Resolved Issues

The following issues have been fixed in 6.4.7. To inquire about a particular bug, please contact Customer Service & Support.

AP Manager

Bug ID Description

633171 There may be DFS Channel mismatch between FortiManager and FortiGate for FAP-223E.
677419 FortiManager may show installation error on dual-5G radio band while pushing wireless-controller configuration.
682443 FortiManager should allow setting the index floor value and AP location should not be lost.
689325 FortiManager may not be able to configure Channel 13 for Germany AP profile.
698004 When installing to a 6.4 FortiGate device from a 6.2 ADOM, there may be an issue with set vap-all manual within the AP Profile.
702114 FortiManager is unable to see 5GHz clients in Health Monitor.
716135 There may be a verification error when trying to install FortiAP with 2.4GHz Radio 1 channel disabled.

Device Manager

Bug ID Description
563690 Device Manager fails to add FortiAnalyzer which contains a FortiGate HA device with error: serial number does not match database.
615044 Configuration status may be shown as modified after adding FortiGate to FortiManager.
640907 FortiManager is unable to configure FortiSwitch port mirroring.
665207 FortiManager needs IPv6 support on Syslog server setting.
670577 When creating an API admin from CLI Configuration, the trusted host section is missing.
674123 SD-WAN template > SD-WAN Rules options for Load Balance Mode do not match that on FortiOS.
690493 License check setting may not be saved.
692200 FortiManager may return conflict after a zero-touch-provisioning cluster deployment.
696730 FortiManager is unable to promote Secondary FortiGate as Primary in a HA Cluster.
697148 Interfaces that are members of SD-WAN and with interface-based traffic shaping applied should be displayed in the Traffic Shaping widget.
697596 Advanced Options is not displayed when creating a new interface.
702906 DHCP Relay Service may not be deleted when it is configured on VLAN interface.
705448 Device connection status may remain Up after shutting down device port and update device status.
709214 System template should allow Source Interface to be selected when specify is activated as interface-select-method.
711005 Under backup ADOM, FortiManager should hide the selection for Provisioning Templates and Policy Packages in the Add Device wizard, device Dashboard, and device Edit page.
711713 DHCP relay is displayed as DHCP server when Workspace is unlocked.
711888 FortiManager is not retrieving and saving the vdom-exception configuration.
714036 SD-WAN widget cannot be loaded when a rule uses a specific SLA target.
714208 Device Manager may not be able to save scan-botnet-connections option in interface settings page.
714611 Creating interface from VDOM may return No Match Found error.
714710 Secondary interface configuration may not show on Device Manager.
718184 AutoUpdate with unset options & unset post-lang may cause device database and policy package status to show OUT-OF-SYNC.
719028 FortiManager may not update FortiGate's VDOM license information when it is changed.
719968 SD-WAN Monitor should show the proper Map View of all devices.
726359 After upgrade, Device Manager may not show managed devices after switching from Table View to Map View.
726990 When an administrator has access to a specified device group, FortiManager may remove devices that do not belong to the group when synchronizing device list to FortiAnalyzer.
728655 Configuration status may not be shown as Synchronized after installation.
728687 Policy package status may change to Modified on all FortiGate devices when a dynamic address group changes.
729301 A managed FortiGate with assigned CLI template remains in modified state following a successful device configure installation.
731551 FortiManager may return error, Failed to synchronize FortiAnalyzer with current ADOM data.Fail(errno=-3):Object does not exist, when adding FortiAnalyzer device.
733076 Model device links to real device may not work.
733080 Device status appears in the GUI even though there is no activity for the session between FortiManager and FortiGate.
735106 Delete is spelled incorrectly when attempting to delete invalid host cluster device.

FortiSwitch Manager

Bug ID Description
700023 Install may fail with switch-controller managed-sweatshop-pre-standard-detection after upgrade.
716277 FortiSwitch Manager > Managed Switches tab is not in place after re-sorted.
740936 FortiSwitch VLAN template creates unknown interface platform mapping.

Global ADOM

Bug ID Description
667197 Users should not be able to delete global object when ADOM is not locked.
680798 FortiManager may return error, Could not read zone validation results, when assigning global ADOM changes with Automatically Install Policies to ADOM Devices.
693510 Display Options for Object Config will reset to default after some time.
710963 FortiManager may show unclear error message when trying to promote an object from an ADOM to Global database under Workspace or Workflow mode.
722562 Users may not be able to filter ADOM when assigning Global Policy.
724229 Global ADOM display options may be reset to default after reboot.

Others

Bug ID Description
697361 FortiExtender status may not be correctly displayed.
724470 dmworker may crash on device retrieve or revision import.
728375 JSON API may return "runtime error 0: invalid value" error when getting dynamic mapping with "fields" attribute.
732144 A CA certificate may be missing from some older FortiManager platforms causing failure to login with FortiCloud SSO.
679163 Execute tac report launched in CLI Widget fills the /tmp and prevents retrieval of FortiGate's configuration.

Policy and Objects

Bug ID Description
487186 FortiManager may install a different local category ID to FortiGate causing conflict with custom URL rating list.
569446 Interface subnet address object may show any as interface instead of the selected interface.
636537 CLI Only Objects > User > peergrp is not able to delete peergrp.
642708 View Mode may unexpectedly change from Interface Pair View to By Sequence mode.
654172 There may be webfilter local category ID mismatch between FortiManager and FortiGate causing incorrect action when using Custom URL List.
663109 FortiManager should not allow user to select a profile group in a flow-based policy that uses a proxy-based feature.
666091 After cloning a policy package, the cloned policy package loses the installation targets.
666258 User should not be able to create a firewall policy with an Internet service with Destination direction in Source by using drag and drop.
677528 Address object search may not display the address group which contains the searched object within the group.
679282 Editing a global object in an ADOM is not possible and generates the error, "undefined is not iterable".
686911 Workflow session may not be able to compare with error: "Can not compare because of invalid Revision Diff data".
690231 Where-used may fail to display references to certificate-inspection that were added to firewall policies in previous versions.
690295 FortiManager may be slow when multiple users access GUI at the same time.
696489 URL Filter under Web Filter profile may not be enabled properly.
701526 There may be an issue scrolling down to view policy consistency results.
704148 FortiManager is missing some IPS signatures while they are available on FortiGate.
704637 FortiManager allows VIP to be configured without default value or dynamic mapping.
705189 "config authentication scheme" policy is not available for more than one FortiGate on the same policy package.
712213 Users may not be able to filter policy using Inspection Mode field.
715269 CVE-2021-26857 default action should be Drop on the FortiManager when the IPS version is greater than 18.028.
715275 FortiManager may not be able to show a specific signature.
715722 Users may not be able to delete a Global Object.
716114 FortiManager should push changes in ssl-ssh-profile with Untrusted SSL Certificates setting reverted from Block to Allow.
719698 Performance for policy install may be slightly degraded after upgrading from 6.4.5 to 6.4.6.
719700 FortiManager may have incorrect IPS default action entries in database.
719981 Where Used function may return no result for Internet Service objects.
720896 SSO admin with a Restricted Admin profile should be able to view Web Filter, Application Control, or IPS objects.
722087 Edit user group with remote members on FortiManager GUI may cause unexpected change in set group-name.
723409 After upgrade, installing policy to FortiOS 6.0 devices may fail.
724718 When FortiManager's NSX-T connector is executing an API request, it should not be limited to 50 records.
725132 When modifying the IP address of Default VPN Interface of spoke in Device Manager, the hub remote gateway should be modified to reflect that change.
725274 GUI may be slow when filtering many entries with DNS filter.
726424 IPS signature list may be empty after upgrade.
727329 FortiManager may fail to identify case sensitivity with an interface that has a similar name for the Normalized Interface settings.
729287 User may not be able to edit DNAT.
730487 Copy procedure may stall at 67% with securityconsole crashes when copying policy package.
730523 Unused policies tool may always generate a PDF containing all policies.
732208 The ip_addresses from NSX-T are incorrectly Resolved To in FortiManager.
738109 FortiManager may not install auth-cert from policy package to device.
738745 When an object is renamed, the new name must be used on all policies.
738595 FortiManager may not correctly push AWS connector credentials.

Revision History

Bug ID Description

642878 FortiManager should return a clear copy fail log for dynamic interface check error.
683728 Installation fails due to VIP mapped IP range error when installing v6.2 policy package to v6.4 device.
691240 FortiManager should not unset the value of forward-error-correction with certain FortiGate platforms.
708913 FortiManager may try to set sflow-counter-interval and unset trunk-member resulting in installation failure.
711314 VDOM specific Disclaimer Page configuration is purged from default replacemsg-group during Policy Package installation.
724340 FortiManager may unset forward-error-correction from FortiGate 7060E devices.
724976 In Zero Touch Provisioning deployment, device database may get wiped by an AutoRetreive task.
725717 After upgrade, installation may fail due to mcast-session-counting.
728117 After upgrade, install may fail due to set pri-type-max 1000000.
728422 Policy validation may fail due to dynamic mapping for global object that is for FortiGate 6.2 device but it is in 6.0 ADOM.
733518 FortiManager may incorrectly move DNAT objects.
735988 Switch and AP names may be reverted by controller status update from FortiGate.
742242 Install fails after upgrade due to set server-identity-check enable on LDAP server configuration.

Script

Bug ID Description

630016 FortiGate users can see scripts from all ADOMs.
689775 Users may not be able to edit an empty CLI Script Group.
707952 Copying of CLI Script Group from one ADOM to another ADOM may not work.
715632 Script configuring AntiVirus quarantine may fail.
721740 FortiManager may fail to run CLI script on Device DB after dmworker crash.
729571 TCL script commands run on device no longer show in the script log.

Services

Bug ID Description

567664 HA secondary device does not update FortiMeter license.
673302 FDS updates may fail with TLS v1.3.
685678 When FortiMail FIPS mode is enabled, FortiManager should be able to validate its license.
688498 FortiSwitch version shown in the FortiGuard package page is not seen on FortiGate.
700579 FortiManager should be able to provide the license information for isolated FortiSandbox.
702001 When receiving valid FCP updates, FortiManager should remove model flag for non FortiGate platforms.
704057 FOS-VM may not be able to update ISDB due to no contract on FortiManager.
725721 FortiManager may not be able to recognize all FortiGate units within an HA cluster, and it may not be able to update services to all units.
733174 FortiManager may not be able to recognize the object id 06002000NIDS02604 as IPS Signature Database (Extended).

System Settings

Bug ID Description

663185 Search may not work for event logs in text mode.
672954 Users should not be able to disable ADOM when there is non-root ADOM.
687968 FortiManager should not change to ipv6-autoconf to disable when management access is changed to the ipv6-autoconf enable state.
700608 The variable from meta data is shown as not case sensitive, whereas the variable is case sensitive when used in a CLI template.
705145 Username is truncated to 49 characters in the notification Emails sent by FortiManager for workflow approvals.
709873 Global task assignment time may not be accurate.
711686 Workflow approval does not work when admin name has more than 49 characters.
722320 The NOT search in advanced/text mode search is not working for system event logs.
723117 Admin user may not be able to see who has locked an ADOM.
726007 Admin User systematically gets access to Root ADOM in case of RADIUS authentication and "Fortinet-Vdom-Name" VSA not set.
726138 After upgrade, FortiSwitch Template setting 'poe-pre-standard-detection' may cause installation failure.
727458 FortiManager may not allow users to access all the VDOMs within an ADOM.
738395 FortiManager tasks' time used should not be increased by timezone.

VPN Manager

Bug ID Description
712861 Policy Package Status stays Synchronized even though SSL-VPN Portal configuration is changed using VPN Manager.
