
Upgrade Requirements


Ticket #

Description

931408

Under Portal > Portal SSL the "Disabled" option is no longer available as of FortiNAC v9.4.5, vF7.2.5 and vF7.4.0. If using this option, install SSL certificates in the Portal target prior to upgrade. See Certificate management in the Administration Guide.

Upgrade Path Requirements

Systems on version 9.1.6 must upgrade to either:

- Higher version of 9.1 (e.g. 9.1.7)

- 9.2.4 or higher

Systems on versions 8.2 or lower must upgrade to 8.3 before upgrading to 8.4 or higher.

Legacy SSH Ciphers

Vulnerable Diffie-Hellman SSH ciphers were removed from versions 9.2.8, 9.4.4, F7.2.3 and greater. Removing these ciphers can cause SSH communication to fail between FortiNAC and network infrastructure devices that still use them. Depending on the device, the resulting behavior can vary from failed L2 and L3 polling to failed VLAN switching. The following events would be generated for the affected device:

  • L2 Poll Failed

  • L3 Poll Failed

  • VLAN Switch Failure

The legacy ciphers must be re-added to FortiNAC via the CLI after upgrade. For details, see KB article https://community.fortinet.com/t5/FortiNAC-F/Troubleshooting-Tip-SSH-communication-fails-after-upgrade-due-to/ta-p/281029
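
A pre-upgrade audit for the legacy-cipher issue above, as an added example that is not Fortinet's code: it parses the key-exchange list from the SSH KEXINIT packet a device sends after its banner and flags devices that offer only legacy Diffie-Hellman methods. The names in LEGACY_KEX are assumptions (the page does not list the removed algorithms), and the device names and packets are constructed.

```python
import struct

# Assumption: the page does not name the removed algorithms. These SHA-1
# Diffie-Hellman methods are stand-ins; take the real list from the KB article.
LEGACY_KEX = {"diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1",
              "diffie-hellman-group-exchange-sha1"}
SSH_MSG_KEXINIT = 20

def parse_kex_algorithms(packet: bytes) -> list:
    """Return kex_algorithms from one SSH binary packet (RFC 4253)."""
    if len(packet) < 5:
        raise ValueError("truncated packet header")
    packet_len, pad_len = struct.unpack(">IB", packet[:5])
    if pad_len >= packet_len or 4 + packet_len > len(packet):
        raise ValueError("inconsistent packet lengths")
    payload = packet[5:4 + packet_len - pad_len]
    # Payload: type byte, 16-byte cookie, then the kex_algorithms name-list.
    if len(payload) < 21 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT packet")
    (n,) = struct.unpack(">I", payload[17:21])
    if 21 + n > len(payload):
        raise ValueError("name-list overruns packet")
    names = payload[21:21 + n].decode("ascii")
    return names.split(",") if names else []

def classify(kex: list) -> str:
    """'at-risk' if every offered method, extension markers aside, is legacy."""
    real = [k for k in kex if not k.startswith(("ext-info-", "kex-strict-"))]
    if not real:
        return "unknown"
    return "at-risk" if all(k in LEGACY_KEX for k in real) else "ok"

def build_kexinit(kex: list) -> bytes:
    """Constructed KEXINIT packet for offline runs; not a device capture."""
    def name_list(items):
        data = ",".join(items).encode("ascii")
        return struct.pack(">I", len(data)) + data
    payload = bytes([SSH_MSG_KEXINIT]) + bytes(16) + name_list(kex)
    payload += name_list(["none"]) * 9 + b"\x00" + bytes(4)
    pad = 8 - (len(payload) + 5) % 8
    pad += 8 if pad < 4 else 0
    return struct.pack(">IB", len(payload) + pad + 1, pad) + payload + bytes(pad)

def audit(packets: dict) -> dict:
    """Map device name -> verdict from each device's first SSH packet."""
    return {name: classify(parse_kex_algorithms(p)) for name, p in packets.items()}

# Constructed sample inventory (hypothetical device names).
SAMPLE = {
    "old-switch": build_kexinit(["diffie-hellman-group1-sha1"]),
    "new-switch": build_kexinit(["curve25519-sha256", "diffie-hellman-group14-sha1"]),
}
```

For real devices, pass audit() the first binary packet each one sends after its SSH banner, for example from a packet capture of an existing management session.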

FortiNAC License Key: Upgrading to this release requires the FortiNAC License. It is possible, however unlikely, that older appliances do not have this specific type of license key installed. In such cases, an error will display during the upgrade. For additional details, see KB article https://community.fortinet.com/t5/FortiNAC/Troubleshooting-Tip-Upgrade-fails-with-license-requirement-error/ta-p/246324

892856

High Availability and FortiNAC Manager Environments: The following are required as of 9.4.3:

  • Key files containing certificates are installed in all FortiNAC servers. License keys with certificates were introduced on January 1st 2020. Appliances registered after January 1st should have certificates. To confirm, log in to the UI of each appliance and review the System Summary Dashboard widget (Certificates = Yes). If there are no certificates, see Importing License Key Certificates in the applicable FortiNAC Manager Guide.

  • Allowed serial numbers: Due to enhancements in communication between FortiNAC servers, a list of allowed FortiNAC appliance serial numbers must be set. This can be configured prior to upgrade to avoid communication interruption. For instructions, see Pre-upgrade Procedures.

885056

All devices managed by FortiNAC must have a unique IP address. This includes FortiSwitches in Link Mode: Managed FortiSwitch interface IP addresses must be unique. Otherwise, they will not be properly managed by FortiNAC and inconsistencies may occur. This is also noted in the FortiSwitch Integration reference manual.

9.2

As of Persistent Agent version 5.3, there is no option to disable secure agent communications. Agents upgraded from previous versions to 5.3 or greater will communicate over TCP 4568 regardless of the "securityEnabled" Persistent Agent setting. Therefore, the following must be done prior to upgrading hosts to agent version 5.3:

  • Ensure valid SSL certificates are installed in the Persistent Agent Certificate Target. For details see section Certificate Management in the Administration Guide.

  • Packet Transport Configurations must have TCP 4568 listed. For instructions see section Transport configurations in the Administration Guide.

9.2

The number of Operating System and Anti-Virus program options in the Scan Configuration has been reduced. Only those currently supported or commonly in use are now listed. For a list of available Operating Systems and Anti-Virus programs, see KB article 198098.

834826

As of FortiNAC versions 9.4.2 & vF7.x, Persistent Agent communication using UDP 4567 is no longer supported.

It is recommended the following be checked prior to upgrade to avoid agent communication disruptions:

  • SSL certificates are installed for the Persistent Agent target

  • Persistent Agents are running a minimum version of 5.3

For additional details see KB article 251359.

https://community.fortinet.com/t5/FortiNAC/Technical-Note-Agent-communication-using-UDP-4567-no-longer/ta-p/251359
