Fortinet has published the seventh software update in the 6.2 family for the FortiManager product. This version fixes a bug that affected SSL-VPN. Specifically, it concerns the problem with selecting the operating system in order to allow or deny a VPN connection. Among the more important fixes, HA, which crashed during earlier upgrades, has been corrected. Version 6.2.7 is free of the hardware-related bug concerning the FWF-60E-DSL. The problem involved deploying the ADSL and VPI service. For more interesting information, I invite you to read the rest of the article.
Resolved issues:
Vendor release notes: FortiManager 6.2.7
Regards,
The B&B Team
Security in Business
AP Manager
Bug ID | Description |
---|---|
663983 | FortiAP upgrade may not proceed past 20%. |
665945 | Brazil country (BR) code does not offer any radio choices. |
669906 | FortiManager may not be able to install mpsk-key from AP Manager. |
Device Manager
Bug ID | Description |
---|---|
601692 | FortiManager is unable to overwrite IPv6 default route. |
613029 | SD-WAN Monitor is showing effect of exceeded SLA even if this is disabled. |
616537 | FortiGate and FortiManager GUI should use similar terminology for configuring weight and volume-ratio in SD-WAN. |
627749 | Admin user with device-config set as read in admin profile cannot download configuration revision. |
635316 | Return button is not working when viewing HA mode. |
645086 | Policy Lookup shows an error even though device is in sync. |
646421 | FortiManager may not be able to configure VDOM property resources setting. |
649769 | FortiManager cannot view full list of Extenders. |
649785 | SD-WAN > Monitor may hang for an ADOM with 1500 devices. |
649821 | Installation may fail for FortiGate-600D. |
652481 | Allow access is missing under interface on AWS FortiGate and may cause installation to fail. |
653701 | When FortiManager is configured in advanced ADOM mode, FortiManager still allows device assignment of CLI Templates/Groups in an ADOM where the management VDOM of that device does not reside in that particular ADOM. |
657933 | Importing policy should be successful even with the / character in the zone name. |
659838 | Interfaces any & virtual-wan-link should not be visible as OSPF passive interface option. |
659862 | FortiManager sends unset serial for FortiAnalyzer settings when System Template is being used. |
661116 | Device configuration may not be updated after running CLI script on remote FortiGate. |
662073 | FortiManager should create a new OSPF interface when clicking on OK button. |
662095 | FortiManager may take a long time to send SLA updates to over thousands of FortiGate devices. |
664253 | The auto-join-forticloud configuration may cause out-of-sync status. |
664689 | FortiManager should list VAPs in CLI only object. |
666240 | CLI Configurations is missing options for antivirus heuristic and ips global. |
668664 | Policy package diff is much slower after upgrade. |
669129 | FortiManager does not create dynamic mapping for address group causing import failure. |
669618 | CLI Configuration may not show the corresponding ports or interfaces. |
669704 | FortiManager does not allow user to configure FortiGate admin password longer than 32 characters. |
670072 | FortiManager can export license file but it does not include HA information. |
670274 | CLI Configuration is missing system global for VDOM enabled device. |
672338 | FortiManager may unset interface weight in SD-WAN when installing within 6.0 ADOM. |
FortiClient Manager
Bug ID | Description |
---|---|
662432 | List of managed switches in FortiSwitch Manager is often incomplete with per-device management. |
FortiSwitch Manager
Bug ID | Description |
---|---|
650453 | FortiSwitch template and VLAN should appear for firewall policy creation. |
Global ADOM
Bug ID | Description |
---|---|
666842 | Cloning a global policy package may fail with runtime error -1: invalid value. |
Others
Bug ID | Description |
---|---|
596067 | In workflow mode, FortiManager cannot add device to policy package installation target via JSON API. |
659916 | FortiManager may consume high memory usage by the svc sys daemon. |
661069 | ADOM restricted access user is able to pull Device Manager information from ADOMs via JSON API. |
665617 | FortiManager may consume high CPU resource when locking ADOM or loading policy. |
Policy and Objects
Bug ID | Description |
---|---|
531112 | Consolidated policy is missing implicit deny policy. |
587994 | Some dynamic type FSSO sub-type addresses on FortiGate cannot be resolved when the configurations are from FortiManager. |
608268 | Users may not be able to edit firewall policy due to session-ttl:out of range in v5.6 or v6.0 ADOM. |
617031 | Right-clicking on IPv4/Proxy Policy or Installation Targets should not reload the page if the related information is already displayed. |
622040 | Security Policy is missing Implicit Deny policy. |
635966 | Azure SDN connector only fetches the first page of results. |
639437 | FortiManager intermittently not displaying custom objects inside of address group. |
647189 | FortiManager dynamic object filter generator is adding an "s" at the end of tag resulting in non-working object. |
651785 | Address section under Policy & Objects > Security Profiles > SSL/SSH Inspection may load indefinitely. |
657826 | FortiManager should not allow unsupported options in Certificate Inspection SSL/SSH inspection profiles to be visible. |
657896 | FortiManager should provide more descriptive error message when copy fails. |
663219 | FortiManager may not be able to add more than 10240 service objects. |
664307 | Cloning DNS filter profile that assigned from Global ADOM results in Response with errors. |
666913 | Web URL Filter is deleted when URL Filter option is unchecked under the Web Filter Profile. |
667414 | FortiManager may freeze when editing comment field on a policy package with many policies. |
671072 | FortiGate should be able to synchronize and resolve dynamic address group to the IP address from FortiManager with NSX-T integration. |
671988 | FortiManager is not able to push dynamic objects to FortiGate after receiving the configurations from NSXT connector. |
673305 | Policy package install may stall and fail due to high memory usage. |
Revision History
Bug ID | Description |
---|---|
565138 | Installation to FortiGate fails for passphrase and password when private-data-encryption is enabled. |
579286 | Installation may fail for FortiGate 6.2 within ADOM 6.0 due to configuration changes with virtual-wan-link member weight and volume-ratio, and internet-service-ctrl. |
612263 | FortiManager may not install ADSL vci and VPI to FWF-60E-DSL. |
622540 | FortiManager prompts error, no hub configured, for a site even if the site is not part of VPN Manager. |
654496 | Installing configuration to device after Auto link, FortiManager may send incorrect system ntp commands causing install to fail. |
657424 | FortiManager may disable the l2forward and stpforward settings on virtual switch interface when installing policy package. |
657526 | FortiManager should not try to unset ssl-ssh-profile configuration if it is already configured. |
662438 | FortiManager may try to purge all web rating override entries. |
667148 | When a policy install is performed, Install preview shows a lot of firewall policies with metafield changes without any actual changes being performed. |
673327 | When Traffic Shaper bandwidth is set to Mbps or Gbps, FortiManager should convert it to Kbps if installation target is non 64 bits FortiGate model. |
Script
Bug ID | Description |
---|---|
632014 | When editing CLI script group, user cannot see full CLI script name. |
663820 | The LDAP port value remains 636 on device database and FortiManager is not accepting custom port number via CLI script. |
Services
Bug ID | Description |
---|---|
603414 | FortiManager may show incorrect firmware upgrade path. |
654129 | FortiManager may not have the correct upgrade path for FortiGate KVM. |
666716 | FortiGuard license status page should have an option to show all FortiGate HA cluster contracts. |
671387 | FortiManager installs the latest IPS and application control signatures on managed device despite the To Be Deployed Version is configured. |
System Settings
Bug ID | Description |
---|---|
589203 | ADOM upgrade from 5.6 to 6.0 may fail due to invalid per-device mapping. |
597917 | Mail Server setting within Event Handler Notifications is not synchronized from FortiManager to managed FortiAnalyzer. |
611215 | SNMP Hosts in SNMP Community are not displayed in the GUI if ADOM is unlocked. |
619750 | When upgrading ADOM from 5.4 to 5.6, FortiManager does not add tcp-session-without-syn in all firewall policies. |
624354 | There may be an empty space in ADOM management page. |
639099 | There are many cdb event logs for object changed in event logs after upgrade. |
654637 | After upgrade, non super user password change may not take effect. |
658689 | Log service may shut down and restart routinely. |
660226 | HA may crash when upgrading. |
660361 | ADOM upgrade may fail when FortiManager has workspace-mode set to workflow. |
665033 | Global web rating overrides may not be assigned after upgrade. |
667445 | FortiManager may show errors on dynamic_mapping.local-int during upgrade. |
VPN Manager
Bug ID | Description |
---|---|
647413 | User should be able to select the OS to allow or deny an SSL-VPN tunnel connection. |
658221 | The dns-suffix on SSL VPN portal is not installed if web-mode is disabled. |
Known issues to be resolved:
AP Manager
Bug ID | Description |
---|---|
599189 | FortiManager should be able to handle upgrading more than 10 APs at once. |
633171 | There may be DFS Channel mismatch between FortiManager and FortiGate for FAP-223E. |
Device Manager
Bug ID | Description |
---|---|
575215 | When creating a new interface for a VDOM, FortiManager may list interfaces that may belong to another ADOM. |
596711 | FortiManager CLI Configuration shows incorrect default wildcard value for router access-list. |
598424 | Interface cannot create more than 48 IP-MAC bindings in DHCP reservation from GUI. |
598431 | Install wizard may show a blank area when scrolling down the wizard to select device(s). |
598916 | When creating user groups via CLI Only Objects, comma separated values are treated as a string instead of a list. |
610568 | FortiManager may not follow the order in CLI Script template. |
615044 | Configuration status may be shown as modified after adding FortiGate to FortiManager. |
636012 | Importing policy may report conflict for the default SSH CA certificates. |
636357 | Retrieve may fail on FortiGate cluster with Failed to reload configuration. invalid value error. |
636638 | Fabric view may get stuck at loading. |
638061 | FortiGate 7000 may not be added and result with failure to update device information. |
654190 | FortiManager should not modify IPv4 addressing mode when IPv6 addressing mode is changed. |
664732 | Time zone is displayed as IST when FortiGate is set to GMT. |
665344 | User with full R/W DVM privileges should be allowed to see and modify the System Provisioning Templates. |
665955 | FortiManager is not reflecting proper admin timeout value in CLI only object. |
667738 | GUI should generate error message when using invalid IP address or special characters in interface name. |
670577 | When creating an API admin from CLI Configuration, trusted host section is missing. |
670839 | FortiManager should be able to configure IPSec Phase2 selector using the same IP range. |
674904 | FortiManager may not be able to import policy with interface binding contradiction on srcintf error. |
FortiSwitch Manager
Bug ID | Description |
---|---|
637220 | FortiManager may not be able to upgrade FortiSwitch firmware. |
Global ADOM
Bug ID | Description |
---|---|
667423 | Assigned header policy from the global ADOM shows up on excluded policy package. |
670280 | Promoting the Profile Group object should not promote the default Protocol option. |
Policy & Objects
Bug ID | Description |
---|---|
580880 | FortiManager is unable to see dynamic mapping for Local Certificate if workflow session is created. |
585177 | FortiManager is unable to create VIPv6 virtual server objects. |
598938 | FortiManager should allow setting wildcard-fqdn type firewall address as destination on proxy policy. |
602176 | Creating a proxy policy with a profile group adds additional security profile. |
608535 | NAT option is missing from Central NAT policy package. |
612317 | FortiManager shows incorrect country code for Cyprus under User definition. |
615624 | Firewall policy and proxy policy cannot select IP type external resource as address. |
618499 | Right-click to edit zone incorrectly prompts dynamic interface window. |
630431 | Some application and filter overrides are not displayed on GUI. |
631158 | FortiManager is unable to import firewall objects of fsso fortiems-cloud user due to Server cannot be empty. |
650744 | FortiManager should remove obsolete geoip-country codes. |
652753 | When an obsolete internet service is selected, FortiManager may show entry IDs instead of names. |
655601 | FortiManager may be slow to add or remove a URL entry on web filter with a large list. |
659296 | FortiManager may take a long time to update web filter URL filter list. |
660483 | IPS signatures may not match between FortiGate and FortiManager. |
661397 | FortiManager may not be able to detect some duplicate objects. |
666258 | User should not be able to create a firewall policy with an Internet service with Destination direction in Source by using drag and drop. |
670061 | FortiManager does not report error when an unsupported FQDN address format is created. |
675541 | Deleting an override entry should trigger modified status for policy packages with FortiGuard Category Based Filter enabled within web filter profile. |
Revision History
Bug ID | Description |
---|---|
618305 | FortiManager changes configuration system csf settings. |
623159 | Zone validation in re-Install Policy is not saving the user choice and deleting all related policies. |
635957 | Install fails for subnet overlap IP between two interfaces. |
637103 | Scrolling in install preview is not smooth and may get stuck. |
655246 | The adom-rev-auto-delete option may not work to automatically delete revisions. |
660525 | When installing from FortiManager, it may reset comment, organization, and subnet-name during install. |
664284 | FortiManager may not be able to configure SSH certificate. |
675867 | The ssl-anomaly-log configuration may be incorrectly pushed by FortiManager when installing 5.6 ADOM policy to 6.0 FortiGate. |
Script
Bug ID | Description |
---|---|
613575 | After script is run directly on CLI, FortiManager may fail to reload configuration. |
Services
Bug ID | Description |
---|---|
541192 | FortiManager should keep firmware image files when the files are for different FortiExtender devices. |
567664 | HA slave does not update FortiMeter license. |
587730 | FortiGate-VM64-AZURE may not be listed in firmware image page. |
675255 | With FortiGate not sending previous update object in the request, package management Service Status keeps in pending. |
System Settings
Bug ID | Description |
---|---|
625683 | Changes made by ADOM upgrade may not update Last Modified date/time and user admin. |
631733 | Changing trusted IP can be saved and installed. |
635181 | FortiManager is unable to delete mail server with error message used displayed. |
642205 | While FortiAnalyzer model is disabled, FortiManager may fail to create an ADOM due to over size with disk quota. |
662970 | Firewall addresses may not be visible on GUI after upgrading FortiManager. |
670497 | After upgrading FortiManager, it may delete syslog configuration. |
VPN Manager
Bug ID | Description |
---|---|
596953 | VPN manager > monitor: The monitor page displays a white screen when selecting a specific community from the tree menu to show only that community’s tunnels. |
620801 | SSLVPN > Edit SSLVPN Settings > IP Range: Only shows configuration from ADOM database objects. |
658221 | The dns-suffix on SSL VPN portal is not installed if web-mode is disabled. |