Fortinet has released the latest update for FortiManager, version 6.4.5. This release fixes a bug that could remove all interface members from SD-WAN rules after an upgrade. An issue where the IPS profile might not load has also been resolved. A bug where FortiManager could fail to check in a configuration revision with the HA secondary unit has been fixed as well. For more information, read the rest of the article.
Supported models:
| FortiManager | FMG-200F, FMG-300E, FMG-300F, FMG-400E, FMG-1000F, FMG-2000E, FMG-3000F, FMG-3000G, FMG-3700F, FMG-3900E, and FMG-4000E. |
| FortiManager VM | FMG-VM64, FMG-VM64-Ali, FMG-VM64-AWS, FMG-VM64-AWSOnDemand, FMG-VM64-Azure, FMG-VM64-GCP, FMG-VM64-HV (including Hyper-V 2016, 2019), FMG-VM64-KVM, FMG-VM64-OPC, FMG-VM64-XEN (for both Citrix and Open Source Xen). |
You can use any of the following FortiManager models as a host for management extension applications:
| FortiManager | FMG-3000F, FMG-3000G, FMG-3700F, FMG-3900E, and FMG-4000E. |
| FortiManager VM | FMG-3000F, FMG-3000G, FMG-3700F, FMG-3900E, and FMG-4000E. |
Resolved issues:
Device Manager
| Bug ID | Description |
|---|---|
| 610134 | FortiManager may not be able to save the admin setting page. |
| 616387 | Device configuration dashboard cannot update hostname or VDOM. |
| 658832 | FortiManager is unable to retrieve priority-members if outgoing interface is using the Manual strategy in SD-WAN rule. |
| 659387 | FortiManager should be able to provision CLI-template, SD-WAN-template, and Policy Package together to the model device. |
| 684372 | When using VDOMs, Policy Package status remains in modified status after using Push to device. |
| 684955 | Customized system dashboard may disappear after a while. |
| 684961 | Registration with NSX-T may fail with error: Register service failed. |
| 688541 | FortiManager should not unset dynamic-vlan of wireless-controller VAP and gateway of router settings after import. |
| 688972 | SD-WAN rules may lose all interface members after upgrade. |
| 689920 | FortiWeb serial number may not be correctly recognized and firmware version is not available in the Add device wizard. |
| 690241 | FortiManager may fail to auto-link with FortiGate with error: Failed to update device management data 'invalid value – devmgmtdatafailed|invalid value. |
| 696496 | auto-link may fail when Workspace is enabled. |
Others
| Bug ID | Description |
|---|---|
| 667421 | FortiManager may report repeated miglogd crashes which cause log loss. |
| 671444 | FortiManager may fail to check-in configuration revision with the HA secondary unit. |
| 682404 | The rtmmond process memory usage may increase constantly. |
Policy and Objects
| Bug ID | Description |
|---|---|
| 660483 | IPS signatures may not match between FortiGate and FortiManager. |
| 677385 | IPS profile may not load. |
| 686591 | FortiManager may not be able to add individual VWP interface members to multicast policy. |
| 688589 | Setting the Local Webfilter Category Action to Allow should not disable the action when installed on FortiGate. |
| 690509 | FortiManager may fail to install ACI-Direct connector to FortiGate due to server-list command. |
Services
| Bug ID | Description |
|---|---|
| 677875 | Scheduling firmware upgrades may cause fds_svrd to consume 100% CPU resource. |
| 694903 | Some firmware upgrade paths may have issues. |
System Settings
| Bug ID | Description |
|---|---|
| 690921 | ADOM upgrade from 6.0 to 6.2 should not add custom ssl-ssh-profile to policies which were not configured for SSL inspection. |
VPN Manager
| Bug ID | Description |
|---|---|
| 685704 | After upgrading FortiManager, installing to any device participating in the full mesh VPN may fail with copy error fetch device/vdom list failed. |
Known issues:
AP Manager
| Bug ID | Description |
|---|---|
| 633171 | There may be DFS Channel mismatch between FortiManager and FortiGate for FAP-223E. |
| 648812 | DHCP server is incorrectly created for Bridge SSID. |
| 674636 | SSID may be empty on AP Manager > WiFi Profiles > SSID column. |
Device Manager
| Bug ID | Description |
|---|---|
| 485037 | Monitor > Map view may fail if proxy is enabled. |
| 545239 | After adding FortiAnalyzer fabric ADOM to FortiManager, Device Manager’s log status, Log Rate, or Device Astore column cannot get data from FortiAnalyzer. |
| 554241 | FortiManager cannot delete and reassign ports to VDOM when split VDOM is enabled. |
| 563690 | Device Manager fails to add FortiAnalyzer which contains a FortiGate HA device with error: Serial number does not match database. |
| 575215 | When creating a new interface for a VDOM, FortiManager may list interfaces that may belong to another ADOM. |
| 596711 | FortiManager CLI Configuration shows incorrect default wildcard value for router access-list. |
| 598431 | Install wizard may show a blank area when scrolling down the wizard to select device(s). |
| 604125 | FortiManager may not be able to edit VDOM link interface from VDOM level. |
| 610568 | FortiManager may not follow the order in CLI Script template. |
| 615044 | Configuration status may be shown as modified after adding FortiGate to FortiManager. |
| 624325 | Creating or editing transparent VDOM to disable may get stuck at 20%. |
| 630316 | After auto-conf IPv6 address is changed on FortiGate, the address is not updated in the device database. |
| 636357 | Retrieve may fail on FortiGate cluster with Failed to reload configuration. invalid value error. |
| 636638 | Fabric view may get stuck at loading. |
| 640907 | FortiManager is unable to configure FortiSwitch port mirroring. |
| 651560 | SD-WAN monitor may get stuck loading when an admin user belongs to a device group. |
| 652052 | FortiManager may fail to add another FortiManager in Fabric ADOM. |
| 654611 | Under Advanced mode and within a VDOM, clicking Device Manager on the top menu returns the no permission error. |
| 659981 | FortiManager should be able to identify and show default SSL-SSH profile as read-only profiles. |
| 660491 | Device Manager system interface should not allow duplicated secondary IP address. |
| 665207 | FortiManager needs IPv6 support on Syslog server setting. |
| 665955 | FortiManager is not reflecting proper admin timeout value in CLI only object. |
| 666872 | BGP Neighbors table does not have height limit and vertical scrollbar. |
| 667738 | GUI should generate error message when using invalid IP address or special characters in interface name. |
| 670535 | Install fails when creating a new DHCP reservation due to missing MAC address. |
| 670577 | When creating an API admin from CLI Configuration, trusted host section is missing. |
| 673548 | FortiManager may not be able to make any changes to the FortiGate interface settings when the interface type is Software Switch. |
| 674123 | SD-WAN template > SD-WAN Rules options for Load Balance Mode do not match those on FortiOS. |
| 674904 | FortiManager may not be able to import policy with interface binding contradiction on srcintf error. |
| 676002 | FortiManager is not re-installing a policy when the user selects all devices with VDOMs from Device Manager. |
| 678495 | FortiManager VPN L2TP may prompt invalid ip range. |
| 680516 | Host Name is truncated when name has more than 31 characters. |
| 681627 | FortiManager is accepting DNS source IP even though it is not part of the available interfaces. |
| 683411 | FortiManager may not display a FortiGate under the Device Manager > Managed Devices. |
| 684462 | FortiManager truncates the device configuration when downloading from View configuration option. |
| 689014 | FortiManager may return an error when changing FortiGate device log configuration from FortiManager with management VDOM is moved to another VDOM. |
| 689721 | When changing FortiGuard related settings via CLI Configuration, FortiManager shows changes are reverted back but it also shows the message: Successfully updated. |
| 690493 | License check setting may not be saved. |
| 690566 | Changes to the Disclaimer Page may not be saved with error. |
| 690608 | Duplicate entries for FortiExtenders may exist with same serial number. |
| 692669 | Browser may display a message, A webpage is slowing down your browser, while checking revision difference. |
FortiSwitch Manager
| Bug ID | Description |
|---|---|
| 667703 | After adding FortiSwitch, running a script to provision may fail. |
| 674539 | FortiManager may fail to upgrade two FortiSwitch devices at the same time. |
| 676739 | FortiManager may not be able to delete VLAN interfaces created by FortiSwitch Manager. |
| 690995 | FortiSwitch Manager should not install the auto-detected setting to FortiGate. |
Global ADOM
| Bug ID | Description |
|---|---|
| 662216 | In Global ADOMs the Where Used tool may not show object usage in ADOM. |
| 667197 | User should not be able to delete global object when ADOM is not locked. |
| 680798 | FortiManager may return error, Could not read zone validation results, when assigning global ADOM changes with Automatically Install Policies to ADOM Devices. |
| 689965 | Replacement message type UTM is not being pushed from global ADOM to local ADOM. |
| 691562 | Threat feeds global objects are not installed to destination ADOM when using the Assign All object option. |
| 693510 | Display Options for Object Config will reset to default after some time. |
Others
| Bug ID | Description |
|---|---|
| 510508 | FortiManager cannot assign multiple ADOMs to an admin user via JSON API. |
| 605560 | Flag is_model and linked_to_model are not working when adding model device with JSON API. |
| 667442 | FortiManager may not be able to connect to FortiGate CLI via SSH widget or execute TCL scripts. |
| 678322 | Rebuilding database may never start when FortiAnalyzer mode is enabled. |
| 680806 | GUI access for multiple administrators may hang when upgrading multiple FortiGate devices. |
| 681625 | The svc cdb reader process may crash during ADOM upgrade. |
| 681707 | The diagnose cdb upgrade check +all command may unset defmap-intf. |
| 683841 | FortiManager databases may randomly lose integrity. |
| 686460 | ADOM integrity check may run slowly and it takes several minutes to respond for each ADOM. |
Policy & Objects
| Bug ID | Description |
|---|---|
| 538057 | The "OR" button in column filter may not work. |
| 580880 | FortiManager is unable to see dynamic mapping for Local Certificate if workflow session is created. |
| 585177 | FortiManager is unable to create VIPv6 virtual server objects. |
| 593072 | After a non super user deleted a device, "super_user" admin cannot edit zone or interface with the deleted device's dynamic mappings. |
| 601696 | FortiManager may add unexpected IPv6 address to IPv6 address field when deleting ::/0. |
| 607628 | After deletion, creating another DNS Filter object with the same name and "Domain Filter Subtable" returns a duplicate error. |
| 608535 | NAT option is missing from Central NAT policy package. |
| 615624 | Firewall policy and proxy policy cannot select IP type external resource as address. |
| 617894 | FortiManager is missing IPV6 none values after modifying policy. |
| 623100 | FortiManager is constantly changing UUID for firewall address object. |
| 630431 | Some application and filter overrides are not displayed in the GUI. |
| 631158 | FortiManager is unable to import firewall objects of fsso fortiems-cloud user due to Server cannot be empty. |
| 646329 | Policy Check may claim that different IPS profiles as duplicate. |
| 652753 | When an obsolete internet service is selected, FortiManager may show entry IDs instead of names. |
| 655601 | FortiManager may be slow to add or remove a URL entry on web filter with a large list. |
| 656991 | FortiManager should not allow VIP to be created with same IP for External IP and Mapped IP Address. |
| 659296 | FortiManager may take a lot of time to update web filter URL filter list. |
| 663109 | FortiManager should not allow user to select a profile group in a flow-based policy that uses a proxy-based feature. |
| 666258 | User should not be able to create a firewall policy with an Internet service with Destination direction in Source by using drag and drop. |
| 670061 | FortiManager does not report error when an unsupported FQDN address format is created. |
| 675509 | FortiManager may randomly set IPv4 IP Pool object to overload. |
| 677528 | Address object search may not display the address group which contains the searched object within the group. |
| 679282 | Editing a global object in an ADOM is not possible generating error, undefined is not iterable. |
| 681006 | Domain Name and FortiGuard Category Threat Feeds are not installed when set as Allow action in security profiles. |
| 681453 | Copy fails for address and group from the exempt list of an SSL profile not used in the policy package. |
| 682356 | FortiManager may not be able to map normalized interface. |
| 683167 | Policy Package single entry change may impact all Policy Package Installation Targets status. |
| 684081 | Policy Check and Find Unused Policies may not work for FortiGate in Policy-Based mode. |
| 686902 | FortiManager may not be able to configure ipv4-split-exclude attribute via CLI Object. |
| 686911 | Workflow session may not be able to compare with error: Cannot compare because of invalid Revision Diff data. |
| 686962 | FortiManager is not allowed to rename application control profile. |
| 687460 | The same filter may behave differently between source address and destination address. |
| 687784 | FortiManager may not be able to add rule with ISDB object when a rule is created with add above or below option. |
| 689589 | Internet Services may not match between FortiManager and FortiGate. |
| 690269 | Newly imported Cisco ACI connector object does not appear for selection until browser is refreshed. |
| 692114 | Where Used returns No Record Found when IPS Custom Signature is being used. |
| 694605 | FortiManager may not be able to push the entire Azure SDN Connector configuration. |
Revision History
| Bug ID | Description |
|---|---|
| 606737 | User may not be able to install policy package due to change with external interface with VIP settings. |
| 618305 | FortiManager changes configuration system csf settings. |
| 623159 | Zone validation in Re-Install Policy is not saving the user choice and deleting all related policies. |
| 635957 | Install fails for subnet overlap IP between two interfaces. |
| 664284 | FortiManager may not be able to configure SSH certificate. |
| 671481 | FortiManager may unset inspection-mode for 6.2 FortiGates in 6.0 ADOM during installation. |
| 672609 | After import, FortiManager may prompt password error on administrator during install. |
| 674094 | FortiManager may unset explicit proxy’s HTTPS and PAC ports and change the value to 0 instead. |
| 675867 | The ssl-anomaly-log configuration may be incorrectly pushed by FortiManager when installing 5.6 ADOM policy to 6.0 FortiGate. |
| 679139 | When a policy package is shared between many firewalls, web rating override purge may fail in some scenarios. |
| 687769 | FortiManager may not be able to set auto-asic-offload to disable. |
| 689270 | The following attributes under configs vpn ssl setting may have invalid range: login-attempt-limit, login-block-time, http-request-header-timeout, http-request-body-timeout and router bgp keep-alive-timer. |
| 691835 | FortiManager should be able to move one VLAN to a different zone without deleting many rules or zones. |
| 693225 | FortiManager may install unset inspection-mode to FortiGate 6.2 device in 6.0 ADOM. |
| 694380 | Installation may fail when set whitelist enable in ssl-ssh-profile is pushed to FortiGate 6.2 from a 6.0 ADOM. |
Script
| Bug ID | Description |
|---|---|
| 613575 | After script is run directly on CLI, FortiManager may fail to reload configuration. |
| 630016 | FortiGate user can see scripts from all ADOMs. |
| 668876 | Using CLI script to create SD-WAN with auto-numbering, 'edit 0', may not work. |
| 668947 | Changes using CLI script may not be applied to devices in the container or folder. |
| 671998 | TCL scripts may not work when ssh-kex-sha1 and ssh-mac-weak are not enabled on FortiGate. |
Services
| Bug ID | Description |
|---|---|
| 567664 | HA secondary device does not update FortiMeter license. |
| 616703 | GUI CLI Console may not respond. |
| 617601 | Sort by Time Used in task monitor may not be correct. |
| 680857 | FortiExtender, FortiAP, or FortiSwitch upgrades can fail due to custom image being deleted during or after a failed upgrade. |
System Settings
| Bug ID | Description |
|---|---|
| 517964 | FortiManager may create incorrect certificate and it cannot be deleted. |
| 579964 | FMGVM64-Cloud needs to provide GUI support for ADOM upgrade in system information dashboard. |
| 598194 | FortiManager two-factor authentication admin login is missing the option for FTK Mobile push notification authentication. |
| 614127 | FortiManager should show details in the fnbamd debug if login fails due to trusted hosts. |
| 625683 | Changes made by ADOM upgrade may not update Last Modified date/time and user admin. |
| 635181 | FortiManager is unable to delete mail server with error message used displayed. |
| 652417 | FortiManager HA may go out of synchronization periodically based on the logs. |
| 660130 | Invalid setting of ssl-exempt may cause ADOM upgrade to fail. |
| 670497 | After upgrading FortiManager, syslog configuration may be deleted. |
| 684907 | Changing of FortiGuard Server Location in License Information Dashboard may not have any effect. |
| 686569 | Creating and deleting the static route may remove specific connected route. |
| 687171 | Users may not be able to assign devices to the ADOMs to which they have full access. |
| 687223 | Users may not be able to upgrade ADOM because of profile-protocol-options. |
| 687968 | FortiManager should not change to ipv6-autoconf to disable when management access is changed to the ipv6-autoconf enable state. |
| 688517 | Upgrading ADOM may fail due to FortiExtender Object. |
| 695058 | Radius response packets should not timeout with less of the remoteauthtimeout setting. |
VPN Manager
| Bug ID | Description |
|---|---|
| 681110 | VPN manager may not push any configuration on ADOM 6.0 for dial up VPN on FortiGate. |
Vendor release notes: FortiManager 6.4.5
Best regards,
The B&B Team
Bezpieczeństwo w biznesie
