Feature Specific Considerations


Version

Description

8.x/9.x

Upgrade path requirements:

  • Systems on version 9.1.6 must upgrade to either:

    • Higher version of 9.1 (e.g. 9.1.7)
    • 9.2.4 or higher
  • Systems on versions 8.2 or lower must upgrade to 8.3 before upgrading to 8.4 or higher.
  • Systems on version 7 must upgrade to 8.0 before upgrading to 8.1 or higher.

8.x

Upgrading NAC from pre-8 versions to 8.x could break communication with agents running version 3.0 through 3.2. Hosts that have security disabled are not affected.

In newer agent versions 3.3 and greater, the communication protocol was changed from SSLv3 to TLS to address the POODLE vulnerability (CVE-2014-3566). As of Network Sentry 8.0.0, SSLv3 has been disabled completely.

For details and workaround for the above, see KB article 194426.

8.3.x

For new installs and upgrades from versions older than 8.2, the "Default UDP" Persistent Agent Transport Configuration (UDP 4567) will initially be disabled. Agent versions 3.x and 4.x use both TCP 4568 and UDP 4567 to communicate.

For details and workaround for the above, see KB article 196082.

8.5.x and higher

  • Requires CentOS 7.4 or higher. The currently installed CentOS version is listed as "Distribution" in the CLI login banner, or can be displayed by typing "sysinfo".

    Example:

    > sysinfo
    **************************************************
    Recognized platform: Linux
    Distribution: CentOS Linux release 7.6.1810 (Core)

    If the CentOS version is below 7.4, run OS updates and reboot before upgrading. For instructions, refer to the CentOS Updates reference manual.

  • A Network Access Policy is required for the user-id to be sent to the firewall for Palo Alto SSO and FortiGate RSSO integrations. For details, refer to KB article 194071.
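The following pre-upgrade check is an added example, not part of the FortiNAC documentation or product: it parses the "Distribution:" line that sysinfo prints (the same string CentOS stores in /etc/centos-release) and confirms it meets the 7.4 minimum required for 8.5.x. Function names, the /etc/centos-release fallback and the sample banners are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not FortiNAC's own tooling): verify the CentOS release
# meets the minimum required before running a FortiNAC upgrade.

# Extract "major.minor" from a banner such as
# "CentOS Linux release 7.6.1810 (Core)"; prints "7.6", nothing on no match.
centos_release_of() {
    printf '%s\n' "$1" |
        sed -n 's/.*release \([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1.\2/p'
}

# Return 0 if banner "$1" is at least version "$2" (major.minor),
# 1 if it is older, 2 if the banner cannot be parsed.
centos_meets_minimum() {
    rel=$(centos_release_of "$1")
    if [ -z "$rel" ]; then return 2; fi
    have_major=${rel%%.*}; have_minor=${rel#*.}
    want_major=${2%%.*};   want_minor=${2#*.}
    if [ "$have_major" -gt "$want_major" ]; then return 0; fi
    if [ "$have_major" -eq "$want_major" ] && \
       [ "$have_minor" -ge "$want_minor" ]; then return 0; fi
    return 1
}

# Live banner: /etc/centos-release carries the string sysinfo shows as
# "Distribution:" (assumed path; adjust if your appliance differs).
current_distribution() {
    if [ -r /etc/centos-release ]; then cat /etc/centos-release; else echo unknown; fi
}

# Usage: check_upgrade_prereq [minimum]   (default minimum is 7.4)
check_upgrade_prereq() {
    min=${1:-7.4}
    dist=$(current_distribution)
    if centos_meets_minimum "$dist" "$min"; then
        echo "OK: '$dist' satisfies CentOS >= $min"
    else
        echo "BLOCKED: '$dist' is below CentOS $min; run OS updates and reboot first" >&2
        return 1
    fi
}
```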

8.8.x

  • Requires access to downloads.bradfordnetworks.com from each appliance or virtual machine. The update automatically installs CentOS files for the new Local Radius Server feature on the Control Server(s). If access is blocked, the software upgrade will fail. The default transfer protocol can be changed from FTP to either HTTPS or HTTP. For instructions, refer to the Appendix of the CentOS Updates reference manual.
  • When upgrading from a pre-8.8 version to 8.8.0 or 8.8.1, the upgrade may hang if the appliance does not have external FTP access. For details see KB article 196282.

Note: As of 8.8.2, the default protocol was changed to HTTP.

Customers that currently do not have a README and want to upgrade themselves should do the following:

  1. Modify the firewall to allow FTP access from the eth0 IP address of each appliance until the upgrade is completed.
  2. Once the upgrade is completed, modify the repo files to use the desired protocol for future OS updates. For instructions, see the section Change Transfer Protocol to HTTP/HTTPS in the CentOS Updates document in the Fortinet Document Library.

Customers that currently have a README, do not want to upgrade themselves, or cannot make the temporary firewall change should contact Support to schedule the upgrade.

8.8.3

  • Important: Customers with 10.x XenMobile integrations must ensure XenMobile is running 10.10 or higher before upgrading FortiNAC. As of this version, FortiNAC no longer supports earlier 10.x XenMobile versions due to changes in API schema. This change does not affect 9.x versions of XenMobile.

8.8.5

  • Functionality to register hosts using SNMP traps (LogOn Script) is disabled. After upgrading to 8.8.5 or later from a pre-8.8.5 version, re-enable the functionality. Contact Support for assistance. See KB article 197946.

9.2

As of Persistent Agent version 5.3, there is no option to disable secure agent communications. Agents upgraded from previous versions to 5.3 or greater will communicate over TCP 4568 regardless of the "securityEnabled" Persistent Agent setting. Therefore, the following must be done prior to upgrading hosts to agent version 5.3:

  • Ensure valid SSL certificates are installed in the Persistent Agent Certificate Target. For details see section Certificate Management in the Administration Guide.

  • Packet Transport Configurations must have TCP 4568 listed. For instructions see section Transport configurations in the Administration Guide.

9.2

The number of Operating System and Anti-Virus program options in the Scan Configuration have been reduced. Only those currently supported or commonly in use are now listed. For a list of available Operating Systems and Anti-Virus programs, see KB article 198098.

9.2.7

SSH keyboard-interactive is disabled by default starting with versions 9.2.7, 9.4.2 and F7.2. This may affect FortiNAC's CLI access to a limited number of devices (like Arista switches). For details and workaround see KB article 244979.

https://community.fortinet.com/t5/FortiNAC/Troubleshooting-Tip-SSH-login-fails-due-to-SSH-keyboard/ta-p/244979

Versions 9.4, 7.2 and greater

See Upgrade Requirements in the appropriate release notes for additional considerations.
