Fortinet opublikował aktualizację dla FortiManager o oznaczeniu wersji 7.0.6. Aktualizacja przynosi poprawki dla komunikacji i wymiany informacji pomiędzy EMS a FMG oraz błędami interfejsu graficznego FMG podczas aktualizacji jednostek FortiGate zarządzanych przez FortiManagera. Ponadto, naprawiono błędy związane z zachowaniem FortiManagera w sytuacji konfiguracji BGP, co mogło skutkować unieszkodliwieniem sieci BGP. Aktualizacja przynosi również pomniejsze poprawki związane z konfiguracją interfejsów zarządzanych urządzeń, procesem instalacji konfiguracji na urządzeniach oraz z problemem, który sprawiał że nieuprzywilejowani użytkownicy byli stanie uzyskać dostęp do informacji za pomocą interfejsu API.

Aktualnie wspierane modele:

FortiManager	FMG-200F, FMG-200G, FMG-300F, FMG-400E, FMG-400G, FMG-1000F, FMG-2000E FMG-3000F, FMG-3000G, FMG-3700F, FMG-3700G, and FMG-3900E.
FortiManager VM	FMG_DOCKER, FMG-VM64, FMG_VM64_ALI, FMG-VM64-AWS, FMG-VM64-Azure, FMG-VM64-GCP, FMG-VM64-HV (including Hyper-V 2016, 2019), FMG-VM64-IBM, FMG-VM64-KVM, FMG-VM64-OPC, FMG-VM64-XEN (for both Citrix and Open Source Xen).

 

 

Rozwiązane problemy:

Bug ID	Description
853345	The clients are connected to the Wireless Access Point; however, „clients” section under the diagnostics & tools of AP does not display any info.

Device Manager

Bug ID	Description
845656	When BGP is enabled and no IP address is defined for set-ip-nexthop under the route-map config, FortiManager tries to set the IP to 0.0.0.0, and this may break the BGP network.
853061	Installation fails as FortiManager attempts configuring „allowas-in6” on neighbor when configuring router bgp via BGP template.
855425	System Template and CLI Template config did not install to all model device FortiGates.
856207	FortiGate’s WAN1 interface cannot be edited via FortiManager’s GUI.
859249	After upgrade, Firmware Templates under the Device Manager is blank. Even new entries cannot be created.
874811	FortiManager tries to set the „set-ip-nexthop” to „0.0.0.0” during the installation.

Others

Bug ID	Description
838638	FortiGates are upgraded successfully via FortiManager’s Group Firmware upgrade feature; however, the task monitor displays „Image upgrade failed” for some of the FortiGates.
845753	IPSec installation fails on Google Cloud Platform (GCP) ONDEMAND FortiGate.
850467	Unprivileged Users might be able to disclose unauthorized information via API.
851354	Installation while using CLI templates may fail and create the „securityconsole” Application crash.
855840	’allowaccess’ on interfaces completely removed on GCP ONDEMAND FortiGate.

Policy and Objects

Bug ID	Description
827602	Unable to import EMS Tags from EMS Server.
827607	The enable/disable status feature for the EMS Connector is not available on FortiManager.
841492	FortiManager unsets the system HA settings after pushing an unsuccessful installation Policy Package to FortiGates.
850105	Unable to perform Apply & Refresh on EMS Connector.
853347	ZTNA tags name/format from EMS/FortiGates don’t match with the ones from FortiManager’s DB.
866724	Copy Failed error has been observed with the error message, „Virtual server limit reached!”; this limit is 50 for FGT AWS ONDEMAND.
868937	GUI VIP Mapped IPv6 Address/Range gives „Mapping to IP 0 not allowed”.
873896	Unable to remove „(null)” objects under „endpoint-control”.
874188	Installation fails due to FortiManager’s attempts to remove the „endpoint-control fctems” entries.
875980	FortiManager unsets EMS connector Serial Number and the tenant-id during the installation.

System Settings

Bug ID	Description
848934	SNMPv3 does not work properly on FortiManager and FortiAnalyzer.

VPN Manager

Bug ID	Description
798995	It’s not possible to delete an SSL VPN portal profile from FortiManager GUI if the profile has been already installed.

 

Znane problemy:

AP Manager

Bug ID	Description
822525	FortiManager does not take the per device mapping authentication config for SSID under the Wifi Profiles.
824032	Some of the FAPs Radio configuration settings under the AP’s profile are missing.

Device Manager

Bug ID	Description
752443	Vertical scroll bar is missing in SD-WAN configuration.
789249	FortiManager does not have Logging Options after enabling One-Arm Sniffer under Interface.
789544	Status of the „Firmware Template” has been changed to „Unknown” after upgrade.
794764	FortiGate Modem Interface is not visible under Device Manager.
800191	During the ZTP deployment, „set hostname” command does not push to FortiGate.
801547	When removing an entry in the static route template, static route entries are shifted and the installation fails.
807771	FortiManager unsets the gateway settings in SDWAN template after upgrading ADOM from v6.4 to v7.0.
810936	After Upgrade, managed FortiAnalyzer on FortiManager does not display the Traffic logs under the Log View for HA devices.
815901	The router static entries created by IPSEC template are deleted and re-created after upgrade.
817346	Editing interface with normalized interface mapping displays some unnecessary messages for mapping change.
818905	FortiManager unsets the certificate for „endpoint-control fctems” setting during the installation.
828897	SD-WAN Monitor map doesn’t load all devices.
829404	SD-WAN Widget does not display any data for „Bandwidth Overview” and „Traffic Growth” under the Managed Devices’ dashboard.
835106	FortiManager cannot sync its devices with FortiAnalyzer when adding it to the Device Manager; it displays the error message „Serial number already in use”.
837213	Browser crashes when clicking „view diff” to compare with current device config.
839334	FortiManager does not allow empty value for „Interface Preference” as SD-WAN Rules under the SD-WAN Templates.
853810	Failed to edit the managed devices to modify the location.
855032	FortiManager displays the total devices/VDOMs count incorrectly when split VDOM enabled on FortiGates.
859638 860071	FortiManager’s SD-WAN monitor does not display the Health Check status correctly.
861220	Leaving the SD-WAN member empty when configuring the SD-WAN using the template fails due to the syntax differences between FortiGate and FortiManager.
861238	SD-WAN Monitor, under Device Manager’s Monitors, displays an Unknown status (a grey question mark) icon for HA devices under the Map View.
866243	The SD-WAN Monitor info for specific devices are not consistent with the map view SD-WAN interface status (based on performance SLA).
866247	Unable to change the static route „Description” section in the Device Manager without editing the static route.
870848	SD-WAN Monitor under Device Manager’s Monitors tab does not display any FortiGate devices which are running in 6.2 version.
874831	FortiManager attempts to install unknown and undesired static route when modifying or adding some new static routes.

FortiSwitch Manager

Bug ID	Description
818842	FortiManager displays „Failed loading data” for „Security Policy”, „LLDP Profile”, and „QoS Policy” features when editing ports in Per-device mode FortiSwitch Management.
868949	Installation fails as FortiSwitch Manager creates an alias name longer than the total limit 25 characters.

Global ADOM

Bug ID	Description
826522	Unable to remove global object from Global Database.
868212	Assigning global policies to ADOMs by admins with access to specific ADOMs fails.

Others

Bug ID	Description
713714	The schedule for firmware upgrade for FortiGates does not work; instead firmware upgrade starts immediately.
745958	Unable to config ipsec tunnel using the ipsec tunnel template.
777028	FortiManager does not support the FortiCarrier-7121F.
777831	When FortiAnalyzer is added as a managed device to FortiManager, the „Incident & Event” tile will be displayed instead of the „FortiSoC” tile.
814425	Sorting FortiExtenders by Network, RSSI, RSRP, RSRQ, and SINR does not work properly.
816936	FortiManager does not support the FGT/FGC 7KE/7KF syntax.
820921	FortiManager displays incorrect device firmware versions for FortiSandbox and FortiMail.
822263	Service Status under FortiGuard does not display the secondary Service status of the FortiGate’s cluster correctly.
839586	FortiManager does not save applying the configuration of „Enable AntiVirus and IPS service for FortiDeceptor” under FortiGuard settings pane.
850377	In Workflow Mode, when new session is created, the Policies disappear.
857659	FortiManager did not download the „AI Malware Engine” Package from FortiGuard Server.
865200	Users encountered unsatisfactory performance of FortiManager due to several crashes on the „Application fmgd” process.
870893	Unable to install pp to FortiGates after FortiManager’s DB got restored.
874369	Upgrading FortiManager fails due to some invalid data for managed FortiExtender’s Objects.
876425	FortiManager does not display the output of the „execute dmserver showconfig„.

Policy & Objects

Bug ID	Description
585177	FortiManager is unable to create VIPv6 virtual server objects.
698838	„Download Conflict File” does not display all of the firewall objects conflicts when importing policy packages from FortiGate to FortiManager.
738988	FortiManager does not detect the settings related to Web Cache Communication Protocol (WCCP) in SSLVPN Policies on the FortiGate.
741269	Unable to install configuration to FortiGates due to the error message „Resource temporarily unavailable”.
751443	FortiManager displays policy installation copy failures error when ipsec template gets unassigned.
752993	VPN IPSEC installation fails as phase1 settings on FortiManager are not consistent with the ones on FortiOS.
774058	Rule list order may not be saved under File Filter Profile.
795449	Unable to „Download Conflict File” to review the conflicts of firewall objects during import process.
803460	„User Definitions” entries under the „User & Authentication” cannot be removed from FortiManager.
810073	Fail to import the firewall policy due to the „interface mapping undefined” error message.
814364	FortiManager does not support the FCT EMS prefix; therefore, policies with ZTNA Tags cannot be installed properly to the FortiGates.
817220	FortiManager does not support the „userPrincipalName” as the common Name Identifier for LDAP Server configuration.
819847	FortiManager displays a false warning message „Duplicate Objects With Same Values” when creating the Firewall Objects’ Service entries under the Policy & Objects.
834806	Installation fails due to extra back slashes when installing the custom IPS signatures to the FortiGates.
835087	Policies cannot be edited as FortiManager displays a warning message, „Please select a SSL/SSH Inspection profile” in ADOM 6.2.
836933	Changes on the External-Resource settings from ADOMs for specific VDOMs/FortiGates alter the External-Resource settings for other ADOMs and VDOMs.
845022	SDN Connector failed to import objects from VMWare VSphere.
846634	GUI does not allow to edit the custom Application and Filter Overrides
847932	Hit count for a policy package does not always match the total count of all installation targets.
848666	„Install Device” task stuck without any progress when installing the templates and firewall policies to the FortiGates.
858183	After firmware’s upgrade, virtual wire pair interfaces are missing in virtual wire pair interface policy.
859217	Rearranging the Destination NAT (DNAT) objects whose names contain special characters displays an error message „object does not exist”.
862727	Policy Package installation failed due to the error „native vlan must be set” message.
862839	Cloning the Policy Packages on FortiManager creates the duplicate UUIDs.
863882	’Last Modified Time’ field is empty when exporting Policy Packages to Excel.
866826	Failed to modify Virtual Server addresses in Firewall Polices with Deny Action.
870688	Editing the „Install On” changes the Policy status to „Modified” for all FortiGates existing on that rule.
881857	Multiple security console Application crashes have been observed during the Policy Package installation when static router template and router static entry in device db are used.
882996	Unable to install to FortiGates when using null values for „local-gw6” and „remote-gw6”.
889563	FortiManager, for ADOM version 6.4, does not support Creating, Importing, or Inserting Above and Below actions for a deny policy with a „Log Violation Traffic” disabled. Workarounds: To Insert, use copy & paste instead of the using Insert Above/Below. To Create, either run script to create log disabled deny policy or enable log traffic first, and then edit the policy in order to disable and save it.
891106	ZTNA Tags cannot be downloaded by EMS Cloud connector.

System Settings

Bug ID	Description
753204	Admins of a specific ADOM are able to see tasks of others ADOMs.
825319	FortiManager fails to promote a FortiGate HA Slave member to the Primary.
850469	Radius group attribute filter does not work with Microsoft NFS.
851029	FortiManager’s HA cluster breaks after upgrading the FortiManager.
853353	SDWAN Monitor Map does not show up when admin profile has been set to „None” for System Settings.
862814	Event logs did not log FortiManager admins and their actions on managed devices.
864041	SNMPv3 stopped working after upgrading the FortiManager.
864931	Unable to login into FortiManager using TACACS and Radius credentials.
868706	SSO admin users do not have the same permissions as local users with the same assigned profiles.

VPN Manager

Bug ID	Description
762401	FortiManager is unable to preserve the Specify custom IP ranges option for SSL VPN Address range setting.
784385	FortiManager creates the faulty dynamic mapping for VPN manager interface during PP import. Workaround: It is strongly recommended to create a fresh backup of the FortiManager’s configuration prior to this workaround. Perform the following command to check & repair the FortiManager’s configuration database. diagnose cdb check policy-packages <adom> After running this command, FortiManager will remove the invalid mappings of vpnmgr interfaces.

Notatki producenta: FortiManager 7.0.6

Pozdrawiamy,

Zespół B&B
Bezpieczeństwo w biznesie

FortiManager Fortinet