FortiGate
CarlosColombini
Article Id 229696

Description


This article describes three issues that may arise after a firmware upgrade from FortiOS 6.4.9+ to 7.0.8.
The upgrade path from FortiOS 6.4.9 and higher to 7.0.8 is a direct hop; however, a known issue can cause the following behavior:

  1. HA goes out of sync because of a configuration mismatch under # config endpoint-control fctems.
  2. The FortiClient EMS Fabric Connector cannot be added.
  3. FortiManager policy package installation fails.


Scope


Firmware upgrade from FortiOS 6.4.9+ directly to 7.0.8 when no FortiClient EMS Fabric Connector is configured and the FortiGate is deployed in an HA cluster (A-P or A-A).


Solution


Starting with FortiOS 7.0.8 and 7.2.1, a new syntax is implemented for the EMS Fabric Connector to support EMS multi-tenancy. This creates 5 EMS connector entries (IDs 1 to 5), as described under Bug ID 799987 in the release notes linked below:


Related documents:

New features or enhancements

New features or enhancements


When no EMS Fabric Connector is configured in FortiOS 6.4.9, 6.4.10, or 6.4.11 and the upgrade is performed directly to 7.0.8, the following configuration is created with an invalid index ID 0:


config endpoint-control fctems
    edit 0
        set https-port 0
        set pull-sysinfo disable
        set pull-vulnerabilities disable
        set pull-avatars disable
        set pull-tags disable
        set pull-malware-hash disable
        set call-timeout 0
        set out-of-sync-threshold 0
    next
    edit 2
    next
    edit 3
    next
    edit 4
    next
    edit 5
    next
end


This may cause the issues listed below:


  1. HA cluster out-of-sync.

If one of the nodes is rebooted, the invalid entry is cleared out from the unit that has been rebooted.

This causes a configuration and checksum mismatch for the key-value endpoint-control.fctems.

Because the index value of '0' is invalid, this configuration is not synchronized to the auxiliary node, causing the cluster to be out-of-sync.


  2. Unable to add or configure the EMS Connector.

From the GUI, the first EMS Connector entry is incorrectly mapped to the invalid ID 0, which causes a failure when saving the configuration for either an on-premises or a cloud EMS instance.

Entries 2 to 5 can still be configured from the CLI; however, when edited from the GUI, those entries appear empty.


  3. FortiManager policy package fails to be installed.

After the upgrade, FortiManager also fails to install a policy package: the table holds a maximum of 5 entries, and because ID 0 already occupies one of them, the entry with index '1' pushed by the FortiManager policy package is seen as a 6th entry.
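As an added example that is not part of the article, the following Python check parses a FortiOS configuration backup, lists the entry IDs under config endpoint-control fctems, and flags the two conditions described above: an invalid index 0, and a table already at the 5-entry limit where a FortiManager push of 'edit 1' would land as a 6th entry. The sample configuration text is constructed to mirror the block shown above.

```python
import re

MAX_FCTEMS_ENTRIES = 5  # table limit stated in the article

# Constructed sample (not a real device dump): the fctems table FortiOS 7.0.8
# writes after a direct upgrade from 6.4.9+ with no EMS connector configured.
SAMPLE_CONFIG = """\
config endpoint-control fctems
    edit 0
        set https-port 0
    next
    edit 2
    next
    edit 3
    next
    edit 4
    next
    edit 5
    next
end
"""


def fctems_entry_ids(config_text):
    """Return the entry IDs found under 'config endpoint-control fctems'."""
    ids, in_block = [], False
    for line in config_text.splitlines():
        s = line.strip()
        if s == "config endpoint-control fctems":
            in_block = True
        elif in_block and s == "end":
            break  # end of the fctems table
        elif in_block:
            m = re.match(r"edit (\d+)$", s)
            if m:
                ids.append(int(m.group(1)))
    return ids


def check_fctems(config_text):
    """Return findings for the fctems table (an empty list means healthy)."""
    ids = fctems_entry_ids(config_text)
    findings = []
    if 0 in ids:
        findings.append("invalid fctems entry ID 0: HA sync and GUI EMS connector break")
    if 1 not in ids and len(ids) >= MAX_FCTEMS_ENTRIES:
        findings.append("table holds %d entries; a FortiManager 'edit 1' would be entry %d"
                        % (len(ids), len(ids) + 1))
    return findings
```

Run it against a full configuration backup from each cluster member to confirm both nodes show an identical, healthy table after the reboot described in the workaround.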


Workaround:

FortiOS:

  • If the devices have already been upgraded from 6.4.9+ to 7.0.8, a reboot of the FortiGates is required.
  • If the upgrade has not been applied yet, upgrade from FortiOS 6.4.9+ to 7.0.7 first, and then to 7.0.8.


FortiManager:

  • After the settings are corrected in FortiOS by rebooting the FortiGate units, retrieve the policy package and re-install it.

The issue is addressed and resolved in the following firmware versions:

  • version 7.0.10 or above.
  • version 7.2.4 or above.
  • version 7.4.0 or above.