Feature Specific Considerations
| Version | Description |
|---|---|
| 8.x | Upgrade path requirements: |
| 8.x | Upgrading NAC from pre-8 versions to 8.x could break communication with agents running version 3.0 through 3.2. Hosts that have security disabled are not affected. In agent versions 3.3 and greater, the communication protocol was changed from SSLv3 to TLS to address the POODLE vulnerability (CVE-2014-3566). As of Network Sentry 8.0.0, SSLv3 has been disabled completely.<br>Secure Agent Communication Compatibility Summary:<br>NAC 7.x: Compatible with all 3.x agents<br>NAC 8.x: Compatible with 3.3.x (and above) agents<br>Workaround: Re-enable SSLv3 until agents are upgraded. |
| 8.3.x | For new installs and upgrades from older than 8.2, the "Default UDP" Persistent Agent Transport Configuration (UDP 4567) will initially be disabled. Agent versions 3.x and 4.x use both TCP 4568 and UDP 4567 to communicate.<br>Workaround: After completing the upgrade, re-enable the Default UDP Transport Configuration to allow FortiNAC to communicate with agents running pre-5.x versions. |
| 8.5.x and higher | Requires CentOS 7.4 or higher. The currently installed CentOS version is listed as "Distribution" in the CLI login banner or by typing "sysinfo". Example:<br>If the CentOS version is below 7.4, run OS updates and reboot before upgrading. For instructions on updating CentOS, refer to the Fortinet Document Library.<br>A Network Access Policy is required for the user-id to be sent to the firewall for Palo Alto SSO and FortiGate RSSO integrations. For details, refer to related KB article FD49517. |
| 8.8.x | Requires access to downloads.bradfordnetworks.com from each appliance or virtual machine. The update automatically installs CentOS files for the new Local Radius Server feature on the Control Server(s). If access is blocked, the software upgrade will fail. The default transfer protocol can be changed from FTP to either HTTPS or HTTP. For instructions, refer to the Appendix of the CentOS Updates reference manual.<br>When upgrading from a pre-8.8 version to 8.8.0 or 8.8.1, the upgrade may hang if the appliance does not have external FTP access. The upgrade introduces a new local RADIUS server feature that requires additional CentOS patches. The download and installation of the patches occur during the upgrade process. A new .repo file is written in order to download the patches and specifies FTP as the transfer protocol.<br>Note: As of 8.8.2, the default protocol was changed to HTTP.<br>Customers that currently do not have a README and want to upgrade themselves should do the following:<br>Customers that currently have a README, do not want to upgrade themselves, or cannot make the temporary firewall change should contact Support to schedule the upgrade.<br>802.1x implementations: Port 1813 is no longer listening after upgrading from a pre-8.8 version. After upgrade, re-enable by performing the following steps:<br>See KB Article FD50889. https://kb.fortinet.com/kb/microsites/microsite.do?cmd=displayKC&docType=kc&externalId=FD50889 |
| 8.8.3 | |
| 8.8.5 | |
| 9.2 | As of Persistent Agent version 5.3, there is no option to disable secure agent communications. Agents upgraded from previous versions to 5.3 or greater will communicate over TCP 4568 regardless of the "securityEnabled" Persistent Agent setting. Therefore, the following must be done prior to upgrading hosts to agent version 5.3: |
| 9.2 | The number of Operating System and Anti-Virus program options in the Scan Configuration has been reduced. Only those currently supported or commonly in use are now listed. For a list of available Operating Systems and Anti-Virus programs, see KB article 198098. |
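The agent-related notes for 8.x, 8.3.x and 9.2 can be checked against a host inventory before an upgrade. The following is an added example, not Fortinet code: the inventory, its column names and the `ver`/`audit` functions are constructed for illustration, and it assumes the 8.x and 8.3.x notes also apply when the target is a later release.

```python
import csv
import io

# Constructed sample inventory (not real hosts): hostname, installed Persistent
# Agent version, "securityEnabled" setting, agent version planned after rollout.
INVENTORY = """host,agent,security_enabled,planned_agent
lab-pc-01,3.1.4,true,3.1.4
lab-pc-02,3.2.0,false,3.2.0
kiosk-07,4.1.2,true,4.1.2
hr-lt-12,5.2.1,false,5.3.0
eng-ws-03,5.3.0,true,5.3.0
"""

def ver(text):
    """'3.2.0' -> (3, 2, 0) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))

def audit(inventory_csv, nac_target, upgrading_from):
    """Return (host, finding) pairs for agents the notes above say are affected."""
    target, source = ver(nac_target), ver(upgrading_from)
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        agent, planned = ver(row["agent"]), ver(row["planned_agent"])
        secure = row["security_enabled"].lower() == "true"
        # 8.x note: SSLv3 is disabled as of 8.0.0, so agents 3.0 through 3.2
        # with security enabled lose communication; unsecured hosts do not.
        if source < (8,) <= target and (3, 0) <= agent < (3, 3) and secure:
            findings.append((row["host"],
                             "SSLv3-only agent: upgrade agent to 3.3+"))
        # 8.3.x note: the Default UDP transport (UDP 4567) starts disabled when
        # upgrading from older than 8.2; pre-5.x agents need it re-enabled.
        if target >= (8, 3) and source < (8, 2) and agent < (5,):
            findings.append((row["host"],
                             "pre-5.x agent: re-enable Default UDP 4567"))
        # 9.2 note: agent 5.3+ ignores securityEnabled and always uses TCP 4568.
        if agent < (5, 3) <= planned and not secure:
            findings.append((row["host"],
                             "agent 5.3+ will use secure TCP 4568"))
    return findings

if __name__ == "__main__":
    for host, finding in audit(INVENTORY, "8.8.2", "7.5.0"):
        print(f"{host}: {finding}")
```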