Another product from the Fortinet stable joins the group running version 6.2.1! Fortinet has published a new software release for FortiManager, numbered 6.2.1. The new release patches a critical vulnerability that we mentioned here. It also fixes other bugs, which you can read more about below or in the vendor's release notes!
Resolved issues:
Bug ID | Description |
---|---|
460615 | FortiManager should adjust Radius configuration on SSID when renaming a Radius server. |
482441 | VPN Phase 2 Address Selector is not updated when Named Address is updated in Policy and Objects. |
500037 | FortiToken provision does not work. |
500922 | When renaming a local certificate in Device Manager, the related dynamic mapping is not updated. |
508020 | Web & IPS conflict information is not visible while importing Policy Package. |
513317 | FortiManager may fail to install policy after FortiGate failover on Azure. |
523208 | FortiManager may try to unset category for user device when installing policy package. |
523228 | Search in zone does not work after upgrade. |
524684 | API request returns all the devices even when the user does not have access to other ADOMs. |
529771 | Upgrading ADOM may be very time consuming. |
531162 | FortiManager may try to push unexpected changes after ADOM upgrade. |
533603 | Policy hit count needs to support proxy policy. |
533835 | After upgrade, the URL, pm/pkg/adom/<adom_name>/<name>/scope member, returns the error: The data is invalid for selected url. |
534220 | Users cannot add entries for per device mapping with existing VIP group when a VIP binds to a port that is part of SD-WAN. |
534468 | Vulnerability scan should not disrupt HA or trigger re-synchronization. |
534847 | CLI Script fails to change config system auto-update schedule settings with invalid value error. |
535521 | Encrypt Log Transmission for FortiAnalyzer is not properly configured within Device Manager. |
536113 | AP Manager is still trying to 'unset wtp-mode remote' when the option is configured on FortiGate. |
538915 | Firmware version is not displayed on NOC – SOC page. |
538934 | When configuration file is large, installing to device may delete configuration on FortiGate. |
540657 | There is an ordering issue on admin users where multiple wildcard users are configured on the same server. |
540684 | Verification fails after moving VDOM across vclusters from FortiGate GUI followed by an auto-update. |
541157 | GUI should support proxy address. |
541880 | The dmserver daemon may crash when installing to multiple devices and CPU usage reaches 100%. |
542024 | 'Where Used' may not point to the entity using the object. |
543133 | Global user groups are not listed when creating an SSID in Per-Device AP management mode. |
543734 | Key Type specified as elliptic curve is not functional when generating a CSR. |
544121 | Installation log is missing due to dpm-logsize limited to 10 MB. |
544142 | Installation fails due to DNS server "SameasInterfaceIP" option inside device interface configuration. |
544580 | Two SSL-SSH profiles added by FortiManager may cause installation issues. |
544880 | FortiManager should not allow adding loopback interface to a zone. |
544886 | When importing device list of multiple model devices with PSKs, FortiManager prompts the error, "Serial number already in use". |
545143 | Adding wildcard FQDN for SSL inspection exemption list from FortiManager fails. |
546340 | If a script is used to update SNMP passwords with "?" character, the installation fails during validation. |
547361 | AP Profile in AP Manager offers redundant options for specific AP models which can lead to failed installation. |
548320 | User should be able to create a FortiGate admin account with Restricted Administrator to Guest Account Provisioning Only option selected with VDOM(s) guest group(s). |
548416 | Changes on Existing Static Route are not displayed on Installation Preview. |
549159 | FortiManager may have a memory leak when running copy & install with a sub-admin. |
549638 | MAC address Access Control List entries under DHCP server get duplicated when editing an entry. |
549647 | It is possible to cause a DoS for remote user authentication by trying to login with a password of specific length. |
550237 | Read-only admin should not be allowed to add detected devices. |
550239 | System SNMP user is missing the value 'aes256cisco' for the field 'priv-proto'. |
550240 | FortiGuard service event logs should always be generated with an internal FortiManager user. |
550502 | Installing DDoS policies via a CLI script may fail. |
551057 | FortiManager does not give an option to choose RSA4096 and Elliptic Curve algorithms in certificates. |
551072 | Assignment of 'object-tag' from 5.6 Global ADOM to 6.0 ADOM should not fail. |
551077 | FortiManager may not be able to import policies from FortiGate SLBC. |
551096 | FortiMeter Program License is expired and it is displayed as FREZ even though FortiGate Traffic is still passing. |
551392 | A failed retrieve operation may result in empty device configuration. |
551701 | FortiManager is unable to set OSPF Interface Network Type as P2MP. |
552069 | FortiManager may fail to install local certificate on FortiGate and private key is missing after saving the configuration. |
552192 | The fmgd daemon may crash after upgrading FortiManager. |
552991 | FortiManager prompts Runtime Error when trying to import an AP profile that has a SSID with space character. |
553491 | Enabling or disabling multiple interfaces should be allowed in Device Manager. |
553704 | FortiManager may be stuck at loading when using the "Find Duplicate Objects" function. |
554092 | FortiManager is unable to use interface member of a zone as Source Interface filter for VIP object. |
554094 | FortiManager may not be able to upgrade ADOM from 5.4 to 5.6 with the error, "Fail(errno=0):invalid value". |
554154 | FortiManager should be able to select multiple FortiExtenders for upgrade from the Extender Tab. |
554608 | FortiManager should be able to save longer description for SD-WAN template. |
554857 | Policy package does not go out-of-sync after VPN manager is enabled. |
555635 | Certificate is not visible on GUI after restoring the configuration which was exported from FortiManager. |
555796 | Installing policy on 6K series FortiGate may remove the interface setting "set forward-error-correction rs-fec". |
556609 | When user wants to move a policy package to a different folder, the pop-up window does not list folders in alphabetical order. |
557355 | FortiManager may not connect to Fortiguard when fds-ssl-protocol is set to either tlsv1.1 or tlsv1.2. |
558781 | GUI response is slow with a large number of address objects. |
559104 | Incorrect ADOM name may be displayed in where Used. |
559112 | FortiManager may not be able to edit a proxy policy that was inserted above or below. |
559751 | Duplicated ##seq appears in policy packages and they cannot be fixed with diagnose command. |
559844 | FortiManager may not be able to set client-idle-timeout to 0 in device database. |
560410 | FortiManager may not accept the Log FortiAnalyzer setting without FortiAnalyzer serial number. |
560694 | If hitcount is updated while ADOM is locked, policies matched by traffic are highlighted as modified. |
561033 | SD-WAN Bandwidth Overview widget may not display the correct data. |
561279 | The newcli process may crash when running the "diagnose cdb upgrade check +all" command. |
562160 | FortiManager should be able to create dynamic mapping for object-tagging category. |
563169 | When user changes webfilter settings, username in last modified column should always be updated. |
565016 | The exchange-interface-ip should be available in VPN Manager. |
565436 | After FortiManager processed many auto-update requests, FortiManager may not be able to create a new revision. |
565970 | One specific unused adgrp is getting pushed to FortiGate that does not use FSSO anywhere. |
566912 | FortiManager should support firmware upgrade for FortiExtender 200 series. |
Common Vulnerabilities and Exposures
Visit https://fortiguard.com/psirt for more information.
Vulnerability |
---|
FortiManager 6.2.1 is no longer vulnerable to the issue described in the following link – https://fortiguard.com/psirt/FG-IR-19-144. |
Known issues:
Bug ID | Description |
---|---|
546246 | Restore ADOM revision does not restore removed installation targets. |
547854 | FortiManager cannot manage shaping profiles with the same name from multiple FortiGate. |
548976 | Unauthorized device alert directs to a page showing duplicate devices. |
549113 | In the case that FortiGate is in NGFW policy-based mode, URL/Application control profiles should not be visible on FortiManager side. |
549175 | FortiManager does not install active directory group filter changes to FortiGate. |
549384 | FortiManager cannot show any query when FortiGate has CSF enabled but the CSF group is not established on FortiManager. |
549504 | Wildcard remote admin cannot run schedule install. |
549546 | If an address group contains many addresses, user cannot hover the number icon to view the address members. |
549566 | Device Manager does not show a FortiGate in a CSF group when the FortiGate is connected to the root FortiGate’s FG-Traffic VDOM. |
549587 | All the FortiSwitch ports are incorrectly displayed as POE enabled. |
549818 | FortiManager cannot display external resource setting on consolidated policy list. |
549824 | Consolidated policy page is missing external resource as data source. |
550015 | FortiManager can communicate with mail server with secure option enabled. |
550157 | Assigned AP profile is not shown while editing APs from Map View. |
550161 | Under per-device management, managed AP status information is missing in Map View. |
550344 | FortiManager is unable to import firewall policy due to invalid FQDN error. |
550441 | After upgrade, verification fails for company-identifier with a DLP sensor. |
550460 | Duplicated default QoS profiles are listed when editing a FortiSwitch template. |
551231 | Under per-device management, editing a SD-WAN rule generates duplicate entry. |
552403 | FortiManager does not reflect the negation of either source or destination fields. |
554892 | Internet Service Groups need to be filtered by direction. |
556967 | Re-Install policy may hang when a Security Fabric cluster is selected. |
561008 | Second IP in central-management may be removed by master FortiManager on re-connection. |
561262 | Users cannot use question mark in CLI while setting password for an admin user. |
561481 | Under Device Manager, VPN IPsec phase2 should not allow user to save settings if phase 1 name is not set. |
562041 | Import with AP Manager cannot create dynamic mapping for SSIDs. |
563373 | FortiManager may not be able to add FortiGate VM FNDN. |
563606 | Authorizing or de-authorizing a FortiSwitch may not work. |
563689 | Import All Objects fails when security policy is defined for FortiSwitch. |
564497 | Installing policy package will delete host-check-software after FortiManager and FortiGate are upgraded to 6.2.1. |
564959 | Creating a new neighbor should only list not-configured neighbors. |
565138 | Installation to FortiGate failed for passphrase and password when private-data-encryption was enabled. |
565636 | The global address, gall, may trigger FortiManager to display validation error. |
565751 | FortiSwitch Manager may not be able to select multiple FortiSwitch for upgrade. |
565772 | When adding a black hole route with Named Address option, it fails with the error message. |
566034 | JSON API or GUI does not work when user is restricted to a Policy package. |
566298 | Device Manager may not be able to add member to an empty aggregate interface. |
566346 | SD-WAN rules lack a way to add Internet Service, Custom Internet, Application groups, and Custom Internet Service. |
566409 | When an object contains 79 characters, tool-tip with mouse over cannot properly show the object name. |
566947 | FortiManager should not allow users to configure ICAP profile and WAF profile under flow-based policy. |
567534 | Editing or importing email filter profile protocol may append an extra ":" to the end of tag-msg causing installation to fail. |
568626 | Users can only modify the order of DNS forwarder if the IP addresses are in quotes ("") and when the IP addresses are not separated by comma. |
568631 | Per-Device Mapping for FortiAP SSID in Bridge mode is incorrect. |
568955 | Installation may fail for consolidated policy after changed package to profile mode. |
568988 | Users may not be able to create access-list entries with IPv6 format based subnet mask or wild card. |
569066 | FortiSwitch manager does not display FortiSwitch online status correctly. |
569253 | The Managed APs summary page may not properly display assigned SSID. |
569266 | FortiManager may not turn off the "Schedule background scan disable" option within the WIDS profile. |
569306 | FortiManager may fail to edit the property of a VDOM when there are more than 50 VDOMs on a 7000 series FortiGate unit. |
569515 | SD-WAN Monitor map view should have ability to drill down into individual details. |
570220 | FortiManager may not list upgrade images for 6000 or 7000 series of FortiGate units. |
Best regards,
The B&B Team
Bezpieczeństwo w biznesie