Fortinet opublikował aktualizację oprogramowania dla FortiManager o oznaczeniu wersji 7.4.2. Nowa wersja rozwiązuje problemy z device managerem, który powinien już prawidłowo odświeżać informacje na temat zarządzanych urządzeń, poprawnie wyświetlać różnice baz pod funkcją „Device Configuration DB”. Nowa wersja pozbawiona jest również błędów związanych z brakiem możliwości dodania nowych przełączników FortiSwitch czy nieprawidłowym wyświetlaniem statusów portów. Rozwiązano również problemy związane z instalacją pakietu polityk, gdzie usunięto problem pomijania polityk gdzie docelowym interfejsem był interfejs SD-WAN.
Aktualnie wspierane modele:
| FortiManager | FMG-200F, FMG-200G, FMG-300F, FMG-400G, FMG-1000F, FMG-2000E
FMG-3000F, FMG-3000G, FMG-3700F, and FMG-3700G. |
| FortiManager VM | FMG_DOCKER, FMG_VM64, FMG_VM64_ALI, FMG_VM64_AWS, FMG_VM64_AWSOnDemand, FMG_VM64_Azure, FMG_VM64_GCP, FMG_VM64_IBM, FMG_VM64_HV (including Hyper-V 2016, 2019), FMG_VM64_KVM, FMG_VM64_OPC, FMG_VM64_XEN (for both Citrix and Open Source Xen). |
Rozwiązane problemy:
AP Manager
| Bug ID | Description |
|---|---|
| 736930 | FortiManager is unable to efficiently display rogue AP lists for FortiGates with a high volume of rogue APs. |
| 861941 | FortiManager attempts to install „arrp-profile” even if „darrp” is disabled. |
| 906061 | It takes a significant amount of time to assign a profile to each FortiAP. |
Device Manager
| Bug ID | Description |
|---|---|
| 723720 | „strong-crypto” feature change under the CLI configuration cannot be installed to FortiGate. |
| 778131 | FortiManager did not support the per device mapping for user SAML configurations. |
| 811104 | Import policy package fails after installing web-proxy through CLI configurations. |
| 838462 | Adding device using „Add Model HA Cluster” feature failed as FortiManager does not allow „virtual switch interfaces” being used as „heartbeat interfaces”. |
| 880934 | FortiManager reverts Syslog mode settings on local FortiGates (when FortiGates are in FIPS mode). |
| 902577 | The status of the FortiLink split-interface radio button under FortiManager’s Device Manager does not match the configuration in FortiGates. |
| 920394 | Installation failed due to the incorrect install order during ZTP. |
| 923808 | Even with the „set dhcp-relay-request-all-server enable” option enabled, FortiManager does not keep the DHCP server & relay configurations on the same interface. |
| 935586 | When managed devices go down/appear offline, not all FGFM tunnels are automatically recovered by FortiManager. |
| 936168 | Unable to assign Device Group to the Firmware Template. |
| 939921 | The firmware upgrade in ADOM mode backup is not allowed. |
| 947393 | When adding a device via CSV file import, not all metadata values may be configured successfully if a variable is not used in any provisioning templates within the blueprint. |
| 948475 | „View Diff” function under the „Device Configuration DB” under Device Manager per device does not function properly. |
| 949546 | When assigning interfaces to a zone in a vdom, it is not visible in Device Manager. |
| 949612 | The SD-WAN monitor table-view takes too long to load/display information. |
| 952404 | FortiManager cannot install the Static Route config under the Provisioning Template due to a static route template error after upgrading to FortiManager 7.2.4/7.4.1. |
| 954610 | FortiManager does not show objects under the 'named address’ options in Ipsec VPN Phase 2 definitions. |
| 956567 | Not able to edit/delete Logging Devices Group. |
| 961447 | After upgrading FortiManager to versions 7.2.4 or 7.4.1, devices may not be able to be retrieved or refreshed. FortiManager displays an error message related to license limits: „liclimit1|110|liclimit2|110|liclimit3|1|liclimit4.” |
| 967611 | Device Manager interface link status is blank for various Interface types (Tunnel, Aggregate, VDOM Link, Software Switch). |
| 969542 | Sometimes IPsec Tunnel Template displays the „Response with errors” message when editing the template. |
| 969698 | FortiManager allows the creation of an empty service value for Internet Service routes. |
FortiSwitch Manager
| Bug ID | Description |
|---|---|
| 940419 | When adding FortiSwitch on FortiManager, error message „Import error – invalid port number” is displayed. |
| 958072 | The „view ports” feature under the Managed FortiSwitches of the FortiSwitch manager does not display the ports. |
| 966726 | When viewing switch ports through the FortiSwitch manager, the port status was displayed as Down. |
| 967213 | While attempting to deploy a FortiSwitch template to a model device, FortiManager generates the following error message: „VLAN interface does not match FortiLink.” |
Global ADOM
| Bug ID | Description |
|---|---|
| 906058 | Firewall address cannot be deleted from Global ADOM; it displays an error message indicating that the object is being used in ADOM root. |
| 969182 | Under the Global ADOM, the assignment of specific policy packages does not function properly. |
Others
| Bug ID | Description |
|---|---|
| 583349 | FortiManager does not provide support for image upgrades on „ONDEMAND” devices. |
| 796858 | Subject Key Identifier extension is missing on FortiManager ADOM CA certificate. |
| 875584 | FortiManager cannot upgrade ADOMs to 7.2 due to error „copy system replacemsg spam.smtp-spam-emailblock”. |
| 891253 | The firmware upgrade is successful; however, the task line does not get updated for the retrieve action when device names exceed the predefined character limit. |
| 900512 | FortiManager ADOM Upgrade fails with the error message, „Peer type cannot be peer when authentication method is pre-share key”. |
| 922957 | The „fmgd” process may crash while loading the ADOM when multiple Policy Packages are locked. |
| 937448 | Unable to change the time zone on ADOM when FortiAnalyzer feature is enabled on FortiManager. |
| 941203 | FortiManager does not support the use of Certificate Templates to create certificates with a „range=global” setting for FortiGates operating in multi-vdom mode. |
| 945048 | Unable to edit/delete/clone extender controller for ADOM V7.0. |
| 957433 | When creating the FortiManager/FortiAnalyzer docker instances, UUID is missing under the „diagnose debug vminfo„. |
| 960796 | FortiExtenders are not displayed under the FortiExtender Manager for all FortiGates. |
| 963490 | Installation fails as FortiManager attempts to „set role primary” feature for the „lan-extension backhaul” under the „extender-controller„. |
| 971122 | FortiManager does not support all authentication types that are supported by FortiOS, leading to a certificate error in the FortiClient EMS connector. |
Policy and Objects
| Bug ID | Description |
|---|---|
| 630648 | A FortiManager instance running on Microsoft Azure is unable to import the SDN connector for a dynamic firewall address and is displaying an error message stating „wrong input parameter.” |
| 725427 | Policy package install skips the policy where destination interface is set as SD-WAN zone and policy is IPSEC policy. |
| 751443 | FortiManager displays policy installation copy failures error when ipsec template gets unassigned. |
| 830640 | „Send files to FortiSandbox for inspection” option is being enabled when creating an antivirus profile. |
| 854359 | An installation error occurs when FortiManager attempts to install wildcard FQDN addresses ’mzstatic-apple’ and ’cdn-apple’ within the ’custom-deep-inspection’ SSL-SSH profile. |
| 855073 | The „where used” feature does not function properly. |
| 875103 | Local categories gets purged if used in Profile Mode Security Profiles. |
| 894597 | Default value for „unsupported-ssl-version” in ssl-ssh-profile gets modified during the installation. |
| 899226 | Unable to create Central SNAT explicit port translations on FortiManager. |
| 900229 | In policy-based policy packaged, application IDs are displayed instead of their names. |
| 904751 | WebRating overrides can’t be deployed or deleted via FortiManager. |
| 907925 | IPS profile/Signature tab is not visible for admins with non-default admin profile. |
| 939979 | After editing authentication-rule/portal mapping, FortiManager installs unexpected changes to these rules. |
| 942659 | Syncing EMS tags from FortiManager fails when the EMS Connector is configured in multi-site mode. |
| 943386 | The installation failed with the message: „auto-firmware-upgrade-day is overridden by auto-firmware-upgrade-delay for automatic patch-level firmware upgrades from FortiGuard.” |
| 945632 | Modifying the Policy Installation Target does not trigger a status change in the Policy Package when adding an „install on” to a single policy. |
| 945853 | FortiManager doesn’t sync previously deleted FortiClient EMS tags. |
| 948437 | When adding a filter under Application Control, it results in a display of apps with messy names and icons. |
| 948559 | Policy blocks doesn’t load properly. |
| 948980 | After creating a new v7.4 ADOM, clicking on the „Show Global Object Search” displays empty page. |
| 949515 | Security Policy Installation Verification fails because the „internet-service-negate” feature gets enabled every time after modifying the policy. |
| 949972 | Filter isn’t working when trying to add a device as a Installation target for an existing policy package. |
| 955010 | Comments on policies may be cleared when a blank area within the text field is clicked. |
| 957225 | ADOM admin users not able to view the managed FortiGate in the policy push wizard |
| 958923 | Installing policy packages that utilize an SSL/SSH Inspection profile may fail with the error message, „Server certificate replace mode cannot support category exempt.” |
| 959166 | Export to Excel does not work. |
| 960660 | The Clone Reverse feature is not functioning when the firewall policy includes an Internet service address object. |
| 960778 | Installation failed because FortiManager attempts to remove a static entry, „QuarantinedDevices.” |
| 963536 | The policy package feature 'Export to Excel’ is not functioning. |
| 964464 | Policy Lookup feature does not function. |
| 965670 | Creating a new interface type 'vlan’; changing VDOM results in the removal of the selected interface. |
| 978814 | When attempting to use the Export to Excel feature under the Firewall Policy with extensive rules, GUI may slow down and become unresponsive for some time. |
Revision History
| Bug ID | Description |
|---|---|
| 513317 | FortiManager may fail to install policy after FortiGate failover on Azure. |
| 894523 | Object revision timestamp is taken from previous revision. |
Script
| Bug ID | Description |
|---|---|
| 937528 | Unable to send DHCP options „set value” using CLI template and using Script. |
Services
| Bug ID | Description |
|---|---|
| 863094 | The query status is not functioning correctly, and the 'top 10 unrated sites’ section actually displays ratings. |
| 938365 | FortiManager’s GUI does not display an option under FortiGuard Settings to support the 7.2 version for FortiClient and FortiMail. |
System Settings
| Bug ID | Description |
|---|---|
| 842732 | FortiManager does not display the Secondary HA member’s status correctly. |
| 853429 | Creating FortiManager’s configuration backup via scp cannot be done. |
| 871633 | The configuration that is not synchronized among HA members cannot be modified on slave devices. |
| 930200 | Unable to change the time and timezone from the GUI. |
| 930449 | Testing the syslog server displays the message, „Failed to send a test log to syslog server”. |
| 936694 | After removing a device, FortiManager generates repeated „sync dvmdb to faz” tasks for all logged-in administrative users. |
| 941082 | A password prompt is consistently requested with each new login attempt when applying password policies to a local account linked to FortiToken Cloud Mobile for multi-factor authentication (MFA). |
| 957308 | After enabling FAZ feature the new Event Logs are not displayed in Event Log under the system settings. |
| 966148 | RADIUS remote users are unable to successfully install changes to FortiGates. |
| 967862 | In the FortiManager dashboard, bandwidth is displayed in 'bps’. |
VPN Manager
| Bug ID | Description |
|---|---|
| 897574 | Address Objects with Meta Variables do not function correctly when creating Static routes using the VPN Manager. |
| 906097 | VPN Manager IPsec community Phase 2 encryption setting can’t be changed to AES256GCM from the GUI. |
Znane problemy:
AP Manager
| Bug ID | Description |
|---|---|
| 884233 | FortiManager displays the AP critical security vulnerability info even after FortiAPs are being upgraded. |
| 974444 | DNS server for SSIDs gets resets after Importing AP Profile. |
Device Manager
| Bug ID | Description |
|---|---|
| 888948 | The „firewall ssh setting” objects cannot be retrieved on FortiManager due to the FortiOS’s bug (ID 0906987). |
| 895994 | When using the 'where used’ feature in Phase 2 quick mode selector, objects do not appear, and they can be removed. |
| 955058 | Changes on address groups only referenced in phase2 selectors are not installed. |
Others
| Bug ID | Description |
|---|---|
| 703585 | FortiManager may return „Connection aborted” error with JSON API request. |
| 874052 | After upgrade ADOM from v7.0 to v7.2, when installing a policy package to FGT-v7.2 device, FortiManager tries to change 'match-vip’ from 'disabled’ to 'enabled’ |
| 894219 | The log filter does not function correctly when filtering by FortiGate HA cluster ID instead of the device ID for individual FortiGate units. |
| 924164 | The firmware template status changes to „unknown” after retrieve. |
| 935430 | When FortiAnalyzer is managed by FortiManager and FortiManager’s local logs are being sent to FortiAnalyzer, installing PP to FortiGates may display the following message: „Confirm Deletion FortiManager is going to sync the following device deletion to FortiAnalyzer,…”. |
Policy & Objects
| Bug ID | Description |
|---|---|
| 718223 | Hyperscale firewall EIF shall not be enabled when IP pool with CGN overload configuration is used in a policy. |
| 779363 | FortiManager fails to install analytics-wl-filetype in AV profile to FortiGates. |
| 817289 | FortiManager only accepts IPv6 Compressed Notation format for the Policy & Objects. |
| 845022 | SDN Connector failed to import objects from VMware VSphere. |
| 855317 | New users added to the user group for IPSec dial-up XAuth authentication do not get installed. |
| 908353 | When ISDB name is changed, FortiManager does not automatically update the new ISDB object name. |
| 917471 | The EMS connector is automatically being disabled. |
| 938019 | Policy Package Status not changed on modification of nested group used in policy block. |
| 959116 | The timestamps displayed for 'First/Last Used’ under the Hit Count for Firewall Policies within the Policy & Objects section are invalid. |
| 959890 | Per-device mapping search for VDOMs is not possible for users. |
| 960659 | FortiManager cannot display all the objects within the cell (e.g., Service Field, etc.) for the firewall policies. |
| 980649 | Where Used feature disappears when ADOM is unlocked. |
Revision History
| Bug ID | Description |
|---|---|
| 801614 | FortiManager might display an error message, „Failed to create a new revision.”, for some FortiGates when retrieving their configurations. |
System Settings
| Bug ID | Description |
|---|---|
| 825319 | FortiManager fails to promote a FortiGate HA member (running on firmware 7.2.0 to 7.2.4) to the Primary. |
| 962476 | Restricted Admin users cannot Install Web Filter, IPS, and Application Control profile to FortiGates. |
VPN Manager
| Bug ID | Description |
|---|---|
| 678319 | Once „os-check” option is enabled, „os-check-list” table is not loaded. |
Notatki producenta: FortiManager 7.4.2
Pozdrawiamy,
Zespół B&B
Bezpieczeństwo w biznesie