Special Notices

This section highlights some of the operational changes that administrators should be aware of in 6.4.11.

Trusted Hosts

In FortiManager 6.4.11 and higher, once trusted hosts are set for every administrator account, the FortiManager unit no longer answers ping from any other host; only the configured trusted hosts can reach it. Availability monitoring that pings the FortiManager from an unlisted host will therefore report it as down. For more information, see Trusted Hosts in the FortiManager Administration Guide.

FortiManager 6.4.11 GUI issues in Google Chrome and Microsoft Edge

The FortiManager 6.4.11 GUI may not work properly in Google Chrome version 114 (114.0.5735.91) and Microsoft Edge version 114 (114.0.1823.37).

For information about supported web browsers, see Web browsers.

FortiManager creates faulty dynamic mapping for VPN manager interface during PP import

If policy changes are made directly on the FortiGates, the next policy package (PP) import creates faulty dynamic mappings for the VPN Manager interface.

Before applying this workaround, create a fresh backup of the FortiManager configuration. Then run the following command to check and repair the FortiManager configuration database for the affected ADOM:

diagnose cdb check policy-packages <adom>

After the command completes, FortiManager removes the invalid mappings of the vpnmgr interfaces.

View Mode is disabled in policies when policy blocks are used

When policy blocks are added to a policy package, the View Mode option is no longer available, so policies in the table cannot be arranged by Interface Pair View. The reason is that policy blocks typically contain multiple policies with different incoming and outgoing interfaces; however, View Mode is disabled whenever a policy block is present, even when all policies in the block use the same interface pair.

Custom signature filenames

Custom signature filenames are limited to a maximum of 50 characters because FortiManager appends the VDOM suffix to custom signature filenames when FortiGate uses VDOMs.

SDN fabric connectors

According to the current design, SDN fabric connectors are installed on all FortiGates in an ADOM, even if the fabric connectors are not in use. See also bug ID 496870 in Known Issues.

Workaround: Place FortiGates in another ADOM when you do not want to install SDN fabric connectors to the devices.

ADOM version enforcement

Starting in FortiManager 6.4.6, ADOM versions are enforced: a FortiGate must run the ADOM's own version (N) or the next version (N+1), and the enforcement applies to policy package installation.

For example, if you have a version 6.0 ADOM that contains a FortiGate running FortiOS 6.4, you cannot install a version 6.0 policy package to that FortiGate. The installation fails with the following error message: Device preparation failed: version mismatched,adom:6.0; dev:6.4.
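The following pre-check applies the N / N+1 rule to a device inventory before an install job is scheduled, so mismatches surface before the "Device preparation failed" error does. It is an added example, not Fortinet code: the release train order in RELEASE_ORDER is an assumption supplied here (the train after 6.4 is 7.0, not 6.5), and the device names and version strings in the inventory are constructed.

```python
"""Plan checker for the ADOM version rule (added example, not Fortinet code).

RELEASE_ORDER is an assumption supplied here: "N+1" means the next entry in this
list, so the train after 6.4 is 7.0, not 6.5. Extend the list as new trains ship.
"""

RELEASE_ORDER = ["5.6", "6.0", "6.2", "6.4", "7.0", "7.2", "7.4", "7.6"]


def release_train(version: str) -> str:
    """Reduce a build string such as '6.4.11' to its release train '6.4'."""
    parts = version.strip().split(".")
    if len(parts) < 2 or not (parts[0].isdigit() and parts[1].isdigit()):
        raise ValueError(f"unrecognised version string: {version!r}")
    train = f"{int(parts[0])}.{int(parts[1])}"
    if train not in RELEASE_ORDER:
        raise ValueError(f"release train {train} is not in RELEASE_ORDER")
    return train


def install_allowed(adom_version: str, device_version: str) -> bool:
    """A policy package from an ADOM of train N may be installed only on devices
    running train N or N+1; older devices and devices two or more trains newer fail."""
    a = RELEASE_ORDER.index(release_train(adom_version))
    d = RELEASE_ORDER.index(release_train(device_version))
    return d in (a, a + 1)


def preparation_error(adom_version: str, device_version: str):
    """Return the error text FortiManager reports for a blocked install, or None."""
    if install_allowed(adom_version, device_version):
        return None
    return ("Device preparation failed: version mismatched,"
            f"adom:{release_train(adom_version)}; dev:{release_train(device_version)}")


def plan_installs(adom_version: str, devices: dict) -> dict:
    """Check every managed device (name -> FortiOS version) before an install job.
    Returns name -> None when the install is permitted, otherwise the expected error."""
    return {name: preparation_error(adom_version, ver) for name, ver in devices.items()}


if __name__ == "__main__":
    # Constructed inventory for illustration; these are not real devices.
    inventory = {"branch-fw-01": "6.0.14", "branch-fw-02": "6.2.12", "dc-fw-01": "6.4.11"}
    for name, err in plan_installs("6.0", inventory).items():
        print(f"{name}: {'ok' if err is None else err}")
```

Run it against the device list exported from Device Manager; any device that comes back with an error needs either an ADOM upgrade or a move to an ADOM of a matching version before the policy package can be installed.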

Management Extension Applications (MEA) and upgrade

Upgrading FortiManager when Management Extension Applications (MEA) are enabled may reset your System Settings to the default settings.

To prevent your System Settings from being lost, please disable all Management Extension Applications (MEA) prior to upgrading FortiManager.

Policy Hit Count on unused policy

FortiManager 6.4.3 and later no longer displays policy hit count information on the Policy & Objects > Policy Packages pane. However, you can view hit count information by using the Unused Policies feature and clearing the Unused Only checkbox. For more information, see the FortiManager 6.4 New Features Guide.

Wireless Manager (FortiWLM) not accessible

If Wireless Manager was enabled in FortiManager 6.4.0, you can no longer access it in the FortiManager GUI when you upgrade FortiManager to 6.4.2. When you try to access FortiWLM, you are redirected to the FortiManager dashboard.

SD-WAN Orchestrator not accessible

If SD-WAN Orchestrator was enabled in FortiManager 6.4.1, you can no longer access it in the FortiManager GUI after upgrading to FortiManager 6.4.2.

To work around this issue, run the following CLI command to manually trigger an update of SD-WAN Orchestrator to 6.4.1 r2:

diagnose docker upgrade sdwancontroller

Support for FortiOS 6.4 SD-WAN Zones

In 6.4 ADOMs, SD-WAN member interfaces are grouped into SD-WAN zones. These zones can be imported as normalized interfaces and used in firewall policies.

Note

Customers upgrading FortiGates from FortiOS 6.2 to 6.4 who cannot upgrade the ADOM are advised to temporarily disable SD-WAN central management until they can upgrade the ADOM to 6.4. This is to prevent FortiManager from attempting to delete the newly created SD-WAN zones on the FortiGate.

FortiGuard Rating Services with FortiGate 6.4.1 or Later

FortiManager 6.4.1 or later is required to provide FortiGuard rating services to FortiGate 6.4.1 or later.

Citrix XenServer default limits and upgrade

Citrix XenServer limits the PV ramdisk to 128M by default, but the FMG-VM64-XEN image is larger than 128M. Before upgrading to FortiManager 6.4, increase the ramdisk limit on Citrix XenServer.

To increase the size of the ramdisk setting:
  1. On Citrix XenServer, run the following command. The value is 512 MiB expressed in bytes and must be written as a plain integer; xenstore stores the string verbatim, so a value with thousands separators is not a valid size:

    xenstore-write /mh/limits/pv-ramdisk-max-size 536870912

  2. Confirm the setting is in effect by running xenstore-ls:

    -----------------------

    limits = ""

    pv-kernel-max-size = "33554432"

    pv-ramdisk-max-size = "536870912"

    boot-time = ""

    ---------------------------

  3. Remove the pending files left in /run/xen/pygrub.

Note

The ramdisk setting returns to the default value after rebooting, so repeat step 1 if the host is rebooted before the image has been loaded.
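A small check for step 2, added here as an example and not part of the Fortinet or Citrix documentation: it parses the flat key = "value" lines that xenstore-ls prints and tells you whether the configured limit will actually accommodate the image. It assumes xenstore-ls output in the layout shown above and that the caller supplies the image size (for example from os.path.getsize on the FMG-VM64-XEN file); the two sample listings are constructed, one correct and one with a thousands-separator mistake.

```python
"""Validate the XenServer PV ramdisk limit read back from xenstore-ls.

Added example, not Fortinet or Citrix code. Assumes xenstore-ls prints one
'key = "value"' line per entry, as in the listing above.
"""
import re
import subprocess

XENSTORE_DEFAULT_RAMDISK_LIMIT = 128 * 1024 * 1024  # the 128M default described above
TARGET_RAMDISK_LIMIT = 536870912                    # 512 MiB, the value the steps write

# Matches 'key = "value"' lines; leading indentation for subtree entries is allowed.
_ENTRY_RE = re.compile(r'^\s*([\w-]+)\s*=\s*"([^"]*)"\s*$')


def parse_xenstore_ls(text: str) -> dict:
    """Return {key: value} for every 'key = "value"' line; other lines are ignored."""
    entries = {}
    for line in text.splitlines():
        m = _ENTRY_RE.match(line)
        if m:
            entries[m.group(1)] = m.group(2)
    return entries


def check_ramdisk_limit(entries: dict, image_size: int) -> tuple:
    """Decide whether the configured limit lets the image boot.

    Returns (ok, reason). Three failure modes are distinguished: the key is absent
    (so the 128M default applies), the value is not a plain integer (for example a
    number written with thousands separators, which xenstore stores verbatim), or
    the limit is smaller than the image.
    """
    raw = entries.get("pv-ramdisk-max-size")
    if raw is None:
        return False, "pv-ramdisk-max-size is unset; the 128M default applies"
    if not raw.isdigit():
        return False, f"pv-ramdisk-max-size is not a plain integer: {raw!r}"
    limit = int(raw)
    if limit < image_size:
        return False, f"limit {limit} bytes is smaller than the image ({image_size} bytes)"
    return True, f"limit {limit} bytes accommodates the image ({image_size} bytes)"


def check_live(image_size: int) -> tuple:
    """Run xenstore-ls on the dom0 host and evaluate the /mh/limits subtree."""
    out = subprocess.run(["xenstore-ls", "/mh/limits"],
                         capture_output=True, text=True, check=True).stdout
    return check_ramdisk_limit(parse_xenstore_ls(out), image_size)


# Constructed sample outputs modelled on the listing above: one correct, one with
# the thousands-separator mistake.
SAMPLE_OK = '''limits = ""
 pv-kernel-max-size = "33554432"
 pv-ramdisk-max-size = "536870912"
 boot-time = ""
'''
SAMPLE_BAD = SAMPLE_OK.replace('"536870912"', '"536,870,912"')

if __name__ == "__main__":
    image = 200 * 1024 * 1024  # placeholder; use os.path.getsize(<image>) on the host
    for label, sample in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(label, check_ramdisk_limit(parse_xenstore_ls(sample), image))
```

On the XenServer host, call check_live with the real image size after step 1; a False result with the "not a plain integer" reason means the xenstore-write was typed with separators and must be repeated with a bare number.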

Multi-step firmware upgrades

Before using FortiManager to push a multi-step firmware upgrade, confirm that the upgrade path matches the path published on the Fortinet support site. To display the path FortiManager will use, run:

dia fwmanager show-dev-upgrade-path <device name> <target firmware>

Alternatively, you can push one firmware step at a time.

Hyper-V FortiManager-VM running on an AMD CPU

A Hyper-V FMG-VM running on a PC with an AMD CPU may experience a kernel panic. Fortinet recommends running VMs on an Intel-based PC.

SSLv3 on FortiManager-VM64-AWS

Due to known vulnerabilities in the SSLv3 protocol, FortiManager-VM64-AWS enables only TLSv1 by default. All other models enable both TLSv1 and SSLv3. To disable SSLv3 support on those models, run:

config system global

set ssl-protocol tlsv1

end

Use set ssl-protocol ? in the CLI to list the protocol versions your build accepts, and prefer the newest TLS versions it offers: TLS 1.0 and 1.1 are themselves deprecated (RFC 8996), so restricting the GUI and API to TLS 1.2 or later is the stronger setting wherever the build allows it.
