-200G, FMG-300F, FMG-400E, FMG-1000F, FMG-2000E, FMG-3000F, FMG-3000G, FMG-3700F, and FMG-3900E. |
| FortiManager VM | FMG_DOCKER, FMG-VM64, FMG-VM64-AWS, FMG-VM64-Azure, FMG-VM64-GCP, FMG-VM64-HV (including Hyper-V 2016, 2019), FMG-VM64-KVM, FMG-VM64-OPC, FMG-VM64-XEN (for both Citrix and Open Source Xen). |
FortiManager installation in Docker:
Docker image from Fortinet's Verified Publisher repository
The FortiManager 7.0.1 Docker image is available for download from Fortinet's public Verified Publisher repository on Docker Hub.
Installation instructions:
- Go to Docker Hub at https://hub.docker.com/ . The Docker Hub home page is displayed.
- On the banner, click Explore.
- In the search box, type Fortinet and press Enter. The Fortinet / FortiManager and Fortinet / FortiAnalyzer options are displayed.
- Click fortinet/fortimanager. The fortinet/fortimanager page is displayed with two tabs available: Overview and Tags. The Overview tab is selected by default.
- On the Overview tab, copy the docker pull command and use it to pull the image. The CLI command on the Overview tab points to the latest available image. Use the Tags tab to access other versions, if available.
Resolved issues:
AP Manager
| Bug ID | Description |
|---|---|
| 673020 | Creating SSID interface with central AP Manager automatically generates normalized interface name that has no default mapping configuration. |
| 702114 | FortiManager is unable to see 5Ghz Clients in Health Monitor. |
Device Manager
| Bug ID | Description |
|---|---|
| 563690 | Device Manager fails to add FortiAnalyzer that contains a FortiGate HA device with error: serial number does not match database. |
| 609859 | When installing device settings, the default name for downloaded preview file should be more identifiable for a device. |
| 637388 | System Dashboard’s time zones are not sorted within the dropdown list. |
| 638750 | Where Used may not work for IPsec Phase 2 allowing users to delete used objects. |
| 662095 | FortiManager may take too much time to send SLA updates to over thousands of FortiGate devices. |
| 665207 | FortiManager needs IPv6 support on Syslog server setting. |
| 691611 | FortiManager does auto-retrieve and causes all policy package statuses to become unknown after a new VDOM is created on FortiGate. |
| 696330 | FortiManager may change all devices to Managed FortiGate when hiding all unauthorized devices, and it cannot be switched back. |
| 696524 | Promote button task does not work and hangs, if FortiManager cannot SSH access to HA cluster. |
| 696730 | FortiManager is unable to promote Secondary FortiGate as Primary in a HA Cluster. |
| 698388 | FortiManager cannot edit or create a static route with SD-WAN returning an error. |
| 705448 | Device connection status may remain up after shutting down device port and updating device status. |
| 713833 | It may not be possible to rename device zone. |
| 714611 | Creating interface from VDOM may return No Match Found error. |
| 718184 | AutoUpdate with unset options and unset post-lang may cause device database and policy package status to display as OUT-OF-SYNC. |
| 719968 | SD-WAN Monitor should properly show the Map View of all devices. |
| 724600 | FortiManager may not be able to install static default route for SD-WAN from Static route Template. |
| 725570 | FortiManager may return device can not be empty error when creating or editing a static route on SD-WAN interface. |
| 726167 | Installing static route template may fail because interface is in another VDOM. |
| 727123 | Meta Field is not translating values with spaces into correct scripts. |
| 728655 | Configuration status may not be shown as Synchronized after installation. |
| 728687 | Policy package status may change to Modified on all FortiGate devices when a dynamic address group changes. |
| 729301 | A managed FortiGate with assigned CLI template remains in Modified state following a successful device configure installation. |
| 729606 | FortiManager should show where a Device Zone is used under Device Manager. |
| 730482 | CLI Template cannot add system DNS database entries if set domain contains the underscore character (_). |
| 731204 | FortiManager may incorrectly display Object already exists message while creating a new Hardware Switch interface. |
| 731551 | FortiManager may return error, Failed to synchronize FortiAnalyzer with current ADOM data.Fail(errno=-3):Object does not exist, when adding FortiAnalyzer devices. |
| 732246 | Clock format option no longer works to format date in TCL scripts. |
| 733076 | Model device links to real device may not work. |
| 733080 | Device status is shown as Up on GUI, even though there is no activity for the session between FortiManager and FortiGate. |
| 733934 | During zero-touch provisioning with Enforce Firmware Version enabled, upgrade task may hang if the connection is reset during the image transfer. |
| 734487 | Device’s hardware switch interface > physical interface member may not save. |
| 735106 | Delete is spelled incorrectly when attempting to delete invalid host cluster device. |
| 735402 | When creating a new CLI Group Template and trying to add members to it, it does not allow users to select other CLI Group Templates that were already created. |
| 737025 | SD-WAN Monitor widget may not be loaded when multiple performance SLAs are added. |
| 737173 | FortiManager should not unset l2tp and encapsulation with VPN phase2 interface. |
| 739369 | When revision history is very large, FortiManager may not be able to retrieve configuration. |
| 739624 | FortiManager should support FortiTester version 4. |
FortiSwitch Manager
| Bug ID | Description |
|---|---|
| 684371 | Clicking OK to import FortiSwitch Template results in no response. |
| 714174 | FortiSwitch manager DHCP reservation configuration may not synchronize correctly with FortiGate. |
| 740936 | FortiSwitch VLAN template creates unknown interface platform mapping. |
Global ADOM
| Bug ID | Description |
|---|---|
| 667197 | User should not be able to delete global object when ADOM is unlocked. |
| 725763 | Automatic install to ADOM devices may fail from Global ADOM. |
| 728803 | Copying global firewall policy may fail due to duplicate IPS sensors. |
| 736541 | NAT may stay as disabled on Global ADOM. |
| 737381 | FortiManager should not allow users to delete the default reserved address object starting with g-. |
| 745772 | FortiManager may randomly delete FortiManager IPv4 policies when assigning from the Global ADOM. |
Others
| Bug ID | Description |
|---|---|
| 505795 | FortiManager should allow users to configure the list of allowed TLS cipher suites. |
| 510508 | FortiManager cannot assign multiple ADOMs to an admin user via JSON API. |
| 697361 | FortiExtender status may not be correctly displayed. |
| 718251 | Web Service with port 8080 disabled may still be in listening state. |
| 731574 | FortiManager may not be able to change web filter category action via JSON API. |
| 732144 | A CA certificate may be missing from some older FortiManager platforms causing failure to login with FortiCloud SSO. |
| 733078 | FortiManager may show multiple fmgd crashes with signal 11 segmentation fault. |
| 733208 | Users may not be able to login from GUI after restored database with changed HTTP or HTTPS port number. |
| 736229 | API may fail to promote unauthorized devices to a different ADOM. |
| 738918 | After upgrade, FortiManager may set firewall-address 100000 on VDOM enabled FortiGate. |
| 740523 | Retrieve task may fail due to auto-update file already having been deleted by FGFM tunnel. |
| 741118 | Install policy package may hang at 50% with security console crash. |
| 742137 | FortiManager may return an error when running an Ansible script to configure network interfaces, zones, and policies. |
| 744736 | FGFM tunnel may go up and down with multiple fgfmsd crashes. |
| 746311 | fgdsvr process may crash when URL length is longer than 1024 characters. |
Policy and Objects
| Bug ID | Description |
|---|---|
| 503978 | Thread Feeds should be Threat Feeds on Fabric Connector. |
| 549492 | Load-balance type VIP cannot be displayed and saved correctly. |
| 623346 | In NGFW-policy policy package, FortiManager does not show Security Virtual Wire Pair Policy or Virtual Wire Pair SSL Inspection & Authentication. |
| 644822 | Imported SDN Connector objects may change to random names. |
| 648970 | If a profile group enables WAF or ICAP profile, the group should be hidden in flow-based policy. |
| 657534 | SSH and MAPI should not be supported in file filter profile protocol under flow mode. |
| 666258 | User should not be able to create a firewall policy with an Internet service with Destination direction in Source by using drag and drop. |
| 690231 | Where-used may fail to display references to certificate-inspection that were added to firewall policies in previous versions. |
| 690295 | FortiManager may be slow when multiple users access GUI at the same time. |
| 699975 | Multiple filters are missing for Azure SDN Connector. |
| 709908 | When checking the status on AntiVirus profile, it may not show the correct inspection mode in list view when status stays in flow-based (Full Scan). |
| 710676 | System replacement message group, replacemsg-group auth-intf-quarantine, does not exist. |
| 710736 | Classic Dual Pane mode cannot change left-panel size of object configuration. |
| 714975 | Imported groups or labels may not be available for direct use with policy. |
| 716114 | FortiManager should push changes in ssl-ssh-profile with Untrusted SSL Certificates setting reverted from Block to Allow. |
| 719698 | Performance for policy install may be slightly degraded after upgrading from 6.4.5 to 6.4.6. |
| 720896 | SSO admin with Restricted Admin profile should be able to view Web Filter, Application Control, or IPS objects. |
| 722087 | Edit user group with remote members on FortiManager GUI may cause unexpected change in set group-name. |
| 724718 | When FortiManager’s NSX-T connector is executing an API request, it should not be limited to 50 records. |
| 725024 | Proxy Policy page shows empty when the View Mode is selected as Interface Pair View. |
| 725132 | When modifying IP address of Default VPN Interface of spoke in Device Manager, hub remote gateway should be modified to reflect that change. |
| 725681 | Under dual pane, scrolling may be available to move panels out of viewable area. |
| 726077 | Authentication Rules may run incorrect validation that prevents submission and results in an error: The IP versions in source and destination addresses or Internet Services do not match. |
| 726548 | User-info-server option is not available under dynamic mapping in CLI under user FSSO. |
| 728689 | FortiManager does not show warning or error while selecting no-inspection with UTM profile, which does not match FortiGate behavior. |
| 728985 | FortiManager may show signatures that have been deleted by FortiGuard. |
| 729289 | FortiManager should have an option to set fortitoken/email/sms to unset or blank. |
| 729705 | Installing policy requires Interface Validation for interfaces that are not being used in policy package. |
| 730523 | Unused policies tool may always generate a PDF containing all policies. |
| 731053 | FortiManager may miss some Internet Service entries. |
| 732138 | Non-full admin users should be able to export Policy Check and Unused Policy results. |
| 734556 | FQDN type firewall address object can be created with an unsupported format. |
| 735083 | Policy packages’ folders may not be displayed in alphabetical order. |
| 735397 | Cloned object’s revision history information may not be related to the clone task. |
| 735432 | Users with ADOM-specified admin privilege may not be able to view policy package. |
| 735738 | When creating a VIP object with port forwarding filter, FortiManager may show an error. |
| 735743 | In classic dual pane, column settings are hidden by the object configuration pane. |
| 738109 | FortiManager may not install auth-cert from policy package to device. |
| 738231 | Creating VIP with IPv4 external IP mapped to IPv6 may trigger an error, a.mappedip is undefined. |
| 738595 | FortiManager may not correctly push AWS connector credentials. |
| 738745 | When an object is renamed, the new name must be used on all policies. |
| 739205 | FortiManager may throw error Cannot delete the only package or folder, when deleting policy block. |
| 740331 | IP Pool details may be missing in ADOM v6.2. |
| 740944 | Custom IPS Signature script may fail to run on policy package or ADOM database. |
| 742257 | NPU log servers for hyperscale do not show up in policy package. |
| 744591 | Installing or importing IPS custom signature may fail when a signature’s name contains a space character. |
| 746273 | Column filter may be extremely slow with large policy packages. |
| 747330 | FortiManager cannot assign or replace VIP with SD-WAN as source interface. |
| 748523 | After creating a VIP, FortiManager may not be able to choose the VIP on a policy. |
| 748524 | VIP is not visible in the policy, if the external interface is not the same as policy SD-WAN source interface. |
| 749519 | IPv4 policies in policy block may be hidden on FortiManager’s GUI. |
| 750160 | custom-url-list may not be correctly parsed when URLs contain space characters. |
Revision History
| Bug ID | Description |
|---|---|
| 640714 | FortiManager cannot correctly retrieve and import interface subnet type address showing 0.0.0.0 for IP. |
| 642878 | FortiManager should return a clear copy fail log for dynamic interface check error. |
| 643101 | Copy may fail due to VIP overlapping when installing policy package. |
| 674094 | FortiManager may unset explicit proxy’s HTTPS and PAC ports, and change the value to 0 instead. |
| 674196 | Installation may fail after editing or creating a firewall policy if reputation-minimum is set. |
| 680549 | Restricted user’s Quick Install is not working correctly for Rating Overrides. |
| 683728 | Installation fails due to VIP mapped IP range error when installing v6.2 policy package to v6.4 device. |
| 711314 | VDOM specific Disclaimer Page configuration is purged from default replacemsg-group during Policy Package installation. |
| 713552 | If VIP address’s source-filter list is too long, installation may fail. |
| 722332 | For AP Profile change, installation preview may show No Entry. |
| 724340 | FortiManager may unset forward-error-correction from FortiGate 7060E devices. |
| 724647 | After upgrading to 6.4, retrieval from a chassis may take a long time. |
| 725252 | When customer is trying to push policy package to a device group, installation window may not show any progress, but with a red cross. |
| 725557 | Install always tries to delete hardware switch member interface, causing installation failure. |
| 725717 | After upgrade, installation may fail due to mcast-session-counting. |
| 728117 | After upgrade, install may fail due to set pri-type-max 1000000. |
| 728918 | FortiManager should install changes applied on Global policy package and not indicate warnings like no installing devices/no changes on package. |
| 729587 | FortiManager may create an already deleted admin account on FortiGate when installing changes for a new VDOM. |
| 733518 | FortiManager may incorrectly move DNAT objects. |
| 735455 | FortiManager may try to delete thousands of policies during install. |
| 735988 | Switch and AP names may be reverted by controller status update from FortiGate. |
| 740858 | GCP project name must be set during install. |
| 741543 | Install may fail with unset MAC address on EMAC VLAN. |
| 742242 | Install fails after upgrade due to set server-identity-check enable on LDAP server configuration. |
| 742806 | When modifying a configuration and installing Device Settings only, FortiManager may not display the device’s configuration change. |
| 745715 | FortiManager may not be able to install policy package with firewall rule using VIP group due to zone binding. |
| 747837 | FortiManager may try to delete interfaces lan1, lan2, and lan3, which are used by virtual-switch.sw0 on FortiGate-40F. |
Script
| Bug ID | Description |
|---|---|
| 630016 | FortiGate user can see scripts from all ADOMs. |
| 729571 | TCL script commands run on device no longer show in the script log. |
| 734942 | Script includes static route with SD-WAN enabled may report error. |
| 744030 | FortiManager should not allow running script against device database with incorrect command. |
Services
| Bug ID | Description |
|---|---|
| 685678 | When FortiMail FIPS mode is enabled, FortiManager should be able to validate its license. |
| 714127 | Backup ADOM does not support firmware template upgrade. |
| 725118 | FortiManager may not log FortiGuard connectivity failures. |
| 725721 | FortiManager may not be able to recognize all FortiGate units within HA cluster, and it may not be able to provide update services to all units. |
| 730877 | The upgrade matrix file may be missing, and FortiManager is unable to calculate upgrade paths without the upgrade matrix file. |
| 733174 | FortiManager may not be able to recognize the object id 06002000NIDS02604 as IPS Signature Database(Extended). |
| 733873 | FortiManager may not get FortiGate HA cluster’s contract information when Device Manager shows the secondary device’s SN. |
| 739625 | FortiManager may not display licensing information for FortiTester. |
| 741846 | AP upgrade task may hang at 45%. |
System Settings
| Bug ID | Description |
|---|---|
| 617601 | Sort by Time Used in Task Monitor may not be correct. |
| 663185 | Search may not work for event logs in text mode. |
| 690926 | FortiManager removes SD-WAN field description upon ADOM upgrading from 6.2 to 6.4. |
| 696554 | FortiManager may generate a lot of cdb event log for object changed event logs. |
| 700608 | The variable from meta data that is shown is not case sensitive, whereas the variable is case sensitive when using in a CLI template. |
| 705145 | Username is truncated to 49 characters in the notification Emails sent by FortiManager for workflow approvals. |
| 711686 | Workflow approval does not work when admin name has more than 49 characters. |
| 722320 | The NOT search in advanced/text mode search is not working for system event logs. |
| 726007 | Admin User systematically gets access to root ADOM in case of RADIUS authentication and Fortinet-Vdom-Name VSA is not set. |
| 727233 | ADOM license count should not count root ADOM. |
| 728942 | FortiManager may gray out some devices’ tasks with error, which cannot be grouped together. |
| 728991 | Nested group search fails with Bad search filter if the user DN contains characters like "," and "()". |
| 729280 | Admin User with no access to management ADOM or VDOM can create a new VDOM from non-management ADOM > VDOM. |
| 735067 | When creating a local account with the Force this administrator to change password upon next log on option checked, the setting should be applied for the first login. |
| 736205 | FortiManager may get stuck during upgrade. |
| 738395 | FortiManager tasks’ time used should not be increased by timezone. |
| 738622 | ADOM upgrade from 6.0 to 6.2 may fail due to FortiExtender object. |
| 743411 | FortiManager should show more than five local certificates. |
VPN Manager
| Bug ID | Description |
|---|---|
| 712633 | VPN Manager pushes default dpd-retrycount and dpd-retryinterval, but it cannot display them. |
| 712861 | Policy Package Status stays Synchronized despite SSL-VPN Portal configuration being changed by using VPN Manager. |
| 721783 | Applying Authentication or Portal Mapping changes may take several minutes. |
| 722924 | FortiManager may not be able to edit skip-check-for-unsupported-os enable under SSL portal profile. |
Known issues:
AP Manager
| Bug ID | Description |
|---|---|
| 708100 | AP Manager cannot show Channels when 160 MHz channel width is set. |
| 749820 | AP Manager > SSID > Advanced Options may not list objects under the settings address-group. |
Device Manager
| Bug ID | Description |
|---|---|
| 545239 | After adding FortiAnalyzer fabric ADOM to FortiManager, Device Manager’s Log Status, Log Rate, or Device Storage column cannot get data from FortiAnalyzer. |
| 554241 | FortiManager cannot delete and reassign ports to VDOM when split VDOM is enabled. |
| 610568 | FortiManager may not follow the order in CLI Script template. |
| 636638 | Fabric view may get stuck at loading. |
| 651560 | SD-WAN monitor may get stuck loading when admin user belongs to device group. |
| 660491 | Device Manager system interface should not allow duplicated secondary IP address. |
| 673548 | May not be possible for FortiManager to change FortiGate interface settings when the interface type is "Software Switch". |
| 674904 | FortiManager may not be able to import policies with interface binding contradiction on srcintf error. |
| 689721 | When changing FortiGuard- related settings via CLI Configuration, FortiManager shows changes are reverted back, but it also shows the message: Successfully updated. |
| 710570 | Any statement is not accepted by FortiManager in the prefix-list configuration. |
| 740893 | Secondary IP may be purged when setting a description to VLAN interface. |
| 729413 | FortiManager is missing peer options with dial up user configuration with VPN IPSec Phase 1. |
| 748578 | Retrieve FortiGate configuration may fail due to FSSO connector. |
| 752443 | Vertical scroll bar is missing in SD-WAN configuration. |
FortiSwitch Manager
| Bug ID | Description |
|---|---|
| 674539 | FortiManager may fail to upgrade two FortiSwitches at the same time. |
Global ADOM
| Bug ID | Description |
|---|---|
| 691562 | Threat feeds global objects are not installed to destination ADOM when using the assign all object option. |
Others
| Bug ID | Description |
|---|---|
| 703585 | FortiManager may return Connection aborted error with JSON API request. |
| 729175 | FortiManager should highlight device consisting of specific IP address under Fabric View. |
| 732116 | Setting of FortiCloud Single Sign-On is always displayed on login. |
| 747716 | JSON API does not return gateway for IPSec route. |
Policy & Objects
| Bug ID | Description |
|---|---|
| 585177 | FortiManager is unable to create VIPv6 virtual server objects. |
| 615250 | Search by CVE may not work for both IPS Signatures and IPS Filters. |
| 646329 | Policy Check may claim different IPS profiles as duplicate. |
| 652753 | When an obsolete internet service is selected, FortiManager may show entries’ IDs instead of names. |
| 655601 | FortiManager may be slow to add or remove a URL entry on web filter with a large list. |
| 656991 | FortiManager should not allow VIP to be created with same IP for External IP and Mapped IP Address. |
| 659296 | FortiManager may take a lot of time to update web filter URL filter list. |
| 688586 | Exporting Policy Package to CSV shows certificate-inspection in the ssl-ssh-profile column even when the profile is not in use. |
| 713692 | Web Filter Profile install may fail when using pre-defined URL filter. |
| 719774 | IP reputation for the policies is not working without source or destination. |
| 720673 | Many groups learned from Cisco ISE may be missing corresponding ADOM objects. |
| 725427 | Policy package install skips the policy where destination interface is set as SD-WAN zone and policy is IPSEC policy. |
| 726105 | CLI Only Objects may not be able to select FSSO interface. |
| 729179 | FortiManager may not be able to add Geography type address when interface mapping is enabled. |
| 731037 | There may be File Filter file type mismatch between FortiGate and FortiManager. |
| 744766 | FortiManager may not be able to retrieve IP address for group with NSX-T v3.1.2. |
| 745863 | FortiManager may display "Invalid internet service source" error when selecting certain Internet services. |
| 747558 | FortiManager filters should work for HitCounters, First Session, and Last session. |
| 748467 | FortiManager does not have the same profiles as FortiGate with explicit proxy policy. |
| 751710 | Editing a global user FSSO object’s dynamic mapping is not possible. |
Revision History
| Bug ID | Description |
|---|---|
| 618305 | FortiManager changes configuration system CSF settings. |
| 635957 | Install fails for subnet overlap IP between two interfaces. |
Script
| Bug ID | Description |
|---|---|
| 384139 | Filter does not work on device group. |
| 654700 | Users need to open View Script Execution History to see that TCL script fails. |
Services
| Bug ID | Description |
|---|---|
| 753871 | FortiClient packages should not continue to be received once the service for that firmware version has been disabled. |
System Settings
| Bug ID | Description |
|---|---|
| 616703 | GUI CLI Console may not respond. |
| 640670 | If a user-specified ADOM includes a global ADOM, workflow approval may not be able to find the same user. |
| 652417 | FortiManager HA may go out of synchronization periodically based on the logs. |
| 721153 | Scroll bar is missing from device drop-down list on ADOM overview page. |
| 752916 | FortiManager should be able to set desired permissions for Extender Manager in administrator profile settings. |
VPN Manager
| Bug ID | Description |
|---|---|
| 615890 | IPSec VPN Authusergrp option Inherit from Policy is missing when setting xauthtype as auto server. |
| 699759 | When installing a policy package, per-device mapped objects used in SSL VPN cannot be installed. |
Vendor release notes: FortiManager 7.0.2
Regards,
The B&B Team
Security in business
