Producent oprogramowania Fortinet udostępnił aktualizację dla produktu FortiManager o numerze wersji 7.0.2. W najnowszej aktualizacji znalazło się wiele poprawek poprzednich wersji oraz kilka ciekawych nowości. W najnowszej wersji naprawiono problem, który powodował, iż FortiManager mógł losowo usuwać zasady FortiManager IPv4 podczas przypisywania z Global ADOM. Rozwiązano również problem powolnego działania FortiManager’a, gdy wielu użytkowników korzystało z GUI . Rozwiązano także problemy z crashującymi zadaniami aktualizacji AP, które mogło zawiesić się na 45%. W najnowszej wersji pojawiła się także możliwość uruchomienia FortiManager’a w dockerze DockerHub. Po więcej ciekawych informacji zapraszamy do przeczytania dalszej części artykułu.

Aktualnie wspierane modele:

FortiManager	FMG-200F, FMG-200G, FMG-300F, FMG-400E, FMG-1000F, FMG-2000E FMG-3000F, FMG-3000G, FMG-3700F, and FMG-3900E.
FortiManager VM	FMG_DOCKER, FMG-VM64, FMG-VM64-AWS, FMG-VM64-Azure, FMG-VM64-GCP, FMG-VM64-HV (including Hyper-V 2016, 2019), FMG-VM64-KVM, FMG-VM64-OPC, FMG-VM64-XEN (for both Citrix and Open Source Xen).

FortiManager instalacja w dockerze:

Obraz okna dokowanego zweryfikowanego wydawcy Fortinet

Obraz dokera FortiManager 7.0.1 jest dostępny do pobrania z publicznego repozytorium Verified Publisher firmy Fortinet w witrynie dockerhub.

Instrukcja instalacji:

1. Przejdź do dockerhub pod adresem https://hub.docker.com/ .Wyświetlona zostanie strona główna dockerhub.

   

2. Na banerze kliknij Explore .
3. W polu wyszukiwania wpisz Fortinet i naciśnij Enter .Fortinet / FortiManager i Fortinet / FortiAnalyzer wyświetlane są opcje.

   

4. Kliknij fortinet/fortimanager .Zostanie wyświetlona strona fortinet/fortimanager i dostępne są dwie zakładki:  Overview i Tags . Karta Overview jest wybrana domyślnie.

   

5. Na karcie Przegląd skopiuj polecenie docker pull i użyj go, aby pobrać obraz.Polecenie CLI na karcie Przegląd wskazuje najnowszy dostępny obraz. Użyj karty Tags , aby uzyskać dostęp do różnych wersji, jeśli są dostępne.

Rozwiązane problemy:

AP Manager

Bug ID	Description
673020	Creating SSID interface with central AP Manager automatically generates normalized interface name that has no default mapping configuration.
702114	FortiManager is unable to see 5Ghz Clients in Health Monitor.

Device Manager

Bug ID	Description
563690	Device Manager fails to add FortiAnalyzer that contains a FortiGate HA device with error: serial number does not match database.
609859	When installing device settings, the default name for downloaded preview file should be more identifiable for a device.
637388	System Dashboard’s time zones are not sorted within the dropdown list.
638750	Where Used may not work for IPsec Phase 2 allowing users to delete used objects.
662095	FortiManager may take too much time to send SLA updates to over thousands of FortiGate devices.
665207	FortiManager needs IPv6 support on Syslog server setting.
691611	FortiManager does auto-retrieve and causes all policy package statuses to become unknown after a new VDOM is created on FortiGate.
696330	FortiManager may change all devices to Managed FortiGate when hiding all unauthorized devices, and it cannot be switched back.
696524	Promote button task does not work and hangs, if FortiManager cannot SSH access to HA cluster.
696730	FortiManager is unable to promote Secondary FortiGate as Primary in a HA Cluster.
698388	FortiManager cannot edit or create a static route with SD-WAN returning an error.
705448	Device connection status may remain up after shutting down device port and updating device status.
713833	It may not be possible to rename device zone.
714611	Creating interface from VDOM may return No Match Found error.
718184	AutoUpdate with unset options and unset post-lang may cause device database and policy package status to display as OUT-OF-SYNC.
719968	SD-WAN Monitor should properly show the Map View of all devices.
724600	FortiManager may not be able to install static default route for SD-WAN from Static route Template.
725570	FortiManager may return device can not be empty error when creating or editing a static route on SD-WAN interface.
726167	Installing static route template may fail because interface is in another VDOM.
727123	Meta Field is not translating values with spaces into correct scripts.
728655	Configuration status may not be shown as Synchronized after installation.
728687	Policy package status may change to Modified on all FortiGate devices when a dynamic address group changes.
729301	A managed FortiGate with assigned CLI template remains in Modified state following a successful device configure installation.
729606	FortiManager should show where a Device Zone is used under Device Manager.
730482	CLI Template cannot add system DNS database entries if set domain contains the underscore character (_).
731204	FortiManager may incorrectly display Object already exists message while creating a new Hardware Switch interface.
731551	FortiManager may return error, Failed to synchronize FortiAnalyzer with current ADOM data.Fail(errno=-3):Object does not exist, when adding FortiAnalyzer devices.
732246	Clock format option no longer works to format date in TCL scripts.
733076	Model device links to real device may not work.
733080	Device status is shown as Up on GUI, even though there is no activity for the session between FortiManager and FortiGate.
733934	During zero-touch provisioning with Enforce Firmware Version enabled, upgrade task may hang if the connection is reset during the image transfer.
734487	Device’s hardware switch interface > physical interface member may not save.
735106	Delete is spelled incorrectly when attempting to delete invalid host cluster device.
735402	When creating a new CLI Group Template and trying to add members to it, it does not allow users to select other CLI Group Templates that were already created.
737025	SD-WAN Monitor widget may not be loaded when multiple performance SLAs are added.
737173	FortiManager should not unset l2tp and encapsulation with VPN phase2 interface.
739369	When revision history is very large, FortiManager may not be able to retrieve configuration.
739624	FortiManager should support FortiTester version 4.

FortiSwitch Manager

Bug ID	Description
684371	Clicking OK to import FortiSwitch Template results in no response.
714174	FortiSwitch manager DHCP reservation configuration may not synchronize correctly with FortiGate.
740936	FortiSwitch VLAN template creates unknown interface platform mapping.

Global ADOM

Bug ID	Description
667197	User should not be able to delete global object when ADOM is unlocked.
725763	Automatic install to ADOM devices may fail from Global ADOM.
728803	Copying global firewall policy may fail due to duplicate IPS sensors.
736541	NAT may stay as disabled on Global ADOM.
737381	FortiManager should not allow users to delete the default reserved address object starting with g-.
745772	FortiManager may randomly delete FortiManager IPv4 policies when assigning from the Global ADOM.

Others

Bug ID	Description
505795	FortiManager should allow users to configure the list of allowed TLS cipher suites.
510508	FortiManager cannot assign multiple ADOMs to an admin user via JSON API.
697361	FortiExtender status may not be correctly displayed.
718251	Web Service with port 8080 disabled may still be in listening state.
731574	FortiManager may not be able to change web filter category action via JSON API.
732144	A CA certificate may be missing from some older FortiManager platforms causing failure to login with FortiCloud SSO.
733078	FortiManager may show multiple fmgd crashes with signal 11 segmentation fault.
733208	Users may not be able to login from GUI after restored database with changed HTTP or HTTPS port number.
736229	API may fail to promote unauthorized devices to a different ADOM.
738918	After upgrade, FortiManager may set firewall-address 100000 on VDOM enabled FortiGate.
740523	Retrieve task may fail due to auto-update file already having been deleted by FGFM tunnel.
741118	Install policy package may hang at 50% with security console crash.
742137	FortiManager may return an error when running an Ansible script to configure network interfaces, zones, and policies.
744736	FGFM tunnel may go up and down with multiple fgfmsd crashes.
746311	fgdsvr process may crash when URL length is longer than 1024 characters.

Policy and Objects

Bug ID	Description
503978	Thread Feeds should be Threat Feeds on Fabric Connector.
549492	Load-balance type VIP cannot be displayed and saved correctly.
623346	In NGFW-policy policy package, FortiManager does not show Security Virtual Wire Pair Policy or Virtual Wire Pair SSL Inspection & Authentication.
644822	Imported SDN Connector objects may change to random names.
648970	If a profile group enables WAF or ICAP profile, the group should be hidden in flow-based policy.
657534	SSH and MAPI should not be supported in file filter profile protocol under flow mode.
666258	User should not be able to create a firewall policy with an Internet service with Destination direction in Source by using drag and drop.
690231	Where-used may fail to display references to certificate-inspection that were added to firewall policies in previous versions.
690295	FortiManager may be slow when multiple users access GUI at the same time.
699975	Multiple filters are missing for Azure SDN Connector.
709908	When checking the status on AntiVirus profile, it may not show the correct inspection mode in list view when status stays in flow-based (Full Scan).
710676	System replacement message group, replacemsg-group auth-intf-quarantine, does not exist.
710736	Classic Dual Pane mode cannot change left-panel size of object configuration.
714975	Imported groups or labels may not be available for direct use with policy.
716114	FortiManager should push changes in ssl-ssh-profile with Untrusted SSL Certificates setting reverted from Block to Allow.
719698	Performance for policy install may be slightly degraded after upgrading from 6.4.5 to 6.4.6.
720896	SSO admin with Restricted Admin profile should be able to view Web Filter, Application Control, or IPS objects.
722087	Edit user group with remote members on FortiManager GUI may cause unexpected change in set group-name.
724718	When FortiManager’s NSX-T connector is executing an API request, it should not be limited to 50 records.
725024	Proxy Policy page shows empty when the View Mode is selected as Interface Pair View.
725132	When modifying IP address of Default VPN Interface of spoke in Device Manager, hub remote gateway should be modified to reflect that change.
725681	Under dual pane, scrolling may be available to move panels out of viewable area.
726077	Authentication Rules may run incorrect validation that prevents submission and results in an error: The IP versions in source and destination addresses or Internet Services do not match.
726548	User-info-server option is not available under dynamic mapping in CLI under user FSSO.
728689	FortiManager does not show warning or error while selecting no-inspection with UTM profile, which does not match FortiGate behavior.
728985	FortiManager may show signatures that have been deleted by FortiGuard.
729289	FortiManager should have an option to set fortitoken/email/sms to unset or blank.
729705	Installing policy requires Interface Validation for interfaces that are not being used in policy package.
730523	Unused policies tool may always generate a PDF containing all policies.
731053	FortiManager may miss some Internet Service entries.
732138	Non-full admin users should be able to export Policy Check and Unused Policy results.
734556	FQDN type firewall address object can be created with an unsupported format.
735083	Policy packages’ folders may not be displayed in alphabetical order.
735397	Cloned object’s revision history information may not be related to the clone task.
735432	Users with ADOM-specified admin privilege may not be able to view policy package.
735738	When creating a VIP object with port forwarding filter, FortiManager may show an error.
735743	In classic dual pane, column settings are hidden by the object configuration pane.
738109	FortiManager may not install auth-cert from policy package to device.
738231	Creating VIP with IPv4 external IP mapped to IPv6 may trigger an error, a.mappedip is undefined.
738595	FortiManager may not correctly push AWS connector credentials.
738745	When an object is renamed, the new name must be used on all policies.
739205	FortiManager may thrown error Cannot delete the only package or folder, when deleting policy block.
740331	IP Pool details may be missing in ADOM v6.2.
740944	Custom IPS Signature script may fail to run on policy package or ADOM database.
742257	NPU log servers for hyperscale does not show up in policy package.
744591	Installing or importing IPS custom signature may fail when a signature’s name contains a space character.
746273	Column filter may be extremely slow with large policy packages.
747330	FortiManager cannot assign or replace VIP with SD-WAN as source interface.
748523	After creating a VIP, FortiManager may not be able to choose the VIP on a policy.
748524	VIP is not visible in the policy, if the external interface is not the same as policy SD-WAN source interface.
749519	IPv4 policies in policy block may hidden on FortiManager’s GUI.
750160	custom-url-list may not be correctly parsed when URLs contain space characters.

Revision History

Bug ID	Description
640714	FortiManager cannot correctly retrieve and import interface subnet type address showing 0.0.0.0 for IP.
642878	FortiManager should return a clear copy fail log for dynamic interface check error.
643101	Copy may fail due to VIP overlapping when installing policy package.
674094	FortiManager may unset explicit proxy’s HTTPS and PAC ports, and change the value to 0 instead.
674196	Installation may fail after editing or creating a firewall policy if reputation-minimum is set.
680549	Restricted user’s Quick Install is not working correctly for Rating Overrides.
683728	Installation fails due to VIP mapped IP range error when installing v6.2 policy package to v6.4 device.
711314	VDOM specific Disclaimer Page configuration is purged from default replacemsg-group during Policy Package installation.
713552	If VIP address’s source-filter list is too long, installation may fail.
722332	For AP Profile change, installation preview may show No Entry.
724340	FortiManager may unset forward-error-correction from FortiGate 7060E devices.
724647	After upgrading to 6.4, retrieval from a chassis may take a long time.
725252	When customer is trying to push policy package to a device group, installation window may not show any progress, but with a red cross.
725557	Install always try to delete hardware switch member interface causing installation failure.
725717	After upgrade, installation may fail due to mcast-session-counting.
728117	After upgrade, install may fail due to set pri-type-max 1000000.
728918	FortiManager should install changes applied on Global policy package and not indicate warnings like no installing devices/no changes on package.
729587	FortiManager may create an already deleted admin account on FortiGate when installing changes for a new VDOM.
733518	FortiManager may incorrectly move DNAT objects.
735455	FortiManager may try to delete thousands of policies during install.
735988	Switch and AP names may be reverted by controller status update from FortiGate.
740858	GCP project name must be set during install.
741543	Install may fail with unset MAC address on EMAC VLAN.
742242	Install fails after upgrade due to set server-identity-check enable on LDAP server configuration.
742806	When modifying a configuration and installing Device Settings only, FortiManager may not display the device’s configuration change.
745715	FortiManager may not be able to install policy package with firewall rule using VIP group due to zone binding.
747837	FortiManager may try to delete interfaces lan1, lan2, and lan3, which are used by virtual-switch.sw0 on FortiGate-40F.

Script

Bug ID	Description
630016	FortiGate user can see scripts from all ADOMs.
729571	TCL script commands run on device no longer show in the script log.
734942	Script includes static route with SD-WAN enabled may report error.
744030	FortiManager should not allow running script against device database with incorrect command.

Services

Bug ID	Description
685678	When FortiMail FIPS mode is enabled, FortiManager should be able to validate its license.
714127	Backup ADOM does not support firmware template upgrade.
725118	FortiManager may not log FortiGuard connectivity failures.
725721	FortiManager may not be able to recognize all FortiGate units within HA cluster, and it may not be able to provide update services to all units.
730877	The upgrade matrix file may be missing, and FortiManager is unable to calculate upgrade paths without the upgrade matrix file.
733174	FortiManager may not be able to recognize the object id 06002000NIDS02604 as IPS Signature Database(Extended).
733873	FortiManager may not get FortiGate HA cluster’s contract information when Device Manager shows the secondary device’s SN.
739625	FortiManager may not display licensing information for FortiTester.
741846	AP upgrade task may hang at 45%.

System Settings

Bug ID	Description
617601	Sort by Time Used in Task Monitor may not be correct.
663185	Search may not work for event logs in text mode.
690926	FortiManager removes SD-WAN field description upon ADOM upgrading from 6.2 to 6.4.
696554	FortiManager may generate a lot of cdb event log for object changed event logs.
700608	The variable from meta data that is shown is not case sensitive, whereas the variable is case sensitive when using in a CLI template.
705145	Username is truncated to 49 characters in the notification Emails sent by FortiManager for workflow approvals.
711686	Workflow approval does not work when admin name has more than 49 characters.
722320	The NOT search in advanced/text mode search is not working for system event logs.
726007	Admin User systematically gets access to root ADOM in case of RADIUS authentication and Fortinet-Vdom-Name VSA is not set.
727233	ADOM license count should not count root ADOM.
728942	FortiManager may gray out some devices’ tasks with error, which cannot be grouped together.
728991	Nested group search fails with Bad search filter if the user DN contains characters like „,” and „()„.
729280	Admin User with no access to management ADOM or VDOM can create a new VDOM from non-management ADOM > VDOM.
735067	When creating a local account with the Force this administrator to change password upon next log on option checked, the setting should be applied for the first login.
736205	FortiManager may get stuck during upgrade.
738395	FortiManager tasks’ time used should not be increased by timezone.
738622	ADOM upgrade from 6.0 to 6.2 may fail due to FortiExtender object.
743411	FortiManager should show more than five local certificates.

VPN Manager

Bug ID	Description
712633	VPN Manager pushes default dpd-retrycount and dpd-retryinterval, but it cannot display them.
712861	Policy Package Status stays Synchronized despite SSL-VPN Portal configuration being changed by using VPN Manager.
721783	Applying Authentication or Portal Mapping changes may take several minutes.
722924	FortiManager may not be able to edit skip-check-for-unsupported-os enable under SSL portal profile.

Znane problemy:

AP Manager

Bug ID	Description
708100	AP Manager cannot show Channels when 160 MHz channel width is set.
749820	AP Manager > SSID > Advanced Options may not list objects under the settings address-group.

Device Manager

Bug ID	Description
545239	After adding FortiAnalyzer fabric ADOM to FortiManager, Device Manager’s Log Status, Log Rate, or Device Storage column cannot get data from FortiAnalyzer.
554241	FortiManager cannot delete and reassign ports to VDOM when split VDOM is enabled.
610568	FortiManager may not follow the order in CLI Script template.
636638	Fabric view may get stuck at loading.
651560	SD-WAN monitor may get stuck loading when admin user belongs to device group.
660491	Device Manager system interface should not allow duplicated secondary IP address.
673548	May not be possible for FortiManager to change FortiGate interface settings when the interface type is „Software Switch”.
674904	FortiManager may not be able to import policies with interface binding contradiction on srcintf error.
689721	When changing FortiGuard- related settings via CLI Configuration, FortiManager shows changes are reverted back, but it also shows the message: Successfully updated.
710570	Any statement is not accepted by FortiManager in the prefix-list configuration.
740893	Secondary IP may be purged when setting a description to VLAN interface.
729413	FortiManager is missing peer options with dial up user configuration with VPN IPSec Phase 1.
748578	Retrieve FortiGate configuration may fail due to FSSO connector.
752443	Vertical scroll bar is missing in SD-WAN configuration.

FortiSwitch Manager

Bug ID	Description
674539	FortiManager may fail to upgrade two FortiSwitches at the same time.

Global ADOM

Bug ID	Description
691562	Threat feeds global objects are not installed to destination ADOM when using the assign all object option.

Others

Bug ID	Description
703585	FortiManager may return Connection aborted error with JSON API request.
729175	FortiManager should highlight device consisting of specific IP address under Fabric View.
732116	Setting of FortiCloud Single Sign-On is always displayed on login.
747716	JSON API does not return gateway for IPSec route.

Policy & Objects

Bug ID	Description
585177	FortiManager is unable to create VIPv6 virtual server objects.
615250	Search by CVE may not work for both IPS Signatures and IPS Filters.
646329	Policy Check may claim different IPS profiles as duplicate.
652753	Wen an obsolete internet service is selected, FortiManager may show entries’ IDs instead of names.
655601	FortiManager may be slow to add or remove a URL entry on web filter with a large list.
656991	FortiManager should not allow VIP to be created with same IP for External IP and Mapped IP Address.
659296	FortiManager may take a lot of time to update web filter URL filter list.
688586	Exporting Policy Package to CSV shows certificate-inspection in the ssl-ssh-profile column even when the profile is not in use.
713692	Web Filter Profile install may fail when using pre-defined URL filter.
719774	IP reputation for the policies are not working without source or destination.
720673	Many groups learned from Cisco ISE may be missing corresponding ADOM objects.
725427	Policy package install skips the policy where destination interface is set as SD-WAN zone and policy is IPSEC policy.
726105	CLI Only Objects may not be able to select FSSO interface.
729179	FortiManager may not be able to add Geography type address when interface mapping is enabled.
731037	There may be File Filter file type mismatch between FortiGate and FortiManager.
744766	FortiManager may not be able to retrieve IP address for group with NSX-T v3.1.2.
745863	FortiManager may display „Invalid internet service source error when selecting certain Internet services.
747558	FortiManager filters should work for HitCounters, First Session, and Last session.
748467	FortiManager does not have the same profiles as FortiGate with explicit proxy policy.
751710	Editing a global user FSSO object’s dynamic mapping is not possible.

Revision History

Bug ID	Description
618305	FortiManager changes configuration system CSF settings.
635957	Install fails for subnet overlap IP between two interfaces.

Script

Bug ID	Description
384139	Filter does not work on device group.
654700	Users need to open View Script Execution History to see that TCL script fails.

Services

Bug ID	Description
753871	FortiClient packages should not continue to be received once the service for that firmware version has been disabled.

System Settings

Bug ID	Description
616703	GUI CLI Console may not respond.
640670	If a user-specified ADOM includes a global ADOM, workflow approval may not be able to find the same user.
652417	FortiManager HA may go out of synchronization periodically based on the logs.
721153	Scroll bar is missing from device drop-down list on ADOM overview page.
752916	FortiManager should be able to set desired permissions for Extender Manager in administrator profile settings.

VPN Manager

Bug ID	Description
615890	IPSec VPN Authusergrp option Inherit from Policy is missing when setting xauthtype as auto server.
699759	When installing a policy package, per-device mapped objects used in SSL VPN cannot be installed.

 

Notatki producenta: FortiManager 7.0.2

Pozdrawiamy,

Zespół B&B
Bezpieczeństwo w biznesie

7.0.2 FMG FortiManager FortiManager 7.0.2