Managing multiple Fortinet devices at once? Fortinet has just released a software update for FortiManager, version 6.2.0! Besides fixing bugs known from the previous release, the vendor has implemented a number of new features in this version, described below:
What's new in FortiManager 6.2.0:
- Expanding Fabric
- Fabric Connectors
- SD-WAN
- Multi-Cloud
- Compliance
- Usability
- Consolidated Firewall Mode
- IPv6 Address Template
- Policy and Route Lookup
- Policy Blocks
- Promote Objects (LOCAL > GLOBAL)
- Address Icon/Tile View
- Improve RADIUS Setup
- Device Manager Map View
- Clone Reverse Policy
- Admin Preference – Policy Package Cookie
- Upgrade Path Enforcement for Managed FortiGates
- Spanish UI
- Other
Resolved issues:
Bug ID | Description |
---|---|
356454 | The Central SSL-VPN or SSL-VPN query unexpectedly shows users from all VDOMs that are managed in another ADOM. |
411314 | The diagnose cdb check adom-integrity command cannot recover ADOM with address name that has a leading or trailing space. |
417358 | Search result is lost after editing an object. |
434611 | Policy check should detect policies with "none" objects and report them as a specific category under Policy Consistency Check. |
436774 | FortiManager is missing permission settings when managing FortiAnalyzer. |
443240 | HA-status changes to standalone from ELBC cluster when making changes to FortiGuard server setting directly on FortiGate. |
474245 | The "set disk-usage log" command should not be installed for devices with log disk. |
478257 | VPN Manager should filter out invalid interfaces for the default VPN interface. |
486445 | Scheduled TCL scripts fail when executed against a single device, multiple devices, or a Device Group. |
489373 | Passwords should allow special characters on certificate templates in FortiManager. |
489817 | exec device replace fails when the target serial number already exists in database as an unregistered device. |
492088 | FortiManager attempts to change Chassis ID on FortiGate 7000 series when installing configuration. |
496827 | Unable to delete the LDAP server, if the user group is deleted before removing the LDAP members. |
497179 | The Monitor in the VPN Manager does not respect the units when sorting by incoming or outgoing data. |
498107 | When an address is a member of a dynamic address group, its Where Used results do not say which dynamic group it belongs to. |
500069 | DOS Policy Anomaly configuration settings are missing the Quarantine, Quarantine-Expiry, and Quarantine-Log options. |
500410 | FortiManager GUI should allow configuring Phase 2 Selector Local and Destination addresses with an IPv6 type with subnet, range, IP, or name. |
500697 | Application signature list is either empty or displayed as undefined. |
500991 | There should be a clear error message on why the policy package install failed after reclaimed tunnel. |
501202 | AP Manager Wi-Fi profiles missing LAN ports configuration settings on FortiManager GUI. |
503722 | FortiSwitch Manager and AP Manager reports switches and APs connected to FortiGates as online when the devices are no longer powered on. |
503915 | Users may not be able to change device password via JSON APIs. |
504302 | The IPv4 Split include option for IPSec should be available under the Range assignment mode. |
504962 | When creating new vdom-link from the global interface menu, all the VDOMs should be visible in the management VDOM. |
506163 | Device Manager GUI no longer displays interface zone members following upgrade. |
506697 | Under HA’s port monitor, we should be able to see all port-monitored interfaces, such as aggregated, loop-back, or VLAN interface. |
507044 | FortiManager always overrides the device-level configured parameters to DPD default values, making it impossible to tune DPD settings when using VPN Manager. |
507107 | FortiManager should not unset the switch-controller-igmp-snooping and switch-controller-dhcp-snooping settings. |
508340 | With the ADOM option Perform Policy Check Before Every Install enabled and no changes to install, an install will fail with the Validation Failed message. |
510665 | After an interface is created, the configuration status is not updated. |
511256 | Policy Package status should show as modified after making changes in web filter profile. |
511580 | After upgrade, install may fail on web filtering profile. |
511826 | FortiManager should remove the mandatory requirement of having a hub-to-hub interface when two hubs are defined in a VPN community using VPN Manager. |
512046 | When workspace is enabled, IPv6 session based counters are synchronized with FortiGate. |
513675 | Policy push should not be allowed if another user has the device locked. |
513763 | User should be allowed to change country code in existing or cloned AP profile settings. |
513799 | FortiManager should only display detected rogue APs that are online. |
515541 | FortiManager is not updating the password of FortiGates under managed FortiAnalyzer. |
516158 | FortiManager should not add domain-filter syntax during ADOM upgrade. |
516621 | When a new profile with password/secret field, such as TACACS, Radius, etc., is created, FortiManager populates secret values with a dummy value that is longer than the allowed maximum length. |
517060 | User should be able to change the action for multiple signatures at once. |
517061 | ADOM upgrade may fail when the IPs in FortiSwitch VLAN DHCP server are configured with zero. |
517232 | Invalid Source/Destination "Negate Cell" option for certain policy types and missing "Negate Cell" for IPv4 policy source address. |
517618 | Users should be able to use "Header" type Explicit Policy address as Source Address in Explicit Proxy policies. |
517768 | FortiManager should allow users to create routes with interface that is dedicated to management. |
517874 | FortiManager should be able to use 'US only' FortiGuard servers with any license configuration. |
518148 | The System replacement messages for Manage Images should not be grayed out. |
518680 | IP Pool not imported due to an error while creating mapping failed due to "arp-intf" which is a member of a zone setting in IP pool. |
518708 | When viewing the devices in Device Manager, the list automatically scrolls back to the top for every heartbeat interval. |
518756 | When vdom-netflow is disabled, FortiManager should not push any collector-ip and source-ip settings to FortiGate. |
518949 | When exporting a Policy Package using CSV, it does not include Footer policies. |
518984 | Cluster members should show consistent results in dashboard and device settings. |
519108 | Scheduled Remote CLI Scripts are stuck at 1%. |
519229 | When using workspace mode, modification to device group is not recognized as a change. |
519252 | After FortiManager was upgraded, cloning a policy package changes the package inspection mode. |
519297 | When FortiManager manages FortiGate v5.6 or earlier devices, FortiManager should not support fsso-type group for switch-controller security-policy. |
519487 | FortiGate fails to receive FortiGuard updates from FortiManager when ssl-static-key-ciphers is disabled. |
519495 | Running a script always returns the error, the script is not eligible, even though the actual error may be different. |
520092 | FortiManager should not update any dynamic attributes for SCEP generated objects. |
520548 | It should be possible to close the pop up window and see current number of successful tasks for the policy assignment of a global package. |
520651 | When querying a policy package, FortiManager API’s response may be missing the VDOM information. |
520691 | FortiManager should warn the user in the install wizard if there is an IP address being installed that is 0.0.0.0/0. |
520976 | Revision diff always shows changes with policy package settings. |
521117 | FortiManager should not check for empty service when internet-service is disabled, which may cause copy to fail. |
521379 | FortiManager may disable the reliable option for FortiAnalyzer log settings. |
521649 | Policy counters may not be accurately synchronized with the FortiGate devices. |
521673 | FortiManager does not trigger policy package status to show as modified when LDAP configuration is changed. |
521900 | SD-WAN rule protocol option 'ANY' is not saved on GUI. |
522025 | Under Policy & Objects, the frame column width is reset to default when user refreshes or re-enters the same object list. |
522206 | GTP global tunnel limit is not configurable on FortiManager. |
522310 | Unable to edit Global ADOM DB to change global version from GUI (which will reset Global config). As a workaround, use CLI exec reset adom-settings global or upgrade global version. |
522440 | FortiManager should support the IPS signature syntax,--icmp.type != . |
522713 | ADOM upgrade stuck at 5%. |
522779 | Secured backups fail due to issue with the SSH certificate. |
522828 | FortiManager unsets dhcp-snooping when installing from a 5.4 ADOM. |
523480 | IPS Filter does not include ALL if filtered based on OS. |
523639 | VPN Manager Monitor page stuck loading when an external gateway is defined. |
523705 | In webfilter profile, FortiManager should only allow configuring quota for categories set to monitor, warning, or authenticate. |
523878 | FortiManager should not install the CLIs, system csf {upstream-ip upstream-port group-name group-password} , which are read-only attributes on FGT-6000F. |
524202 | Upgrading Global Database removes all ADOMs from policy package Assignment section. |
524607 | FortiManager should not allow illegal change with ssl-ssh-profile causing installation to fail. |
524752 | IPS custom signature using protocol type ICMP is valid in FortiOS syntax and therefore should be able to import into FortiManager. |
525926 | The Local Users column is always empty even if a token is assigned. |
526002 | When having multiple hosts within an SNMP community, it’s not possible to edit a host and change the status of HA-direct. |
526287 | Policy install may be stuck at 67%. |
526642 | Some SMTP/splice options under firewall profile-protocol options cannot be disabled. |
526934 | Web UI should not enable HTTP access under Interface Settings when a user views interface settings. |
526938 | Searching an IP address in interface list should show the interface and the zone in which the interface is a member of. |
527140 | FortiManager is unable to add multiple DHCP Relay Servers from the Device Manager System Interface Menu. |
527407 | Users may not be able to change the FortiGate HA management interface IP. |
528633 | IS-IS interfaces cannot be deleted from GUI. |
528916 | Users may not be able to upgrade ADOM after ADOM name has been changed. |
528931 | FOS-VM may be getting invalid license from FMGR-VM-Meter. |
528938 | FortiManager does not allow users to manually set SD-WAN member sequence ID. |
528977 | FortiGuard 7000 Service Status shows slave chassis with serial number instead of host name. |
529036 | VPN Manager should not show the options for main and aggressive mode when IKEv2 is selected. |
529475 | Webfilter and Application profiles are not available in the FortiClient profile GUI. |
529480 | Policy look-up can only list policy package installation target device but not device group member. |
530207 | Installing configuration after fail-over in cluster causes installation fail because of difference in management-ip. |
530249 | Policies that are Last Modified matched by actual traffic always shows recently modified by 'admin' even if the default admin user is not present in the FortiManager configuration. |
530376 | Users are unable to select Schedule Object for SSID in AP Manager. |
530735 | FortiManager may not be able to configure a full-mesh VPN among FortiGates with multi-VDOMs. |
530749 | FortiManager is unable to import policy configuration from devices with a long VDOM name. |
530792 | When configuring Per-Device Mappings for Real Servers, mode is missing and users cannot create multiple real servers. |
530837 | Users should not be allowed to delete default meta fields. |
531508 | When trying to add a new gateway from VPN Manager, FortiManager returns an error peer invalid value. |
531573 | FortiManager is not able to set Type of Service field for SD-WAN service. |
531610 | FortiManager is showing Create New option under script even though ADOM is not locked. |
531645 | FortiManager should be able to configure dynamic mappings for SD-WAN via a script. |
531813 | With Safari, there are two issues when a user is editing a device group: there are two scroll bars in the Edit Device Group window, and the Edit Device Group window size cannot be changed. |
531963 | SSL/SSH Profile should not allow the user to enable "Allow Invalid SSL Certificates" when Inspection mode is "SSL Certificate Inspection". |
532075 | When editing comment/description, FortiManager may display the slash character, /, as #x2F. |
532275 | Within the System Admin Profile, users may not be able to change access control due to JavaScript errors. |
532488 | Bytes/Hit/packet count should not be a parameter to consider in the diff as these are not part of the configuration. |
532721 | Once a Local ID value is configured for a VPN Node within VPN Manager, it can no longer be removed. |
532943 | FortiGate’s system time is now shown on FortiManager when timezone index is set at 79, 80, or 83. |
533141 | Retrieving configuration under Workspace mode does not allow further changes under AP manager. |
533857 | FortiManager is unable to automatically register devices via Pre-Shared Key method if a revision is imported prior to registering the devices. |
534559 | Editing WiFi interface which is a zone member should not enable block intra-zone traffic. |
534784 | FSSO Agent with option "Select FSSO groups via FortiGate" does not work if the policy has no pending changes. |
534784 | Adding section for traffic shaping policies causes runtime error. |
534927 | When there is a dynamic interface and a multicast interface that has the same name within a policy package, the install wizard was not able to create dynamic mappings. |
535170 | FortiManager does not accept FQDN address configuration containing the _ character. |
535525 | Dynamic/Dial-up Type IPSec Tunnel Interface cannot be added as an SD-WAN member. |
535621 | Retrieving or importing configuration revision fails if configuration contains a large number of CRLs. |
535743 | Downstream FortiManager does not update signature until changing the schedule setting in the second tier FortiManager’s FDN. |
536043 | When ADOM is locked, FortiManager may display incorrect values or configurations from some objects or policies. |
536805 | Install fails for DoS policy quarantine-expiry. |
537135 | There is no GUI validation when an invalid subnet mask is used as destination for a Static Route. |
537236 | LDAP query failure over slow satellite connection. |
537752 | FortiManager tries to add full scan options while using quick scan in default AV profile. |
537775 | Proxy policy should not allow empty source address. |
538029 | Occasionally, duplicate sequence number may appear in some policy packages. |
539184 | FortiManager should not install forward-error-correction on VLANs. |
539998 | Install fails when deny rule contains DNS filter profile. |
540065 | FortiManager should be able to display CA certificate under 6.0 ADOM. |
540095 | Scheduled TCL Script intermittently fails to run on the scheduled time after upgrade. |
540936 | Remote wildcard users break user profile access to workflow sessions. |
542823 | Script fails to set accprofile on device database. |
543567 | FortiManager does not install new certificate obtained from FortiAuthenticator. |
545457 | AP Manager may not be able to show map. |
545480 | When attempting to remove a VDOM from a FortiGate by running a script, the script fails unexpectedly and the VDOM is not deleted. |
547740 | When FortiManager is running in workspace mode, FortiManager may unexpectedly delete firewall policy. |
Known issues:
Bug ID | Description |
---|---|
544042 | FortiManager 6.2.0 GA does not support upgrading 6.0 ADOM to 6.2 or 6.0 ADOM policy package installation to FortiGate 6.2.0. |
546131 | Importing SDN Connector fails within Global ADOM. |
546246 | Restore ADOM revision does not restore removed installation targets. |
546303 | Install fails when FortiManager sets VDOM mode to no-vdom. |
546656 | Import Azure SDN fails if subscription ID is not configured. |
547173 | FortiManager cannot install allow-routing for VLAN generated address. |
547854 | FortiManager cannot manage shaping profiles with the same name from multiple FortiGate. |
548131 | VAP interface page cannot show interface IP and SSID configuration. |
548136 | SSID configuration change cannot trigger install. |
548350 | After enabling Split-task VDOM, installing vdom-property fails for snmp-index . |
548416 | Changes on Existing Static Route do not show up on Installation Preview. |
548442 | Administrator with read-only profile can restart and upgrade FortiAP and FortiSwitch firmware. |
548682 | FortiManager generates invalid application override configuration for application profile. |
548976 | Unauthorized device alert directs to a page showing duplicate devices. |
549023 | FortiManager fails to set allowaccess on VWP interface. |
549043 | FortiManager cannot render the Virtual Wire Pair entry properly after editing an interface. |
549065 | Default AP profile shows incorrect country name. |
549113 | In the case that FortiGate is in NGFW policy-based mode, URL/Application control profiles should not be visible on FortiManager side. |
549175 | FortiManager does not install active directory group filter changes to FortiGate. |
549207 | Import Wizard fails to create dynamic mapping for Address, VIP, or IP Pool object or group if name has more than 63 characters. |
549260 | When enabling Split-task VDOM by script, installation fails as it tries to delete global certificate in the FG-Traffic VDOM. |
549287 | FortiManager is missing application category selection on traffic shaping policy page. |
549293 | FortiManager loses customization on the application and filter override page. |
549384 | FortiManager cannot show any query when FortiGate has CSF enabled but the CSF group is not established on FortiManager. |
549449 | Creating FortiSwitch template using the Import feature does not link the template to the FortiSwitch. |
549483 | When editing Application and Filter Overrides action to Allow or Monitor, FortiManager always shows that action as Traffic Shaping. |
549504 | Wildcard remote admin cannot run schedule install. |
549546 | If an address group contains many addresses, user cannot hover the number icon to view the address members. |
549566 | Device Manager does not show a FortiGate in a CSF group when the FortiGate is connected to the root FortiGate’s FG-Traffic VDOM. |
549587 | All the FortiSwitch ports are incorrectly displayed as POE enabled. |
549638 | MAC address Access control list entries under DHCP server get duplicated on editing the other entries. |
549693 | ADOM revision diff on a large database may take hours. |
549776 | Installing DLP sensor to FortiGate fails when setting full-archive-proto . |
549818 | FortiManager cannot display external resource setting on consolidated policy list. |
549824 | Consolidated policy page is missing external resource as data source. |
549827 | FortiManager failed to retrieve aes128gcm-prfsha encryption from FortiGate. |
549851 | Deleted APs are still shown in AP Manager’s Floor Map. |
550015 | FortiManager can communicate with mail server with secure option enabled. |
550078 | When defining a SSID, some security modes are missing: wpa3-sae , wpa3-sae-transition , and owe . |
550105 | FortiManager may not be able to change interface mapping of a zone via Device Manager. |
550127 | Threat Feeds types are not displayed consistently in Policy Objects and Fabric View. |
550140 | The fmupdate fds-settings and system-support-fgt configurations are lost if version 5.4 is configured prior to upgrade. |
550141 | With 6.2 ADOM, FortiGate installation purges devices on FortiGate. |
550157 | Assigned AP profile is not shown while editing APs from Map View. |
550161 | Under per-device management, managed AP status information is missing in Map View. |
550237 | Administrator with read-only profile can add Detected Device in Device Manager. |
550239 | The aes256cisco entry is missing for the priv-proto field. |
550344 | FortiManager is unable to import firewall policy due to invalid FQDN error. |
550430 | FortiManager fails to import Azure SDN connector if resource group is configured. |
550441 | After upgrade, verification fails for company-identifier with a DLP sensor. |
550460 | Duplicated default QoS profiles are listed when editing a FortiSwitch template. |
550513 | User cannot change IPsec Phase1 in existing IPsec Phase2 within Device Manager. |
550537 | Installing WAN Optimize proxy policy fails on FortiGate 60E or 80E. |
550546 | FortiManager is unable to retrieve ssl-ssh-profile for ssh-tunnel type Proxy policy. |
550579 | Under IPS Profile, the Rate Based Signatures table can never show any signatures. |
550591 | After upgrade, user cannot edit VPN table with the error: invalid value-prop[dpd]: option (enable). |
550629 | Search in Floor Map’s edit mode may not return proper results. |
550691 | Installation fails when changing tag type with Email Filter profile. |
550809 | FortiManager cannot set defined value on segment with IPv6 template address. |
550821 | Users may not be able to change revision history comments. |
550926 | AP Manager cannot delete SSID from FortiGate when the SSID is no longer in use. |
550949 | FortiManager cannot list FortiClient images. |
551091 | FortiManager is unable to bring up IPSec tunnel between FortiGates if the certificates are generated by FortiManager. |
551154 | Under per-device management, advanced options are kept loading when creating SD-WAN performance SLA. |
551180 | FortiManager may not be able to change some local categories within Web Filter profile to disable. |
551200 | FortiManager cannot select any internet service group on SD-WAN rules within Device Manager. |
551231 | Under per-device management, editing a SD-WAN rule generates duplicate entry. |
FortiManager 6.2.0 Release Notes
Best regards,
The B&B Team
Security in business