Resolved Issues
The following issues have been fixed in 6.4.0. For inquiries about a particular bug, please contact Customer Service & Support.
AP Manager
Bug ID | Description |
---|---|
588096 | FortiManager removes the Multiple Pre-shared Key entry after it is edited. |
604642 | Changing SSID Groups makes changes on all member SSIDs. |
521404 | Refresh or close button does not work in the AP Health Monitor widget. |
553985 | FortiManager incorrectly sets "security-external-web" when external authentication is selected. |
561911 | FortiManager may take over two minutes to display map in AP Manager. |
568631 | Per-Device Mapping for FortiAP SSID in Bridge mode should not have IP and it is missing VLAN field. |
570937 | AP Manager should allow LAN ports to be configured individually. |
578123 | Multiple dhcp-relay-ip cannot be defined. |
585157 | FortiManager is missing 802.11ax/ac related settings on FAPU431F and FAPU433F. |
593366 | AP Manager may not be able to search for a SSID. |
595674 | When attempting to place an AP on a map, there is a considerable border around map image where it is not possible to place an AP to the far right or complete bottom of the floor. |
597818 | ADOM upgrade may delete Floor Map in AP Manager. |
600899 | FortiManager is unable to delete WiFi profile with forward slash in the name. |
603511 | AP Manager may try to unset authentication for SSID when device is configured under per-device mapping. |
Device Manager
Bug ID | Description |
---|---|
619377 | FortiManager cannot retrieve FortiGate-800D containing more than 2048 Firewall custom services. |
576850 | There may be possible VDOM Name inconsistencies between FortiManager and FortiGate. |
594905 | FortiManager may take longer to load a system interface. |
610015 | Scroll bar in the install preview pop-up is not working properly. |
544222 | In device configuration's log setting, both local traffic log and event logging have Enable All buttons that may not work. |
544337 | FortiManager is missing Firmware information when creating or editing a device group. |
555635 | Certificate is not visible on GUI after restoring the configuration, which was exported from FortiManager. |
563373 | FortiManager should support FortiGate-VM FNDN. |
593505 | Provisioning Template sets incorrect syslog severity level under log settings. |
601223 | Device database configuration may mismatch with FortiGate even if auto-update happens. |
602706 | SD-WAN Template may keep loading. |
616619 | Using script or CLI only page, user can create interface-policy without setting srcaddr, dstaddr, or service even though they are required fields. |
411914 | System Template's "Enable FortiGuard Security Updates" option should check if "antispam-force-off" and "webfilter-force-off" are disabled. |
459895 | FortiManager may not configure an IPS profile on a One-Arm sniffer interface. |
523463 | Firmware version not displayed in backup ADOM. |
540502 | Installation may fail due to interface's address mode changes to PPPoE. |
541911 | When workspace is enabled, FortiManager cannot run CLI template after it is assigned to a device. |
544562 | The "Force this Admin to Change Password Next Time He/She Logs on" option on administrator is not installed to FortiGate. |
568626 | FortiManager can modify the order of DNS forwarder only if the IP addresses are in quotes ("") and are not separated by a comma. |
572337 | Config Status may display Modified instead of Conflict status following a failed policy package install. |
573293 | After upgrade, FortiManager may not be able to import policy package in Workflow mode. |
580485 | After defining per-device mapping to a model device, the status of all policy packages is changed to Modified. |
580533 | Build 0349: Saving configuration with incorrect IP/mask format does not display an error for inner configurations. |
581812 | Sorting Extenders by Device Name does not work. |
584463 | CLI Template's comment field cannot be saved. |
586550 | Device Manager does not detect newly joined Telemetry group on FortiGate. |
587513 | FortiManager should not unset the IPv6 configuration on FortiGate when registering with the "Add Model Device" method. |
587610 | FortiManager is unable to show policy package diff of Security Policy. |
587693 | Users should be able to delete interfaces from aggregate interface. |
589814 | User should be able to make interface changes using CLI Configuration. |
589826 | Device Manager cannot create EMAC VLAN interfaces over VLAN interface created in root VDOM. |
590064 | Device view > VDOM GUI should show which VDOM is the management VDOM. |
590321 | Sorting filtered static routes list does not work. |
590385 | FortiManager should not have limit of 1024 for VPN local certificate. |
590602 | Zero in seconds is lost in Web Filter Override expire time. |
591517 | FortiManager should not change VDOM configuration scope with CLI Template. |
591894 | User should be able to specify PAC or HTTPS port on GUI after upgrade. |
591981 | After modifying the "set max-revs" value, the change is not immediately reflected on GUI. |
592279 | AP Manager does not accept certain wtp-profile settings when switching country. |
592646 | When creating an SD-WAN and disabling its status, neither monitor map view nor table view can be displayed. |
593244 | User may not be able to change the option, "Send logs to FortiAnalyzer/Manager" under Provisioning Template. |
593480 | When there is no interface assigned to SD-WAN, neither map view nor table view can be shown. |
594211 | FortiManager should be able to create new VLAN interface on fabric interface and install to FortiGate. |
594348 | FortiManager should show buttons to create, edit, and delete TACACS+ on the CLI Configuration page. |
594709 | Device Manager may not be able to generate Policy Package Diff result. |
594853 | FortiManager may create duplicate VDOMs when retrieving configuration for multiple devices. |
595683 | When using workflow mode, changing anything on a policy ID does not modify status of Policy Package. |
595803 | When configuring PPPoE from CLI Configuration, installation fails with unexpected deletion of system-interface. |
595941 | Importing policy package may unexpectedly convert regular address objects to dynamic address objects. |
597284 | When creating a new switch through a script, all configuration is visible in Device Manager but no port configuration is installed. |
598230 | Removing Per-device mapping causes all referenced Policy Packages status to become modified. |
598650 | SD-WAN monitor table view may not show data for FortiGate 5.6 device. |
598912 | Device Manager may not be able to display newly created VDOMs. |
599141 | After upgrade, Policy Route menu no longer displays Source Addresses or Destination Addresses. |
599768 | FortiManager may not be able to display the second shelf manager. |
599769 | FortiManager may not be able to "Enable Security Fabric" on some FortiGate platforms. |
602275 | FortiManager may not be able to remove VDOM or device when FortiAnalyzer feature is enabled. |
603215 | Fabric is not enabled in allow access after enabling FortiLink on an interface. |
603405 | FortiManager cannot set radio-2 band to "802.11ax" under CLI Configuration. |
603522 | Fabric should be shown as an option for administrative access. |
603542 | Password field should not be deleted when making changes to PPPoE interface. |
603606 | FortiManager should accept volume ratio value of 0 within SD-WAN configuration. |
603820 | FortiManager fails to import policy when reputation-minimum and reputation-direction are set. |
604269 | FortiManager should permit Virtual Wire Pair to use Aggregate interface. |
604808 | Verification may fail on system interface tc-mode or phy-mode when installing to FortiGate-60E-DSLJ. |
605178 | FortiManager should be able to set "None" interface under Policy Route. |
605946 | Import may fail where there are objects with truncated names. |
606628 | FortiManager may fail to retrieve configuration with SAML SP IDP certificate. |
607672 | Import may fail with error "user group match is not a member". |
608642 | Importing policy should not make dynamic mapping for policy object when there is only change on hidden attributes. |
609757 | Adding a new device on SD-WAN Template may cause Config status to change to Modified on all devices. |
FortiClient Manager
Bug ID | Description |
---|---|
548572 | FortiManager shows unclear message in FortiClient Profile with "Response with errors" instead of "Device groups cannot be empty". |
FortiSwitch Manager
Bug ID | Description |
---|---|
503722 | FortiSwitch Manager and AP Manager reports switches and APs connected to FortiGates as online when the devices are no longer powered on. |
573043 | Saving FSW VLANs configuration may trigger error and lead to data loss in Per Device Mapping. |
587526 | VLANs in FortiSwitch templates must support per-device secondary IP. |
597715 | Under FortiSwitch Manager Per device mode, FortiManager may prompt error [object Object] when trying to create a VLAN with in use VLAN ID. |
601242 | Installation may fail due to qtn.fortilink configuration cannot be deleted. |
601712 | Under Workflow mode, FortiManager may lose FortiSwitch templates and VLAN configuration. |
Global ADOM
Bug ID | Description |
---|---|
578089 | Address objects cannot be deleted from the FortiManager's Global ADOM if they are not being used anywhere. |
582171 | FortiManager may not be able to assign all objects from 5.6 global ADOM to a 6.0 ADOM. |
587511 | gSSO_Guest_User should work the same as predefined SSO_Guest_User. |
Others
Bug ID | Description |
---|---|
609040 | Device manager may be empty after upgrade. |
364541 | The command, diagnose dvm support list, should include all supported platforms. |
581140 | The SNMP, FmDeviceEntPolicyPackageState, always returns (-1), which indicates never installed, regardless of the actual policy package status. |
591206 | The SNMP trap, fmDeviceTable, should show VDOM information as well. |
611548 | The dbcache.db file size may keep increasing. |
550140 | The system-support-fgt configuration is lost if there is a version lower than 5.4 selected prior to upgrade. |
551937 | FortiManager should allow the browser to save and paste credentials at the logon prompt only. |
552085 | FortiManager live migration fails with Microsoft Hyper-V and it is not accessible via GUI and SSH. |
565515 | User may not be able to create a new SNMP host under System Templates. Workaround: Please add a new SNMP host for System Templates under CLI Configurations within Device Manager. |
571235 | Enabling policy hit count may lock ADOM and provoke GUI slowness. |
574731 | Builds 0349 and 1121: Some hardware specific SNMP traps are missing from the device SNMP settings and the system provisioning templates. |
579648 | FortiManager may generate "fgfmsd" crashes when FortiGate sends registration request to FortiManager. |
584053 | FortiManager may show fmgd crashes after switching among pages. |
586991 | "Logver" field is missing when FortiAnalyzer is enabled affecting report related features. |
589805 | Installing policy package via JSON API with missing interface in zone definition deletes zone and corresponding firewall policies on FortiGate. |
590037 | FortiManager CPU usage may spike when going to interface and VPN Phase1 or Phase2 page. |
590649 | On FortiClient or FortiDDoS ADOM, the SOC page may refresh constantly. |
593245 | FortiManager may show incorrect warning when changing admin profile via CLI. |
593421 | Running ADOM integrity check may cause cdb reader to crash. |
593819 | FortiManager may generate several fmgd crash logs. |
595589 | When running a script on a device with large configuration, dmworker may crash with high CPU spike. |
595741 | After ADOM upgrade, FortiManager may report an error on reaching the max limit of firewall-service-custom. |
601978 | Diagnostic command may fail to repair database when device is in standalone mode but there are entries in HA member table. |
602216 | FortiManager is unable to add SNMP hosts when set alias is configured on a port. |
Policy and Objects
Bug ID | Description |
---|---|
622040 | Security Policy is missing Implicit Deny policy. |
615823 | VPN tunnel is not unset when changing the action of the firewall policy from IPSEC to Accept. |
598938 | FortiManager should allow setting wildcard-fqdn type firewall address as destination on proxy policy. |
602176 | Creating a proxy policy with a profile group adds additional security profile. |
604577 | When logged in as a Restricted Admin or regular User, it is not possible to reference "Web content filter" in a web profile. |
612672 | The policy block hit count stays at zero even if the counter increments properly on the FortiGate side. |
488897 | SSL VPN policy can be created with a FSSO user group assigned to the policy. |
491813 | FortiManager should group IPS Sensor entries with same filters as one rule. |
505887 | Internet Service should be separated into source and destination. |
528881 | Users are not able to remove all FSSO objects from selected list that has a large number of entries. |
544404 | When a remote user approves a session, session list shows zero sessions. |
545605 | Searching on Created Time or Last Modified does not work on policy table. |
548573 | FortiManager changes UUIDs of existing objects after policy install. |
563629 | Clicking on "+" function should allow users to add Wildcard FQDN objects. |
566446 | With a 5.6 ADOM and install to 6.0 FortiGate needs to keep the configured multicast policies and zone on FortiGate. |
569576 | Build 1121: Web rating override category change is not reflected in GUI. |
571473 | FortiManager should have "Configure Default Value" option for IP Pool. |
573250 | Find Duplicate Objects may show inaccurate results due to obj-id. |
574560 | Installation from FortiManager may fail with the error, "No response from remote" FortiGate. |
578004 | The policy interface colors are different between Device Manager and Policy & Objects. |
580484 | Signature, "Apache.Optionsbleed.Scanner", cannot be selected as IPS Signature but only as "Rate based Signature". |
581495 | Interface Validation should prompt only once per unmapped interface. |
581607 | FortiManager 6.2.2 may not be able to install class-id to a FortiOS 6.2.1 device. |
581825 | In workflow mode, changes to the SSL VPN portals do not trigger "Modified" status on the policy package. |
585021 | Adding or modifying rate based signature on IPS profile resets all rate based signature to default settings. |
587624 | Application Control profile page is blank for User with read-write permissions on Policy & Objects. |
588548 | Under workspace, addresses may be removed from a firewall policy when merging duplicated addresses. |
588684 | Central SNAT option is missing under Policy Package menu when mode is NGFW policy-based. |
589645 | GUI disables FSSO status after one of the FSSO user groups with a policy is removed. |
589771 | Policy Package installation fails when a Firewall Policy contains a VIP Group mapped to a zone interface. |
589775 | Entry without content should not be created when creating an Application Control Profile. |
589795 | User should be allowed to create a new tag in firewall policy or select an existing tag. |
589808 | After editing a policy in a policy package, the screen view should remain on the edited policy. |
590322 | When an Internet Service Database object is used in the destination field on proxy rule, the field is displayed as an empty field. |
590896 | FortiManager has no source interface column in the general view of Proxy Policy. |
593853 | Certificate generation fails if the CA certificate does not match ADOM name. |
594549 | Editing Per-Device mapping for zone containing slash in the name generates "Method failure" error message. |
594811 | Using copy and paste on multiple proxy policies may insert rules in reverse order. |
594866 | Internet Services may not match between FortiManager and FortiGate. |
594957 | SSL/SSH Inspection profile should not allow "Untrusted SSL Certificates" to be set to Block. |
595646 | After selecting a proxy policy and using the "Insert Above/Below" button, the new policy should be created with the same proxy type of the selected policy. |
597668 | FortiManager should be able to install the scheduled policy package even though it is scheduled by wildcard user. |
597879 | Policy package installation fails with commit check error on system interface dhcp-relay-type. |
598493 | FortiManager should get all datacenter information from exsi vm info. |
598656 | When long-vdom-name is enabled on FortiGate, installing from FortiManager may show nothing to install. |
601073 | When renaming address object, the error "invalid value" is prompted when it should be "object already exists". |
601081 | FortiManager is missing the feature to change IPS Signatures status. |
602600 | FortiManager may show duplicate sections in the policy page. |
602871 | FortiManager may show zero on First use, Last used, and Byte count on policy. |
604159 | Cloning an existing policy package adds the "clone_of_" to the name even when the feature is disabled. |
605947 | FortiManager is unable to configure hold down-interval for Virtual Server. |
606721 | FortiManager should not allow users to create firewall address with a name which is in conflict with the name of existing wildcard-fqdn addresses. |
607370 | When workspace is enabled, auto-install fails with error "no write permission". |
607958 | FortiManager should be able to modify Per-device mapping for global VIP in local ADOM. |
608105 | Changes to Virtual server or Health check for load balance should be detected and installed to FortiGate properly. |
608236 | FortiManager is unable to install ssl-ssh-profile policy updates when disabling protocols on a policy. |
Revision History
Bug ID | Description |
---|---|
612781 | FortiManager should try to remove any referenced policies prior to creating a zone interface. |
492088 | FortiManager attempts to change Chassis ID on FortiGate 7000 series when installing configuration. |
543507 | Install fails for newly defined transparent VDOM's management IP. |
555796 | Installing policy on 6K series FortiGate may remove the interface setting "set forward-error-correction rs-fec". |
560888 | FortiManager may unexpectedly reset some parameters for IPS sensor entry. |
605899 | FortiManager should not mandate the use of the access key, secret key, and region fields for SDN Connector. |
609110 | Config revision created by Script_manager causes error when restored onto the FortiGate directly. |
610687 | FortiManager should not unset forward-error-correct during install. |
613057 | During install verification, FortiManager is changing the IP of uni-cast heartbeat interfaces after FortiGate cluster failover. |
513317 | FortiManager may fail to install a policy after FortiGate failover on Azure. |
539829 | FortiManager should be able to delete FortiGate default admin user from FortiManager. |
539994 | Installing to FortiGate fails when wildcard-fqdn address is used in SSL profile. |
560638 | When checking the Revision Diff between two revisions for multiple times, the result may not be consistent. |
560689 | Auto-Update revision is missing "set stp-bpdu-guard enabled". |
578231 | FortiManager tries to push "casi-profile" on a Deny Policy. |
582882 | Switch interface should not have duplicate members during device install. |
583833 | Auto Link Install skips installation for VLAN interface. |
584118 | Router access-list rule's default value is mismatched causing installation failure. |
586979 | FortiManager may complain about duplicate tags and fail to install policy package. |
586992 | FortiManager does not install broadcast-forward enabled on "Virtual Switch" to managed FortiGate. |
587005 | FortiManager should support the radius-server-vdom setting and be able to install it. |
589858 | The BGP "scan-time" value of 0 can be set on FortiGate, but FortiManager resets it to default by "unset scan-time" on the next policy push. |
590325 | Installing EMAC-VLAN may fail on verifying device-identification setting. |
592062 | Custom Internet Service created on FortiManager systematically fails to be installed on the target FortiGate. |
592315 | Installation of Policy Package against a device group may generate copy fail error for one FortiGate device. |
594147 | FortiManager does not perform interface binding contradiction check when a firewall policy is using an address group and the user changes an address group member. |
597353 | Policy install may remove auth-redirect-addr when disclaimer is set. |
598173 | When changing the "User Group Source" from Local to Collector Agent, FortiManager should automatically unset the undesired commands. |
599413 | Policy Package Diff is showing differences for passwords when there is no actual difference. |
600085 | Some special characters may cause revision history not saved with a full tmp folder. |
600833 | When trying to create a local certificate, and assign and install it for remote administration, the install operation fails due to incorrect order of configurations. |
601668 | FortiManager may install overlapping VIP objects to FortiGate. |
602272 | Installing UUIDs from local-in policies for FortiGate-60F may cause installation failure. |
605187 | FortiManager may fail to add members into a zone. |
607216 | When master-device is set on custom device, type should not be available on FortiManager. |
Script
Bug ID | Description |
---|---|
593217 | FortiManager is unable to delete Virtual-Switch members via script if the remaining members of interfaces is less than two. |
535066 | Task Monitor for script task shows browser 500 error if the return button is selected. |
587015 | When user tries to set signature with non escaped quotes from script, the signature becomes separate strings, and the installed string may not be what is expected. |
590889 | Using the search bar to assign devices under provisioning templates clears the previous selected device list. |
594238 | FortiManager should be able to create overlapping secondary IPs via a script if interfaces are assigned to different VDOMs. |
Services
Bug ID | Description |
---|---|
563624 | FortiManager dbcontract updated with the entitlement file shows different contracts compared to FortiManager dbcontract updated from FDS. |
535066 | Task Monitor for script task shows browser 500 error if the return button is selected. |
587015 | When user tries to set signature with non escaped quotes from script, the signature becomes separate strings, and the installed string may not be what is expected. |
590889 | Using the search bar to assign devices under provisioning templates clears the previous selected device list. |
594238 | FortiManager should be able to create overlapping secondary IPs via a script if interfaces are assigned to different VDOMs. |
System Settings
Bug ID | Description |
---|---|
611825 | FortiManager fails to edit the device interface when FortiSwitch is set to RO within admin profile. |
592156 | Upgrade task for managed devices in Task Monitor always shows Pending status with 0. |
599812 | Stager or pusher admin has no permission to view VDOM interface mapping. |
202924 | FortiManager should be able to restore a large backup file via web interface. |
535607 | Upgrading ADOM may take a long time due to hit count statistics. |
570266 | When saving the values of the administrative access, the values do not save when unchecking HTTPS first before any other value. |
571181 | An admin user with read-write system permissions and restricted to one ADOM can change their permission to All ADOMs. |
576098 | Event log may not show the correct username when changing a non policy related object. |
581450 | ADOM upgrade may hang when DNS or URL filter name is null. |
584392 | Admin user with read-only profile should not be allowed to "Revoke Release" in DHCP query and "Bring Tunnel Down/Up" in Query IPsec. |
584749 | System Settings may not show the ADOM-VDOM association. |
587242 | Build 349: HA Cluster fails after upgrading to 6.0.6 with peer IP using IPv6. |
587295 | Admin users with prof_admin_regional profile should be allowed to see all application signatures. |
588852 | Idle time is constantly reset for inactive users. |
588884 | Event log for merging duplicated objects is missing object name. |
594556 | Admin user may not be able to authorize FortiGate. |
595660 | FortiManager should generate event logs for imported images. |
596562 | Administrators allowed access to only specific ADOMs cannot see "Managed Devices" in those ADOMs. |
596580 | Upgrade ADOM may fail on FSSO/SSO. |
597765 | ADOM upgrade may get stuck with "svc cdb reader" crashes. |
599847 | FortiManager may not be able to move VDOMs with long names among different ADOMs. |
604069 | IPv6 communication fails after setting interface status between down and up. |
606545 | There may be HA synchronization issues when policy hit count is disabled. |
608378 | FortiManager is unable to upgrade ADOM due to name conflicts in wildcard FQDN address. |
611637 | Policies are not visible when workflow session is created in an ADOM that is upgraded. |
VPN Manager
Bug ID | Description |
---|---|
616352 | FortiManager may show empty value for phase1 and phase2 proposals. |
554080 | VPN monitor may not list all mesh tunnels if the remote VPN peer has a dynamically assigned IP address and subscribes to a dynamic DNS service. |
562729 | VPN Manager SSL VPN monitor's Active Connections column may be blank. |
574727 | VPN Manager may not display SSL-VPN settings for some devices. |
586613 | FortiManager may randomly install incorrect Phase1 proposal settings. |
587760 | Address group dynamic mapping is ignored when it is used as a protected subnet with VPN Manager. |
589101 | VPN Manager prompts the copy error "no hub configured for vpn" if the hub is external gateway with no device assigned. |
589669 | FortiManager shows installation error when there are two Hubs in VPN community where Hub-to-Hub Interface is set to 'None'. |
590765 | The tunnel-search and net-device attributes are not being installed if device role is set as spoke. |
599242 | For Dialup tunnels, auto-negotiate should only be applied to spokes. |
Common Vulnerabilities and Exposures
Visit https://fortiguard.com/psirt for more information.
Bug ID | CVE references |
---|---|
476783 | FortiManager 6.4.0 is no longer vulnerable to the following CVE-Reference: |
511903 | FortiManager 6.4.0 is no longer vulnerable to the following CVE-Reference: |
597311 | FortiManager 6.4.0 is no longer vulnerable to the following CVE-Reference: |
606144 | FortiManager 6.4.0 is no longer vulnerable to the following CVE-Reference: |
603256 | FortiManager 6.4.0 is no longer vulnerable to the following CVE-Reference: |