New FMG implementation

Author
OneOfUs
Bronze Member
  • Total Posts : 30
  • Scores: 4
  • Reward points: 0
  • Joined: 2019/07/16 06:32:59
  • Status: offline
2019/08/27 13:02:28 (permalink)
0

New FMG implementation

We currently have several Fortigates running v6.0.4 and a FAZ also running v6.0.4. We are going to implement a FMG and are looking for community experience/recommendations: upgrade FAZ to v6.0.6 and install FMG at v6.0.6, or upgrade FAZ to v6.2.1 and install FMG at v6.2.1.
 
We do not intend to upgrade the Fortigates beyond the v6.0 firmware this year.  We would wait until at least patch 3 or 4 in the v6.2 train.  We do intend to use the FMG to manage the device configurations.
 
Reading through the release notes on both firmware versions raises some concerns:
FortiManager v6.0.6 Known Issues
540347 FortiManager has no option available to configure VLAN IDs under VLAN Pooling. 
549001 Installation error after changing inspection mode from Proxy to Flow. 
549113 In case FortiGate is in NGFW policy-based mode, URL or Application control profiles should not be visible on FortiManager. 
550513 User cannot change IPSec Phase1 on an existing IPSec Phase2 interface. 
553704 Find Duplicate Objects may get stuck loading. 
553860 FortiManager should have public IP for remote-gw under IPSec Phase1 interface. 
553985 FortiManager incorrectly sets security-external-web when external authentication is selected. 
554001 Configuration may modify FQDN addresses after FortiManager and FortiGate are both upgraded to version 6.0.5.
554092 FortiManager is unable to use interface member of a zone as Source Interface filter for VIP object.
554946 Sub-admin clicks View on where Used may lead to disappearance of dual panel. 
555730 Install may fail if zone member is used in a Multicast policy. 
556192 FortiManager may fail to run execute fips kat all and diagnose system fips kat-error commands. 
556368 FortiManager may show Device objects from another ADOM.

FortiManager v6.2.1 Known Issues
546246 Restore ADOM revision does not restore removed installation targets. 
547854 FortiManager cannot manage shaping profiles with the same name from multiple FortiGate. 
548976 Unauthorized device alert directs to a page showing duplicate devices. 
549113 In the case that FortiGate is in NGFW policy-based mode, URL/Application control profiles should not be visible on FortiManager side. 
549384 FortiManager cannot show any query when FortiGate has CSF enabled but the CSF group is not established on FortiManager. 
549504 Wildcard remote admin cannot run schedule install. 
549566 Device Manager does not show a FortiGate in a CSF group when the FortiGate is connected to the root FortiGate's FG-Traffic VDOM. 
549818 FortiManager cannot display external resource setting on consolidated policy list. 
549824 Consolidated policy page is missing external resource as data source. 
550344 FortiManager is unable to import firewall policy due to invalid FQDN error. 
551231 Under per-device management, editing a SD-WAN rule generates duplicate entry.
552403 FortiManager does not reflect the negation of either source or destination fields.
556967 Re-Install policy may hang when a Security Fabric cluster is selected. 
561008 Second IP in central-management may be removed by master FortiManager on re-connection.
564400 ADOM upgrade may show the error "firewall ssl-ssh-profile ssl-exempt wildcard-fqdn. detail: table limit".
564959 Creating a new neighbor should only list not-configured neighbors.
565138 Installation to FortiGate failed for passphrase and password when private-data-encryption was enabled.
565636 The global address, gall, may trigger FortiManager to display validation error.
568955 Installation may fail for consolidated policy after changed package to profile mode.
568988 Users may not be able to create access-list entries with IPv6 format based subnet mask or wild card.
 
 
post edited by Admin_FTNT - 2019/08/28 00:05:51
#1
OneOfUs
Bronze Member
  • Total Posts : 30
  • Scores: 4
  • Reward points: 0
  • Joined: 2019/07/16 06:32:59
  • Status: offline
Re: New FMG implementation 2019/09/05 06:29:39 (permalink)
0
We decided to go with v6.0.6. I opened a ticket with support and got a response on some of the bugs I was most concerned with. Nothing appears to be a show stopper; I thought I would share the info in case someone comes across one of these in their deployments:
 
******************************************** 
******************************************** 

549001 Installation error after changing inspection mode from Proxy to Flow. 

FortiManager 6.0.4 has ADOMs with FortiOS 5.2 devices in them; after upgrading the FortiGates to 5.6 and then upgrading some devices in the ADOM to 5.6, they start to see this issue.

ISSUE: Device settings appear correct for 5.2 and 5.6 VDOMs, but after changing inspection setting from (default) proxy to flow, three system settings that relate to proxy inspection are not disabled and cause installation error. 

WORKAROUND: Disabling these settings solves the installation problem. 

AFFECTED VERSIONS: Only if using ADOMs in FortiManager and your FortiGates are running 5.2 

[Reproduction Scenario] 
1) Install FMG 6.0.4 
2) Create a 5.2 version ADOM and install several 5.2 FortiGates 
3) Upgrade some of the FortiGates to 5.6 
4) Switch the VDOM inspection mode to flow 
5) Observe that installation fails 

[More Information] 
-- This affected the upgrade of a very large customer who also happened to be very far behind on updates, thus it was added as a feature request. 


******************************************** 
******************************************** 


550513 User cannot change IPSec Phase1 on an existing IPSec Phase2 interface. 
AFFECTED VERSIONS: Only two versions, FMG-VM 6.0.4 B0292 and special build 6.0.4 B8112, with ADOM v5.6: the user can't change IPsec phase1 on an existing IPsec phase2.

WORKAROUND: A CLI script on FMG 6.0.x can be used as a workaround.

[More Information] 
This was by design, to prevent placement of non-matching information into the IPSec configuration. One of the reasons is that there can be complications if a user changes, for example, an interface mode VPN-P2 with a tunnel mode VPN-P1. This is also the same reason why FortiOS does not allow the change of VPN-P1 in its GUI.

This was changed per customer request (very large customer). 


******************************************** 
******************************************** 


554092 FortiManager is unable to use interface member of a zone as Source Interface filter for VIP object. 

-- Create a zone called "zone1" with members "port1" and "port2" 
-- Try to use "port1" as srcintf-filter on the VIP object on FortiManager > not possible 
-- When checking this VIP on the FortiManager CLI Configurations on ADOM DB the srcintf-filter is blank and cannot select the zone member. 

[Workaround] 
Run the script against the ADOM DB and configure the srcintf-filter under dynamic mapping:

config firewall vip 
edit "VIP_name" 
config dynamic_mapping 
edit "FortiGate_name"-"VDOM_name" 
set extintf "any" 
set srcintf-filter port1 
set extip x.x.x.x 
set mappedip x.x.x.x 
end 
end 
end 

[Expected Behavior] 
FortiManager should follow FortiGate logic and allow using zone member for srcintf-filter under VIP 


******************************************** 
******************************************** 


556192 FortiManager may fail to run execute fips kat all and diagnose system fips kat-error commands. 

AFFECTED VERSION: FortiManager 1000D w/ FortiOS v6.0.5-B341 (no issue on prior FortiOS versions) 

[More Information] 
The KAT (known-answer test) is a self-test for the FIPS-approved operational mode; it is used to validate the output of a cryptographic operation for FIPS-approved algorithms against a known expected value.

The KAT test during boot process runs successfully, as it should on any FIPS-enabled device. 
The issue is that running the test manually from CLI in this particular release shows no output. 

******************************************** 
******************************************** 
#2
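To make the support explanation of the KAT concrete, here is a small known-answer self-test written for this thread. It is an added example, not FortiManager or FortiOS code, and does not show how the appliance implements its own test; it only demonstrates the idea: run each approved algorithm on a fixed input, compare the result with a published answer, and refuse to report success if any comparison fails or the algorithm raises. The expected values are the standard published vectors (the NIST "abc" message for SHA-1/SHA-256 and RFC 4231 test case 1 for HMAC-SHA-256); the function and class names are my own.

```python
"""Known-answer self-test (KAT) demo. Added example, not FortiManager code."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class KatVector:
    name: str
    compute: Callable[[], bytes]   # runs the algorithm on its fixed input
    expected_hex: str              # published known answer for that input


# Published vectors: NIST "abc" message for SHA-1 and SHA-256,
# RFC 4231 test case 1 (key = 0x0b * 20, data = "Hi There") for HMAC-SHA-256.
KAT_VECTORS: List[KatVector] = [
    KatVector("SHA-1",
              lambda: hashlib.sha1(b"abc").digest(),
              "a9993e364706816aba3e25717850c26c9cd0d89d"),
    KatVector("SHA-256",
              lambda: hashlib.sha256(b"abc").digest(),
              "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"),
    KatVector("HMAC-SHA-256",
              lambda: hmac.new(b"\x0b" * 20, b"Hi There", hashlib.sha256).digest(),
              "b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7"),
]


def run_kat(vectors: List[KatVector] = KAT_VECTORS) -> Dict[str, bool]:
    """Run every vector and return {algorithm name: passed}.

    An algorithm that raises counts as a failure, not as 'no result', so a
    broken or missing primitive cannot be mistaken for a passing one.
    """
    results: Dict[str, bool] = {}
    for v in vectors:
        try:
            actual = v.compute()
            results[v.name] = hmac.compare_digest(actual, bytes.fromhex(v.expected_hex))
        except Exception:
            results[v.name] = False
    return results


def kat_errors(vectors: List[KatVector] = KAT_VECTORS) -> List[str]:
    """Names of failing algorithms. An empty list is the only 'all clear'."""
    return [name for name, ok in run_kat(vectors).items() if not ok]


if __name__ == "__main__":
    for name, ok in run_kat().items():
        print(f"{name:14s} {'pass' if ok else 'FAIL'}")
    # Constructed tampered vector (wrong input, same expected answer) to show
    # that a mismatch is actually reported rather than silently ignored.
    tampered = [KatVector("SHA-256 (tampered)",
                          lambda: hashlib.sha256(b"abd").digest(),
                          KAT_VECTORS[1].expected_hex)]
    print("errors:", kat_errors(tampered))
```

Note the design choice that matches the support description: the test during boot either passes completely or the device must not enter FIPS mode, so the result worth acting on is the error list, not a per-algorithm printout. The manual CLI commands in the post (`execute fips kat all`, `diagnose system fips kat-error`) correspond to re-running `run_kat()` and reading `kat_errors()` after boot; the bug described is simply that the manual run printed nothing, not that the boot-time test failed.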
© 2019 APG vNext Commercial Version 5.5