Fortinet has released an update of FortiManager to version 7.6.3. Among other fixes, it resolves an issue where assigning templates purged the BGP configuration, which previously led to loss of settings on managed FortiGates. IPsec template handling has also been improved: deleting a tunnel no longer causes unexpected changes to the remaining entries. The configuration install mechanism has also been fixed for ZTNA policies and central NAT; earlier bugs caused installation failures or incorrect behavior.
Resolved issues:
AP Manager
Bug ID | Description |
---|---|
1083224 | FortiManager attempts to install 'port1-mode > bridge-to-wan' when 'Override LAN Port' is enabled and 'LAN Port Bridge' is set to 'Bridge to LAN'. |
Device Manager
Bug ID | Description |
---|---|
932579 | Assigning a BGP template is purging the previously existing BGP config from the target FortiGates. |
995919 | Cannot config system password-policy expire-day for FortiGates. |
1004220 | The SD-WAN Overlay template creates route-map names that exceed the 35-character limit. |
1041265 | While using a Device Blueprint to apply a pre-run cli template and creating model devices via CSV import, the pre-run does not show applied in Device Manager. |
1073479 | Install preview does not function properly. |
1079654 | Firewall address entries are incorrectly generated when creating a bridge/mesh-type SSID. |
1080940 | In an IPSEC tunnel template, deleting an IPSEC tunnel that is not the last one in the template causes the configuration of the last remaining tunnel to disappear when you revisit the template. |
1085385 | Importing SD-WAN configuration previously completed on a FortiGate as a provisioning template in FortiManager returns "Response format error" message. |
1086303 | An installation error may occur when binding and installing the created VLAN interface to the software switch due to ip-managed-by-fortiipam. No issues have been observed with the installation of VLAN interfaces or physical interfaces. |
1089102 | Metadata variable value cannot be emptied (value deleted) after a value has been set via Edit Variable Mapping for a model device. |
1094451 | If the Timezone field in the System Template is left blank, FortiManager may apply its default timezone and overwrite the existing timezone on the FortiGates. |
1099270 | Unable to upgrade FortiGate HA devices via Firmware Templates. |
1103166 | Installation wizard might get stuck at 50% if the device has Jinja CLI template assigned. |
1110780 | FortiManager does not allow creating the local-in policy with SD-WAN zone. |
1115014 | FortiManager fails to install SSID configuration in FortiGate when captive portal is enabled with error, "Must set selected-usergroups". |
1119280 | Firmware Template assignment does not work properly. |
1122481 | When a FortiGate HA failover occurs, making any changes to the SD-WAN configuration on the FortiGate HA may cause FortiManager to attempt to purge the firewall policies on the device during the installation (Install Device Settings (only)). |
1124171 | FortiManager retrieves the device configuration from the ZTP FortiGate after the image upgrade is performed, due to the 'Enforce Firmware' feature. This action erases all settings in the device database on the FortiManager side, and as a result, AutoLink installation will not be completed successfully. |
1126321 | When creating a VLAN with "LAN" Role, an object is created even if "Create Address Object Matching Subnet" is disabled. |
1128094 | After upgrading to v7.2.10, the entries under Network Monitor > Routing (Static & Dynamic) no longer appear. |
FortiSwitch Manager
Bug ID | Description |
---|---|
1026433 | When navigating to FortiSwitch Manager > FortiSwitch VLAN > "BUILD-VLAN" and enabling the DHCP Server, the Advanced options are missing the "filename" field. |
1089719 | FortiSwitch 110G is not supported. |
1097467 | There is a mismatch in the per-VDOM limit between the Managed FortiSwitch on the FortiManager and the actual FortiGate, causing a copy failure error when installing the configuration. So far, this issue has been observed on the FGT-90G. |
1077058 | IPv4 allow access for VLAN interface over Per-Device Mapping cannot be set. |
Global ADOM
Bug ID | Description |
---|---|
1111249 | Unable to assign Global Policy to any ADOM, when firewall address with metadata variables has been used. |
Others
Bug ID | Description |
---|---|
1009848 | Support ISE distributed deployment: PAN/MnT Nodes up to 2, Pxgrid Nodes up to 4. |
1052341 | Not able to select Address type MAC in SD-WAN rule source address. |
1091375 | When the install is waiting for a session, it neither updates nor completes the task. |
1104486 | Configuring auto-virtual-mac-interface from FortiManager may unexpectedly unset the virtual-mac in the interface during verification. |
1106312 | The Table View and Device History sections under the SD-WAN Manager’s Network tab do not properly display all detailed information, such as Interfaces, Link Mode, and other relevant data. (This issue was initially reported in relation to FortiGate 7.6.1). |
1114809 | After upgrading the FortiManager using the "Upgrade Image via FortiGuard" feature, the FortiManager JSON API login may fail, leading to service disruptions. This issue is important for FortiPortal and other FortiManager API clients. |
1117603 | Some compatibility issues have been encountered with FortiOS 7.4.7, please review the Release Notes. |
1124007 | OK button does not save the settings. Navigate to Device Manager > Device & Groups > right-click on FortiGate > Firmware upgrade > Schedule > Custom > Define time > Press OK. |
1136765 | The PxGrid connector should support Fully Qualified Domain Names (FQDN). |
Policy and Objects
Bug ID | Description |
---|---|
968149 | Unable to export policy package to CSV. |
986256 | When creating the application list on the FortiManager, if the Category ID is set to 33 or 34, the installation does not display any errors. However, these invalid categories cannot be set on the FortiGate. Consequently, the assigned application list entry will be created without a specific category and will default to the "block" action. This behavior may cause network interruptions. |
1030914 | Copy and paste function in GUI removes name of the policy rule and adds unwanted default security profiles (SSL-SSH no-inspection and default PROTOCOL OPTIONS). |
1047850 | Error occurs when modifying any route maps: 'Cannot save route maps: rule/[id]/set-priority: out of range…'. |
1073463 | Installation is failed with error "VIP entry cannot be moved when central-nat is disabled." |
1077964 | After ZTNA server real server address type changes from FQDN to IP, the policy installation may fail; FortiManager pushes ZTNA server config with wrong order. |
1078598 | Unable to import policy due to issues related to the protocol-options feature. |
1086705 | Multicast policy table Log column shows wrong info and right-click update does not work properly. |
1101436 | The "sni-server-cert-check" cannot be disabled on SSL-SSH inspection profile for "ftps" "pop3s" and "smtps". |
1101919 | Changes to a Virtual IP global settings are not applied when a per-device mapping exists. |
1108159 | IP address list for an ISDB object differ between FortiManager and managed FortiGate while both devices have installed the same ISDB definitions. |
1109061 | FortiManager tries to set the inspection mode for the deny policies. |
1112011 | When a policy package contains a globally assigned policy, installing a local ADOM policy package (with the "Install On" feature enabled for a specific device) may not function properly. The policy could be installed on all devices instead of the intended one. |
1113129 | FortiManager is treating implicit-deny local-in policy incorrectly, denying any traffic. |
1119299 | Installation fails due to syntax compatibility issues between FortiManager and FortiGate version 7.2.10. Specifically, the issue occurs when FortiManager attempts to unset the servercert in the vpn ssl settings. |
1130475 | FortiManager starts appending an ID to the global-label associated with policies. This can cause a problem if global labels are being used to group policies together. |
1131552 | Import fails due to an invalid remote certificate, even though the certificate is available on the FortiGate. |
1132984 | FortiManager is not updating SSL inspection settings. |
1133553 | Unused policy tool showing No hit count report for this policy package message when policy block is added to policy package. |
1139220 | FortiManager does not prevent users from mixing ISDB and destination addresses. |
Script
Bug ID | Description |
---|---|
1085374 | FortiManager does not support exporting the TCL scripts via CLI. |
Services
Bug ID | Description |
---|---|
1104925 | FortiManager in Cascade mode may fail to display accurate license information/contracts for FortiGate retrieved from the FDS server, as it is not listed in the FortiGate’s authlist. |
1138715 | FortiManager does not auto-download the FortiClient signature from FortiGuard. |
System Settings
Bug ID | Description |
---|---|
1108205 | ADOM lock override does not work even though lock-preempt has been enabled. |
1115464 | When any interfaces have the serviceaccess feature enabled (fgtupdates, fclupdates, and webfilter-antispam), changing the IP address on the desired interfaces may not immediately affect the listing port for that IP. As a result, the user might not be able to access the GUI using the newly configured IP address (assuming default port 443 is being used). |
1121608 | Under the Dashboard > Sessions widget, the number of current sessions presented in FortiManager does not match the number of sessions in the FortiGate. |
VPN Manager
Bug ID | Description |
---|---|
1084434 | Unable to rename the address objects (either source and/or destination) used in Phase2 quick selectors in IPSec VPN without an installation error. |
1090636 | Unable to edit VPN community due to the following error message: "vpnmgr/vpntable/: cannot be edited". |
Vendor notes: FortiManager 7.6.3 Release Notes
Best regards,
The B&B Team
Bezpieczeństwo w biznesie