New FMG implementation
We currently have several FortiGates running v6.0.4 and a FAZ also running v6.0.4. We are going to implement an FMG and are looking for community experience/recommendations on two options: upgrade the FAZ to v6.0.6 and install the FMG at v6.0.6, or upgrade the FAZ to v6.2.1 and install the FMG at v6.2.1.
We do not intend to upgrade the FortiGates beyond the v6.0 firmware this year. We would wait until at least patch 3 or 4 in the v6.2 train. We do intend to use the FMG to manage the device configurations.
Reading through the release notes for both firmware versions raises some concerns:

FortiManager v6.0.6 Known Issues
540347 FortiManager has no option available to configure VLAN IDs under VLAN Pooling.
549001 Installation error after changing inspection mode from Proxy to Flow.
549113 In case FortiGate is in NGFW policy-based mode, URL or Application control profiles should not be visible on FortiManager.
550513 User cannot change IPSec Phase1 on an existing IPSec Phase2 interface.
553704 Find Duplicate Objects may get stuck loading.
553860 FortiManager should have public IP for remote-gw under IPSec Phase1 interface.
553985 FortiManager incorrectly sets security-external-web when external authentication is selected.
554001 Configuration may modify FQDN addresses after FortiManager and FortiGate are both upgraded to version 6.0.5.
554092 FortiManager is unable to use interface member of a zone as Source Interface filter for VIP object.
554946 Sub-admin clicks View on where Used may lead to disappearance of dual panel.
555730 Install may fail if zone member is used in a Multicast policy.
556192 FortiManager may fail to run execute fips kat all and diagnose system fips kat-error commands.
556368 FortiManager may show Device objects from another ADOM.

FortiManager v6.2.1 Known Issues
546246 Restore ADOM revision does not restore removed installation targets.
547854 FortiManager cannot manage shaping profiles with the same name from multiple FortiGate.
548976 Unauthorized device alert directs to a page showing duplicate devices.
549113 In the case that FortiGate is in NGFW policy-based mode, URL/Application control profiles should not be visible on FortiManager side.
549384 FortiManager cannot show any query when FortiGate has CSF enabled but the CSF group is not established on FortiManager.
549504 Wildcard remote admin cannot run schedule install.
549566 Device Manager does not show a FortiGate in a CSF group when the FortiGate is connected to the root FortiGate's FG-Traffic VDOM.
549818 FortiManager cannot display external resource setting on consolidated policy list.
549824 Consolidated policy page is missing external resource as data source.
550344 FortiManager is unable to import firewall policy due to invalid FQDN error.
551231 Under per-device management, editing a SD-WAN rule generates duplicate entry.
552403 FortiManager does not reflect the negation of either source or destination fields.
556967 Re-Install policy may hang when a Security Fabric cluster is selected.
561008 Second IP in central-management may be removed by master FortiManager on re-connection.
564400 ADOM upgrade may show the error "firewall ssl-ssh-profile ssl-exempt wildcard-fqdn. detail: table limit".
564959 Creating a new neighbor should only list not-configured neighbors.
565138 Installation to FortiGate failed for passphrase and password when private-data-encryption was enabled.
565636 The global address, gall, may trigger FortiManager to display validation error.
568955 Installation may fail for consolidated policy after changed package to profile mode.
568988 Users may not be able to create access-list entries with IPv6 format based subnet mask or wild card.
post edited by Admin_FTNT - 2019/08/28 00:05:51