Fortinet has released FortiManager 7.2.5, an update focused on functional improvements and on resolving issues identified in earlier releases. The update brings improvements to device, policy and object management, with particular attention to access point management, device management bugs and the policy package installation process. Among the key issues resolved are: inefficient display of the rogue AP list on FortiGates with a large number of rogue APs, an attempt to install an „arrp-profile” while „darrp” is disabled, and significant delays when assigning a profile to FortiAPs. For a full picture of the changes and new features, see the vendor's release notes. The resolved issues listed below, with their Bug IDs, are reproduced from those notes.
Currently supported models:
Product | Models |
---|---|
FortiManager | FMG-200F, FMG-200G, FMG-300F, FMG-400E, FMG-400G, FMG-1000F, FMG-2000E, FMG-3000F, FMG-3000G, FMG-3700F, and FMG-3700G |
FortiManager VM | FMG_DOCKER, FMG_VM64, FMG_VM64_ALI, FMG_VM64_AWS, FMG_VM64_AWSOnDemand, FMG_VM64_Azure, FMG_VM64_GCP, FMG_VM64_IBM, FMG_VM64_HV (including Hyper-V 2016, 2019), FMG_VM64_KVM, FMG_VM64_OPC, FMG_VM64_XEN (for both Citrix and Open Source Xen) |
Resolved issues:
AP Manager
Bug ID | Description |
---|---|
736930 | FortiManager is unable to efficiently display rogue AP lists for FortiGates with a high volume of rogue APs. |
861941 | FortiManager attempts to install „arrp-profile” even if „darrp” is disabled. |
906061 | It takes a significant amount of time to assign a profile to each FortiAP. |
974444 | The DNS server for SSIDs gets reset after importing an AP Profile. |
982548 | FortiGate configuration install may fail with the reason „Need to unset channel list in radio-1 first.” |
1002043 | AP Manager view does not show SSIDs and Radio Channels. |
Device Manager
Bug ID | Description |
---|---|
723720 | A „strong-crypto” change made in the CLI configuration cannot be installed to the FortiGate. |
777693 | Provisioning templates change metadata values. |
778131 | FortiManager did not support per-device mapping for user SAML configurations. |
811104 | Importing a policy package fails after web-proxy has been installed through CLI configurations. |
838462 | Adding a device with the „Add Model HA Cluster” feature fails because FortiManager does not allow „virtual switch interfaces” to be used as „heartbeat interfaces”. |
871334, 973064 | Installation to a FortiGate with the NP7 acceleration feature enabled might fail when FortiManager attempts to modify the QoS settings. Changing „default-qos-type” to a value other than its default may result in a FortiGate reboot (FortiOS behavior). |
880934 | FortiManager reverts Syslog mode settings on local FortiGates (when FortiGates are in FIPS mode). |
902577 | The status of the FortiLink split-interface radio button under FortiManager’s Device Manager does not match the configuration in FortiGates. |
920394 | Installation failed due to the incorrect install order during ZTP. |
923808 | Even with „set dhcp-relay-request-all-server enable” set, FortiManager does not keep the DHCP server and DHCP relay configurations on the same interface. |
935586 | When managed devices go down/appear offline, not all FGFM tunnels are automatically recovered by FortiManager. |
936168 | Unable to assign Device Group to the Firmware Template. |
936544 | When importing CLI Templates, GUI displays a blank page. |
939804 | Creating or modifying an IPsec Phase 1 interface-mode tunnel might trigger the error message „The string contains XSS vulnerability characters.” This only occurs when devid is an empty string (devid = ''). Workaround: manually remove the value. |
939921 | Firmware upgrade is not allowed for devices in an ADOM that is in backup mode. |
949546 | When zones have identical names except for case, only 1 of the zones may be visible in Device Manager. |
949612 | The SD-WAN monitor table-view takes too long to load/display information. |
952404 | FortiManager cannot install the Static Route config under the Provisioning Template due to a static route template error after upgrading to FortiManager 7.2.4/7.4.1. |
954610 | FortiManager does not show objects under the „named address” options in IPsec VPN Phase 2 definitions. |
956567 | Not able to edit/delete Logging Devices Group. |
956920 | Monitor Health Check graphs return incomplete or no value. |
961447 | After upgrading FortiManager (VMs and FortiManager Cloud) to version 7.2.4 or 7.4.1, devices may not be able to be retrieved or refreshed. Workarounds: (A) reduce license use (delete one device); (B) request or purchase a license upgrade; (C) on the already managed FortiGates that need to be retrieved, run: (D) when adding a new FortiGate to the last license seat, it will initially fail on the retrieve step, but the device is added to DVM and within about 120 seconds an auto-retrieve is triggered and the first revision of the new device is created normally. |
966118 | FortiManager tries to purge all entries under the „system global split-port-mode” table for its System Template. |
967611 | Device Manager interface link status is blank for various Interface type (Tunnel, Aggregate, VDOM Link, Software Switch). |
969542 | The IPsec Tunnel Template sometimes displays a „Response with errors” message when the template is edited. |
969698 | FortiManager allows the creation of an empty service value for Internet Service routes. |
975310 | Unable to unset interface IP for a VLAN interface in Device Manager. |
1009883 | Unable to set RADIUS server addresses as FQDNs. Workaround: run the script directly on the FortiGate and then retrieve the configuration back to FortiManager. |
FortiSwitch Manager
Bug ID | Description |
---|---|
940419 | When adding a FortiSwitch on FortiManager, the error message „Import error – invalid port number” is displayed. |
947651 | Under FortiSwitch Manager > Per Device, the FortiSwitch name cannot be edited; the GUI returns the error „invalid value”. |
967213 | While attempting to deploy a FortiSwitch template to a model device, FortiManager generates the following error message: „VLAN interface does not match FortiLink.” |
Global ADOM
Bug ID | Description |
---|---|
906058 | Firewall address cannot be deleted from Global ADOM; it displays an error message indicating that the object is being used in ADOM root. |
925188 | The per-device mapping for any assigned global objects cannot be modified. |
969182 | Under the Global ADOM, the assignment of specific policy packages does not function properly. |
Others
Bug ID | Description |
---|---|
583349 | FortiManager does not provide support for image upgrades on „ONDEMAND” devices. |
796858 | Subject Key Identifier extension is missing on FortiManager ADOM CA certificate. |
874052 | After upgrading an ADOM from v7.0 to v7.2, when installing a policy package to a FortiGate running v7.2, FortiManager tries to change „match-vip” from „disabled” to „enabled”. |
875584 | FortiManager cannot upgrade ADOMs to 7.2 due to the error „copy system replacemsg spam.smtp-spam-emailblock”. Workaround: delete the replacement message „smtp-spam-emailblock” from System Templates. |
891253 | The firmware upgrade is successful; however, the task line does not get updated for the retrieve action when device names exceed the predefined character limit. |
897157 | Unexpected changes in existing static routes, created by static route template after upgrade to 7.0.7, 7.2.2, 7.4.0. |
900512 | FortiManager ADOM Upgrade fails with the error message, „Peer type cannot be peer when authentication method is pre-share key”. |
922957 | The „fmgd” process may crash while loading an ADOM when multiple policy packages are locked. |
924201 | Jinja templates do not automatically identify new variables when a new variable is added. |
930305 | Firmware template upgrade preview shows incorrect versions for the upgrade. |
935430 | When FortiAnalyzer is managed by FortiManager and FortiManager’s local logs are being sent to FortiAnalyzer, installing PP to FortiGates may display the message, „Confirm Deletion FortiManager is going to sync the following device deletion to FortiAnalyzer,…”. |
941203 | FortiManager does not support using Certificate Templates to create certificates with a „range=global” setting for FortiGates operating in multi-VDOM mode. |
957433 | When creating FortiManager/FortiAnalyzer Docker instances, the UUID is missing from the output of „diagnose debug vminfo”. |
960796 | FortiExtenders are not displayed under the FortiExtender Manager for all FortiGates. |
961155 | Event Logs cannot be downloaded via GUI. |
963490 | Installation fails because FortiManager attempts to „set role primary” for the „lan-extension backhaul” under „extender-controller”. |
971122 | FortiManager does not support all authentication types that are supported by FortiOS, leading to a certificate error in the FortiClient EMS connector. |
982564 | When upgrading the root ADOM, the process might fail with the following error message: „…The string contains XSS vulnerability characters…”. |
Policy and Objects
Bug ID | Description |
---|---|
630648 | A FortiManager instance running on Microsoft Azure is unable to import the SDN connector for a dynamic firewall address and is displaying an error message stating, „wrong input parameter.” |
696367 | Hit count, first used, and last used may not get updated on FortiManager. |
725427 | Policy package install skips the policy where destination interface is set as SD-WAN zone and policy is IPSEC policy. |
751443 | FortiManager displays policy installation copy failures error when IPsec template gets unassigned. |
804160 | FortiManager does not remove „Radius Server” on the FortiGate when it becomes unused. |
817289 | FortiManager only accepts IPv6 Compressed Notation format for the Policy & Objects. |
830640 | „Send files to FortiSandbox for inspection” option is being enabled when creating an antivirus profile. |
854359 | An installation error occurs when FortiManager attempts to install the wildcard FQDN addresses „mzstatic-apple” and „cdn-apple” within the „custom-deep-inspection” SSL/SSH profile. |
855073 | The „where used” feature (under the Source & Destination objects) incorrectly displays „No Record Found” even when these objects are in use. |
875103 | Local categories get purged if used in profile-mode security profiles. |
888798 | Changing a deep-inspection ssl-ssh-profile to „inspect all ports” may cause an installation error. |
894597 | The default value of „unsupported-ssl-version” in the ssl-ssh-profile gets modified during installation. |
899226 | Unable to create Central SNAT explicit port translations on FortiManager. |
900229 | In policy-based policy packages, application IDs are displayed instead of their names. |
901324 | Changing entries in the FortiGuard Category Based Filter table from „Monitor” to „Allow” cannot be saved. |
904751 | WebRating overrides can’t be deployed or deleted via FortiManager. |
905377 | Threat feeds with names starting with „g-” do not get installed to FortiGates without VDOMs enabled. |
907925 | IPS profile/Signature tab is not visible for admins with non-default admin profile. |
908353 | When an ISDB name changes, FortiManager does not automatically update the ISDB object name. |
908445 | FortiManager does not display the correct edit page for a virtual server VIP when the object is edited from the policy table. |
917225 | FortiManager is unable to install policy packages to multiple devices due to „security console” crashes. |
920983 | The policy blocks using a group object do not get updated when the objects within the group are modified. |
924680 | Policy packages containing geo-based ISDB objects may not be successfully installed to the FortiGates. |
924900 | Wrong date format is displayed for „first used” and „last used” column. |
938019 | Policy Package Status not changed on modification of nested group used in policy block. |
939979 | After editing authentication-rule/portal mapping, FortiManager installs unexpected changes to these rules. |
942659 | Syncing EMS tags from FortiManager fails when the EMS Connector is configured in multi-site mode. |
945632 | Modifying the Policy Installation Target does not trigger a status change in the Policy Package when adding an „install on” to a single policy. |
945853 | FortiManager doesn’t sync previously deleted EMS tags. |
948559 | Policy blocks do not load properly. |
949515 | Security Policy installation verification fails because the „internet-service-negate” feature gets enabled every time the policy is modified. |
954399 | Cloning Webfilter profiles does not save the FortiGuard Category Based Filter action. |
955010 | Comments on policies may be cleared when a blank area within the text field is clicked. |
957225 | ADOM admin users not able to view the managed FortiGate in the policy push wizard |
958923 | Installing policy packages that utilize an SSL/SSH Inspection profile may fail with the error message, „Server certificate replace mode cannot support category exempt.” |
959116 | The timestamps displayed for „First/Last Used” under the Hit Count for Firewall Policies within the Policy & Objects section are invalid. |
959166 | Export to Excel does not work. |
959877 | The timestamps displayed for „First/Last Used” under the Hit Count for Firewall Policies within the Policy & Objects section are invalid. |
959890 | Per-device mapping search for VDOMs is not possible for users. |
960660 | The Clone Reverse feature is not functioning when the firewall policy includes an Internet service address object. |
960778 | Installation failed because FortiManager attempts to remove a static entry, „QuarantinedDevices.” |
963008 | Impossible to merge duplicate objects. |
963536 | The policy package feature „Export to Excel” is not functioning. |
965670 | When creating a new interface of type „vlan”, changing the VDOM results in the removal of the selected interface. |
965719 | FortiManager is unable to enable the log setting for implicit deny rule under the policy package. |
972392 | Users do not receive a proper warning when creating a firewall address with the IP address „0.0.0.0/0”. |
978814 | When attempting to use the „Export to Excel” feature under the Firewall Policy with extensive rules, GUI may slow down and become unresponsive for some time. |
986262 | EMS Cloud tags are not updated on FortiManager. |
1002551 | FortiManager is pushing the web-proxy profile configuration without space between domains. |
Revision History
Bug ID | Description |
---|---|
513317 | FortiManager may fail to install policy after FortiGate failover on Azure. |
894523 | Object revision timestamp is taken from previous revision. |
904710 | Restoring a revision of a policy removes the information of all the SD-WAN rules. |
Script
Bug ID | Description |
---|---|
923966 | When FortiManager is operating in Workspace mode, there are no options to save changes after executing a CLI script. |
937528 | Unable to send DHCP options with „set value” using a CLI template or a script. |
Services
Bug ID | Description |
---|---|
863094 | The query status is not functioning correctly, and the „Top 10 Unrated Sites” section actually displays ratings. |
938365 | FortiManager's GUI does not display an option under FortiGuard Settings to support version 7.2 for FortiClient and FortiMail. |
980334 | „Download to Excel” option on Licensing Status under the FortiGuard does not work. |
System Settings
Bug ID | Description |
---|---|
733279 | After changing the HTTP or HTTPS port, FortiManager displays an „Unknown Error” message. |
842732 | FortiManager does not display the Secondary HA member’s status correctly. |
853429 | A FortiManager configuration backup cannot be created via SCP. |
871633 | The configuration that is not synchronized among HA members cannot be modified on secondary devices. |
881309 | In the SSO configuration, users are granted an ADOM/accprofile override whenever the IdP sends valid ADOM and „profilename” attributes, regardless of whether „ext-auth-accprofile-override” and „ext-auth-adom-override” are enabled or disabled. |
930200 | Unable to change the time and timezone from the GUI. |
930449 | Testing the syslog server displays the message, „Failed to send a test log to syslog server”. |
936694 | After removing a device, FortiManager generates repeated „sync dvmdb to faz” tasks for all logged-in administrative users. |
941082 | A password prompt is consistently requested with each new login attempt when applying password policies to a local account linked to FortiToken Cloud Mobile for multi-factor authentication (MFA). |
957308 | After enabling FortiAnalyzer features, the new Event Logs are not displayed in Event Log under the system settings. |
966148 | RADIUS remote users are unable to successfully install changes to FortiGates. |
VPN Manager
Bug ID | Description |
---|---|
678319 | Once the „os-check” option is enabled, the „os-check-list” table is not loaded. |
897574 | Address Objects with Meta Variables do not function correctly when creating Static routes using the VPN Manager. |
906097 | VPN Manager IPsec community Phase 2 encryption setting can’t be changed to AES256GCM from the GUI. |
923221 | Provision Template – IPsec Tunnel: cannot Activate IPsec_Fortinet_Recommended; GUI returns error. |
942222 | The configuration settings for the „peergroup” are not retained properly. |
Vendor release notes: FortiManager 7.2.5
Regards,
The B&B Team
Security in business