Producent oprogramowania Fortinet opublikował najnowszą aktualizację dla produktu FortiManager w wersji 7.2.10. W ramach tej aktualizacji naprawiono problem z wyświetlaniem adresów IP interfejsów urządzeń FortiGate, gdy są one skonfigurowane w trybie DHCP. Dodatkowo rozwiązano kwestię, w której instalowanie pakietów zasad z wykorzystaniem profilu inspekcji SSL/SSH mogło kończyć się niepowodzeniem, wyświetlając komunikat o błędzie „Server certificate replace mode cannot support category exempt.” Po więcej szczegółów zapraszam do dalszej części artykułu.
Rozwiązane problemy:
AP Manager
| Bug ID | Description |
|---|---|
| 1040365 | FortiManager is generating false vulnerability reports for certain FortiAPs:
|
| 1076200 | Policy install fails due to FortiManager installs unexpected changes related to „<wifi_intf> address”. |
Device Manager
| Bug ID | Description |
|---|---|
| 973365 | FortiManager does not display the IP addresses of FortiGate interfaces configured with DHCP addressing mode. |
| 1015138 | Unable to edit interface with dhcp reservation. |
| 1030539 | Managed FortiAnalyzer shown as managed FortiGate in Device Manager. |
| 1030685 | Unable to export metadata variables if the metadata’s per-device-mapping value is empty. |
| 1050126 | Setting up a FortiGate-HA with ZTP fails because the FortiLink is not deleted during the „HA config pushed to FGT” process. |
| 1051889 | When downloading the FortiGate config through Device Manager > Managed Devices > Device Configuration DB, the downloaded file contains line breaks in middle of commands, which prevents it to be installed on FortiGate. |
| 1053194 | If the „system interface speed” attribute is changed from the FortiManager, it may potentially cause an installation failure. Modifying the „system interface speed” is not currently supported on the FortiManager and must be done on the FortiGate side. |
| 1063635 | FortiManager does not support the „FortiWiFi-80F-2R-3G4G-DSL”. |
| 1063835 | FortiManager ZTP installation to FortiGate versions 7.2.8 and lower may fail due to differing default „ssh-kex-algo” settings between FortiManager and FortiGate. |
| 1063850 | FortiManager is attempting to install a „PRIVATE KEY” with every installation, even after retrieving the config. |
| 1067706 | Metadata variables cannot be used in the firewall address objects. |
| 1070943 | Unable to upgrade the devices via Device Group Upgrade Firmware feature. |
| 1074717 | An error might be observed when the SD-WAN template health check name contains a space, displaying the following message: „Bad health check name…”. |
| 1075052 | Occasionally, installations may fail on FortiGates in HA mode due to a „Serial number does NOT match” error. This can happen if the HA device’s serial number on FortiManager does not immediately update after a failover. |
| 1075281 | Unable to add FortiAnalyzer to FortiManager, when „fgfm-peercert-withoutsn” is enabled. |
FortiSwitch Manager
| Bug ID | Description |
|---|---|
| 1061315 | Device DB FortiLink config changes when authorizing or deauthorizing FortiSwitch from either FortiSwitch Manager or local FortiGate. |
Others
| Bug ID | Description |
|---|---|
| 998198 | When upgrading ADOM, the upgrade process fails with the following error: „invalid value – can not find import template 'XYZ’ „. |
| 1003711 | During the FortiGate HA upgrade, both the primary and secondary FortiGates may reboot simultaneously, which can disrupt the network. This issue is more likely to occur in FortiGates that require disk checks, leading to longer boot times. |
| 1020787 | ZTP Enforce firmware Version doesn’t upgrade the secondary cluster member. |
| 1058185 | FortiProxy policies not imported if the policies have either internet service or IPv6 used in the source or destination. |
| 1078947 | Repeatedly testing the URL rating on FortiManager (diagnose fmupdate test fgd-url-rating…) may cause the „fgdsvr daemon” to crash. |
| 1081941 | When UTM-Profile gets added to a FortiProxy policy FortiManager generates invalid config. |
Policy and Objects
| Bug ID | Description |
|---|---|
| 958923 | Installing policy packages that utilize an SSL/SSH Inspection profile may fail with the error message „Server certificate replace mode cannot support category exempt.” |
| 978136 | Occasionally, installation may fail due to an error message, „Waiting for another session”, which prevents policies from being installed from FortiManager. During this issue, the following message may also appear: „Blocked by session id(XYZ) username(n/a)”. This issue may be caused by a signal loss between the child and parent security console processes, leading the parent process to continue waiting for a copy result. |
| 983591 | In the Firewall section, when attempting to add a note to the policy, the comment window shifts towards the left corner. |
| 991720 | FortiManager still has an option to enable the „match-vip” through the policy package for „allow” policies. However, this is not supported anymore on the FortiGates. |
| 1004929 | FortiManager removes the Web Filter Profile from the Profile Group for Policy-Based FortiGates. |
| 1005161 | The policy package status changes for all devices even when an address object is opened and saved without any modifications. This issue is particularly observed in objects utilizing the per-device mapping feature. |
| 1008413 | FortiManager fails to load IPS signatures in the profile. This may only occur when the number of signatures listed in the profile is larger than 80. |
| 1014025
1087922 |
While attempting to access the Application Signatures list on FortiManager, an error message: „a.foreach is not a function” might be displayed. |
| 1029787 | The Firewall Policy pane in the FortiManager GUI may occasionally display both „Standard Security Profiles” (SSL no-inspection and protocol default profiles) and „Security Profile Groups” simultaneously. |
| 1046002 | Policy Package status does not display „unknown” status immediately following retrieve. |
| 1055795 | During device import via multiple CSV files at same time, some devices were imported successfully, while others encountered errors and had missing metadata variables. Additionally, FortiManager forced the admin to log out. When attempting to log back in, the following error message appeared: „ADOM not found”. |
| 1068736 | Best Quality SDWAN rules installation may fail with the following error message: „Commit failed: Bad health check name”. |
| 1069285 | Using TAB button while creating firewall address object creates error Invalid IP address. |
| 1071226 | Policy Lookup is not showing result as highlighted when the sections are not expended. |
| 1076659 | When policy package configured with policy block, installation to multiple devices may have copy fail errors if combined length of the Policy Block name and Policy name is greater than 35 characters and if the total number of such policies exceeds 1000. |
| 1079037 | The „internet-service-id” attribute is configurable in the FortiManager, whereas this attribute cannot be modified on the FortiGate. |
| 1079128 | ZTNA Server Per-Device Mapping may display a copy error failure if a new per-device mapping is created without specifying the object interface. |
| 1082548 | Address type FQDN is missing DNS resolve domain name function feature. |
Script
| Bug ID | Description |
|---|---|
| 931088 | Unable to delete VDOMs using the FortiManager script. Interfaces remain in the device database, causing the installation to fail.
InternalNotes: ————– – The case apparently has been reproduced by „”Olivier Brunori, 2024-06-27 00:47″”. |
| 1085374 | FortiManager does not support exporting the TCL scripts via CLI. |
Services
| Bug ID | Description |
|---|---|
| 1034102 | Unable to upgrade FortiGates from FortiManager due to a „no valid FMWR license” error, despite the FortiGates being licensed. This issue is reported when the „FMG Authorization table” on the FDS server is empty. |
| 1060509 | When updating query service packages from the global anycast server (globalupdate.fortinet.net), larger-sized IoTS packages may encounter checksum errors. These errors can prevent the proper updating of SPAM and URL databases, potentially impacting the FortiManager’s FortiGuard Services. |
Common Vulnerabilities and Exposures
Visit https://fortiguard.com/psirt for more information.
| Bug ID | CVE references |
|---|---|
| 1020280 | FortiManager 7.2.10 is no longer vulnerable to the following CVE Reference:
|
Notatki producenta: FortiManager 7.2.10 Release Notes
Pozdrawiamy,
Zespół B&B
Bezpieczeństwo w biznesie