Created on 11-12-2022 11:56 PM Edited on 12-20-2023 09:08 PM By Anthony_E
Description
This article describes three issues that may arise after a firmware upgrade from FortiOS 6.4.9 or later directly to 7.0.8.
The upgrade path from FortiOS 6.4.9 and higher to 7.0.8 is a direct hop; however, a known issue in that path leaves an invalid entry in the EMS Fabric Connector table, with the consequences described below.
Scope
Firmware upgrade from FortiOS 6.4.9+ directly to 7.0.8 when no FortiClient EMS Fabric Connector is configured and the FortiGate is deployed in an HA cluster (A-P or A-A).
Solution
Starting with FortiOS 7.0.8 and 7.2.1, the EMS Fabric Connector uses a new syntax to support EMS multi-tenancy. The upgrade therefore creates five EMS connector entries (IDs 1 to 5), as described under bug ID 799987 in the release notes (see Related documents):
Related documents:
When there is no EMS Fabric Connector configured in FortiOS 6.4.9, 6.4.10, or 6.4.11 and the upgrade is performed directly to 7.0.8, the first entry is instead created with the invalid index ID 0:
config endpoint-control fctems
edit 0
set https-port 0
set pull-sysinfo disable
set pull-vulnerabilities disable
set pull-avatars disable
set pull-tags disable
set pull-malware-hash disable
set call-timeout 0
set out-of-sync-threshold 0
next
edit 2
next
edit 3
next
edit 4
next
edit 5
next
end
This can cause the following three issues:
1. HA cluster out of sync. Because the index value 0 is invalid, this entry is not synchronized to the secondary (auxiliary) node, so the cluster reports out-of-sync. If a node is rebooted, the invalid entry is cleared from the rebooted unit, leaving a configuration mismatch between the nodes that shows up as a checksum difference for the key-value endpoint-control.fctems.
2. GUI. The first EMS Connector entry in the GUI is mapped to the invalid ID 0, so saving the configuration of an on-premises or cloud EMS instance from the GUI fails. Entries 2 to 5 can still be configured from the CLI, but they appear empty when opened in the GUI.
3. FortiManager. A policy package install fails after the upgrade: the table allows at most 5 entries, and because ID 0 already occupies one of them, the entry with index 1 pushed by FortiManager would become a 6th entry.
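To check a configuration backup (or the `show endpoint-control fctems` output collected from each HA member) for the state described above, here is an added Python example; it is not part of the original article and not a Fortinet tool. It parses the `config endpoint-control fctems` block, flags any index outside 1 to 5, reports when index 0 occupies a slot so that a FortiManager push of index 1 would exceed the five-entry limit, and diffs the table between two nodes to expose the HA mismatch. The sample configuration is the block quoted above wrapped in a constructed backup fragment; the hostname is a placeholder.

```python
"""Audit the `config endpoint-control fctems` table in FortiOS config backups for
the invalid index 0 left by a direct 6.4.9+ -> 7.0.8 upgrade, and diff two HA members."""
import re
from dataclasses import dataclass, field

# Per the article: the table holds at most five entries and 7.0.8 pre-creates
# IDs 1..5; index 0 is never valid.
MAX_FCTEMS_ENTRIES = 5
VALID_IDS = set(range(1, MAX_FCTEMS_ENTRIES + 1))


@dataclass
class FctemsEntry:
    id: int
    settings: dict = field(default_factory=dict)


def parse_fctems(config_text):
    """Return the entries of `config endpoint-control fctems` in file order."""
    entries, current, depth, in_block = [], None, 0, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not in_block:
            in_block = line == "config endpoint-control fctems"
            continue
        if line.startswith("config "):       # nested sub-block inside an entry
            depth += 1
        elif line == "end":
            if depth == 0:
                break                        # closing `end` of the fctems table
            depth -= 1
        elif depth:
            continue                         # skip nested sub-block contents
        elif (m := re.fullmatch(r"edit\s+(\d+)", line)):
            current = FctemsEntry(int(m.group(1)))
            entries.append(current)
        elif line == "next":
            current = None
        elif current is not None and (m := re.fullmatch(r"set\s+(\S+)\s+(.*)", line)):
            current.settings[m.group(1)] = m.group(2)
    return entries


def audit_fctems(entries):
    """Return findings as strings; an empty list means the table is clean."""
    ids = [e.id for e in entries]
    findings = [f"invalid fctems index {bad}: not synchronized to the HA peer and "
                f"mapped to the first GUI connector entry"
                for bad in sorted(set(ids) - VALID_IDS)]
    if 0 in ids and 1 not in ids and len(ids) >= MAX_FCTEMS_ENTRIES:
        findings.append(f"{len(ids)} entries with index 0 occupying a slot: a "
                        f"FortiManager push of index 1 would be entry #{len(ids) + 1} "
                        f"and the policy package install would fail")
    return findings


def compare_ha_nodes(primary_text, secondary_text):
    """Return fctems indexes present on exactly one node (empty set == in sync)."""
    primary = {e.id for e in parse_fctems(primary_text)}
    secondary = {e.id for e in parse_fctems(secondary_text)}
    return primary ^ secondary


# Constructed sample: the fctems block quoted in the article, preceded by an
# unrelated table to show the parser ignores other blocks (hostname is a placeholder).
PRIMARY_CONFIG = """\
config system global
    set hostname "FGT-PRIMARY"
end
config endpoint-control fctems
    edit 0
        set https-port 0
        set pull-sysinfo disable
        set pull-vulnerabilities disable
        set pull-avatars disable
        set pull-tags disable
        set pull-malware-hash disable
        set call-timeout 0
        set out-of-sync-threshold 0
    next
    edit 2
    next
    edit 3
    next
    edit 4
    next
    edit 5
    next
end
"""
# Constructed: the same table on the peer after a reboot cleared entry 0.
REBOOTED_CONFIG = re.sub(r"    edit 0\n(?:        set .*\n)*    next\n", "", PRIMARY_CONFIG)
# Constructed: what a clean 7.0.8 table looks like (IDs 1..5).
HEALTHY_CONFIG = PRIMARY_CONFIG.replace("edit 0", "edit 1")

if __name__ == "__main__":
    for finding in audit_fctems(parse_fctems(PRIMARY_CONFIG)):
        print("FINDING:", finding)
    print("indexes differing between HA nodes:", compare_ha_nodes(PRIMARY_CONFIG, REBOOTED_CONFIG))
```

Run it against the backup of each cluster member before and after the upgrade: a non-empty result from `compare_ha_nodes` is the same mismatch the HA checksum for endpoint-control.fctems reports, and the second finding from `audit_fctems` is the condition under which a FortiManager install fails.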
Workaround
FortiOS:
FortiManager:
The issue is addressed and resolved in the below firmware versions:
Copyright 2024 Fortinet, Inc. All Rights Reserved.