Fortinet Document Library

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:


Table of Contents

Special Notices

This section highlights some of the operational changes that administrators should be aware of in 6.0.5.

Configuration changes to FQDN addresses after upgrade

After upgrading both FortiManager and FortiOS from 6.0.4 to 6.0.5, the configuration changes for some of the default FQDN addresses that have been moved under Wildcard FQDN addresses. To avoid a conflict that causes installation failure, rename the affected addresses, for example, google-play changes to fqdn_google-play after upgrading to 6.0.5.

Workaround:
  1. Retrieve the configuration on the affected FortiGate.
  2. Run a script on the policy package or ADOM database for the affected addresses:

    config firewall address

    rename "swscan.apple.com" to "fqdn_swscan.apple.com"

    rename "update.microsoft.com" to "fqdn_update.microsoft.com"

    rename "google-play" to "fqdn_google-play"

    rename "autoupdate.opera.com" to "fqdn_autoupdate.opera.com"

    end

Managing FortiGate with VDOMs that use Global Profiles

Because of changes made to FortiOS 6.0.0 and later, FortiGate units with VDOMs enabled that are running FortiOS 6.0.0 and later cannot be successfully added to FortiManager without a workaround. Before adding the FortiGate units to FortiManager, perform the following steps to unset default configurations. After the default configurations are unset, you can successfully add the FortiGate units to FortiManager.

  1. On the Fortigate for each VDOM, unset the following default configurations by using the CLI:
    config wireless-controller utm-profile
        edit "wifi-default"
            set comment "Default configuration for offloading WiFi traffic."
        next
        edit "g-wifi-default"
            set comment "Default configuration for offloading WiFi traffic."
            set ips-sensor "g-wifi-default"
            set application-list "g-wifi-default"
            set antivirus-profile "g-wifi-default"
            set webfilter-profile "g-wifi-default"
            set firewall-profile-protocol-options "g-wifi-default"
            set firewall-ssl-ssh-profile "g-wifi-default"
        next
    end
    
    FGVMULCV30310000 (utm-profile) # ed g-wifi-default
    
    FGVMULCV30310000 (g-wifi-default) # unset ips-sensor
    
    FGVMULCV30310000 (g-wifi-default) # unset application-list
    
    FGVMULCV30310000 (g-wifi-default) # unset antivirus-profile
    
    FGVMULCV30310000 (g-wifi-default) # unset webfilter-profile
    
    FGVMULCV30310000 (g-wifi-default) # unset firewall-profile-protocol-options
    
    FGVMULCV30310000 (g-wifi-default) # unset firewall-ssl-ssh-profile
    
    FGVMULCV30310000 (g-wifi-default) # sh
    config wireless-controller utm-profile
        edit "g-wifi-default"
            set comment "Default configuration for offloading WiFi traffic."
        next
    end
    
  2. After the default configurations are unset, you can add the FortiGate unit to FortiManager.

IOC Support on FortiManager

Please note that FortiManager does not support IOC related features even when FortiAnalyzer mode is enabled.

FortiManager 6.0.2 support for FortiOS 6.0.3

FortiManager 6.0.2 treats the status field of firewall policies as a mandatory field, and it is set to enable by default. FortiOS 6.0.3 has reverted this change. As a result, FortiManager may report verification failures on installations. The verification report shows that the policy status field has to be installed with the enable setting:

"---> generating verification report

(vdom root: firewall policy 1:status)

remote original:

to be installed: enable

 

<--- done generating verification report

 

install failed"

Reconfigure SD-WAN after Upgrade

The SD-WAN module has been fully redesigned in FortiManager v6.0 to provide granular monitor and control. Upgrading SD-WAN settings from 5.6 to 6.0 is not supported. Please reconfigure SD-WAN after upgraded to v6.0.

FortiGate VM 16/32/UL license support

FortiOS 5.4.4 introduces new VM license types to support additional vCPUs. FortiManager 5.6.0 supports these new licenses with the prefixes of FGVM16, FGVM32, and FGVMUL.

Hyper-V FortiManager-VM running on an AMD CPU

A Hyper-V FMG-VM running on a PC with an AMD CPU may experience a kernel panic. Fortinet recommends running VMs on an Intel-based PC.

VM License (VM-10K-UG) Support

FortiManager 5.4.2 introduces a new VM license (VM-10K-UG) that supports 10,000 devices. It is recommended to upgrade to FortiManager 5.4.2 or later before applying the new license to avoid benign GUI issues.

Recreate Guest List for Guest user group

After upgrading to FortiManager 6.0.3, recreate the guest list for the Guest user group in ADOM Policy Object before installing device settings to FortiGate devices. For more information, see Bug ID 499568 in Resolved Issues.

FortiOS 5.4.0 Support

With the enhancement in password encryption, FortiManager 5.4.2 and later no longer supports FortiOS 5.4.0. Please upgrade FortiGate to 5.4.2 or later.

note icon

The following ADOM versions are not affected: 5.0 and 5.2.

SSLv3 on FortiManager-VM64-AWS

Due to known vulnerabilities in the SSLv3 protocol, FortiManager-VM64-AWS only enables TLSv1 by default. All other models enable both TLSv1 and SSLv3. If you wish to disable SSLv3 support, please run:

config system global

set ssl-protocol t1sv1

end

Special Notices

This section highlights some of the operational changes that administrators should be aware of in 6.0.5.

Configuration changes to FQDN addresses after upgrade

After upgrading both FortiManager and FortiOS from 6.0.4 to 6.0.5, the configuration changes for some of the default FQDN addresses that have been moved under Wildcard FQDN addresses. To avoid a conflict that causes installation failure, rename the affected addresses, for example, google-play changes to fqdn_google-play after upgrading to 6.0.5.

Workaround:
  1. Retrieve the configuration on the affected FortiGate.
  2. Run a script on the policy package or ADOM database for the affected addresses:

    config firewall address

    rename "swscan.apple.com" to "fqdn_swscan.apple.com"

    rename "update.microsoft.com" to "fqdn_update.microsoft.com"

    rename "google-play" to "fqdn_google-play"

    rename "autoupdate.opera.com" to "fqdn_autoupdate.opera.com"

    end

Managing FortiGate with VDOMs that use Global Profiles

Because of changes made to FortiOS 6.0.0 and later, FortiGate units with VDOMs enabled that are running FortiOS 6.0.0 and later cannot be successfully added to FortiManager without a workaround. Before adding the FortiGate units to FortiManager, perform the following steps to unset default configurations. After the default configurations are unset, you can successfully add the FortiGate units to FortiManager.

  1. On the Fortigate for each VDOM, unset the following default configurations by using the CLI:
    config wireless-controller utm-profile
        edit "wifi-default"
            set comment "Default configuration for offloading WiFi traffic."
        next
        edit "g-wifi-default"
            set comment "Default configuration for offloading WiFi traffic."
            set ips-sensor "g-wifi-default"
            set application-list "g-wifi-default"
            set antivirus-profile "g-wifi-default"
            set webfilter-profile "g-wifi-default"
            set firewall-profile-protocol-options "g-wifi-default"
            set firewall-ssl-ssh-profile "g-wifi-default"
        next
    end
    
    FGVMULCV30310000 (utm-profile) # ed g-wifi-default
    
    FGVMULCV30310000 (g-wifi-default) # unset ips-sensor
    
    FGVMULCV30310000 (g-wifi-default) # unset application-list
    
    FGVMULCV30310000 (g-wifi-default) # unset antivirus-profile
    
    FGVMULCV30310000 (g-wifi-default) # unset webfilter-profile
    
    FGVMULCV30310000 (g-wifi-default) # unset firewall-profile-protocol-options
    
    FGVMULCV30310000 (g-wifi-default) # unset firewall-ssl-ssh-profile
    
    FGVMULCV30310000 (g-wifi-default) # sh
    config wireless-controller utm-profile
        edit "g-wifi-default"
            set comment "Default configuration for offloading WiFi traffic."
        next
    end
    
  2. After the default configurations are unset, you can add the FortiGate unit to FortiManager.

IOC Support on FortiManager

Please note that FortiManager does not support IOC related features even when FortiAnalyzer mode is enabled.

FortiManager 6.0.2 support for FortiOS 6.0.3

FortiManager 6.0.2 treats the status field of firewall policies as a mandatory field, and it is set to enable by default. FortiOS 6.0.3 has reverted this change. As a result, FortiManager may report verification failures on installations. The verification report shows that the policy status field has to be installed with the enable setting:

"---> generating verification report

(vdom root: firewall policy 1:status)

remote original:

to be installed: enable

 

<--- done generating verification report

 

install failed"

Reconfigure SD-WAN after Upgrade

The SD-WAN module has been fully redesigned in FortiManager v6.0 to provide granular monitor and control. Upgrading SD-WAN settings from 5.6 to 6.0 is not supported. Please reconfigure SD-WAN after upgraded to v6.0.

FortiGate VM 16/32/UL license support

FortiOS 5.4.4 introduces new VM license types to support additional vCPUs. FortiManager 5.6.0 supports these new licenses with the prefixes of FGVM16, FGVM32, and FGVMUL.

Hyper-V FortiManager-VM running on an AMD CPU

A Hyper-V FMG-VM running on a PC with an AMD CPU may experience a kernel panic. Fortinet recommends running VMs on an Intel-based PC.

VM License (VM-10K-UG) Support

FortiManager 5.4.2 introduces a new VM license (VM-10K-UG) that supports 10,000 devices. It is recommended to upgrade to FortiManager 5.4.2 or later before applying the new license to avoid benign GUI issues.

Recreate Guest List for Guest user group

After upgrading to FortiManager 6.0.3, recreate the guest list for the Guest user group in ADOM Policy Object before installing device settings to FortiGate devices. For more information, see Bug ID 499568 in Resolved Issues.

FortiOS 5.4.0 Support

With the enhancement in password encryption, FortiManager 5.4.2 and later no longer supports FortiOS 5.4.0. Please upgrade FortiGate to 5.4.2 or later.

note icon

The following ADOM versions are not affected: 5.0 and 5.2.

SSLv3 on FortiManager-VM64-AWS

Due to known vulnerabilities in the SSLv3 protocol, FortiManager-VM64-AWS only enables TLSv1 by default. All other models enable both TLSv1 and SSLv3. If you wish to disable SSLv3 support, please run:

config system global

set ssl-protocol t1sv1

end