Fortinet Document Library

Release Notes

Resolved Issues

The following issues have been fixed in 6.2.5. For inquiries about a particular bug, please contact Customer Service & Support.

AP Manager

Bug ID

Description

553985 FortiManager incorrectly sets "security-external-web" when external authentication is selected.
555159 AP Manager still shows the SSID after it is deleted from Device Manager.
568631 Per-Device Mapping for FortiAP SSID in Bridge mode should not have IP and is missing the VLAN field.
585157 FortiManager is missing 802.11ax/ac related settings on FAPU431F and FAPU433F.
595674 When attempting to place an AP on a map, there is a considerable border around map image where it is not possible to place an AP to the far right or complete bottom of the floor.
597818 ADOM upgrade may delete Floor Map in AP Manager.
600899 FortiManager is unable to delete WiFi profile with a forward slash in the name.
603511 AP Manager may try to unset authentication for SSID when the device is configured under per-device mapping.
604642 Changing SSID Groups makes changes on all member SSIDs.
620117 AP Manager needs to support FortiAP-U431F and FortiAP-U433F.

Device Manager

Bug ID

Description

627351 System Templates is unable to apply or import a certificate in syslog settings for v6.0 ADOMs.

411914 System Template's Enable FortiGuard Security Updates option should check if antispam-force-off and webfilter-force-off are disabled.
459895 FortiManager may not configure an IPS profile on a One-Arm sniffer interface.
525051 Automation stitch cannot add FortiGates to automation.
541911 When workspace is enabled, FortiManager cannot run CLI template after it is assigned to a device.
544222 In the device configuration's log setting, both local traffic log and event logging have Enable All buttons that may not work.
544337 FortiManager is missing Firmware information when creating or editing a device group.
544982 Policy Package Status may get out-of-sync for all devices when adding one device to Install On.
555635 Certificate is not visible in GUI after restoring the configuration, which was exported from FortiManager.
563373 FortiManager should support FortiGate-VM FNDN.
572337 Config Status may display Modified instead of Conflict status following a failed policy package install.
573293 After upgrade, FortiManager may not be able to import policy package in Workflow mode.
576850 VDOM names may be inconsistent between FortiManager and FortiGate.
589453 Application group of type category should not be used for SD-WAN rules.
589814 User should be able to make interface changes using CLI Configuration.
591981 After the set max-revs value is modified, the change is not immediately reflected on the GUI.
592646 When creating an SD-WAN and disabling its status, both Monitor map view and table view cannot be displayed.
593480 When there is no interface assigned to SD-WAN, both map view and table view cannot be shown.
593505 Provisioning Template sets incorrect syslog severity level under log settings.
594324 A model FortiGate device that connects to FortiManager may unset all configurations.
594348 FortiManager should show buttons to create, edit, and delete TACACS+ on the CLI Configuration page.
594709 Device Manager may not be able to generate Policy Package Diff result.
594905 FortiManager may take a long time to load system interface.
595683 Modifying anything on a policy ID does not modify status of Policy Package when using workflow mode.
595803 When configuring PPPoE from CLI Configuration, installation fails with unexpected deletion of system-interface.
595941 Importing policy package may unexpectedly convert regular address objects to dynamic address objects.
598650 SD-WAN monitor table view may not show data for FortiGate 5.6 device.
599141 After upgrade, the Policy Route menu no longer displays Source Addresses or Destination Addresses.
599768 FortiManager may not be able to display the second shelf manager.
599769 FortiManager may not be able to Enable Security Fabric on some FortiGate platforms.
601223 Device database configuration may mismatch with FortiGate even if auto-update happens.
602275 FortiManager may not be able to remove VDOM or device when FortiAnalyzer Features are enabled.
602706 SD-WAN Template may keep loading.
603215 Fabric is not enabled in allowaccess after enabling fortilink on an interface.
603286 Device Manager's dashboard System Time and HA Mode buttons have no effect.
603405 FortiManager cannot set radio-2 band to 802.11ax under CLI Configuration.
603522 Fabric should be shown as an option for administrative access.
603542 Password field should not be deleted when making changes to PPPoE interface.
603606 FortiManager should accept volume ratio value of 0 within SD-WAN configuration.
603820 FortiManager fails to import policy when reputation-minimum and reputation-direction are set.
604269 FortiManager should permit Virtual Wire Pair to use Aggregate interface.
604808 Verification may fail on system interface tc-mode or phy-mode when installing to FortiGate-60E-DSLJ.
605178 FortiManager should be able to set None interface under Policy Route.
605946 Import may fail where there are objects with truncated names.
606628 FortiManager may fail to retrieve configuration with SAML SP IDP certificate.
607672 Import may fail with error user group match is not a member.
608642 Importing policy should not make dynamic mapping for policy object when there is only a change on hidden attributes.
609757 Adding a new device on SD-WAN Template may cause Config status to change to Modified on all devices.
610015 Scroll bar is not working well in install preview pop-up.
610585 Device Manager cannot save DHCP for Unknown MAC address with action set to block.
610937 In non-root management VDOM, FortiManager prompts no permission error when accessing device interface.
613426 VDOMs may show up twice in Device Manager.
615092 FortiManager should allow using FQDN for FortiAnalyzer logging.
616264 IPv6 extra-address may not convert properly.
616606 IPSec Phase 1 does not have all encryption proposals listed.
616619 When using a script or CLI only page, a user can create interface-policy without setting srcaddr, dstaddr, or service even though they are required fields.
619377 FortiManager cannot retrieve FortiGate-800D containing more than 2048 Firewall custom services.
620029 Deleting a VDOM may prompt Internal Error.
622353 Cloning VPN Phase1-Interface does not clone Phase1 proposals.
625691 FortiManager does not allow DHCP lease time to be disabled.
626152 Adding FortiGate-100E may fail at user group.guest.

FortiSwitch Manager

Bug ID

Description

503722 FortiSwitch Manager and AP Manager report switches and APs connected to FortiGates as online when the devices are no longer powered on.
597715 Under FortiSwitch Manager Per device mode, FortiManager may prompt error [object Object] when trying to create a VLAN with VLAN ID.
601242 Installation may fail because the qtn.fortilink configuration cannot be deleted.
601712 In Workflow mode, FortiManager may lose FortiSwitch templates and VLAN configuration.

615472 DHCP exclude range is not stored in FortiSwitch Manager central mode.
624143 FortiSwitch Manager may not install VLAN to FortiGate.

Others

Bug ID

Description

364541 The command, diagnose dvm support list, should include all supported platforms.
574731 Builds 0349 and 1121: Some hardware specific SNMP traps are missing from the device SNMP settings and the system provisioning templates.
581140 The SNMP, FmDeviceEntPolicyPackageState, always returns (-1), which indicates never installed, regardless of the actual policy package status.
584053 FortiManager may show fmgd crashes after switching among pages.
590037 FortiManager CPU usage may spike when going to interface and VPN Phase1 or Phase2 page.
591206 The SNMP trap, fmDeviceTable, should show VDOM information as well.
593421 Running ADOM integrity check may cause cdb reader to crash.
601978 Diagnostic command may fail to repair database when device is in standalone mode but there are entries in HA member table.
602216 FortiManager is unable to add SNMP hosts when set alias is configured on a port.
609040 Device manager may be empty after upgrade.
611548 dbcache.db file size may keep increasing.
622411 Valid zone and interface mappings are deleted after running the diag cdb check policy-packages command.

Policy and Objects

Bug ID

Description

629412 ADOM v6.0 ssl-ssh-profile with deep inspection disabled is changed with deep inspection when installing to a FortiGate v6.2 device.

505887 Internet Service should separate into source and destination.
545605 Searching on Created Time or Last Modified does not work on policy table.
574560 Installation from FortiManager may fail with the error, "No response from remote" FortiGate.
577201 Next button should be inactive until zone validation is fixed in the case of 'Re-Install Policy'.
577816 Policy-based rule shows NAT status as disabled or empty.
577818 When a policy package in an ADOM v6.0 is enabled with policy-based mode, the rules do not show the application column.
578004 The policy interface colors are different between Device Manager and Policy & Objects.
580166 Bulk installation may become stuck with fake policy package.
581825 In workflow mode, changes to the SSL VPN portals do not trigger "Modified" status on the policy package.
582255 FortiManager is unable to lock an ADOM if another admin is installing a policy to the same FortiGate in a different ADOM.
594957 SSL/SSH Inspection profile should not allow "Untrusted SSL Certificates" to be set to Block.
597879 Policy package installation fails with commit check error on system interface dhcp-relay-type.
598656 When long-vdom-name is enabled on FortiGate, installing from FortiManager may show nothing to install.
599780 If one or more devices have a policy validation error, FortiManager does not show devices that are "ready to install".
601073 When renaming an address object, the error "invalid value" is prompted when it should be "object already exists".
601081 FortiManager is missing the feature to change IPS Signatures status.
601320 FortiManager should be able to display IPv4 policies in Interface Pair View mode.
602600 FortiManager may show duplicate sections in the policy page.
602871 FortiManager may show zero on First use, Last used, and Byte count on policy.
604159 Cloning an existing policy package adds the "clone_of_" to the name even when the feature is disabled.
604577 When logged in as a Restricted Admin or regular User, it is not possible to reference "Web content filter" in a web profile.
605947 FortiManager is unable to configure holddown-interval for Virtual Server.
606721 FortiManager should not allow users to create a firewall address with a name that conflicts with the names of existing wildcard-fqdn addresses.
607281 pxgrid connector on FortiManager may not work with Cisco ISE version 2.7.
607370 When workspace is enabled, auto-install fails with error "no write permission".
607958 FortiManager should be able to modify Per-device mapping for global VIP in local ADOM.
608105 When making changes to Virtual server or Health check for load balance, it should be detected and installed to FortiGate properly.
608236 FortiManager is unable to install ssl-ssh-profile policy updates when disabling protocols on a policy.
612672 The policy block hit count stays at zero even if the counter increments properly on the FortiGate side.
615823 VPN tunnel is not unset when changing the action of firewall policy from IPSEC to Accept.
618711 Installation to FortiGate may fail for dhcp-relay-agent-option.
623104 FortiManager may not be able to promote the Web Filter object from any ADOM to Global ADOM.
624561 Changing an Accept policy with proxy-based inspection mode to Deny may lead to installation failure.
624586 FortiManager may try to unset server-identity-check while pushing a new LDAP server.
628830 FortiManager should be able to select a device to install after adding a group object member to a nested group.

Revision History

Bug ID

Description

492088 FortiManager attempts to change Chassis ID on FortiGate 7000 series when installing configuration.
543507 Install fails for newly defined transparent VDOM's management IP.
555796 Installing policy on 6K series FortiGate may remove the interface setting "set forward-error-correction rs-fec".
560888 FortiManager may unexpectedly reset some parameters for IPS sensor entry.
584118 Router access-list rule's default value is mismatched causing installation failure.
590325 Installing EMAC-VLAN may fail on verifying device-identification setting.
592062 Custom Internet Service created on FortiManager systematically fails to be installed on target FortiGate.
594147 FortiManager does not perform interface binding contradiction check when the firewall policy is using an address group and the user changes an address group member.
597353 Policy install may remove auth-redirect-addr when disclaimer is set.
598173 When changing the "User Group Source" from Local to Collector Agent, FortiManager should automatically unset the undesired commands.
599413 Policy Package Diff is showing differences for passwords when there is no actual difference.
600085 Some special characters may prevent revision history from being saved with a full tmp folder.
600833 When trying to create a local certificate, and assign and install it for remote administration, the install operation fails due to incorrect order of configurations.
601668 FortiManager may install overlapping VIP objects to FortiGate.
602272 Installing UUIDs from local-in policies for FortiGate-60F may cause installation failure.
604738 Verification fails for replacemsg auth-authorization-fail after upgrading FortiManager and installing to a FortiGate with a system template assigned.
605187 FortiManager may fail to add members into a zone.
605899 FortiManager should not mandate the use of the access key, secret key, and region fields for SDN Connector.
607216 When a primary-device is set on a custom device, the type should not be available on FortiManager.
608051 Policy package install time increases when using policy package diff option.
609110 Config revision created by Script_manager causes an error when restored onto the FortiGate directly.
610687 FortiManager should not unset forward-error-correct during install.
612781 FortiManager should try to remove any referenced policies prior to creating a zone interface.
613057 During install verification, FortiManager changes the IP of unicast heartbeat interfaces after FortiGate cluster failover.
624583 When pushing a new configuration, FortiManager may try to change the Kerberos keytab on the FortiGate causing install failure.

Script

Bug ID

Description

593217 FortiManager is unable to delete Virtual-Switch members via script if the number of remaining interface members is less than two.
608828 Script's timestamp under Template and Template group does not follow the correct date format YYYY-MM-DD.

Services

Bug ID

Description

591519 FortiManager adds upgrade support for FortiAP-231E.

563624 FortiManager dbcontract updated with the entitlement file shows different contracts compared to FortiManager dbcontract updated from FDS.
577875 FortiManager may not correctly group firmware images.
597656 FortiManager may not be able to upgrade firmware on some FortiGate platforms, such as FGT-50E or FGT-30E.
598940 Pop-up window on license status may not close and may stay on the screen.
601222 HTTP 1.1 host header may be missing in FortiGuard web proxy requests.
604677 When attempting to delete a selected firmware image, FortiManager randomly deletes a non-selected image instead.
604744 Upgrading FortiGate firmware may fail when choosing an image downloaded from FortiGuard.

634732 When upgrading FortiGate firmware from v5.4 to v5.6 or v5.6 to v6.0, it may fail with incorrect firmware version and it may cause retrieve to fail.

System Settings

Bug ID

Description

202924 FortiManager should be able to restore large backup files via web interface.
571181 An admin user with read-write system permissions and restricted to one ADOM can change their permission to All ADOMs.
588852 Idle time is constantly reset for inactive users.
592156 Upgrade task for managed devices in Task Monitor always shows Pending status with 0.
599812 Stager or pusher admin has no permission to view VDOM interface mapping.
599847 FortiManager may not be able to move VDOMs with long names among different ADOMs.
604069 IPv6 communication fails after setting interface status between down and up.
606545 There may be an HA synchronization issue when policy hit count is disabled.
608378 FortiManager is unable to upgrade ADOM due to name conflicts in wildcard FQDN address.
611637 Policies are not visible when workflow session is created in an ADOM that is upgraded.
611825 FortiManager fails to edit device interface when FortiSwitch is set to RO within admin profile.

623149 The list to select device is not consistent with All except ADOMs list restriction.

VPN Manager

Bug ID

Description

621187 When a route is added in the Portal of SSL VPN, policy package is shown as "Modified" but install preview shows "No command to install".

554080 VPN monitor may not list all mesh tunnels if the remote VPN peer has a dynamically assigned IP address and subscribes to a dynamic DNS service.
587760 Address group dynamic mapping is ignored when it is used as a protected subnet with VPN Manager.
599242 For Dialup tunnels, auto-negotiate should only be applied to spokes.
616352 FortiManager may show empty value for phase1 and phase2 proposals.

Common Vulnerabilities and Exposures

Visit https://fortiguard.com/psirt for more information.

Bug ID Description

511903 FortiManager 6.2.5 is no longer vulnerable to the following CVE reference:

  • CVE-2004-0230

476783 FortiManager 6.2.5 is no longer vulnerable to the following CVE reference:

  • CVE-2020-9289

597311 FortiManager 6.2.5 is no longer vulnerable to the following CVE reference:

  • CVE-2004-1653

606144 FortiManager 6.2.5 is no longer vulnerable to the following CVE reference:

  • CVE-2019-9193

Resolved Issues

The following issues have been fixed in 6.2.5. For inquires about a particular bug, please contact Customer Service & Support.

AP Manager

Bug ID

Description

553985 FortiManager incorrectly sets "security-external-web" when external authentication is selected.
555159 AP Manager still shows the SSID after it is deleted from Device Manager.
568631 Per-Device Mapping for FortiAP SSID in Bridge mode should not have IP and is missing the VLAN field.
585157 FortiManager is missing 802.11ax/ac related settings on FAPU431F and FAPU433F.
595674 When attempting to place an AP on a map, there is a considerable border around map image where it is not possible to place an AP to the far right or complete bottom of the floor.
597818 ADOM upgrade may delete Floor Map in AP Manager.
600899 FortiManager is unable to delete WiFi profile with a forward slash in the name.
603511 AP Manager may try to unset authentication for SSID when the device is configured under per-device mapping.
604642 Changing SSID Groups makes changes on all member SSIDs.
620117 AP Manager needs to support of FortiAP-U431F and FortiAP-U433F.

Device Manager

Bug ID

Description

627351

System Templates is unable to apply or import a certificate in syslog settings for v6.0 ADOMs.

411914 System Template's Enable FortiGuard Security Updates option should check if antispam-force-off and webfilter-force-off are disabled.
459895 FortiManager may not configure an IPS profile on a One-Arm sniffer interface.
525051 Automation stitch cannot add FortiGates to automation.
541911 When workspace is enabled, FortiManager cannot run CLI template after it is assigned to a device.
544222 In the device configuration's log setting, both local traffic log and event logging have Enable All buttons that may not work.
544337 FortiManager is missing Firmware information when creating or editing a device group.
544982 Policy Package Status may get out-of-sync for all devices when adding one device to Install On.
555635 Certificate is not visible in GUI after restoring the configuration, which was exported from FortiManager.
563373 FortiManager should support FortiGate-VM FNDN.
572337 Config Status may display Modified instead of Conflict status following a failed policy package install.
573293 After upgrade, FortiManager may not be able to import policy package in Workflow mode.
576850 VDOM names may be inconsistent between FortiManager and FortiGate.
589453 Application group of type category should not be used for SD-WAN rules.
589814 User should be able to make interface changes using CLI Configuration.
591981 After modified set max-revs value, the change is not immediately reflected on GUI.
592646 When creating an SD-WAN and disabling its status, both Monitor map view and table view cannot be displayed.
593480 When there is no interface assigned to SD-WAN, both map view and table view cannot be shown.
593505 Provisioning Template sets incorrect syslog severity level under log settings.
594324 Model FortiGate device connects to FortiManager may unset all configurations.
594348 FortiManager should show buttons to create, edit, and delete TACACS+ on the CLI Configuration page.
594709 Device Manager may not be able to generate Policy Package Diff result.
594905 FortiManager may take a long time to load system interface.
595683 Modifying anything on a policy ID does not modify status of Policy Package when using workflow mode.
595803 When configuring PPPoE from CLI Configuration, installation fails with unexpected deletion of system-interface.
595941 Importing policy package may unexpectedly convert regular address objects to dynamic address objects.
598650 SD-WAN monitor table view may not show data for FortiGate 5.6 device.
599141 After upgrade, the Policy Route menu no longer displays Source Addresses or Destination Addresses.
599768 FortiManager may not be able to display the second shelf manager.
599769 FortiManager may not be able to Enable Security Fabric on some FortiGate platforms.
601223 Device database configuration may mismatch with FortiGate even if auto-update happens.
602275 FortiManager may not be able to remove VDOM or device when FortiAnalyzer Features are enabled.
602706 SD-WAN Template may keep loading.
603215 Fabric is not enabled in allowaccess after enabling fortilink on an interface.
603286 Device Manager's dashboard System Time and HA Mode buttons have no effect.
603405 FortiManager cannot set radio-2 band to 802.11ax under CLI Configuration.
603522 Fabric should be shown as an option for administrative access.
603542 Password field should not be deleted when making changes to PPPoE interface.
603606 FortiManager should accept volume ratio value of 0 within SD-WAN configuration.
603820 FortiManager fails to import policy when reputation-minimum and reputation-direction are set.
604269 FortiManager should permit Virtual Wire Pair to use Aggregate interface.
604808 Verification may fail on system interface tc-mode or phy-mode when installing to FortiGate-60E-DSLJ.
605178 FortiManager should be able to set None interface under Policy Route.
605946 Import may fail where there are objects with truncated names.
606628 FortiManager may fail to retrieve configuration with SAML SP IDP certificate.
607672 Import may fail with error user group match is not a member.
608642 Importing policy should not make dynamic mapping for policy object when there is only a change on hidden attributes.
609757 Adding a new device on SD-WAN Template may cause Config status to change to Modified on all devices.
610015 Scroll bar is not working well in install preview pop-up.
610585 Device Manager cannot save DHCP for Unknown MAC address with action set to block.
610937 In non-root management VDOM, FortiManager prompts no permission error when accessing device interface.
613426 VDOMs may show up twice in Device Manager.
615092 FortiManager should allow using FQDN for FortiAnalyzer logging.
616264 IPv6 extra-address may not convert properly.
616606 IPSec Phase 1 does not have all encryption proposals listed.
616619 When using a script or CLI only page, a user can create interface-policy without setting srcaddr, dstaddr, or service even though they are required fields.
619377 FortiManager cannot retrieve FortiGate-800D containing more than 2048 Firewall custom services.
620029 Deleting a VDOM may prompt Internal Error.
622353 Cloning VPN Phase1-Interface does not clone Phase1 proposals.
625691 FortiManager does not allow DHCP lease time to be disabled.
626152 Adding FortiGate-100E may fail at user group.guest.

FortiSwitch Manager

Bug ID

Description

503722 FortiSwitch Manager and AP Manager reports switches and APs connected to FortiGates as online when the devices are no longer powered on.
597715 Under FortiSwitch Manager Per device mode, FortiManager may prompt error [object Object] when trying to create a VLAN with VLAN ID.
601242 Installation may fail due to qtn.fortilink configuration cannot be deleted.
601712 In Workflow mode, FortiManager may lose FortiSwitch templates and VLAN configuration.

615472

DHCP exclude range is not stored in FortiSwitch Manager central mode.

624143

FortiSwitch Manager may not install VLAN to FortiGate.

Others

Bug ID

Description

364541 The command, diagnose dvm support list, should include all supported platforms.
574731 Builds 0349 and 1121: Some hardware specific SNMP traps are missing from the device SNMP settings and the system provisioning templates.
581140 The SNMP, FmDeviceEntPolicyPackageState, always returns (-1), which indicates never installed, regardless of the actual policy package status.
584053 FortiManager may show fmgd crashes after switched among pages.
590037 FortiManager CPU usage may spike when going to interface and VPN Phase1 or Phase2 page.
591206 The SNMP trap, fmDeviceTable, should show VDOM information as well.
593421 Running ADOM integrity check may cause cdb reader to crash.
601978 Diagnostic command may fail to repair database when device is in standalone mode but there are entries in HA member table.
602216 FortiManager is unable to add SNMP hosts when set alias is configured on a port.
609040 Device manager may be empty after upgrade.
611548 dbcache.db file size may keep increasing.
622411 Valid zone and interface mappings are deleted after running the diag cdb check policy-packages command.

Policy and Objects

Bug ID

Description

629412

ADOM v6.0 ssl-ssh-profile with deep inspection disabled is changed with deep inspection when installing to a FortiGate v6.2 device.

505887 Internet Service should separate into source and destination
545605 Searching on Created Time or Last Modified does not work on policy table.
574560 Installation from FortiManager may fail with the error, "No response from remote" FortiGate.
577201 Next button should be inactive until zone validation is fixed in the case of 'Re-Install Policy'.
577816 Policy-based rule shows NAT status as disabled or empty.
577818 When a policy package in an ADOM v6.0 is enabled with policy-based mode, the rules do not show the application column.
578004 The policy interface colors are different between Device Manager and Policy & Objects.
580166 Bulk installation may become stuck with fake policy package.
581825 In workflow mode, changes to the SSL VPN portals do not trigger "Modified" status on the policy package.
582255 FortiManager is unable to lock an ADOM if another admin is installing a policy to the same FortiGate in a different ADOM.
594957 SSL/SSH Inspection profile should not allow "Untrusted SSL Certificates" to be set to Block.
597879 Policy package installation fails with commit check error on system interface dhcp-relay-type.
598656 When long-vdom-name is enabled on FortiGate, installing from FortiManager may show nothing to install.
599780 If one or more devices has a policy validation error, FortiManager does not show devices that are "ready to install".
601073 When renaming an address object, the error "invalid value" is prompted when it should be "object already exists".
601081 FortiManager is missing the feature to change IPS Signatures status.
601320 FortiManager should be able to display IPv4 policies in Interface Pair View mode.
602600 FortiManager may show any duplicate sections in the policy page.
602871 FortiManager may show zero on First use, Last used, and Byte count on policy.
604159 Cloning an existing policy package adds the "clone_of_" to the name even when the feature is disabled.
604577 When logged in as a Restricted Admin or regular User, it is not possible to reference "Web content filter" in a web profile.
605947 FortiManager is unable to configure holddown-interval for Virtual Server.
606721 FortiManager should not allow users to create firewall address with a name which is conflicted with the name of existing wildcard-fqdn addresses.
607281 pxgrid connector on FortiManager may not work with Cisco ISE version 2.7.
607370 When workspace is enabled, auto-install fails with error "no write permission".
607958 FortiManager should be able to modify Per-device mapping for global VIP in local ADOM.
608105 When making changes to Virtual server or Health check for load balance, it should be detected and installed to FortiGate properly.
608236 FortiManager is unable to install ssl-ssh-profile policy updates when disabling protocols on a policy.
612672 The policy block hit count stays at zero even if the counter increments properly on the FortiGate side.
615823 VPN tunnel is not unset when changing the action of firewall policy from IPSEC to Accept.
618711 Installation to FortiGate may fail for dhcp-relay-agent-option.
623104 FortiManager may not be able to promote the Web Filter object from any ADOM to Global ADOM.
624561 Changing an Accept policy with proxy-based inspection mode to Deny may lead to installation failure.
624586 FortiManager may try to unset server-identity-check while pushing a new LDAP server.
628830 FortiManager should be able to select a device to install after adding a group object member to a nested group.

Revision History

Bug ID

Description

492088 FortiManager attempts to change Chassis ID on FortiGate 7000 series when installing configuration.
543507 Install fails for newly defined transparent VDOM's management IP.
555796 Installing policy on 6K series FortiGate may remove the interface setting "set forward-error-correction rs-fec".
560888 FortiManager may unexpectedly reset some parameters for IPS sensor entry.
584118 Router access-list rule's default value is mismatched causing installation failure.
590325 Installing EMAC-VLAN may fail on verifying device-identification setting.
592062 Custom Internet Service created on FortiManager systematically fails to be installed on target FortiGate
594147 FortiManager does not perform interface binding contradiction check when the firewall policy is using an address group and the user changes an address group member.
597353 Policy install may remove auth-redirect-addr when disclaimer is set.
598173 When changing the "User Group Source" from Local to Collector Agent, FortiManager should automatically unset the undesired commands.
599413 Policy Package Diff is showing differences for passwords when there is no actual difference.
600085 Some special characters may prevent revision history from being saved with a full tmp folder.
600833 When trying to create a local certificate, and assign and install it for remote administration, the install operation fails due to incorrect order of configurations.
601668 FortiManager may install overlapping VIP objects to FortiGate.
602272 Installing UUIDs from local-in policies for FortiGate-60F may cause installation failure.
604738 Verification fails for replacemsg auth-authorization-fail after upgrading FortiManager and installing to FortiGate with system template assigned.
605187 FortiManager may fail to add members into a zone.
605899 FortiManager should not mandate the use of the access key, secret key, and region fields for SDN Connector.
607216 When a primary-device is set on a custom device, the type should not be available on FortiManager.
608051 Policy package install time increases when using policy package diff option.
609110 Config revision created by Script_manager causes an error when restored onto the FortiGate directly.
610687 FortiManager should not unset forward-error-correct during install.
612781 FortiManager should try to remove any referenced policies prior to creating a zone interface.
613057 During install verification, FortiManager changes the IP of unicast heartbeat interfaces after FortiGate cluster failover.
624583 When pushing a new configuration, FortiManager may try to change the Kerberos keytab on the FortiGate causing install failure.

Script

Bug ID

Description

593217 FortiManager is unable to delete Virtual-Switch members via script if the number of remaining member interfaces is less than two.
608828 Script's timestamp under Template and Template group does not follow the correct data format YYYY-MM-DD.

Services

Bug ID

Description

591519 FortiManager adds upgrade support for FortiAP-231E.

563624 FortiManager dbcontract updated with the entitlement file shows different contracts compared to FortiManager dbcontract updated from FDS.
577875 FortiManager may not correctly group firmware images.
597656 FortiManager may not be able to upgrade firmware on some FortiGate platforms, such as FGT-50E or FGT-30E.
598940 Pop-up window on license status may not close and may stay on the screen.
601222 HTTP 1.1 host header may be missing in FortiGuard web proxy requests.
604677 When attempting to delete a selected firmware image, FortiManager randomly deletes a non-selected image instead.
604744 Upgrading FortiGate firmware may fail when choosing an image downloaded from FortiGuard.

634732 When upgrading FortiGate firmware from v5.4 to v5.6 or v5.6 to v6.0, it may fail with incorrect firmware version and it may cause retrieve to fail.

System Settings

Bug ID

Description

202924 FortiManager should be able to restore large backup files via web interface.
571181 An admin user with read-write system permissions and restricted to one ADOM can change their permission to All ADOMs.
588852 Idle time is constantly reset for inactive users.
592156 Upgrade task for managed devices in Task Monitor always shows Pending status with 0.
599812 Stager or pusher admin has no permission to view VDOM interface mapping.
599847 FortiManager may not be able to move VDOMs with long names among different ADOMs.
604069 IPv6 communication fails after setting interface status between down and up.
606545 There may be an HA synchronization issue when policy hit count is disabled.
608378 FortiManager is unable to upgrade ADOM due to name conflicts in wildcard FQDN address.
611637 Policies are not visible when workflow session is created in an ADOM that is upgraded.
611825 FortiManager fails to edit device interface when FortiSwitch is set to RO within admin profile.

623149 The list to select device is not consistent with All except ADOMs list restriction.

VPN Manager

Bug ID

Description

621187 When a route is added in the Portal of SSL VPN, policy package is shown as "Modified" but install preview shows "No command to install".

554080 VPN monitor may not list all mesh tunnels if the remote VPN peer has a dynamically assigned IP address and subscribes to a dynamic DNS service.
587760 Address group dynamic mapping is ignored when it is used as a protected subnet with VPN Manager.
599242 For Dialup tunnels, auto-negotiate should only be applied to spokes.
616352 FortiManager may show empty value for phase1 and phase2 proposals.

Common Vulnerabilities and Exposures

Visit https://fortiguard.com/psirt for more information.

Bug ID Description

511903

FortiManager 6.2.5 is no longer vulnerable to the following CVE-reference:

  • CVE-2004-0230

476783

FortiManager 6.2.5 is no longer vulnerable to the following CVE-reference:

  • CVE-2020-9289

597311

FortiManager 6.2.5 is no longer vulnerable to the following CVE-reference:

  • CVE-2004-1653

606144

FortiManager 6.2.5 is no longer vulnerable to the following CVE-reference:

  • CVE-2019-9193