Fortinet opublikował siódmą aktualizacje oprogramowania, z rodziny 6.2 dla produktu FortiManager. W tej wersji naprawiono błąd, który dotyczył SSL-VPN. Dokładnie mówiąc, chodzi o problem z wyborem systemu operacyjnego, aby zezwolić lub odmówić połączenia VPN. Z ważniejszych aktualizacji poprawiono HA, który ulegał awarii podczas wcześniejszych aktualizacji. Wersja 6.2.7 jest wolna od błędu sprzętowego, dotyczącego FWF-60E-DSL. Problem polegał, na wdrożeniu usługi ADSL i VPI. Po więcej ciekawych informacji, zapraszam do dalszej części artykułu.
Rozwiązane problemy:
Notatki producenta: FortiManager 6.2.7
Pozdrawiamy,
Zespół B&B
Bezpieczeństwo w biznesie
AP Manager
Bug ID | Description |
---|---|
663983 | FortiAP upgrade may not proceed past 20%. |
665945 | Brazil country (BR) code does not offer any radio choices. |
669906 | FortiManager may not be able to install mpsk-key from AP Manager. |
Device Manager
Bug ID | Description |
---|---|
601692 | FortiManager is unable to overwrite IPv6 default route. |
613029 | SD-WAN Monitor is showing effect of exceeded SLA even if this is disabled. |
616537 | FortiGate and FortiManager GUI should use similar terminology for configuring weight and volume-ratio in SD-WAN. |
627749 | Admin user with device-config set as read in admin profile cannot download configuration revision. |
635316 | Return button is not working when viewing HA mode. |
645086 | Policy Lookup shows an error even though device is in sync. |
646421 | FortiManager may not be able to configure VDOM property resources setting. |
649769 | FortiManager cannot view full list of Extenders. |
649785 | SD-WAN > Monitor may hang for an ADOM with 1500 devices. |
649821 | Installation may fail for FortiGate-600D. |
652481 | Allow access is missing under interface on AWS FortiGate and may cause installation to fail. |
653701 | When FortiManager is configured in advanced ADOM mode, FortiManager still allows device assignment of CLI Templates/Groups in an ADOM where the management VDOM of that device does not reside in that particular ADOM. |
657933 | Importing policy should be successful even with the / character in the zone name. |
659838 | Interfaces any & virtual-wan-link should not be visible as OSPF passive interface option. |
659862 | FortiManager sends unset serial for FortiAnalzyer settings when System Template is being used. |
661116 | Device configuration may not be updated after running CLI script on remote FortiGate. |
662073 | FortiManager should create a new OSPF interface when clicking on OK button. |
662095 | FortiManager may take a long time to send SLA updates to over thousands of FortiGate devices. |
664253 | The auto-join-forticloud configuration may cause out-of-sync status. |
664689 | FortiManager should list VAPs in CLI only object. |
666240 | CLI Configurations is missing options for antivirus heuristic and ips global. |
668664 | Policy package diff is much slower after upgrade. |
669129 | FortiManager does not create dynamic mapping for address group causing import failure. |
669618 | CLI Configuration may not show the corresponding ports or interfaces. |
669704 | FortiManager does not allow user to configure FortiGate admin password longer than 32 characters. |
670072 | FortiManager can export license file but it does not include HA information. |
670274 | CLI Configuration is missing system global for VDOM enabled device. |
672338 | FortiManager may unset interface weight in SD-WAN when installing within 6.0 ADOM. |
FortiClient Manager
Bug ID | Description |
---|---|
662432 | List of managed switches in FortiSwitch Manager is often incomplete with per-device management. |
FortiSwitch Manager
Bug ID | Description |
---|---|
650453 | FortiSwitch template and VLAN should appear for firewall policy creation. |
Global ADOM
Bug ID | Description |
---|---|
666842 | Cloning a global policy package may fail with runtime error -1: invalid value. |
Others
Bug ID | Description |
---|---|
596067 | In workflow mode, FortiManager cannot add device to policy package installation target via JSON API. |
659916 | FortiManager may consume high memory usage by the svc sys daemon. |
661069 | ADOM restricted access user is able to pull Device Manager information from ADOMs via JSON API. |
665617 | FortiManager may consume high CPU resource when locking ADOM or loading policy. |
Policy and Objects
Bug ID | Description |
---|---|
531112 | Consolidated policy is missing implicit deny policy. |
587994 | Some dynamic type FSSO sub-type addresses on FortiGate cannot be resolved when the configurations are from FortiManager. |
608268 | Users may not be able to edit firewall policy due to session-ttl:out of range in v5.6 or v6.0 ADOM. |
617031 | Right-clicking on IPv4/Proxy Policy or Installation Targets should not reload the page if the related information is already displayed. |
622040 | Security Policy is missing Implicit Deny policy. |
635966 | Azure SDN connector only fetches the first page of results. |
639437 | FortiManager intermittently not displaying custom objects inside of address group. |
647189 | FortiManager dynamic object filter generator is adding a „s” at the end of tag resulting in non working object. |
651785 | Address section under Policy & Objects > Security Profiles > SSL/SSH Inspection may load indefinitely. |
657826 | FortiManager should not allow unsupported options in Certificate Inspection SSL/SSH inspection profiles to be visible. |
657896 | FortiManager should provide more descriptive error message when copy fails. |
663219 | FortiManager may not be able to add more than 10240 service objects. |
664307 | Cloning DNS filter profile that assigned from Global ADOM results in Response with errors. |
666913 | Web URL Filter is deleted when URL Filter option is unchecked under the Web Filter Profile. |
667414 | FortiManager may freeze when editing comment field on a policy package with many policies. |
671072 | FortiGate should be able to synchronize and resolve dynamic address group to the IP address from FortiManager with NSX-T integration. |
671988 | FortiManager is not able to push dynamic objects to FortiGate after receiving the configurations from NSXT connector. |
673305 | Policy package install may stall and fail due to high memory usage. |
Revision History
Bug ID | Description |
---|---|
565138 | Installation to FortiGate fails for passphrase and password when private-data-encryption is enabled. |
579286 | Installation may fail for FortiGate 6.2 within ADOM 6.0 due to configuration changes with virtual-wan-link member weight and volume-ratio, and internet-service-ctrl. |
612263 | FortiManager may not install ADSL vci and VPI to FWF-60E-DSL. |
622540 | FortiManager prompts error, no hub configured, for a site even the site is not part of VPN Manager. |
654496 | Installing configuration to device after Auto link, FortiManager may send incorrect system ntp commands causing install to fail. |
657424 | FortiManager may disable the l2forward and stpforward settings on virtual switch interface when installing policy package. |
657526 | FortiManager should not try to unset ssl-ssh-profile configuration if it is already configured. |
662438 | FortiManager may try to purge all web rating override entries. |
667148 | When a policy install is performed, Install preview shows a lot of firewall policies with metafield changes without any actual changes being performed. |
673327 | When Traffic Shaper bandwidth is set to Mbps or Gbps, FortiManager should convert it to Kbps if installation target is non 64 bits FortiGate model. |
Script
Bug ID | Description |
---|---|
632014 | When editing CLI script group, user cannot see full CLI script name. |
663820 | The LDAP port value remains 636 on device database and FortiManager is not accepting custom port number via CLI script. |
Services
Bug ID | Description |
---|---|
603414 | FortiManager may show incorrect firmware upgrade path. |
654129 | FortiManager may not have the correct upgrade path for FortiGate KVM. |
666716 | FortiGuard license status page should have an option to show all FortiGate HA cluster contracts. |
671387 | FortiManager installs the latest IPS and application control signatures on managed device despite the To Be Deployed Version is configured. |
System Settings
Bug ID | Description |
---|---|
589203 | ADOM upgrade from 5.6 to 6.0 may fail due to invalid per-device mapping. |
597917 | Mail Server setting within Event Handler Notifications is not synchronized from FortiManager to managed FortiAnalyzer. |
611215 | SNMP Hosts in SNMP Community are not displayed in the GUI if ADOM is unlocked. |
619750 | When upgrading ADOM from 5.4 to 5.6, FortiManager does not add tcp-session-without-syn in all firewall policies. |
624354 | There may be an empty space in ADOM management page. |
639099 | There are many cdb event log for object changed in event logs after upgrade. |
654637 | After upgrade, non super user password change may not taking effect. |
658689 | Log service may shutdown and restarted routinely. |
660226 | HA may crash when upgrading. |
660361 | ADOM upgrade may fail when FortiManager has workspace-mode set to workflow. |
665033 | Global web rating overrides may not be assigned after upgrade. |
667445 | FortiManager may show errors on dynamic_mapping.local-int during upgrade. |
VPN Manager
Bug ID | Description |
---|---|
647413 | User should be able to select the OS to allow or deny an SSL-VPN tunnel connection. |
658221 | The dns-suffix on SSL VPN portal is not installed if web-mode is disabled. |
Znane problemy do rozwiązania:
AP Manager
Bug ID | Description |
---|---|
599189 | FortiManager should be able to handle upgrading more than 10 APs at once. |
633171 | There may be DFS Channel mismatch between FortiManager and FortiGate for FAP-223E. |
Device Manager
Bug ID | Description |
---|---|
575215 | When creating an new interface for a VDOM, FortiManager may list interfaces that may belong to another ADOM. |
596711 | FortiManager CLI Configuration shows incorrect default wildcard value for router access-list. |
598424 | Interface cannot create more than 48 IP-MAC bindings in DHCP reservation from GUI. |
598431 | Install wizard may show a blank area when scrolling down the wizard to select device(s). |
598916 | When creating user groups via CLI Only Objects, comma separated values are treated as a string instead of a list. |
610568 | FortiManager may not follow the order in CLI Script template. |
615044 | Configuration status may be shown modified after added FortiGate to FortiManager. |
636012 | Importing policy may report conflict for the default SSH CA certificates. |
636357 | Retrieve may fail on FortiGate cluster with Failed to reload configuration. invalid value error. |
636638 | Fabric view may stuck at loading. |
638061 | FortiGate 7000 may not be added and result with failure to update device information. |
654190 | FortiManager should not modify IPv4 addressing mode when IPv6 addressing mode is changed. |
664732 | Time zone is displayed as IST when FortiGate is set to GMT. |
665344 | User with full R/W DVM privileges should be allowed to see and modify the System Provisioning Templates. |
665955 | FortiManager is not reflecting proper admin timeout value in CLI only object. |
667738 | GUI should generate error message when using invalid IP address or special characters in interface name. |
670577 | When creating an API admin from CLI Configuration, trusted host section is missing. |
670839 | FortiManager should be able to configure IPSec Phase2 selector using the same IP range. |
674904 | FortiManager may not be able to import policy with interface binding contradiction on srcintf error. |
FortiSwitch Manager
Bug ID | Description |
---|---|
637220 | FortiManager may not able to upgrade FortiSwitch firmware. |
Global ADOM
Bug ID | Description |
---|---|
667423 | Assigned header policy from the global ADOM shows up on excluded policy package. |
670280 | Promoting the Profile Group object should not promote the default Protocol option. |
Policy & Objects
Bug ID | Description |
---|---|
580880 | FortiManager is unable to see dynamic mapping for Local Certificate if workflow session is created. |
585177 | FortiManager is unable to create VIPv6 virtual server objects. |
598938 | FortiManager should allow setting wildcard-fqdn type firewall address as destination on proxy policy. |
602176 | Creating a proxy policy with a profile group adds additional security profile. |
608535 | NAT option is missing from Central NAT policy package. |
612317 | FortiManager shows incorrect country code for Cyprus under User definition. |
615624 | Firewall policy and proxy policy cannot select IP type external resource as address. |
618499 | Right-click to edit zone incorrectly prompts dynamic interface window. |
630431 | Some application and filter overrides are not displayed on GUI. |
631158 | FortiManager is unable to import firewall objects of fsso fortiems-cloud user due to Server cannot be empty. |
650744 | FortiManager should remove obsolete geoip-country codes. |
652753 | When an obsolete internet service is selected, FortiManager may show entry IDs instead of names. |
655601 | FortiManager may be slow to add or remove a URL entry on web filter with a large list. |
659296 | FortiManager may take a long time to update web filter URL filter list. |
660483 | IPS signatures may not match between FortiGate and FortiManager. |
661397 | FortiManager may not be able to detect some duplicate objects. |
666258 | User should not be able to create a firewall policy with an Internet service with Destination direction in Source by using drag and drop. |
670061 | FortiManager does not report error when an unsupported FQDN address format is created. |
675541 | Deleting an override entry should trigger modified status for policy packages with FortiGuard Category Based Filter enabled within web filter profile. |
Revision History
Bug ID | Description |
---|---|
618305 | FortiManager changes configuration system csf settings. |
623159 | Zone validation in re-Install Policy is not saving the user choice and deleting all related policies. |
635957 | Install fails for subnet overlap IP between two interfaces. |
637103 | Scrolling in install preview is not smooth and may get stuck. |
655246 | The adom-rev-auto-delete option may not work to automatically delete revisions. |
660525 | When installing from FortiManager, it may reset comment, organization, and subnet-name during install. |
664284 | FortiManager may not be able to configure SSH certificate. |
675867 | The ssl-anomaly-log configuration may be incorrectly pushed by FortiManager when installing 5.6 ADOM policy to 6.0 FortiGate. |
Script
Bug ID | Description |
---|---|
613575 | After script is run directly on CLI, FortiManager may fail to reload configuration. |
Services
Bug ID | Description |
---|---|
541192 | FortiManager should keep firmware image files when the files are for different FortiExtender devices. |
567664 | HA slave does not update FortiMeter license. |
587730 | FortiGate-VM64-AZURE may not be listed in firmware image page. |
675255 | With FortiGate not sending previous update object in the request, package management Service Status keeps in pending. |
System Settings
Bug ID | Description |
---|---|
625683 | Changes made by ADOM upgrade may not update Last Modified date/time and user admin. |
631733 | Changing trusted IP can be saved and installed. |
635181 | FortiManager is unable to delete mail server with error message used displayed. |
642205 | While FortiAnalyzer model is disabled, FortiManager may fail to create an ADOM due to over size with disk quota. |
662970 | Firewall addresses may not be not visible on GUI after upgraded FortiManager. |
670497 | After upgraded FortiManager, it may delete syslog configuration. |
VPN Manager
Bug ID | Description |
---|---|
596953 | VPN manager > monitor: The monitor page displays a white screen when selecting a specific community from the tree menu to show only that community’s tunnels. |
620801 | SSLVPN > Edit SSLVPN Settings > IP Range: Only shows configuration from ADOM database objects. |
658221 | The dns-suffix on SSL VPN portal is not installed if web-mode is disabled. |
Post Views: 2 671