Another product from the Fortinet stable joins the group running version 6.2.2! Fortinet has released a new firmware version for FortiManager, numbered 6.2.2. What is new in this version is that FortiManager now supports the VMware NSX-T connector, which allows it to pull groups from the NSX-T manager and store them as dynamic address objects, and FortiGate can connect to FortiManager to receive these objects. In addition, bugs found in the previous firmware version have been fixed! More in the article!
What's new in 6.2.2:
- FortiManager supports VMware NSX-T connectors.
The vendor provides documentation with an overview of the steps required to configure the VMware NSX-T connector:
https://docs.fortinet.com/document/fortimanager/6.2.2/new-features/453532/vmware-nsx-t-connector
Resolved issues:
Bug ID | Description |
---|---|
412143 | Renaming user in policy objects does not update SSLVPN portal mapped user. |
494367 | Users cannot search address in policy where the address is a part of a nested group. |
500037 | FortiToken provision may not work. |
502967 | FortiManager attempts to push the incorrect VWP name to certain VDOMs when a FortiGate has multiple VDOMs with VWPs configured and the VWP uses the same dynamic interface. |
521904 | Policy and Object’s folders do not reflect policy package status. |
522284 | Access Point templates still have 5GHz channels that are not valid. |
529051 | Map to Policy Interface & Scan outgoing connection to Botnet Sites disappears in v6.0.3 when running FortiManager in workflow mode. |
529770 | Policy package integrity check provides no clarification on intended database changes. |
530717 | Under Policy & Objects > Policy Package > right click > add address in policy, the page is stuck on loading with Microsoft Edge. |
531585 | A Proxy policy’s source address field should display all address objects in the search list despite the interface binding defined for the addresses. |
536078 | Device Manager’s System->Virtual Domain cannot display more than 50 VDOMs. |
537312 | Event logs should not have the userfrom field when an internal process triggers the log. |
537338 | Policy & Objects created time and last modified timestamp reset after ADOM upgrade. |
539137 | User may not be able to access to FortiManager using IPv6 address even if user sets IPv6 allow access on HTTPS and HTTP. |
539196 | FortiManager should not show FortiGuard subscription status Expired if a trial license is expired. |
539928 | Objects used in SD-WAN rules show as not in use in address list. |
540034 | There may be repetitive fmgd crashes in FortiManager crash log. |
544012 | Missing DHCP mode in per-device mapping for FortiSwitch VLAN interface. |
544597 | VLAN interface is not available for EMAC VLAN on Device Manager > System > Interfaces. |
546334 | Dynamic interface is not visible in policies until web page refreshes. |
547007 | FortiManager may incorrectly show that a script finishes running. |
547052 | FortiManager GUI should not allow creating Security Profiles without any SSL/SSH Inspection Profile defined. |
548027 | After FortiGate upgrades, verification may fail on “set nat enabled” if “set central-nat enable” is configured. |
548034 | System Settings’ LDAP may not work with nested directory groups. |
549932 | FortiManager cannot use FQDN as Proxy address. |
551566 | Device Detection and its related settings are not available in SSID Central Management. |
552222 | When running "cdb check policy-packages", FortiManager prompts central fap object not found errors. |
552403 | FortiManager does not reflect SD-WAN Template rule has negated source or destination. |
553860 | Hub-to-Hub IPsec Phase1 interface installation uses remote-gw as the interface IP even though a public IP is defined under the Advanced section. |
553912 | FortiManager should hide the Quick Mode Selector setting if mode-cfg enabled. |
554325 | When creating an administrator with remote user group within Device Manager, it may prompt the error: "The remote-group "tacgroup" is not in admin user's vdom." |
554901 | EU country ID is available in FortiManager but is not part of latest geographical database. |
555175 | Users may mistakenly configure FortiManager to run a script against a group of targets when targeting a single device. |
556985 | FortiManager prompts an unclear message when the device configuration file is not found. |
557471 | FortiManager should prompt the list of firmware images for FortiGate 6000 and 7000 series. |
559009 | FortiManager should allow users to select SD-WAN interface on IPv6 policy. |
561008 | Second IP in central management removed by master FortiManager on re-connection. |
561946 | Upgrading FortiManager may fail due to incorrect limit for user adgrp. |
563918 | FortiManager should prompt more clear error when ADOM upgrade fails. |
564182 | FortiManager should always respond with "invalid VDOM name" when accessing FortiManager with incorrect hyperlinks. |
564202 | Policy package cannot export to excel when there is more than 20,000 policies. |
564625 | Re-importing a policy package may result in changing policy package status to "modified". |
564937 | FortiManager allows users not to set device type when creating a user device resulting in install failure. |
565636 | FortiManager may prompt verification error on Global ADOM’s gall address. |
565772 | User may not be able to add a black hole route. |
566138 | FortiManager may not correctly install Application Control configurations. |
566310 | FortiManager is unable to push or change GeoIP override country code to FortiGate. |
566390 | Policy installation may fail due to FortiGuard certifications. |
567514 | Multiple policies may be deleted by accident if they are still selected in the background from the previous filtered result. |
567770 | Install custom internet service to FortiGate fails when None is selected for Master Service ID. |
568626 | FortiManager can only modify the order of DNS forwarders if the IP addresses are in quotes ("") and are not separated by commas. |
568988 | FortiManager is unable to create access list entries with IPv4 format based subnet mask or wild card entries. |
569188 | After upgrade, installation may fail on VPN configurations. |
569468 | Firmware version value may be incorrect in device list after upgrade. |
569551 | FortiManager should be able to save quotas within web filter profile. |
569945 | When editing a policy, Select All objects may not work when there is no object selected on a field. |
569952 | FortiSwitch Templates incorrectly set mac-addr values to all zeros for all interfaces. |
570109 | FortiManager cannot configure fail-detect-option in interface’s advanced options. |
570936 | AP Manager is pushing incorrect syntax for FAPU24JEV wtp-profile causing installation failure. |
571164 | VPN Manager has problem adding secondary WAN interface from a hub in star community. |
571203 | Changing interface order in SD-WAN SLA rule does not result in configuration push. |
571722 | AP Manager should hide WIDE profiles if they cannot be used in certain modes. |
572191 | Users are unable to remove ADOM when ADOM is set as a FortiAnalyzer ADOM. |
572283 | Policy hit counts may always show zero for FortiGate 7000 series. |
572544 | When creating a Managed AP, FortiManager should properly save the “Name” and “AP Profile” fields, and it should not accept FAP’s serial number with lower cases. |
572756 | The upgrade schedule status should correctly display for all the selected devices. |
573221 | FortiManager should be able to use default Replacement Message Group in policy package. |
573250 | Find Duplicate Objects may show inaccurate results. |
573710 | FortiManager should not use the unused user group after the portal type is changed from "Authentication" to "Disclaimer Only". |
574148 | Upgrading ADOM from v6.0 to v6.2 may fail due to “replacement message-Web Proxy authorization fail”. |
574548 | Upgrading ADOM from v5.6 to v6.0 may fail due to VDOM conflict in wtp. |
574826 | FortiManager port negotiation switches to 100 half-duplex mode after a reboot. |
574847 | Global objects in local ADOM should not be editable. |
574988 | CLI only Object cannot create router BGP AS-path list and community list, and prompts the error "entry does not exist". |
575343 | Users are unable to disable the tunnel interface with IP 0.0.0.0 within Device Manager. |
575349 | ADOM address objects override Global objects with the same name if promoted as part of the Address Group. |
575736 | The dhcp-lease-time setting from AP Manager installs under “wireless-controller vap” instead of “system dhcp server”. |
575823 | FortiManager should not allow user to delete extra proposals when SUITE-B PRF is enabled. |
576267 | SSL/SSH inspection profile change does not change all related policy package status to modified. |
576308 | Policy package exported as CSV contains hit count data only for IPv4 but not for IPv6. |
576320 | Policy status of all devices used in VPN Manager changes to "modified" after some unrelated devices are deleted. |
576565 | Creating VXLAN may gradually take more time. |
576841 | FortiSwitch VLAN template should support IPv6 and dynamic mapping of IPv6 address. |
576867 | FortiAnalyzer wipes out NTPv3 authentication related settings after reboot. |
576999 | FortiManager prompts “runtime error -999” when changing setting in IPS profile on Global ADOM. |
577158 | Installation may fail when SSID dynamic interface is renamed. |
577183 | Scripts should be able to modify fsp vlan. |
577463 | Script scheduling should not be affected by the order of configuration. |
577939 | VPN Manager may install different PSKs to gateways. |
577964 | FortiManager should install imported CA certificates to managed FortiGate device. |
578045 | FortiManager is unable to configure OSPF routes with md5 keys via CLI script. |
578622 | Installation may fail when creating FortiLink interface. |
579075 | LDAP admin user may not be able to access FortiManager when there are many LDAP groups. |
579286 | The default value for weight or volume-ratio should not be zero on interfaces. |
579646 | Global Header/Footer policy cannot use Threat Feeds. |
579844 | When a user logs in with remote RADIUS authentication with an assigned VDOM and access profile, FortiManager may not show the installation target devices. |
580486 | Adding ADOM fails with errorCode 102 : "Fail to lock adom Global workspace" when workspace-mode is set to normal. |
580676 | FortiManager may not delete and change a policy and it affects another policy package. |
580951 | LDAP admin user with specific Policy Package Access set should correctly see policy package status and not "Never Installed". |
582685 | Web Filter Profiles with URL filter lists may take a long time to load. |
583010 | Policy Block Name is set as a prefix to the individual Policy name multiple times. |
583467 | FortiManager cannot edit the MTU parameter on an interface in Device Manager. |
583741 | Temporary device revision files may not be deleted. |
Common Vulnerabilities and Exposures
Visit https://fortiguard.com/psirt for more information.
Vulnerability |
---|
FortiManager 6.2.1 is no longer vulnerable to the issue described in the following link – https://fortiguard.com/psirt/FG-IR-19-144. |
Bug ID | Description |
---|---|
542636 | FortiManager 6.2.2 is no longer vulnerable to the following CVE Reference: |
Known issues to be resolved:
Bug ID | Description |
---|---|
574731 | Some hardware specific SNMP traps are missing from the device SNMP settings and the system provisioning templates. |
574841 | Central Management FortiSwitch Template GUI cannot assign VLANs with Microsoft Edge. |
576098 | The event log may not show the correct username. |
576601 | In the FortiGate’s GUI, the VPN Phase2 selectors can be managed separately, which is completely missing in FMG -> VPN Manager -> Monitor. |
576645 | VPN Manager’s dpd-retryinterval range is too small. |
577199 | Import policy package does not add interfaces in dynamic mapping for zone if the zone mapping is already empty. |
577201 | FortiManager should grey out the "Next" button when zone validation occurs during "Re-install Policy". |
577884 | Deleting an unused object may change the policy package status. |
578004 | The policy interface colors are different in Device Manager and Policy & Objects. |
578501 | FortiManager does not show Global Icon for global Objects assigned to ADOMs. |
578929 | The warning message “input must be a number” should be displayed if an unexpected value is entered into “Heart Beat Interval” for HA. |
579563 | Workflow Session List menu seems to always match the first wildcard TACACS admin. |
579573 | FortiManager tries to delete replacemsg-group that is auto-created by adding tunnel SSID. |
580484 | Signature "Apache.Optionsbleed.Scanner" cannot be selected as IPS Signature anymore but only as "Rate based Signature". |
580533 | Saving configuration with an incorrect IP or net mask format does not trigger an error. |
580932 | LVM information may show disk unused. |
581140 | The FmDeviceEntPolicyPackageState SNMP always returns (-1), which indicates never installed, regardless of the actual policy package status. |
581481 | Handling of custom Application Control signatures may not be consistent between FortiManager and FortiGate. |
581495 | Interface Validation may display the interface mapping prompt multiple times for the same unmapped interface. |
581812 | Sorting Extenders by device Name does not work. |
581825 | In workflow mode, changes to the SSL VPN portals do not trigger policy package status to "Modified". |
581940 | SD-WAN monitor may show a visual gap when monitoring traffic. |
582882 | FortiManager may install duplicated members during device install. |
584046 | License information for FortiAnalyzer shown in Device Manager is not correct. |
584118 | FortiManager may not correctly keep router access-list rule default value causing subsequent installation to fail. |
584392 | Admin user with read-only profile should not be allowed to "Revoke Release" in DHCP query and "Bring Tunnel Down/Up" in Query IPsec. |
585021 | Adding or modifying rate based signature within IPS profile, FortiManager resets all rate-based signatures to default setting. |
585480 | SD-WAN Monitor shows No Data for Performance SLA Statistics. |
586026 | FortiManager should display zone icon based on existing and non-existing dynamic mappings. |
586275 | Policy package difference does not show user or admin details. |
586450 | FortiManager should check if a script is applicable to global and report an error if the script cannot be run. |
586557 | Workflow session removes user group for FortiSwitch Security Policy. |
586571 | VPN Manager may set add-route to disable when creating a managed gateway in dial-up topology as spoke and the option to select "Add Route" is set "off". |
586636 | FortiManager Event Log may show policy package installed on different units. |
588869 | Re-install policy on FortiGate with multiple VDOMs wipes config when different VDOM in different package. |
Best regards,
The B&B Team
Security in business