
Resolved Issues

The following issues have been fixed in 6.2.0. For inquiries about a particular bug, please contact Customer Service & Support.

Bug ID Description

356454 The Central SSL-VPN or SSL-VPN query unexpectedly shows users from all VDOMs that are managed in another ADOM.
411314 The diagnose cdb check adom-integrity command cannot recover ADOM with address name that has a leading or trailing space.
417358 Search result is lost after editing an object.
434611 Policy check should detect policies with "none" objects and report them as a specific category under Policy Consistency Check.

436774 FortiManager is missing permission settings when managing FortiAnalyzer.
443240 HA-status changes to standalone from ELBC cluster when making changes to FortiGuard server setting directly on FortiGate.

474245 The "set disk-usage log" command should not be installed for devices with log disk.
478257 VPN Manager should filter out invalid interfaces for the default VPN interface.
486445 Scheduled TCL scripts fail when executed against a single device, multiple devices, or a Device Group.
489373 Passwords should allow special characters on certificate templates in FortiManager.

489817 exec device replace fails when the target serial number already exists in database as an unregistered device.
492088 FortiManager attempts to change Chassis ID on FortiGate 7000 series when installing configuration.

496827 Unable to delete the LDAP server, if the user group is deleted before removing the LDAP members.
497179 The Monitor in the VPN Manager does not respect the units when sorting by incoming or outgoing data.

498107 When an address is a member of a dynamic address group, its Where Used results do not say which dynamic group it belongs to.

500069 DOS Policy Anomaly configuration settings are missing the Quarantine, Quarantine-Expiry, and Quarantine-Log options.
500410 FortiManager GUI should allow configuring Phase 2 Selector Local and Destination addresses with an IPv6 type with subnet, range, IP, or name.

500697 Application signature list is either empty or displayed as undefined.

500991 There should be a clear error message on why the policy package install failed after reclaimed tunnel.
501202 AP Manager Wi-Fi profiles missing LAN ports configuration settings on FortiManager GUI.

503722 FortiSwitch Manager and AP Manager report switches and APs connected to FortiGates as online when the devices are no longer powered on.

503915 Users may not be able to change device password via JSON APIs.
504302 The IPv4 Split include option for IPSec should be available under the Range assignment mode.

504962 When creating new vdom-link from the global interface menu, all the VDOMs should be visible in the management VDOM.

506163 Device Manager GUI no longer displays interface zone members following upgrade.
506697 Under HA's port monitor, we should be able to see all port-monitored interfaces, such as aggregated, loop-back, or VLAN interface.
507044 FortiManager always overrides the device-level configured parameters to DPD default values, making it impossible to tune DPD settings when using VPN Manager.
507107 FortiManager should not unset the switch-controller-igmp-snooping and switch-controller-dhcp-snooping settings.

508340 With the ADOM option Perform Policy Check Before Every Install enabled and no changes to install, an install will fail with the Validation Failed message.

510665 After an interface is created, the configuration status is not updated.
511256 Policy Package status should show as modified after making changes in web filter profile.
511580 After upgrade, install may fail on web filtering profile.
511826 FortiManager should remove the mandatory requirement of having a hub-to-hub interface when two hubs are defined in a VPN community using VPN Manager.
512046 When workspace is enabled, IPv6 session based counters are synchronized with FortiGate.
513675 Policy push should not be allowed if another user has the device locked.
513763 User should be allowed to change country code in existing or cloned AP profile settings.
513799 FortiManager should only display detected rogue APs that are online.
515541 FortiManager is not updating the password of FortiGates under managed FortiAnalyzer.
516158 FortiManager should not add domain-filter syntax during ADOM upgrade.
516621 When a new profile with password/secret field, such as TACACS, Radius, etc., is created, FortiManager populates secret values with a dummy value that is longer than the allowed maximum length.
517060 User should be able to change the action for multiple signatures at once.
517061 ADOM upgrade may fail when the IPs in FortiSwitch VLAN DHCP server are configured with zero.
517232 Invalid Source/Destination "Negate Cell" option for certain policy types and missing "Negate Cell" for IPv4 policy source address.
517618 Users should be able to use "Header" type Explicit Policy address as Source Address in Explicit Proxy policies.
517768 FortiManager should allow users to create routes with interface that is dedicated to management.
517874 FortiManager should be able to use 'US only' FortiGuard servers with any license configuration.
518148 The System replacement messages for Manage Images should not be grayed out.
518680 IP Pool not imported due to an error while creating mapping failed due to "arp-intf" which is a member of a zone setting in IP pool.
518708 When viewing the devices in Device Manager, the list automatically scrolls back to the top for every heartbeat interval.
518756 When vdom-netflow is disabled, FortiManager should not push any collector-ip and source-ip settings to FortiGate.
518949 When exporting a Policy Package using CSV, it does not include Footer policies.
518984 Cluster members should show consistent results in dashboard and device settings.
519108 Scheduled Remote CLI Scripts are stuck at 1%.
519229 When using workspace mode, modification to device group is not recognized as a change.
519252 After FortiManager was upgraded, cloning a policy package changes the package inspection mode.
519297 When FortiManager manages FortiGate v5.6 or earlier devices, FortiManager should not support fsso-type group for switch-controller security-policy.
519487 FortiGate fails to receive FortiGuard updates from FortiManager when ssl-static-key-ciphers is disabled.
519495 Running a script always returns the error, the script is not eligible, even though the actual error may be different.
520092 FortiManager should not update any dynamic attributes for SCEP generated objects.
520548 It should be possible to close the pop up window and see current number of successful tasks for the policy assignment of a global package.
520651 When querying a policy package, FortiManager API's response may be missing the VDOM information.

520691 FortiManager should warn the user in the install wizard if there is an IP address being installed that is 0.0.0.0/0.

520976 Revision diff always shows changes with policy package settings.
521117 FortiManager should not check for empty service when internet-service is disabled, which may cause copy to fail.
521379 FortiManager may disable the reliable option for FortiAnalyzer log settings.

521649 Policy counters may not be accurately synchronized with the FortiGate devices.
521673 FortiManager does not trigger policy package status to show as modified when LDAP configuration is changed.
521900 SD-WAN rule protocol options 'ANY' is not saved on GUI.
522025 Under Policy & Objects, the frame column width is reset to default when user refreshes or re-enters the same object list.
522206 GTP global tunnel limit is not configurable on FortiManager.
522310 Unable to edit Global ADOM DB to change global version from GUI (which will reset Global config). As a workaround, use CLI exec reset adom-settings global or upgrade global version.
522440 FortiManager should support the IPS signature syntax, --icmp.type !=.
522713 ADOM upgrade stuck at 5%.
522779 Secured backups fail due to issue with the SSH certificate.
522828 FortiManager unsets dhcp-snooping when installing from a 5.4 ADOM.
523480 IPS Filter does not include ALL if filtered based on OS.
523639 VPN Manager Monitor page stuck loading when an external gateway is defined.

523705 In webfilter profile, FortiManager should only allow configuring quota for categories set to monitor, warning, or authenticate.

523878 FortiManager should not install the CLIs, system csf {upstream-ip upstream-port group-name group-password}, which are read-only attributes on FGT-6000F.
524202 Upgrading Global Database removes all ADOMs from policy package Assignment section.
524607 FortiManager should not allow illegal change with ssl-ssh-profile causing installation to fail.
524752 IPS custom signature using protocol type ICMP is valid in FortiOS syntax and therefore should be able to import into FortiManager.
525926 The Local Users column is always empty even if a token is assigned.
526002 When having multiple hosts within an SNMP community, it's not possible to edit a host and change the status of HA-direct.
526287 Policy install may be stuck at 67%.
526642 Some SMTP/splice options under firewall profile-protocol options cannot be disabled.
526934 Web UI should not enable HTTP access under Interface Settings when a user views interface settings.
526938 Searching an IP address in interface list should show the interface and the zone of which the interface is a member.
527140 FortiManager is unable to add multiple DHCP Relay Servers from the Device Manager System Interface Menu.
527407 Users may not be able to change the FortiGate HA management interface IP.
528633 IS-IS interfaces cannot be deleted from GUI.
528916 Users may not be able to upgrade ADOM after ADOM name has been changed.
528931 FOS-VM may be getting invalid license from FMGR-VM-Meter.
528938 FortiManager does not allow users to manually set SD-WAN member sequence ID.
528977 FortiGuard 7000 Service Status shows slave chassis with serial number instead of host name.
529036 VPN Manager should not show the options for main and aggressive mode when IKEv2 is selected.

529475 Webfilter and Application profiles are not available in the FortiClient profile GUI.

529480 Policy look-up can only list policy package installation target device but not device group member.
530207 Installing configuration after fail-over in cluster causes installation to fail because of difference in management-ip.
530249 Policies that are Last Modified matched by actual traffic always show recently modified by 'admin' even if the default admin user is not present in the FortiManager configuration.
530376 Users are unable to select Schedule Object for SSID in AP Manager.
530735 FortiManager may not be able to configure a full-mesh VPN among FortiGates with multi-VDOMs.
530749 FortiManager is unable to import policy configuration from devices with a long VDOM name.
530792 When configuring Per-Device Mappings for Real Servers, mode is missing and users cannot create multiple real servers.
530837 Users should not be allowed to delete default meta fields.
531508 When trying to add a new gateway from VPN Manager, FortiManager returns an error peer invalid value.
531573 FortiManager is not able to set Type of Service field for SD-WAN service.

531610 FortiManager is showing Create New option under script even though ADOM is not locked.

531645 FortiManager should be able to configure dynamic mappings for SD-WAN via a script.
531813 With Safari, there are two issues when a user edits a device group: there are two scroll bars in the Edit Device Group window, and the Edit Device Group window size cannot be changed.
531963 SSL/SSH Profile should not allow the user to enable "Allow Invalid SSL Certificates" when Inspection mode is "SSL Certificate Inspection".
532075 When editing comment/description, FortiManager may display the slash character, /, as #x2F.
532275 Within the System Admin Profile, users may not be able to change access control due to JavaScript errors.
532488 Bytes/Hit/packet count should not be a parameter to consider in the diff as these are not part of the configuration.

532721 Once a Local ID value is configured for a VPN Node within VPN Manager, it can no longer be removed.
532943 FortiGate's system time is now shown on FortiManager when timezone index is set at 79, 80, or 83.

533141 Retrieving configuration under Workspace mode does not allow further changes under AP manager.
533857 FortiManager is unable to automatically register devices via Pre-Shared Key method if a revision is imported prior to registering the devices.
534559 Editing WiFi interface which is a zone member should not enable block intra-zone traffic.

534784 FSSO Agent with option "Select FSSO groups via FortiGate" does not work if the policy has no pending changes.
534784 Adding section for traffic shaping policies causes runtime error.
534927 When there is a dynamic interface and a multicast interface that has the same name within a policy package, the install wizard was not able to create dynamic mappings.
535170 FortiManager does not accept FQDN address configuration containing the _ character.
535525 Dynamic/Dial-up Type IPSec Tunnel Interface cannot be added as an SD-WAN member.
535621 Retrieving or importing configuration revision fails if configuration contains a large number of CRLs.
535743 Downstream FortiManager does not update signature until changing the schedule setting in the second tier FortiManager's FDN.
536043 When ADOM is locked, FortiManager may display incorrect values or configurations from some objects or policies.
536805 Install fails for DoS policy quarantine-expiry.
537135 There is no GUI validation when an invalid subnet mask is used as destination for a Static Route.
537236 LDAP query failure over slow satellite connection.
537752 FortiManager tries to add full scan options while using quick scan in default AV profile.
537775 Proxy policy should not allow empty source address.
538029 Occasionally, duplicate sequence number may appear in some policy packages.
539184 FortiManager should not install forward-error-correction on VLANs.
539998 Install fails when deny rule contains DNS filter profile.
540065 FortiManager should be able to display CA certificate under 6.0 ADOM.
540095 Scheduled TCL Script intermittently fails to run on the scheduled time after upgrade.
540936 Remote wildcard users break user profile access to workflow sessions.
542823 Script fails to set accprofile on device database.
543567 FortiManager does not install new certificate obtained from FortiAuthenticator.
545457 AP Manager may not be able to show map.
545480 When attempting to remove a VDOM from a FortiGate by running a script, the script fails unexpectedly and the VDOM is not deleted.
547740 When FortiManager is running in workspace mode, FortiManager may unexpectedly delete firewall policy.
