Release Notes

Resolved Issues

The following issues have been fixed in 6.2.3. For inquiries about a particular bug, please contact Customer Service & Support.

AP Manager

Bug ID Description

521404 Refresh or close button does not work in the AP Health Monitor widget.
561911 FortiManager may take over two minutes to display map in AP Manager.
578123 Multiple dhcp-relay-ip cannot be defined.
570937 AP Manager is missing the option to configure individual LAN Ports.
593366 AP Manager may not be able to search for a SSID.

Device Manager

Bug ID Description

500037 FortiManager FortiToken provision may not work.
523463 Firmware version not displayed in backup ADOM.
533941 CLI-Only configuration with Optional options cannot be deselected on GUI.
540502 Installation may fail due to interface's address mode changes to PPPoE.
541911 When workspace is enabled, FortiManager cannot run CLI template after it is assigned to a device.
544562 The "Force this Admin to Change Password Next Time He/She Logs on" option on administrator is not installed to FortiGate.
580485 After defining a per-device mapping to a model device, the status of all policy packages is changed to Modified.
584046 Device Manager's License information for FortiAnalyzer is not correct.
584463 CLI Template's comment field cannot be saved.
595589 When running a script on a device with large configuration, dmworker may crash with high CPU spike.
598230 Removing per-device mapping causes all referenced Policy Packages status to become modified.
547528 FortiManager may be slow viewing large device revisions on Firefox.
568626 FortiManager can modify the order of DNS forwarder only if the IP addresses are in quotes ("") and the IP addresses are not separated by comma.
571581 FortiManager may not show Zone changes in Policy Package Diff.
574988 CLI only Object cannot create router BGP AS-path list and community list, and prompts the error "entry does not exist".
580533 Saving configuration with incorrect IP/mask format does not display an error for inner configurations.
581812 Sorting Extenders by Device Name does not work.
585480 FortiManager should be able to display Performance SLA statistics.
586550 Device manager does not detect newly joined Telemetry group on FortiGate.
587513 FortiManager should not unset the IPv6 configuration on FortiGate when registering with the "Add Model Device" method.
587693 Users should be able to delete interfaces from aggregate interface.
589826 Device Manager cannot create EMAC VLAN interfaces over VLAN interface created in root VDOM.
590064 Device view > VDOM GUI should show which VDOM is the management VDOM.
590321 Sorting filtered static routes list does not work.
590385 FortiManager should not have a limit of 1024 characters for VPN local certificates.
590602 Zero in seconds is lost in Web Filter Override expire time.
591894 User should be able to specify PAC or HTTPS port on GUI after upgrade.
592279 AP Manager does not accept certain wtp-profile settings when switching country.
593244 User may not be able to change the option, "Send logs to FortiAnalyzer/Manager" under Provisioning Template.
594211 FortiManager should be able to create new VLAN interface on fabric interface and install to FortiGate.
594853 FortiManager may create duplicate VDOMs when retrieving configuration for multiple devices.

FortiClient Manager

Bug ID Description

548572 FortiManager shows unclear message in FortiClient Profile with "Response with errors" instead of "Device groups cannot be empty".

FortiSwitch Manager

Bug ID Description

586557 User group for FortiSwitch Security Policy should not be removed once work flow session is created and submitted.
573043 Saving FSW VLANs configuration may trigger an error and lead to data loss in Per Device Mapping.

Global ADOM

Bug ID Description

578089 Address objects cannot be deleted from the FortiManager's Global ADOM if they are not being used anywhere.
582171 FortiManager may not be able to assign all objects from 5.6 global ADOM to a 6.0 ADOM.
580600 FortiManager may not respond when assigning Global Objects.
587511 SSO_Guest_User should work the same as predefined SSO_Guest_User.

Others

Bug ID Description

550140 The system-support-fgt configuration is lost if a version lower than 5.4 is selected prior to upgrade.
579648 FortiManager may generate "fgfmsd" crashes when FortiGate sends registration request to FortiManager.
592315 Installation of Policy Package against a device group may generate copy fail error for one FortiGate device.
594556 Admin user may not be able to authorize FortiGate.
551937 FortiManager should allow the browser to save and paste credentials at the log on prompt only.
552085 FortiManager live migration fails with Microsoft Hyper-V and it is not accessible via GUI and SSH.
565515 User may not be able to create a new SNMP host under System Templates. Workaround: Please add a new SNMP host for System Templates under CLI Configurations within Device Manager.
571235 Enabling policy hit count may lock ADOM and provoke GUI slowness.
580832 FortiManager may show disk unused under LVM.
586991 "Logver" field is missing when FortiAnalyzer is enabled, affecting report related features.
589805 Installing policy package via JSON API with missing interface in zone definition deletes zone and corresponding firewall policies on FortiGate.
590649 On FortiClient or FortiDDoS ADOM, the SOC page may refresh constantly.
593245 FortiManager may show incorrect warning when changing admin profile via CLI.

Policy and Objects

Bug ID Description

582042 FortiManager should support wildcard SDN connectors in filter configurations.
566446 With a 5.6 ADOM, installing to a 6.0 FortiGate needs to keep the configured multicast policies and zone on FortiGate.
578086 "Where Used" may not show the correct ADOM name on all objects.
595646 After selecting a proxy policy and using the "Insert Above/Below" button, the new policy should be created with the same proxy type of the selected policy.
488897 SSL VPN policy can be created with a FSSO user group assigned to the policy.
538293 Installing policy package may take a long time when there are multiple VDOMs on FortiGate.
573250 Find Duplicate Objects may show inaccurate results due to obj-id.
581607 FortiManager 6.2.2 may not be able to install class-id to a FortiOS 6.2.1 device.
584662 [Performance] Optus: VPN-IPsec1 in DVM takes over 20 seconds to load up the completed form.
593819 FortiManager may generate several fmgd crash logs.
593853 Certificate generation fails if the CA certificate does not match ADOM name.
597284 When creating a new switch through a script, all configuration is visible in Device Manager but no port configuration is installed.
598230 Removing per-device mapping causes all referenced Policy Packages status to become modified.
598493 FortiManager should get all data-center information from exsi vm info.
491813 FortiManager should group IPS Sensor entries with same filters as one rule.
528881 Users are not able to remove all FSSO objects from selected list that has a large number of entries.
544404 A remote user approves a session, session list shows zero session.
548573 FortiManager changes UUIDs of existing objects after policy install.
563629 Clicking on "+" function should allow users to add Wildcard FQDN objects.
569576 1121: Web rating override category change is not reflected in GUI.
580484 Signature, "Apache.Optionsbleed.Scanner", cannot be selected as IPS Signature but only as "Rate based Signature".
581481 FortiManager should allow adding a custom Application Control signature with the same attack ID as an existing one.
581495 Interface Validation should prompt only once per unmapped interface.
583387 Creating an already existing interface loses interface or zone mapping in ADOM.
585021 Adding or modifying rate based signature on IPS profile resets all rate based signature to default settings.
587624 Application Control profile page is blank for User with read-write permissions on Policy & Objects.
588548 Under workspace, addresses may be removed from a firewall policy when merging duplicated addresses.
588869 Re-installing policy package on FortiGate with multiple VDOMs may wipe out configuration on a VDOM that belongs to a different policy package.
589645 GUI disables FSSO status after removing one of the FSSO user groups with a policy.
589771 Policy Package installation fails when a Firewall Policy contains a VIP Group mapped to a zone interface.
589775 Entry without content should not be created when creating an Application Control Profile.
589795 User should be allowed to create a new tag in a firewall policy or select an existing tag.
589808 After editing a policy in policy package, the screen view should remain on the edited policy.
590322 When an Internet Service Database object is used in the destination field on proxy rule, the field is displayed as an empty field.
590896 FortiManager has no source interface column in the general view of Proxy Policy.
594811 Using copy and paste on multiple proxy policies may insert rules in reversed order.
594866 Internet Services may not match between FortiManager and FortiGate.

Revision History

Bug ID Description

513317 FortiManager may fail to install policy after FortiGate failover on Azure.
556967 Re-Install policy hangs when Security Fabric line is selected.
560638 When checking the Revision Diff between two revisions multiple times, the result may not be consistent.
590889 Using the search bar to assign devices under provisioning templates clears the previous selected device list.
539994 Installing to FortiGate fails when wildcard-fqdn address is used in SSL profile.
549001 Installation may fail after changing inspection mode from Proxy to Flow.
560689 Auto-Update revision is missing "set stp-bpdu-guard enabled".
578231 FortiManager tries to push "casi-profile" on a Deny Policy.
582882 Switch interface should not have duplicate members during device install.
583833 Auto Link Install skips installation for VLAN interface.
586979 FortiManager may report duplicate tags and fail to install policy package.
586992 FortiManager does not install broadcast-forward enabled on "Virtual Switch" to managed FortiGate.
587005 FortiManager should support the radius-server-vdom setting and be able to install it.
588937 Installation may get stuck when there is no FortiSwitch's IPv6 VLAN template.
589858 The BGP "scan-time" value of 0 can be set on FortiGate, but FortiManager resets it to default by "unset scan-time" on the next policy push.

Script

Bug ID Description

572524 Users may not be able to create admin user via a Script due to long password.
588684 Central SNAT option is missing under Policy Package menu when mode is NGFW policy-based.
587015 When user tries to set signature with non-escaped quotes from script, the signature becomes separate strings, and the installed string may not be what is expected.
594238 FortiManager should be able to create overlapping secondary IPs via a script if interfaces are assigned to different VDOMs.

Services

Bug ID Description

520875 FortiManager should keep the same FortiGate On-Demand contract as FortiGuard.
588276 User should be able to filter devices in Firmware Manager based on connectivity status.
589269 When upgrading FortiGate, FortiManager may upgrade the device to version 6.0.3 prior to upgrading to version 6.2.2.

System Settings

Bug ID Description

535607 Upgrading ADOM may take a long time due to hit count statistics.
570266 When saving the values of the administrative access, the values do not save when deselecting HTTPS first before any other value.
594549 Editing Per-Device mapping for zone containing slash in the name generates "Method failure" error message.
597668 FortiManager should be able to install the scheduled policy package even though it is scheduled by wildcard user.
576098 Event log may not show the correct username when changing a non-policy related object.
597765 ADOM upgrade may get stuck when "svc cdb reader" crashes.
584392 Admin user with read-only profile should not be allowed to "Revoke Release" in DHCP query and "Bring Tunnel Down/Up" in Query IPsec.
584749 System Settings may not show the ADOM-VDOM association.
587242 [b349] HA Cluster fails after upgrading to 6.0.6 with peer IP using IPv6.
587295 Admin users with prof_admin_regional profile should be allowed to see all application signatures.
588884 Event log for merging duplicated objects is missing object name.
595660 FortiManager should generate event logs for imported images.
596562 Administrators allowed access to only specific ADOMs cannot see "Managed Devices" in those ADOMs.

VPN Manager

Bug ID Description

586613 VPN Manager randomly installs incorrect phase1 proposal settings.
575265 VPN Manager's Monitor for phase1 status and multiple phase2 may not display correctly.
562729 VPN Manager SSL VPN monitor's Active Connections column may be blank.
574727 VPN Manager may not display SSL-VPN settings for some devices.
589101 VPN Manager prompts the copy error "no hub configured for vpn" if the hub is external gateway with no device assigned.
589240 FortiManager should be able to select a VDOM while adding a managed gateway into a community.
589669 FortiManager shows installation error when there are two Hubs in VPN community where Hub-to-Hub Interface is set to 'None'.
590765 The tunnel-search and net-device attributes are not being installed if device role is set as spoke.

Common Vulnerabilities and Exposures

Visit https://fortiguard.com/psirt for more information.

Bug ID CVE references

568791 FortiManager 6.2.3 is no longer vulnerable to the following CVE-Reference(s):

  • CVE-2019-17657

569307 FortiManager 6.2.3 is no longer vulnerable to the following CVE-Reference(s):

  • CVE-2019-17654
