Fortinet has released software version 7.2.0 for FortiManager. This release fixes an issue where the machine would hang with disk usage reaching 100% for no specific reason. It also resolves a serious bug in which upgrading FortiGate firmware through FortiManager broke the FortiGate HA cluster. Read on for more details about the update.
Currently supported models:
| FortiManager | FMG-200F, FMG-200G, FMG-300F, FMG-400E, FMG-400G, FMG-1000F, FMG-2000E, FMG-3000F, FMG-3000G, FMG-3700F, and FMG-3700G. | 
| FortiManager VM | FMG_DOCKER, FMG-VM64, FMG-VM64-AWS, FMG-VM64-AWSOnDemand, FMG-VM64-Azure, FMG-VM64-GCP, FMG-VM64-IBM, FMG-VM64-HV (including Hyper-V 2016, 2019), FMG-VM64-KVM, FMG-VM64-OPC, FMG-VM64-XEN (for both Citrix and Open Source Xen). | 
Resolved issues:
AP Manager
| Bug ID | Description | 
|---|---|
| 770234 | 5GHz DFS channels on AP Profile were not supported for FAP U231F. | 
| 772213 | FortiManager may try to delete default wtp 11ac-only profile on FortiWiFi-60F causing install to fail. | 
| 781561 | User may not be able to access AP Manager with a custom read-only admin profile. | 
| 785471 | FortiManager was deleting wireless-controller wtp and the objects referenced by wtp during the first installation after the upgrade. | 
Device Manager
| Bug ID | Description | 
|---|---|
| 545239 | After adding FortiManager fabric ADOM to FortiManager, Device Manager’s log status, Log Rate, or Device Storage column cannot get data from FortiAnalyzer. | 
| 651560 | SD-WAN monitor may get stuck loading when admin user belongs to device group. | 
| 677836 | The Client Address Range setting should allow users to configure assign-IPs from firewall address or group. | 
| 691611 | FortiManager does "auto-retrieve" causing all policy package status to go "unknown" after a new VDOM is created on FortiGate. | 
| 705212 | When editing device in HA cluster, admin password change is not applied to secondary unit. | 
| 725334 | Importing policy package shows ngfw-mode policy-based with the inspection-mode set to proxy. | 
| 729413 | FortiManager is missing peer options with dial up user configuration with VPN IPSec Phase 1. | 
| 743102 | Device & Groups > VPN Phase1/Phase2 does not show the proposal column when using FGT-VM type "FGVMIB". | 
| 751427 | Provisioning template with empty name cannot be deleted or edited. | 
| 755519 | Zero-touch provisioning with script installation may fail due to duplicated snmp-index. | 
| 759255 | User may not be able to click on the check box to import configuration with 6.2 ADOM. | 
| 759708 | The Provisioning Template's status on Summary Dashboard always displays "Modified". | 
| 763797 | Installation fails due to configuring forward-error-correction on FortiGate’s interfaces. | 
| 763907 | Certificates CN information may be invalid when FortiGate is registered by Zero-Touch-Provisioning. | 
| 764841 | FortiManager is unable to use secondary IP as source IP in DNS database. | 
| 765762 | FortiManager is unable to install the Switch Controller > VLAN interface configuration during the ZTP process. | 
| 770567 | When a device uses IPsec Tunnel Provisioning template with enable value for aggregate member, FortiManager may create a new system interface with the same name which is not expected behavior. | 
| 773336 | FortiToken provision button is greyed out in Device Manager while it is enabled on FortiGate with the same token. | 
| 776605 | Editing provisioning CLI template without any modification may cause device status changed to Modified. | 
| 779260 | When sdwan-monitor-history is enabled, replace last 5 minutes with last 10 minutes. | 
| 779836 | FortiManager cannot install TCP-connect using Random port for SD-WAN. | 
| 779900 | Administrative user gui-dashboard information should be deleted upon VDOM deletion. | 
| 780833 | FortiManager cannot use space to set location under SNMP configuration. | 
| 783517 | Input-Device under CLI Configuration > System > SD-WAN > Service displays loading for a long time. | 
| 791274 | When optional meta fields are being used, users cannot edit the devices. | 
| 794368, 771165 | Removing the objects from Device Level DB did not delete the objects’ reference from ADOM Level DB. | 
Global ADOM
| Bug ID | Description | 
|---|---|
| 691562 | Threat feeds global objects are not installed to destination ADOM when using the assign all object option. | 
| 740942 | "srcintf" selector in Traffic Shaping Header or Footer Policy may not work in Global ADOM. | 
| 752328 | Global database may be locked when viewing Workflow Session Diff. | 
| 795327 | When adding an ADOM to Global Database, the message "Double global assignment exists" keeps showing up. | 
Others
| Bug ID | Description | 
|---|---|
| 707911 | FortiManager should be able to assign VLAN interface to FortiExtender. | 
| 715601 | Under some conditions, disk usage may reach 100% after a few days. | 
| 774872 | FortiManager should support more than 88 characters for password when backing up all settings. | 
| 775574 | There is a Criteria Latency field which is different between FortiGate and FortiManager when creating the manual interface option for SD-WAN rules. | 
| 776342 | System NPU values may be different between FortiManager and FortiGate-1801F. | 
| 776413 | FortiManager’s lock/commit operation is very slow when FortiManager-HA is enabled. | 
| 781642 | FortiManager displays "failed to copy BRANCH_BGP_Recommended" error when performing the "check adom-integrity" test. | 
| 786281 | During the installation, FortiManager displays Policy Consistency Check failure. | 
| 792887 | Verification fails for default dnsfilter profile due to wrongly installing "set category 0". | 
Policy and Objects
| Bug ID | Description | 
|---|---|
| 696367 | Hit count, first used, and last used may not get updated on FortiManager. | 
| 770210 | Where Used may not be reporting used objects properly. | 
| 770256 | FortiManager displays error when using "push to install" for objects utilized by policy blocks. | 
| 771941 | FortiManager is unable to import or create virtual server with real servers using the same IP but different "http-host". | 
| 774435 | Right-click menu to add object may return an error: "cgn-resource-quote:out of range". | 
| 776361 | Policy lookup may not work if the managed devices are in Transparent mode. | 
| 777554 | There may be slowness when using Find Duplicate Objects with Merge tools. | 
| 777879 | Copy fail error due to external-resource used in webfilter profile. | 
| 778111 | Removing the objects from Device Level DB did not delete the object’s reference from ADOM Level DB. | 
| 779853 | When creating a Central DNAT policy in FortiManager, more services may not be added to policy with error: can’t assign to property "from" on NaN: not an object. | 
| 779947 | Address group changes for per-device mapping does not apply to FortiGate when Address group is used in policy route. | 
| 781118 | 6.4 version ADOM policy package failed to enable policy NAT from GUI. | 
| 781258 | IPv4 & IPv6’s ACLs are not available when Policy Offload Level is set to "Full Offload". | 
| 782435 | Moving a policy by dragging may not work properly. | 
| 783899 | There may not be empty lines in "IPS Signature and Filters". | 
| 785341 | Consolidated policy NAT is always disabled on the GUI. | 
| 786684 | Installation fails because the virtual-wan-link did not exist. | 
| 786740 | FortiManager displays Install failure due to adding "g-" prefix to the external-resource objects. | 
| 789957 | Created time doesn’t indicate AM or PM on the Tools > Find Unused Policies. | 
Revision History
| Bug ID | Description | 
|---|---|
| 725717 | After upgrade, installation may fail due to mcast-session-counting. | 
| 729148 | Install fails when new transparent mode VDOM is added directly via FortiGate CLI and imported into FortiManager. | 
| 775577 | AutoUpdate may purge firewall shaping-profile. | 
Script
| Bug ID | Description | 
|---|---|
| 767577 | Installing a script to device database fails if switch-interface member contains VXLAN interface. | 
| 780604 | When creating a new phase1 interface, dpd=on-idle settings may not be saved. | 
| 787113 | TCL scripts fail to run if the admin’s password is longer than 36 characters. | 
Services
| Bug ID | Description | 
|---|---|
| 754038 | FortiGate firmware upgrade via FortiManager may break FortiGate HA cluster. | 
System Settings
| Bug ID | Description | 
|---|---|
| 762663 | FortiManager should have the CA Identifier as configurable for SCEP server request. | 
| 768636 | Password cannot be longer than 63 characters for configuration auto backup. | 
| 768682 | Setting a Cluster ID for a model HA cluster results in an invalid group ID under config system HA. | 
| 775091 | Two factor authentication fails when special characters are used in CN. | 
| 777726 | FortiManager may not generate event logs for meta field changes. | 
| 778405 | Script Groups should be copied with their members when cloning an ADOM. | 
| 782345 | FortiManager may not be able to upgrade ADOM from 6.2 to 6.4: err=-2,Policy ippool (ippool6) name cannot be empty. | 
| 783066 | When the number of registered FortiGate devices is at the upper limit of the license count, HA may become asynchronized. | 
| 790409 | idle_timeout under admin’s setting is not converted properly after performing the upgrade. | 
VPN Manager
| Bug ID | Description | 
|---|---|
| 779498 | VPN monitor may not display correct information when FortiManager is in advanced ADOM mode. | 
| 780154 | Policy package should be pushed to VPN hubs without error, "interface IP is 0". | 
Known issues:
Device Manager
| Bug ID | Description | 
|---|---|
| 748578 | Retrieve FortiGate configuration may fail due to FSSO connector. | 
| 756650 | Router > OSPF > Interface is missing configuration window for md5 keys. | 
| 770600 | Comma between IP address and subnet causes saving problem on Prefix List Rule under BGP Templates. | 
| 779847 | FortiManager cannot map OVERLAY-1/2 while using provisioning templates. | 
Others
| Bug ID | Description | 
|---|---|
| 729175 | FortiManager should highlight device consisting of specific IP address under Fabric View. | 
| 781831 | FortiManager should be able to retrieve EMS tags using hostname of FortiClient EMS Server if it's able to resolve the hostname. | 
| 783226 | Fabric View may keep loading. | 
Policy & Objects
| Bug ID | Description | 
|---|---|
| 470276 | Where used may not work on internet service. | 
| 523350 | FortiManager does not show the default certificate under SSL/SSH Inspection within policy. | 
| 698448 | 'Block Malicious URLs Discovered by FortiSandbox' in Web Filter Profile cannot be saved. | 
| 713692 | Web Filter Profile install may fail when using pre-defined URL filter. | 
| 724011 | FortiManager needs to support multiple server certificate list in ssl/ssh profile. | 
| 725024 | "Proxy Policy" page shows empty when the "View Mode" is selected as "Interface Pair View". | 
| 751168 | Installation to FortiGate may fail when installing some specific applications. | 
| 773249 | FortiManager may not display the correct number of firewall address objects while adding the objects to DoS policy. | 
| 773333 | For users, the configurations for two-factor-authentication and two-factor-notification should not lead to installation failure. | 
| 773403 | FortiManager may now differentiate between the ISDB objects "Predefined Internet Services" and "IP Reputation Database". | 
| 774058 | Rule list order may not be saved under File Filter Profile. | 
| 774111 | FortiManager does not support Dynamic firewall address with sub-type Switch Controller NAC Policy TAG. | 
| 779965 | Users may not be able to export firewall Header and Footer policies to Excel. | 
Revision History
| Bug ID | Description | 
|---|---|
| 774115 | After upgrade, install may fail for FSSO password when private-data-encryption is enabled. | 
| 779864 | FortiManager cannot install ISDB object 'Microsoft-Intune'. | 
Services
| Bug ID | Description | 
|---|---|
| 704584 | FAP firmware may not be listed and cannot be imported. | 
System Settings
| Bug ID | Description | 
|---|---|
| 752916 | FortiManager should be able to set desired permissions for Extender Manager in administrator profile settings. | 
| 780245 | Install Wizard shows all devices are selected even though "Default Device Selection for Install" is set to "Deselect All". | 
| 799504 | Local restricted administrator users are able to view the task monitor. | 
| 799519 | If Management Extension Applications (MEA) are enabled, all system settings may be lost after upgrading the FortiManager. | 
VPN Manager
| Bug ID | Description | 
|---|---|
| 615890 | IPSec VPN Authusergrp option "Inherit from Policy" is missing when setting xauthtype as auto server. | 
| 773710 | When editing existing SSL VPN settings, the Banned-cipher and ciphersuite may keep changing. | 
Vendor release notes: FortiManager 7.2.0
Best regards,
The B&B Team
Bezpieczeństwo w biznesie
