Known issues

Known issues are organized into the following categories:

To inquire about a particular bug or to report a bug, please contact Fortinet Customer Service & Support.

New known issues

The following issues have been identified in version 7.2.9.

Device Manager

Bug ID Description

1122481

When a FortiGate HA failover occurs, making any changes to the SD-WAN configuration on the FortiGate HA may cause FortiManager to attempt to purge the firewall policies on the device during the installation (Install Device Settings (only)).

Existing known issues

The following issues have been identified in a previous version of FortiManager and remain in FortiManager 7.2.9.

AP Manager

Bug ID Description

1010632

Floor Map shows wrong AP status and does not show the rest of APs when adding a new AP.

1040365

FMG is generating false vulnerability reports for certain FAPs:

  • U431F

  • U231F

1076200

Policy install fails because FMG installs unexpected changes related to "<wifi_intf> address".

Workaround:

Create a CLI template with all subnet addresses and assign to device.

Device Manager

Bug ID Description

894948

FortiManager fails to push the FortiAnalyzer override settings to the FortiGate.

973365

FortiManager does not display the IP addresses of FortiGate interfaces configured with DHCP addressing mode.

Workaround:

Change Addressing Mode from DHCP to Manual in the FortiManager Device DB, then Retrieve from FortiGate; the IP will be updated.

980362

The Firmware Version column in Device Manager incorrectly shows 'Upgrading FortiGate from V1 to V2' even after a successful upgrade has been completed.

1004220

The SD-WAN Overlay template creates route-map names that exceed the 35-character limit.

1015138

Unable to edit an interface with a DHCP reservation.

1030685

Unable to export metadata variables if the metadata's per-device-mapping value is empty.

1050126

Setting up a FortiGate-HA with ZTP fails because the FortiLink is not deleted during the "HA config pushed to FGT" process.

1053194

If the "system interface speed" attribute is changed from the FortiManager, it may potentially cause an installation failure. Modifying the "system interface speed" is not currently supported on the FortiManager and must be done on the FortiGate side.

1062545

When the preshared key in the IPsec settings contains a backslash "\", the install may fail.

1063635

FMG does not support the "FortiWiFi-80F-2R-3G4G-DSL".

1063835

FortiManager ZTP installation to FortiGate versions 7.2.8 and lower may fail due to differing default "ssh-kex-algo" settings between FortiManager and FortiGate.

1063850

FortiManager is attempting to install a "PRIVATE KEY" with every installation, even after retrieving the config.

1070943

Unable to upgrade the devices via Device Group Upgrade Firmware feature.

Workaround:

Upgrade devices individually by using the "Device Firmware Upgrade" feature or Create New Firmware Template for single devices or device groups and use the "Assign to Devices/Groups" feature.

1074717

An error might be observed when the SD-WAN template health check name contains a space, displaying the following message: "Bad health check name...".

1075052

Occasionally, installations may fail on FortiGates in HA mode due to a "Serial number does NOT match" error. This can happen if the HA device's serial number on FortiManager does not immediately update after a failover.

1075281

Unable to add FortiAnalyzer to FortiManager when "fgfm-peercert-withoutsn" is enabled.

Workaround:

Set "fgfm-peercert-withoutsn" to disable and then add FortiAnalyzer to FortiManager.

Others

Bug ID Description

703585

FortiManager may return 'Connection aborted' error with JSON API request.

777831

When FortiAnalyzer is added as a managed device to FortiManager, "Incident & Event" Tile will be displayed instead of the "FortiSoC".

968647

In LogView (when FortiAnalyzer is added to FortiManager), when changing time filters, the first request always fails but the second one is successful.

Workaround:

Use FortiAnalyzer's LogView to view logs.

998198

When upgrading ADOM, the upgrade process fails with the following error: "invalid value - can not find import template 'XYZ' ".

Workaround:

Locate the scripts, delete them, upgrade the ADOM and then import the scripts.

1019261

Unable to upgrade ADOM from 7.0 to 7.2, due to the error "Do not support urlfilter-table for global scope webfilter profile".

Workaround:

Run the following script against the ADOM DB:

    config webfilter profile
        edit "g-default"
            config web
                unset urlfilter-table
            end
        next
    end

1020787

ZTP Enforce firmware Version doesn't upgrade the secondary cluster member.

1029677

Unable to upgrade ADOM from v6.4 to v7.0 due to global scope error in webfilter profile.

Workaround:

Rename "g-default" to "g-test" and save. It can be deleted after that. Once the ADOM is upgraded, a new g-default is created.

1058185

FortiProxy policies are not imported if the policies have either internet service or IPv6 used in the source or destination.

Policy & Objects

Bug ID Description

845022

SDN Connector failed to import objects from VMware vSphere.

967271

Installation failed when trying to remove firewall internet-service-name objects.

971065

When the number of Custom Internet Services exceeds 256, installation fails due to this limitation.

978136

Occasionally, installation may fail due to an error message, "Waiting for another session", which prevents policies from being installed from FMG. During this issue, the following message may also appear: "Blocked by session id(XYZ) username(n/a)". This issue may be caused by a signal loss between the child and parent security console processes, leading the parent process to continue waiting for a copy result.

Workaround:

The main securityconsole process should be killed. Ensure no other installations are running, and confirm that only one securityconsole process is active. Then, terminate this process by using the following commands:

diag sys process list

diag sys process kill 12 <main_securityconsole_pid>

991720

FortiManager still has an option to enable the "match-vip" through the policy package for "allow" policies. However, this is not supported anymore on the FortiGates.

Workaround:

Disable the option under Advanced Options in the firewall rule.

1004929

FortiManager removes the Web Filter Profile from the Profile Group for Policy-Based FortiGates.

Workaround:

Use individual profiles in the policy instead of the profile group.

1005161

The policy package status changes for all devices even when an address object is opened and saved without any modifications. This issue is particularly observed in objects utilizing the per-device mapping feature.

1029787

The Firewall Policy pane in the FortiManager GUI may occasionally display both "Standard Security Profiles" (SSL no-inspection and protocol default profiles) and "Security Profile Groups" simultaneously.

1029921

Under the "Web Application Firewall" security profiles, users are unable to disable the signatures via GUI.

1030914

Copy and paste function in GUI removes name of the policy rule and adds unwanted default security profiles (SSL-SSH no-inspection and default PROTOCOL OPTIONS).

1055795

During device import via multiple CSV files at the same time, some devices were imported successfully, while others encountered errors and had missing metadata variables. Additionally, FortiManager forced the admin to log out. When attempting to log back in, the following error message appeared: "ADOM not found".

1070800

FortiManager is attempting to install the "cli-cmd-audit" command on a FortiGate running version 7.2.8, which does not support this command, leading to an installation error.

1071226

Policy Lookup does not highlight the result when the sections are not expanded.

1076659

When a policy package is configured with a policy block, installation to multiple devices may have copy fail errors if the combined length of the Policy Block name and Policy name is greater than 35 characters and if the total number of such policies exceeds 1000.

1079037

The "internet-service-id" attribute is configurable in the FMG, whereas this attribute cannot be modified on the FortiGate.

1079128

ZTNA Server Per-Device Mapping may display a copy error failure if a new per-device mapping is created without specifying the object interface.

Script

Bug ID Description

931088

Unable to delete VDOMs using the FMG script. Interfaces remain in the device database, causing the installation to fail.

VPN Manager

Bug ID Description

784385

If policy changes are made directly on the FortiGates, the subsequent PP import creates faulty dynamic mappings for VPN manager.

Workaround:

It is strongly recommended to create a fresh backup of the FortiManager's configuration prior to the workaround. Run the following command to check and repair the FortiManager's configuration database.

diagnose cdb check policy-packages <adom>

After running this command, FortiManager will remove the invalid mappings of vpnmgr interfaces.

1042701

The traffic view page for the full mesh does not display the FortiGate and the external gateway.
