Hi All
I am fairly new to FMG altogether, but I'm sitting my FCP-FMG7.4 soon, so figured I would install and play around with this version.
My (limited) experience so far has been riddled with issues simply with pushing out policy packages.
On FMG 7.4.2 (VM) installing a policy package to FGT 7.4.3 (VM), I ran into the bug where FortiManager attempts to delete the "edm-keyword" - bug ID 983219.
I couldn't find any work around on this, so downgraded FMG to 7.4.1.
This version came with another bug where under firewall ssl-ssh-profile -> quic only has two options in 7.4.1 (enable/disable) but in 7.4.3 it has (inspect/bypass/block), so policy package fails on validating devices - bug ID 938115
Ultimately, I've installed 7.4.1 on my FGT and can finally install policy package but this version has a critical vulnerability, which is resolved in 7.4.3 by the looks.
What are my options? Am I missing something? Has anyone else come across any of this?
Seeing as recommended version atm is 7.2.5, I'm assuming very few people have deployed these versions to prod.
Cheers!
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi @ashm ,
error dot quic- inspect:-999 - invalid value - prop[quic]: binary option(inspect)
Install error you see when on FMG v7.4.1 is because some of the object syntax are not supported FGT v7.4.3. Generally it is due to unsupported version between the two, please refer compatibility matrix below:
You should maintain FMG v7.4.2 with FGT v7.4.3, and rectify bug ID 983219, the workaround for now is to disable the "Verify Installation" in System Settings > Advanced.
Nevertheless, the bug are fixed and will release in FMG v7.4.3 GA by this week, subject to change
After you upgraded the FGT, did you do a import of the config in FMG ?
Yeah, which also failed.
"firewall policy",FAIL,"(name=1, oid=3100, reason=invalid value - prop[quic]: binary option(inspect))"
"firewall ssl-ssh-profile",FAIL,"(name=no-inspection, oid=3053, reason=invalid value - prop[quic]: binary option(inspect))"
I saw this with our new config too. The sync error with the edm-keyboard was a validation only fault, didn't effect operation. In our case re-retrieving the config from the unit resolved it, with FTM 7.4.2 and FGT 7.4.3.
Created on 05-06-2024 02:50 AM Edited on 05-06-2024 02:51 AM
Yeah, you're right, the policies still go through but puts the firewall in a conflict state where you have to retrieve config to clear.
In a mass deployment, I can see problems. As far as I'm aware, the only way to do this enmasse is via the API.
I believe the other error that I'm getting prevented from being able to install the policy package, since it failed on the validate (before you click install). I can't verify that's the case at the moment but I'm fairly certain.
Hi @ashm ,
error dot quic- inspect:-999 - invalid value - prop[quic]: binary option(inspect)
Install error you see when on FMG v7.4.1 is because some of the object syntax are not supported FGT v7.4.3. Generally it is due to unsupported version between the two, please refer compatibility matrix below:
You should maintain FMG v7.4.2 with FGT v7.4.3, and rectify bug ID 983219, the workaround for now is to disable the "Verify Installation" in System Settings > Advanced.
Nevertheless, the bug are fixed and will release in FMG v7.4.3 GA by this week, subject to change
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1688 | |
1087 | |
752 | |
446 | |
227 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.