Special Notices

This section highlights some of the operational changes that administrators should be aware of in 7.0.12.

Custom certificate name verification for FortiGate connection

FortiManager 7.0.12 introduces a new verification of the CN or SAN of a custom certificate uploaded by the FortiGate admin. This custom certificate is used when a FortiGate device connects to a FortiManager unit. The FortiGate and FortiManager administrators may configure the use of a custom certificate with the following CLI commands:

FortiGate-related CLI:

config system central-management
    local-cert    Certificate to be used by FGFM protocol.
    ca-cert       CA certificate to be used by FGFM protocol.

FortiManager-related CLI:

config system global
    fgfm-ca-cert           Set the extra FGFM CA certificates.
    fgfm-cert-exclusive    Set whether the local or CA certificates should be used exclusively.
    fgfm-local-cert        Set the FGFM local certificate.

Upon upgrading to FortiManager 7.0.12, FortiManager requires that the FortiGate certificate contain the FortiGate serial number in either the CN or the SAN. The tunnel connection may fail if a matching serial number is not found. If the tunnel connection fails, the administrator may need to re-generate the custom certificates to include the serial number.

Alternatively, FortiManager 7.0.12 provides a new CLI command to disable this verification. Fortinet recommends keeping the verification enabled.

config system global
    fgfm-peercert-withoutsn    Set whether the subject CN or SAN of the peer's SSL certificate sent in FGFM must include the serial number of the device.

When the CLI setting fgfm-peercert-withoutsn is disabled (the default), the FortiGate device's certificate must include the FortiGate serial number in the subject CN or SAN. When fgfm-peercert-withoutsn is enabled, the FortiManager unit does not verify the serial number in the subject CN or SAN.
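A pre-upgrade check of a custom FortiGate certificate against the serial-number rule described above, written as an added example and not Fortinet code: it parses the text printed by openssl x509 -noout -subject -ext subjectAltName and reports whether the device serial appears as the subject CN or as a SAN value. The exact, case-insensitive matching rule, the sample serial and the sample certificates are assumptions constructed for the example.

```python
# Added example (not Fortinet code): pre-upgrade check of a FortiGate FGFM
# certificate for the serial-number rule enforced when
# fgfm-peercert-withoutsn is disabled. It parses the text printed by
#   openssl x509 -in fgt-custom.pem -noout -subject -ext subjectAltName
# and reports whether the serial appears as the subject CN or as a SAN value.
# The exact-match rule and the sample serial/certificates are assumptions.
import re

def parse_openssl_text(text):
    """Return (cn, san_values) from openssl -subject / -ext subjectAltName output."""
    cn, sans = None, []
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if line.startswith("subject="):
            # RDNs print as "C = US, O = Example, CN = value"; pick the CN.
            m = re.search(r"(?:^|,\s*)CN\s*=\s*([^,]+)", line[len("subject="):])
            if m:
                cn = m.group(1).strip()
        elif "Subject Alternative Name" in line and i + 1 < len(lines):
            # SAN entries follow on the next line: "DNS:a.example.com, IP Address:10.0.0.1"
            for entry in lines[i + 1].split(","):
                kind, sep, value = entry.strip().partition(":")
                if sep:
                    sans.append(value.strip())
    return cn, sans

def contains_serial(cn, sans, serial):
    """Model of the FortiManager 7.0.12 rule: the device serial must appear as the
    subject CN or as one SAN value (exact, case-insensitive match is assumed here)."""
    want = serial.upper()
    return (cn or "").upper() == want or any(v.upper() == want for v in sans)

def check_cert_text(text, serial):
    """True if the certificate described by the openssl text would pass the check."""
    cn, sans = parse_openssl_text(text)
    return contains_serial(cn, sans, serial)

# Constructed samples imitating the openssl output; the serial is a placeholder.
SERIAL = "FG100FTK00000001"
CERT_SERIAL_IN_CN = (
    "subject=C = US, O = Example Corp, CN = FG100FTK00000001\n"
    "X509v3 Subject Alternative Name: \n"
    "    DNS:fgt1.example.com\n"
)
CERT_SERIAL_IN_SAN = (
    "subject=C = US, O = Example Corp, CN = fgt1.example.com\n"
    "X509v3 Subject Alternative Name: \n"
    "    DNS:fgt1.example.com, IP Address:10.0.0.1, DNS:FG100FTK00000001\n"
)
CERT_NO_SERIAL = (
    "subject=C = US, O = Example Corp, CN = fgt1.example.com\n"
    "X509v3 Subject Alternative Name: \n"
    "    DNS:fgt1.example.com, IP Address:10.0.0.1\n"
)

if __name__ == "__main__":
    for name, text in [("CN", CERT_SERIAL_IN_CN), ("SAN", CERT_SERIAL_IN_SAN), ("none", CERT_NO_SERIAL)]:
        status = "OK" if check_cert_text(text, SERIAL) else "tunnel will fail after upgrade"
        print(f"serial in {name}: {status}")
```

Feed it the real openssl output for each managed FortiGate's custom certificate before upgrading; any certificate reported as failing needs to be re-issued with the serial in the CN or SAN, or the administrator must accept the weaker fgfm-peercert-withoutsn setting.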

FortiGuard web filtering category v10 update

Fortinet has updated its web filtering categories to v10, which includes two new URL categories for AI chat and cryptocurrency web sites. In order to use the new categories, customers must upgrade their Fortinet products to one of the versions below.

  • FortiManager - Fixed in 6.0.12, 6.2.9, 6.4.7, 7.0.2, 7.2.0, 7.4.0.

  • FortiOS - Fixed in 7.2.8 and 7.4.1.

  • FortiClient - Fixed in Windows 7.2.3, macOS 7.2.3, Linux 7.2.3.

  • FortiClient EMS - Fixed in 7.2.1.

  • FortiMail - Fixed in 7.0.7, 7.2.5, 7.4.1.

  • FortiProxy - Fixed in 7.4.1.

Please read the following CSB for more information about caveats on the usage of the new categories in FortiManager and FortiOS.

https://support.fortinet.com/Information/Bulletin.aspx

FortiManager 7.2.3 and later firmware on FortiGuard

Starting in FortiManager 7.2.1, a setup wizard executes to prompt the user for various configuration steps and registration with FortiCare. During the execution, the FortiManager unit attempts to communicate with FortiGuard for a list of FortiManager firmware images currently available on FortiGuard – older and newer.

In the case of FortiManager 7.2.2, a bug in the GUI prevents the wizard from completing and prevents the user from accessing the FortiManager unit. The issue has been fixed in 7.2.3 and later and a CLI command has been added to bypass the setup wizard at login time.

config system admin setting
    set firmware-upgrade-check disable
end

To work around the GUI bug, Fortinet has not uploaded FortiManager 7.2.3 and later firmware to FortiGuard; however, the firmware is available for download from the Fortinet Support web site https://support.fortinet.com.

Configuration backup requires a password

As of FortiManager 7.0.11, configuration backup files are automatically encrypted and require you to set a password. In previous versions, the encryption and password were optional.

For more information, see the FortiManager Administration Guide.

FortiClient EMS Cloud connectors must be authorized on the EMS Cloud server

Prior to FortiManager 7.0.9, a username and password had to be provided when creating EMS Cloud connectors. Starting from FortiManager 7.0.9, as in versions 7.2 and 7.4, FortiManager can connect to the FortiClient EMS Cloud without a username and password. With this enhancement, once the connector is configured, FortiManager automatically appears on the EMS Cloud server under Administration > Fabric Devices. Users must authorize the FortiManager on the EMS Cloud server before FortiManager can retrieve the EMS tags.

Option to enable permission check when copying policies

As of 7.0.8, a new command is added in the CLI:

config system global
    set no-copy-permission-check {enable | disable}
end

By default, this is set to disable. When set to enable, a check is performed when copying policies to prevent changing global device objects if the user does not have permission.

FortiManager creates faulty dynamic mapping for VPN manager interface during policy package import

If policy changes are made directly on the FortiGates, the subsequent policy package (PP) import creates faulty dynamic mappings for VPN manager.

It is strongly recommended to create a fresh backup of the FortiManager's configuration prior to this workaround. Run the following command to check and repair the FortiManager's configuration database:

diagnose cdb check policy-packages <adom>

After executing this command, FortiManager will remove the invalid mappings of vpnmgr interfaces.

FAP-831F not yet supported by AP Manager

The AP Manager module does not yet support the FAP-831F model.

Installing policy packages with 80K rules

A minimum of 32 GB of memory is required on FortiManager to support the installation of 80K rules to managed FortiGates.

Authorizing FortiGate with FortiClient EMS connected

Please follow the steps below when managing FortiClient EMS Connector's configuration via FortiManager:

  1. Add a FortiGate device to FortiManager.
  2. Create FortiClient EMS Connector's configuration on FortiManager.
  3. Install the configuration onto the FortiGate device.

If the order of the steps is not followed, FortiClient EMS may not authorize the FortiGate device.

View Mode is disabled in policies when policy blocks are used

When policy blocks are added to a policy package, the View Mode option is no longer available, and policies in the table cannot be arranged by Interface Pair View. This occurs because policy blocks typically contain multiple policies using different incoming and outgoing interfaces. However, View Mode remains disabled even when the policies in a policy block all use the same interface pair.

FortiManager upgrades from 7.0.0

When upgrading from FortiManager 7.0.0, you must first upgrade to 7.0.1 before going to 7.0.2 and later. This is required to correct an issue that causes FortiManager to download unnecessary objects from FortiGuard. Please contact FortiManager support for more information if required.

Fortinet verified publisher docker image

FortiManager docker images are available for download from Fortinet’s Verified Publisher public repository on dockerhub.

To download the FortiManager image from dockerhub:
  1. Go to dockerhub at https://hub.docker.com/.

    The dockerhub home page is displayed.

  2. In the banner, click Explore.
  3. In the search box, type Fortinet, and press Enter.

    The fortinet/fortimanager and fortinet/fortianalyzer options are displayed.

  4. Click fortinet/fortimanager.

    The fortinet/fortimanager page is displayed, and two tabs are available: Overview and Tags. The Overview tab is selected by default.

  5. On the Overview tab, copy the docker pull command, and use it to download the image.

    The CLI command from the Overview tab points to the latest available image. Use the Tags tab to access different versions when available.

Scheduling firmware upgrades for managed devices

Starting in FortiManager 7.0.0, firmware templates should be used to schedule firmware upgrades on managed FortiGates. Attempting firmware upgrade from the FortiManager GUI by using legacy methods may ignore the schedule upgrade option and result in FortiGates being upgraded immediately.

Modifying the interface status with the CLI

Starting in version 7.0.1, the CLI to modify the interface status has been changed from up/down to enable/disable.

For example:

config system interface
    edit port2
        set status <enable/disable>
    next
end

SD-WAN with upgrade to 7.0

Due to a design change in the SD-WAN template, upgrading to FortiManager 7.0 may not preserve the dynamic mappings for all SD-WAN interface members. Please reconfigure any missing interface mappings after the upgrade.

Citrix XenServer default limits and upgrade

Citrix XenServer limits the ramdisk to 128M by default. However, the FMG-VM64-XEN image is larger than 128M. Before updating to FortiManager 6.4, increase the size of the ramdisk setting on Citrix XenServer.

To increase the size of the ramdisk setting:
  1. On Citrix XenServer, run the following command (the value is 512 MiB in bytes, written without thousands separators):

    xenstore-write /mh/limits/pv-ramdisk-max-size 536870912

  2. Confirm the setting is in effect by running xenstore-ls.

    -----------------------
    limits = ""
     pv-kernel-max-size = "33554432"
     pv-ramdisk-max-size = "536870912"
    boot-time = ""
    ---------------------------

  3. Remove the pending files left in /run/xen/pygrub.

Note: The ramdisk setting returns to the default value after rebooting.

Multi-step firmware upgrades

Prior to using the FortiManager to push a multi-step firmware upgrade, confirm the upgrade path matches the path outlined on our support site. To confirm the path, please run:

dia fwmanager show-dev-upgrade-path <device name> <target firmware>

Alternatively, you can push one firmware step at a time.

Hyper-V FortiManager-VM running on an AMD CPU

A Hyper-V FMG-VM running on a PC with an AMD CPU may experience a kernel panic. Fortinet recommends running VMs on an Intel-based PC.

SSLv3 on FortiManager-VM64-AWS

Due to known vulnerabilities in the SSLv3 protocol, FortiManager-VM64-AWS only enables TLSv1 by default. All other models enable both TLSv1 and SSLv3. If you wish to disable SSLv3 support, please run:

config system global
    set ssl-protocol tlsv1
end