
Known Issues

Ticket # Description

780312 FortiNAC does not integrate with Azure Active Directory due to SAML connection requirements.
641036 Multi-factor authentication (MFA) for the Administration GUI login is currently not supported.

686910, 714219 Control Manager (NCM) communication issues when the NAC systems are connected through the WAN. For details see related KB article https://community.fortinet.com/t5/FortiNAC/Technical-Note-NCM-communication-issues-with-systems-across-WAN/ta-p/192434.
792968 Legacy View for Users & Hosts > Hosts does not display items in tables. Workaround: Enter “*” (asterisk) in search field.
752538 When in the Users & Hosts > Applications view, selecting an application and clicking the Show Hosts option displays a page that does not provide accurately filtered results. Workaround: Navigate Users & Hosts > Hosts and create a custom filter to list hosts associated to an application.
770091 Port changes/VLAN assignments made using Local RADIUS are not being logged as port changes.
754346 Selecting Port Changes under the Ports tab of a specific device in Network > Inventory does not display expected results. For details and workaround, see KB article https://community.fortinet.com/t5/FortiNAC/Technical-Tip-Default-filter-for-Port-Changes-does-not-populate/ta-p/209297.
791442 Able to delete a Portal Configuration which is in use by a Portal Policy. Removal is done without warning the user.
710416 There can be a delay in updating IP addresses for isolated hosts in host and adapter view.
708936 FortiNAC will log off SSO for sessions that remain connected to a managed FortiGate IPSec VPN tunnel after 12 hours.
708720 Policy evaluation may not be triggered after a host status update in Microsoft InTune. This can prevent the host from being moved to the proper network. For details and workaround see related KB article https://community.fortinet.com/t5/FortiNAC/Technical-Tip-Policy-evaluation-not-triggered-after-Microsoft/ta-p/203843.
694407 Linux hosts running CrowdStrike Falcon sensor 6.11 and later are not being detected by the agent. This causes hosts running CrowdStrike Falcon to incorrectly fail scans. For details and workaround, see related KB article https://community.fortinet.com/t5/FortiNAC/Troubleshooting-Tip-Linux-hosts-running-CrowdStrike-Falcon/ta-p/202694.
682438 'Page Unresponsive' error when exporting hosts. For details and workaround see related KB article https://community.fortinet.com/t5/FortiNAC/Technical-Note-Page-Unresponsive-error-when-exporting-hosts/ta-p/193878.
677628 Cisco WLC Port Channel not classified as Learned Uplink. For details and workaround see related KB article https://community.fortinet.com/t5/FortiNAC/Technical-Note-Cisco-WLC-Port-Channel-not-classified-as-Learned/ta-p/196208.
675180 False positive Scan Results when there are no sub-settings selected in Operating System check.
674438 "Processes" Scan Type option is not available when creating custom scans for macOS systems.
646580 Restarting FortiNAC services can generate a large number of SSH sessions with ASA. For details, refer to related KB article https://community.fortinet.com/t5/FortiNAC/Technical-Note-Restarting-services-can-generate-large-number-of/ta-p/195876.
631115 Only 50000 records display in Adapter and Host Views. Example: Adapters - Displayed: 50000 Total: 57500
610581 L3 eth1 sub-interfaces are not removed after re-configuring an appliance configured for L3 Network Type to L2.
609976 Cisco WLC 9800 Model Configuration tab does not include the drop down VLAN lists under Access Value. For details and workaround see related KB article https://community.fortinet.com/t5/FortiNAC/Technical-Note-Cisco-WLC-9800-Model-Configuration-tab-does-not/ta-p/198790.
609046 A port where the master Aruba Instant AP (IAP) with VIP is connected becomes a “learned uplink”. This type of uplink is not dynamically undone / removed when the IAP (with the VIP) is disconnected from that port.
522468 Although there are fields to set the role or access value in the Authentication portal, these functions are currently not supported.

762704 After clicking the 'restart services' button when applying SSL certificates to the Admin UI Certificate Target, the prompt does not clear and there is no confirmation dialogue (even though it was successful). Clicking the 'restart services' button again generates an error.
789970 FortiNAC sends SSO login msg to only one slot on the 7000E FortiGate chassis.
768717 FortiNAC not consistently sending SSO logon messages to FortiGate.
784642 Norton Antivirus Plus (Norton 360) installed from app store not detected in endpoint compliance scan.
808523 Delete User: Admin User without Admin User Permissions is able to delete another Admin User.
804519 Network Events and other Views - Filtering based on content entered in the filter field does not produce results. Workaround: Leave filter field blank and select an object in the drop-down instead.
804913 Logical Network Host Access total count slide out shows all hosts for the logical network.
803692 RADIUS GroupName – non-alphanumeric characters in group names do not get created in UI correctly.

710583 L2 Polling Mist APs can result in more API requests than Mist allows per hour.
761745 Mist AP - Port Connection State NOT WAP Uplink.
767548 Register Game system with Host Inventory success page is not working.
773088 No VLAN Information for Adtran NetVanta 1638.
774048 L2 HA + VIP Pairing Process Failing. Configuration completes but leaves both appliances in a "processes down" state. Workaround: Reboot appliances.
775679 Host records manually disabled via their user record are re-enabled after a directory sync.
776077 Local Radius to Winbind connection cannot be secured at this time.
783304 DHCP responds with unexpected addresses in the DHCP-Server-Identifier attribute. This causes release/renew to fail. Affects appliances configured for separate isolation networks (Registration, Remediation, DeadEnd, etc).
784543 403 error is displayed when sending an email from Guests and Contractors view. Affects FortiNAC admins with limited permissions. Workaround: Enable portal policy permissions in the admin profile.
793634 MDM Server Last Polled and Last Successful Poll information removed in 9.x.
795932 FortiNAC does not track the currently active LDAP server. This can cause Local RADIUS authentication to fail when the primary LDAP server is unreachable.
800255 Device Profiling IP Range Method does not include .255 when using wildcards.
806106 Juniper Change of Authorization (CoA) fails.
806936 Importing Mist devices using the CLI deviceimport tool does not add the APs to the proper groups.

811404, 807309 Admin UI showing error "You do not have permission to access this page". Workaround: Restart tomcat-admin service.
808088 Alarms stop generating notifications. Affects environments with notifications configured for high frequency alarms.
810209 Not all SSIDs are read from Aruba controllers.
810574 "Unable to scan" message when using Dissolvable agent if scan configuration label contains non US-ASCII characters.
811479 Upon failover or resuming control in a High Availability environment, the Local RADIUS service does not start on the appliance in control. Workaround: On appliance in control, either manually start the radiusd service or reboot.
811783 Links in the Persistent Agent Summary panel produce redundant results.
812581 "Duplicate user id" messages in master logs during RADIUS authentication when userID does not match the name in the email address associated with the user record. Affects Local RADIUS implementations.
812674 CoA is not being sent to Huawei wireless after host has registered.
812908 /var/log/messages not rotating. This generates large files and causes high disk utilization issues.
812930 No FSSO Tags sent to FortiGate after 9.4 FortiNAC upgrade in configurations where "Send Groups to Firewall" is not selected in Model configuration. Workaround: Select "Send Groups to Firewall" and save.
813564 FortiNAC fails to find API port from standalone Mode FSW running 7.2.
813652 Security Alarms are not generating from Security Events.
814183 Unable to view all Certificate Details in the Certificate Management view.
814493 Restarting Admin GUI may result in loss of access to GUI. Workaround: In CLI, run command "adminguitool restart".
814631 %port% variable is reading port id rather than port number. Affects FlexCLI configurations.
815352 Logical network configuration mappings can return the wrong value when host is connected via more than one interface.
816451 When importing DHCP Scopes with spaces in the names, the Configuration Wizard Summary displays blank scope data.
816871 Secondary server fails to complete OS updates in High Availability environment.
816877 Profiled device icon does not match the icon assigned by Device Profiling Rule.
817022 FortiNAC does not update Rogue record's Host Name from DHCP fingerprints.
817040 FortiNAC Manager fails to connect to pods configured for L2 High Availability with a virtual IP. Manager is querying eth0 IP instead of Virtual IP.
817845 L2 polling can become backlogged in environments where there are a number of hosts with Registered to userid of "NULL".
818504 Linux Persistent Agent fails to install using the .deb package.
765172 Configuration Wizard does not check whether user input subnet masks are valid.
817563 Networks Events view may not load if there are too many unique ports.
820160 Roles view is not available with a Base License.
820375 Meraki devices incorrectly managed with generic RADIUS plugin causing integration issues.
821244 Hosts fail to match Device Profiling rule configured with the FortiGuard Method because the confidence score is negative.
824088 Unable to update existing Registered Host records using Legacy View > Hosts > Import.
825436 IP addresses appended to network device names during discovery are truncated resulting in duplicate device and port names.
825920 RADIUS CoA fails when the RADIUS request source IP address is the Access Point rather than the Ruckus SZ Controller.
791751 Host Import - importing same file twice results in "null" error and exception in logs.
816828 Appliances with subscription licenses are unable to retrieve entitlements. FortiNAC displays the base license.
821399 FortiGuard IoT Device Profiler method can result in an error "Request unsuccessful with no errors reported".
826155 24-bit OUIs are not added to the Vendor OUIs list for IEEE MA-M and MA-S blocks.
826653 FortiNAC supplied Dynamic Addresses on the FortiGate can become orphaned in FortiNAC High Availability environments. This can cause unintended network access.
826913 Creating a Network Device Role using Direct Configurations reverts to Logical Networks.
827283 Roaming Guest Logical Network missing from FortiGate Model Configuration.
827870 When a FortiGate device model's IP address is changed in the Inventory view, add/delete/move syslog messages from the new IP address are discarded until FortiNAC services are restarted.
828128 Unable to add Allowed Domains containing underscore symbols.
828242 Layer 3 polling Ruckus ICX7450 switches running 8.0.95g and later may result in fewer ARP entries than expected.
828500 Attempting to modify the Allowed Domains list may result in an error "Unable to write file: /bsc/campusMgr/bin/nactmp.zones.common (Permission Denied)".
828912 MaaS360 MDM poll fails.
829019 Manager's (NCM) Resume Control button on the Dashboard in a High Availability environment does not restore control to the primary Manager.
829702 FortiGate wireless clients cannot connect after a FortiNAC software upgrade if the FortiGate device model's RADIUS secret is not populated. This is true even though the VDOM RADIUS secret is populated.
830159 Unable to add new Roles from the Policy & Objects > Roles view without additionally defining a group.
  Not all models of all network devices can be configured to perform Physical MAC Address Filtering even though the Admin UI indicates that the configuration can be set. Resolution: Hosts can be disabled by implementing a Dead-end VLAN.
  For Portal v2 configurations, web pages that are stored in the site directory to be used for Scan Configurations will not be included when you do an Export of the Portal v2 configuration. Resolution: The files in the site directory are backed up with the Remote Backup feature, but otherwise keep a copy of these files in a safe place.
  Removing a device from the L2 Wired Devices or L2 Wireless Devices Group does not disable L2 (Hosts) Polling under the Polling tab in Topology.
  The "Set all hosts 'Risk State' to 'Safe'" button changes the status of all hosts marked At-Risk to Safe. However, the status of the individual scans for each host remains unchanged.
  In a Layer 3 High Availability (HA) environment, configWizard must have a DHCP scope defined. Running configWizard without a DHCP scope can cause a failover.
  On FortiNAC appliances with CentOS 7, duplicate log messages may appear in dhcpd.log for each sub interface (eth1, eth1:1, eth1:2, etc).
  System > Settings > Updates > Operating System will only record and display dates of OS updates that are completed through the Administrative UI. If Operating System updates are run via command line using the "yum" tool, the update is not recorded. Resolution: Execute Operating System Updates through the Administrative UI in order to maintain update history.
  Only English versions of AV/AS and their corresponding definitions are supported.
  Anti-Virus product Iolo technologies System Mechanic Professional is currently not supported.
  Sophos UTM is currently not supported.
