Hi All
I am fairly new to FMG altogether, but I'm sitting my FCP-FMG7.4 soon, so figured I would install and play around with this version.
My (limited) experience so far has been riddled with issues simply with pushing out policy packages.
On FMG 7.4.2 (VM) installing a policy package to FGT 7.4.3 (VM), I ran into the bug where FortiManager attempts to delete the "edm-keyword" - bug ID 983219.
I couldn't find any work around on this, so downgraded FMG to 7.4.1.
This version came with another bug: under firewall ssl-ssh-profile -> quic, 7.4.1 only has two options (enable/disable), but 7.4.3 has three (inspect/bypass/block), so the policy package fails when validating devices - bug ID 938115.
Ultimately, I've installed 7.4.1 on my FGT and can finally install policy package but this version has a critical vulnerability, which is resolved in 7.4.3 by the looks.
What are my options? Am I missing something? Has anyone else come across any of this?
Seeing as the recommended version at the moment is 7.2.5, I'm assuming very few people have deployed these versions to prod.
Cheers!
Hi @ashm ,
error dot quic- inspect:-999 - invalid value - prop[quic]: binary option(inspect)
The install error you see on FMG v7.4.1 is because some of the object syntax is not supported by FGT v7.4.3. Generally it is due to an unsupported version combination between the two; please refer to the compatibility matrix below:
You should maintain FMG v7.4.2 with FGT v7.4.3, and rectify bug ID 983219; the workaround for now is to disable "Verify Installation" in System Settings > Advanced.
Nevertheless, the bugs are fixed and will be released in FMG v7.4.3 GA by this week, subject to change.
After you upgraded the FGT, did you do a import of the config in FMG ?
Yeah, which also failed.
"firewall policy",FAIL,"(name=1, oid=3100, reason=invalid value - prop[quic]: binary option(inspect))"
"firewall ssl-ssh-profile",FAIL,"(name=no-inspection, oid=3053, reason=invalid value - prop[quic]: binary option(inspect))"
I saw this with our new config too. The sync error with the edm-keyword was a validation-only fault; it didn't affect operation. In our case, re-retrieving the config from the unit resolved it, with FMG 7.4.2 and FGT 7.4.3.
Created on 05-06-2024 02:50 AM Edited on 05-06-2024 02:51 AM
Yeah, you're right, the policies still go through, but it puts the firewall in a conflict state where you have to retrieve the config to clear it.
In a mass deployment, I can see problems. As far as I'm aware, the only way to do this en masse is via the API.
I believe the other error I'm getting prevented me from being able to install the policy package, since it failed on the validation (before you click install). I can't verify that's the case at the moment, but I'm fairly certain.