Fortinet has published the second patch release in the 6.4 family for FortiManager! Version 6.4.2 is free of the bugs that caused problems during synchronization with FortiAnalyzer or made it impossible to connect it to FortiManager at all. In addition, the vendor states that it has resolved many bugs related to deploying policy packages to FortiGate devices and to the incorrect loading of IPS signatures or application control signatures. The new software version, FortiManager 6.4.2, is also free of the bugs that hindered synchronization between our UTM and the Manager (for example, synchronization of FSSO user groups, which should now work correctly).
Resolved issues:
AP Manager
Bug ID | Description |
---|---|
599666 | Empty LLDP status information is shown under AP Manager. |
619796 | When "JSON API Access" is set properly, admin user cannot authorize or deauthorize FAP, FSW, or FEX. |
556036 | FortiManager cannot configure AP profile short-guard-interval. |
Device Manager
Bug ID | Description |
---|---|
581940 | SD-WAN Monitor may show gaps on the SD-WAN monitoring graph. |
593364 | FortiManager does not install md5 key for OSPF interface configured from Device Manager. |
599852 | When password policy is set as enforced, FortiManager should not accept password if it does not meet the policy. |
603291 | Group membership may be incorrect after adding a VDOM. |
603820 | FortiManager fails to import policy when reputation-minimum and reputation-direction are set. |
612355 | Policy Package status remains in modified status after using "Push to device" on an updated object. |
619106 | When importing a policy, the conflict page may truncate outputs. |
626598 | Custom Device Meta Fields cannot be modified. |
633767 | Japanese typo in NTP Service of DHCP Server setting. |
637630 | FortiManager is not showing interface status in device manager interface page. |
637672 | Importing AP Profile in AP Manager may cause Config Status changes to "Modified". |
642348 | Policy package diff from Device Manager may not work. |
642817 | Importing an interface may report datasrc invalid error if trying to map an interface to an ADOM with a different name. |
643172 | FortiManager does not support dnsproxy-worker-count higher than two. |
644223 | FortiManager is unable to add FortiAnalyzer and triggers an error: Object does not exist. |
647664 | The loopback interface should not be allowed to be added into the zone interface in Device Manager. |
648842 | CLI only object is missing the fmg-source-ip4 setting. |
649195 | Editing an address group does not trigger any configuration change when installation target is set to specific device(s). |
649711 | FortiManager is unable to add FortiAnalyzer and fails to synchronize FortiAnalyzer with current ADOM data with error: Fail(errno=-3):Object does not exist. |
650768 | When using the model device auto-link feature, FortiManager should keep the remote FortiGate configuration during auto-link install. |
FortiSwitch Manager
Bug ID | Description |
---|---|
585926 | FortiSwitch Manager under per-device or central mode has no support for multiple FortiLink interfaces. |
642959 | When re-installing or installing any policy package, FortiManager tries to install security-8021x-dynamic-vlan-id even if there is no 8021x authentication configured on FortiManager. |
Global ADOM
Bug ID | Description |
---|---|
647736 | Global ADOM policy package assignment may fail. |
Others
Bug ID | Description |
---|---|
626338 | The exec fmpolicy CLI command may not print out a policy package correctly. |
643784 | FortiManager is crashing on security console and wizard is stopped at 50% of deployment. |
647791 | Cloning VDOM object may fail via CLI. |
Policy and Objects
Bug ID | Description |
---|---|
540716 | Under Policy Package, the Column Settings dropdown list does not display the Session Count, Session First Used, and Session Last Used options. |
545605 | Searching on Created Time or Last Modified does not work on policy table. |
569226 | Section title should always be displayed for filtered policy and section title should not be deleted after policy was deleted. |
578501 | FortiManager should show global icon for global objects assigned to ADOMs. |
591540 | Export policy package to excel returns empty packages when table is not loaded. |
593417 | FortiManager shows incorrect action for allowing invalid SSL certificates. |
594888 | FortiManager is unable to export policies to excel when consolidated firewall mode is enabled. |
601385 | Restricted mode admin cannot install Web Rating Overrides changes. |
615117 | Policy Package section is not sent over to FortiGate if Policy Blocks are under the section in FortiManager. |
617031 | Right-clicking on IPv4/Proxy Policy or Installation Targets should not reload the page if the related information is already displayed. |
626060 | FortiManager cannot set per-device mapping for user-radius-accounting-server-source-ip. |
628389 | When workspace is enabled, Policy Package Status may change to Modified but there is nothing to be installed. |
630033 | Editing firewall policy and adding FSSO Groups is not displayed correctly. |
630055 | Some custom application signatures have id 0 in application list. |
630582 | Deleted policy IDs may still appear in the GUI. |
630891 | Cloned policy may not get installed onto devices. |
631134 | Profile type should be set to group if drag and drop security profile group into policy. |
632715 | In DoS policy, changing quarantine from attacker to none keeps quarantine-expiry set incorrectly. |
633431 | Changing to Classical Dual Pane disables Policy Hit Count. |
633727 | FortiManager is unable to display summary of policy package diff for a VDOM with a long name. |
636010 | FortiManager cannot push custom application signatures from different policy packages to the same FortiGate. |
636133 | When bfd is disabled, FortiManager should exclude bfd-desired-min-tx and bfd-required-min-rx from installation. |
637688 | FortiManager prompts the error message, "The data is invalid for selected url", when copying and pasting policy to a different policy package. |
639753 | After a FortiToken is activated on the FortiGate, the next policy install from FortiManager would unset "reg-id" and "os-ver" on the token. |
640400 | FortiManager may purge the list of resolved IPs of a dynamic address on the FortiGate. |
643098 | FortiManager may have slow installation of policy package due to many VIPs with the same external VIP. |
643113 | Changing an Accept policy to Deny in a policy that contains a Security Profile Group results in installation failure. |
643930 | Finding Duplicate Objects does not display duplicated addresses if wildcard is empty. |
643957 | When there are many firewall addresses, FortiManager may be slow to show all addresses under CLI Only Objects. |
645367 | Discarded policy deletion in Policy Package may delete all policies while they are still visible in the GUI. |
645661 | A valid custom IPS signature may still trigger invalid IPS data error. |
645960 | FortiManager only sets profile feature set to proxy if the AV profile is used in proxy based policy. |
647337 | FortiManager may fail to retrieve FSSO user groups via FortiGate. |
461746 | FortiManager is unable to delete IP Pool Object when disabling Dynamic IP Pool in a policy. |
630891 | Cloned policy is not installed on devices (global ADOM v5.6). |
Revision History
Bug ID | Description |
---|---|
594933 | Re-installing Policy Package cannot skip to install policy Package, which fails validation. |
610687 | FortiManager should not unset forward-error-correct during install. |
613901 | FortiManager may not be able to show more than one log based on one revision ID. |
622540 | FortiManager prompts error, 'no hub configured', for a site even if the site is not part of VPN Manager. |
632129 | The syslogd setting source-ip is still visible after setting status to disable, which causes verification failure. |
633515 | FortiManager should improve the error message when FortiManager receives blank or invalid configurations from FortiGate. |
634345 | Install preview may not show CLI configurations correctly. |
637076 | Installing PPPoE interface may fail. |
641145 | FMG-GCP-VM may always revert MTU to 1460. |
643803 | Policy Package Diff may show all objects as new changes. |
645929 | If FortiGate and FortiManager have the same ISDB version, objects should match and installs should not fail due to mismatched internet service objects. |
646372 | When the user applies changes to a policy package, then all the policy packages in this ADOM change to a "Modified" state. |
Script
Bug ID | Description |
---|---|
634242 | After applying profile-type group on a firewall policy via a script, proxy and SSL profiles should be removed from the corresponding firewall policy. |
Services
Bug ID | Description |
---|---|
569679 | Port 8888 or 8889 should not always be opened. |
647680 | When importing firmware image for FAP 321E, FortiManager reports the platform as an invalid model. |
654214 | FortiManager cannot connect to FDS server via proxy when using FortiGuard Anycast. |
System Settings
Bug ID | Description |
---|---|
618213 | When trying to upgrade FortiManager cluster from FortiManager Master GUI, FortiManager Master reboots before it finishes sending the firmware to FortiManager Slave. |
628006 | Even though a user has 'Manage Device Configurations' R/W privileges, the user appears to have partial permissions within Device Manager. |
637044 | FortiManager may not be able to save changes under Workspace mode and prompt error "Workspace request failed, please try again." |
643246 | FortiManager may not be able to save the remote server LDAP configuration with special characters in Organizational Unit names. |
644660 | Installation preview may get stuck and the system may run out of memory. |
493533 | FortiManager needs to rename custom 'default' protocol option after upgrade. |
641018 | Upgrading Global ADOM may fail due to Fortinet_NSX local certificate. |
Known issues to be resolved:
AP Manager
Bug ID | Description |
---|---|
607107 | FortiManager prompts installation errors when certain channels are selected for Radio 2 in 5 GHz band of FAP-421E. |
599189 | FortiManager should be able to handle upgrading more than 10 APs at once. |
607170 | Dynamic VLAN option is not saved in SSID in AP Manager. |
633171 | There may be a DFS Channel mismatch between FortiManager and FortiGate for FAP-223E. |
645030 | Adding FortiGate using custom admin profile may fail to list FAP in AP Manager. |
645713 | FortiManager is able to create SSID which cannot be deleted after. |
648812 | DHCP server is incorrectly created for Bridge SSID. |
653329 | FortiManager is sending the wrong device setting after changing the FAP name. |
Device Manager
Bug ID | Description |
---|---|
547768 | FortiManager should allow easier management of the compliance exempt lists. |
552492 | VAP is always loading under CLI configuration. |
595058 | The user sets Scheduled Updates configuration to 1 hour in FortiGuard; however, in the FortiManager Device Manager, the installation preview is configured as "set time 1:60". |
598916 | When creating user groups via CLI Only Objects, comma separated values are treated as a string instead of a list. |
610568 | FortiManager may not follow the order in CLI Script template. |
627749 | Admin user with device-config set as read in admin profile cannot download configuration revision. |
640907 | FortiManager is unable to configure FortiSwitch port mirroring. |
598424 | Interface cannot create more than 48 IP-MAC bindings in DHCP reservation from GUI. |
602393 | Device joined telemetry not showing on FortiManager under Telemetry group. |
604125 | FortiManager may not be able to edit VDOM link interface from VDOM level. |
605688 | Pac file data limited to 4000 characters under CLI Configuration. |
607923 | Security Fabric Connection option is removed from VLAN interface after changes are applied. |
613029 | SD-WAN Monitor is showing effect of exceeded SLA even when it is disabled. |
625541 | Changing a certificate on FortiGate triggers auto-update that may incorrectly update partial configuration on multiple VDOMs. |
627664 | FortiManager cannot work with socket-size 0 and changes it to 1 automatically. |
630316 | After auto-conf IPv6 address is changed on FortiGate, the address is not updated into device database. |
635316 | Return button is not working when viewing HA mode. |
636012 | Importing a policy may report conflict for the default SSH CA certificates. |
636357 | Retrieve may fail on FortiGate cluster with "Failed to reload configuration. invalid value" error. |
636638 | Fabric view may get stuck at loading. |
638061 | FortiGate 7000 may not be added and result with failure to update device information. |
639854 | No IPv6 format in router GUI for BGP. |
644596 | FortiManager is unable to deauthorize explicit proxy user(s). |
645086 | Policy Lookup shows an error even though device is in sync. |
649157 | Mapping interface containing "/" results in error "Object does not exist" during import policy. |
649566 | CLI Template is not able to install same name interface using vpn ipsec phase1-interface and config system ipsec-aggregate. |
649769 | FortiManager cannot view full list of Extenders. |
649785 | SD-WAN > Monitor may hang for an ADOM with 1500 devices. |
651560 | SD-WAN monitor may get stuck loading when the admin user belongs to device group. |
651712 | SD-WAN monitor keeps loading and not displaying anything in backup mode ADOM. |
652052 | FortiManager may fail to add another FortiManager in Fabric ADOM. |
652427 | FortiManager may not be able to configure any value on the access list prefix. |
652481 | Allow access is missing under interface on AWS FortiGate and may cause installation to fail. |
653388 | IPsec VPN Phase-1 tunnel interface is not added in VDOM interface list with long VDOM name. |
653465 | FortiManager may not be able to edit DHCP options function on GUI. |
FortiSwitch Manager
Bug ID | Description |
---|---|
650453 | FortiSwitch template and VLAN shall appear for firewall policy creation. |
651788 | FortiSwitch Manager not showing correct online or offline status. |
Global ADOM
Bug ID | Description |
---|---|
632400 | When installing global policy, FortiManager may delete policy routes and settings on an ADOM. |
Others
Bug ID | Description |
---|---|
632822 | The merged_daemons process goes to 100% usage and prevents radius authentication. |
647337 | FortiManager fails to retrieve FSSO user groups via FortiGate. |
481129 | FortiManager is lacking API for policy consistency check. |
647156 | FortiManager cannot clone any of the deep-inspection ssl-ssh-profiles using JSON API. |
Policy & Objects
Bug ID | Description |
---|---|
523350 | FortiManager does not show the default certificate under SSL/SSH Inspection within a policy. |
545759 | From or To column filter displays unmapped interfaces in the drop-down list. |
547052 | FortiManager GUI should not allow creating Security Profiles without any SSL/SSH Inspection Profile defined. |
586026 | FortiManager should display zone icon based on existing and non existing dynamic mappings. |
611980 | Policy is not installed on selected devices when one device is excluded due to Zone validation failed. |
612317 | FortiManager shows incorrect country code for Cyprus under User definition. |
618321 | FortiManager is unable to create RSSO Group if Agent is configured with custom name. |
620092 | Interface Pair View is not working for Security Policies. |
623100 | FortiManager is constantly changing UUID for firewall address object. |
630431 | Some application and filter overrides are not displayed on GUI. |
631158 | FortiManager is unable to import firewall objects of fsso fortiems-cloud user due to Server cannot be empty. |
634241 | VIP created using CLI script is not available to use in policy. |
635966 | Azure SDN connector only fetches the first page of results. |
640157 | Verification may fail due to wrong default setting of 'log.memory.global-setting' > 'set max-size'. |
525625 | When configuring web filter rating override, the configuration is pushed to all the VDOMs even when web filter is not used. |
531112 | Consolidated policy is missing implicit deny policy. |
568482 | FortiManager ADOM web filter profile configuration promoted to Global database does not rename associated FortiGuard local categories. |
580880 | FortiManager is unable to see dynamic mapping for Local Certificate if workflow session is created. |
583151 | FortiManager should not change default value of scan-mode and ssl-ssh-profile/inspection-mode when installing v6.0 policy package to v6.2. |
585177 | FortiManager is unable to create VIPv6 virtual server objects. |
597011 | Importing groups from Aruba ClearPass may fail. |
599129 | While editing policy from Policy Package, it is not possible to select SSL/SSH Inspection profile. |
613171 | FortiManager is unable to export 3000 Policies to Excel Spreadsheet and return error InternalError: "too much recursion". |
617894 | FortiManager is missing IPV6 none values after modifying policy. |
623833 | Username cannot exceed 35 characters. |
631311 | Promoting object groups to global may attempt to install contained objects back to ADOM upon global policy package assignment. |
645058 | Existing objects may disappear while editing policy and adding new one in batch mode. |
647189 | FortiManager dynamic object filter generator is adding an "s" at the end of tag resulting in non-working object. |
648767 | No connection request is sent out for ClearPass connector in ADOM. |
648815 | Package with address group in SSL inspection cannot be installed to FortiGate. |
650339 | Source or destination address may not show in policy. |
652753 | FortiManager may show entry IDs instead of names when an obsolete internet service is selected. |
655248 | Policy Consistency Check may return duplicate address object names. |
615624 | Firewall policy and proxy policy cannot select IP type external resource as address. |
651955 | Threat feed is not deleted by install even if it is removed from a policy. |
654562 | FortiManager may fail to install profile-group and apply it on a policy. |
632771 | Sometimes users are not updated on FortiManager after a new session is created on ISE. |
Revision History
Bug ID | Description |
---|---|
597650 | FortiManager cannot install allowed DNS and URL threat feed configuration. |
604927 | FortiManager can create custom device without category which may lead to failed installation. |
618305 | FortiManager changes configuration system csf settings. |
586275 | Policy Package Diff does not show user or admin details. |
496870 | Fabric SDN Connector is installed on FortiGate even if it is not in use. |
587682 | Installing mobile token that does not belong to target FortiGate may fail. |
606005 | FortiManager may not show interface delta changes. |
606737 | User may not be able to install policy package due to change with external interface with VIP settings. |
611169 | Install may fail with error "Associated Interface conflict detected!" |
612263 | FortiManager may not install ADSL vci and VPI to FWF-60E-DSL. |
623159 | Zone validation in re-Install Policy is not saving the user choice and deleting all related policies. |
635786 | Default hbdev values may change after upgrade. |
635957 | Install fails for subnet overlap IP between two interfaces. |
637103 | Scrolling in install preview is not smooth and may get stuck. |
647180 | Install copy may fail with error message "ftgd-wf – – The category is already set in another filter." |
650239 | Installation fails with "wireless-controller vap mesh-backhaul" setting despite setting being disabled on FortiManager. |
652337 | VPN Manager changes may result in unnecessary FortiGate configuration changes. |
654496 | When installing configuration to a device after Auto link, FortiManager may send incorrect system ntp commands causing install to fail. |
655246 | The adom-rev-auto-delete option may not work to automatically delete revisions. |
Script
Bug ID | Description |
---|---|
630016 | FortiGate user can see scripts from all ADOMs. |
632014 | When editing CLI script group, the user cannot see full CLI script name. |
611396 | After locked on a device, FortiManager cannot show the list of devices to run a script. |
613575 | After script is run directly on CLI, FortiManager may fail to reload configuration. |
Services
Bug ID | Description |
---|---|
437935 | FAD-VM license may not be validated on FortiManager. |
541192 | FortiManager should keep firmware image files when the files are for different FortiExtender devices. |
567664 | HA secondary device does not update FortiMeter license. |
587730 | FortiGate-VM64-AZURE may not be listed in firmware image page. |
591821 | FortiManager may not honor the fgd-pull-interval and adjust download times accordingly. |
603414 | FortiManager may show incorrect firmware upgrade path. |
616320 | FortiManager may ignore FortiGuard update schedule. |
652764 | FortiManager Enforce Firmware Version may fail to upgrade FortiGate to a custom build. |
654129 | FortiManager may not have the correct upgrade path for FortiGate KVM. |
System Settings
Bug ID | Description |
---|---|
556334 | Standard ADOM users should be able to assign system templates to FortiGate devices. |
586626 | Users should be able to identify who locked their assigned ADOM. |
596212 | SSH filter profile is unset in firewall profile group upon ADOM upgrade. |
611215 | SNMP Hosts in SNMP Community are not displayed in the GUI if ADOM is unlocked. |
631733 | Changing trusted IP can be saved and installed. |
479723 | FortiManager may have no control to Fabric View in admin profile. |
489837 | Certificate request CRS does not include the SAN DNS. |
598194 | FortiManager two-factor authentication admin login is missing the option for FTK Mobile push notification authentication. |
614127 | FortiManager should show details in the fnbamd debug if login fails due to trusted hosts. |
623457 | FortiManager prompts error while importing CA certificate. |
625683 | Changes made by ADOM upgrade may not update "Last Modified" date/time and user admin. |
639099 | There are many "cdb event log for object changed" in event logs after upgrade. |
650326 | After HA failover, the new master may have incorrect policies. |
652417 | FortiManager HA may go out of synchronization periodically based on the logs. |
654637 | Changing a non super user password may not take effect after an upgrade. |
655515 | FortiManager may not be able to clone the Security Fabric ADOM. |
VPN Manager
Bug ID | Description |
---|---|
596953 | The Monitor page displays a white screen when the user goes to VPN manager > Monitor, and selects a specific community from the tree menu to show only that community’s tunnels. |
576601 | FortiManager should be able to manage phase2 selectors separately. |
608221 | There is no "XAUTH USER" column in VPN Manager Monitor. |
620801 | SSLVPN > Edit SSLVPN Settings > IP Range only shows configuration from ADOM database objects. |
645093 | VPN Manager error Peer type cannot be peer when authentication method is pre-share key. |
647413 | User should be able to select the OS to allow or deny an SSL-VPN tunnel connection. |
650454 | Installation may fail when Dialup VPN interface is PPPoE logical interface. |
653328 | FortiManager is unable to edit a SSL portal in VPN Manager containing "/" special character. |
FortiManager 6.4.2 – Release Notes (click)
Regards,
The B&B Team
Security in business