Software vendor Fortinet has released an update for FortiManager, version 7.0.1. The latest update contains many fixes to earlier versions as well as a few interesting new features. The new version fixes a bug in which the configuration status could be shown as modified after a FortiGate was added to FortiManager. It also resolves a number of errors in which users who held the required permissions were unable to edit the configuration. Also resolved are problems with crashing processes that returned errors inconsistent with the actual state. For more interesting details, read the rest of the article.
Currently supported models:
Product | Models |
---|---|
FortiManager | FMG-200F, FMG-200G, FMG-300F, FMG-400E, FMG-1000F, FMG-2000E, FMG-3000F, FMG-3000G, FMG-3700F, and FMG-3900E. |
FortiManager VM | FMG-VM64, FMG-VM64-AWS, FMG-VM64-Azure, FMG-VM64-GCP, FMG-VM64-HV (including Hyper-V 2016, 2019), FMG-VM64-KVM, FMG-VM64-OPC, FMG-VM64-XEN (for both Citrix and Open Source Xen). |
Resolved issues:
AP Manager
Bug ID | Description |
---|---|
513324 | Users should be able to delete multiple APs in AP Manager. |
674636 | SSID may be empty in the AP Manager> WiFi Profiles> SSID column. |
677419 | FortiManager may show installation error on dual-5G radio band while pushing wireless-controller configuration. |
689325 | FortiManager may not be able to configure Channel 13 for Germany AP profile. |
698004 | When installing to a 6.4 FortiGate device from a 6.2 ADOM, there may be an issue with set vap-all manual within the AP Profile. |
706233 | FortiManager may not detect changes in AP Manager > SSID > Pre-shared Key Password and display the message No record found. |
712669 | FortiManager may set darrp as enable when the Radio mode is set to monitor causing the installation to fail. |
716135 | There may be a verification error when trying to install FortiAP with the 2.4GHz Radio 1 channel disabled. |
Device Manager
Bug ID | Description |
---|---|
521976 | Users may not be able to enable CSV format within a system template. |
603820 | FortiManager fails to import a policy when reputation-minimum and reputation-direction are set. |
615044 | Configuration status may be shown modified after adding FortiGate to FortiManager. |
640907 | FortiManager is unable to configure FortiSwitch port mirroring. |
649260 | Device Manager may return an error when deleting VPN phase1. |
664120 | When FortiGate HA secondary unit is down, action is displayed as promote in Device Manager. |
672344 | If a managed FortiAnalyzer is in HA, setting Send Logs to "Managed FortiAnalyzer" in the system template may cause an install error. |
690493 | License check setting may not be saved. |
692200 | FortiManager may return conflict after a zero-touch-provisioning cluster deployment. |
694713 | When Workspace mode is enabled, the SD-WAN template may sporadically disappear. |
696576 | The available Explicit FTP proxy certificates are not consistent with the ones available in the FortiGate. |
697596 | Advanced Options is not displayed when creating a new interface. |
701348 | Once VRPP instance is created, the user should be able to edit or delete it. |
702906 | DHCP Relay Service may not be deleted when it is configured on VLAN interface. |
708937 | FortiManager may randomly update the geographical coordinates of a FortiGate device. |
709214 | System template should allow source interface to be selected when Specify is activated as interface-select-method. |
709302 | SD-WAN monitor search function on the table view does not actually search but only highlights. |
711005 | Under backup ADOM, FortiManager should hide the selection for Provisioning Templates and Policy Packages in add device wizard, device dashboard, and device edit page. |
711713 | DHCP relay is displayed as DHCP server when Workspace is unlocked. |
711888 | FortiManager is not retrieving and saving the vdom-exception configuration. |
713267 | Searching for FortiGate name when editing a device group should display FortiGate device name with all the VDOMs. |
714036 | SD-WAN widget cannot be loaded when a rule uses a specific SLA target. |
714208 | Device Manager may not be able to save scan-botnet-connections option in interface settings page. |
714710 | Secondary interface configuration may not show on Device Manager. |
719028 | FortiManager may not update FortiGate’s VDOM license information when it is changed. |
719568 | There should be Has Log Disk in editing device page. |
726990 | When an administrator has access to a specified device group, FortiManager may remove devices that do not belong to the group when synchronizing device list to FortiAnalyzer. |
FortiSwitch Manager
Bug ID | Description |
---|---|
700023 | Install may fail with switch-controller managed-switch:poe-pre-standard-detection after upgrade. |
713492 | In the per-device mapping of the VLANs in FortiSwitch Manager, the Specify option for the gateway is not saved in the database. |
713553 | FortiSwitch Template sflow counter interval value variance between 6.0 and 6.2 ADOMs. |
Global ADOM
Bug ID | Description |
---|---|
680798 | FortiManager may return an error, Could not read zone validation results, when assigning global ADOM changes with Automatically Install Policies to ADOM Devices. |
693510 | Display Options for Object Config will reset to default after some time. |
710963 | FortiManager may show unclear error message when trying to promote an object from an ADOM to Global database in Workspace or Workflow mode. |
722562 | Users may not be able to filter when assigning global policy. |
724229 | Global ADOM display options may be reset to default after reboot. |
Others
Bug ID | Description |
---|---|
669191 | The fdssvd daemon may randomly crash. |
695782 | Connection to FortiGate may fail with multiple fgfmsd crashes. |
704545 | FortiManager may stop responding when there is a lot of Workflow sessions and users try to disable the Workflow mode with the GUI. |
706516 | Securityconsole may crash when there are quotes around group name. |
715601 | Under some conditions, disk usage may reach 100% after a few days. |
728375 | JSON API may return runtime error 0: invalid value error when getting dynamic mapping with the fields attribute. |
724470 | The dmworker may crash on device retrieve or revision import. |
Policy and Objects
Bug ID | Description |
---|---|
487186 | FortiManager may install a different local category ID to FortiGate causing a conflict with custom URL rating list. |
569446 | Interface subnet address object may show any as interface instead of the selected interface. |
580880 | FortiManager is unable to see dynamic mapping for Local Certificate if a Workflow session is created. |
636537 | CLI Only Objects > user > peergrp is not able to delete peergrp. |
642708 | View Mode may unexpectedly change from Interface Pair View to By Sequence mode. |
654172 | There may be webfilter local category ID mismatch between FortiManager and FortiGate causing incorrect action when using Custom URL List. |
659543 | FortiManager is not allowing reorder between Policy Blocks. |
663109 | FortiManager should not allow the user to select a profile group in a flow-based policy that uses a proxy-based feature. |
666091 | After cloning a policy package, the cloned policy package loses the installation targets. |
672035 | There may be an error when importing AWS credential from FortiGate to FortiManager. |
675501 | Policy check may show negative values. |
679282 | Editing a global object in an ADOM is not possible and generates the error Undefined is not iterable. |
684728 | FortiManager and FortiGate should have equivalent filter list entries. |
696367 | Hit count, First used, and Last used may not get updated on FortiManager. |
696489 | The URL Filter in a Web Filter profile may not be enabled properly. |
701526 | There may be an issue when scrolling down to view policy consistency results. |
702621 | When adding a remote usergroup when the LDAP service is unreachable, the Manually specify option is only available after a timeout. |
704148 | FortiManager is missing some IPS signatures while they are available on FortiGate. |
704637 | Firewall policy and VIPs may get deleted on policy package installation. |
705025 | Find Unused Policies may report incorrect session data for security policy. |
707953 | IPS sensor may incorrectly set the action to pass instead of block when quarantine is set. |
708877 | FortiManager 6.0 ADOM should not allow users to set ISDB objects that are not supported on FortiOS 6.0. |
709435 | FortiManager may not be able to import existing Azure SDN Connector from FortiGate. |
711121 | Enabling FortiGuard Outbreak Prevention database does not match FortiGate’s behavior. |
712150 | The Search function in Address may not work after upgrading FortiManager to 6.4.5. |
712213 | Users may not be able to filter a policy using the Inspection Mode field. |
712900 | When new folders are created and the default policy package is deleted, then the new policy package cannot be created. |
713216 | When the policy package is large, it is slow to load the policy package, install the policy package, or view sessions revision diff in Workflow mode. |
713682 | FortiManager changes the Web URL Filter name on its own when saving a Web Filter Profile. |
715275 | FortiManager may not be able to show specific signature. |
715722 | Users may not be able to delete global object. |
719700 | FortiManager may have incorrect IPS default action entries in the database. |
719981 | The Where Used function may return no result for Internet Service objects. |
725274 | GUI may be slow when filtering many entries with DNS filter. |
726424 | IPS signature list may be empty after upgrade. |
727329 | FortiManager may fail to identify case sensitivity with interfaces having similar names for the Normalized Interface settings. |
729287 | User may not be able to edit DNAT. |
Revision History
Bug ID | Description |
---|---|
638060 | Installing an existing revision or renaming a revision should be allowed in backup ADOM. |
685509 | FortiManager may unset authmethod-remote causing the install to fail. |
691240 | FortiManager should not unset the value forward-error-correction with certain FortiGate platforms. |
693225 | FortiManager may install unset inspection-mode to FortiGate 6.2 device in 6.0 ADOM. |
694380 | Installation may fail when set whitelist enable in ssl-ssh-profile is pushed to FortiGate 6.2 from a 6.0 ADOM. |
697642 | Connecting unauthorized FortiSwitch to a managed FortiGate may cause issues on FortiManager when auto-update is disabled. |
708913 | FortiManager may try to set sflow-counter-interval and unset trunk-member resulting in installation failure. |
715313 | FortiManager may not enable the option FortiGuard Category Based Filter after FortiManager is synchronized with FortiGate. |
724976 | In a Zero Touch Provisioning deployment, the device database may get wiped by an AutoRetrieve task. |
728422 | Policy validation may fail due to dynamic mapping for a global object intended for a FortiGate 6.2 device that is in a 6.0 ADOM. |
728447 | Installation may fail due to VIP’s mapped IP as a range with two identical IP addresses. |
Script
Bug ID | Description |
---|---|
645684 | Users may not be able to run TCL script in Workflow mode. |
668876 | Using CLI script to create SD-WAN with auto-numbering, edit 0, may not work. |
689775 | Users may not be able to edit an empty CLI Script Group. |
701777 | Application ID is not being configured after policy script execution. |
707952 | Copying a CLI Script Group from one ADOM to another ADOM may not work. |
715305 | When changing the system setting opmode from nat to transparent via a script, FortiManager may return failure to commit to database stating that there is no interface. |
715623 | Running a script on the device database may not update the Save status. |
715632 | Script configuring AntiVirus quarantine may fail. |
721740 | FortiManager may fail to run CLI script on Device DB after a dmworker crash. |
Services
Bug ID | Description |
---|---|
567664 | HA secondary unit does not update FortiMeter license. |
673302 | FDS updates may fail with TLS v1.3. |
688498 | FortiSwitch version shown in the FortiGuard package page is not seen on FortiGate. |
695685 | FortiGate HA firmware upgrade may fail when both HA units need disk check. |
712062 | FortiSwitch and FortiAP upgrades may fail with Response with errors by using FortiGuard image. |
714596 | For web filter query, FortiManager should support category 9 mapping data. |
714787 | FortiManager should have a diagnose command to force web filtering database merge. |
System Settings
Bug ID | Description |
---|---|
598194 | FortiManager two-factor authentication admin login is missing the option for FTK Mobile push notification authentication. |
625683 | Changes made by ADOM upgrade may not update Last Modified date/time and user admin. |
637377 | If Manage Device Configurations is set to none in the admin profile, the user may not be able to see interfaces in policies. |
667284 | FortiManager should have a better log message when aborting device upgrade. |
687171 | Users may not be able to assign devices to the ADOMs which they have full access to. |
687968 | FortiManager should not change ipv6-autoconf to disable when management access is changed to the ipv6-autoconf enable state. |
697082 | Schedule SCP backup may fail due to incorrect default port number. |
700142 | FortiManager should allow the user to configure more than eight hosts per SNMP community. |
702165 | Wildcard search may not work for Event logs. |
705185 | ADOM upgrade may cause per device mapping of VLANs in FortiSwitch Manager change to 0. |
708939 | Dashboard is showing incorrect GB per day and Device Quota information when FortiManager is enabled. |
709873 | Global task assignment time may not be accurate. |
711446 | Copy may fail due to invalid protocol options when both FortiGate and ADOM are upgraded to v6.2. |
713233 | FortiManager may fail to upgrade firmware resulting in cdbupgrade task error on console and process crashes. |
714210 | LDAP admin group search should be done with the service or administrator bind account. |
714635 | FortiManager backup file size may increase gradually when the IPS package is updated. |
723117 | Admin user may not be able to see who has locked an ADOM. |
726138 | After upgrade, FortiSwitch Template setting poe-pre-standard-detection may cause the installation to fail. |
727458 | FortiManager may not allow users to access all the VDOMs within an ADOM. |
VPN Manager
Bug ID | Description |
---|---|
695879 | Edit community may not be able to set VPN zone to Off via the GUI. |
Known issues:
AP Manager
Bug ID | Description |
---|---|
673020 | Creating SSID interface with central AP Manager automatically generates normalized interface name that has no default mapping configuration. |
Device Manager
Bug ID | Description |
---|---|
545239 | After adding FortiAnalyzer fabric ADOM to FortiManager, Device Manager’s Log Status, Log Rate, or Device Storage column cannot get data from FortiAnalyzer. |
554241 | FortiManager cannot delete and reassign ports to VDOM when split VDOM is enabled. |
563690 | Device Manager fails to add a FortiAnalyzer which contains a FortiGate HA device with the error: serial number does not match database. |
596711 | FortiManager CLI Configuration shows incorrect default wildcard value for router access-list. |
610568 | FortiManager may not follow the order in CLI Script template. |
636638 | Fabric View may stall at loading. |
651560 | SD-WAN monitor may get stuck loading when the admin user belongs to device group. |
660491 | Device Manager system interface should not allow a duplicate secondary IP address. |
665207 | FortiManager needs IPv6 support on Syslog server setting. |
670577 | When creating an API admin from a CLI Configuration, the Trusted Host section is missing. |
673548 | FortiManager may not be able to make any change to the FortiGate interface settings when the interface type is Software Switch. |
674904 | FortiManager may not be able to import policy with interface binding contradiction on srcintf error. |
689721 | When changing FortiGuard related settings via CLI Configuration, FortiManager shows changes are reverted back, and it also shows the message: Successfully updated. |
696730 | FortiManager is unable to promote Secondary FortiGate as Primary in a HA Cluster. |
710570 | The Any statement is not accepted by FortiManager in the prefix-list configuration. |
728687 | Policy package status may change to Modified on all FortiGate devices when a dynamic address group changes. |
729301 | A managed FortiGate with assigned CLI template remains in Modified state following a successful device configure installation. |
729606 | FortiManager should show where a Device Zone is used under Device Manager. |
FortiSwitch Manager
Bug ID | Description |
---|---|
674539 | FortiManager may fail to upgrade two FortiSwitch devices at the same time. |
Global ADOM
Bug ID | Description |
---|---|
667197 | User should not be able to delete a Global object when the ADOM is not locked. |
Others
Bug ID | Description |
---|---|
510508 | FortiManager cannot assign multiple ADOMs to an admin user via JSON API. |
657997 | Assigning a device to a system template may not work via JSON when FortiManager is in Workspace mode. |
677304 | The diagnose command cannot filter download objects by objid. |
697361 | FortiExtender status may not display correctly. |
732144 | Some older FortiManager platforms may be not able to login with a FortiCloud account. |
Policy & Objects
Bug ID | Description |
---|---|
538057 | The OR button in column filter may not work. |
584288 | FortiManager may not be able to load configuration of virtual server on the policy page. |
585177 | FortiManager is unable to create VIPv6 virtual server objects. |
644822 | Imported SDN Connector Objects may change to random names. |
646329 | Policy Check may claim that different IPS profiles are duplicate. |
652753 | When an obsolete internet service is selected, FortiManager may show entry IDs instead of names. |
655601 | FortiManager may be slow to add or remove a URL entry on Web Filter with a large list. |
656991 | FortiManager should not allow VIP to be created with same IP for External IP and Mapped IP Address. |
659296 | FortiManager may take a lot of time to update Web Filter URL filter list. |
666258 | A user should not be able to create a firewall policy with an Internet Service with Destination direction in Source using drag and drop. |
670061 | FortiManager does not report error when an unsupported FQDN address format is created. |
681006 | Domain Name and FortiGuard Category Threat Feeds are not installed when set as Allow action in security profiles. |
682356 | FortiManager may not be able to map normalized interface. |
688586 | Exporting Policy Package to CSV shows certificate-inspection in the ssl-ssh-profile column even when the profile is not in use. |
711964 | Wildcard certificate should be able to be used for Deep Inspection. |
713692 | Web Filter Profile install may fail when using pre-defined URL filter. |
716114 | FortiManager should push changes in ssl-ssh-profile with Untrusted SSL Certificates setting reverted from Block to Allow. |
719774 | IP reputation for the policies are not working without Source or Destination. |
725024 | Proxy Policy page shows empty when the View Mode is selected as Interface Pair View. |
725427 | Policy package install skips the policy where destination interface is set as SD-WAN zone and policy is IPSEC policy. |
731053 | FortiManager may miss some Internet Service entries. |
Revision History
Bug ID | Description |
---|---|
618305 | FortiManager changes configuration system csf settings. |
635957 | Install fails for subnet overlap IP between two interfaces. |
672609 | After import, FortiManager may prompt a password error to administrator during install. |
674094 | FortiManager may unset explicit proxy’s HTTPS and PAC ports and change the value to 0 instead. |
724447 | When managing a dual chassis SLBC cluster, install may fail when private data encryption is enabled and cluster was previously failed-over. |
728117 | After upgrade, install may fail due to set pri-type-max 1000000. |
729587 | FortiManager may create an already deleted admin account on FortiGate when installing changes for a new VDOM. |
Script
Bug ID | Description |
---|---|
630016 | A FortiGate user can see scripts from all ADOMs. |
679313 | Meta variables used in CLI template should work with both Device and Device VDOM types. |
729571 | TCL script commands run on device no longer show in the script log. |
Services
Bug ID | Description |
---|---|
725118 | FortiManager may not log FortiGuard connectivity failures. |
System Settings
Bug ID | Description |
---|---|
616703 | GUI CLI Console may not respond. |
617601 | Sort by Time Used in task monitor may not be correct. |
652417 | FortiManager HA may go out of synchronization periodically based on the logs. |
690926 | FortiManager is removing SD-WAN field description upon ADOM upgrading from 6.2 to 6.4. |
723447 | After ADOM upgrade, install may fail due to wildcard FQDN type firewall address for Microsoft update. |
726007 | Admin User systematically gets access to Root ADOM in case of RADIUS authentication and "Fortinet-Vdom-Name" VSA not set. |
729280 | Admin User with no access to management ADOM or VDOM can create a new VDOM from non-management ADOM > VDOM. |
VPN Manager
Bug ID | Description |
---|---|
615890 | IPSec VPN Authusergrp option Inherit from Policy is missing when setting xauthtype as auto server. |
699759 | When installing a policy package, per device mapped objects used in SSL VPN cannot be installed. |
712633 | VPN Manager pushes default dpd-retrycount and dpd-retryinterval, but it cannot display them. |
721783 | Applying Authentication or Portal Mapping changes may take several minutes. |
722924 | FortiManager may not be able to edit skip-check-for-unsupported-os enable under SSL portal profile. |
Vendor release notes: FortiManager 7.0.1
Regards,
The B&B Team
Security in Business