
Known issues

The following issues have been identified in 5.2.0. For inquiries about a particular bug or to report a bug, please contact Customer Service & Support.

Bug ID

Description

1014223

(Central Manager - Build 3195 or later) Unable to reset a two-factor authentication token for LDAP users.

952675

FortiSandbox integration test does not work as expected.

N/A

No support for organization-specific Aggregators in multi-tenancy setups.

N/A

(On-premise) Error when uploading a server certificate in the Central Manager, resulting in failure or the manager being down (application fails to start).

Workaround: Use the POST REST API (https://[host-ip]/maintenance/upload-certificate) as an admin user, or contact Fortinet Support to load it via an admin user.

1001334

Security events fully covered by an exception retain the full coverage indication icon even after new uncovered raw data items come in.

939481

In some cases, the communication control feature does not work due to unforeseen technical issues.

Workaround: Troubleshoot and upgrade the Central Manager.

973077

When you run a Threat Hunting query, the response time can vary depending on the selected "Time" and the amount of collected data. When the time is set to 30 days, the query can run for a few minutes.

982543

Cannot move a Collector to a different group via the REST API.

973252

Disconnected Collectors using an old registration password that was deleted from the Console are incorrectly classified as expired (with a status of "Disconnected (Expired)" instead of "Disconnected") and are excluded from license count.

941462

Upgrade to Central Manager build 5.2.0.3051 might fail in case of LDAP settings with no gateway.

N/A

Central Manager version 5.2.0.2387 or below does not work with Threat Hunting Repository version 5.2.0.2524.

Workaround: Upgrade the Central Manager, preferably to the GA version.

907362

Remote shell does not work on Windows XP and Windows Server 2003.

842110

In some network configurations, a rare issue might cause Collectors to be detected as IoT devices.

734616

The Advanced Search feature for Applications retrieves an application even if only some, rather than all, of the search parameters match specific versions of the application, which results in an empty application dropdown in some cases.

837675

No on-premise support before Central Manager build 5.2.0.2325.

812319

FortiEDR Connect cannot be used to run commands that are user-interactive.

811290

It is not possible to redirect FortiEDR web to a URL that is different than the one provided by Fortinet.

809060

FortiEDR Connect session may be disconnected due to inactivity of the FortiEDR Console, even though the Connect session is active.

807930

Application Control search only works by exact match.

807230

FortiEDR Connect cannot be used with 32-bit devices.

786156

Windows Security Center registration is not supported with Windows Server 2019 and above.

777707

Linux Collector content file is large and uploads slowly to the Central Manager.

773610

Execution Prevention Events are missing Device users.

772449

In Windows Security Center > Virus and Threat Protection, when you click "open app", end-user notification is presented instead of the FortiEDR tray app.

771666

OS indication is missing under Inventory and Dashboard for Linux Collector for CentOS 6.

771630

Device internal and external IP is missing from Threat Hunting events of Linux devices.

771619

Organization filter under Threat Hunting Hoster view malfunctions.

771044

SAML authentication cannot work with different organizations that use the same SAML Azure account.

Workaround: Use different Azure accounts for different FortiEDR organizations.

765785

In the presence of an email filtering system and/or a mail transfer agent that modifies the URL content, the installer download URL might include space(s) or %20s in it, which are added by the system/agent. This results in a signature error message from the installer storage.

Workaround: In such cases, the URL should be amended to drop the redundant space/%20 before it can be used.

765648

On Linux, threat hunting exclusions only work in kernel space mode, not in user space mode.

759573

Collector upgrade via custom installer requires password.

734594

Linux Threat Hunting Activity Events are missing the process hash.

734309

NGAV scan of specific Collectors/Groups scans all Collectors.

733603

Downgrading the Collector Version: When downgrading and restarting a device, the Collector does not start.

Workaround: Uninstall the Collector, reboot the device and then install the older version.

733601

Isolation and communication control connection denial are not supported with Oracle Linux Collectors.

733600

A newly created API user cannot connect to the system via the API.

Workaround: Before sending API commands, a new user with the API role should log into the system at least once in order to set the user’s password.

733598

Safari 11.1 on macOS malfunctions when viewing events.

733595

Limited support when accessing the Manager Console with Internet Explorer, EdgeHTML and Safari 13 or above. Chromium Edge is supported, as well as Chrome, Firefox and Safari 11 and above.

733592

Number of destinations under communication control is limited to 100 IP addresses.

733560

SAML Authentication can fail when used with Azure SSO due to exceeded time skew.

Workaround: Sign out and then sign in again to Azure so that the date and time provided to FortiEDR are refreshed.

733559

Some AV Products, including Windows Defender and some versions of FortiClient, require that their realtime protection be disabled in order to be installed alongside a FortiEDR Collector.

This is the result of FortiEDR registration as an antivirus (AV) in the Microsoft Security Center that was introduced in V4.0. Although there is no need for more than a single AV product to be installed on a device, FortiEDR can be smoothly installed, even if there is another AV already running. However, there are some other products whose installation fails when there are other AV products already registered.

Workaround: Disable realtime protection on the other product, or remove FortiEDR’s AV registration with Microsoft Security Center via the UI.

733557

A Collector may fail to install or upgrade on old Windows 7 and Server 2008 devices that cannot decrypt strong ciphers with which FortiEDR Collector is signed.

Workaround: Patch Windows with the Microsoft KB that provides SHA-256 code signing support.

733550

Upgrading from Older Versions: A direct upgrade path for backend components (Central Manager, Aggregator, Core, Threat Hunting Repository) of V5.0.2 or earlier is not supported.

Workaround: Upgrade the older environment to V5.0.3 before upgrading it to V5.2.

733548

Component Backward Compatibility: v5.2 Central Manager supports Cores/Collectors from older versions with limited functionality. Some new features introduced in later versions may not be available.

854124

An issue with suspicious driver FP events caused by the Core 5.2.0.2293 build.

Workaround: Upgrade the Core to build 5.2.0.2300 or upgrade Content to 7431.

889422

Remote shell connection cannot be established if the Collector connects to the Aggregator via a proxy server.
