This section highlights some of the operational changes that administrators should be aware of in 7.0.8.
FortiManager fails to retrieve FortiGate's configuration when external-resource objects include a "g-" prefix
Scenario: Multi-VDOM is enabled on FortiGates (FGTs) running version 6.4, and external-resource objects are created globally; these objects are used in web filter profiles and firewall policies. After upgrading the FGTs to v7.0, the FGTs automatically add a "g-" prefix to the global external-resource objects. However, FMG does not yet support this prefix, so FMG fails to retrieve the FGT's configuration into its DB.
Workaround: There are two workarounds; use the approach that works best for your environment. If it is possible, create a new backup of your FMG and FGT(s) before making any changes.
First workaround approach:
- Re-create all threat feeds locally in the VDOM configuration, and update the policies and security profiles that reference them to use the local threat feed instead of the global feed.
- Delete the global threat feed objects.
Second workaround approach:
- Perform a policy reinstallation. FMG adds the original threat feed objects within the VDOM configuration without the 'g' prefix.
- FMG reports 'install OK/verify FAIL' at the end of the policy installation.
- Run scripts to delete the global threat feed objects (objects with the 'g' prefix) from the FGT.
- Retrieve the FGT configuration from FMG.
- Perform another policy installation to update the configuration synchronization status between the FGT and FMG. No commands are pushed during this stage according to the install wizard.
If policy changes are made directly on the FortiGates, the subsequent policy package (PP) import creates faulty dynamic mappings for VPN Manager.
It is strongly recommended to create a fresh backup of the FortiManager's configuration prior to this workaround. Perform the following command to check & repair the FortiManager's configuration database:
diagnose cdb check policy-packages <adom>
After executing this command, FortiManager will remove the invalid mappings of vpnmgr interfaces.
The AP Manager module does not yet support the FAP-831F model.
A minimum of 32 GB of memory is required on FortiManager to support the installation of 80K rules to managed FortiGates.
Please follow the steps below when managing FortiClient EMS Connector's configuration via FortiManager:
- Add a FortiGate device to FortiManager.
- Create FortiClient EMS Connector's configuration on FortiManager.
- Install the configuration onto the FortiGate device.
If the order of the steps is not followed, FortiClient EMS may not authorize the FortiGate device.
When policy blocks are added to a policy package, the View Mode option is no longer available, and policies in the table cannot be arranged by Interface Pair View. This occurs because policy blocks typically contain multiple policies that use different incoming and outgoing interfaces; however, View Mode remains disabled even when all policies in the policy blocks respect the interface pair.
When upgrading from FortiManager 7.0.0, you must first upgrade to 7.0.1 before going to 7.0.2 and later. This is required to correct an issue that causes FortiManager to download unnecessary objects from FortiGuard. Please contact FortiManager support for more information if required.
FortiManager docker images are available for download from Fortinet’s Verified Publisher public repository on dockerhub.
- Go to dockerhub at https://hub.docker.com/.
The dockerhub home page is displayed.
- In the banner, click Explore.
- In the search box, type Fortinet, and press Enter.
The fortinet/fortimanager and fortinet/fortianalyzer options are displayed.
- Click fortinet/fortimanager.
The fortinet/fortimanager page is displayed, and two tabs are available: Overview and Tags. The Overview tab is selected by default.
- On the Overview tab, copy the docker pull command, and use it to download the image.
The CLI command from the Overview tab points to the latest available image. Use the Tags tab to access different versions when available.
Starting in FortiManager 7.0.0, firmware templates should be used to schedule firmware upgrades on managed FortiGates. Attempting firmware upgrade from the FortiManager GUI by using legacy methods may ignore the schedule upgrade option and result in FortiGates being upgraded immediately.
Starting in version 7.0.1, the CLI to modify the interface status has been changed from
config system interface
set status <enable/disable>
Due to design change with SD-WAN Template, upgrading to FortiManager 7.0 may be unable to maintain dynamic mappings for all SD-WAN interface members. Please reconfigure all the missing interface mappings after upgrade.
Citrix XenServer limits the ramdisk to 128M by default. However, the FMG-VM64-XEN image is larger than 128M. Before updating to FortiManager 6.4, increase the size of the ramdisk setting on Citrix XenServer.
- On Citrix XenServer, run the following command:
xenstore-write /mh/limits/pv-ramdisk-max-size 536870912
- Confirm the setting is in effect by running
limits = ""
pv-kernel-max-size = "33554432"
pv-ramdisk-max-size = "536870912"
boot-time = ""
- Remove the pending files left in
The ramdisk setting returns to the default value after rebooting.
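Because the limit silently reverts to the default after a reboot, it is worth scripting the confirmation step rather than eyeballing it. The following POSIX shell snippet is an added example, not part of the Fortinet release notes: it parses xenstore-style output in the format shown above, extracts pv-ramdisk-max-size, and reports whether the limit can hold an image of a given size. The two sample outputs and the 200 MB image size are constructed for illustration; on a live host you would pipe the output of the xenstore read command (assumed here to be `xenstore-ls /mh/limits`) into `ramdisk_limit_bytes` instead.

```shell
#!/bin/sh
# Added example: verify the XenServer pv-ramdisk-max-size limit before
# booting a FortiManager image. Not from the Fortinet release notes.

# Print the pv-ramdisk-max-size value (bytes) found in xenstore-ls style
# text read from stdin; prints nothing if the key is absent.
ramdisk_limit_bytes() {
    sed -n 's/^[[:space:]]*pv-ramdisk-max-size[[:space:]]*=[[:space:]]*"\([0-9]*\)".*/\1/p' | head -n 1
}

# $1: xenstore-ls style text, $2: image size in bytes.
# Returns 0 if the limit fits the image, 1 if it is too small, 2 if the key
# is missing. Prints a one-line verdict in every case.
check_ramdisk_limit() {
    limit=$(printf '%s\n' "$1" | ramdisk_limit_bytes)
    if [ -z "$limit" ]; then
        echo "pv-ramdisk-max-size not found in xenstore output"
        return 2
    fi
    if [ "$limit" -ge "$2" ]; then
        echo "ok: ramdisk limit $limit bytes >= image $2 bytes"
        return 0
    fi
    echo "too small: ramdisk limit $limit bytes < image $2 bytes (limit resets to default after reboot)"
    return 1
}

# Constructed sample: output shape from the notes with the 128M default
# (128 * 1024 * 1024 = 134217728) still in place.
SAMPLE_DEFAULT='limits = ""
 pv-kernel-max-size = "33554432"
 pv-ramdisk-max-size = "134217728"
 boot-time = ""'

# Constructed sample: the same output after the xenstore-write shown above.
SAMPLE_RAISED='limits = ""
 pv-kernel-max-size = "33554432"
 pv-ramdisk-max-size = "536870912"
 boot-time = ""'

# Constructed image size (200 MB), standing in for the real FMG-VM64-XEN size.
IMAGE_BYTES=209715200

# Stand-alone usage: check both samples.
check_ramdisk_limit "$SAMPLE_DEFAULT" "$IMAGE_BYTES" || true
check_ramdisk_limit "$SAMPLE_RAISED" "$IMAGE_BYTES" || true
```

Running the check as a pre-boot step (for example from the host's startup scripts) catches the reverted default before the image fails to load, instead of after a confusing boot failure.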
Prior to using the FortiManager to push a multi-step firmware upgrade, confirm the upgrade path matches the path outlined on our support site. To confirm the path, please run:
dia fwmanager show-dev-upgrade-path <device name> <target firmware>
Alternatively, you can push one firmware step at a time.
A Hyper-V FMG-VM running on a PC with an AMD CPU may experience a kernel panic. Fortinet recommends running VMs on an Intel-based PC.
Due to known vulnerabilities in the SSLv3 protocol, FortiManager-VM64-AWS only enables TLSv1 by default. All other models enable both TLSv1 and SSLv3. If you wish to disable SSLv3 support, please run:
config system global
set ssl-protocol tlsv1