Fortinet black logo

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:


Table of Contents

Special Notices

This section highlights some of the operational changes that administrators should be aware of in 5.6.11.

Recreate Guest List for Guest user group

After upgrading to FortiManager 5.6.7, recreate the guest list for the Guest user group in ADOM Policy Object before installing device settings to FortiGate devices.

FortiAP Manager per-device management option

FortiAP Manager now supports a new per-device AP management option. When this option is enabled, the WiFi settings are managed at each FortiGate device level. The Central WiFi settings of the ADOM are not applied to the per-device managed APs.

Traffic Shaping Policies

Starting from FortiManager 5.6.0, configuration for traffic shaping policies has been moved from individual FortiGate devices (the device database) to the ADOM database Policy Package. For FortiManager units that are upgraded from a previous release, a one-time operation of Importing all traffic shaping policies into the ADOM must performed (a one-time manual or scripted reconfiguration can also be performed). Otherwise, the FortiManager will delete (purge) all existing traffic shaping policies on the FortiGate when installing the original policy package.

WebSocket Implementation

As of version 5.6.0, WebSocket protocol has been implemented to allow for more efficient communication between the FortiManager and the browser. WebSocket protocol uses the standard TCP 80/443 browser ports, and is transparent to the operator. If your browser is using a proxy to access the FortiManager, ensure there are no limitations or restrictions on the using WebSocket.

Virtual Wire Pair Support after Upgrade to 5.6.2 or Later

FortiManager 5.6.2 or later supports Virtual Wire Pair policies. After you upgrade FortiManager, you should import all policies and objects again from FortiGate units that use Virtual Wire Pair policies. Otherwise, a subsequent install may delete all policies on FortiGate units that reference a Virtual Wire Pair.

FortiGate VM 16/32/UL license support

FortiOS 5.4.4 introduces new VM license types to support additional vCPUs. FortiManager 5.6.0 supports these new licenses with the prefixes of FGVM16, FGVM32, and FGVMUL.

Hyper-V FortiManager-VM running on an AMD CPU

A Hyper-V FMG-VM running on a PC with an AMD CPU may experience a kernel panic. Fortinet recommends running VMs on an Intel-based PC.

IPsec connection to FortiOS for logging

FortiManager 5.4.2 and later does not support an IPsec connection with FortiOS 5.0/5.2. However UDP or TCP + reliable are supported.

Instead of IPsec, you can use the FortiOS reliable logging feature to encrypt logs and send them to FortiManager. You can enable the reliable logging feature on FortiOS by using the configure log fortianalyzer setting command. You can also control the encryption method on FortiOS by using the set enc-algorithm default/high/low/disable command.

VM License (VM-10K-UG) Support

FortiManager 5.4.2 introduces a new VM license (VM-10K-UG) that supports 10,000 devices. It is recommended to upgrade to FortiManager 5.4.2 or later before applying the new license to avoid benign GUI issues.

System Configuration or VM License is Lost after Upgrade

When upgrading FortiManager from 5.4.0 or 5.4.1 to 5.4.x or 5.6.0, it is imperative to reboot the unit before installing the 5.4.x or 5.6.0 firmware image. Please see the FortiManager Upgrade Guide for details about upgrading. Otherwise, FortiManager may lose system configuration or VM license after upgrade. There are two options to recover the FortiManager unit:

  1. Reconfigure the system configuration or add VM license via CLI with execute add-vm-license <vm license>.
  2. Restore the 5.4.0 backup and upgrade to 5.4.2.

FortiOS 5.4.0 Support

With the enhancement in password encryption, FortiManager 5.4.2 and later no longer supports FortiOS 5.4.0. Please upgrade FortiGate to 5.4.2 or later.

note icon

The following ADOM versions are not affected: 5.0 and 5.2.

Local in-policy after upgrade

After upgrading to FortiManager 5.4.1 or later, you must import or reconfigure local in-policy entries. Otherwise, the subsequent install of policy packages to FortiGate will purge the local in-policy entries on FortiGate.

ADOM for FortiGate 4.3 Devices

FortiManager 5.4 and later no longer supports FortiGate 4.3 devices. FortiManager cannot manage the devices after the upgrade. To continue managing those devices, please upgrade all FortiGate 4.3 to a supported version, retrieve the latest configuration from the devices, and move the devices to an ADOM database with the corresponding version.

SSLv3 on FortiManager-VM64-AWS

Due to known vulnerabilities in the SSLv3 protocol, FortiManager-VM64-AWS only enables TLSv1 by default. All other models enable both TLSv1 and SSLv3. If you wish to disable SSLv3 support, please run:

config system global

set ssl-protocol t1sv1

end

Port 8443 reserved

Port 8443 is reserved for https-logging from FortiClient EMS for Chromebooks.

Special Notices

This section highlights some of the operational changes that administrators should be aware of in 5.6.11.

Recreate Guest List for Guest user group

After upgrading to FortiManager 5.6.7, recreate the guest list for the Guest user group in ADOM Policy Object before installing device settings to FortiGate devices.

FortiAP Manager per-device management option

FortiAP Manager now supports a new per-device AP management option. When this option is enabled, the WiFi settings are managed at each FortiGate device level. The Central WiFi settings of the ADOM are not applied to the per-device managed APs.

Traffic Shaping Policies

Starting from FortiManager 5.6.0, configuration for traffic shaping policies has been moved from individual FortiGate devices (the device database) to the ADOM database Policy Package. For FortiManager units that are upgraded from a previous release, a one-time operation of Importing all traffic shaping policies into the ADOM must performed (a one-time manual or scripted reconfiguration can also be performed). Otherwise, the FortiManager will delete (purge) all existing traffic shaping policies on the FortiGate when installing the original policy package.

WebSocket Implementation

As of version 5.6.0, WebSocket protocol has been implemented to allow for more efficient communication between the FortiManager and the browser. WebSocket protocol uses the standard TCP 80/443 browser ports, and is transparent to the operator. If your browser is using a proxy to access the FortiManager, ensure there are no limitations or restrictions on the using WebSocket.

Virtual Wire Pair Support after Upgrade to 5.6.2 or Later

FortiManager 5.6.2 or later supports Virtual Wire Pair policies. After you upgrade FortiManager, you should import all policies and objects again from FortiGate units that use Virtual Wire Pair policies. Otherwise, a subsequent install may delete all policies on FortiGate units that reference a Virtual Wire Pair.

FortiGate VM 16/32/UL license support

FortiOS 5.4.4 introduces new VM license types to support additional vCPUs. FortiManager 5.6.0 supports these new licenses with the prefixes of FGVM16, FGVM32, and FGVMUL.

Hyper-V FortiManager-VM running on an AMD CPU

A Hyper-V FMG-VM running on a PC with an AMD CPU may experience a kernel panic. Fortinet recommends running VMs on an Intel-based PC.

IPsec connection to FortiOS for logging

FortiManager 5.4.2 and later does not support an IPsec connection with FortiOS 5.0/5.2. However UDP or TCP + reliable are supported.

Instead of IPsec, you can use the FortiOS reliable logging feature to encrypt logs and send them to FortiManager. You can enable the reliable logging feature on FortiOS by using the configure log fortianalyzer setting command. You can also control the encryption method on FortiOS by using the set enc-algorithm default/high/low/disable command.

VM License (VM-10K-UG) Support

FortiManager 5.4.2 introduces a new VM license (VM-10K-UG) that supports 10,000 devices. It is recommended to upgrade to FortiManager 5.4.2 or later before applying the new license to avoid benign GUI issues.

System Configuration or VM License is Lost after Upgrade

When upgrading FortiManager from 5.4.0 or 5.4.1 to 5.4.x or 5.6.0, it is imperative to reboot the unit before installing the 5.4.x or 5.6.0 firmware image. Please see the FortiManager Upgrade Guide for details about upgrading. Otherwise, FortiManager may lose system configuration or VM license after upgrade. There are two options to recover the FortiManager unit:

  1. Reconfigure the system configuration or add VM license via CLI with execute add-vm-license <vm license>.
  2. Restore the 5.4.0 backup and upgrade to 5.4.2.

FortiOS 5.4.0 Support

With the enhancement in password encryption, FortiManager 5.4.2 and later no longer supports FortiOS 5.4.0. Please upgrade FortiGate to 5.4.2 or later.

note icon

The following ADOM versions are not affected: 5.0 and 5.2.

Local in-policy after upgrade

After upgrading to FortiManager 5.4.1 or later, you must import or reconfigure local in-policy entries. Otherwise, the subsequent install of policy packages to FortiGate will purge the local in-policy entries on FortiGate.

ADOM for FortiGate 4.3 Devices

FortiManager 5.4 and later no longer supports FortiGate 4.3 devices. FortiManager cannot manage the devices after the upgrade. To continue managing those devices, please upgrade all FortiGate 4.3 to a supported version, retrieve the latest configuration from the devices, and move the devices to an ADOM database with the corresponding version.

SSLv3 on FortiManager-VM64-AWS

Due to known vulnerabilities in the SSLv3 protocol, FortiManager-VM64-AWS only enables TLSv1 by default. All other models enable both TLSv1 and SSLv3. If you wish to disable SSLv3 support, please run:

config system global

set ssl-protocol t1sv1

end

Port 8443 reserved

Port 8443 is reserved for https-logging from FortiClient EMS for Chromebooks.