
Known Issues

The following issues have been identified in 6.4.2. For inquiries about a particular bug or to report a bug, please contact Customer Service & Support.

AP Manager

Bug ID Description
607107 FortiManager prompts installation errors when certain channels are selected for Radio 2 in 5 GHz band of FAP-421E.
599189 FortiManager should be able to handle upgrading more than 10 APs at once.
607170 Dynamic VLAN option is not saved in SSID in AP Manager.
633171 There may be a DFS Channel mismatch between FortiManager and FortiGate for FAP-223E.
645030 Adding FortiGate using custom admin profile may fail to list FAP in AP Manager.
645713 FortiManager is able to create SSID which cannot be deleted afterward.
648812 DHCP server is incorrectly created for Bridge SSID.
653329 FortiManager is sending the wrong device setting after changing the FAP name.

Device Manager

Bug ID Description
547768 FortiManager should allow easier management of the compliance exempt lists.
552492 VAP is always loading under CLI configuration.
595058 The user sets Scheduled Updates configuration to 1 hour in FortiGuard; however, in the FortiManager Device Manager, the installation preview is configured as "set time 1:60".
598916 When creating user groups via CLI Only Objects, comma separated values are treated as a string instead of a list.
610568 FortiManager may not follow the order in CLI Script template.
627749 Admin user with device-config set as read in admin profile cannot download configuration revision.
640907 FortiManager is unable to configure FortiSwitch port mirroring.
598424 Interface cannot create more than 48 IP-MAC bindings in DHCP reservation from GUI.
602393 Device joined telemetry not showing on FortiManager under Telemetry group.
604125 FortiManager may not be able to edit VDOM link interface from VDOM level.
605688 Pac file data limited to 4000 characters under CLI Configuration.
607923 Security Fabric Connection option is removed from VLAN interface after changes are applied.
613029 SD-WAN Monitor is showing effect of exceeded SLA even when it is disabled.
625541 Changing a certificate on FortiGate triggers auto-update that may incorrectly update partial configuration on multiple VDOMs.
627664 FortiManager cannot work with socket-size 0 and changes it to 1 automatically.
630316 After auto-conf IPv6 address is changed on FortiGate, the address is not updated into device database.
635316 Return button is not working when viewing HA mode.
636012 Importing a policy may report conflict for the default SSH CA certificates.
636357 Retrieve may fail on FortiGate cluster with "Failed to reload configuration. invalid value" error.
636638 Fabric view may get stuck at loading.
638061 FortiGate 7000 may not be added and result with failure to update device information.
639854 No IPv6 format in router GUI for BGP.
644596 FortiManager is unable to deauthorize explicit proxy user(s).
645086 Policy Lookup shows an error even though device is in sync.
649157 Mapping interface containing "/" results in error "Object does not exist" during import policy.
649566 CLI Template is not able to install same name interface using vpn ipsec phase1-interface and config system ipsec-aggregate.
649769 FortiManager cannot view full list of Extenders.
649785 SD-WAN > Monitor may hang for an ADOM with 1500 devices.
651560 SD-WAN monitor may get stuck loading when the admin user belongs to device group.
651712 SD-WAN monitor keeps loading and not displaying anything in backup mode ADOM.
652052 FortiManager may fail to add another FortiManager in Fabric ADOM.
652427 FortiManager may not be able to configure any value on the access list prefix.
652481 Allow access is missing under interface on AWS FortiGate and may cause installation to fail.
653388 IPsec VPN Phase-1 tunnel interface is not added in VDOM interface list with long VDOM name.
653465 FortiManager may not be able to edit DHCP options function on GUI.

FortiSwitch Manager

Bug ID Description
650453 FortiSwitch template and VLAN shall appear for firewall policy creation.
651788 FortiSwitch Manager not showing correct online or offline status.

Global ADOM

Bug ID Description
632400 When installing global policy, FortiManager may delete policy routes and settings on an ADOM.

Others

Bug ID Description
632822 The merged_daemons process goes to 100% usage and prevents radius authentication.
647337 FortiManager fails to retrieve FSSO user groups via FortiGate.
481129 FortiManager is lacking API for policy consistency check.
647156 FortiManager cannot clone any of the deep-inspection ssl-ssh-profiles using JSON API.

Policy & Objects

Bug ID Description
523350 FortiManager does not show the default certificate under SSL/SSH Inspection within a policy.
545759 From or To column filter displays unmapped interfaces in the drop-down list.
547052 FortiManager GUI should not allow creating Security Profiles without any SSL/SSH Inspection Profile defined.
586026 FortiManager should display zone icon based on existing and non-existing dynamic mappings.
611980 Policy is not installed on selected devices when one device is excluded due to Zone validation failed.
612317 FortiManager shows incorrect country code for Cyprus under User definition.
618321 FortiManager is unable to create RSSO Group if Agent is configured with custom name.
620092 Interface Pair View is not working for Security Policies.
623100 FortiManager is constantly changing UUID for firewall address object.
630431 Some application and filter overrides are not displayed on GUI.
631158 FortiManager is unable to import firewall objects of fsso fortiems-cloud user due to Server cannot be empty.
634241 VIP created using CLI script is not available to use in policy.
635966 Azure SDN connector only fetches the first page of results.
640157 Verification may fail due to wrong default setting of 'log.memory.global-setting' > 'set max-size'.
525625 When configuring web filter rating override, the configuration is pushed to all the VDOMs even when web filter is not used.
531112 Consolidated policy is missing implicit deny policy.
568482 FortiManager ADOM web filter profile configuration promoted to Global database does not rename associated FortiGuard local categories.
580880 FortiManager is unable to see dynamic mapping for Local Certificate if workflow session is created.
583151 FortiManager should not change default value of scan-mode and ssl-ssh-profile/inspection-mode when installing v6.0 policy package to v6.2.
585177 FortiManager is unable to create VIPv6 virtual server objects.
597011 Importing groups from Aruba ClearPass may fail.
599129 While editing policy from Policy Package, it is not possible to select SSL/SSH Inspection profile.
613171 FortiManager is unable to export 3000 Policies to Excel Spreadsheet and returns error InternalError: "too much recursion".
617894 FortiManager is missing IPV6 none values after modifying policy.
623833 Username cannot exceed 35 characters.
631311 Promoting object groups to global may attempt to install contained objects back to ADOM upon global policy package assignment.
645058 Existing objects may disappear while editing policy and adding new one in batch mode.
647189 FortiManager dynamic object filter generator is adding an "s" at the end of tag resulting in non-working object.
648767 No connection request is sent out for ClearPass connector in ADOM.
648815 Package with address group in SSL inspection cannot be installed to FortiGate.
650339 Source or destination address may not show in policy.
652753 FortiManager may show entry IDs instead of names when an obsolete internet service is selected.
655248 Policy Consistency Check may return duplicate address object names.
615624 Firewall policy and proxy policy cannot select IP type external resource as address.
651955 Threat feed is not deleted by install even if it is removed from a policy.
654562 FortiManager may fail to install profile-group and apply it on a policy.
632771 Sometimes users are not updated on FortiManager after a new session is created on ISE.

Revision History

Bug ID Description
597650 FortiManager cannot install allowed DNS and URL threat feed configuration.
604927 FortiManager can create custom device without category which may lead to failed installation.
618305 FortiManager changes configuration system csf settings.
586275 Policy Package Diff does not show user or admin details.
496870 Fabric SDN Connector is installed on FortiGate even if it is not in use.
587682 Installing mobile token that does not belong to target FortiGate may fail.
606005 FortiManager may not show interface delta changes.
606737 User may not be able to install policy package due to change with external interface with VIP settings.
611169 Install may fail with error "Associated Interface conflict detected!"
612263 FortiManager may not install ADSL vci and VPI to FWF-60E-DSL.
623159 Zone validation in re-Install Policy is not saving the user choice and deleting all related policies.
635786 Default hbdev values may change after upgrade.
635957 Install fails for subnet overlap IP between two interfaces.
637103 Scrolling in install preview is not smooth and may get stuck.
647180 Install copy may fail with error message "ftgd-wf - - The category is already set in another filter."
650239 Installation fails with "wireless-controller vap mesh-backhaul" setting despite setting being disabled on FortiManager.
652337 VPN Manager changes may result in unnecessary FortiGate configuration changes.
654496 When installing configuration to a device after Auto link, FortiManager may send incorrect system ntp commands causing install to fail.
655246 The adom-rev-auto-delete option may not work to automatically delete revisions.
656505 Install may fail for youtube-channel-filter after creating a web filter profile.

Script

Bug ID Description
630016 FortiGate user can see scripts from all ADOMs.
632014 When editing CLI script group, the user cannot see full CLI script name.
611396 After locked on a device, FortiManager cannot show the list of devices to run a script.
613575 After script is run directly on CLI, FortiManager may fail to reload configuration.

Services

Bug ID Description
437935 FAD-VM license may not be validated on FortiManager.
541192 FortiManager should keep firmware image files when the files are for different FortiExtender devices.
567664 HA secondary device does not update FortiMeter license.
587730 FortiGate-VM64-AZURE may not be listed in firmware image page.
591821 FortiManager may not honor the fgd-pull-interval and adjust download times accordingly.
603414 FortiManager may show incorrect firmware upgrade path.
616320 FortiManager may ignore FortiGuard update schedule.
652764 FortiManager Enforce Firmware Version may fail to upgrade FortiGate to a custom build.
654129 FortiManager may not have the correct upgrade path for FortiGate KVM.

System Settings

Bug ID Description
556334 Standard ADOM users should be able to assign system templates to FortiGate devices.
586626 Users should be able to identify who locked their assigned ADOM.
596212 SSH filter profile is unset in firewall profile group upon ADOM upgrade.
611215 SNMP Hosts in SNMP Community are not displayed in the GUI if ADOM is unlocked.
631733 Changing trusted IP can be saved and installed.
479723 FortiManager may have no control to Fabric View in admin profile.
489837 Certificate request CRS does not include the SAN DNS.
598194 FortiManager two-factor authentication admin login is missing the option for FTK Mobile push notification authentication.
614127 FortiManager should show details in the fnbamd debug if login fails due to trusted hosts.
623457 FortiManager prompts error while importing CA certificate.
625683 Changes made by ADOM upgrade may not update "Last Modified" date/time and user admin.
639099 There are many "cdb event log for object changed" in event logs after upgrade.
650326 After HA failover, the new master may have incorrect policies.
652417 FortiManager HA may go out of synchronization periodically based on the logs.
654637 Changing a non super user password may not take effect after an upgrade.
655515 FortiManager may not be able to clone the Security Fabric ADOM.

VPN Manager

Bug ID Description
596953 The Monitor page displays a white screen when the user goes to VPN manager > Monitor, and selects a specific community from the tree menu to show only that community's tunnels.
576601 FortiManager should be able to manage phase2 selectors separately.
608221 There is no "XAUTH USER" column in VPN Manager Monitor.
620801 SSLVPN > Edit SSLVPN Settings > IP Range only shows configuration from ADOM database objects.
645093 VPN Manager error Peer type cannot be peer when authentication method is pre-share key.
647413 User should be able to select the OS to allow or deny an SSL-VPN tunnel connection.
650454 Installation may fail when Dialup VPN interface is PPPoE logical interface.
653328 FortiManager is unable to edit an SSL portal in VPN Manager containing "/" special character.
