
Special Notices

This section highlights some of the operational changes that administrators should be aware of in 7.2.1.

FMG-VM acquires incorrect certificate after upgrade

FortiManager virtual machines with an older perpetual license use only one certificate. After upgrading FMG-VMs with a perpetual license to FortiManager 7.2.1, a second, default certificate with a serial number (in the CLI) or common name (in the GUI) of FAZ-VM0000000001 is automatically added to the FMG-VM, and FortiManager attempts to use this default certificate, with the incorrect value, for FGFM tunnels with managed FortiGates.

Note

This issue does not affect FMG-VMs with a subscription license or FMG-VMs with a newer perpetual license that uses two certificates.

You can use either of the following workarounds:

  1. Use the CLI to configure the FGFM tunnel to use the certificate with the correct serial number or CN value.
  2. Go to FortiCloud, download the license file again, which includes two local certificates, and apply the license to FortiManager. The new local certificates automatically overwrite the existing local certificates.

Workaround 1:
  1. Go to System Settings > Certificates > Local Certificates, and check the CN (common name) field for the local certificates.

    In the following example, the incorrect SN value of FAZ-VM0000000001 is displayed:

  2. Configure the FGFM tunnel to use the default certificate with the correct serial number or CN value:

    In this example, the Fortinet_Local certificate has the correct value:

    config system global
    set fgfm-local-cert "Fortinet_Local"
    end

  3. If the FMG-VMs are in an HA cluster, configure the cluster to use the default certificate with the correct serial number or CN value:

    In this example, the Fortinet_Local certificate has the correct value:

    config system ha
    set local-cert Fortinet_Local
    end

Workaround 2:
  1. In FortiCloud (https://support.fortinet.com/), go to Products > Product List, and click the FMG-VM product.

    The product details are displayed.

  2. Click License File Download to download the license file with two default certificates.
  3. In FortiManager, go to System Settings > Dashboard > License Information, and click the Upload License button to upload the license and the two local certificates.

    The new local certificates automatically overwrite the existing local certificates.

SD-WAN Orchestrator removed in 7.2

Starting in 7.2.0, the SD-WAN Orchestrator is no longer available in FortiManager. Instead, you can use the SD-WAN Overlay Template wizard to configure your SD-WAN overlay network.

For more information, see SD-WAN Overlay Templates in the FortiManager Administration Guide.

Changes to FortiManager meta fields

Beginning in 7.2.0, FortiManager supports policy object metadata variables.

When upgrading from FortiManager 7.0 to 7.2.0 and later, FortiManager will automatically create ADOM-level metadata variable policy objects for meta fields previously configured in System Settings that have per-device mapping configurations detected. Objects using the meta field, for example CLI templates, are automatically updated to use the new metadata variable policy objects.

Meta fields in System Settings can continue to be used as comments/tags for configurations.

For more information, see ADOM-level meta variables for general use in scripts, templates, and model devices.

Setup wizard requires FortiCare registration

Starting in FortiManager 7.2.1, the FortiManager Setup wizard requires you to complete the Register with FortiCare step before you can access the FortiManager appliance or VM. Previously the step was optional.

For FortiManager units operating in a closed environment, contact customer service to receive an entitlement file, and then load the entitlement file to FortiManager by using the CLI.

Access lists as ADOM-level objects

Starting in 7.2.0, FortiManager supports IPv4 and IPv6 access lists as ADOM-level object configurations from FortiGate. Previously, access lists were controlled by the device database/FortiGate configuration.

After upgrading to 7.2.0 from an earlier release, the next time you install changes to a FortiGate device with an IPv4 or IPv6 access list, FortiManager will purge the device database/FortiGate configuration which may have previously contained the access list. To address this, administrators can re-import the FortiGate policy configuration to an ADOM's policy package or re-create the IPv4/IPv6 access list in the original package.

View Mode is disabled in policies when policy blocks are used

When policy blocks are added to a policy package, the View Mode option is no longer available, and policies in the table cannot be arranged by Interface Pair View. This occurs because policy blocks typically contain policies with multiple interfaces; however, View Mode is disabled even when the policies in a policy block do respect the interface pair.

Reconfiguring Virtual Wire Pairs (VWP)

A conflict can occur between the ADOM database and device database when a Virtual Wire Pair (VWP) is installed on a managed FortiGate that already has a configured VWP in the device database. This can happen when an existing VWP has been reconfigured or replaced.

Before installing the VWP, you must first remove the old VWP from the device's database, otherwise a policy and object validation error may occur during installation. You can remove the VWP from the device database by going to Device Manager > Device & Groups, selecting the managed device, and removing the VWP from System > Interface.

Fortinet verified publisher docker image

The FortiManager 7.0.1 docker image is available for download from Fortinet's Verified Publisher public repository on dockerhub.

To download the FortiManager image from dockerhub:
  1. Go to dockerhub at https://hub.docker.com/.

    The dockerhub home page is displayed.

  2. In the banner, click Explore.
  3. In the search box, type Fortinet, and press Enter.

    The fortinet/fortimanager and fortinet/fortianalyzer options are displayed.

  4. Click fortinet/fortimanager.

    The fortinet/fortimanager page is displayed, and two tabs are available: Overview and Tags. The Overview tab is selected by default.

  5. On the Overview tab, copy the docker pull command, and use it to download the image.

    The CLI command from the Overview tab points to the latest available image. Use the Tags tab to access different versions when available.

Scheduling firmware upgrades for managed devices

Starting in FortiManager 7.0.0, firmware templates should be used to schedule firmware upgrades on managed FortiGates. Attempting a firmware upgrade from the FortiManager GUI by using legacy methods may ignore the scheduled upgrade option and upgrade the FortiGates immediately.

Modifying the interface status with the CLI

Starting in version 7.0.1, the CLI command to modify the interface status has been changed from up/down to enable/disable.

For example:

config system interface
edit port2
set status <enable/disable>
next
end

SD-WAN with upgrade to 7.0

Due to a design change in the SD-WAN Template, upgrading to FortiManager 7.0 may not preserve the dynamic mappings for all SD-WAN interface members. Reconfigure any missing interface mappings after the upgrade.

Citrix XenServer default limits and upgrade

Citrix XenServer limits the ramdisk size to 128M by default. However, the FMG-VM64-XEN image is larger than 128M. Before updating to FortiManager 6.4, increase the size of the ramdisk setting on Citrix XenServer.

To increase the size of the ramdisk setting:
  1. On Citrix XenServer, run the following command (the value is 512 MiB, written as a plain integer, without thousands separators):

    xenstore-write /mh/limits/pv-ramdisk-max-size 536870912

  2. Confirm the setting is in effect by running xenstore-ls.

    -----------------------
    limits = ""
    pv-kernel-max-size = "33554432"
    pv-ramdisk-max-size = "536870912"
    boot-time = ""
    ---------------------------

  3. Remove the pending files left in /run/xen/pygrub.

Note

The ramdisk setting returns to the default value after rebooting.

Multi-step firmware upgrades

Before using FortiManager to push a multi-step firmware upgrade, confirm that the upgrade path matches the path outlined on the Fortinet support site. To confirm the path, run:

dia fwmanager show-dev-upgrade-path <device name> <target firmware>

Alternatively, you can push one firmware step at a time.

Hyper-V FortiManager-VM running on an AMD CPU

A Hyper-V FMG-VM running on a PC with an AMD CPU may experience a kernel panic. Fortinet recommends running VMs on an Intel-based PC.

SSLv3 on FortiManager-VM64-AWS

Due to known vulnerabilities in the SSLv3 protocol, FortiManager-VM64-AWS enables only TLSv1 by default. All other models enable both TLSv1 and SSLv3. To disable SSLv3 support, run:

config system global
set ssl-protocol tlsv1
end
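The ssl-protocol setting above, the fgfm-local-cert pin from the certificate workaround, and the enable/disable interface keyword are all plain config/set/end CLI text. As an added example (not Fortinet's code), the following Python script parses such a snippet from a configuration backup and flags the values these notices warn about; the sample config it reads is constructed for the example.

```python
import shlex
# Constructed sample config (not from a real unit); it holds the settings
# these notices discuss: ssl-protocol, fgfm-local-cert, interface status.
SAMPLE_CONFIG = """\
config system global
    set ssl-protocol tlsv1 sslv3
end
config system interface
    edit "port1"
        set status enable
    next
    edit "port2"
        set status up
    next
end
"""

def parse_config(text):
    """Parse config/edit/set/next/end text into nested dicts."""
    root = {}
    stack = [root]  # stack[-1] is the innermost open block
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        cmd, *args = shlex.split(line)
        if cmd == "config":  # 'config system global' opens "system global"
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif cmd == "edit":  # 'edit "port1"' opens a table entry
            stack.append(stack[-1].setdefault(args[0], {}))
        elif cmd == "set":  # 'set k v1 v2' is stored as block[k] = [v1, v2]
            stack[-1][args[0]] = args[1:]
        elif cmd in ("next", "end"):
            if len(stack) == 1:
                raise ValueError("unbalanced " + cmd)
            stack.pop()
        else:
            raise ValueError("unexpected line: " + line)
    if len(stack) != 1:
        raise ValueError("block left open")
    return root

def audit(cfg):
    """Return findings on the settings the notices cover; [] means clean."""
    findings = []
    g = cfg.get("system global", {})
    if "sslv3" in g.get("ssl-protocol", []):
        findings.append("ssl-protocol: sslv3 still enabled")
    if "fgfm-local-cert" not in g:  # unpinned: the default cert is used for FGFM
        findings.append("fgfm-local-cert: not set")
    for name, iface in cfg.get("system interface", {}).items():
        if isinstance(iface, dict) and iface.get("status", [""])[0] in ("up", "down"):
            findings.append(name + ": status uses pre-7.0.1 up/down keyword")
    return findings
```

Running `audit(parse_config(SAMPLE_CONFIG))` reports the enabled SSLv3, the missing FGFM certificate pin and the stale `up` keyword on port2; a snippet with `set ssl-protocol tlsv1` and `set fgfm-local-cert "Fortinet_Local"` yields no findings.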
