Resolved Issues

The following issues have been fixed in 6.4.6. For inquiries about a particular bug, please contact Customer Service & Support.

AP Manager

Bug ID Description
590098 When adding a new WTP profile, FortiManager tries to set a default handoff-sta-thresh and unset radio bands, which do not match the defaults for many of the E-series APs.
591994 AP region settings may be unset in Central Management mode.
635643 5G channels may be mismatched between FortiManager and FortiGate for radio-1 and radio-2 with FAP-231E.
648812 DHCP server is incorrectly created for Bridge SSID.
674636 SSID may be empty in AP Manager > WiFi Profiles > SSID column.
692911 FortiManager may not be able to display correct information for wireless radio in wireless profile for FortiWiFi-80F-2R.
706233 FortiManager may not detect changes in AP Manager > SSID > Pre-shared Key Password and display the message No record found.
712669 FortiManager may set darrp as enable on radio in monitor mode resulting in installation failure.

Device Manager

Bug ID Description
485037 Monitor > Map View may fail if proxy is enabled.
521976 Users may not be able to enable CSV format within system template.
544982 Policy Package Status may become out-of-sync for all devices when adding one device to Install On.
560444 FortiManager may not set pmf to enable, causing install to always fail with WPA3-SAE, WPA3-Enterprise, or WPA3-SAE-Transition within 6.4 ADOM.
594211 FortiManager should be able to create new VLAN interface on fabric interface and install to FortiGate.
603820 FortiManager fails to import policy when reputation-minimum and reputation-direction are set.
610585 Device Manager cannot save DHCP for Unknown MAC address with action set to block.
624325 Creating or editing transparent VDOM to disable may get stuck at 20%.
636357 Retrieve may fail on FortiGate cluster with Failed to reload configuration. invalid value error.
649260 Device Manager may return an error when deleting VPN phase1.
654611 Under Advanced mode and within a VDOM, clicking Device Manager on the top menu returns the no permission error.
658832 FortiManager is unable to retrieve priority-members if outgoing interface is using the Manual strategy in SD-WAN rule.
659387 FortiManager should be able to provision CLI-template, SD-WAN-template, and Policy Package together to the model device.
664120 When FortiGate HA secondary unit is down, action is displayed as promote in Device Manager.
665955 FortiManager is not reflecting proper admintimeout value in CLI only object.
667738 667738
670535 Install fails when creating a new DHCP reservation due to missing MAC address.
672344 If managed FortiAnalyzer is in HA, setting Send Logs to Managed FortiAnalyzer in the system template may cause install error.
676002 FortiManager is not allowing to re-install policy when user selects all devices with VDOMs from Device Manager.
678495 FortiManager VPN L2TP may prompt invalid ip range.
680516 Host Name is truncated when name has more than 31 characters.
681627 FortiManager is accepting DNS source IP even though it is not part of the available interfaces.
683411 FortiManager may not display a FortiGate under the Device Manager > Managed Devices.
684372 When using VDOMs, Policy Package status remains in modified status after using Push to device.
684462 FortiManager truncates the device configuration when downloading from View configuration option.
684961 Registration with NSX-T may fail with error: Register service failed.
688541 FortiManager should not unset dynamic-vlan of wireless-controller VAP and gateway of router settings after import.
689014 FortiManager may return an error when changing FortiGate device log configuration from FortiManager with management VDOM moved to another VDOM.
690012 Changing the value of a meta-data field for a device should trigger the change with configuration status.
690566 Changes to the Disclaimer Page may not be saved with error.
692200 FortiManager may return conflict after a zero-touch-provisioning cluster deployment.
692669 Browser may display a message, A webpage is slowing down your browser, while checking revision difference.
693622 There may be inconsistent behavior between FortiGate and FortiManager when changing port speeds for FortiGate-3600E or FortiGate-3601E.
696136 Auto-link may fail caused by input device in SD-WAN.
696496 When Workspace is enabled, auto-link may fail.
696576 Explicit FTP proxy available certificates are not consistent with the ones available in the FortiGate.
696848 Users may not be able to retrieve configuration or import policy from managed devices with dvmcore constantly crashing.
697098 Retrieving HA configuration may fail when adding FortiGate.
697535 Device Manager should not allow user to add ssl.root to a zone.
697746 FortiManager needs to support adding FortiAnalyzer with serial number that has prefix, FAVMXX, to FortiManager.
697924 When there are many devices, all managed FortiGates may show connection down state.
698625 FortiManager may not be able to view, add, or edit software switch members.
698709 When importing policies, firewall policies may not be loaded.
699031 FortiManager may display duplicated devices when Display Device/Group tree view is enabled in Workflow mode.
699182 FortiManager may fail to add FortiGate-101F as model device.
699450 SDWAN monitor is showing historical Traffic for interface which is down in defined Time period.
701446 SD-WAN monitor takes several minutes to display map if device tunnel is flapping.
702555 FortiManager may lose device admin user and geo-location information during on board process with model device.
702590 The system template may stop being displayed on the Devices & Groups page.
704197 FortiManager may fail to create a FortiSwitch in a 6.0 ADOM.
704789 SD-WAN monitor is missing Health Check Status information and probes.
705547 Route monitor may show incorrect interface information.
706194 When editing a model device and assigning a Policy Package, clicking the OK button may not take effect.
708937 FortiManager may randomly update the geographical coordinates of a FortiGate device.
709302 SD-WAN monitor search function on the table view does not actually search but highlights.
710616 FortiManager may not be able to set HTTPS or SSH Port to a value higher than 63335 under Provisioning Templates.
711034 There may be issues displaying meta data fields when creating or editing a device group.
713267 Searching for FortiGate name when editing a device group should display FortiGate device name with all the VDOMs.

Bug ID Description
554251 A user may not be able to see the fabric topology of devices in the user's assigned ADOM.

FortiSwitch Manager

Bug ID Description
667703 After adding FortiSwitch, running a script to provision may fail.
676739 FortiManager may not be able to delete VLAN interfaces created by FortiSwitch Manager.
690995 FortiSwitch Manager should not install the auto-detected setting to FortiGate.
700023 Install may fail with switch-controller managed-switch:poe-pre-standard-detection after upgrade.
700136 In FortiSwitch Manager, the Map to Normalized interface menu always displays none when editing a VLAN.
706953 Maximum one device entry can be found in device information column under FortiSwitch port.
707909 Template may be removed and Fortilink interface and comments fields may be empty.
708901 The assigned FortiSwitch template name that has more than sixteen characters may fail ADOM integrity check.
713492 In the per-device mapping of the VLANs in FortiSwitch Manager, the "Specify" for the gateway is not saved in the database.
713553 FortiSwitch Template flow counter interval value variance between 6.0 and 6.2 ADOMs.

Global ADOM

Bug ID Description
662216 Where Used in Global ADOM may not show object usage in ADOM.
689965 Replacement message type UTM is not being pushed from global ADOM to local ADOM.
695782 Connection to FortiGate may fail with multiple fgfmsd crashes.

Others

Bug ID Description
600490 SD-WAN controller cannot load page when changing HTTPS to non default 443.
667442 FortiManager may not be able to connect to FortiGate CLI via SSH widget or execute TCL scripts.
669191 The fdssvd daemon may randomly crash.
673383 Should not allow installation of v6.0 policy package to v6.4 device.
681625 The svc cdb reader process may crash during upgrade of ADOM.
681707 The diagnose cdb upgrade check +all command may unset defmap-intf.
682404 The rtmmond process memory usage may constantly increase.
683841 FortiManager databases may randomly lose integrity.
686460 ADOM integrity check may run slowly and it takes several minutes to respond for each ADOM.
687155 FortiManager should improve the error message for running CLI Template.
688188 HA re-transmission may not work and crash.
690969 The dmworker process may consume high memory and CPU resources with failures due to busy handler.
691568 FortiManager GUI may randomly become non responsive.
695549 _created timestamp is missing in REST API return data for policy.
697132 On some occasions, FortiManager is not accessible until device is rebooted every couple of days.
697361 FortiExtender status may not be correctly displayed.
704545 When there are a lot of workflow sessions and users try to disable the workflow mode via GUI, FortiManager may stop responding.
706516 Securityconsole may crash when there are quotes around group name.
715601 Under some conditions, disk usage may reach 100% after a few days.

Policy and Objects

Bug ID Description
487186 FortiManager may install a different local category ID to FortiGate causing conflict with custom URL rating list.
587634 FortiManager may not be able to create new wildcard FQDN type address to FortiGate 6.2.
593072 After a non-Super User deletes a device, super_user admin cannot edit zone or interface with the deleted device's dynamic mappings.
617894 FortiManager is missing IPV6 none values after modifying policy.
630431 Some application and filter overrides are not displayed on GUI.
654172 There may be webfilter local category ID mismatch between FortiManager and FortiGate causing incorrect action when using Custom URL List.
659543 FortiManager is not allowing reorder between Policy Blocks.
672035 There may be an error when importing AWS credential from FortiGate to FortiManager.
673554 FortiManager should not allow policy to set destination address with a Virtual Server when inspection-mode is set as flow.
675501 Policy check may show negative values.
675509 FortiManager may randomly set IPv4 IP Pool object to overload.
683167 Policy Package single entry change may impact all Policy Package Installation Targets status.
684081 Policy Check and Find Unused Policies may not work for FortiGate in Policy-Based mode.
684728 FortiManager and FortiGate should have equivalent filter list entries.
686902 FortiManager may not be able to configure ipv4-split-exclude attribute via CLI Object.
686962 FortiManager is not allowed to rename application control profile.
687460 The same filter may behave differently between source address and destination address.
687784 FortiManager may not be able to add rule with ISDB object when a rule is created with add above or below option.
688589 Setting the Local Webfilter Category Action to Allow should not disable the action when installed on FortiGate.
690269 Newly imported Cisco ACI connector object does not appear for selection until browser is refreshed.
690509 FortiManager may fail to install ACI-Direct connector to FortiGate due to server-list command.
692114 Where Used returns no record found when IPS Custom Signature is being used.
693763 Saving address object may return error: firewall/address/organization : The data is invalid for selected url.
694605 FortiManager may not be able to push the entire Azure SDN Connector configuration.
696072 FortiManager GUI should allow users to configure HTTPS health check monitor including fields such as http-match and http-get in the monitor.
700743 Viewing Policy & Objects may be slower after upgrade.
701290 FortiManager should not allow users to create a wildcard FQDN address object with non-wildcard FQDN.
702138 NGFW security policy Application category Unknown applications is missing on FortiManager while it is present on FortiGate.
702621 When adding a remote usergroup with LDAP service unreachable, the Manually specify option is only available after a timeout.
703639 Installing a policy package for a device using CLI template may stall.
704637 Firewall policy and VIPs may get deleted on policy package installation.
705025 Find Unused Policies may report incorrect session data for security policy.
706126 The Find Unused Policies option may be missing in dual pane mode.
707953 IPS sensor may incorrectly set action to pass instead block when quarantine is set.
708877 FortiManager 6.0 ADOM should not allow users to set ISDB objects that are not supported on FortiOS 6.0.
709435 FortiManager may not be able to import existing Azure SDN Connector from FortiGate.
711121 Enabling FortiGuard Outbreak Prevention database does not match FortiGate's behavior.
712150 Search in Address may not work after upgrading to FortiManager to 6.4.5.
712900 When new folders are created and the default policy package is deleted, then the new policy package cannot be created.
713216 When policy package is large, there is slowness loading policy package, installing policy package, or viewing sessions revision diff in workflow mode.
719104 FortiManager may not be able to select Internet Service group members when creating Internet Service group.

Revision History

Bug ID Description
638060 Installing an existing revision or renaming a revision should be allowed in backup ADOM.
657344 Installing from 6.0 ADOM may try to unset inspection-mode and unset ssl-ssh-profile on FortiGate 6.2.
664284 FortiManager may not be able to configure SSH certificate.
667148 When a policy install is performed, Install preview shows a lot of firewall policies with metafield changes without any actual change having been made.
673101 When set cfg-save manual is configured, FortiManager may try to delete objects that do not exist in the FortiGate configuration.
675867 The ssl-anomaly-log configuration may be incorrectly pushed by FortiManager when installing 5.6 ADOM policy to 6.0 FortiGate.
677659 FortiManager may fail to retrieve device configuration on web category with log threat-weight.
679139 When a policy package is shared between many firewalls, web rating override purge may fail in some scenarios.
683728 Installation fails due to VIP mapped IP range error when installing v6.2 policy package to v6.4 device.
685509 FortiManager may unset authmethod-remote causing install failure.
686036 FortiManager may remove allow access configurations for secondary IP when a policy package is installed.
687769 FortiManager may not be able to set auto-asic-offload to disable.
688474 FortiManager may fail to retrieve FortiGate configuration when adding device due to invalid data source with wtp-profile.
689270 The following attributes under configs vpn ssl setting may have invalid range: login-attempt-limit, login-block-time, http-request-header-timeout, http-request-body-timeout and router bgp keep-alive-timer.
691240 FortiManager should not unset the value forward-error-correction with certain FortiGate platforms.
691835 FortiManager should be able to move one VLAN to a different zone without deleting many rules or zones.
693225 FortiManager may install unset inspection-mode to FortiGate 6.2 device in 6.0 ADOM.
693231 FortiManager tries to purge webfilter ftgd-local-rating when directly referenced in URL Category of a policy.
694380 Installation may fail when set whitelist enable in ssl-ssh-profile is pushed to FortiGate 6.2 from a 6.0 ADOM.
697642 Connecting unauthorized FortiSwitch to a managed FortiGate may cause issues on FortiManager when auto-update is disabled.
698350 Install may fail with error: [VPN manager ] failed to update vpn node with device info.
700495 FortiManager 6.2 ADOM may be sending set synproxy to FortiGate-1801F.
701870 Process may stall at 85% when pushing multiple policy packages from Global ADOM.
709456 FortiManager may be missing configuration revisions after performing HA failover.
714173 Policy package installation from 6.2 ADOM changes cert-validation-timeout default value to block.
715313 FortiManager may not enable the option FortiGuard Category Based Filter after FortiManager is synchronized with FortiGate.

Script

Bug ID Description
668947 Changes using CLI Script may not be applied to devices in the container or folder.
671998 TCL scripts may not work when ssh-kex-sha1 and ssh-mac-weak are not enabled on FortiGate.
683208 Importing CLI script should be highlighted by default.
702576 Objects may not be present on the corresponding device configuration after running a script to rename objects.
715305 When changing system setting opmode from nat to transparent via a script, FortiManager may return failure to commit to database stating that there is no interface.
715623 Running a script on device database may not update Save status.

Services

Bug ID Description

680857 FortiExtender, FortiAP, or FortiSwitch upgrades can fail due to custom image being deleted during or after a failed upgrade.
691738 FortiManager may not be able to connect to FDS server via IPv6 proxy.
694903 Some firmware upgrade paths may have issues.
695685 FortiGate HA firmware upgrade may fail when both HA units need disk check.
699768 FortiManager should add 06002000NIDS02504 extend IPS database to default download list.
701341 FortiGuard Firmware Images may not show up-to-date FortiOS versions.
704584 FAP firmware may not be listed and cannot be imported.
714596 For web filter query, FortiManager should support category 9 mapping data.
714787 FortiManager should have a diagnose command to force web filtering database merge.

System Settings

Bug ID Description

517964 FortiManager may create incorrect certificate and it cannot be deleted.
598194 FortiManager two-factor authentication admin login is missing the option for FTK Mobile push notification authentication.
625683 Changes made by ADOM upgrade may not update Last Modified date/time and user admin.
635181 FortiManager is unable to delete mail server with error message used displayed.
637377 If Manage Device Configurations is none in admin profile, user may not be able to see the interface in the policy.
652417 FortiManager HA may go out of synchronization periodically based on the logs.
667284 FortiManager should have better log message when aborting device upgrade.
677528 Address object search may not display the address group which contains the searched object within the group.
684907 Changing of FortiGuard Server Location in License Information Dashboard may not take any effect.
686569 Creating and deleting the static route may remove specific connected route.
687223 Users may not be able to upgrade ADOM because of profile-protocol-options.
688517 Upgrading ADOM may fail due to FortiExtender Object.
689917 If a policy is configured with a Proxy Options profile with HTTP Policy Redirect enabled, the ADOM upgrade should enable the related option set http-policy-redirect enable to preserve the HTTP redirect feature.
690921 ADOM upgrade from 6.0 to 6.2 should not add custom ssl-ssh-profile to policies which were not configured for SSL inspection.
695058 Radius response packets should not time out in less than the remoteauthtimeout setting.
695360 ADOM upgrade may be slow and it may take several minutes to start.
697082 Schedule SCP backup may fail due to incorrect default port number.
699185 If Management Extension Applications (MEA) are enabled, all system settings may be lost after upgrading FortiManager.
699253 Admin profile should not need system level access to view list of time zones in Device Manager.
700142 FortiManager should allow user to configure more than eight hosts per SNMP community.
704504 License Information may keep loading for admin user with FortiGuard and System Settings with read-write permissions.
705185 ADOM upgrade may cause per device mapping of VLANs in FortiSwitch Manager change to 0.
705762 Session can be approved twice by different users of the same approval group.
708939 Dashboard is showing incorrect GB per day and device quota information when FortiManager is enabled.
711446 Copy may fail due to invalid protocol options when both FortiGate and ADOM are upgraded to v6.2.
713233 FortiManager may fail to upgrade firmware resulting in cdbupgrade task error on console and process crashes.
714210 LDAP admin group search should be done with the service or administrator bind account.
714635 FortiManager backup file size may increase gradually when IPS package gets updated.

VPN Manager

Bug ID Description
681110 VPN manager may not push any configuration on ADOM 6.0 for dial up VPN on FortiGate.
695879 Edit community may not be able to set VPN zone to off via GUI.
697308 VPN Manager is setting dst-name to all when using dst-name object group address in protected subnet.
701772 AP may not show up in AP manager after running CLI templates.
704614 FortiManager may not be able to push policy package due to VPN related error.

Common Vulnerabilities and Exposures

Visit https://fortiguard.com/psirt for more information.

Bug ID CVE references
672953 FortiManager 6.4.6 is no longer vulnerable to the following CVE-Reference: CVE-2021-24022
716350 FortiManager 6.4.6 is no longer vulnerable to the following CVE-Reference: CVE-2021-32589

701290 FortiManager should not allow users to create a wildcard FQDN address object with non-wildcard FQDN.
702138 NGFW security policy Application category Unknown applications is missing on FortiManager while it is present on FortiGate.
702621 When adding a remote usergroup with LDAP service unreachable, the Manually specify option is only available after a timeout.
703639 Installing a policy package for a device using CLI template may stall.
704637 Firewall policy and VIPs may get deleted on policy package installation.
705025 Find Unused Policies may report incorrect session data for security policy.
706126 The Find Unused Policies option may be missing in dual pane mode.
707953 IPS sensor may incorrectly set action to pass instead of block when quarantine is set.
708877 FortiManager 6.0 ADOM should not allow users to set ISDB objects that are not supported on FortiOS 6.0.
709435 FortiManager may not be able to import existing Azure SDN Connector from FortiGate.
711121 Enabling FortiGuard Outbreak Prevention database does not match FortiGate's behavior.
712150 Search in Address may not work after upgrading FortiManager to 6.4.5.
712900 When new folders are created and the default policy package is deleted, then the new policy package cannot be created.
713216 When policy package is large, there is slowness loading policy package, installing policy package, or viewing sessions revision diff in workflow mode.

719104 FortiManager may not be able to select Internet Service group members when creating Internet Service group.

Revision History

Bug ID Description
638060 Installing an existing revision or renaming a revision should be allowed in backup ADOM.
657344 Installing from 6.0 ADOM may try to unset inspection-mode and unset ssl-ssh-profile on FortiGate 6.2.
664284 FortiManager may not be able to configure SSH certificate.
667148 When a policy install is performed, Install preview shows a lot of firewall policies with metafield changes without any actual change having been made.
673101 When set cfg-save manual is configured, FortiManager may try to delete objects that do not exist in the FortiGate configuration.
675867 The ssl-anomaly-log configuration may be incorrectly pushed by FortiManager when installing 5.6 ADOM policy to 6.0 FortiGate.
677659 FortiManager may fail to retrieve device configuration on web category with log threat-weight.
679139 When a policy package is shared between many firewalls, web rating override purge may fail in some scenarios.
683728 Installation fails due to VIP mapped IP range error when installing v6.2 policy package to v6.4 device.
685509 FortiManager may unset authmethod-remote causing install failure.
686036 FortiManager may remove allow access configurations for secondary IP when a policy package is installed.
687769 FortiManager may not be able to set auto-asic-offload to disable.
688474 FortiManager may fail to retrieve FortiGate configuration when adding device due to invalid data source with wtp-profile.
689270 The following attributes under configs vpn ssl setting may have invalid range: login-attempt-limit, login-block-time, http-request-header-timeout, http-request-body-timeout and router bgp keep-alive-timer.
691240 FortiManager should not unset the value forward-error-correction with certain FortiGate platforms.
691835 FortiManager should be able to move one VLAN to a different zone without deleting many rules or zones.
693225 FortiManager may install unset inspection-mode to FortiGate 6.2 device in 6.0 ADOM.
693231 FortiManager tries to purge webfilter ftgd-local-rating when directly referenced in URL Category of a policy.
694380 Installation may fail when set whitelist enable in ssl-ssh-profile is pushed to FortiGate 6.2 from a 6.0 ADOM.
697642 Connecting unauthorized FortiSwitch to a managed FortiGate may cause issues on FortiManager when auto-update is disabled.
698350 Install may fail with error: [VPN manager ] failed to update vpn node with device info.
700495 FortiManager 6.2 ADOM may be sending set synproxy to FortiGate-1801F.
701870 Process may stall at 85% when pushing multiple policy packages from Global ADOM.
709456 FortiManager may be missing configuration revisions after performing an HA failover.
714173 Policy package installation from 6.2 ADOM changes cert-validation-timeout default value to block.
715313 FortiManager may not enable the option FortiGuard Category Based Filter after FortiManager is synchronized with FortiGate.

Script

Bug ID Description

668947 Changes using CLI Script may not be applied to devices in the container or folder.
671998 TCL scripts may not work when ssh-kex-sha1 and ssh-mac-weak are not enabled on FortiGate.
683208 Importing CLI script should be highlighted by default.
702576 Objects may not be present in the corresponding device configuration after running a script to rename objects.
715305 When changing system setting opmode from nat to transparent via a script, FortiManager may return failure to commit to database stating that there is no interface.
715623 Running a script on device database may not update Save status.

Services

Bug ID Description

680857 FortiExtender, FortiAP, or FortiSwitch upgrades can fail due to custom image being deleted during or after a failed upgrade.
691738 FortiManager may not be able to connect to FDS server via IPv6 proxy.
694903 Some firmware upgrade paths may have issues.
695685 FortiGate HA firmware upgrade may fail when both HA units need disk check.
699768 FortiManager should add 06002000NIDS02504 extend IPS database to default download list.
701341 FortiGuard Firmware Images may not show up-to-date FortiOS versions.
704584 FAP firmware may not be listed and cannot be imported.
714596 For web filter query, FortiManager should support category 9 mapping data.

714787 FortiManager should have a diagnose command to force web filtering database merge.

System Settings

Bug ID Description

517964 FortiManager may create incorrect certificate and it cannot be deleted.
598194 FortiManager two-factor authentication admin login is missing the option for FTK Mobile push notification authentication.
625683 Changes made by ADOM upgrade may not update Last Modified date/time and user admin.
635181 FortiManager is unable to delete mail server with error message used displayed.
637377 If Manage Device Configurations is none in admin profile, user may not be able to see the interface in the policy.
652417 FortiManager HA may go out of synchronization periodically based on the logs.
667284 FortiManager should have better log message when aborting device upgrade.
677528 Address object search may not display the address group which contains the searched object within the group.
684907 Changing of FortiGuard Server Location in License Information Dashboard may not take any effect.
686569 Creating and deleting the static route may remove specific connected route.
687223 Users may not be able to upgrade ADOM because of profile-protocol-options.
688517 Upgrading ADOM may fail due to FortiExtender Object.
689917 If a policy is configured with a Proxy Options profile with HTTP Policy Redirect enabled, the ADOM upgrade should enable the related option set http-policy-redirect enable to preserve the HTTP redirect feature.
690921 ADOM upgrade from 6.0 to 6.2 should not add custom ssl-ssh-profile to policies which were not configured for SSL inspection.
695058 RADIUS response packets should not time out in less than the remoteauthtimeout setting.
695360 ADOM upgrade may be slow and it may take several minutes to start.
697082 Schedule SCP backup may fail due to incorrect default port number.
699185 If Management Extension Applications (MEA) are enabled, all system settings may be lost after upgrading FortiManager.
699253 Admin profile should not need system level access to view list of time zones in Device Manager.
700142 FortiManager should allow user to configure more than eight hosts per SNMP community.
704504 License Information may keep loading for admin user with FortiGuard and System Settings with read-write permissions.
705185 ADOM upgrade may cause per device mapping of VLANs in FortiSwitch Manager change to 0.
705762 Session can be approved twice by different users of the same approval group.
708939 Dashboard is showing incorrect GB per day and device quota information when FortiManager is enabled.

711446 Copy may fail due to invalid protocol options when both FortiGate and ADOM are upgraded to v6.2.
713233 FortiManager may fail to upgrade firmware resulting in cdbupgrade task error on console and process crashes.
714210 LDAP admin group search should be done with the service or administrator bind account.
714635 FortiManager backup file size may increase gradually when the IPS package gets updated.

VPN Manager

Bug ID Description
681110 VPN manager may not push any configuration on ADOM 6.0 for dial up VPN on FortiGate.
695879 Edit community may not be able to set VPN zone to off via GUI.
697308 VPN Manager is setting dst-name to all when using dst-name object group address in protected subnet.
701772 AP may not show up in AP manager after running CLI templates.
704614 FortiManager may not be able to push policy package due to VPN related error.

Common Vulnerabilities and Exposures

Visit https://fortiguard.com/psirt for more information.

Bug ID CVE references
672953 FortiManager 6.4.6 is no longer vulnerable to the following CVE-Reference: CVE-2021-24022
716350 FortiManager 6.4.6 is no longer vulnerable to the following CVE-Reference: CVE-2021-32589