Resolved Issues
The following issues have been fixed in 6.4.8. For inquiries about a particular bug, please contact Customer Service & Support.
AP Manager
Bug ID | Description |
---|---|
691540 | Where Used should indicate that an AP is still in use in one or more FortiGate devices. |
697444 | SSID with MPSK may not pass verification during an install. |
718464 | Firmware upgrade fails for FortiAP 421E from FortiManager. |
726287 | Deleting Floor Map may return a blank pop-up with error. |
728372 | Importing SSID with optional VLAN ID set creates incorrect per-device mapping. |
750255 | FortiManager should enable DFS channels on WTP profiles for FAP234F and FAP231F with region N. |
750458 | AP Manager should not send |
757706 | FortiManager might downgrade FortiAP with enforced firmware version. |
763233 | AP profile may not contain SSID when AP Manager is in central management mode. |
770234 | 5GHz DFS channels on AP Profile were not supported for FAP U231F. |
772194 | FortiManager should not install the setting |
772213 | FortiManager may try to delete default wtp 11ac-only profile on FortiWiFi-60F causing install to fail. |
785471 | FortiManager was deleting |
Device Manager
Bug ID | Description |
---|---|
545239 | After adding FortiAnalyzer fabric ADOM to FortiManager, Device Manager's Log Status, Log Rate, or Device Storage columns cannot get data from FortiAnalyzer. |
587404 | FortiManager sets incorrect |
638750 | Where Used may not work for IPsec Phase 2 allowing users to delete used objects. |
662095 | FortiManager may take too much time to send SLA updates to one thousand or more FortiGate devices. |
673008 | SD-WAN Rules order changes to the default order when creating a rule and moving it to the top. |
677836 | The Client Address Range setting should allow users to configure |
691611 | When FortiManager performs |
699893 | SD-WAN's |
701348 | Once VRRP instance is created, user should be able to edit or delete it. |
709214 | System template should allow source interface to be selected when specify is activated as |
712578 | FortiManager does not allow WiFi SSID with special characters. |
713833 | It may not be possible to rename device zone. |
725334 | Importing policy package shows |
726721 | Unable to add multiple DNS domain names in Provisioning Template. |
727123 | Meta Field is not translating values with spaces into correct scripts. |
729301 | A managed FortiGate with assigned CLI template remains in modified state following a successful device configure installation. |
729413 | FortiManager is missing peer options with dial up user configuration with VPN IPSec Phase 1. |
730482 | CLI Template cannot add system DNS database entries if set domain contains the underscore character ("_"). |
731204 | FortiManager may incorrectly display Object already exists message while creating a new Hardware Switch interface. |
732246 | Clock format option no longer works to format date in TCL scripts. |
733379 | FortiManager cannot edit global level configuration when management VDOM is not in the current ADOM. |
733934 | During zero-touch-provisioning with Enforce Firmware Version enabled, upgrade task may hang if the connection is reset during the image transfer. |
735360 | When editing a device group, search results do not show the device if VDOM name is matched by search keyword first. |
735402 | Create a new CLI Group Template and try to add members to the CLI Group Template, but it does not allow users to select other CLI Group Templates that are already created. |
737025 | SD-WAN monitor widget may not be loaded when multiple performance SLAs are added. |
737908 | The install fails with verification failure displaying when trying to delete the LAN interface members. |
739369 | When revision history is large, FortiManager may be unable to retrieve configuration. |
740893 | Secondary IP may be purged when setting a description to VLAN interface. |
743102 | Device & Groups > VPN Phase1/Phase2 does not show the proposal column when using FGT-VM type "FGVMIB". |
743112 | Interface Bandwidth widget on FortiManager under Device Manager does not display any data for FortiGate. |
743267 | FortiManager's GUI does not show the virtual-switch ports as interface members for Hardware switches. |
744628 | After exporting system template, importing the same configuration through the CLI may fail. |
744973 | FortiManager GUI throws an error when switching from Policy & Objects to Device Manager. |
747955 | There may be performance issue when onboarding new SD-WAN devices. |
748240 | When FortiAnalyzer is managed by FortiManager, new devices that are registered to FortiManager should be synchronized under the corresponding ADOM on FortiAnalyzer. |
749823 | Named Address Static Route with SD-WAN cannot be selected on FortiManager. |
749923 | SD-WAN logs cannot be saved for some devices when |
750303 | Under System > Interface, the data shown on this page may be incomplete. |
750838 | FortiManager may fail to import device list from another FortiManager due to the meta field containing prefix "_meta_". |
751427 | Provisioning Template with empty name cannot be deleted or edited. |
753258 | FortiManager may be unable to show SD-WAN monitor data when the rtmmond daemon is stuck. |
754465 | FortiManager should also count promoted hidden devices. |
755519 | Zero-touch provisioning with script installation may fail due to duplicated |
759905 | When creating a device zone, device mapping may not be created when the zone is mapped to a normalized interface with the map as zone only option. |
760099 | When creating EMAC VLAN from Device Manager, FortiManager should show VLAN ID field. |
760132 | Device Manager may be unable to delete FortiGate-7000E HA cluster members. |
762082 | When creating a Static Route, FortiManager may take a few seconds to display available Named Address. |
763797 | Installation fails due to configuring |
764491 | Unable to configure more than one IP address for vrdst under the interface vrrp setting. |
764841 | FortiManager is unable to use secondary IP as source IP in DNS database. |
765762 | FortiManager is unable to install the switch controller > VLAN interface configuration during the ZTP process. |
773336 | FortiToken provision button is grayed out in Device Manager while it is enabled on FortiGate with the same token. |
777925 | Several unregistered FGTs consume FortiManager's resources. As a result, FMG becomes very slow and unresponsive. |
779260 | When |
779836 | FortiManager cannot install TCP-connect using Random port for SD-WAN. |
779900 | Administrative user GUI-dashboard information should be deleted upon VDOM deletion. |
792553 | Removing VLANs from Zone and adding a new VLAN to the same Zone deletes that Zone. |
793941 | Unable to install VPN psk with special characters through CLI template. |
795913 | Error Probe Failure has been observed when adding FortiAnalyzer to FortiManager. |
FortiSwitch Manager
Bug ID | Description |
---|---|
684371 | Clicking OK to import FortiSwitch Template results in no response. |
748200 | FortiSwitch monitor may show incorrect interface status for QSFP port. |
764258 | FortiManager should not update trunk-member value as it is controlled by FortiGate. |
Global ADOM
Bug ID | Description |
---|---|
660852 | FortiManager should not save invalid default value for |
691562 | Threat feeds global objects are not installed to destination ADOM when using the assign all objects option. |
725763 | Automatic install to ADOM devices may fail from Global ADOM. |
728803 | Copying global firewall policy may fail due to duplicate IPS sensors. |
737381 | FortiManager should not allow users to delete the default reserved address object starting with "g-". |
740942 | srcintf selector in Traffic Shaping Header or Footer Policy may not work in Global ADOM. |
741942 | FortiManager should show clear error message for duplicated object assigned from Global ADOM. |
745772 | FortiManager may randomly delete FortiManager IPv4 policies when assigning from the Global ADOM. |
760804 | FortiManager may return an error when adding address object to global policy. |
743734 | Cannot remove objects from Global Database. |
768527 | After upgrading the global ADOM, installation failed due to the custom |
Others
Bug ID | Description |
---|---|
505795 | FortiManager should allow users to configure the list of allowed TLS cipher suites. |
657997 | Assigning device to system template may not work through JSON when FortiManager is in workspace mode. |
707911 | FortiManager should be able to assign VLAN interface to FortiExtender. |
715601 | Under some conditions, disk usage may reach 100% after a few days. |
718251 | Web service with port 8080 disabled may still be in listening state. |
733078 | FortiManager may show multiple fmgd crashes with signal 11 segmentation fault. |
733208 | Users may be unable to log in from GUI after restoring a database with changed HTTP or HTTPS port number. |
738639 | Users should be able to obtain status of the FGFM |
740523 | Retrieve task may fail because the |
742137 | FortiManager may return an error when running an Ansible script to configure network interfaces, zones, and policies. |
744197 | If a VDOM is created and then gets the VDOM information from JSON API, the VDOM mode may be shown as NULL. |
744736 | FGFM tunnel may go up and down with multiple fgfmsd crashes. |
746311 | |
750419 | Execution of integrity check may remove dynamic mappings. |
763635 | Unable to upgrade an ADOM from 6.2 to 6.4. |
763669 | FortiManager Pay-As-You-Go should support connection to FortiCare through proxy. |
764674 | Map should use the region defined by the coordinates in System Settings > Advanced Settings or the FortiManager's time zone. |
766105 | FortiManager may be unable to upgrade ADOM from 6.2 to 6.4 due to cdb crash. |
766874 | FortiManager holds the wrong value for AP limit of the FG-80F. |
775574 | There is a Criteria Latency field which is different between FortiGate and FortiManager when creating the manual interface option for SDWAN rules. |
776342 | System NPU values may be different between FortiManager and FortiGate-1801F. |
776413 | FortiManager lock/commit operation is very slow when FortiManager HA is enabled. |
783226 | Fabric View may keep loading. |
792887 | Verification fails for default dnsfilter profile due to wrongly installing "set category 0". |
794304 | Interface Bandwidth widget is displayed in ADOM 6.2 in FortiManager version 6.4. |
Policy and Objects
Bug ID | Description |
---|---|
503978 | Thread Feeds should be Threat Feeds on Fabric Connector. |
549492 | Load-balance type VIP cannot be displayed and saved correctly. |
585177 | FortiManager is unable to create VIPv6 virtual server objects. |
615250 | Search by CVE may not work for both IPS signatures and IPS filters. |
644822 | Imported SDN connector objects may change to random names. |
657534 | SSH and MAPI should not be supported in file filter profile protocol under flow mode. |
696367 | Hit count, first used, and last used may not get updated on FortiManager. |
699975 | Multiple filters are missing for Azure SDN connector. |
701750 | The App Control set to Monitor in FMG causes the app to disappear from FGT. |
709908 | When checking the status on AntiVirus profile, it may not show the correct inspection mode in list view when status stays in flow-based (Full Scan). |
713886 | FortiManager returns error method failure, when setting a shaping profile in normalized interface using per-device mapping. |
714375 | There are no warning messages when assigning in-use normalized interfaces. |
717031 | FortiManager doesn't update the Hit Count number. |
718223 | Hyperscale firewall EIF shall not be enabled when IP pool with CGN overload configuration is used in a policy. |
725024 | Proxy Policy page shows empty when the View Mode is selected as Interface Pair View. |
725132 | When modifying IP address of Default VPN Interface of spoke in Device Manager, hub remote gateway should be modified to reflect that change. |
726328 | SSL-SSH profile may display incorrect options when using SSL certificate inspection. |
729705 | Installing policy requires interface validation for interfaces not being used in the policy package. |
730523 | Unused policies tool may always generate a PDF containing all policies. |
731053 | FortiManager may miss some Internet Service entries. |
732138 | Non-full admin users should be able to export Policy Check and Unused Policy results. |
732199 | FortiManager displays the group ID instead of displaying name with NSX-T Connector. |
734556 | FQDN type firewall address object can be created with an unsupported format. |
737424 | Policy package import fails due to the Device mapping::"query failed. error. |
738475 | Special characters within policy's comment causes all policies to disappear from the GUI. |
740944 | Custom IPS signature script may fail to run on policy package or ADOM database. |
742257 | NPU log servers for hyperscale does not show up in policy package. |
744049 | Proxy policy does not accept configuration with both IPv4 and IPv6 address objects. |
744591 | Installing or importing IPS custom signature may fail when a signature's name contains a space character. |
744766 | FortiManager may not be able to retrieve IP address for group with NSX-T v3.1.2. |
744934 | FortiManager may try to install undesirable changes to FortiGate-5001E, FortiGate-5001E1, and FortiGate-5001D. |
745355 | Section labels are not visible in virtual-wire policy section. |
745884 | FortiManager GUI may not respond when triggering policy package install wizard under Policy & Objects. |
746273 | Column filter may be extremely slow with large policy package. |
747537 | Where Used should show the correct object references for newly cloned objects. |
747558 | FortiManager filters should work for Hit Counters, First Session, and Last session. |
748222 | Cloning of a policy package is grayed out for admin users with restricted access to particular policy package folder. |
748235 | Filtering by hit count may not work for policies. |
748246 | Where Used may result in an empty top-left frame for policy packages. |
748467 | FortiManager does not have the same profiles as FortiGate with explicit proxy policy. |
748498 | There may be issue with Transparent Web Proxy when using interface pair view. |
748556 | FortiManager should not allow users to create Explicit proxy FTP with pool name. |
749519 | IPv4 policies in policy block may be hidden on FortiManager's GUI. |
749576 | FortiManager may try to install hidden synproxy parameters for DOS policy to FortiGate. |
750160 | custom-url-list may not be correctly parsed when URLs contain space characters. |
750539 | If FortiGate allows selecting LogMeIn app using specific filter override, FortiManager should also allow it. |
750882 | User may not be able to save changes in SSL/SSH inspection profile from GUI. |
751137 | Installation performance issues may occur with a large number of dynamic mappings and many FortiAP or FortiSwitch devices. |
751710 | Editing a global user FSSO object's dynamic mapping is not possible. |
751767 | Export to Excel when filters are applied for a policy package does not work. |
752777 | FortiManager should be able to manage valid authentication rules containing User-Agent proxy address. |
752822 | FortiManager may not respond when adding a firewall address or group to a policy and changing the policy comment at the same time. |
754225 | Policy package status is out of sync without changes. |
755252 | Plus (+) sign should be added for SMS phone number when two-factor FortiToken Cloud is enabled. |
755348 | FortiManager should support more than one thousand traffic shapers. |
757164 | FortiManager database contains parameter webfilter-searchengine-Baidu-gb2312 that does not exist on FortiGate. |
758526 | FortiManager should be able to delete many per-device mappings quickly. |
758809 | When policy package in policy-based NGFW mode, FortiManager may still set action to accept, even when the policy is specified as deny. |
760869 | Deleted objects may remain referenced in firewall policy. |
765709 | FOS 6.4.9 syntax support. |
765793 | Adding custom signature with _vdom-name should not prevent pushing changes to numerous devices. |
765812 | Hyperscale policy packages do not show log server until you get into a policy. |
767317 | Policy Hit Count may not be updated for Read-Only admin. |
768353 | Commit action is taking too much time and it makes the FortiManager slow. |
769997 | Selection for user SAML as member under the user group may not take effect. |
770210 | Where Used may not report used objects properly. |
770256 | FortiManager displays error when using push to install for objects utilized by policy blocks. |
770678 | Changing Action from Accept to Deny should ignore all UTM profiles within the firewall policy. |
771941 | FortiManager is unable to import or create virtual server with real servers using the same IP but different http-host. |
774435 | Right-click menu to add object may return an error: cgn-resource-quote:out of range. |
775128 | Unable to create more than twenty (20) SAML users in policy package object. |
776361 | Policy lookup may not work if the managed devices are in transparent mode. |
777554 | There may be slowness when using Find Duplicate Objects with Merge tools. |
779947 | Address group changes for per-device mapping do not apply to FortiGate when address group is used in policy route. |
779965 | Users may be unable to export firewall header and footer policies to Excel. |
783899 | There may not be empty lines in IPS Signature and Filters. |
786684 | Installation fails because the virtual-wan-link did not exist. |
789957 | Created time doesn't indicate AM or PM on the Tools > Find Unused Policies. |
791797 | Installation failed after upgrading ADOM from 6.2 to 6.4. |
Revision History
Bug ID | Description |
---|---|
618305 | FortiManager changes configuration system csf settings. |
643101 | Copy may fail due to VIP overlapping when installing policy package. |
657424 | FortiManager may disable the "l2forward" and "stpforward" settings on virtual switch interface when installing policy package. |
660525 | When installing from FortiManager, it may unset comment, organization, and subnet-name during install. |
674094 | FortiManager may unset explicit proxy's HTTPS and PAC ports and change the value to 0 instead. |
674196 | Installation may fail after editing or creating a firewall policy if reputation-minimum is set. |
691240 | FortiManager should not unset the value forward-error-correction with certain FortiGate platforms. |
700495 | FortiManager 6.2 ADOM may be sending set synproxy to FortiGate-1801F. |
713552 | If VIP address's source-filter list is too long, installation may fail. |
722604 | After removing a member of user group that is used only in XAUTH, FortiManager is not deleting the unused local user on FortiGate. |
724647 | After upgrading to 6.4, retrieve from a chassis may take a long time. |
725252 | When customer is trying to push policy package to a device group, installation window may not show any progress but a red cross. |
725557 | Install always tries to delete hardware switch member interface causing installation failure. |
725717 | After upgrade, installation may fail due to mcast-session-counting. |
728447 | Installation may fail due to VIP's mapped IP as a range with two identical IP addresses. |
728918 | FortiManager should install changes applied on Global policy package and not indicate warnings like "no installing devices/no changes on package". |
729148 | Install fails when new transparent mode VDOM is added directly via FortiGate CLI and imported into FortiManager. |
735455 | FortiManager may try to delete thousands of policies during install. |
740858 | GCP project name must be set during install. |
741543 | Install may fail with unset MAC address on EMAC VLAN. |
742806 | When modifying a configuration and installing Device Setting only, FortiManager may not display the device's configuration change. |
744966 | After upgrading FortiManager, policy install verification may fail with Config status changes to Conflict due to invalid default value for log memory filter. |
745715 | FortiManager may not be able to install policy package with firewall rule using VIP group due to zone binding. |
747837 | FortiManager may try to delete interfaces lan1, lan2, and lan3 which are used by virtual-switch.sw0 on FortiGate-40F. |
748350 | Explicit proxy FTP ssl-ssh-profile application-list may not be installed. |
748462 | FortiManager should not set the HA interface IP under the central-management on FortiGate when the master unit fails. |
749587 | If a device revision is corrupted, FortiManager may be able to remove or create any revision. |
750637 | FortiGate-5001E, FortiGate-5001E1, and FortiGate-5001D may be mistakenly set to support switch-profile. |
751771 | Users may not be able to create hardware switch interface from FortiManager. |
751776 | Renaming IPSec Phase1 that is member of a zone causes all zone related rules to be re-created. |
754081 | Application Control signatures belonging to Industrial Category are removed from FortiGate in split mode during policy install. |
755059 | After disabling NAT on hyperscale policy, there may be installation failure on unset action. |
755687 | FortiManager may show admin with no password when adding a new VDOM to FortiGate-2200E/2201E. |
756508 | FortiManager may unset chassis ID causing the HA cluster to be lost. |
757716 | There may be install issue with Web Filter's "config ftgd-wf" which does not exist on NGFW policy mode on FortiGate. |
764497 | FortiManager should not create a new wildcard FQDN object while renaming it. |
767824 | FortiManager may unexpectedly delete custom signature when installing policy package. |
Script
Bug ID | Description |
---|---|
384139 | Filter does not work on device group. |
654700 | Users need to open "View Script Execution History" to see that TCL script fails. |
740938 | Direct CLI script may fail when it contains an 'exec' command. |
757156 | When running CLI script remotely on 100+ firewalls, partial configuration is retrieved and it may cause routing to be removed from device database. |
780604 | When creating a new phase1 interface, dpd=on-idle settings may not be saved. |
787113 | TCL scripts fail to run if the admin's password is longer than 36 characters. |
Services
Bug ID | Description |
---|---|
644021 | FortiManager should be able to use custom certificates for update-related services. |
704584 | FortiAP firmware may not be listed and cannot be imported. |
718256 | FMG-VM64-AWSOnDemand may not retrieve the proper license when it is behind a proxy. |
725118 | FortiManager may not log FortiGuard connectivity failures. |
741846 | AP upgrade task may hang at 45%. |
748489 | Numerous svc cdb reader processes reaching 100% CPU utilization. |
796345 | FMG does not recognize the entitlement file for some FGTs. |
System Settings
Bug ID | Description |
---|---|
640670 | If a user specified ADOMs, including global ADOM, workflow approval may not be able to find the same user. |
687992 | Backup that includes IPSec VPN cannot be restored. |
690926 | FortiManager is removing SD-WAN field description upon ADOM upgrade from 6.2 to 6.4. |
696554 | FortiManager may generate a lot of cdb event log for object changed event logs. |
706303 | Template assignment or save may not generate clear event logs. |
721153 | Scroll bar is missing from device drop-down list on ADOM overview page. |
727233 | ADOM license count should not count root ADOM. |
728991 | Nested group search fails with Bad search filter, if the user DN contains characters like "," and "()". |
729280 | Admin User with no access to management ADOM or VDOM can create a new VDOM from non-management ADOM > VDOM. |
731084 | FortiManager upgrade should not have warning when there is no upgrade path. |
734422 | The "svc sys" daemon may have high memory usage when API is used to upgrade FortiGate devices. |
735067 | When creating a local account with the Force this administrator to change password upon next log on option selected, the setting should be applied for the first login. |
737142 | FortiManager should support using the special character "@" in SNMP community name. |
738622 | ADOM upgrade from 6.0 to 6.2 may fail due to FortiExtender object. |
745333 | Remote authentication servers should not be synchronized among HA members. |
745365 | Event log may be truncated when the log contains many address objects. |
746568 | FortiManager may continuously change NTP synchronization server. |
748237 | Users may be unable to disable ADOM using GUI or CLI. |
751069 | User may be unable to disable ADOM after upgrade. |
762708 | LDAP may become stuck for twenty seconds if LDAP is not responding. |
768682 | Setting a Cluster ID for a model HA cluster results in an invalid group ID under config system ha. |
775091 | Two factor authentication fails when special characters are used in CN. |
777726 | FortiManager may not generate event logs for meta field changes. |
778405 | Script Groups should be copied with their members when cloning an ADOM. |
783066 | If the number of FortiGate devices registered is in the upper limit of the license count, it may cause HA to become asynchronized. |
790409 | idle_timeout under admin settings is not converted properly after performing the upgrade. |
795655 | FortiManager loads the Administrator list under the System Settings very slowly. |
VPN Manager
Bug ID | Description |
---|---|
721783 | Applying Authentication or Portal Mapping changes may take several minutes. |
735417 | FortiManager may purge mac-addr-check-rule when installing to FortiGate. |
748488 | Cloned VPN Phase1 interface may have several different parameters than the original interface. |
750227 | Removing a spoke or hub from VPN community may result in partial configuration removal. |
774040 | |
779498 | VPN monitor may not display correct information when FortiManager is in advanced ADOM mode. |
780154 | Policy package should be pushed to VPN hubs without error interface IP is 0. |
Common Vulnerabilities and Exposures
Visit https://fortiguard.com/psirt for more information.
Bug ID | CVE references |
---|---|
770575 | FortiManager 6.4.8 is no longer vulnerable to the following CVE-Reference: |