Fortimanager v6.4.6 Release Notes
Version 6.4.6
July 8, 2021
FortiManager 6.4.6 Release Notes
02-646-721291-20210708
TABLE OF CONTENTS
Change Log
FortiManager 6.4.6 Release
Supported models
FortiManager VM subscription license
Management extension applications
Supported models for MEA
Minimum system requirements
Special Notices
ADOM version enforcement
Management Extension Applications (MEA) and upgrade
Policy Hit Count on unused policy
Wireless Manager (FortiWLM) not accessible
SD-WAN Orchestrator not accessible
Support for FortiOS 6.4 SD-WAN Zones
FortiGuard Rating Services with FortiGate 6.4.1 or Later
Citrix XenServer default limits and upgrade
Multi-step firmware upgrades
Hyper-V FortiManager-VM running on an AMD CPU
SSLv3 on FortiManager-VM64-AWS
Upgrade Information
Downgrading to previous firmware versions
Firmware image checksums
FortiManager VM firmware
SNMP MIB files
Product Integration and Support
FortiManager 6.4.6 support
Web browsers
FortiOS/FortiOS Carrier
FortiADC
FortiAnalyzer
FortiAuthenticator
FortiCache
FortiClient
FortiDDoS
FortiMail
FortiSandbox
FortiSOAR
FortiSwitch ATCA
FortiWeb
Virtualization
Feature support
Language support
2021-06-17 Updated Resolved Issues on page 30 and Known Issues on page 41.
2021-06-18 Updated Resolved Issues on page 30 and Known Issues on page 41.
2021-06-21 Updated Resolved Issues on page 30 and FortiGate special branch models on page 22.
2021-07-08 Added support for FortiSandbox 3.2 and 4.0 to FortiSandbox on page 16 and FortiSandbox
models on page 27.
This document provides information about FortiManager version 6.4.6 build 2363.
The recommended minimum screen resolution for the FortiManager GUI is 1920 x 1080.
Please adjust the screen resolution accordingly. Otherwise, the GUI may not display properly.
Supported models
The FortiManager VM subscription license supports FortiManager version 6.4.1 and later. For information about
supported firmware, see FortiManager VM firmware on page 11.
See also Appendix B - Default and maximum number of ADOMs supported on page 46.
You can use the FortiManager VM subscription license with new FMG-VM installations.
For existing FMG-VM installations, you cannot upgrade to a FortiManager VM subscription
license. Instead, you must migrate data from the existing FMG-VM to a new FMG-VM with
subscription license.
The following section describes supported models and minimum system requirements for management extension
applications (MEA) in FortiManager 6.4.6.
FortiManager uses port TCP/4443 to connect to the Fortinet registry and download MEAs.
Ensure that the port is also open on any upstream FortiGates. For more information about
incoming and outgoing ports, see the FortiManager 6.4 Ports and Protocols Guide.
You can use any of the following FortiManager models as a host for management extension applications:
Some management extension applications supported by FortiManager 6.4.6 have minimum system requirements. See
the following table:
Wireless Manager (WLM) A minimum of 4 CPU cores and 8 GB RAM is typically required. Depending on the
number of running applications, the allocated resources should be increased.
This section highlights some of the operational changes that administrators should be aware of in 6.4.6.
Starting in FortiManager 6.4.6, ADOM versions are enforced. ADOM version N and N+1 are allowed, and the
enforcement affects policy package installation.
For example, if you have ADOM version 6.0, and it contains a FortiGate running FortiOS 6.4, you cannot install a version
6.0 policy package to the FortiGate. The policy package installation fails with the following error message: Device
preparation failed: version mismatched,adom:6.0; dev:6.4.
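The N and N+1 rule above, written as a pre-install check over a device inventory. This is an added example, not Fortinet code. It assumes the FortiOS branch order 6.0, 6.2, 6.4 from this page's FortiOS support list, reads N+1 as the next branch after the ADOM's, and treats a device older than its ADOM as blocked; the device and ADOM names are constructed.

```python
"""Pre-install check for ADOM version enforcement (added example)."""

# Assumption: FortiOS branches managed by this release, in order, taken from
# the FortiOS/FortiOS Carrier support list on this page.
RELEASE_TRAIN = ["6.0", "6.2", "6.4"]


def branch(version):
    """Reduce a version such as '6.4.6' or 'v6.2' to its major.minor branch."""
    parts = version.strip().lstrip("vV").split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts[:2]):
        raise ValueError(f"unrecognised version: {version!r}")
    return f"{int(parts[0])}.{int(parts[1])}"


def install_allowed(adom_version, device_version):
    """True when the device branch is the ADOM branch (N) or the next one (N+1)."""
    adom, dev = branch(adom_version), branch(device_version)
    if adom not in RELEASE_TRAIN or dev not in RELEASE_TRAIN:
        # Outside the known train: report as blocked so it gets reviewed by hand.
        return False
    offset = RELEASE_TRAIN.index(dev) - RELEASE_TRAIN.index(adom)
    return offset in (0, 1)


def expected_error(adom_version, device_version):
    """The error message quoted in the release note, filled in for this pair."""
    return ("Device preparation failed: version mismatched,"
            f"adom:{branch(adom_version)}; dev:{branch(device_version)}")


def preflight(inventory):
    """Return (device, adom_name, message) for each device whose install would fail."""
    findings = []
    for device, adom_name, adom_version, fos_version in inventory:
        if not install_allowed(adom_version, fos_version):
            findings.append(
                (device, adom_name, expected_error(adom_version, fos_version))
            )
    return findings


# Constructed sample inventory: (device, ADOM name, ADOM version, FortiOS version).
SAMPLE_INVENTORY = [
    ("fgt-branch-01", "retail", "6.0", "6.0.12"),  # N: allowed
    ("fgt-branch-02", "retail", "6.0", "6.2.9"),   # N+1: allowed
    ("fgt-dc-01", "retail", "6.0", "6.4.6"),       # N+2: the failing case from the note
    ("fgt-dc-02", "core", "6.2", "6.4.6"),         # N+1: allowed
]

if __name__ == "__main__":
    for device, adom_name, message in preflight(SAMPLE_INVENTORY):
        print(f"{device} (ADOM {adom_name}): {message}")
```

Feed it an export of device, ADOM version and FortiOS version before a FortiManager upgrade to list the ADOMs that need upgrading first.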
Upgrading FortiManager when Management Extension Applications (MEA) are enabled may reset your System Settings
to the default settings.
To prevent your System Settings from being lost, please disable all Management Extension Applications (MEA) prior to
upgrading FortiManager.
FortiManager 6.4.3 and later no longer displays policy hit count information on the Policy & Objects > Policy Packages
pane. However, you can view hit count information by using the Unused Policies feature and clearing the Unused Only
checkbox. For more information, see the FortiManager 6.4 New Features Guide.
If Wireless Manager was enabled in FortiManager 6.4.0, you can no longer access it in the FortiManager GUI when you
upgrade FortiManager to 6.4.2. When you try to access FortiWLM, you are redirected to the FortiManager dashboard.
If SD-WAN Orchestrator was enabled in FortiManager 6.4.1, you can no longer access it in the FortiManager GUI after
upgrading to FortiManager 6.4.2.
To work around this issue, run the following CLI command to manually trigger an update of SD-WAN Orchestrator to
6.4.1 r2:
diagnose docker upgrade sdwancontroller
In 6.4 ADOMs, SD-WAN member interfaces are grouped into SD-WAN zones. These zones can be imported as
normalized interfaces and used in firewall policies.
Customers upgrading FortiGates from FortiOS 6.2 to 6.4 who cannot upgrade the ADOM are
advised to temporarily disable SD-WAN central management until they can upgrade the
ADOM to 6.4. This is to prevent FortiManager from attempting to delete the newly created
SD-WAN zones on the FortiGate.
FortiManager 6.4.1 or later is the supported version to provide FortiGuard rating services to FortiGate 6.4.1 or later.
Citrix XenServer limits ramdisk to 128M by default. However, the FMG-VM64-XEN image is larger than 128M. Before
updating to FortiManager 6.4, increase the size of the ramdisk setting on Citrix XenServer.
Prior to using the FortiManager to push a multi-step firmware upgrade, confirm the upgrade path matches the path
outlined on our support site. To confirm the path, please run:
dia fwmanager show-dev-upgrade-path <device name> <target firmware>
A Hyper-V FMG-VM running on a PC with an AMD CPU may experience a kernel panic. Fortinet recommends running
VMs on an Intel-based PC.
SSLv3 on FortiManager-VM64-AWS
Due to known vulnerabilities in the SSLv3 protocol, FortiManager-VM64-AWS only enables TLSv1 by default. All other
models enable both TLSv1 and SSLv3. If you wish to disable SSLv3 support, please run:
config system global
set ssl-protocol tlsv1
end
For other upgrade paths and details about upgrading your FortiManager device, see the
FortiManager Upgrade Guide.
FortiManager does not provide a full downgrade path. You can downgrade to a previous firmware release via the GUI or
CLI, but doing so results in configuration loss. In addition, the local password is erased.
A system reset is required after the firmware downgrading process has completed. To reset the system, use the
following CLI commands via a console port connection:
execute reset {all-settings | all-except-ip}
execute format {disk | disk-ext4 | disk-ext3}
The MD5 checksums for all Fortinet software and firmware releases are available at the Customer Service & Support
portal, https://support.fortinet.com. After logging in, select Download > Firmware Image Checksums, enter the image file
name including the extension, and select Get Checksum Code.
FortiManager VM firmware
Fortinet provides FortiManager VM firmware images for Amazon AWS, Citrix and Open Source XenServer, Linux KVM,
Microsoft Hyper-V Server, and VMware ESX/ESXi virtualization environments.
Aliyun
• .out: Download the 64-bit firmware image to upgrade your existing FortiManager VM installation.
• .out.kvm.zip: Download the 64-bit package for a new FortiManager VM installation. This package contains
QCOW2 that can be used by qemu.
• The 64-bit Amazon Machine Image (AMI) is available on the AWS marketplace.
• .out: Download the 64-bit firmware image to upgrade your existing FortiManager VM installation.
• .out.OpenXen.zip: Download the 64-bit package for a new FortiManager VM installation. This package contains
the QCOW2 file for the Open Source Xen Server.
• .out.CitrixXen.zip: Download the 64-bit package for a new FortiManager VM installation. This package
contains the Citrix XenServer Virtual Appliance (XVA), Virtual Hard Disk (VHD), and OVF files.
Linux KVM
• .out: Download the 64-bit firmware image to upgrade your existing FortiManager VM installation.
• .out.kvm.zip: Download the 64-bit package for a new FortiManager VM installation. This package contains
QCOW2 that can be used by qemu.
Microsoft Azure
The files for Microsoft Azure have AZURE in the filenames, for example,
FMG_VM64_AZURE-v<number>-build<number>-FORTINET.out.hyperv.zip.
• .out: Download the firmware image to upgrade your existing FortiManager VM installation.
The files for Microsoft Hyper-V Server have HV in the filenames, for example,
FMG_VM64_HV-v<number>-build<number>-FORTINET.out.hyperv.zip.
• .out: Download the firmware image to upgrade your existing FortiManager VM installation.
• .hyperv.zip: Download the package for a new FortiManager VM installation. This package contains a Virtual
Hard Disk (VHD) file for Microsoft Hyper-V Server.
VMware ESX/ESXi
• .out: Download the 64-bit firmware image to upgrade your existing VM installation.
• .ovf.zip: Download the 64-bit package for a new VM installation. This package contains an Open
Virtualization Format (OVF) file for VMware and two Virtual Machine Disk Format (VMDK) files used by the OVF file
during deployment.
For more information, see the FortiManager Data Sheet available on the Fortinet web site. VM
installation guides are available in the Fortinet Document Library.
You can download the FORTINET-FORTIMANAGER-FORTIANALYZER.mib MIB file in the firmware image file folder.
The Fortinet Core MIB file is located in the main FortiManager version 5.00 file folder.
This section lists FortiManager 6.4.6 support of other Fortinet products. It also identifies what FortiManager features are
supported for managed platforms and what languages FortiManager supports. It also lists which Fortinet models can be
managed by FortiManager.
The section contains the following topics:
• FortiManager 6.4.6 support
• Feature support
• Language support
• Supported models
This section identifies FortiManager 6.4.6 product integration and support information:
• Web browsers
• FortiOS/FortiOS Carrier
• FortiADC
• FortiAnalyzer
• FortiAuthenticator
• FortiCache
• FortiClient
• FortiDDoS
• FortiMail
• FortiSandbox
• FortiSOAR
• FortiSwitch ATCA
• FortiWeb
• Virtualization
To confirm that a device model or firmware version is supported by the current firmware
version running on FortiManager, run the following CLI command:
diagnose dvm supported-platforms list
Always review the Release Notes of the supported platform firmware version before upgrading
your device.
Web browsers
This section lists FortiManager 6.4.6 product integration and support for web browsers:
• Microsoft Edge 80 (80.0.361 or later)
• Mozilla Firefox version 88
• Google Chrome version 91
Other web browsers may function correctly, but are not supported by Fortinet.
FortiOS/FortiOS Carrier
This section lists FortiManager 6.4.6 product integration and support for FortiOS/FortiOS Carrier:
• 6.4.0 to 6.4.6
• 6.2.0 to 6.2.9
• 6.0.0 to 6.0.12
FortiADC
This section lists FortiManager 6.4.6 product integration and support for FortiADC:
• 6.0.1
• 5.4.4
FortiAnalyzer
This section lists FortiManager 6.4.6 product integration and support for FortiAnalyzer:
• 6.4.0 and later
• 6.2.0 and later
• 6.0.0 and later
• 5.6.0 and later
• 5.4.0 and later
FortiAuthenticator
This section lists FortiManager 6.4.6 product integration and support for FortiAuthenticator:
• 6.0 to 6.2
• 5.0 to 5.5
• 4.3 and later
FortiCache
This section lists FortiManager 6.4.6 product integration and support for FortiCache:
• 4.2.9
• 4.1.6
• 4.0.4
FortiClient
This section lists FortiManager 6.4.6 product integration and support for FortiClient:
• 6.4.0 and later
• 6.2.8
• 5.6.6
• 5.4.0 and later
FortiDDoS
This section lists FortiManager 6.4.6 product integration and support for FortiDDoS:
• 5.4.1
• 5.3.1
• 5.2.0
• 5.1.0
• 5.0.0
• 4.7.0
• 4.6.0
• 4.5.0
• 4.4.2
• 4.3.2
• 4.2.3
Limited support. For more information, see Feature support on page 18.
FortiMail
This section lists FortiManager 6.4.6 product integration and support for FortiMail:
• 6.4 or later
• 6.2 or later
• 6.0.10
• 5.4.11
• 5.3.13
FortiSandbox
This section lists FortiManager 6.4.6 product integration and support for FortiSandbox:
• 4.0.0
• 3.2.2
• 3.1.4
• 3.0.6
• 2.5.2
• 2.4.1
• 2.3.3
• 2.2.2
FortiSOAR
This section lists FortiManager 6.4.6 product integration and support for FortiSOAR:
• 6.4.0 and later
• 6.0.0 and later
FortiSwitch ATCA
This section lists FortiManager 6.4.6 product integration and support for FortiSwitch ATCA:
• 5.2.3
• 5.0.0 and later
FortiWeb
This section lists FortiManager 6.4.6 product integration and support for FortiWeb:
• 6.3.10
• 6.2.4
• 6.1.2
• 6.0.7
• 5.9.1
• 5.8.6
• 5.7.2
• 5.6.1
• 5.5.6
• 5.4.1
Virtualization
This section lists FortiManager 6.4.6 product integration and support for virtualization:
• Amazon Web Services (AWS)
• Citrix XenServer 6.0+ and Open Source Xen 4.1+
• Linux KVM
• Microsoft Azure
Feature support
The following table lists FortiManager feature support for managed platforms.
FortiGate ✓ ✓ ✓ ✓
FortiCarrier ✓ ✓ ✓ ✓
FortiADC ✓
FortiAnalyzer ✓ ✓
FortiAuthenticator ✓
FortiCache ✓ ✓
FortiClient ✓ ✓ ✓
FortiDDoS ✓ ✓
FortiMail ✓ ✓ ✓
FortiSandbox ✓ ✓ ✓
FortiSOAR ✓
FortiSwitch ATCA ✓
FortiWeb ✓ ✓ ✓
Syslog ✓
Language support
English ✓ ✓
Chinese (Simplified) ✓ ✓
Chinese (Traditional) ✓ ✓
French ✓
Japanese ✓ ✓
Korean ✓ ✓
Portuguese ✓
Spanish ✓
To change the FortiManager language setting, go to System Settings > Admin > Admin Settings. In Administrative
Settings > Language, select the desired language from the drop-down menu. The default value is Auto Detect.
Russian, Hebrew, and Hungarian are not included in the default report languages. You can create your own language
translation files for these languages by exporting a predefined language from FortiManager, modifying the text to a
different language, saving the file as a different language name, and then importing the file into FortiManager. For more
information, see the FortiAnalyzer Administration Guide.
Supported models
The following tables list the FortiGate, FortiCarrier, FortiDDoS, FortiAnalyzer, FortiMail, FortiSandbox, FortiSwitch
ATCA, FortiWeb, FortiCache, FortiProxy, and FortiAuthenticator models and firmware versions that can be managed by
a FortiManager or send logs to a FortiManager running version 6.4.6.
Software license activated LENC devices are supported, if their platforms are in the
supported models list. For example, support of FG-3200D indicates support of
FG-3200D-LENC.
FortiGate models
The following FortiGate models are released on a special branch of FortiOS. FortiManager supports these models.
FortiCarrier models
FortiADC models
FortiAnalyzer models
FortiAuthenticator models
Model | Firmware Version
FortiAuthenticator: FAC-200D, FAC-200E, FAC-400C, FAC-400E, FAC-1000C, FAC-1000D, FAC-2000E, FAC-3000B, FAC-3000D, FAC-3000E; FortiAuthenticator VM: FAC-VM | 4.3, 5.0-5.5, 6.0
FortiCache models
Model | Firmware Version
FortiCache: FCH-400C, FCH-400E, FCH-1000C, FCH-1000D, FCH-3000C, FCH-3000D, FCH-3000E, FCH-3900E; FortiCache VM: FCH-VM64, FCH-KVM | 4.0, 4.1, 4.2
FortiDDoS models
Model | Firmware Version
FortiDDoS: FI-200B, FI-400B, FI-600B, FI-800B, FI-900B, FI-1000B, FI-1200B, FI-1500B, FI-2000B, FI-2000E | 5.1
FortiDDoS: FI-200B, FI-400B, FI-600B, FI-800B, FI-900B, FI-1000B, FI-1200B, FI-2000B, FI-3000B | 4.0, 4.1, 4.2, 4.3, 4.4, 4.5, 4.7
FortiMail models
Model | Firmware Version
FortiMail: FE-60D, FE-200D, FE-200E, FE-400E, FE-1000D, FE-2000E, FE-3000D, FE-3000E, FE-3200E, FE-VM, FML-200F, FML-400F, FML-900F | 6.0
FortiMail: FE-60D, FE-200D, FE-200E, FE-400C, FE-400E, FE-1000D, FE-2000B, FE-2000E, FE-3000C, FE-3000E, FE-3200E; FortiMail Low Encryption: FE-3000C-LENC | 5.4
FortiMail: FE-60D, FE-200D, FE-200E, FE-400C, FE-400E, FE-1000D, FE-2000B, FE-2000E, FE-3000C, FE-3000D, FE-3000E, FE-3200E, FE-5002B; FortiMail Low Encryption: FE-3000C-LENC; FortiMail VM: FE-VM64, FE-VM64-HV, FE-VM64-XEN | 5.3
FortiMail: FE-60D, FE-200D, FE-200E, FE-400C, FE-400E, FE-1000D, FE-2000B, FE-3000C, FE-3000D, FE-5002B; FortiMail VM: FE-VM64, FE-VM64-HV, FE-VM64-XEN | 5.2
FortiMail: FE-100C, FE-200D, FE-200E, FE-400B, FE-400C, FE-400E, FE-1000D, FE-2000B, FE-3000C, FE-3000D, FE-5001A, FE-5002B; FortiMail VM: FE-VM64 | 5.1
FortiMail: FE-100C, FE-200D, FE-200E, FE-400B, FE-400C, FE-1000D, FE-2000A, FE-2000B, FE-3000C, FE-3000D, FE-4000A, FE-5001A, FE-5002B; FortiMail VM: FE-VM64 | 5.0
FortiProxy models
FortiSandbox models
FortiSOAR models
FortiWeb models
The following issues have been fixed in 6.4.6. For inquiries about a particular bug, please contact Customer Service &
Support.
AP Manager
Bug ID Description
590098 When adding a new WTP profile, FortiManager tries to set a default handoff-sta-thresh
and unset radio bands, which do not match the defaults for many of the E-series APs.
635643 5G channels may be mismatched between FortiManager and FortiGate for radio-1 and radio-2
with FAP-231E.
674636 SSID may be empty in AP Manager > WiFi Profiles > SSID column.
692911 FortiManager may not be able to display correct information for wireless radio in wireless
profile for FortiWiFi-80F-2R.
706233 FortiManager may not detect changes in AP Manager > SSID > Pre-shared Key Password
and display the message No record found.
712669 FortiManager may set darrp as enable on radio in monitor mode resulting in installation
failure.
Device Manager
Bug ID Description
521976 Users may not be able to enable CSV format within system template.
544982 Policy Package Status may become out-of-sync for all devices when adding one device to
Install On.
560444 FortiManager may not set pmf to enable, causing install to always fail with WPA3-SAE,
WPA3-Enterprise, or WPA3-SAE-Transition within 6.4 ADOM.
594211 FortiManager should be able to create new VLAN interface on fabric interface and install to
FortiGate.
603820 FortiManager fails to import policy when reputation-minimum and reputation-direction are set.
610585 Device Manager cannot save DHCP for Unknown MAC address with action sets to block.
636357 Retrieve may fail on FortiGate cluster with Failed to reload configuration. invalid value error.
649260 Device Manager may return an error when deleting VPN phase1.
654611 Under Advanced mode and within a VDOM, clicking Device Manager on the top menu returns
the no permission error.
658832 FortiManager is unable to retrieve priority-members if outgoing interface is using the Manual
strategy in SD-WAN rule.
664120 When FortiGate HA secondary unit is down, action is displayed as promote in Device
Manager.
665955 FortiManager is not reflecting proper admintimeout value in CLI only object.
667738 667738
670535 Install fails when creating a new DHCP reservation due to missing MAC address.
672344 If managed FortiAnalyzer is in HA, setting Send Logs to Managed FortiAnalyzer in the system
template may cause install error.
676002 FortiManager is not allowing to re-install policy when user selects all devices with VDOMs
from Device Manager.
680516 Host Name is truncated when name has more than 31 characters.
681627 FortiManager is accepting DNS source IP even though it is not part of the available interfaces.
683411 FortiManager may not display a FortiGate under the Device Manager > Managed Devices.
684372 When using VDOMs, Policy Package status remains in modified status after using Push to
device.
684462 FortiManager truncates the device configuration when downloading from View configuration
option.
684961 Registration with NSX-T may fail with error: Register service failed.
688541 FortiManager should not unset dynamic-vlan of wireless-controller VAP and gateway of
router settings after import.
689014 FortiManager may return an error when changing FortiGate device log configuration from
FortiManager with management VDOM moved to another VDOM.
690012 Changing the value of a meta-data field for a device should trigger the change with
configuration status.
690566 Changes to the Disclaimer Page may not be saved with error.
692669 Browser may display a message, A webpage is slowing down your browser, while checking
revision difference.
693622 There may be inconsistent behavior between FortiGate and FortiManager when changing
port speeds for FortiGate-3600E or FortiGate-3601E.
696576 Explicit FTP proxy available certificates are not consistent with the ones available in the
FortiGate.
696848 Users may not be able to retrieve configuration or import policy from managed devices with
dvmcore constantly crashing.
697535 Device Manager should not allow user to add ssl.root to a zone.
697746 FortiManager needs to support adding FortiAnalyzer with serial number that has prefix,
FAVMXX, to FortiManager.
697924 When there are many devices, all managed FortiGates may show connection down state.
698625 FortiManager may not be able to view, add, or edit software switch members.
699031 FortiManager may display duplicated devices when Display Device/Group tree view is
enabled in Workflow mode.
699450 SD-WAN monitor is showing historical Traffic for interface which is down in defined Time
period.
701446 SD-WAN monitor takes several minutes to display map if device tunnel is flapping.
702555 FortiManager may lose device admin user and geo-location information during on board
process with model device.
702590 The system template may stop being displayed on the Devices & Groups page.
704789 SD-WAN monitor is missing Health Check Status information and probes.
706194 When editing a model device and assigning a Policy Package, clicking the OK button may
not take effect.
708937 FortiManager may randomly update the geographical coordinates of a FortiGate device.
709302 SD-WAN monitor search function on the table view does not actually search but highlight.
710616 FortiManager may not be able to set HTTPS or SSH Port to a value higher than 63335 under
Provisioning Templates.
711034 There may be issues to display meta data fields when creating or editing a device group.
713267 Searching for FortiGate name when editing a device group should display FortiGate device
name with all the VDOMs.
Bug ID Description
554251 A user may not be able to see the fabric topology of devices in the user's assigned ADOM.
FortiSwitch Manager
Bug ID Description
676739 It may not be possible to delete VLAN interfaces created by FortiSwitch Manager.
690995 FortiSwitch Manager should not install the auto-detected setting to FortiGate.
700136 In FortiSwitch Manager, the Map to Normalized interface menu always displays none when
editing a VLAN.
706953 Maximum one device entry can be found in device information column under FortiSwitch port.
707909 Template may be removed and Fortilink interface and comments fields may be empty.
708901 The assigned FortiSwitch template name that has more than sixteen characters may fail
ADOM integrity check.
713492 In the per-device mapping of the VLANs in FortiSwitch Manager, the "Specify" for the gateway
is not saved in the database.
713553 FortiSwitch Template flow counter interval value variance between 6.0 and 6.2 ADOMs.
Global ADOM
Bug ID Description
662216 Where Used in Global ADOM may not show object usage in ADOM.
689965 Replacement message type UTM is not being pushed from global ADOM to local ADOM.
Others
Bug ID Description
600490 SD-WAN controller cannot load page when changing HTTPS to non default 443.
667442 FortiManager may not be able to connect to FortiGate CLI via SSH widget or execute TCL
scripts.
673383 Should not allow installation of v6.0 policy package to v6.4 device.
681625 The svc cdb reader process may crash during upgrade of ADOM.
681707 The diagnose cdb upgrade check +all command may unset defmap-intf.
686460 ADOM integrity check may run slowly and it takes several minutes to respond for each
ADOM.
687155 FortiManager should improve the error message for running CLI Template.
690969 The dmworker process may consume high memory and CPU resources with failures due to
busy handler.
695549 _created timestamp is missing in REST API return data for policy.
697132 In some occasions, FortiManager is not accessible until device is rebooted every couple of
days.
704545 When there are a lot of workflow sessions and users try to disable the workflow mode via GUI,
FortiManager may stop responding.
706516 Securityconsole may crash when there are quotes around group name.
715601 Under some conditions, disk usage may reach 100% after a few days.
Bug ID Description
487186 FortiManager may install a different local category ID to FortiGate causing conflict with
custom URL rating list.
587634 FortiManager may not be able to create new wildcard FQDN type address to FortiGate 6.2.
593072 After a non-Super User deletes a device, super_user admin cannot edit zone or interface with
the deleted device's dynamic mappings.
630431 Some application and filter overrides are not displayed on GUI.
654172 There may be webfilter local category ID mismatch between FortiManager and FortiGate
causing incorrect action when using Custom URL List.
672035 There may be an error when importing AWS credential from FortiGate to FortiManager.
673554 FortiManager should not allow policy to set destination address with a Virtual Server when
inspection-mode is set as flow.
683167 Policy Package single entry change may impact all Policy Package Installation Targets status.
684081 Policy Check and Find Unused Policies may not work for FortiGate in Policy-Based mode.
684728 FortiManager and FortiGate should have equivalent filter list entries.
686902 FortiManager may not be able to configure ipv4-split-exclude attribute via CLI Object.
687460 The same filter may behave differently between source address and destination address.
687784 FortiManager may not be able to add rule with ISDB object when a rule is created with add
above or below option.
688589 Setting the Local Webfilter Category Action to Allow should not disable the action when
installed on FortiGate.
690269 Newly imported Cisco ACI connector object does not appear for selection until browser is
refreshed.
690509 FortiManager may fail to install ACI-Direct connector to FortiGate due to server-list
command.
692114 Where Used returns no record found when IPS Custom Signature is being used.
693763 Saving address object may return error: firewall/address/organization : The data is invalid for
selected url.
Bug ID Description
694605 FortiManager may not be able to push the entire Azure SDN Connector configuration.
696072 FortiManager GUI should allow users to configure HTTPS health check monitor including
fields such as http-match and http-get in the monitor.
701290 FortiManager should not allow users to create a wildcard FQDN address object with non-
wildcard FQDN.
702138 NGFW security policy Application category Unknown applications is missing on FortiManager
while it is present on FortiGate.
702621 When adding a remote usergroup with LDAP service unreachable, the Manually specify
option is only available after a timeout.
703639 Installing a policy package for a device using CLI template may stall.
704637 Firewall policy and VIPs may get deleted on policy package installation.
705025 Find Unused Policies may report incorrect session data for security policy.
706126 The Find Unused Policies option may be missing in dual pane mode.
707953 IPS sensor may incorrectly set action to pass instead of block when quarantine is set.
708877 FortiManager 6.0 ADOM should not allow users to set ISDB objects that are not supported on
FortiOS 6.0.
709435 FortiManager may not be able to import existing Azure SDN Connector from FortiGate.
711121 Enabling FortiGuard Outbreak Prevention database does not match FortiGate's behavior.
712150 Search in Address may not work after upgrading FortiManager to 6.4.5.
712900 When new folders are created and the default policy package is deleted, then the new policy
package cannot be created.
713216 When policy package is large, there is slowness loading policy package, installing policy
package, or viewing sessions revision diff in workflow mode.
719104 FortiManager may not be able to select Internet Service group members when creating
Internet Service group.
Revision History
Bug ID Description
623159 Zone validation in Re-Install Policy is not saving the user choice and deleting all related
policies.
638060 Installing an existing revision or renaming a revision should be allowed in backup ADOM.
657344 Installing from 6.0 ADOM may try to unset inspection-mode and unset ssl-ssh-profile on
FortiGate 6.2.
667148 When a policy install is performed, Install preview shows a lot of firewall policies with metafield
changes without any actual change having been made.
673101 When set cfg-save manual is configured, FortiManager may try to delete objects that do not
exist in the FortiGate configuration.
677659 FortiManager may fail to retrieve device configuration on web category with log threat-weight.
679139 When a policy package is shared between many firewalls, web rating override purge may fail
in some scenarios.
683728 Installation fails due to VIP mapped IP range error when installing v6.2 policy package to v6.4
device.
686036 FortiManager may remove allow access configurations for secondary IP when a policy
package is installed.
688474 FortiManager may fail to retrieve FortiGate configuration when adding device due to invalid
data source with wtp-profile.
689270 The following attributes under configs vpn ssl setting may have invalid range: login-attempt-
limit, login-block-time, http-request-header-timeout, http-request-body-timeout and router bgp
keep-alive-timer.
691240 FortiManager should not unset the value forward-error-correction with certain FortiGate
platforms.
691835 FortiManager should be able to move one VLAN to a different zone without deleting many
rules or zones.
693225 FortiManager may install unset inspection-mode to FortiGate 6.2 device in 6.0 ADOM.
693231 FortiManager tries to purge webfilter ftgd-local-rating when directly referenced in URL
Category of a policy.
694380 Installation may fail when set whitelist enable in ssl-ssh-profile is pushed to
FortiGate 6.2 from a 6.0 ADOM.
698350 Install may fail with error: [VPN manager ] failed to update vpn node with device info.
701870 Process may stall at 85% when pushing multiple policy packages from Global ADOM.
714173 Policy package installation from 6.2 ADOM changes cert-validation-timeout default
value to block.
715313 FortiManager may not enable the option FortiGuard Category Based Filter after FortiManager
is synchronized with FortiGate.
Script
Bug ID Description
668947 Changes using CLI Script may not be applied to devices in the container or folder.
671998 TCL scripts may not work when ssh-kex-sha1 and ssh-mac-weak are not enabled on
FortiGate.
702576 Objects may not be present on the corresponding device configuration after running a script to
rename objects.
715305 When changing system setting opmode from nat to transparent via a script, FortiManager
may return failure to commit to database stating that there is no interface.
715623 Running a script on device database may not update Save status.
Services
Bug ID Description
680857 FortiExtender, FortiAP, or FortiSwitch upgrades can fail due to custom image being deleted
during or after a failed upgrade.
691738 FortiManager may not be able to connect to FDS server via IPv6 proxy.
695685 FortiGate HA firmware upgrade may fail when both HA units need disk check.
699768 FortiManager should add 06002000NIDS02504 extend IPS database to default download list.
701341 FortiGuard Firmware Images may not show up-to-date FortiOS versions.
714596 For web filter query, FortiManager should support category 9 mapping data.
714787 FortiManager should have a diagnose command to force web filtering database merge.
System Settings
Bug ID Description
598194 FortiManager two-factor authentication admin login is missing the option for FTK Mobile push
notification authentication.
625683 Changes made by ADOM upgrade may not update Last Modified date/time and user admin.
635181 FortiManager is unable to delete mail server with error message used displayed.
637377 If Manage Device Configurations is none in admin profile, user may not be able to see the
interface in the policy.
667284 FortiManager should have better log message when aborting device upgrade.
677528 Address object search may not display the address group which contains the searched object
within the group.
684907 Changing of FortiGuard Server Location in License Information Dashboard may not take any
effect.
686569 Creating and deleting the static route may remove specific connected route.
689917 If a policy is configured with a Proxy Options profile with HTTP Policy Redirect enabled, the
ADOM upgrade should enable the related option set http-policy-redirect enable
to preserve the HTTP redirect feature.
690921 ADOM upgrade from 6.0 to 6.2 should not add custom ssl-ssh-profile to policies which were
not configured for SSL inspection.
695058 RADIUS response packets should not time out in less than the remoteauthtimeout setting.
695360 ADOM upgrade may be slow and it may take several minutes to start.
697082 Schedule SCP backup may fail due to incorrect default port number.
699185 If Management Extension Applications (MEA) are enabled, all system settings may be lost
after upgrading FortiManager.
699253 Admin profile should not need system level access to view list of time zones in Device
Manager.
700142 FortiManager should allow user to configure more than eight hosts per SNMP community.
704504 License Information may keep loading for admin user with FortiGuard and System Settings
with read-write permissions.
705185 ADOM upgrade may cause per device mapping of VLANs in FortiSwitch Manager change to
0.
705762 Session can be approved twice by different users of the same approval group.
708939 Dashboard is showing incorrect GB per day and device quota information when FortiManager
is enabled.
711446 Copy may fail due to invalid protocol options when both FortiGate and ADOM are upgraded to
v6.2.
713233 FortiManager may fail to upgrade firmware resulting in cdbupgrade task error on console and
process crashes.
714210 LDAP admin group search should be done with the service or administrator bind account.
714635 FortiManager backup file size may increase gradually when the IPS package gets updated.
VPN Manager
Bug ID Description
681110 VPN manager may not push any configuration on ADOM 6.0 for dial up VPN on FortiGate.
695879 Edit community may not be able to set VPN zone to off via GUI.
697308 VPN Manager is setting dst-name to all when using dst-name object group address in
protected subnet.
704614 FortiManager may not be able to push policy package due to VPN related error.
The following issues have been identified in 6.4.6. For inquiries about a particular bug or to report a bug, please contact
Customer Service & Support.
AP Manager
Bug ID Description
633171 There may be DFS Channel mismatch between FortiManager and FortiGate for FAP-223E.
673020 Creating SSID interface with central AP Manager automatically generates normalized
interface name that has no default mapping configuration.
701487 FortiManager may not be able to assign AP profile after upgrading firmware.
Device Manager
Bug ID Description
545239 After adding FortiAnalyzer fabric ADOM to FortiManager, Device Manager's Log Status, Log
Rate, or Device Storage column cannot get data from FortiAnalyzer.
563690 Device Manager fails to add FortiAnalyzer which contains a FortiGate HA device with error:
Serial number does not match database.
596711 FortiManager CLI Configuration shows incorrect default wildcard value for router access-list.
610568 FortiManager may not follow the order in CLI Script template.
615044 Configuration status may appear modified after adding FortiGate to FortiManager.
660491 Device Manager system interface should not allow duplicated secondary IP address.
670577 When creating an API admin from CLI Configuration, the Trusted Host section is missing.
673548 FortiManager may not be able to make changes to the FortiGate interface settings when the
interface type is Software Switch.
674904 FortiManager may not be able to import a policy with interface binding contradiction on srcintf
error.
701348 Once a VRRP instance is created, user should be able to edit or delete it.
702906 DHCP Relay Service may not be deleted when it is configured on VLAN interface.
709214 System template should allow source interface to be selected when specify is activated as
interface-select-method.
725717 The mcast-session-counting command causes the install to fail after upgrading to 6.4.6.
728117 Install fails after upgrading FortiManager to 6.4.6 due to set pri-type-max 1000000.
Workaround: Perform a Retrieve and then re-attempt the Install.
Global ADOM
Bug ID Description
667197 User should not be able to delete global object when ADOM is not locked.
680798 FortiManager may return error, Could not read zone validation results, when assigning global
ADOM changes with Automatically Install Policies to ADOM Devices.
693510 Display Options for Object Config will reset to default after some time.
Others
Bug ID Description
657997 Assigning device to system template may not work via JSON when FortiManager is in
Workspace mode.
727458 FortiManager 6.4.6 does not allow access to all VDOMs if Workspace mode is disabled while
a lock is still active.
Bug ID Description
584288 FortiManager may not be able to load configuration of virtual server on policy page.
636537 CLI Only Objects > user > peergrp is not able to delete peergrp.
642708 View Mode may unexpectedly change from Interface Pair View to By Sequence mode.
652753 When an obsolete internet service is selected, FortiManager may show entry IDs instead of
names.
655601 FortiManager may be slow to add or remove a URL entry on web filter with a large list.
659296 FortiManager may take a lot of time to update web filter URL filter list.
663109 FortiManager should not allow users to select a profile group in a flow-based policy that uses
a proxy-based feature.
666258 User should not be able to create a firewall policy with an Internet service with Destination
direction in Source by using drag and drop.
679282 Editing a global object in an ADOM is not possible and generates the error: undefined is not iterable.
686911 Workflow session may not be able to compare with error: Can not compare because of invalid
Revision Diff data.
688586 Exporting Policy Package to CSV shows certificate-inspection in the ssl-ssh-profile column
even when the profile is not in use.
689589 Internet Services may not match between FortiManager and FortiGate.
716114 FortiManager should push changes in ssl-ssh-profile with Untrusted SSL Certificates
setting reverted from Block to Allow.
719774 IP reputation for the policies is not working without source or destination.
Revision History
Bug ID Description
606737 User may not be able to install policy package due to change with external interface with VIP
settings.
Services
Bug ID Description
System Settings
Bug ID Description
579964 FMGVM64-Cloud needs to provide GUI support for ADOM upgrade in system information
dashboard.
690926 FortiManager is removing SD-WAN field description upon ADOM upgrading from 6.2 to 6.4.
VPN Manager
Bug ID Description
699759 When installing a policy package, per-device mapped object used in SSL VPN cannot be
installed.
712633 VPN Manager pushes default dpd-retrycount and dpd-retryinterval, but it cannot
display them.
In order for the FortiManager to request and retrieve updates from FDS, and for FortiManager to serve as a FDS, please
configure the necessary settings on all devices between FortiManager and FDS, or between FortiManager and
FortiGate devices based on the items listed below:
• FortiManager accesses FDS for antivirus and attack updates through TCP/SSL port 443.
• If there is a proxy server between FortiManager and FDS, FortiManager uses port 80 to communicate with the proxy
server by default and connects to the proxy server using HTTP protocol.
• If FortiManager manages a FortiGate device located behind a proxy server, the proxy server permits TCP/SSL
traffic to pass through via port 443.
You can configure FortiManager as a local FDS to provide FortiGuard updates to other Fortinet devices and agents on
your network. The following table lists which updates are available per platform/version:
FortiClient (Windows) ✓ ✓ ✓ ✓
FortiClient (Mac OS X) ✓ ✓
FortiMail ✓
FortiSandbox ✓
FortiWeb ✓
To enable FortiGuard Center updates for FortiMail version 4.2 enter the following CLI
command:
config fmupdate support-pre-fgt-43
set status enable
end
This section identifies the supported number of ADOMs for FortiManager hardware models and virtual machines.
Hardware models
The following table identifies the default number of ADOMs supported for FortiManager hardware models G series and
later. It also identifies the hardware models that support the ADOM subscription license and the maximum number of
ADOMs supported.
For FortiManager F series and earlier, the maximum number of ADOMs is equal to the maximum devices/VDOMs as
described in the FortiManager Data Sheet.
Virtual Machines
FortiManager VM subscription license includes five (5) ADOMs. Licenses are non-stackable. Additional ADOMs can be
purchased with an ADOM subscription license.
For FortiManager VM perpetual license, the maximum number of ADOMs is equal to the maximum number of
Devices/VDOMs listed in the FortiManager Data Sheet.