User cannot use LDAP credentials to authenticate for REST API.

LDAP authentication fails sporadically.

Some event log entries in threat hunting display logged event values in incorrect logged event fields .

In Fortinet pre-defined applications, selecting a group checkbox selects only the first page.

Application Control and Exclusion validation error messages regarding the usage of wildcards in the application name/path are not

accurate.

In Fortinet pre-defined applications, application name is missing from audit logs.

Collectors with a deleted registration password are marked as expired.

Incorrect threat hunting profile order of Fortinet pre-defined application profiles.

REST API file scan: unclear error when "organization" is not sent in multi-tenancy setup.

REST API file scan: no errors with invalid input for scanSelection.

Inventory Collectors display has a column style issue when no Collectors exist.

The "Organization" field is a mandatory field when using the File Scan Rest API when the environment includes no organizations.

Workaround: When using this API, provide the "Organization" field with the value from Administration > Licensing > Name.

Log does not contain concrete helpful errors for API.

The API for moving a Collector to a high security group can be triggered when the Collector has already been moved.

Spaces should not be allowed at the beginning or end of exclusion list names.

Missing Fortinet pre-defined applications fields in REST API.

Cannot close the Import/Export Exclusion window using the Close (X) button.

Incorrect path length display in error message when importing or exporting exclusions.

Cannot move a Collector to a different group via Rest API.

Disconnected Collectors using an old registration password that was deleted from the Console are incorrectly classified as expired (with a status of "Disconnected (Expired)" instead of "Disconnected") and are excluded from license count.

Component Backward Compatibility: v6.0 Central Manager has the following limitations in backward compatibility:

• Collectors from older versions are supported with limited functionality. Some new features introduced in later versions may not be available.

• Only the following Core versions are supported:

  • 6.0.1 builds

  • 5.2.0.4189 or later

  • 5.2.2.2043 or later

In the Investigation View, the message is wrong in the Block address on firewall window when you click Firewall Block.

Unarchiving all events in large environments might cause the Central Manager to malfunction.

Workaround: Filter events before unarchiving to reduce unarchive size.

Failure to edit a Hoster user when a local user has the same name.

Remote shell does not work on Windows XP and Windows Server 2003.

In Threat Hunting, clicking Retrieve Target File for "File Rename" events retrieves the old file name instead of the renamed one.

Unable to filter by empty registry names in facets in Threat Hunting.

Remote shell connection cannot be established if collector connects to aggregator via a proxy server.

Rest API is not enforcing users roles permissions.

Application Control cannot remove multiple tags in one action.

Raw data IDs appearing in the Collector tray and Event Viewer may differ.

It is not possible to redirect FortiEDR web to a URL that is different than the one provided by Fortinet.

FortiEDR Connect session may be disconnected due to inactivity of the FortiEDR Console, even though the Connect session is active.

Application Control search only works by exact match

Rest API does not support LDAP users.

Windows security center registration is not supported with Windows servers 2019 and above.

Linux Collector content file is large and uploads slowly to the Central Manager.

In Windows Security Center > Virus and Threat Protection, when you click "open app", end-user notification is presented instead of the FortiEDR tray app.

Device internal and external IP is missing from Threat Hunting events of Linux devices.

Organization filter under Threat Hunting Hoster view malfunctions.

SAML authentication cannot work with different organizations that use the same SAML Azure account.

Workaround: Use different Azure accounts for different FortiEDR organizations.

In the presence of an email filtering system and/or a mail transfer agent that modifies the URL content, the installer download URL might include space(s) or %20s in it, which are added by the system/agent. This results in a signature error message from the installer storage.

Workaround: In such cases, the URL should be amended to drop the redundant space/%20 before it can be used.

Threat hunting exclusions cannot be set on log events coming from Linux devices

Collector upgrade via custom installer requires password.

FortiEDR Connect cannot be used to run commands that are user-interactive.

Downgrading the Collector Version: When downgrading and restarting a device, the Collector does not start.

Workaround: Uninstall the Collector, reboot the device and then install the older version.

Isolation and communication control connection denial are not supported with Oracle Linux Collectors.

A newly created API user cannot connect to the system via the API.

Workaround: Before sending API commands, a new user with the API role should log into the system at least once in order to set the user’s password.

Safari 11.1 on macOS malfunctions when viewing events.

Limited support when accessing the Manager Console with Internet Explorer, EdgeHTML and Safari 13 or above. Chromium Edge is supported, as well as Chrome, FireFox and Safari 11 and above.

Number of destinations under communication control is limited to 100 IP addresses.

SAML Authentication can fail when used with Azure SSO due to exceeded time skew.

Workaround: Sign out and then sign in again to Azure so that the date and time provided to FortiEDR are refreshed.

Some AV Products, including Windows Defender and some versions of FortiClient, require that their realtime protection be disabled in order to be installed alongside a FortiEDR Collector.

This is the result of FortiEDR registration as an antivirus (AV) in the Microsoft Security Center that was introduced in V4.0. Although there is no need for more than a single AV product to be installed on a device, FortiEDR can be smoothly installed, even if there is another AV already running. However, there are some other products whose installation fails when there are other AV products already registered.

Workaround: Disable realtime protection on the other product, or remove FortiEDR’s AV registration with Microsoft Security Centervia UI.

A Collector may fail to install or upgrade on old Windows 7 and Server 2008 devices that cannot decrypt strong ciphers with which FortiEDR Collector is signed.

Workaround: Patch Windows with Microsoft KB that provides SHA-256 code sign support.