FortiManager 7.4.2 and FortiOS 7.2.8 compatibility issues
This section lists interoperability issues identified between FortiManager 7.4.2 and FortiOS 7.2.8.
FortiOS 7.2.8 includes two new webfilter categories that are not supported by FortiManager 7.4.2. Thus, adding a device running FortiOS 7.2.8 may cause syntax issues. The new categories are category 100 and category 101. These categories are used in the default webfilter profiles sniffer-profile and monitor-all. Before adding a device running FortiOS 7.2.8, you must delete the filter entries that contain these categories from the FortiGate CLI using the following commands:
config webfilter profile
    edit sniffer-profile
        config ftgd-wf
            config filters
                delete 92
                delete 93
            end
        end
    next
    edit monitor-all
        config ftgd-wf
            config filters
                delete 92
                delete 93
            end
        end
    next
end
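The following is an added example, not part of the original release notes or Fortinet tooling: it scans a saved FortiGate configuration for webfilter filter entries that use category 100 or 101, so the entries to delete can be confirmed before the device is added. It goes beyond the two default profiles by checking every profile in the file; the backup layout, the sample text and the profile name branch-custom are assumptions constructed for illustration.

```python
UNSUPPORTED = {"100", "101"}  # the two categories this page names
# Constructed excerpt laid out like a FortiOS configuration backup (assumed format).
SAMPLE_CONFIG = """\
config webfilter profile
    edit "sniffer-profile"
        config ftgd-wf
            config filters
                edit 92
                    set category 100
                next
                edit 93
                    set category 101
                next
            end
        end
    next
    edit "branch-custom"
        config ftgd-wf
            config filters
                edit 7
                    set category 26
                next
                edit 8
                    set category 101
                next
            end
        end
    next
end
"""

def find_unsupported_filters(text, categories=UNSUPPORTED):
    """Map profile name -> filter IDs that use one of the given categories."""
    hits, stack = {}, []  # stack = enclosing (keyword, name) scopes
    for words in (line.split() or [""] for line in text.splitlines()):
        if words[0] in ("config", "edit"):
            stack.append((words[0], " ".join(words[1:]).strip('"')))
        elif words[0] == "next" and stack:
            stack.pop()
        elif words[0] == "end":
            while stack and stack.pop()[0] != "config":
                pass  # also unwinds an edit left open without "next"
        elif words[:2] == ["set", "category"] and len(words) == 3 and len(stack) == 5:
            top, profile, wf, table, filter_id = (name for _, name in stack)
            # Count only entries under webfilter profile > ftgd-wf > filters.
            if (top, wf, table) == ("webfilter profile", "ftgd-wf", "filters") \
                    and words[2] in categories:
                hits.setdefault(profile, []).append(int(filter_id))
    return hits
```

Running the same function on a backup taken after the delete commands should return an empty result.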
FortiOS 7.2.8 includes the following syntax changes not supported by FortiManager 7.4.2.
When specific platforms are indicated, the syntax change applies to both the FortiGate and FortiCarrier platform for the model. For example, |
The following objects were added:
- (attr) firewall central-snat-map dst-port
- (attr) firewall interface-policy uuid
- (attr) firewall interface-policy uuid-idx
- (attr) firewall interface-policy6 uuid
- (attr) firewall interface-policy6 uuid-idx
- (attr) firewall sniffer uuid
- (attr) firewall sniffer uuid-idx
- (attr) log fortianalyzer override-setting alt-server
- (attr) log fortianalyzer override-setting fallback-to-primary
- (attr) log fortianalyzer override-setting server-cert-ca
- (attr) log fortianalyzer setting alt-server
- (attr) log fortianalyzer setting fallback-to-primary
- (attr) log fortianalyzer setting server-cert-ca
- (attr) log fortianalyzer2 override-setting alt-server
- (attr) log fortianalyzer2 override-setting fallback-to-primary
- (attr) log fortianalyzer2 override-setting server-cert-ca
- (attr) log fortianalyzer2 setting alt-server
- (attr) log fortianalyzer2 setting fallback-to-primary
- (attr) log fortianalyzer2 setting server-cert-ca
- (attr) log fortianalyzer3 override-setting alt-server
- (attr) log fortianalyzer3 override-setting fallback-to-primary
- (attr) log fortianalyzer3 override-setting server-cert-ca
- (attr) log fortianalyzer3 setting alt-server
- (attr) log fortianalyzer3 setting fallback-to-primary
- (attr) log fortianalyzer3 setting server-cert-ca
- (node) rule fmwp
- (attr) system csf source-ip
- (attr) system csf upstream-interface
- (attr) system csf upstream-interface-select-method
- (attr) system global gui-auto-upgrade-setup-warning
- (attr) system global ipv6-allow-local-in-silent-drop
- (attr) system global npu-neighbor-update
- (attr) system interface mediatype (2 platforms: 101F,100F)
- (node) system netflow collectors
- (attr) system np6xlite congestion-handling-mode (2 platforms: 201F,200F)
- (attr) system npu fp-anomaly sctp-csum-err (11 platforms: 3700F,3701F,400F,1000F,3201F,600F,3200F)
- (attr) system npu ip-fragment-offload (14 platforms: 3701F,3200F,400F,1001F,1000F,601F,3201F,401F,3700F,600F)
- (attr) system npu split-ipsec-engines (27 platforms: 60F,100F,40F,80F,200F,80F-2R,61F,81F,81F-2R-3G4G-POE,60F-3G4G,80F-POE,81F-2R-POE,40F-3G4G,71F,101F,80F-BYPASS,81F-POE,201F,70F-3G4G,70F,81F-2R)
- (attr) system npu tunnel-over-vlink (43 platforms: 3301E,3200D,401E,3300E,3401E,1100E,3960E,3400E,800D,2000E,2500E,1101E,501E,2200E,1500D,3000D,600E,500E,5001E,300E,3100D,3600E,1000D,5001E1,301E,2201E,400E,601E,400E-BYPASS,3601E,900D)
- (attr) system snmp sysinfo append-index
- (node) system vdom-netflow collectors
- (node) user external-identity-provider
- (attr) vpn ipsec phase1 azure-ad-autoconnect
- (node) vpn ipsec phase1 internal-domain-list
- (attr) vpn ipsec phase1-interface azure-ad-autoconnect
- (attr) vpn ipsec phase1-interface cert-trust-store
- (attr) vpn ipsec phase1-interface ems-sn-check
- (node) vpn ipsec phase1-interface internal-domain-list
- (attr) vpn ipsec phase1-interface remote-gw-country
- (attr) vpn ipsec phase1-interface remote-gw-end-ip
- (attr) vpn ipsec phase1-interface remote-gw-match
- (attr) vpn ipsec phase1-interface remote-gw-start-ip
- (attr) vpn ipsec phase1-interface remote-gw-subnet
- (attr) vpn ipsec phase1-interface remote-gw6-country
- (attr) vpn ipsec phase1-interface remote-gw6-end-ip
- (attr) vpn ipsec phase1-interface remote-gw6-match
- (attr) vpn ipsec phase1-interface remote-gw6-start-ip
- (attr) vpn ipsec phase1-interface remote-gw6-subnet
- (attr) web-proxy global log-policy-pending
- (attr) web-proxy global policy-category-deep-inspect
The following objects were removed:
- (attr) switch-controller managed-switch ports link-status (98 platforms: excludes 5001E1,5001E)
- (attr) system console baudrate
- (attr) system global gui-allow-default-hostname
- (attr) system global ipv6-allow-local-in-slient-drop
- (attr) system netflow collector-ip
- (attr) system netflow collector-port
- (attr) system netflow interface
- (attr) system netflow interface-select-method
- (attr) system netflow source-ip
- (attr) system vdom-netflow collector-ip
- (attr) system vdom-netflow collector-port
- (attr) system vdom-netflow interface
- (attr) system vdom-netflow interface-select-method
- (attr) system vdom-netflow source-ip
The following default values changed:
- system fortiguard auto-firmware-upgrade-start-hour (2 -> 1)
- system global ssh-enc-algo (chacha20-poly1305@openssh.com aes256-ctr aes256-gcm@openssh.com -> aes256-ctr aes256-gcm@openssh.com)
- system interface ipv6 nd-cga-modifier (0000007264702F6C69627264705F7373 -> 0065636473612D776974682D73686132)
- system interface pvc-atm-qos (cbr -> ubr)
Additional option changes:
switch-controller 802-1X-settings tx-period
int-range (tag|lmt): 4,60 -> 12,60 (98 platforms: excludes 5001E1,5001E)
switch-controller managed-switch 802-1X-settings tx-period
int-range (tag|lmt): 4,60 -> 12,60 (98 platforms: excludes 5001E1,5001E)
switch-controller managed-switch ports speed
option-list (tag|opt): None -> ["2500full", "40000auto"] (98 platforms: excludes 5001E1,5001E)
switch-controller system tunnel-mode
option-list (tag|opt): None -> ["moderate"] (98 platforms: excludes 5001E1,5001E)
system dnp3-proxy term-baudrate
option-list (tag|opt): None -> ["9600"] (4 platforms: 60F,60F-3G4G,70F-3G4G,70F)
system interface pvc-atm-qos
option-list (tag|opt): None -> ["ubr"] (11 platforms: 60F,70F-3G4G,81F,70F,81F-2R-3G4G-POE,60F-3G4G,80F-BYPASS,80F,80F-POE,81F-POE,81F-2R-POE)
system interface speed
option-list (tag|opt): None -> ["100Gauto", "100Gfull", "100auto", "200Gauto", "200Gfull", "25000auto", "25000full", "2500auto", "40000auto", "40000full", "400Gauto", "400Gfull", "50000auto", "50000full", "5000auto"] (2 platforms: 101F,100F)
vpn ssl web portal bookmark-group bookmarks keyboard-layout
option-list (tag|opt): None -> ["la-am"]
vpn ssl web user-bookmark bookmarks keyboard-layout
option-list (tag|opt): None -> ["la-am"]
vpn ssl web user-group-bookmark bookmarks keyboard-layout
option-list (tag|opt): None -> ["la-am"]
wireless-controller wtp-group platform-type
option-list (tag|opt): None -> ["234G", "432G"]
wireless-controller wtp-profile platform type
option-list (tag|opt): None -> ["234G", "432G"]
Table changes:
- The system.interface table limit was changed from 0 (unlimited) to 1036.