sw2090
Honored Contributor

FortiManager v5.4.3 issues

Hi,

 

I am now currently maintaining 9 FortiGates with three different Hardware Models in FMG 5.4.3. FortiGates all run 5.4.3 too.

Policy Package and Dynamic Interfaces/Objects etc. work fine so far but there are issues mostly with the device config:

 

  • I cannot add a default route over the WLLB Interface in Manager. If I do it on the FGT, it does get synced into FMG but does not show the correct interface, for the WLLB Interface seems not to be available in this part of FMG.
  • FMG does change the order of URL Filter entries on its own! It keeps setting my wildcard block entry on top, which is very counterproductive since I want to allow a few sites (using an exempt rule) and then block the rest. This works fine on FGT without FMG. Alas it is untested here if that might be a v5.4.3 issue instead of an FMG one.
  • In one case the FMG totally screwed my priority/distance setup on static routes.
  • There are settings that are not available in the FMG Device Settings section. E.g. system->fortiguard shows only a part of what the same page gives you if you open it natively on the FGT.
  • If a FGT has PPPOE Interfaces set up then it is not possible to access the credentials etc. inside FMG. If you edit the Interface FMG only shows you role and mode and some more but no creds. Also FMG does not show you the IP of those Interfaces once they have dialled in and gotten one.
  • Editing VLAN Interfaces is practically useless on FMG because you can edit the interface but you cannot save your changes because it always wants to rewrite the VID (even if you didn't touch the VID at all), which is not allowed. This forces you to free the interface and delete it to then create a new one. This could however also be a v5.4.3 issue instead of an FMG one.
  • If you edit or add mappings of dynamic objects or interfaces inside the policy package it seems to get set to modified for ALL devices in FMG even though the added/modified mapping does not affect all of them (or even only one).
  • In Webfilter Rating Overrides FMG does only allow one category per object while the FGTs do allow more than one.
  • In some cases the SNMP Community which was in the initial config when the FGT was added to FMG disappeared upon addition of FMG or when the settings/Policy Pkg was deployed to it for the first time.

     

So far those are all the issues I remember atm. If I find more I'll report them here.

Cheers

Sebastian

--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

sw2090
Honored Contributor

  • In Webfilter Rating Overrides FMG does only allow one category per object while the FGTs do allow more than one
scao_FTNT

Hi Sebastian, many thanks for your feedback. We will review your comments/issues and provide some updates.

Thanks

Simon

sw2090
Honored Contributor

  • Editing VLAN Interfaces is practically useless on FMG because you can edit the interface but you cannot save your changes because it always wants to rewrite the VID (even if you didn't touch the VID at all), which is not allowed. This forces you to free the interface and delete it to then create a new one. This could however also be a v5.4.3 issue instead of an FMG one.

This issue is fixed with v5.4.3 Build 1187. Editing VLANs works now.

chall_FTNT

Yes, the VLAN issue fixed in FMG 5.4.3 was this one: Bug id 401234 Unable to enable/disable administrative service on VLAN interface

This actually affected any changes to VLAN interfaces. The bug was introduced in FMG 5.4.2. Error message: "runtime error -2: VLAN ID cannot be changed once a VLAN has been created."

Note: Bug id 401234 was not initially mentioned in the FMG 5.4.3 Release Notes because it shared the same fix as:

Bug id 400869 Copy VPN configure fails if using randomly generated pre-shared key

Chris Hall
Fortinet Technical Support