Fortinet Document Library


Resolved Issues

The following issues have been fixed in 6.4.0. For inquiries about a particular bug, please contact Customer Service & Support.

AP Manager

Bug ID Description

588096 FortiManager removes the Multiple Pre-shared Key entry after it is edited.
604642 Changing SSID Groups makes changes on all member SSIDs.
521404 Refresh or close button does not work in the AP Health Monitor widget.
553985 FortiManager incorrectly sets "security-external-web" when external authentication is selected.
561911 FortiManager may take over two minutes to display map in AP Manager.
568631 Per-Device Mapping for FortiAP SSID in Bridge mode should not have IP and it is missing VLAN field.
570937 AP Manager should allow LAN ports to be configured individually.
578123 Multiple dhcp-relay-ip cannot be defined.
585157 FortiManager is missing 802.11ax/ac related settings on FAPU431F and FAPU433F.
593366 AP Manager may not be able to search for a SSID.
595674 When attempting to place an AP on a map, there is a considerable border around map image where it is not possible to place an AP to the far right or complete bottom of the floor.
597818 ADOM upgrade may delete Floor Map in AP Manager.
600899 FortiManager is unable to delete WiFi profile with forward slash in the name.
603511 AP Manager may try to unset authentication for SSID when device is configured under per-device mapping.

Device Manager

Bug ID Description

619377 FortiManager cannot retrieve FortiGate-800D containing more than 2048 Firewall custom services.
576850 There may be possible VDOM Name inconsistencies between FortiManager and FortiGate.
594905 FortiManager may take longer to load a system interface.
610015 Scroll bar in the install preview pop-up is not working properly.
544222 In device configuration's log setting, both local traffic log and event logging have Enable All buttons that may not work.
544337 FortiManager is missing Firmware information when creating or editing a device group.
555635 Certificate is not visible on GUI after restoring the configuration, which was exported from FortiManager.
563373 FortiManager should support FortiGate-VM FNDN.
593505 Provisioning Template sets incorrect syslog severity level under log settings.
601223 Device database configuration may mismatch with FortiGate even if auto-update happens.
602706 SD-WAN Template may keep loading.
616619 Using script or CLI only page, user can create interface-policy without setting srcaddr, dstaddr, or service even though they are required fields.
411914 System Template's "Enable FortiGuard Security Updates" option should check if "antispam-force-off" and "webfilter-force-off" are disabled.
459895 FortiManager may not configure an IPS profile on a One-Arm sniffer interface.
523463 Firmware version not displayed in backup ADOM.
540502 Installation may fail due to interface's address mode changes to PPPoE.
541911 When workspace is enabled, FortiManager cannot run CLI template after it is assigned to a device.
544562 The "Force this Admin to Change Password Next Time He/She Logs on" option on administrator is not installed to FortiGate.
568626 FortiManager can modify the order of DNS forwarder only if the IP addresses are in quotes ("") and when the IP addresses are not separated by comma.
572337 Config Status may display Modified instead of Conflict status following a failed policy package install.
573293 After upgrade, FortiManager may not be able to import policy package in Workflow mode.
580485 After defining a per-device mapping to a model device, the status of all policy packages is changed to Modified.
580533 Build 0349: Saving configuration with incorrect IP/mask format does not display an error for inner configurations.
581812 Sorting Extenders by Device Name does not work.
584463 CLI Template's comment field cannot be saved.
586550 Device Manager does not detect newly joined Telemetry group on FortiGate.
587513 FortiManager should not unset the IPv6 configuration on FortiGate when registering with the "Add Model Device" method.
587610 FortiManager is unable to show policy package diff of Security Policy.
587693 Users should be able to delete interfaces from aggregate interface.
589814 User should be able to make interface changes using CLI Configuration.
589826 Device Manager cannot create EMAC VLAN interfaces over VLAN interface created in root VDOM.
590064 Device view > VDOM GUI should show which VDOM is the management VDOM.
590321 Sorting filtered static routes list does not work.
590385 FortiManager should not have limit of 1024 for VPN local certificate.
590602 Zero in seconds is lost in Web Filter Override expire time.
591517 FortiManager should not change VDOM configuration scope with CLI Template.
591894 User should be able to specify PAC or HTTPS port on GUI after upgrade.
591981 After modifying the "set max-revs" value, the change is not immediately reflected on GUI.
592279 AP Manager does not accept certain wtp-profile settings when switching country.
592646 When creating a SD-WAN and disabling its status, neither the monitor map view nor the table view can be displayed.
593244 User may not be able to change the option, "Send logs to FortiAnalyzer/Manager" under Provisioning Template.
593480 When there is no interface assigned to SD-WAN, neither map view nor table view can be shown.
594211 FortiManager should be able to create new VLAN interface on fabric interface and install to FortiGate.
594348 FortiManager should show buttons to create, edit, and delete TACACS+ on the CLI Configuration page.
594709 Device Manager may not be able to generate Policy Package Diff result.
594853 FortiManager may create duplicate VDOMs when retrieving configuration for multiple devices.
595683 When using workflow mode, changing anything on a policy ID does not modify status of Policy Package.
595803 When configuring PPPoE from CLI Configuration, installation fails with unexpected deletion of system-interface.
595941 Importing policy package may unexpectedly convert regular address objects to dynamic address objects.
597284 When creating a new switch through a script, all configuration is visible in Device Manager but no port configuration is installed.
598230 Removing Per-device mapping causes all referenced Policy Packages status to become modified.
598650 SD-WAN monitor table view may not show data for FortiGate 5.6 device.
598912 Device Manager may not be able to display newly created VDOMs.
599141 After upgrade, Policy Route menu no longer displays Source Addresses or Destination Addresses.
599768 FortiManager may not be able to display the second shelf manager.
599769 FortiManager may not be able to "Enable Security Fabric" on some FortiGate platforms.
602275 FortiManager may not be able to remove VDOM or device when FortiAnalyzer feature is enabled.
603215 Fabric is not enabled in allow access after enabling FortiLink on an interface.
603405 FortiManager cannot set radio-2 band to "802.11ax" under CLI Configuration.
603522 Fabric should be shown as an option for administrative access.
603542 Password field should not be deleted when making changes to PPPoE interface.
603606 FortiManager should accept volume ratio value of 0 within SD-WAN configuration.
603820 FortiManager fails to import policy when reputation-minimum and reputation-direction are set.
604269 FortiManager should permit Virtual Wire Pair to use Aggregate interface.
604808 Verification may fail on system interface tc-mode or phy-mode when installing to FortiGate-60E-DSLJ.
605178 FortiManager should be able to set "None" interface under Policy Route.
605946 Import may fail where there are objects with truncated names.
606628 FortiManager may fail to retrieve configuration with SAML SP IDP certificate.
607672 Import may fail with error "user group match is not a member".
608642 Importing policy should not make dynamic mapping for policy object when there is only change on hidden attributes.
609757 Adding a new device on SD-WAN Template may cause Config status to change to Modified on all devices.

FortiClient Manager

Bug ID Description
548572 FortiManager shows unclear message in FortiClient Profile with "Response with errors" instead of "Device groups cannot be empty".

FortiSwitch Manager

Bug ID Description

503722 FortiSwitch Manager and AP Manager reports switches and APs connected to FortiGates as online when the devices are no longer powered on.
573043 Saving FSW VLANs configuration may trigger error and lead to data loss in Per Device Mapping.
587526 VLANs in FortiSwitch templates must support per-device secondary IP.
597715 Under FortiSwitch Manager Per device mode, FortiManager may prompt error [object Object] when trying to create a VLAN with an in-use VLAN ID.
601242 Installation may fail due to qtn.fortilink configuration cannot be deleted.
601712 Under Workflow mode, FortiManager may lose FortiSwitch templates and VLAN configuration.

Global ADOM

Bug ID Description

578089 Address objects cannot be deleted from the FortiManager's Global ADOM if they are not being used anywhere.
582171 FortiManager may not be able to assign all objects from 5.6 global ADOM to a 6.0 ADOM.
587511 gSSO_Guest_User should work the same as predefined SSO_Guest_User.

Others

Bug ID Description

609040 Device manager may be empty after upgrade.
364541 The command, diagnose dvm support list, should include all supported platforms.
581140 The SNMP, FmDeviceEntPolicyPackageState, always returns (-1), which indicates never installed, regardless of the actual policy package status.
591206 The SNMP trap, fmDeviceTable, should show VDOM information as well.
611548 The dbcache.db file size may keep increasing.
550140 The system-support-fgt configuration is lost if there is a version lower than 5.4 selected prior to upgrade.
551937 FortiManager should allow the browser to save and paste credentials at the logon prompt only.
552085 FortiManager live migration fails with Microsoft Hyper-V and it is not accessible via GUI and SSH.
565515 User may not be able to create a new SNMP host under System Templates. Workaround: Please add a new SNMP host for System Templates under CLI Configurations within Device Manager.
571235 Enabling policy hit count may lock ADOM and provoke GUI slowness.
574731 Builds 0349 and 1121: Some hardware specific SNMP traps are missing from the device SNMP settings and the system provisioning templates.
579648 FortiManager may generate "fgfmsd" crashes when FortiGate sends registration request to FortiManager.
584053 FortiManager may show fmgd crashes after switching among pages.
586991 "Logver" field is missing when FortiAnalyzer is enabled affecting report related features.
589805 Installing policy package via JSON API with missing interface in zone definition deletes zone and corresponding firewall policies on FortiGate.
590037 FortiManager CPU usage may spike when going to interface and VPN Phase1 or Phase2 page.
590649 On FortiClient or FortiDDoS ADOM, the SOC page may refresh constantly.
593245 FortiManager may show incorrect warning when changing admin profile via CLI.
593421 Running ADOM integrity check may cause cdb reader to crash.
593819 FortiManager may generate several fmgd crash logs.
595589 When running a script on a device with large configuration, dmworker may crash with high CPU spike.
595741 After ADOM upgrade, FortiManager may report an error on reaching the max limit of firewall-service-custom.
601978 Diagnostic command may fail to repair database when device is in standalone mode but there are entries in HA member table.
602216 FortiManager is unable to add SNMP hosts when set alias is configured on a port.

Policy and Objects

Bug ID Description

622040 Security Policy is missing Implicit Deny policy.
615823 VPN tunnel is not unset when changing the action of the firewall policy from IPSEC to Accept.
598938 FortiManager should allow setting wildcard-fqdn type firewall address as destination on proxy policy.
602176 Creating a proxy policy with a profile group adds additional security profile.
604577 When logged in as a Restricted Admin or regular User, it is not possible to reference "Web content filter" in a web profile.
612672 The policy block hit count stays at zero even if the counter increments properly on the FortiGate side.
488897 SSL VPN policy can be created with a FSSO user group assigned to the policy.
491813 FortiManager should group IPS Sensor entries with same filters as one rule.
505887 Internet Service should separate into source and destination.
528881 Users are not able to remove all FSSO objects from selected list that has a large number of entries.
544404 When a remote user approves a session, session list shows zero sessions.
545605 Searching on Created Time or Last Modified does not work on policy table.
548573 FortiManager changes UUIDs of existing objects after policy install.
563629 Clicking on "+" function should allow users to add Wildcard FQDN objects.
566446 Installing from a 5.6 ADOM to a 6.0 FortiGate needs to keep the configured multicast policies and zone on FortiGate.
569576 Build 1121: Web rating override category change is not reflected in GUI.
571473 FortiManager should have "Configure Default Value" option for IP Pool.
573250 Find Duplicate Objects may show inaccurate results due to obj-id.
574560 Installation from FortiManager may fail with the error, "No response from remote" FortiGate.
578004 The policy interface colors are different between Device Manager and Policy & Objects.
580484 Signature, "Apache.Optionsbleed.Scanner", cannot be selected as IPS Signature but only as "Rate based Signature".
581495 Interface Validation should prompt only once per unmapped interface.
581607 FortiManager 6.2.2 may not be able to install class-id to a FortiOS 6.2.1 device.
581825 In workflow mode, changes to the SSL VPN portals do not trigger "Modified" status on the policy package.
585021 Adding or modifying rate based signature on IPS profile resets all rate based signature to default settings.
587624 Application Control profile page is blank for User with read-write permissions on Policy & Objects.
588548 Under workspace, addresses may be removed from a firewall policy when merging duplicated addresses.
588684 Central SNAT option is missing under Policy Package menu when mode is NGFW policy-based.
589645 GUI disables FSSO status after one of the FSSO user groups with a policy is removed.
589771 Policy Package installation fails when a Firewall Policy contains a VIP Group mapped to a zone interface.
589775 Entry without content should not be created when creating an Application Control Profile.
589795 User should be allowed to create a new tag in firewall policy or select an existing tag.
589808 After editing a policy in a policy package, the screen view should remain on the edited policy.
590322 When an Internet Service Database object is used in the destination field on proxy rule, the field is displayed as an empty field.
590896 FortiManager has no source interface column in the general view of Proxy Policy.
593853 Certificate generation fails if the CA certificate does not match ADOM name.
594549 Editing Per-Device mapping for zone containing slash in the name generates "Method failure" error message.
594811 Using copy and paste on multiple proxy policies may insert rules in reverse order.
594866 Internet Services may not match between FortiManager and FortiGate.
594957 SSL/SSH Inspection profile should not allow "Untrusted SSL Certificates" to be set to Block.
595646 After selecting a proxy policy and using the "Insert Above/Below" button, the new policy should be created with the same proxy type of the selected policy.
597668 FortiManager should be able to install the scheduled policy package even though it is scheduled by wildcard user.
597879 Policy package installation fails with commit check error on system interface dhcp-relay-type.
598493 FortiManager should get all datacenter information from exsi vm info.
598656 When long-vdom-name is enabled on FortiGate, installing from FortiManager may show nothing to install.
601073 When renaming address object, the error "invalid value" is prompted when it should be "object already exists".
601081 FortiManager is missing the feature to change IPS Signatures status.
602600 FortiManager may show any duplicate sections in the policy page.
602871 FortiManager may show zero on First use, Last used, and Byte count on policy.
604159 Cloning an existing policy package adds the "clone_of_" to the name even when the feature is disabled.
605947 FortiManager is unable to configure hold down-interval for Virtual Server.
606721 FortiManager should not allow users to create firewall address with a name which is in conflict with the name of existing wildcard-fqdn addresses.
607370 When workspace is enabled, auto-install fails with error "no write permission".
607958 FortiManager should be able to modify Per-device mapping for global VIP in local ADOM.
608105 Changes to Virtual server or Health check for load balance should be detected and installed to FortiGate properly.
608236 FortiManager is unable to install ssl-ssh-profile policy updates when disabling protocols on a policy.

Revision History

Bug ID Description

612781 FortiManager should try to remove any referenced policies prior to creating a zone interface.
492088 FortiManager attempts to change Chassis ID on FortiGate 7000 series when installing configuration.
543507 Install fails for newly defined transparent VDOM's management IP.
555796 Installing policy on 6K series FortiGate may remove the interface setting "set forward-error-correction rs-fec".
560888 FortiManager may unexpectedly reset some parameters for IPS sensor entry.
605899 FortiManager should not mandate the use of the access key, secret key, and region fields for SDN Connector.
609110 Config revision created by Script_manager causes error when restored onto the FortiGate directly.
610687 FortiManager should not unset forward-error-correct during install.
613057 During install verification, FortiManager is changing the IP of uni-cast heartbeat interfaces after FortiGate cluster failover.
513317 FortiManager may fail to install a policy after FortiGate failover on Azure.
539829 FortiManager should be able to delete FortiGate default admin user from FortiManager.
539994 Installing to FortiGate fails when wildcard-fqdn address is used in SSL profile.
560638 When checking the Revision Diff between two revisions for multiple times, the result may not be consistent.
560689 Auto-Update revision is missing "set stp-bpdu-guard enabled".
578231 FortiManager tries to push "casi-profile" on a Deny Policy.
582882 Switch interface should not have duplicate members during device install.
583833 Auto Link Install skips installation for VLAN interface.
584118 Router access-list rule's default value is mismatched causing installation failure.
586979 FortiManager may complain about duplicate tags and fail to install policy package.
586992 FortiManager does not install broadcast-forward enabled on "Virtual Switch" to managed FortiGate.
587005 FortiManager should support the radius-server-vdom setting and be able to install it.
589858 The BGP "scan-time" value of 0 can be set on FortiGate, but FortiManager resets it to default by "unset scan-time" on the next policy push.
590325 Installing EMAC-VLAN may fail on verifying device-identification setting.
592062 Custom Internet Service created on FortiManager systematically fails to be installed on the target FortiGate.
592315 Installation of Policy Package against a device group may generate copy fail error for one FortiGate device.
594147 FortiManager does not perform interface binding contradiction check when a firewall policy is using an address group and the user changes an address group member.
597353 Policy install may remove auth-redirect-addr when disclaimer is set.
598173 When changing the "User Group Source" from Local to Collector Agent, FortiManager should automatically unset the undesired commands.
599413 Policy Package Diff is showing differences for passwords when there is no actual difference.
600085 Some special characters may cause revision history not saved with a full tmp folder.
600833 When trying to create a local certificate, and assign and install it for remote administration, the install operation fails due to incorrect order of configurations.
601668 FortiManager may install overlapping VIP objects to FortiGate.
602272 Installing UUIDs from local-in policies for FortiGate-60F may cause installation failure.
605187 FortiManager may fail to add members into a zone.
607216 When master-device is set on custom device, type should not be available on FortiManager.

Script

Bug ID Description

593217 FortiManager is unable to delete Virtual-Switch members via script if the remaining members of interfaces is less than two.
535066 Task Monitor for script task shows browser 500 error if the return button is selected.
587015 When user tries to set signature with non escaped quotes from script, the signature becomes separate strings, and the installed string may not be what is expected.
590889 Using the search bar to assign devices under provisioning templates clears the previous selected device list.
594238 FortiManager should be able to create overlapping secondary IPs via a script if interfaces are assigned to different VDOMs.


Services

Bug ID Description

563624 FortiManager dbcontract updated with the entitlement file shows different contracts compared to FortiManager dbcontract updated from FDS.


System Settings

Bug ID Description

611825 FortiManager fails to edit the device interface when FortiSwitch is set to RO within admin profile.
592156 Upgrade task for managed devices in Task Monitor always shows Pending status with 0.
599812 Stager or pusher admin has no permission to view VDOM interface mapping.
202924 FortiManager should be able to restore a large backup file via web interface.
535607 Upgrading ADOM may take a long time due to hit count statistics.
570266 When saving the values of the administrative access, the values do not save when unchecking HTTPS first before any other value.
571181 An admin user with read-write system permissions and restricted to one ADOM can change their permission to All ADOMs.
576098 Event log may not show the correct username when changing a non policy related object.
581450 ADOM upgrade may hang when DNS or URL filter name is null.
584392 Admin user with read-only profile should not be allowed to "Revoke Release" in DHCP query and "Bring Tunnel Down/Up" in Query IPsec.
584749 System Settings may not show the ADOM-VDOM association.
587242 Build 349: HA Cluster fails after upgrading to 6.0.6 with peer IP using IPv6.
587295 Admin users with prof_admin_regional profile should be allowed to see all application signatures.
588852 Idle time is constantly reset for inactive users.
588884 Event log for merging duplicated objects is missing object name.
594556 Admin user may not be able to authorize FortiGate.
595660 FortiManager should generate event logs for imported images.
596562 Administrators allowed to access to only specific ADOMs cannot see "Managed Devices" in those ADOMs.
596580 Upgrade ADOM may fail on FSSO/SSO.
597765 ADOM upgrade may get stuck with "svc cdb reader" crashes.
599847 FortiManager may not be able to move VDOMs with long names among different ADOMs.
604069 IPv6 communication fails after setting interface status between down and up.
606545 There may be HA synchronization issues when policy hit count is disabled.
608378 FortiManager is unable to upgrade ADOM due to name conflicts in wildcard FQDN address.
611637 Policies are not visible when workflow session is created in an ADOM that is upgraded.

VPN Manager

Bug ID Description

616352 FortiManager may show empty value for phase1 and phase2 proposals.
554080 VPN monitor may not list all mesh tunnels if the remote VPN peer has a dynamically assigned IP address and subscribes to a dynamic DNS service.
562729 VPN Manager SSL VPN monitor's Active Connections column may be blank.
574727 VPN Manager may not display SSL-VPN settings for some devices.
586613 FortiManager may randomly install incorrect Phase1 proposal settings.
587760 Address group dynamic mapping is ignored when it is used as a protected subnet with VPN Manager.
589101 VPN Manager prompts the copy error "no hub configured for vpn" if the hub is external gateway with no device assigned.
589669 FortiManager shows installation error when there are two Hubs in VPN community where Hub-to-Hub Interface is set to 'None'.
590765 The tunnel-search and net-device attributes are not being installed if device role is set as spoke.
599242 For Dialup tunnels, auto-negotiate should only be applied to spokes.

Common Vulnerabilities and Exposures

Visit https://fortiguard.com/psirt for more information.

Bug ID CVE references

476783 FortiManager 6.4.0 is no longer vulnerable to the following CVE-Reference: CVE-2020-9289
511903 FortiManager 6.4.0 is no longer vulnerable to the following CVE-Reference: CVE-2004-0230
597311 FortiManager 6.4.0 is no longer vulnerable to the following CVE-Reference: CVE-2004-1653
606144 FortiManager 6.4.0 is no longer vulnerable to the following CVE-Reference: CVE-2019-9193
603256 FortiManager 6.4.0 is no longer vulnerable to the following CVE-Reference: CVE-2020-12811

Resolved Issues

The following issues have been fixed in 6.4.0. For inquires about a particular bug, please contact Customer Service & Support.

AP Manager

Bug ID

Description

588096

FortiManager removes the Multiple Pre-shared Key entry after it is edited.

604642

Changing SSID Groups makes changes on all member SSIDs.

521404 Refresh or close button does not work in the AP Health Monitor widget.
553985 FortiManager incorrectly sets "security-external-web" when external authentication is selected.
561911 FortiManager may take over two minutes to display map in AP Manager.
568631 Per-Device Mapping for FortiAP SSID in Bridge mode should not have IP and it is missing VLAN field.
570937 AP Manager should allow individual configure LAN Ports.
578123 Multiple dhcp-relay-ip cannot be defined.
585157 FortiManager is missing 802.11ax/ac related settings on FAPU431F and FAPU433F.
593366 AP Manager may not be able to search for a SSID.
595674 When attempting to place an AP on a map, there is a considerable border around map image where it is not possible to place an AP to the far right or complete bottom of the floor.
597818 ADOM upgrade may delete Floor Map in AP Manager.
600899 FortiManager is unable to delete WiFi profile with forward slash in the name.
603511 AP Manager may try to unset authentication for SSID when device is configured under per-device mapping.

Device Manager

Bug ID Description

619377

FortiManager cannot retrieve FortiGate-800D containing more than 2048 Firewall custom services.

576850

There may be possible VDOM Name inconsistencies between FortiManager and FortiGate.

594905

FortiManager may take longer to load a system interface.

610015

Scroll bar in the install preview pop-up is not working properly.

544222

In device configuration's log setting, both local traffic log and event logging have Enable All buttons that may not work.

544337

FortiManager is missing Firmware information when creating or editing a device group.

555635

Certificate is not visible on GUI after restoring the configuration, which was exported from FortiManager.

563373

FortiManager should support FortiGate-VM FNDN.

593505

Provisioning Template sets incorrect syslog severity level under log settings.

601223

Device database configuration may mismatch with FortiGate even if auto-update happens.

602706

SD-wan Template may keep loading.

616619

Using script or CLI only page, user can create interface-policy without setting srcaddr, dstaddr, or service even though they are required fields.

411914 System Template's "Enable FortiGuard Security Updates" option should check if "antispam-force-off" and "webfilter-force-off" are disabled.
459895 FortiManager may not configure an IPS profile on an One-Arm sniffer interface.
523463 Firmware version not displayed in backup ADOM.
540502 Installation may fail due to interface's address mode changes to PPPoE.
541911 When workspace is enabled, FortiManager cannot run CLI template after it is assigned to a device.
544562 The "Force this Admin to Change Password Next Time He/She Logs on" option on administrator is not installed to FortiGate.
568626 FortiManager can only modify the order of DNS forwarder only if the IP addresses are in quotes ("") and when the IP addresses are not separated by comma.
572337 Config Status may display Modified instead of Conflict status following a failed policy package install.
573293 After upgrade, FortiManager may not be able to import policy package in Workflow mode.
580485 After defined per-device mapping a to model device, all policy packages status are changed to Modified.
580533 Build 0349: Saving configuration with incorrect IP/mask format does not display an error for inner configurations.
581812 Sorting Extenders by Device Name does not work.
584463 CLI Template's comment field cannot be saved.
586550 Device Manager does not detect newly joined Telemetry group on FortiGate.
587513 FortiManager should not unset the IPv6 configuration on FortiGate when registering with the "Add Model Device" method.
587610 FortiManager is unable to show policy package diff of Security Policy.
587693 Users should able to delete interfaces from aggregate interface.
589814 User should be able to make interface changes using CLI Configuration.
589826 Device Manager cannot create EMAC VLAN interfaces over VLAN interface created in root VDOM.
590064 Device view > VDOM GUI should show which VDOM is the management VDOM.
590321 Sorting filtered static routes list does not work.
590385 FortiManager should not have limit of 1024 for VPN local certificate.
590602 Zero in seconds is lost in Web Filter Override expire time.
591517 FortiManager should not change VDOM configuration scope with CLI Template.
591894 User should be able to specify PAC or HTTPS port on GUI after upgrade.
591981 After modified "set max-revs" value, the change is not immediately reflected on GUI.
592279 AP Manager does not accept certain wtp-profile settings when switching country.
592646 When creating a SD-WAN and disabling its status, it causes neither monitor map view nor table view can be displayed.
593244 User may not be able to change the option, "Send logs to FortiAnalyzer/Manager" under Provisioning Template.
593480 When there is no interface assigned to SD-WAN, neither map view nor table view can be shown.
594211 FortiManager should be able to create new VLAN interface on fabric interface and install to FortiGate.
594348 FortiManager should show buttons to create, edit, and delete TACACS+ on the CLI Configuration page.
594709 Device Manager may not be able to generate Policy Package Diff result.
594853 FortiManager may create duplicate VDOMs when retrieving configuration for multiple devices.
595683 When using workflow mode, changing anything on a policy ID does not modify status of Policy Package.
595803 When configuring PPPoE from CLI Configuration, installation fails with unexpected deletion of system-interface.
595941 Importing policy package may unexpectedly convert regular address objects to dynamic address objects.
597284 When creating a new switch through a script, all configuration is visible in Device Manager but no port configuration is installed.
598230 Removing Per-device mapping causes all referenced Policy Packages status to become modified.
598650 SD-WAN monitor table view may not show data for FortiGate 5.6 device.
598912 Device Manager may not be able to display newly created VDOMs.
599141 After upgrade, Policy Route menu no longer displays Source Addresses or Destination Addresses.
599768 FortiManager may not be able to display the second shelf manager.
599769 FortiManager may not be able to "Enable Security Fabric" on some FortiGate platforms.
602275 FortiManager may not be able to remove VDOM or device when FortiAnalyzer feature is enabled.
603215 Fabric is not enabled in allow access after enabling FortiLink on an interface.
603405 FortiManager cannot set radio-2 band to "802.11ax" under CLI Configuration.
603522 Fabric should be shown as an option for administrative access.
603542 Password field should not be deleted when making changes to PPPoE interface.
603606 FortiManager should accept volume ratio value of 0 within SD-WAN configuration.
603820 FortiManager fails to import policy when reputation-minimum and reputation-direction are set.
604269 FortiManager should permit Virtual Wire Pair to use Aggregate interface.
604808 Verification may fail on system interface tc-mode or phy-mode when installing to FortiGate-60E-DSLJ.
605178 FortiManager should be able to set "None" interface under Policy Route.
605946 Import may fail where there are objects with truncated names.
606628 FortiManager may fail to retrieve configuration with SAML SP IDP certificate.
607672 Import may fail with error "user group match is not a member".
608642 Importing policy should not make dynamic mapping for policy object when there is only change on hidden attributes.
609757 Adding a new device on SD-WAN Template may cause Config status to change to Modified on all devices.

FortiClient Manager

Bug ID Description
548572 FortiManager shows unclear message in FortiClient Profile with "Response with errors" instead of "Device groups cannot be empty".

FortiSwitch Manager

Bug ID Description
503722 FortiSwitch Manager and AP Manager reports switches and APs connected to FortiGates as online when the devices are no longer powered on.
573043 Saving FSW VLANs configuration may trigger error and lead to data loss in Per Device Mapping.
587526 VLANs in FortiSwitch templates must support per-device secondary IP.
597715 Under FortiSwitch Manager Per device mode, FortiManager may prompt error [object Object] when trying to create a VLAN with an in-use VLAN ID.
601242 Installation may fail because the qtn.fortilink configuration cannot be deleted.
601712 Under Workflow mode, FortiManager may lose FortiSwitch templates and VLAN configuration.

Global ADOM

Bug ID Description
578089 Address objects cannot be deleted from the FortiManager's Global ADOM if they are not being used anywhere.
582171 FortiManager may not be able to assign all objects from 5.6 global ADOM to a 6.0 ADOM.
587511 gSSO_Guest_User should work the same as predefined SSO_Guest_User.

Others

Bug ID Description
609040 Device manager may be empty after upgrade.
364541 The command, diagnose dvm support list, should include all supported platforms.
581140 The SNMP, FmDeviceEntPolicyPackageState, always returns (-1), which indicates never installed, regardless of the actual policy package status.
591206 The SNMP trap, fmDeviceTable, should show VDOM information as well.
611548 The dbcache.db file size may keep increasing.
550140 The system-support-fgt configuration is lost if there is a version lower than 5.4 selected prior to upgrade.
551937 FortiManager should allow the browser to save and paste credentials at the logon prompt only.
552085 FortiManager live migration fails with Microsoft Hyper-V and it is not accessible via GUI and SSH.
565515 User may not be able to create a new SNMP host under System Templates. Workaround: Please add a new SNMP host for System Templates under CLI Configurations within Device Manager.
571235 Enabling policy hit count may lock ADOM and provoke GUI slowness.
574731 Builds 0349 and 1121: Some hardware specific SNMP traps are missing from the device SNMP settings and the system provisioning templates.
579648 FortiManager may generate "fgfmsd" crashes when FortiGate sends registration request to FortiManager.
584053 FortiManager may show fmgd crashes after switching among pages.
586991 "Logver" field is missing when FortiAnalyzer is enabled affecting report related features.
589805 Installing policy package via JSON API with missing interface in zone definition deletes zone and corresponding firewall policies on FortiGate.
590037 FortiManager CPU usage may spike when going to interface and VPN Phase1 or Phase2 page.
590649 On FortiClient or FortiDDoS ADOM, the SOC page may refresh constantly.
593245 FortiManager may show incorrect warning when changing admin profile via CLI.
593421 Running ADOM integrity check may cause cdb reader to crash.
593819 FortiManager may generate several fmgd crash logs.
595589 When running a script on a device with large configuration, dmworker may crash with high CPU spike.
595741 After ADOM upgrade, FortiManager may report an error on reaching the max limit of firewall-service-custom.
601978 Diagnostic command may fail to repair database when device is in standalone mode but there are entries in HA member table.
602216 FortiManager is unable to add SNMP hosts when set alias is configured on a port.

Policy and Objects

Bug ID Description
622040 Security Policy is missing Implicit Deny policy.
615823 VPN tunnel is not unset when changing the action of the firewall policy from IPSEC to Accept.
598938 FortiManager should allow setting wildcard-fqdn type firewall address as destination on proxy policy.
602176 Creating a proxy policy with a profile group adds additional security profile.
604577 When logged in as a Restricted Admin or regular User, it is not possible to reference "Web content filter" in a web profile.
612672 The policy block hit count stays at zero even if the counter increments properly on the FortiGate side.
488897 SSL VPN policy can be created with a FSSO user group assigned to the policy.
491813 FortiManager should group IPS Sensor entries with same filters as one rule.
505887 Internet Service should be separated into source and destination.
528881 Users are not able to remove all FSSO objects from selected list that has a large number of entries.
544404 When a remote user approves a session, session list shows zero sessions.
545605 Searching on Created Time or Last Modified does not work on policy table.
548573 FortiManager changes UUIDs of existing objects after policy install.
563629 Clicking on "+" function should allow users to add Wildcard FQDN objects.
566446 Installing from a 5.6 ADOM to a 6.0 FortiGate needs to keep the configured multicast policies and zone on FortiGate.
569576 Build 1121: Web rating override category change is not reflected in GUI.
571473 FortiManager should have "Configure Default Value" option for IP Pool.
573250 Find Duplicate Objects may show inaccurate results due to obj-id.
574560 Installation from FortiManager may fail with the error, "No response from remote" FortiGate.
578004 The policy interface colors are different between Device Manager and Policy & Objects.
580484 Signature, "Apache.Optionsbleed.Scanner", cannot be selected as IPS Signature but only as "Rate based Signature".
581495 Interface Validation should prompt only once per unmapped interface.
581607 FortiManager 6.2.2 may not be able to install class-id to a FortiOS 6.2.1 device.
581825 In workflow mode, changes to the SSL VPN portals do not trigger "Modified" status on the policy package.
585021 Adding or modifying a rate based signature on IPS profile resets all rate based signatures to default settings.
587624 Application Control profile page is blank for User with read-write permissions on Policy & Objects.
588548 Under workspace, addresses may be removed from a firewall policy when merging duplicated addresses.
588684 Central SNAT option is missing under Policy Package menu when mode is NGFW policy-based.
589645 GUI disables FSSO status after one of the FSSO user groups with a policy is removed.
589771 Policy Package installation fails when a Firewall Policy contains a VIP Group mapped to a zone interface.
589775 Entry without content should not be created when creating an Application Control Profile.
589795 User should be allowed to create a new tag in firewall policy or select an existing tag.
589808 After editing a policy in a policy package, the screen view should remain on the edited policy.
590322 When an Internet Service Database object is used in the destination field on proxy rule, the field is displayed as an empty field.
590896 FortiManager has no source interface column in the general view of Proxy Policy.
593853 Certificate generation fails if the CA certificate does not match ADOM name.
594549 Editing Per-Device mapping for zone containing slash in the name generates "Method failure" error message.
594811 Using copy and paste on multiple proxy policies may insert rules in reverse order.
594866 Internet Services may not match between FortiManager and FortiGate.
594957 SSL/SSH Inspection profile should not allow "Untrusted SSL Certificates" to be set to Block.
595646 After selecting a proxy policy and using the "Insert Above/Below" button, the new policy should be created with the same proxy type of the selected policy.
597668 FortiManager should be able to install the scheduled policy package even though it is scheduled by wildcard user.
597879 Policy package installation fails with commit check error on system interface dhcp-relay-type.
598493 FortiManager should get all datacenter information from exsi vm info.
598656 When long-vdom-name is enabled on FortiGate, installing from FortiManager may show nothing to install.
601073 When renaming address object, the error "invalid value" is prompted when it should be "object already exists".
601081 FortiManager is missing the feature to change IPS Signatures status.
602600 FortiManager may show any duplicate sections in the policy page.
602871 FortiManager may show zero on First use, Last used, and Byte count on policy.
604159 Cloning an existing policy package adds the "clone_of_" to the name even when the feature is disabled.
605947 FortiManager is unable to configure hold down-interval for Virtual Server.
606721 FortiManager should not allow users to create firewall address with a name which is in conflict with the name of existing wildcard-fqdn addresses.
607370 When workspace is enabled, auto-install fails with error "no write permission".
607958 FortiManager should be able to modify Per-device mapping for global VIP in local ADOM.
608105 Changes to Virtual server or Health check for load balance should be detected and installed to FortiGate properly.
608236 FortiManager is unable to install ssl-ssh-profile policy updates when disabling protocols on a policy.

Revision History

Bug ID Description
612781 FortiManager should try to remove any referenced policies prior to creating a zone interface.
492088 FortiManager attempts to change Chassis ID on FortiGate 7000 series when installing configuration.
543507 Install fails for newly defined transparent VDOM's management IP.
555796 Installing policy on 6K series FortiGate may remove the interface setting "set forward-error-correction rs-fec".
560888 FortiManager may unexpectedly reset some parameters for IPS sensor entry.
605899 FortiManager should not mandate the use of the access key, secret key, and region fields for SDN Connector.
609110 Config revision created by Script_manager causes error when restored onto the FortiGate directly.
610687 FortiManager should not unset forward-error-correct during install.
613057 During install verification, FortiManager is changing the IP of uni-cast heartbeat interfaces after FortiGate cluster failover.
513317 FortiManager may fail to install a policy after FortiGate failover on Azure.
539829 FortiManager should be able to delete FortiGate default admin user from FortiManager.
539994 Installing to FortiGate fails when wildcard-fqdn address is used in SSL profile.
560638 When checking the Revision Diff between two revisions multiple times, the result may not be consistent.
560689 Auto-Update revision is missing "set stp-bpdu-guard enabled".
578231 FortiManager tries to push "casi-profile" on a Deny Policy.
582882 Switch interface should not have duplicate members during device install.
583833 Auto Link Install skips installation for VLAN interface.
584118 Router access-list rule's default value is mismatched causing installation failure.
586979 FortiManager may complain about duplicate tags and fail to install policy package.
586992 FortiManager does not install broadcast-forward enabled on "Virtual Switch" to managed FortiGate.
587005 FortiManager should support the radius-server-vdom setting and be able to install it.
589858 The BGP "scan-time" value of 0 can be set on FortiGate, but FortiManager resets it to default by "unset scan-time" on the next policy push.
590325 Installing EMAC-VLAN may fail on verifying device-identification setting.
592062 Custom Internet Service created on FortiManager systematically fails to be installed on the target FortiGate.
592315 Installation of Policy Package against a device group may generate copy fail error for one FortiGate device.
594147 FortiManager does not perform interface binding contradiction check when a firewall policy is using an address group and the user changes an address group member.
597353 Policy install may remove auth-redirect-addr when disclaimer is set.
598173 When changing the "User Group Source" from Local to Collector Agent, FortiManager should automatically unset the undesired commands.
599413 Policy Package Diff is showing differences for passwords when there is no actual difference.
600085 Some special characters may cause revision history to not be saved with a full tmp folder.
600833 When trying to create a local certificate, and assign and install it for remote administration, the install operation fails due to incorrect order of configurations.
601668 FortiManager may install overlapping VIP objects to FortiGate.
602272 Installing UUIDs from local-in policies for FortiGate-60F may cause installation failure.
605187 FortiManager may fail to add members into a zone.
607216 When master-device is set on custom device, type should not be available on FortiManager.

Script

Bug ID Description
593217 FortiManager is unable to delete Virtual-Switch members via script if the number of remaining interface members is less than two.
535066 Task Monitor for script task shows browser 500 error if the return button is selected.
587015 When a user tries to set a signature with non-escaped quotes from a script, the signature becomes separate strings, and the installed string may not be what is expected.
590889 Using the search bar to assign devices under provisioning templates clears the previous selected device list.
594238 FortiManager should be able to create overlapping secondary IPs via a script if interfaces are assigned to different VDOMs.

Services

Bug ID Description
563624 FortiManager dbcontract updated with the entitlement file shows different contracts compared to FortiManager dbcontract updated from FDS.

System Settings

Bug ID Description
611825 FortiManager fails to edit the device interface when FortiSwitch is set to RO within admin profile.
592156 Upgrade task for managed devices in Task Monitor always shows Pending status with 0.
599812 Stager or pusher admin has no permission to view VDOM interface mapping.
202924 FortiManager should be able to restore a large backup file via web interface.
535607 Upgrading ADOM may take a long time due to hit count statistics.
570266 When saving the values of the administrative access, the values do not save when unchecking HTTPS first before any other value.
571181 An admin user with read-write system permissions and restricted to one ADOM can change their permission to All ADOMs.
576098 Event log may not show the correct username when changing a non policy related object.
581450 ADOM upgrade may hang when DNS or URL filter name is null.
584392 Admin user with read-only profile should not be allowed to "Revoke Release" in DHCP query and "Bring Tunnel Down/Up" in Query IPsec.
584749 System Settings may not show the ADOM-VDOM association.
587242 Build 349: HA Cluster fails after upgrading to 6.0.6 with peer IP using IPv6.
587295 Admin users with prof_admin_regional profile should be allowed to see all application signatures.
588852 Idle time is constantly reset for inactive users.
588884 Event log for merging duplicated objects is missing object name.
594556 Admin user may not be able to authorize FortiGate.
595660 FortiManager should generate event logs for imported images.
596562 Administrators allowed to access only specific ADOMs cannot see "Managed Devices" in those ADOMs.
596580 Upgrade ADOM may fail on FSSO/SSO.
597765 ADOM upgrade may get stuck with "svc cdb reader" crashes.
599847 FortiManager may not be able to move VDOMs with long names among different ADOMs.
604069 IPv6 communication fails after setting interface status between down and up.
606545 There may be HA synchronization issues when policy hit count is disabled.
608378 FortiManager is unable to upgrade ADOM due to name conflicts in wildcard FQDN address.
611637 Policies are not visible when workflow session is created in an ADOM that is upgraded.

VPN Manager

Bug ID Description
616352 FortiManager may show empty value for phase1 and phase2 proposals.
554080 VPN monitor may not list all mesh tunnels if the remote VPN peer has a dynamically assigned IP address and subscribes to a dynamic DNS service.
562729 VPN Manager SSL VPN monitor's Active Connections column may be blank.
574727 VPN Manager may not display SSL-VPN settings for some devices.
586613 FortiManager may randomly install incorrect Phase1 proposal settings.
587760 Address group dynamic mapping is ignored when it is used as a protected subnet with VPN Manager.
589101 VPN Manager prompts the copy error "no hub configured for vpn" if the hub is external gateway with no device assigned.
589669 FortiManager shows installation error when there are two Hubs in VPN community where Hub-to-Hub Interface is set to 'None'.
590765 The tunnel-search and net-device attributes are not being installed if device role is set as spoke.
599242 For Dialup tunnels, auto-negotiate should only be applied to spokes.

Common Vulnerabilities and Exposures

Visit https://fortiguard.com/psirt for more information.

Bug ID CVE references
476783 FortiManager 6.4.0 is no longer vulnerable to the following CVE-Reference: CVE-2020-9289
511903 FortiManager 6.4.0 is no longer vulnerable to the following CVE-Reference: CVE-2004-0230
597311 FortiManager 6.4.0 is no longer vulnerable to the following CVE-Reference: CVE-2004-1653
606144 FortiManager 6.4.0 is no longer vulnerable to the following CVE-Reference: CVE-2019-9193
603256 FortiManager 6.4.0 is no longer vulnerable to the following CVE-Reference: CVE-2020-12811