
Upgrade Requirements

Ticket #

Description

Upgrade Path Requirements

Systems on version 9.1.6 must upgrade to either:

- Higher version of 9.1 (e.g. 9.1.7)

- 9.2.4 or higher

Systems on versions 8.2 or lower must upgrade to 8.3 before upgrading to 8.4 or higher.

Legacy SSH Ciphers

Vulnerable (legacy) Diffie-Hellman SSH key exchange methods, referred to here as ciphers, were removed from versions 9.2.8, 9.4.4, F7.2.3 and greater. The removal of these ciphers can cause SSH communication to fail between FortiNAC and network infrastructure devices that still support only these legacy ciphers. Depending upon the device, the resulting behavior can vary from failing L2 and L3 polling to failing VLAN switching. The following events would be generated for the affected device:

  • L2 Poll Failed

  • L3 Poll Failed

  • VLAN Switch Failure

If an affected device cannot be updated to support current key exchange methods, the legacy ciphers must be re-added to FortiNAC via the CLI after upgrade. Re-adding them re-enables the weak key exchange on the FortiNAC side, so treat this as a temporary measure and remove the ciphers again once the device firmware has been updated. For details, see KB article https://community.fortinet.com/t5/FortiNAC-F/Troubleshooting-Tip-SSH-communication-fails-after-upgrade-due-to/ta-p/281029

892856

High Availability and FortiNAC Manager Environments: The following are required as of 9.2.8:

  • Key files containing certificates are installed in all FortiNAC servers. License keys with certificates were introduced on January 1st, 2020. Appliances registered after January 1st, 2020 should have certificates. To confirm, log in to the UI of each appliance and review the System Summary Dashboard widget (Certificates = Yes). If there are no certificates, see Importing License Key Certificates in the applicable FortiNAC Manager Guide.

  • Allowed serial numbers: Due to enhancements in communication between servers, a list of allowed FortiNAC appliance serial numbers must be set. This can be configured prior to upgrade to avoid communication interruption. For instructions, see Pre-upgrade Procedures.

885056

All devices managed by FortiNAC must have a unique IP address. This includes FortiSwitches in Link Mode: Managed FortiSwitch interface IP addresses must be unique. Otherwise, they will not be properly managed by FortiNAC and inconsistencies may occur. This is also noted in the FortiSwitch Integration reference manual.

9.2

As of Persistent Agent version 5.3, there is no option to disable secure agent communications. Agents upgraded from previous versions to 5.3 or greater will communicate over TCP 4568 regardless of the "securityEnabled" Persistent Agent setting. Therefore, the following must be done prior to upgrading hosts to agent version 5.3:

  • Ensure valid SSL certificates are installed in the Persistent Agent Certificate Target. For details see section Certificate Management in the Administration Guide.

  • Packet Transport Configurations must have TCP 4568 listed. For instructions see section Transport configurations in the Administration Guide.
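Because agents at 5.3 and later always use the secure transport, the certificate presented on TCP 4568 is what decides whether upgraded hosts can still reach FortiNAC. The following script, an added example and not FortiNAC or Fortinet code, checks that endpoint the way an agent host would: it connects with the local trust store, and reports whether the name the agents use appears in the certificate's Subject Alternative Names and how long the certificate has left. It assumes TCP 4568 is a plain TLS listener (the agent's own framing is not described on this page); the 30-day warning threshold, the host name and the sample certificate are constructed for the example.

```python
"""Check the certificate FortiNAC presents on the Persistent Agent port.

Added example, not FortiNAC code. Assumes TCP 4568 is a plain TLS listener.
A chain the local trust store does not accept raises
ssl.SSLCertVerificationError, which is the same failure an agent host that
lacks the issuing CA would hit after upgrading to agent 5.3.
"""
import socket
import ssl
import time

PA_PORT = 4568   # TCP port the Persistent Agent uses (from the release note)
WARN_DAYS = 30   # assumption: warn when less than this remains

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "subject": ((("commonName", "nac.example.test"),),),
    "subjectAltName": (("DNS", "nac.example.test"),
                       ("DNS", "*.corp.example.test"),
                       ("IP Address", "10.0.0.5")),
    "notBefore": "Jan  1 00:00:00 2030 GMT",
    "notAfter": "Jan  1 00:00:00 2031 GMT",
}


def san_matches(cert, hostname):
    """True if hostname appears in the SAN list (DNS or IP).

    Wildcards match exactly one label, as in RFC 6125; the CN is ignored,
    which is what current TLS clients do.
    """
    host = hostname.lower()
    for kind, value in cert.get("subjectAltName", ()):
        v = value.lower()
        if kind == "IP Address" and v == host:
            return True
        if kind == "DNS":
            if v == host:
                return True
            if v.startswith("*.") and "." in host and host.split(".", 1)[1] == v[2:]:
                return True
    return False


def assess(cert, hostname, now_ts=None):
    """Summarise what an agent would see: name match and remaining validity."""
    now_ts = time.time() if now_ts is None else now_ts
    days = (ssl.cert_time_to_seconds(cert["notAfter"]) - now_ts) / 86400
    problems = []
    if not san_matches(cert, hostname):
        problems.append(f"no SAN entry for {hostname}")
    if days < 0:
        problems.append("certificate expired")
    elif days < WARN_DAYS:
        problems.append(f"expires in {int(days)} days")
    return {"days_left": days, "problems": problems}


def check_pa_endpoint(hostname, port=PA_PORT, timeout=5.0):
    """Connect to FortiNAC:4568 with the default trust store and assess the cert."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    return assess(cert, hostname)


if __name__ == "__main__":
    import sys
    # Use the exact name configured in the agents' server settings.
    result = check_pa_endpoint(sys.argv[1])
    print(f"days left: {result['days_left']:.0f}")
    print("problems: " + (", ".join(result["problems"]) or "none"))
```

Run it from a host that has the same trust store as the agent population, since a chain that verifies on the FortiNAC server itself proves nothing about the endpoints.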

9.2

The number of Operating System and Anti-Virus program options in the Scan Configuration has been reduced. Only those currently supported or commonly in use are now listed. For a list of available Operating Systems and Anti-Virus programs, see KB article 198098.
