Fortinet has released the latest update for FortiManager, version 7.0.5. The update fixes a problem with IPv6 configuration, where the faulty behavior affected how the protocol was configured on FortiGate devices. It also repairs the integration between FortiManager running in a Docker environment and FortiAnalyzer running in a Docker environment. The new version also corrects errors in SD-WAN configuration, where the problem concerned configuration through the CLI console. For more details, see the rest of the article.
Resolved issues:
AP Manager
Bug ID | Description |
---|---|
661938 | FortiManager displays an error when trying to edit and save managed APs. |
755815 | The „local-standalone” and „local-authentication” features are inconsistent with FortiOS/FortiGate. |
794836 | Protected Management Frames (PMF) feature always gets disabled when security mode is set to WPA2 (Enterprise or Personal). |
819137 | Installation failed if Distributed Automatic Radio Resource Provisioning (DARRP) is disabled on AP Profile. |
Device Manager
Bug ID | Description |
---|---|
723006 | FortiManager does not support creating the „DHCP Reservation” under the Network Monitors widget. |
738276 | FortiManager’s GUI does not display the „Routing Objects” under „Router”. |
745122 | FortiManager unsets the IPv6 configuration during the installation to the FortiGate. |
745586 | Local firmware images are duplicated under the Device Manager. |
746697 | Not able to delete the phase2-interface within the IPsec template. |
748579 | CLI configurations for the SD-WAN template are not working properly. |
752754 | Interface Edit button is grayed out, but double-clicking on the interface still lets the users modify and save the new configuration. |
757045 | Installation failed with „invalid ip address” error when configuring the multiple IPs for system dns-database’s forwarder as the meta field. |
759264 | Applied system template does not apply properly on „Install Wizard” mode after modifying config on device level. |
763234 | Installation failed due to the syntax’s difference between FortiGate and FortiManager in setting log-disk-quota for VDOMs. |
770600 | Comma between IP address and subnet causes saving problem on Prefix List Rule under BGP Templates. |
771417 | Cannot override system template settings. |
778131 | FortiManager did not support the per device mapping for user SAML configurations. |
780395 | FortiManager displays a blank page when creating the rules under the „distribute access list” for the BGP Templates. |
786264 | Unable to delete default „wireless-controller” „vap” configuration from the device DB. |
787905 | PM/AM feature for AV&IPS Scheduled Updates under the FortiGuard’s Device Manager cannot be set correctly. |
788923 | SD-WAN template does not change the value of „service-sla-tie-break” for an SD-WAN Zone. |
796447 | FortiManager shows CLI Provisioning templates even after removing association of Provisioning template. |
801022 | Config status gets modified even though the installation preview is empty. |
801415 | FortiManager adds quotations to IP addresses when configuring trusted hosts for „switch-controller snmp-community” under the GUI’s CLI Configuration. |
803289 | The „Routing – Static & Dynamic” widget gets added successfully, but disappears after a page refresh. |
804142 | Creating the „EMACVLAN” type interface on FortiManager displays an error: „VLAN ID is required”. |
804502 | Installation fails due to pushing the previous password expiration date to FortiGates. |
805208 | The forwarder IP in the DNS database is set to „[object Object]”. |
806622 | Installation failed after configuring the link-monitor. |
809793 | Unable to create vdom link with vcluster. |
812213 | Default factory setting on FortiGate does not match its default factory setting in FortiManager’s DB. This causes a status conflict if the FortiGate is added to FortiManager using the „Add Model Device” method. |
812687 | Unable to add FortiGate WiFi-80F-2R to FortiManager when Trusted Platform Module (TPM) is enabled. |
813339 | First install after adding a FortiGate to the FortiManager failed due to FortiManager’s attempt for installing a new SSID passphrase for the Virtual Access Point (VAP). |
819710 | FortiManager does not display the VDOMs optmode correctly. |
820436 | FortiManager displays an error „Failed to update device management data.”, when adding a model device based on ZTP approach. |
820990 | IPSec VPN deployment via ZTP creates some issues on the FortiGate routing. |
821866 | For FortiGates with FGSP (FortiGate Session Life Support Protocol) configuration, the „ipsec-tunnel-sync” feature under the cluster-sync cannot be disabled. |
823092 | Not able to add multiple OU (Organization Unit) fields in the Certificate Templates. |
823281 | Changing Time/Schedule for scripts under the Device Manager makes the „OK” button grayed out. |
826141 | VLAN interface cannot be created and mapped to a hardware switch interface on the FortiManager. |
828122 | „Device Detection” gets enabled by FortiManager during the installation. |
830105 | FortiManager attempts to install 1.0.0.0 as the remote-gw for all the phase1-interfaces when 2 or more IPsec phase1-interfaces have same remote-gw IP. |
830727 | FortiManager-DOCKER platform does not support adding the FortiAnalyzer-DOCKER device. |
832321 | Configuration changes on the AP/Switch/Extender settings do not apply on the device DB when these changes are created from the system template. |
832753 | FortiManager does not install configurations from CLI Template group to FortiGates. |
834947 | „Resource-limits” proxy default value is missing under the Device Manager’s CLI Configurations. |
835451 | Editing SD-WAN/IPSec template (with no actual changes) removes all assigned devices. |
847631 | Failed to reload the FortiGate’s configuration. |
FortiSwitch Manager
Bug ID | Description |
---|---|
755444 | Failed to import FortiSwitch Template due to the datasrc invalid error message. |
803175 | FortiSwitch Template does not enable all the POE interfaces. |
817436 | LLDP profile cannot be changed when Access Mode has been set to nac in FortiSwitch Template. |
829700 | FortiManager shows errors while installing FortiSwitch configuration. |
830099 | FortiSwitch Manager displays the „Missing Switch ID or Platform Info” error. |
833262 | FortiSwitch Manager does not display the list of firmware images for the FSW 108F-FPOE model. |
Global ADOM
Bug ID | Description |
---|---|
767325 | Failed to assign global ADOM v6.2 policy to local ADOM v6.4 due to policy IPv6 changed duplicate object. |
811660 | Global Database object assignment to ADOMs fails. |
815130 | Global Policy Assignment in FortiManager displays the „TCL error – dstintf in policy cannot be empty” error. |
835172 | Global ADOM Assignment fails when assigning some profile groups. |
835439 | Global Policy assignment is not completed successfully due to some missing objects on Global ADOM. |
838174 | FortiManager does not provide a clear error message when Global IPS Header/Footer profile assignment fails. |
842934 | Global address group cannot be modified from FortiManager GUI. |
847533 | Unassigned Policy Package cannot be removed from Global ADOM. |
Others
Bug ID | Description |
---|---|
739219 | FortiManager’s timeout parameters cannot be set by users as it is hardcoded. |
742819 | Promote to global feature should not be possible since GLOBAL ADOM are not accessible in FortiManager Cloud. |
747648 | FortiManager does not support some of the FortiExtender models and versions under the FortiExtender Profiles. |
750242 | FortiManager’s DB in HA clusters are not properly synced together. |
757524 | FortiManager displays many „duplicate license for [FGT devices SN Number] copy AVDB to AVEN” error messages. |
759333 | After upgrading ADOM 6.2 to 6.4, status of all Policy Packages changed to modified. |
770040 | FortiManager’s web interface and especially API calls are very slow if object-revision-status feature is enabled. |
784037 | FortiManager offers low encryption cipher Suite in TLS 1.2. |
786281 | During the installation, FortiManager displays Policy Consistency Check failure without any clear reason. |
793085 | Sub Type Filter on Event Log search does not show any results, even if logs are present. |
795624 | FortiManager does not let users copy the contents of the „View Progress Report”. |
799378 | FortiManager’s admins are not able to run FortiManager’s CLI scripts/commands from remote stations. |
801871 | Unable to finish the ZTP installation process successfully. |
806109 | After ADOM upgrade, log-all is disabled for all protocols under Email Filter profile. |
806522 | Application websocket crashes and makes FortiManager’s GUI unresponsive. |
808822 | Changing the HTTPS port used for Administrative Web Access will cause FortiManager to stop listening to port 443 for FortiGate update requests. |
811018 | FortiManager does not support copying objects from the Policy Packages and pasting them into the search field. |
811379 | Users cannot tick any of the checkboxes for individual interfaces under the „speed-test-schedule” under the Device Manager’s CLI-Configuration. |
815875 | After FortiManager’s upgrade, device level status has been modified and Install preview shows that pdf-report and fortiview features will be enabled on the FortiGates even if these are already enabled on the FortiGates before. |
816444 | Extender Manager doesn’t display RSSI/RSRP/RSRQ/SINR info. |
816834 | FortiManager does not support FortiWeb and activate its license. |
817667 | FortiManager cannot upgrade the ADOM to v7.0 due to several cdb crashes during the upgrade. |
820071 | Upgrading the FortiOS/FortiGate firmware version via FortiManager did not complete successfully. |
820248 | Cloning same ADOM multiple times fails with error „Unknown DVM error”. |
820578 | The „svc authd” process is consuming 100% of CPU. |
820656 | FortiGate 7.2.1 failed to fetch the FortiGuard rating from FortiManager without raw DB Flags. |
822286 | Adding FortiExtender to FortiExtender Manager using name field causes device settings installation failure. |
823111 | After upgrading to 7.0.4, FortiManager removes the dev-obj data upon rebooting. |
823278 | Unable to manually import Query Category FortiGuard package. |
823294 | SSH connection between FortiGate and FortiAnalyzer/FortiManager v7.0.4/7.2.1 or later fails due to server_host_key_algorithms mismatch. |
823547 | In Advanced ADOM mode, it is not possible to create a new VDOM in a new ADOM via JSON API request. |
823872 | FortiManager loses access to its GUI if the same IP makes more than 250 connections to the https admin port. |
824316 | FortiManager displays an error when „adom-integrity” is performed. |
825052 | Not able to add the FortiProxy to the FortiProxy ADOM. |
826718 | Failed to delete the hanging task from task monitor. |
826881 | FortiManager attempts to apply some changes to voice, video, and interface configurations. |
829726 | Already existing CLI Templates cannot be modified after the upgrade. |
830881 | ADOM upgrade fails due to the ID of the sdwan applications; they are larger than the initial defined values. |
831453 | FortiManager shows an error message when multiple FortiGates are selected to be upgraded to the new version. |
833162 | FortiManager does not support the FortiProxy 7.0.6. |
833623 | Estimated Bandwidth for Upstream & Downstream under the interfaces and Upload & Download values under the SD-WAN Monitor’s table-view are displayed differently. |
835313 | FortiManager displays many „duplicate licence” messages for „copy AVDB to AVEN”. |
835748 | FortiManager’s GUI takes a very noticeable time to load properly when navigating to Policy & Objects tab. |
836489 | Firmware Images under the FortiGuard for „All” or „Managed” devices display same list. |
839035 | „Check License” under the FortiGuard’s Licensing Status does not keep the changes. |
840068 | Unable to export device stored FortiGuard signatures through TFTP. |
Policy and Objects
Bug ID | Description |
---|---|
620680 | FortiManager does not support the geographic fields data for firewall internet-service Objects. |
686150 | FortiManager cannot import NSX-T dynamic IP when VPN Objects are presented in NSX-T Manager. |
688586 | Exporting Policy Package to „CSV” shows „certificate-inspection” in the „ssl-ssh-profile” column even when the profile is not in use. |
703408 | FortiManager does not display the interface type Geneve for interface mapping. |
704354 | „Blocked Certificates” and „Server certificate SNI check” features cannot be configured on SSL/SSH profile. |
707481 | Deleting a DNS filter profile does not delete the associated Domain filter. |
716943 | FortiManager’s GUI shows so many blank areas after adding the IPS Signatures and Filters. |
724011 | FortiManager needs to support multiple server certificate list in ssl/ssh profile. |
731961 | When FortiManager is working in the workspace mode, the installation for those FortiManagers with larger DB may take a longer time to be completed. |
762392 | Rating lookups do not return the correct category for the URL when it ends with the „/” character. |
765154 | Installation fails when trying to disable the „safe search” on existing DNS filter from FortiManager. |
768125 | Default configurations of the Potentially Liable category under the Webfilter are different from their corresponding ones on FortiGate. |
778171 | After the upgrade, FortiManager is changing the „config antivirus quarantine” setting; this fails the installation. |
783195 | FortiManager changes the „cert-validation-timeout” value to „block” when installing to the FortiGates. |
787195 | FortiManager skips the zone interface policy without displaying copy fail error message. |
789238 | Installation error occurs when configuring a VIP with per-device mapping and setting an External IP Range to an IPv4 Range. |
793603 | Registering a service under the connector configuration displays an error „Failed to run script.”. |
794731 | The Policy package counter field does not display the number of modified policy packages. |
798955 | Traffic shaping policy changes do not trigger any changes/updates on the Policy Packages status. |
805178 | Installation failed due to the unnecessary setting changes of logtraffic feature in proxy policy. |
805211 | Installation failed due to the wrong fsw vlan type for the default nac and nac_segment vlans. |
805642 | New policies created in policy package do not inherit „global-label” section. |
805649 | Any modification on the „peer group” object within VPN Manager pane, makes all devices’ policy status „Modified” even though spoke devices have different policy packages than Hub devices. |
807287 | Unable to change virtual server objects on FortiManager’s Policy & Objects. |
808900 | Incorrect error message is displayed when re-installing the same policy to FortiGate immediately after the first installation. |
809888 | Replacement Message Group under Security profiles gets removed by FortiManager during the installation. |
811715 | FSSO dynamic addresses were visible on two address groups. |
812886 | On FortiManager, an internet-service-custom objects without protocol number or port-range can be configured on firewall proxy-policy; however, FortiGate/FortiOS does not support this. |
812909 | FortiManager unsets the „bypass-watchdog” setting on FGT400E-Bypass. |
813237 | ViewMode feature does not work properly when workspace mode is enabled on FortiManager. |
814468 | FortiManager purges „gcp-project-list” and unsets several values from GCP sdn-connector. |
814970 | EMS Connector is not able to import Tags when Multi-Site is enabled on EMS Server. |
815281 | SDN Dynamic Address object filter does not display the list properly. |
815812 | Installation failed because FortiManager tried removing the credentials for Amazon Web Services (AWS) type SDN Connector and enabling the „use-metadata-iam” feature. |
816108 | The „group-poll-interval” value for FSSO fabric connector cannot be configured properly. |
816121 | FortiManager displays an improper error message when importing the policy package. |
816347 | Objects Field search under the „Add Object(s)” feature does not properly locate any firewall object addresses for Source & Destination. |
818512 | In WorkFlow Mode, adding a single policy removes and re-adds the entire policies. |
819665 | Installation Preview does not display the DNS-Filter configuration changes. |
819713 | FortiManager in task manager does not show the specific admin name who refreshes the hit-count. |
820939 | „Firewall Users” does not populate the user authenticated via explicit proxy authentication method. |
820993 | For Proxy-Policy, FortiManager unsets the „PROFILE-PROTOCOL-OPTION” when installing to the FortiGates. |
821412 | The Policy Block’s name cannot be edited if „/” character is being used. |
822843 | FortiManager displays an error when using the access-proxy type VIP and normal VIP in firewall policies as they are both using the same external IP. |
825411 | Installation fails when an application group with category 32 (unknown applications) is configured on FortiManager, even though this category is accepted on the FortiGate. |
825530 | Explicit web proxy policy does not allow selecting any source address objects. |
826928 | During the installation, FortiManager attempts to remove the physical ports which are members of the virtual-switch config. |
826946 | FortiManager does not show anything to install on FortiGates even though the Policy Package has been modified. |
827242 | For Policies under the Advanced Options, „custom-log-field” uses Names instead of IDs. |
827800 | When creating the address group on FortiManager, the „Exclude Members” field is not available. |
828492 | Policy installation fails when using „sdn-addr-type all”. |
830043 | Creating the Custom ipv6 service where icmpcode is not configured causes the Policy Package to get into a conflict state. |
830502 | FortiManager fails to create the CSV for Policy Package. |
831225 | Cloning a policy with VIP referencing SDWAN member causes subsequent installs to fail. |
831273 | FortiManager does not allow deleting the entries for „server-info” under the log „npu-server”. |
831407 | NSX-T connector configuration does not display „VM16” and „VMUL” types. |
831484 | FortiManager was not able to connect to the „NSX-T Connector” and several „Application connector” failures have been observed. |
832962 | If Firmware Template status is „Unknown”, FortiManager allows installing the Policy & Packages repeatedly to the FortiGates. |
834447 | Objects are not visible in the Addresses tab when the per-device mapping feature is enabled. |
836783 | FortiManager changes the „use-metadata-iam” value for the SDN connectors. |
837555 | Connector’s Service Name, after FortiManager’s upgrade, does not display the correct name. |
838533 | SASE zone cannot be removed from SDWAN Template. |
841966 | When inserting „Above” or „Below” to add policy, the policy is added to the wrong section/place. |
Revision History
Bug ID | Description |
---|---|
722332 | For AP Profile change, installation preview may show No Entry. |
809191 | Configuration change of HA-logs setting is not reflected into the revision history. |
Script
Bug ID | Description |
---|---|
808398 | „View script executing history” displays scripts related to other ADOMs. |
817172 | Running scripts to add a static route failed due to the „duplicate of static route” error. |
821778 | Using scripts does not create the ssl-ssh-profile with certificate inspection mode; instead it sets the value to deep-inspection mode. |
Services
Bug ID | Description |
---|---|
779997 | Upgrading multiple FortiGates at the same time from the „Firmware Upgrade” feature does not let users click „OK”. |
827982 | Downstream FortiManagers cannot get all the FDS/FGD packages from upstream FortiManagers in cascade mode network design. |
System Settings
Bug ID | Description |
---|---|
687223 | Users may not be able to upgrade ADOM because of profile-protocol-options. |
777153 | FortiManager displays an error when setting up a „Remote Authentication Server” with „No Certificate” option. |
780245 | Install Wizard shows all devices are selected even though „Default Device Selection for Install” is set to „Deselect All”. |
796058 | Search box in the „Edit Meta Fields” page under the System Settings does not work. |
799519 | If Management Extension Applications (MEA) are enabled, all system settings may be lost after upgrading the FortiManager. |
807983 | FortiManager doesn’t display „NTP daemon change time” event log when it synchronizes with the NTP server at booting. |
809276 | Cloning administrators doesn’t copy the specified ADOMs for the cloned administrator and wrongly display „All ADOMs”. |
815728 | FortiManager takes very long hours to rebuild the HA Cluster back to synchronization status. |
817244 | Sorting function feature does not work properly based on the „Device” column in the „Meta Fields” under the system settings. |
818969 | Unable to poll SNMP with SNMP Engine ID. |
819383 | FortiManager disk usage rises to 100% due to traffic-shaping-history enabled. |
822316 | For RADIUS wildcard config, if „ext-auth-adom-override” feature is enabled, the APIs access are not allowed. |
822776 | Query Distinguished Name does not display the LDAP users in FortiManager when Secure connection is enabled. |
823898 | FortiManager does not use all of the configured „ssl-cipher-suites” under its „system global” settings. |
825078 | New admins with ADOM only access cannot see the previously assigned header and footer policies on that ADOM. |
827854 | Installation target disappears in workflow mode if session is approved via email. |
829751 | Installation tasks got stuck at 0% and failed to start any new installation tasks. |
830242 | FortiManager in Advanced Mode does not show the number of allowed VDOMs correctly. |
839715 | Any changes on the Admin Setting page alter the FortiManager’s Themes. |
841931 | When FortiManager works in Workspace Mode, users are able to disable „Per-Device Mapping” without locking the ADOMs. |
VPN Manager
Bug ID | Description |
---|---|
810027 | FortiManager Spoke IP setting for vpn configuration sets properly but the policy package does not change on the Hub phase1. |
831076 | Static Route (Protected Subnet of the HUB) is not installed to Spoke during install, with HUB and Spoke Dial-up VPN setup. |
Vendor release notes: FortiManager 7.0.5
Best regards,
The B&B Team
Security in Business