Firma Fortinet, udostępniła najnowszą aktualizację FortiManager w wersji 7.4.4. Rozwiązano w niej problem z weryfikacją serwera LDAP za pomocą przeglądarki, który mógł powodować wyświetlanie komunikatu „Błąd operacji”. Ponadto, naprawiono błąd generujący fałszywe raporty o podatnościach dla niektórych punktów dostępowych FortiAP, takich jak U431F i 231F. W wersji 7.4.4 wyeliminowano również problem z brakiem wyświetlania wyników diagnostyki testu okablowania dla urządzeń FortiSwitch, a także informacji o podłączonych urządzeniach na portach oraz statusu aktualizacji rejestracji. Więcej szczegółów znajdziesz w dalszej części artykułu.
Wspierane urządzenia:
| FortiManager | FMG-200F, FMG-200G, FMG-300F, FMG-400G, FMG-410G, FMG-1000F, FMG-1000G, FMG-2000E, FMG-3000F, FMG-3000G, FMG-3100G, FMG-3700F, and FMG-3700G. |
| FortiManager VM | FMG_DOCKER, FMG_VM64, FMG_VM64_ALI, FMG_VM64_AWS, FMG_VM64_AWSOnDemand, FMG_VM64_Azure, FMG_VM64_GCP, FMG_VM64_IBM, FMG_VM64_HV (including Hyper-V 2016, 2019, and 2022), FMG_VM64_KVM, FMG_VM64_OPC, FMG_VM64_XEN (for both Citrix and Open Source Xen). |
Rozwiązane problemy:
AP Manager
| Bug ID | Description |
|---|---|
| 955558 | FortiManager unsets the Protected Management Frame (PMF) setting when the SSID security mode is configured to OWE-enabled in the AP Manager. |
| 1028657 | The captive-portal SSID and its configurations cannot be configured in the GUI. |
| 1029701 | Unsupported channel errors found when importing/creating AP profiles. |
| 1032319 | Importing AP profiles for FortiWiFi models will cause „Unable to assign template” error. |
| 1033105 | When importing the CSV file in the FortiSwitch and AP Manager, all columns show a green checkmark, but clicking „Next” to import is not possible. |
| 1034334 | Channels are not reflected properly for bands in AP Manager and there are missing bands in ADOM 7.4. |
| 1035299 | „Channel 1” under the „Radio-1” is not supported for ADOM 7.0 and 7.2. |
| 1036210 | AP Manager does not display all supported bands for the FortiAP platform. Hence, FortiAP Bands cannot be set on AP Profiles. |
| 1040365 | FortiManager is generating false vulnerability reports for certain FortiAPs: U431F U231F. |
Device Manager
| Bug ID | Description |
|---|---|
| 895994 | When using the „where used” feature in Phase 2 quick mode selector, objects do not appear, and they can be removed. |
| 960538 | FortiZTP AutoLink Device Discovery may get stuck at 10% during the autoLink process (updating device) and subsequently fail. |
| 963025 | When using the static route template, the „SD-WAN Zone” does not appear under the Interface column. |
| 980659 | When adding FortiGates (FWF-80F, FWF-80F-2R-3G4G-DSL, FWF-81F-2R-3G4G-DSL) as model devices, FortiManager may attempt to create a duplicate DHCP server. Consequently, this installation fails due to the duplicate configuration. |
| 1000101 | FortiManager fails to retrieve certificates that were directly imported into the FortiGate. As a result, FortiManager repeatedly attempts to push a CSR, leading to installation status conflicts. |
| 1000686 | HA autolink failure occurs when LAN interfaces do not exist. |
| 1003899 | FortiManager generates a VPN certificate that is not accepted by the FIPS-enabled FortiGate devices. |
| 1019886 | The columns under Network and VPN may become distorted and unreadable after being created. |
| 1021693 | Incorrect time displays on the SDWAN monitor health check status. |
| 1024581 | Unable to create/remove the „DHCP Reservation” widget for managed FortiGates with a configured DHCP server setting. |
| 1026955 | Configuring BGP communities encounters errors due to improper format on the FortiManager. |
| 1029689 | When configuring/modifying BGP settings in the Provisioning Templates, an error message is displayed. |
| 1029746 | There are „carriage return characters” in the downloaded config files from the Device Manager. |
| 1030959 | Unable to install SD-WAN Rule’s hash-mode config changes to managed FortiGates. |
| 1033653 | FortiManager is trying to install and configure „config web-proxy global” on the following FortiGates; this installation fails.
Affected FGTs: Some low-end FGTs have encountered this issue.
|
| 1034355 | When assigning a provisioning template with Admin Settings configuration, FortiManager changes the hostname of the device. |
| 1036235 | Domain field is missing from the advanced options in DHCP. |
| 1039014 | The following error has been observed while doing configuration changes in the FortiGate Global system settings. This issue has been reported after upgrading the FortiManager from 7.2.5 to 7.4.3. „Error : datasrc invalid. object: firewall ssh setting.:caname. detail: Fortinet_SSH_CA. solution: datasrc invalid”. This issue is mostly observed when the multi-vdom feature is enabled on the FortiGates. |
| 1040782 | [Specific to Azure FGT HA Clusters] Installation from FortiManager rewrites the interface IPs on the primary node to match those of the secondary node in an Azure FortiGate A/P HA cluster. |
| 1041440 | Some FortiGates platform (FGT-40F and FGT-60F) do not support the „ip-managed-by-fortiipam” and FortiGate refuses to take the configuration from FortiManager; hence users will be experiencing the install error. |
| 1050126 | Setting up a FortiGate-HA with ZTP fails because the FortiLink is not deleted during the „HA config pushed to FGT” process. |
| 1063835 | FortiManager ZTP installation to FortiGate versions 7.2.8 and lower may fail due to differing default „ssh-kex-algo” settings between FortiManager and FortiGate. |
FortiSwitch Manager
| Bug ID | Description |
|---|---|
| 1040428 | FortiSwitch diagnostics tools do not display the cable test diagnose results, device information on Ports, and update Registration status. |
| 1053220 | Unable to delete FortiSwitches when central management is enabled for FortiSwitch.
Workaround: Removing the FortiSwitch on FortiGate and retrieve on the FortiManager. |
Global ADOM
| Bug ID | Description |
|---|---|
| 999500 | Unable to configure EMS settings in the Global ADOM. |
| 1005177 | When creating a script to rename the policies on global db policy block by taking their IDs, the error „[Policy id space out of range]” can be seen. |
Others
| Bug ID | Description |
|---|---|
| 983359 | The „40F-3G-4G LTE” modem is not listed on the FortiManager’s Extender Manager. |
| 988422 | The installation fails to FortiProxys when FortiManager attempts to set the firewall address object with the associated-interface value of „any”. FortiProxy does not support the „any” value key. |
| 993924 | „Application fmgd” keeps crashing when accessing SDWAN monitor page. |
| 995459 | Not able to fix and delete the „duplicate ADOM root node” objects after running the „cdb upgrade” command. |
| 1001748 | FortiManager does not display data usage for the FortiExtenders under the Extender Manager. |
| 1015890 | Unable to upgrade ADOM from v6.4 to v7.0 due to „switch-controller traffic-policy” error. |
| 1020787 | ZTP Enforce firmware version does not upgrade the secondary cluster member. |
| 1032350 | FortiManager fails to download Install preview log because the button is greyed out (for both policy package and device setting & device setting only installations). |
| 1034511 | Unable to upgrade ADOM from v7.2 to v7.4 due to a crash occurring with the assigned FortiSwitch template. |
| 1035552 | FortiManager’s GUI may crash when users are navigating through DHCP Monitor (Device Manager > Managed Fortigate > Dashboard: Network Monitors). |
| 1036901 | The „Export” button does not function when attempting to export the Security Rating Report under Fabric View. |
| 1047184 | When the „Allow FortiToken Mobile push notification” policy is enabled in the FortiAuthenticator, the „Token Code” field is not displayed on the FortiManager’s GUI login page for manual insertion of the token. It should be noted, the token is received on the phone, and the login completes successfully. |
| 1050556 | Unable to fix „adom-integrity” error using „diagnose cdb upgrade” command. |
| 1055036 | Using Firmware Templates for scheduled upgrades may cause the „fwmsvrd” application daemon to crash. |
| 1055417 | Unable to upgrade the firmware version of the FortiGates in HA cluster by using the firmware template when HA is in-sync status. The failure to upgrade FortiGate HA cluster firmware is caused by a crash in „dmserver” daemon. |
| 1062128 | After upgrading to the latest available build, the FortiManager GUI displays the warning message: „A new firmware version is available”. |
Policy and Objects
| Bug ID | Description |
|---|---|
| 843716 | FortiManager tries to unset url-map for TCP forwarding ZTNA virtual server. |
| 897470 | When running the „Policy Check”, FortiManager occasionally incorrectly marks policies as shadowed. |
| 963536 | The policy package feature „Export to Excel” is not functioning. |
| 970056 | The policy installation fails when FortiManager attempts to apply changes related to the „management address” on the interface of the FortiGates. |
| 971610 | FortiManager does not able to import the Central SNAT, DNAT, DOS, local-in and traffic shaping policies. |
| 981694 | When „NAC Policy” rules are created and the „Install On” option is set to specific FortiGates, the rules are still pushed to all FortiGates listed under „Installation Targets”. This results in policy installation failures on other devices, as some FortiGates might not support NAC Policy settings. |
| 998238 | Unable to delete some Object Addresses due to the invalid policy nodes and references. |
| 998850 | Modification to Policy with install target does not update the policy package status. |
| 1001027 | If using Static Route template, FortiManager may become unresponsive when trying to install multiple devices simultaneously. |
| 1004056 | The installation may encounter an error related to Syntax support for the „ssh-enc-algo” command. |
| 1004929 | FortiManager removes the Web Filter Profile from the Profile Group for Policy-Based FortiGates. |
| 1005161 | The policy package status changes for all devices even when an address object is opened and saved without any modifications. This issue is particularly observed in objects utilizing the per-device mapping feature. |
| 1013434 | Unable to add VIP/VIP group in the destination address field of policies, as they are not visible when trying to add them in ADOM 6.4. |
| 1013948 | After upgrading to FortiManager versions 7.2.5 or 7.4.3, the installation preview may hang. However, the installation process itself can be completed successfully. |
| 1013990 | There are no commands available for installing source or destination interfaces when adding them to a firewall policy or SNAT rule. |
| 1014035 | Video filter profile config is not getting pushed completely from FortiManager to FortiGate. |
| 1033126 | When „private-data-encryption” is enabled globally on the FortiManager, the installation fails when attempting to change the local/LDAP/RADIUS passwords. |
| 1034754 | Policy installation might fail for v7.4.4 FortiGates when the „system interface” and „system router” configurations are applied via the CLI template and assigned to them. |
| 1040160 | When installing policy to a FortiGate that uses FortiSandbox inline scanning on an AV profile, FortiManager unsets the configuration on install. |
| 1068736 | Best Quality SDWAN rules installation may fail with the following error message: „Commit failed: Bad health check name”. |
| 1070800 | FortiManager is attempting to install the „cli-cmd-audit” command on a FortiGate (FortiGate-101E and FortiGate-2000E) running version 7.2.8, which does not support this command, leading to an installation error. |
| 1029787 | The Firewall Policy pane in the FortiManager GUI may occasionally display both „Standard Security Profiles” (SSL no-inspection and protocol default profiles) and „Security Profile Groups” simultaneously. |
| 1037357 | FortiManager displays error when viewing policy consistency check results. |
| 1040107 | Unable to install the Type of Service (ToS) and ToS-mask configuration from FortiManager to FortiGates. |
| 1026986 | Firewall address show inconsistency result or not displaying correct objects on different GUI page |
| 1039766 | The Firewall Policy Lookup feature does not display the list of source interfaces for FortiGates. |
| 1046002 | Policy Package status does not display „unknown” status immediately following retrieve. |
| 1066617 | Unable to create the IP address object type wildcard, the following error message is displayed: „Invalid IP netmask”. |
Revision History
| Bug ID | Description |
|---|---|
| 801614 | FortiManager might display an error message „Failed to create a new revision.” for some FortiGates, when retrieving their configurations. |
System Settings
| Bug ID | Description |
|---|---|
| 1005098 | Verification of the LDAP Server through LDAP Browser may display an „Operation Error” message. |
| 1027547 | In certain cases (currently under investigation), the License Status on FortiManager may be incorrectly displayed as „Expired” despite the license being active in the account. |
| 1034021 | FortiManager does notredirect to SSO login page when „Default Login Page” in SAML SSO is set to „Single-Sign-On”. |
| 1034076 | Admin Profile with no access to provisioning template can view provisioning templates by using direct URLs. |
| 1036112 | The „Time Used”, „Start Time”, and „End Time” data displayed in the Task Monitor do not match. |
| 1040130 | GMT+6 is not visible on the System Settings. |
| 1040377 | Despite unchecking the backup strategy option and receiving the „Setup Complete” message, the „Setup Wizard” continues to display during future logins on the secondary members. |
| 1043581 | Unable to access SD-WAN Widget with only SD-WAN permissions. |
VPN Manager
| Bug ID | Description |
|---|---|
| 1042701 | The traffic view page for the full mesh does not display the FortiGate and the external gateway. |
Common Vulnerabilities and Exposures
Visit https://fortiguard.com/psirt for more information.
| Bug ID | CVE references |
|---|---|
| 1051914 | FortiManager 7.4.4 is no longer vulnerable to the following CVE Reference:
|
Notatki producenta: FortiManager 7.4.4
Pozdrawiamy,
Zespół B&B
Bezpieczeństwo w biznesie