Known issues
Known issues are organized into the following categories:
To inquire about a particular bug or to report a bug, please contact Fortinet Customer Service & Support.
New known issues
The following issues have been identified in version 7.6.2.
Global ADOM
|
Bug ID |
Description |
|---|---|
| 1111249 | Unable to assign Global Policy to any ADOM when firewall address with metadata variables has been used. |
Other
|
Bug ID |
Description |
|---|---|
| 1143100 |
Unable to add physical FortiProxy to FortiManager. |
Policy & Objects
|
Bug ID |
Description |
|---|---|
| 1112011 | When a policy package contains a globally assigned policy, installing a local ADOM policy package (with the "Install On" feature enabled for a specific device) may not function properly. The policy could be installed on all devices instead of the intended one. |
Existing known issues
The following issues have been identified in a previous version of FortiManager and remain in FortiManager 7.6.2.
AP Manager
|
Bug ID |
Description |
|---|---|
| 1086946 |
The FortiAP upgrade via FortiManager may fail (on FGT 7.6.1). The process could stop at the controller_download_image step or experience a prolonged stall, eventually resulting in a timeout. |
|
1083224 |
FortiManager attempts to install 'port1-mode > bridge-to-wan' when 'Override LAN Port' is enabled and 'LAN Port Bridge' is set to 'Bridge to LAN'. |
Device Manager
|
Bug ID |
Description |
|---|---|
| 932579 | Assigning a BGP template is purging the previously existing BGP config from the target FortiGates |
| 995919 | Cannot config system password-policy expire-day for FortiGates. |
| 1004220 | The SD-WAN Overlay template creates route-map names that exceed the 35-character limit. |
| 1041265 | While using a Device Blueprint to apply a pre-run cli template and creating model devices via CSV import, the pre-run does not show applied in Device Manager. |
| 1073479 | Install preview does not function properly. |
| 1079654 | Firewall address entries are incorrectly generated when creating a bridge/mesh-type SSID. |
| 1080940 | In an IPSEC tunnel template, deleting an IPSEC tunnel that is not the last one in the template causes the configuration of the last remaining tunnel to disappear when you revisit the template. |
| 1085385 | Importing SD-WAN configuration previously completed on a FortiGate as a provisioning template in FortiManager returns "Response format error" message. |
|
1086303 |
An installation error may occur when binding and installing the created VLAN interface to the software switch due to Workaround: Use a script (CLI template) on device database on FortiManager to unset " |
| 1089102 | Metadata variable value cannot be emptied (value deleted) after a value has been set via Edit Variable Mapping for a model device. |
| 1094451 | If the Timezone field in the System Template is left blank, FortiManager may apply its default timezone and overwrite the existing timezone on the FortiGates. |
| 1099270 | Unable to upgrade of FortiGate HA devices via Firmware Templates. |
| 1103166 | Installation wizard might stuck at 50% if the device has Jinja CLI template assigned. |
| 1110780 |
FortiManager does not allow creating the local-in policy with SD-WAN zone. Workaround: Delete the local-in policy from policy package and use CLI template instead to add the policy. |
| 1115014 | FortiManager fails to install SSID configuration in FortiGate when captive portal is enabled with error "Must set selected-usergroups". |
| 1119280 | Firmware Template assignment does not work properly. |
|
1122481 |
When a FortiGate HA failover occurs, making any configuration changes on the FortiGate HA may cause FortiManager to attempt to purge the firewall policies on the device during the installation (Install Device Settings (only)). Workaround: Always install Policy Package and Device Settings, even when only device config is changed. Review the Installation preview carefully. |
| 1124171 |
FortiManager retrieves the device configuration from the ZTP FortiGate after the image upgrade is performed, due to the Enforce Firmware feature. This action erases all settings in the device database on the FortiManager side, and as a result, AutoLink installation will not be completed successfully. Workaround: config fmupdate fwm-setting
set retrieve disable
end
|
| 1126321 | When creating a VLAN with "LAN" Role, an object is created even if "Create Address Object Matching Subnet" is disabled. |
|
1136080 |
Starting from FortiOS version 7.2.11, FortiGate devices use a different password type for the administrator's password field. FortiManager versions released before this change cannot verify the administrator password when installing to a FortiGate, which may result in an installation failure. |
FortiSwitch Manager
|
Bug ID |
Description |
|---|---|
| 1026433 | When navigating to FortiSwitch Manager > FSW VLAN > "BUILD-VLAN" and enabling the DHCP Server, the Advanced options are missing the filename field. |
| 1097467 | There is a mismatch in the per-VDOM limit between the Managed FortiSwitch on the FortiManager and the actual FortiGate, causing a copy failure error when installing the configuration. So far, this issue has been observed on the FGT-90G. |
| 1077058 | IPv4 allow access for VLAN interface over Per-Device Mapping cannot be set. |
Others
|
Bug ID |
Description |
|---|---|
|
1009848 |
Support ISE distributed deployment: PAN/MnT Nodes up to 2, Pxgrid Nodes up to 4. |
|
1049457 |
When FortiAnalyzer is added as a managed device, users may encounter an issue in the FortiManager GUI when expanding the log details. |
|
1052341 |
Not able to select Address type MAC in SD-WAN rule source address. |
| 1053830 |
Not possible to enable any of the MEAs from GUI (when MEA is visible and at least one app is running ). Workaround:
Use the following CLI command to
enable them (in this example, config system docker set status enable set universalconnector enable end |
| 1091375 | When the install is waiting for a session, it neither updates nor completes the task. |
|
1105387 |
The upgrade task failed when the FortiManager attempted to send the image to the FortiGates. The image file transfer between FortiManager and FortiGate appeared to fail over the FGFM tunnel. FortiManager timed out and was unable to retrieve the FGT version (first observed in FGT version 7.6.1). Workaround: Enable option Let Device Download Firmware From FortiGuard on the FortiManager side. |
|
1106312 |
The Table View and Device History sections under the SD-WAN Manager's Network tab do not properly display all detailed information, such as Interfaces, Link Mode, and other relevant data. (This issue was initially reported in relation to FGT 7.6.1) |
| 1114809 |
After upgrading the FortiManager using the "Upgrade Image via FortiGuard" feature, the FortiManagerJSON API login may fail, leading to service disruptions. This issue is important for FortiPortal and other FortiManager API clients. Workaround: If the JSON API login failure is observed, reboot the FortiManager. |
| 1117603 |
Some compatibility issues have been encounteredwith FortiOS 7.4.7, please review FortiManager 7.6.2 and FortiOS 7.4.7 compatibility issues. |
| 1124007 | 'Ok' button does not save the settings. Navigate to Device Manager > Device & Groups > Right click on FGT > Firmware upgrade > Schedule > Custom > Define time > Press OK. |
|
1136765 |
The PxGrid connector should support Fully Qualified Domain Names (FQDN). |
|
1254367 |
FortiManager instances deployed on Azure may lose all data—including configuration, logs, and reports—if the VM is deallocated and subsequently reallocated. This may occur during Azure-level operations such as VM stop (deallocate) or SKU/size changes. Please refer to the Special Notices for more information. |
Policy & Objects
|
Bug ID |
Description |
|---|---|
| 958923 | Installing policy packages that utilize an SSL/SSH Inspection profile may fail with the error message "Server certificate replace mode cannot support category exempt." |
| 968149 | Unable to export policy package to CSV. |
| 1030914 | Copy and paste function in GUI removes name of the policy rule and adds unwanted default security profiles (SSL-SSH no-inspection and default PROTOCOL OPTIONS). |
| 1073463 | Installation is failed with error, "VIP entry cannot be moved when central-nat is disabled." |
|
1077964 |
After ZTNA server real server address type changes from FQDN to IP, the policy installation may fail; FortiManager pushes ZTNA server config with wrong order. |
| 1086705 | Multicast policy table Log column shows wrong info and right click update does not work properly. |
| 1101436 | The sni-server-cert-check
cannot be disabled on SSL-SSH inspection profile for ftps, pop3s, and smtps. |
| 1101919 | Changes to a Virtual IP global settings are not applied when a per-device mapping exists. |
| 1108159 | IP address list for an ISDB object differ between FortiManager and managed FortiGate while both devices have installed the same ISDB definitions. |
| 1109061 | FortiManager tries to set the inspection mode for the deny policies. |
| 1119299 | Installation fails due to syntax compatibility issues between FortiManager and FortiGate version 7.2.10. Specifically, the issue occurs when FortiManager attempts to unset the
servercert in the vpn ssl settings. |
| 1130475 | FortiManager starts appending an ID to the global-label associated with policies. This can cause a problem if global labels are being used to group policies together. |
| 1131552 | Import fails due to an invalid remote certificate, even though the certificate is available on the FortiGate. |
| 1132984 | FortiManager is not updating SSL inspection settings. |
| 1133553 | Unused policy tool showing No hit count report for this policy package message when policy block is added to policy package. |
| 1139220 | FortiManager does not prevent users to mix ISDB and destination addresses. |
Script
|
Bug ID |
Description |
|---|---|
| 1085374 |
FortiManager does not support exporting the TCL scripts via CLI. |
Services
|
Bug ID |
Description |
|---|---|
| 1104925 | FortiManager in Cascade mode may fail to display accurate license information/contracts for FortiGate retrieved from the FDS server, as it is not listed in the FortiGate's authlist. |
| 1108706 |
When updating query service packages from the global anycast server (globalupdate.fortinet.net), medium-sized IoTS packages may encounter checksum errors. These errors can prevent the proper updating of SPAM and URL databases, potentially impacting the FortiManager's FortiGuard Services. |
| 1138715 | FortiManager does not auto-download the FortiClient signature from FortiGuard. |
System Settings
|
Bug ID |
Description |
|---|---|
| 1081463 | The encrypted backup file cannot be easily correlated with the backup details, as the date and time are not included. |
| 1108205 | ADOM lock override does notwork
even though lock-preempt has been enabled. |
| 1115464 |
When any interfaces have the serviceaccess feature enabled (fgtupdates, fclupdates, and webfilter-antispam), changing the IP address on the desired interfaces may not immediately affect the listing port for that IP. As a result, the user might not be able to access the GUI using the newly configured IP address (assuming default port 443 is being used). Workaround:
|
| 1121608 | Under the Dashboard > Sessions widget, the number of current sessions presented in FortiManager does not match the number of sessions in the FortiGate. |
VPN Manager
|
Bug ID |
Description |
|---|---|
| 1084434 | Unable to rename the address objects (either source and/or destination) used in Phase2 quick selectors in IPSec VPN without an installation error. |
| 1090636 | Unable to edit VPN communitydue to the following error message: "vpnmgr/vpntable/: cannot be edited". |