Resolved Issues

The following issues have been fixed in 6.4.8. For inquiries about a particular bug, please contact Customer Service & Support.

AP Manager

Bug ID Description
691540 Where Used should indicate that an AP is still in use in one or more FortiGate devices.
697444 SSID with MPSK may not pass verification during an install.
718464 Firmware upgrade fails for FortiAP 421E from FortiManager.
726287 Deleting Floor Map may return a blank pop-up with error.
728372 Importing SSID with optional VLAN ID set creates incorrect per-device mapping.
750255 FortiManager should enable DFS channels on WTP profiles for FAP234F and FAP231F with region N.
750458 AP Manager should not send local-authentication for VAP with wpa-enterprise and Radius to managed FortiGate.
757706 FortiManager might downgrade FortiAP with enforced firmware version.
763233 AP profile may not contain SSID when AP Manager is in central management mode.
770234 5GHz DFS channels on AP Profile were not supported for FAP U231F.
772194 FortiManager should not install the setting set security-redirect-url without making any such change.
772213 FortiManager may try to delete default wtp 11ac-only profile on FortiWiFi-60F causing install to fail.
785471 FortiManager was deleting wireless-controller wtp and the objects referenced by wtp during the first installation after the upgrade.

Device Manager

Bug ID Description
545239 After adding FortiAnalyzer fabric ADOM to FortiManager, Device Manager's Log Status, Log Rate, or Device Storage columns cannot get data from FortiAnalyzer.
587404 FortiManager sets incorrect captive-portal-port value when installing v6.0 policy package to v6.2 devices.
638750 Where Used may not work for IPsec Phase 2 allowing users to delete used objects.
662095 FortiManager may take too much time to send SLA updates to one thousand or more FortiGate devices.
673008 SD-WAN Rules order changes to the default order when creating a rule and moving it to the top.
677836 The Client Address Range setting should allow users to configure assign-IPs from firewall address or group.
691611 When FortiManager performs auto-retrieve, it causes all policy package statuses to become unknown after a new VDOM is created on FortiGate.
699893 SD-WAN's priority-members is missing from CLI configuration page.
701348 Once VRRP instance is created, user should be able to edit or delete it.
709214 System template should allow source interface to be selected when specify is activated as interface-select-method.
712578 FortiManager does not allow WiFi SSID with special characters.
713833 It may not be possible to rename device zone.
725334 Importing policy package shows ngfw-mode policy-based with the inspection-mode set to proxy.
726721 Unable to add multiple DNS domain names in Provisioning Template.
727123 Meta Field is not translating values with spaces into correct scripts.
729301 A managed FortiGate with assigned CLI template remains in modified state following a successful device configure installation.
729413 FortiManager is missing peer options with dial up user configuration with VPN IPSec Phase 1.
730482 CLI Template cannot add system DNS database entries if set domain contains the underscore character ("_").
731204 FortiManager may incorrectly display Object already exists message while creating a new Hardware Switch interface.
732246 Clock format option no longer works to format date in TCL scripts.
733379 FortiManager cannot edit global level configuration when management VDOM is not in the current ADOM.
733934 During zero-touch-provisioning with Enforce Firmware Version enabled, upgrade task may hang if the connection is reset during the image transfer.
735360 When editing a device group, search results do not show the device if VDOM name is matched by search keyword first.
735402 When creating a new CLI Group Template and adding members to it, users cannot select other CLI Group Templates that are already created.
737025 SD-WAN monitor widget may not be loaded when multiple performance SLAs are added.
737908 The install fails with a verification failure when trying to delete the LAN interface members.
739369 When revision history is large, FortiManager may be unable to retrieve configuration.
740893 Secondary IP may be purged when setting a description to VLAN interface.
743102 Device & Groups > VPN Phase1/Phase2 does not show the proposal column when using FGT-VM type "FGVMIB".
743112 Interface Bandwidth widget on FortiManager under Device Manager does not display any data for FortiGate.
743267 FortiManager's GUI does not show the virtual-switch ports as interface members for Hardware switches.
744628 After exporting system template, importing the same configuration through the CLI may fail.
744973 FortiManager GUI throws an error when switching from Policy & Objects to Device Manager.
747955 There may be a performance issue when onboarding new SD-WAN devices.
748240 When FortiAnalyzer is managed by FortiManager, new devices that are registered to FortiManager should be synchronized under the corresponding ADOM on FortiAnalyzer.
749823 Named Address Static Route with SD-WAN cannot be selected on FortiManager.
749923 SD-WAN logs cannot be saved for some devices when sdwan-monitor-history is set as enabled.
750303 Under System > Interface, the data shown on this page may be incomplete.
750838 FortiManager may fail to import device list from another FortiManager due to the meta field containing prefix "_meta_".
751427 Provisioning Template with empty name cannot be deleted or edited.
753258 FortiManager may be unable to show SD-WAN monitor data when the rtmmond daemon is stuck.
754465 FortiManager should also count promoted hidden devices.
755519 Zero-touch provisioning with script installation may fail due to duplicated snmp-index.
759905 When creating a device zone, device mapping may not be created when the zone is mapped to a normalized interface with the map as zone only option.
760099 When creating EMAC VLAN from Device Manager, FortiManager should show VLAN ID field.
760132 Device Manager may be unable to delete FortiGate-7000E HA cluster members.
762082 When creating a Static Route, FortiManager may take a few seconds to display available Named Address.
763797 Installation fails due to configuring forward-error-correction on FGT's interfaces.
764491 Unable to configure more than one IP address for vrdst under the interface vrrp setting.
764841 FortiManager is unable to use secondary IP as source IP in DNS database.
765762 FortiManager is unable to install the switch controller > VLAN interface configuration during the ZTP process.
773336 FortiToken provision button is grayed out in Device Manager while it is enabled on FortiGate with the same token.
777925 Several unregistered FGTs consume FortiManager's resources. As a result, FMG becomes very slow and unresponsive.
779260 When sdwan-monitor-history is enabled, replace last 5 minutes with last 10 minutes.
779836 FortiManager cannot install TCP-connect using Random port for SD-WAN.
779900 Administrative user GUI-dashboard information should be deleted upon VDOM deletion.
792553 Removing VLANs from Zone and adding a new VLAN to the same Zone deletes that Zone.
793941 Unable to install VPN psk with special characters through CLI template.
795913 Error Probe Failure has been observed when adding FortiAnalyzer to FortiManager.

FortiSwitch Manager

Bug ID Description
684371 Clicking OK to import FortiSwitch Template results in no response.
748200 FortiSwitch monitor may show incorrect interface status for QSFP port.
764258 FortiManager should not update trunk-member value as it is controlled by FortiGate.

Global ADOM

Bug ID Description
660852 FortiManager should not save invalid default value for ssl-ssh-profile in global database.
691562 Threat feeds global objects are not installed to destination ADOM when using the assign all objects option.
725763 Automatic install to ADOM devices may fail from Global ADOM.
728803 Copying global firewall policy may fail due to duplicate IPS sensors.
737381 FortiManager should not allow users to delete the default reserved address object starting with "g-".
740942 srcintf selector in Traffic Shaping Header or Footer Policy may not work in Global ADOM.
741942 FortiManager should show clear error message for duplicated object assigned from Global ADOM.
745772 FortiManager may randomly delete FortiManager IPv4 policies when assigning from the Global ADOM.
760804 FortiManager may return an error when adding address object to global policy.
743734 Cannot remove objects from Global Database.
768527 After upgrading the global ADOM, installation failed due to the custom ssl-ssh-profile config.

Others

Bug ID Description
505795 FortiManager should allow users to configure the list of allowed TLS cipher suites.
657997 Assigning device to system template may not work through JSON when FortiManager is in workspace mode.
707911 FortiManager should be able to assign VLAN interface to FortiExtender.
715601 Under some conditions, disk usage may reach 100% after a few days.
718251 Web service with port 8080 disabled may still be in listening state.
733078 FortiManager may show multiple fmgd crashes with signal 11 segmentation fault.
733208 Users may be unable to log in from GUI after restoring a database with changed HTTP or HTTPS port number.
738639 Users should be able to obtain status of the FGFM reclaim-dev-tunnel through an API call.
740523 Retrieve task may fail because the autoupdate file has already been deleted by FGFM.
742137 FortiManager may return an error when running an Ansible script to configure network interfaces, zones, and policies.
744197 If a VDOM is created and then gets the VDOM information from JSON API, the VDOM mode may be shown as NULL.
744736 FGFM tunnel may go up and down with multiple fgfmsd crashes.
746311 fgdsvr process may crash when URL length is longer than 1024 characters.
750419 Execution of integrity check may remove dynamic mappings.
763635 Unable to upgrade an ADOM from 6.2 to 6.4.
763669 FortiManager Pay-As-You-Go should support connection to FortiCare through proxy.
764674 Map should use the region defined by the coordinates in System Settings > Advanced Settings or the FortiManager's time zone.
766105 FortiManager may be unable to upgrade ADOM from 6.2 to 6.4 due to cdb crash.
766874 FortiManager holds the wrong value for AP limit of the FG-80F.
775574 There is a Criteria Latency field which is different between FortiGate and FortiManager when creating the manual interface option for SDWAN rules.
776342 System NPU values may be different between FortiManager and FortiGate-1801F.
776413 FortiManager lock/commit operation is very slow when FortiManager HA is enabled.
783226 Fabric View may keep loading.
792887 Verification fails for default dnsfilter profile due to wrongly installing "set category 0".
794304 Interface Bandwidth widget is displayed in ADOM 6.2 in FortiManager version 6.4.

Policy and Objects

Bug ID Description
503978 Thread Feeds should be Threat Feeds on Fabric Connector.
549492 Load-balance type VIP cannot be displayed and saved correctly.
585177 FortiManager is unable to create VIPv6 virtual server objects.
615250 Search by CVE may not work for both IPS signatures and IPS filters.
644822 Imported SDN connector objects may change to random names.
657534 SSH and MAPI should not be supported in file filter profile protocol under flow mode.
696367 Hit count, first used, and last used may not get updated on FortiManager.
699975 Multiple filters are missing for Azure SDN connector.
701750 The App Control set to Monitor in FMG causes the app to disappear from FGT.
709908 When checking the status on AntiVirus profile, it may not show the correct inspection mode in list view when status stays in flow-based (Full Scan).
713886 FortiManager returns error method failure when setting a shaping profile in normalized interface using per-device mapping.
714375 There are no warning messages when assigning in-use normalized interfaces.
717031 FortiManager doesn't update the Hit Count number.
718223 Hyperscale firewall EIF shall not be enabled when IP pool with CGN overload configuration is used in a policy.
725024 Proxy Policy page shows empty when the View Mode is selected as Interface Pair View.
725132 When modifying IP address of Default VPN Interface of spoke in Device Manager, hub remote gateway should be modified to reflect that change.
726328 SSL-SSH profile may display incorrect options when using SSL certificate inspection.
729705 Installing policy requires interface validation for interfaces not being used in the policy package.
730523 Unused policies tool may always generate a PDF containing all policies.
731053 FortiManager may miss some Internet Service entries.
732138 Non-full admin users should be able to export Policy Check and Unused Policy results.
732199 FortiManager displays the group ID instead of displaying name with NSX-T Connector.
734556 FQDN type firewall address object can be created with an unsupported format.
737424 Policy package import fails due to the Device mapping::"query failed. error.
738475 Special characters within policy's comment cause all policies to disappear from the GUI.
740944 Custom IPS signature script may fail to run on policy package or ADOM database.
742257 NPU log servers for hyperscale do not show up in policy package.
744049 Proxy policy does not accept configuration with both IPv4 and IPv6 address objects.
744591 Installing or importing IPS custom signature may fail when a signature's name contains a space character.
744766 FortiManager may not be able to retrieve IP address for group with NSX-T v3.1.2.
744934 FortiManager may try to install undesirable changes to FortiGate-5001E, FortiGate-5001E1, and FortiGate-5001D.
745355 Section labels are not visible in virtual-wire policy section.
745884 FortiManager GUI may not respond when triggering policy package install wizard under Policy & Objects.
746273 Column filter may be extremely slow with large policy package.
747537 Where Used should show the correct object references for newly cloned objects.
747558 FortiManager filters should work for Hit Counters, First Session, and Last session.
748222 Cloning of a policy package is grayed out for admin users with restricted access to particular policy package folder.
748235 Filtering by hit count may not work for policies.
748246 Where Used may result in an empty top-left frame for policy packages.
748467 FortiManager does not have the same profiles as FortiGate with explicit proxy policy.
748498 There may be an issue with Transparent Web Proxy when using interface pair view.
748556 FortiManager should not allow users to create Explicit proxy FTP with pool name.
749519 IPv4 policies in policy block may be hidden on FortiManager's GUI.
749576 FortiManager may try to install hidden synproxy parameters for DOS policy to FortiGate.
750160 custom-url-list may not be correctly parsed when URLs contain space characters.
750539 If FortiGate allows selecting LogMeIn app using specific filter override, FortiManager should also allow it.
750882 User may not be able to save changes in SSL/SSH inspection profile from GUI.
751137 Installation performance issues may occur with a large number of dynamic mappings and many FortiAP or FortiSwitch devices.
751710 Editing a global user FSSO object's dynamic mapping is not possible.
751767 Export to Excel when filters are applied for a policy package does not work.
752777 FortiManager should be able to manage valid authentication rules containing User-Agent proxy address.
752822 FortiManager may not respond when adding a firewall address or group to a policy and changing the policy comment at the same time.
754225 Policy package status is out of sync without changes.
755252 Plus (+) sign should be added for SMS phone number when two-factor FortiToken Cloud is enabled.
755348 FortiManager should support more than one thousand traffic shapers.
757164 FortiManager database contains parameter webfilter-searchengine-Baidu-gb2312 that does not exist on FortiGate.
758526 FortiManager should be able to delete many per-device mappings quickly.
758809 When policy package is in policy-based NGFW mode, FortiManager may still set action to accept, even when the policy is specified as deny.
760869 Deleted objects may remain referenced in firewall policy.
765793 Adding custom signature with _vdom-name should not prevent pushing changes to numerous devices.
765812 Hyperscale policy packages do not show log server until you get into a policy.
767317 Policy Hit Count may not be updated for Read-Only admin.
768353 Commit action is taking too much time and it makes the FortiManager slow.
769997 Selection for user SAML as member under the user group may not take effect.
770210 Where Used may not report used objects properly.
770256 FortiManager displays error when using push to install for objects utilized by policy blocks.
770678 Changing Action from Accept to Deny should ignore all UTM profiles within the firewall policy.
771941 FortiManager is unable to import or create virtual server with real servers using the same IP but different http-host.
774435 Right-click menu to add object may return an error: cgn-resource-quote:out of range.
775128 Unable to create more than twenty (20) SAML users in policy package object.
776361 Policy lookup may not work if the managed devices are in transparent mode.
777554 There may be slowness when using Find Duplicate Objects with Merge tools.
779947 Address group changes for per-device mapping do not apply to FortiGate when address group is used in policy route.
779965 Users may be unable to export firewall header and footer policies to Excel.
783899 There may not be empty lines in IPS Signature and Filters.
786684 Installation fails because the virtual-wan-link did not exist.
789957 Created time doesn't indicate AM or PM on the Tools > Find Unused Policies.
791797 Installation failed after upgrading ADOM from 6.2 to 6.4.

Revision History

Bug ID Description

618305 FortiManager changes configuration system csf settings.
643101 Copy may fail due to VIP overlapping when installing policy package.
657424 FortiManager may disable the "l2forward" and "stpforward" settings on virtual switch interface when installing policy package.
660525 When installing from FortiManager, it may unset comment, organization, and subnet-name during install.
674094 FortiManager may unset explicit proxy's HTTPS and PAC ports and change the value to 0 instead.
674196 Installation may fail after editing or creating a firewall policy if reputation-minimum is set.
691240 FortiManager should not unset the value forward-error-correction with certain FortiGate platforms.
700495 FortiManager 6.2 ADOM may be sending set synproxy to FortiGate-1801F.
713552 If VIP address's source-filter list is too long, installation may fail.
722604 After removing a member of user group that is used only in XAUTH, FortiManager is not deleting the unused local user on FortiGate.
724647 After upgrading to 6.4, retrieve from a chassis may take a long time.
725252 When customer is trying to push policy package to a device group, installation window may not show any progress but a red cross.
725557 Install always tries to delete hardware switch member interface causing installation failure.
725717 After upgrade, installation may fail due to mcast-session-counting.
728447 Installation may fail due to VIP's mapped IP as a range with two identical IP addresses.
728918 FortiManager should install changes applied on Global policy package and not indicate warnings like "no installing devices/no changes on package".
729148 Install fails when new transparent mode VDOM is added directly via FortiGate CLI and imported into FortiManager.
735455 FortiManager may try to delete thousands of policies during install.
740858 GCP project name must be set during install.
741543 Install may fail with unset MAC address on EMAC VLAN.
742806 When modifying a configuration and installing Device Setting only, FortiManager may not display the device's configuration change.
744966 After upgrading FortiManager, policy install verification may fail with Config status changes to Conflict due to invalid default value for log memory filter.
745715 FortiManager may not be able to install policy package with firewall rule using VIP group due to zone binding.
747837 FortiManager may try to delete interfaces lan1, lan2, and lan3 which are used by virtual-switch.sw0 on FortiGate-40F.
748350 Explicit proxy FTP ssl-ssh-profile application-list may not be installed.
748462 FortiManager should not set the HA interface IP under the central-management on FortiGate when the master unit fails.
749587 If a device revision is corrupted, FortiManager may be able to remove or create any revision.
750637 FortiGate-5001E, FortiGate-5001E1, and FortiGate-5001D may be mistakenly set to support switch-profile.
751771 Users may not be able to create hardware switch interface from FortiManager.
751776 Renaming IPSec Phase1 that is member of a zone causes all zone related rules to be re-created.
754081 Application Control signatures belonging to Industrial Category are removed from FortiGate in split mode during policy install.
755059 After disabling NAT on hyperscale policy, there may be installation failure on unset action.
755687 FortiManager may show admin with no password when adding a new VDOM to FortiGate-2200E/2201E.
756508 FortiManager may unset chassis ID causing HA cluster loss.
757716 There may be install issue with Web Filter's "config ftgd-wf" which does not exist on NGFW policy mode on FortiGate.
764497 FortiManager should not create a new wildcard FQDN object while renaming it.
767824 FortiManager may unexpectedly delete custom signature when installing policy package.

Script

Bug ID Description

384139 Filter does not work on device group.
654700 Users need to open "View Script Execution History" to see that TCL script fails.
740938 Direct CLI script may fail when it contains an 'exec' command.
757156 When running CLI script remotely on 100+ firewalls, partial configuration is retrieved and it may cause routing to be removed from device database.
780604 When creating a new phase1 interface, dpd=on-idle settings may not be saved.
787113 TCL scripts fail to run if the admin's password is longer than 36 characters.

Services

Bug ID Description
644021 FortiManager should be able to use custom certificates for update-related services.
704584 FortiAP firmware may not be listed and cannot be imported.
718256 FMG-VM64-AWSOnDemand may not retrieve the proper license when it is behind a proxy.
725118 FortiManager may not log FortiGuard connectivity failures.
741846 AP upgrade task may hang at 45%.
748489 Numerous svc cdb reader processes reaching 100% CPU utilization.
796345 FMG does not recognize the entitlement file for some FGTs.

System Settings

Bug ID Description

640670 If a user specified ADOMs, including global ADOM, workflow approval may not be able to find the same user.
687992 Backup that includes IPSec VPN cannot be restored.
690926 FortiManager is removing SD-WAN field description upon ADOM upgrade from 6.2 to 6.4.
696554 FortiManager may generate a lot of cdb event log for object changed event logs.
706303 Template assignment or save may not generate clear event logs.
721153 Scroll bar is missing from device drop-down list on ADOM overview page.
727233 ADOM license count should not count root ADOM.
728991 Nested group search fails with Bad search filter, if the user DN contains characters like "," and "()".
729280 Admin User with no access to management ADOM or VDOM can create a new VDOM from non-management ADOM > VDOM.
731084 FortiManager upgrade should not have warning when there is no upgrade path.
734422 The "svc sys" daemon may have high memory usage when API is used to upgrade FortiGate devices.
735067 When creating a local account with the Force this administrator to change password upon next log on option selected, the setting should be applied for the first login.
737142 FortiManager should support using the special character "@" in SNMP community name.
738622 ADOM upgrade from 6.0 to 6.2 may fail due to FortiExtender object.
745333 Remote authentication servers should not be synchronized among HA members.
745365 Event log may be truncated when the log contains many address objects.
746568 FortiManager may continuously change NTP synchronization server.
748237 Users may be unable to disable ADOM using GUI or CLI.
751069 User may be unable to disable ADOM after upgrade.
762708 LDAP may become stuck for twenty seconds if LDAP is not responding.
768682 Setting a Cluster ID for a model HA cluster results in an invalid group ID under config system ha.
775091 Two factor authentication fails when special characters are used in CN.
777726 FortiManager may not generate event logs for meta field changes.
778405 Script Groups should be copied with their members when cloning an ADOM.
783066 If the number of FortiGate devices registered is in the upper limit of the license count, it may cause HA to become asynchronized.
790409 idle_timeout under admin settings is not converted properly after performing the upgrade.

795655 FortiManager loads the Administrator list under the System Settings very slowly.

VPN Manager

Bug ID Description

721783 Applying Authentication or Portal Mapping changes may take several minutes.
735417 FortiManager may purge mac-addr-check-rule when installing to FortiGate.
748488 Cloned VPN Phase1 interface may have several different parameters than the original interface.
750227 Removing a spoke or hub from VPN community may result in partial configuration removal.

774040 keyboard-layout configuration in VPN SSL web portal predefined RDP bookmark generates incorrect commands.

779498 VPN monitor may not display correct information when FortiManager is in advanced ADOM mode.
780154 Policy package should be pushed to VPN hubs without error interface IP is 0.

Common Vulnerabilities and Exposures

Visit https://fortiguard.com/psirt for more information.

Bug ID CVE references
770575 FortiManager 6.4.8 is no longer vulnerable to the following CVE-Reference: CVE-2022-22300

Resolved Issues

The following issues have been fixed in 6.4.8. For inquires about a particular bug, please contact Customer Service & Support.

AP Manager

Bug ID

Description

691540 Where Used should indicate that an AP is still in used in one or more FortiGate devices.
697444 SSID with MPSK may not pass verification during an install.

718464

Firmware upgrade fails for FortiAP 421E from FortiManager.

726287

Deleting Floor Map may return a blank pop-up with error.

728372

Importing SSID with optional VLAN ID set creates incorrect per-device mapping.

750255

FortiManager should enable DFS channels on WTP profiles for FAP234F and FAP231F with region N.

750458

AP Manager should not send local-authentication for VAP with wpa-enterprise and Radius to managed FortiGate.

757706

FortiManager might downgrade FortiAP with enforced firmware version.

763233

AP profile may not contain SSID when AP Manager is in central management mode.

770234

5GHz DFS channels on AP Profile were not supported for FAP U231F.

772194

FortiManager should not install the setting set security-redirect-url without making any such change.

772213

FortiManager may try to delete default wtp 11ac-only profile on FortiWiFi-60F causing install to fail.

785471

FortiManager was deleting wireless-controller wtp and the objects referenced by wtp during the first installation after the upgrade.

Device Manager

Bug ID Description
545239 After adding FortiAnalyzer fabric ADOM to FortiManager, Device Manager's Log Status, Log Rate, or Device Storage columns cannot get data from FortiAnalyzer.

587404

FortiManager sets incorrect captive-portal-port value when installing v6.0 policy package to v6.2 devices.

638750 Where Used may not work for IPsec Phase 2 allowing users to delete used objects.

662095

FortiManager may take too much time to send SLA updates to one thousand or more FortiGate devices.

673008

SD-WAN Rules order changes to the default order when creating a rule and moving it to the top.

677836

The Client Address Range setting should allow users to configure assign-IPs from firewall address or group.

691611

When FortiManager performs auto-retrieve, it causes all policy package statuses to become unknown after a new VDOM is created on FortiGate.

699893

SD-WAN's priority-members is missing from CLI configuration page.

701348

Once VRPP instance is created, user should be able to edit or delete it.

709214

System template should allow source interface to be selected when specify is activated as interface-select-method.

712578

FortiManager does not allow WiFi SSID with special characters.

713833

It may not be possible to rename device zone.

725334

Importing policy package shows ngfw-mode policy-based with the inspection-mode set to proxy.

726721

Unable to add multiple DNS domain names in Provisioning Template.

727123

Meta Field is not translating values with spaces into correct scripts.

729301

A managed FortiGate with assigned CLI template remains in modified state following a successful device configure installation.

729413

FortiManager is missing peer options with dial up user configuration with VPN IPSec Phase 1.

730482

CLI Template cannot add system DNS database entries if set domain contains the underscore character ("_").

731204

FortiManager may incorrectly display Object already exists message while creating a new Hardware Switch interface.

732246

Clock format option no longer works to format date in TCL scripts.

733379

FortiManager cannot edit global level configuration when management VDOM is not in the current ADOM.

733934

During zero-touch-provisioning with Enforce Firmware Version enabled, upgrade task may hang if the connection is reset during the image transfer.

735360

When editing a device group, search results do not show the device if VDOM name is matched by search keyword first.

735402

Create a new CLI Group Template and try to add members to the CLI Group Template, but it does not allow users to select other CLI Group Templates that are already created.

737025

SD-WAN monitor widget may not be loaded when multiple performance SLAs are added.

737908

The install fails with verification failure displaying when trying to delete the LAN interface members.

739369

When revision history is large, FortiManager may be unable to retrieve configuration.

740893

Secondary IP may be purged when setting a description to VLAN interface.

743102

Device & Groups > VPN Phase1/Phase2 does not show the proposal column when using FGT-VM type "FGVMIB".

743112

Interface Bandwidth widget on FortiManager under Device Manager does not display any data for FortiGate.

743267

FortiManager's GUI does not show the virtual-switch ports as interface members for Hardware switches.

744628

After exporting system template, importing the same configuration through the CLI may fail.

744973

FortiManager GUI throws an error when switching from Policy & Objects to Device Manager.

747955

There may be performance issue when onboarding new SD-WAN devices.

748240

When FortiAnalyzer is managed by FortiManager, new devices that are registered to FortiManager should be synchronized under the corresponding ADOM on FortiAnalyzer.

749823

Named Address Static Route with SD-WAN cannot be selected on FortiManager.

749923

SD-WAN logs cannot be saved for some devices when sdwan-monitor-history is set as enabled.

750303

Under System > Interface, the data shown on this page may be incomplete.

750838

FortiManager may fail to import device list from another FortiManager due to the meta field containing prefix "_meta_".

751427

Provisioning Template with empty name cannot be deleted or edited.

753258

FortiManager may be unable to show SD-WAN monitor data when the rtmmond daemon is stuck.

754465

FortiManager should also count promoted hidden devices.

755519

Zero-touch provisioning with script installation may fail due to duplicated snmp-index.

759905

When creating a device zone, device mapping may not be created when the zone is mapped to a normalized interface with the map as zone only option.

760099

When creating EMAC VLAN from Device Manager, FortiManager should show VLAN ID field.

760132

Device Manager may be unable to delete FortiGate-7000E HA cluster members.

762082

When creating a Static Route, FortiManager may take a few seconds to display available Named Address.

763797

Installation fails due to configuring forward-error-correction on FGT's interfaces.

764491 Unable to configure more than one IP address for vrdst under the interface vrrp setting.

764841

FortiManager is unable to use secondary IP as source IP in DNS database.

765762

FortiManager is unable to install the switch controller > VLAN interface configuration during the ZTP process.

773336

FortiToken provision button is grayed out in Device Manager while it is enabled on FortiGate with the same token.

777925 Several unregistered FGTs consume FortiManager's resources. As a result, FMG becomes very slow and unresponsive.

779260

When sdwan-monitor-history is enabled, replace last 5 minutes with last 10 minutes.

779836

FortiManager cannot install TCP-connect using Random port for SD-WAN.

779900

Administrative user GUI-dashboard information should be deleted upon VDOM deletion.

792553 Removing VLANs from Zone and adding a new VLAN to the same Zone deletes that Zone.
793941 Unable to install VPN psk with special characters through CLI template.

795913

Error Probe Failure has been observed when adding FortiAnalyzer to FortiManager.

FortiSwitch Manager

Bug ID Description
684371 Clicking OK to import FortiSwitch Template results in no response.
748200 FortiSwitch monitor may show incorrect interface status for QSFP port.
764258 FortiManager should not update trunk-member value as it is controlled by FortiGate.

Global ADOM

Bug ID Description

660852

FortiManager should not save invalid default value for ssl-ssh-profile in global database.

691562 Threat feeds global objects are not installed to destination ADOM when using the assign all objects option.

725763

Automatic install to ADOM devices may fail from Global ADOM.

728803

Copying global firewall policy may fail due to duplicate IPS sensors.

737381

FortiManager should not allow users to delete the default reserved address object starting with "g-".

740942

srcintf selector in Traffic Shaping Header or Footer Policy may not work in Global ADOM.

741942

FortiManager should show clear error message for duplicated object assigned from Global ADOM.

745772

FortiManager may randomly delete FortiManager IPv4 policies when assigning from the Global ADOM.

760804

FortiManager may return an error when adding address object to global policy.

743734

Cannot remove objects from Global Database.

768527

After upgrading the global ADOM, installation failed due to the custom ssl-ssh-profile config.

Others

Bug ID Description
505795 FortiManager should allow users to configure the list of allowed TLS cipher suites.
657997 Assigning device to system template may not work through JSON when FortiManager is in workspace mode.

707911

FortiManager should be able to assign VLAN interface to FortiExtender.

715601

Under some conditions, disk usage may reach 100% after a few days.

718251

Web service with port 8080 disabled may still be in listening state.

733078

FortiManager may show multiple fmgd crashes with signal 11 segmentation fault.

733208

Users may be unable to log in from the GUI after restoring a database with a changed HTTP or HTTPS port number.

738639

Users should be able to obtain status of the FGFM reclaim-dev-tunnel through an API call.

740523

Retrieve task may fail because the autoupdate file has already been deleted by FGFM.

742137

FortiManager may return an error when running an Ansible script to configure network interfaces, zones, and policies.

744197

If a VDOM is created and its information is then retrieved through the JSON API, the VDOM mode may be shown as NULL.

744736

FGFM tunnel may go up and down with multiple fgfmsd crashes.

746311

fgdsvr process may crash when URL length is longer than 1024 characters.

750419

Execution of integrity check may remove dynamic mappings.

763635 Unable to upgrade an ADOM from 6.2 to 6.4.

763669

FortiManager Pay-As-You-Go should support connection to FortiCare through proxy.

764674

Map should use the region defined by the coordinates in System Settings > Advanced Settings or the FortiManager's time zone.

766105

FortiManager may be unable to upgrade ADOM from 6.2 to 6.4 due to cdb crash.

766874 FortiManager holds the wrong value for AP limit of the FG-80F.

775574

There is a Criteria Latency field which is different between FortiGate and FortiManager when creating the manual interface option for SDWAN rules.

776342

System NPU values may be different between FortiManager and FortiGate-1801F.

776413

FortiManager lock/commit operation is very slow when FortiManager HA is enabled.

783226

Fabric View may keep loading.

792887

Verification fails for the default dnsfilter profile because "set category 0" is wrongly installed.

794304 Interface Bandwidth widget is displayed in ADOM 6.2 in FortiManager version 6.4.

Policy and Objects

Bug ID Description

503978

Thread Feeds should be Threat Feeds on Fabric Connector.

549492

Load-balance type VIP cannot be displayed and saved correctly.

585177

FortiManager is unable to create VIPv6 virtual server objects.

615250

Search by CVE may not work for both IPS signatures and IPS filters.

644822

Imported SDN connector objects may change to random names.

657534

SSH and MAPI should not be supported in file filter profile protocol under flow mode.

696367

Hit count, first used, and last used may not get updated on FortiManager.

699975

Multiple filters are missing for Azure SDN connector.
701750 The App Control set to Monitor in FMG causes the app to disappear from FGT.

709908

When checking the status on AntiVirus profile, it may not show the correct inspection mode in list view when status stays in flow-based (Full Scan).

713886

FortiManager returns the error method failure when setting a shaping profile in normalized interface using per-device mapping.
714375 There are no warning messages when assigning in-use normalized interfaces.

717031

FortiManager doesn't update the Hit Count number.

718223

Hyperscale firewall EIF shall not be enabled when IP pool with CGN overload configuration is used in a policy.

725024

Proxy Policy page shows empty when the View Mode is selected as Interface Pair View.

725132

When modifying IP address of Default VPN Interface of spoke in Device Manager, hub remote gateway should be modified to reflect that change.

726328

SSL-SSH profile may display incorrect options when using SSL certificate inspection.

729705

Installing policy requires interface validation for interfaces not being used in the policy package.

730523

Unused policies tool may always generate a PDF containing all policies.

731053

FortiManager may miss some Internet Service entries.

732138

Non-full admin users should be able to export Policy Check and Unused Policy results.

732199

FortiManager displays the group ID instead of displaying name with NSX-T Connector.

734556

FQDN type firewall address object can be created with an unsupported format.
737424 Policy package import fails due to the Device mapping::"query failed. error.

738475

Special characters within a policy's comment cause all policies to disappear from the GUI.

740944

Custom IPS signature script may fail to run on policy package or ADOM database.

742257

NPU log servers for hyperscale do not show up in policy package.

744049

Proxy policy does not accept configuration with both IPv4 and IPv6 address objects.

744591

Installing or importing IPS custom signature may fail when a signature's name contains a space character.

744766

FortiManager may not be able to retrieve IP address for group with NSX-T v3.1.2.

744934

FortiManager may try to install undesirable changes to FortiGate-5001E, FortiGate-5001E1, and FortiGate-5001D.

745355

Section labels are not visible in virtual-wire policy section.

745884

FortiManager GUI may not respond when triggering policy package install wizard under Policy & Objects.

746273

Column filter may be extremely slow with large policy package.

747537

Where Used should show the correct object references for newly cloned objects.

747558

FortiManager filters should work for Hit Counters, First Session, and Last session.

748222

Cloning of a policy package is grayed out for admin users with restricted access to a particular policy package folder.

748235

Filtering by hit count may not work for policies.

748246

Where Used may result in an empty top-left frame for policy packages.

748467

FortiManager does not have the same profiles as FortiGate with explicit proxy policy.

748498

There may be an issue with Transparent Web Proxy when using interface pair view.

748556

FortiManager should not allow users to create Explicit proxy FTP with pool name.

749519

IPv4 policies in policy block may be hidden on FortiManager's GUI.

749576

FortiManager may try to install hidden synproxy parameters for DOS policy to FortiGate.

750160

custom-url-list may not be correctly parsed when URLs contain space characters.

750539

If FortiGate allows selecting LogMeIn app using specific filter override, FortiManager should also allow it.

750882

User may not be able to save changes in SSL/SSH inspection profile from GUI.

751137

Installation performance issues may occur with a large number of dynamic mappings and many FortiAP or FortiSwitch devices.

751710

Editing a global user FSSO object's dynamic mapping is not possible.

751767

Export to Excel when filters are applied for a policy package does not work.

752777

FortiManager should be able to manage valid authentication rules containing User-Agent proxy address.

752822

FortiManager may not respond when adding a firewall address or group to a policy and changing the policy comment at the same time.

754225

Policy package status is out of sync without changes.

755252

Plus (+) sign should be added for SMS phone number when two-factor FortiToken Cloud is enabled.

755348

FortiManager should support more than one thousand traffic shapers.

757164

FortiManager database contains parameter webfilter-searchengine-Baidu-gb2312 that does not exist on FortiGate.

758526

FortiManager should be able to delete many per-device mappings quickly.

758809

When the policy package is in policy-based NGFW mode, FortiManager may still set action to accept, even when the policy is specified as deny.

760869

Deleted objects may remain referenced in firewall policy.

765793

Adding custom signature with _vdom-name should not prevent pushing changes to numerous devices.

765812

Hyperscale policy packages do not show log server until you get into a policy.

767317

Policy Hit Count may not be updated for Read-Only admin.

768353

Commit action is taking too much time and it makes the FortiManager slow.

769997

Selection for user SAML as member under the user group may not take effect.

770210

Where Used may not report used objects properly.

770256

FortiManager displays error when using push to install for objects utilized by policy blocks.

770678

Changing Action from Accept to Deny should ignore all UTM profiles within the firewall policy.

771941

FortiManager is unable to import or create virtual server with real servers using the same IP but different http-host.

774435

Right-click menu to add object may return an error: cgn-resource-quote:out of range.
775128 Unable to create more than twenty (20) SAML users in policy package object.

776361

Policy lookup may not work if the managed devices are in transparent mode.

777554

There may be slowness when using Find Duplicate Objects with Merge tools.

779947

Address group changes for per-device mapping do not apply to FortiGate when address group is used in policy route.

779965

Users may be unable to export firewall header and footer policies to Excel.

783899

There may not be empty lines in IPS Signature and Filters.

786684

Installation fails because the virtual-wan-link did not exist.

789957

Created time doesn't indicate AM or PM on the Tools > Find Unused Policies.
791797 Installation failed after upgrading ADOM from 6.2 to 6.4.

Revision History

Bug ID Description

618305 FortiManager changes configuration system csf settings.
643101 Copy may fail due to VIP overlapping when installing policy package.
657424 FortiManager may disable the "l2forward" and "stpforward" settings on virtual switch interface when installing policy package.
660525 When installing from FortiManager, it may unset comment, organization, and subnet-name during install.
674094 FortiManager may unset explicit proxy's HTTPS and PAC ports and change the value to 0 instead.
674196 Installation may fail after editing or creating a firewall policy if reputation-minimum is set.
691240 FortiManager should not unset the value forward-error-correction with certain FortiGate platforms.
700495 FortiManager 6.2 ADOM may be sending set synproxy to FortiGate-1801F.
713552 If VIP address's source-filter list is too long, installation may fail.
722604 After removing a member of a user group that is used only in XAUTH, FortiManager does not delete the unused local user on FortiGate.
724647 After upgrading to 6.4, retrieve from a chassis may take a long time.
725252 When a customer tries to push a policy package to a device group, the installation window may not show any progress, only a red cross.
725557 Install always tries to delete hardware switch member interface, causing installation failure.
725717 After upgrade, installation may fail due to mcast-session-counting.
728447 Installation may fail due to VIP's mapped IP as a range with two identical IP addresses.
728918 FortiManager should install changes applied on Global policy package and not indicate warnings like "no installing devices/no changes on package".
729148 Install fails when new transparent mode VDOM is added directly via FortiGate CLI and imported into FortiManager.
735455 FortiManager may try to delete thousands of policies during install.
740858 GCP project name must be set during install.
741543 Install may fail with unset MAC address on EMAC VLAN.
742806 When modifying a configuration and installing Device Setting only, FortiManager may not display the device's configuration change.
744966 After upgrading FortiManager, policy install verification may fail with Config status changes to Conflict due to invalid default value for log memory filter.
745715 FortiManager may not be able to install policy package with firewall rule using VIP group due to zone binding.
747837 FortiManager may try to delete interfaces lan1, lan2, and lan3 which are used by virtual-switch.sw0 on FortiGate-40F.
748350 Explicit proxy FTP ssl-ssh-profile application-list may not be installed.
748462 FortiManager should not set the HA interface IP under the central-management on FortiGate when the master unit fails.
749587 If a device revision is corrupted, FortiManager may be able to remove or create any revision.
750637 FortiGate-5001E, FortiGate-5001E1, and FortiGate-5001D may be mistakenly set to support switch-profile.
751771 Users may not be able to create hardware switch interface from FortiManager.
751776 Renaming IPSec Phase1 that is member of a zone causes all zone related rules to be re-created.
754081 Application Control signatures belonging to the Industrial Category are removed from FortiGate in split mode during policy install.
755059 After disabling NAT on hyperscale policy, there may be installation failure on unset action.
755687 FortiManager may show admin with no password when adding a new VDOM to FortiGate-2200E/2201E.
756508 FortiManager may unset chassis ID, causing the HA cluster to be lost.
757716 There may be install issue with Web Filter's "config ftgd-wf" which does not exist on NGFW policy mode on FortiGate.
764497 FortiManager should not create a new wildcard FQDN object while renaming it.
767824 FortiManager may unexpectedly delete custom signature when installing policy package.

Script

Bug ID Description

384139 Filter does not work on device group.
654700 Users need to open "View Script Execution History" to see that TCL script fails.
740938 Direct CLI script may fail when it contains an 'exec' command.
757156 When running CLI script remotely on 100+ firewalls, partial configuration is retrieved and it may cause routing to be removed from device database.
780604 When creating a new phase1 interface, dpd=on-idle settings may not be saved.
787113 TCL scripts fail to run if the admin's password is longer than 36 characters.

Services

Bug ID Description
644021 FortiManager should be able to use custom certificates for update-related services.
704584 FortiAP firmware may not be listed and cannot be imported.
718256 FMG-VM64-AWSOnDemand may not retrieve the proper license when it is behind a proxy.
725118 FortiManager may not log FortiGuard connectivity failures.
741846 AP upgrade task may hang at 45%.
748489 Numerous svc cdb reader processes reaching 100% CPU utilization.
796345 FMG does not recognize the entitlement file for some FGTs.

System Settings

Bug ID Description

640670 If a user specified ADOMs, including global ADOM, workflow approval may not be able to find the same user.
687992 Backup that includes IPSec VPN cannot be restored.
690926 FortiManager is removing SD-WAN field description upon ADOM upgrade from 6.2 to 6.4.
696554 FortiManager may generate a large number of cdb event logs for object changed events.
706303 Template assignment or save may not generate clear event logs.
721153 Scroll bar is missing from device drop-down list on ADOM overview page.
727233 ADOM license count should not count root ADOM.
728991 Nested group search fails with Bad search filter, if the user DN contains characters like "," and "()".
729280 Admin User with no access to management ADOM or VDOM can create a new VDOM from non-management ADOM > VDOM.
731084 FortiManager upgrade should not have warning when there is no upgrade path.
734422 The "svc sys" daemon may have high memory usage when API is used to upgrade FortiGate devices.
735067 When creating a local account with the Force this administrator to change password upon next log on option selected, the setting should be applied for the first login.
737142 FortiManager should support using the special character "@" in SNMP community name.
738622 ADOM upgrade from 6.0 to 6.2 may fail due to FortiExtender object.
745333 Remote authentication servers should not be synchronized among HA members.
745365 Event log may be truncated when the log contains many address objects.
746568 FortiManager may continuously change NTP synchronization server.
748237 Users may be unable to disable ADOM using GUI or CLI.
751069 User may be unable to disable ADOM after upgrade.
762708 LDAP may become stuck for twenty seconds if LDAP is not responding.
768682 Setting a Cluster ID for a model HA cluster results in an invalid group ID under config system ha.
775091 Two factor authentication fails when special characters are used in CN.
777726 FortiManager may not generate event logs for meta field changes.
778405 Script Groups should be copied with their members when cloning an ADOM.
783066 If the number of FortiGate devices registered is in the upper limit of the license count, it may cause HA to become asynchronized.
790409 idle_timeout under admin settings is not converted properly after performing the upgrade.

795655 FortiManager loads the Administrator list under the System Settings very slowly.

VPN Manager

Bug ID Description
721783 Applying Authentication or Portal Mapping changes may take several minutes.
735417 FortiManager may purge mac-addr-check-rule when installing to FortiGate.
748488 Cloned VPN Phase1 interface may have several different parameters than the original interface.
750227 Removing a spoke or hub from VPN community may result in partial configuration removal.
774040 keyboard-layout configuration in VPN SSL web portal predefined RDP bookmark generates incorrect commands.
779498 VPN monitor may not display correct information when FortiManager is in advanced ADOM mode.
780154 Policy package should be pushed to VPN hubs without error interface IP is 0.

Common Vulnerabilities and Exposures

Visit https://fortiguard.com/psirt for more information.

Bug ID CVE references
770575 FortiManager 6.4.8 is no longer vulnerable to the following CVE-Reference:

  • CVE-2022-22300