
Known issues


Known issues are organized into the following categories:

To inquire about a particular bug or to report a bug, please contact Fortinet Customer Service & Support.

New known issues

No new issues have been identified in version 7.6.1.

Existing known issues

The following issues have been identified in a previous version of FortiManager and remain in FortiManager 7.6.1.

AP Manager

Bug ID

Description

955558

FortiManager unsets the Protected Management Frame (PMF) setting when the SSID security mode is configured to OWE-enabled in the AP Manager.

1040365

FortiManager is generating false vulnerability reports for certain FortiAPs:

  • U431F

  • U231F

1050466

The 802.11ax-5g AP profile is missing for all FortiAPs that support WiFi 6. This issue has been observed in FortiManager 7.6.0 and ADOM 7.6.

1060238

FortiManager is attempting to unset the FortiAP's name.

1076200

Policy install fails because FortiManager installs unexpected changes related to "<wifi_intf> address".

Workaround:

Create a CLI template with all subnet addresses and assign it to the device.

Device Manager

Bug ID

Description

796842

Failed to reload the configuration due to the "datasrc invalid" error message.

952422

IPsec templates created by SDWAN Overlay do not create tunnels for all the underlay interfaces.

963025

When using the static route template, the "SD-WAN Zone" does not appear under the Interface column.

1003899

FortiManager generates a VPN certificate that is not accepted by the FIPS-enabled FortiGate devices.

1020257

Packet Capture feature for managed FortiGates does not work; it starts but immediately stops.

1034355

When assigning a provisioning template with Admin Settings configuration, FortiManager changes the hostname of the device.

1050126

Setting up a FortiGate-HA with ZTP fails because the FortiLink is not deleted during the "HA config pushed to FGT" process.

1053194

If the "system interface speed" attribute is changed from the FortiManager, it may potentially cause an installation failure. Modifying the "system interface speed" is not currently supported on the FortiManager and must be done on the FortiGate side.

1063635

FortiManager does not support the "FortiWiFi-80F-2R-3G4G-DSL".

1063835

FortiManager ZTP installation to FortiGate versions 7.2.8 and lower may fail due to differing default "ssh-kex-algo" settings between FortiManager and FortiGate.

1063850

FortiManager is attempting to install a "PRIVATE KEY" with every installation, even after retrieving the config.

1070943

Unable to upgrade the devices using the Device Group Upgrade Firmware feature.

Workaround:

Upgrade devices individually by using the "Device Firmware Upgrade" feature, or Create New Firmware Template for single devices or device groups and use the "Assign to Devices/Groups" feature.

1074717

An error might be observed when the SD-WAN template health check name contains a space, displaying the following message: "Bad health check name...".

1075052

Occasionally, installations may fail on FortiGates in HA mode due to a "Serial number does NOT match" error. This can happen if the HA device's serial number on FortiManager does not immediately update after a failover.

1075281

Unable to add FortiAnalyzer to FortiManager when "fgfm-peercert-withoutsn" is enabled.

Workaround:

Set the "fgfm-peercert-withoutsn" to disable and then add FortiAnalyzer to FortiManager.

1075747

SD-WAN Monitor does not display the members under the SD-WAN Rules (Map View or Table View). This issue is most likely to occur when "priority-zone" is configured.

1081105

The "system interface speed" attribute is incorrectly configured on the FortiManager, which may cause the installation to the FortiGate to fail.

Workaround:

Change the interface speed using a CLI script and run it directly on the FortiGate using the syntax "set speed auto".

1091441

Managed FortiAnalyzer is not available in the dropdown menu in System Template in Log Settings.

FortiSwitch Manager

Bug ID

Description

1040428

FortiSwitch diagnostics tools do not display the cable test diagnose results, device information on Ports, and update Registration status.

1053220

Unable to delete FortiSwitches when central management is enabled for FortiSwitch.

Workaround:

Remove the FortiSwitch on FortiGate and retrieve on the FortiManager.

1060242

Unable to change the FortiSwitch name from the FortiSwitch Manager.

1075021

Users with the "admin profile" rights cannot access the FortiSwitch Manager.

Others

Bug ID

Description

998198

When upgrading ADOM, the upgrade process fails with the following error: "invalid value - can not find import template 'XYZ'".

Workaround:

Locate the scripts, delete them, upgrade the ADOM and then import the scripts.

1003711

During the FortiGate HA upgrade, both the primary and secondary FortiGates may reboot simultaneously, which can disrupt the network. This issue is more likely to occur in FortiGates that require disk checks, leading to longer boot times.

Workaround:

Disable the disk check on fmupdate before the upgrade using the following command:

config fmupdate fwm-setting

set check-fgt-disk disable

end

1015890

Unable to upgrade ADOM from v6.4 to v7.0 due to "switch-controller traffic-policy" error.

1053830

MEAs cannot be enabled from FortiManager's GUI.

Workaround:

Use the following CLI command to enable them (in this example, universalconnector):

config system docker

set status enable

set universalconnector enable

end

1055417

Unable to upgrade the firmware version of the FortiGates in HA cluster by using the firmware template when HA is in-sync status. The failure to upgrade FortiGate HA cluster firmware is caused by a crash in "dmserver" daemon.

1058185

FortiProxy policies are not imported if the policies have either internet service or IPv6 used in the source or destination.

1058585

When enabling Fabric Management, the "csfd" process might not start immediately.

Workaround:

Reboot the Supervisor or Member FortiManagers to initiate the "csfd" process.

1060337

The log insertion might be interrupted if FortiManager is upgraded directly from version 7.4.0/7.4.1 to 7.6.0/7.6.1. This will only occur if FortiAnalyzer Features are enabled on FortiManager.

Workaround:

To avoid this issue, upgrade the FortiManager to 7.4.2/7.4.3 first and then to 7.6.0/7.6.1.

For more details see Special Notices.

1062128

After upgrading to the latest available build, the FortiManager GUI displays the warning message: "A new firmware version is available".

1066132

When enabling the FortiAnalyzer features on FortiManager, a server error message might appear under "FortiView > System > Resource Usage".

1071064

Unable to upgrade the ADOMs.

1254367

FortiManager instances deployed on Azure may lose all data—including configuration, logs, and reports—if the VM is deallocated and subsequently reallocated.

This may occur during Azure-level operations such as VM stop (deallocate) or SKU/size changes. Please refer to the Special Notices for more information.

Policy & Objects

Bug ID

Description

843716

FortiManager tries to unset url-map for TCP forwarding ZTNA virtual server.

963536

The policy package feature "Export to Excel" is not functioning.

969923

The "View Mode" button, which is used to check the interface in Pair View, is missing in the Firewall Policy under Policy Packages.

971610

FortiManager is not able to import the Central SNAT, DNAT, DOS, local-in, and traffic shaping policies.

991720

FortiManager still has an option to enable the "match-vip" through the policy package for "allow" policies. However, this is not supported anymore on the FortiGates.

Workaround:

Disable the option under advanced options in the Firewall Rule.

1004056

The installation may encounter an error related to Syntax support for the "ssh-enc-algo" command.

Workaround:

Please try manually retrieving the configurations.

1005161

The policy package status changes for all devices even when an address object is opened and saved without any modifications. This issue is particularly observed in objects utilizing the per-device mapping feature.

1013948

After upgrading to FortiManager versions 7.2.5 or 7.4.3, the installation preview may hang. However, the installation process itself can be completed successfully.

1014035

Video filter profile config is not getting pushed completely from FortiManager to FortiGate.

1025012

Configuring the SSL/SSH inspection profile may result in the following error: "The server certificate replacement mode cannot support category exemptions."

Workaround:

  1. Modify the SSL/SSH inspection profiles.

  2. Toggle from Protecting SSL Server to Multiple Clients Connecting to multiple Servers.

  3. Remove the categories from the Exempt from SSL inspection list.

  4. Toggle back to Protecting SSL Server and click OK.

  5. Install.

1029787

The Firewall Policy pane in the FortiManager GUI may occasionally display both "Standard Security Profiles" (SSL no-inspection and protocol default profiles) and "Security Profile Groups" simultaneously.

1029921

Under the "Web Application Firewall" security profiles, users are unable to disable the signatures through the GUI.

1039766

The Firewall Policy Lookup feature does not display the list of source interfaces for FortiGates.

1040160

When installing policy to a FortiGate that uses FortiSandbox inline scanning on an AV profile, FortiManager unsets the configuration on install.

1055795

During device import via multiple CSV files at the same time, some devices were imported successfully, while others encountered errors and had missing metadata variables. Additionally, FortiManager forced the admin to log out. When attempting to log back in, the following error message appeared: "ADOM not found".

1066617

Unable to create the IP address object type wildcard; the following error message is displayed: "Invalid IP netmask".

Workaround:

Create a CLI script and run it on the ADOM DB, or use Metadata variables.

1066638

In 7.4 ADOM, installation to 7.6 FortiGates may unset firewall service tcp-portrange (if a firewall policy references a firewall service).

1068736

Best Quality SDWAN rules installation may fail with the following error message: "Commit failed: Bad health check name".

1070800

FortiManager is attempting to install the "cli-cmd-audit" command on a FortiGate running version 7.2.8, which does not support this command, leading to an installation error.

1072354

FortiManager may attempt to install "ssl-ssh-profile" settings to "quic" objects. However, this syntax might not be supported on smaller FortiGate hardware platforms, particularly those with 2GB of RAM, such as the 60F/61F models.

1079128

ZTNA Server Per-Device Mapping may display a copy error failure if a new per-device mapping is created without specifying the object interface.

1079678

FortiManager does not provide any warning when there is a "deny all" policy in the middle of a Policy Package. This can still be seen on the "task monitor".

1086603

Unable to create local-in policy with ISDB objects.

Script

Bug ID

Description

931088

Unable to delete VDOMs using the FortiManager script. Interfaces remain in the device database, causing the installation to fail.

System Settings

Bug ID

Description

1005098

Verification of the LDAP Server through the LDAP Browser may display an "Operation Error" message.

Workaround:

If an "Operation Error" occurs during LDAP Server Browser verification, re-enter the password and attempt the verification process again.

1027547

In certain cases (currently under investigation), the License Status on FortiManager may be incorrectly displayed as "Expired" despite the license being active in the account.

Workaround:

Restart the FortiManager when feasible.

1040377

Despite unchecking the backup strategy option and receiving the "Setup Complete" message, the "Setup Wizard" continues to display during future logins on the Secondary members.

1047252

An incorrect warning message is displayed in the FortiManager GUI during upgrade from a Feature build to a Mature build.

1060943

FGFM Tunnel does not automatically come back online after disabling the "Offline Mode".

Workaround:

Reboot the FortiManager after disabling the offline mode.

1063040

Unable to import a local certificate into FortiManager. This issue may occur if the certificate is encrypted with a newer OpenSSL version that FortiManager does not yet support.

Workaround:

Convert the latest certificate to the legacy format before uploading it to FortiManager.
