Carl_Wallmark
New Member
November 19, 2014
Solved

FortiOS 5.2.2 is out!

  • November 19, 2014
  • 28 replies
  • 56851 views


    Best answer by simonorch

    and still packet capture is hidden from the gui on the small boxes.

     

    Not a big deal as it's still available by typing the url manually, but it's irritating.


    tojoe
    New Member
    November 23, 2014

    I'm having severe issues with any 5.2.x on my 80C.

    Depending on whether I flash it or just run it without saving the image to flash it either hangs at "System is starting..." or crashes with "ehci_hcd 5035: fatal error".

     

    dfroe
    New Member
    November 23, 2014

    I can also confirm that FortiOS 5.2.2 image for FortiGate 80C is broken.

    Do not install it on a productive device, especially not on remotely located units, without further testing!

    When trying to boot the image, my device gets caught in an infinite boot loop.

     

    Press any key to display configuration menu...
    ......
    Reading boot image 1431271 bytes.
    ehci_hcd 5035: fatal error

     

    I had to revert back to 5.2.1 by using the backup image via bootloader, which required direct serial connection.

    I tried the upgrade process twice, ending up in the same fatal error boot loop each time.

    techevo
    New Member
    November 24, 2014

    dfroe wrote:

    I can also confirm that FortiOS 5.2.2 image for FortiGate 80C is broken.

    Do not install it on a productive device, especially not on remotely located units, without further testing!

    When trying to boot the image, my device gets caught in an infinite boot loop.

     

    Press any key to display configuration menu...
    ......
    Reading boot image 1431271 bytes.
    ehci_hcd 5035: fatal error

     

    I had to revert back to 5.2.1 by using the backup image via bootloader, which required direct serial connection.

    I tried the upgrade process twice, ending up in the same fatal error boot loop each time.

     

    I had the same problem with some 80C in 5.2.1. Some would work and some not. I believe it depends on the specific hardware revision. The funny thing is it was reported to Fortinet and they told me they were aware of the issue (bug id: 245139) and it would be fixed in 5.2.2! I wonder if the ones that did not work in 5.2.1 are now working and the ones that used to work are now broken?

    dfroe
    New Member
    November 24, 2014

    techevo wrote:
    I had the same problem with some 80C in 5.2.1. Some would work and some not. I believe it depends on the specific hardware revision. The funny thing is it was reported to Fortinet and they told me they were aware of the issue (bug id: 245139) and it would be fixed in 5.2.2! I wonder if the ones that did not work in 5.2.1 are now working and the ones that used to work are now broken?

    Surprisingly I myself had no problems at all upgrading my 80C to 5.2.0 or 5.2.1.

    The update from 5.2.1 to 5.2.2 is the first time I encounter this issue.

     

    So it seems not to be a general problem with the image file.

    Instead the problem occurs "under certain conditions".

    According to this former thread, this particular error also occurred with 5.0:

    https://forum.fortinet.com/tm.aspx?m=95861

    This sounds like upgrading via TFTP instead of Web-GUI might work but I haven't tested it yet.

    arshadm
    New Member
    November 24, 2014

    How can I get hold of a release note document?

    techevo
    New Member
    November 24, 2014

    arshadm wrote:

    How can I get hold of a release note document?

    It's in the same folder as where you get the firmware (under download when you sign in with your user and password on the Fortinet support site). Look for a PDF in the main folder of release 5.2.2.

    Petras
    New Member
    November 26, 2014

    Hey,

     

    So what about:

    "Bug ID 0255603 Remove the default profile in deep-inspection-option /ssl-ssh-profile if it is not used. Otherwise, it will be renamed to deep-inspection-5-0. "

     

    We use default ssl inspection profile in some fw policies (FGT 800c). What will be the impact of this? How do I need to prepare for upgrade?

    BWiebe
    New Member
    November 26, 2014

    Petras wrote:

    Hey,

     

    So what about:

    "Bug ID 0255603 Remove the default profile in deep-inspection-option /ssl-ssh-profile if it is not used. Otherwise, it will be renamed to deep-inspection-5-0. "

     

    We use default ssl inspection profile in some fw policies (FGT 800c). What will be the impact of this? How do I need to prepare for upgrade?

    From the bug notes above, it sounds like it only removes it if it's not in use.  If you're using it, it just renames it to deep-inspection-5-0.

     

     

    techevo
    New Member
    November 26, 2014

    BWiebe wrote:

    Petras wrote:

    Hey,

     

    So what about:

    "Bug ID 0255603 Remove the default profile in deep-inspection-option /ssl-ssh-profile if it is not used. Otherwise, it will be renamed to deep-inspection-5-0. "

     

    We use default ssl inspection profile in some fw policies (FGT 800c). What will be the impact of this? How do I need to prepare for upgrade?

    From the bug notes above, it sounds like it only removes it if it's not in use.  If you're using it, it just renames it to deep-inspection-5-0.

     

     

    Hi,

       Not exactly ... that's what I was warning you about.  It's not as described in the bug ID!

    If you do use a profile called default it will be erased and it will be replaced with the new name deep-inspection-5-0 (but with the default settings, so you will lose all your custom settings). So please rename your profile to whatever you feel like before doing the upgrade or you will end up with a bad surprise!
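
A pre-upgrade check for the situation techevo describes, as an added example that is not part of any post in this thread: it scans a saved configuration backup for firewall policies that still reference the profile named default and reports whether that profile carries settings of its own. The sample backup is constructed, and the table names, the policy key names and a non-VDOM backup layout are assumptions to verify against your own backup.

```python
# Assumed table/key names for the 5.0 and 5.2 forms of the inspection profile.
PROFILE_TABLES = {"firewall ssl-ssh-profile", "firewall deep-inspection-options"}
POLICY_KEYS = {"ssl-ssh-profile", "deep-inspection-options"}

# Constructed sample backup, not taken from the thread.
SAMPLE_CONFIG = '''\
#config-version=constructed-sample
config firewall ssl-ssh-profile
    edit "default"
        config https
            set ports 443 8443
        end
    next
end
config firewall policy
    edit 1
        set ssl-ssh-profile "default"
    next
    edit 2
        set ssl-ssh-profile "corp-inspect"
    next
    edit 3
        set deep-inspection-options "default"
    next
end
'''

def audit_default_profile(config_text, name="default"):
    """Return policies that reference profile `name` and whether it has own settings."""
    stack, entry = [], None   # open "config" blocks; current top-level "edit" id
    policies, own_settings = [], 0
    for raw in config_text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        cmd = tok[0]
        in_profile = bool(stack) and stack[0] in PROFILE_TABLES and entry == name
        if cmd == "config":
            own_settings += in_profile        # nested block inside the profile
            stack.append(" ".join(tok[1:]))
        elif cmd == "end" and stack:
            stack.pop()
        elif cmd == "edit" and len(stack) == 1:
            entry = " ".join(tok[1:]).strip('"')
        elif cmd == "next" and len(stack) == 1:
            entry = None
        elif cmd == "set" and len(tok) >= 3:
            value = " ".join(tok[2:]).strip('"')
            if stack == ["firewall policy"] and tok[1] in POLICY_KEYS and value == name:
                policies.append((entry, tok[1]))
            own_settings += in_profile
    return {"policies": policies, "customised": own_settings > 0}
```

A non-empty `policies` list together with `customised` being true is the case the post warns about: rename the profile and re-point those policies before upgrading.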

     

    ISOffice
    New Member
    December 9, 2014

    No worries, glad to hear it helped.

    To be honest, I cannot see why this made the difference. Credit should really go to AJ in FortiNet Support.

    JP

    Carl_Wallmark
    New Member
    December 9, 2014

    ISOffice wrote:

    No worries, glad to hear it helped.

    To be honest, I cannot see why this made the difference. Credit should really go to AJ in FortiNet Support.

    JP

    My guess is that FortiView uses the SQLite database, which is activated by the "Local Report" feature.

    Lucascat
    New Member
    December 15, 2014

    What about memory usage on small model (40c, 60c, 60d) compared with 5.0.9?

    GusTech
    New Member
    December 15, 2014

    Lucascat wrote:

    What about memory usage on small model (40c, 60c, 60d) compared with 5.0.9?

    Hi, I checked out some of my 60c's; the memory is around 50 - 65% with no UTM, and normal small use. 100+ days uptime.

    I'm also running a fwf60D with 5.2.2 "testmode"; this is using 18% mem.

    Bunce
    New Member
    January 2, 2015

    In a policy, setting a service to 'ALL' won't pass any traffic for me. After defining each service manually it then succeeds.

     

    Tried setting in GUI and CLI - same result.

     

    60C Wifi - 5.2.2 - rule is applied to a software switch..   Haven't tried it on standard interface.

    Bunce
    New Member
    January 2, 2015

    Found the bug/fix for the ANY issue..

     

    In the service specifications it had the entry ALL with protocol=6, whereas it should have been protocol=0

     

    Must have been a strange upgrade glitch..

     

    m_raza
    New Member
    January 26, 2015

    We have recently upgraded the FortiOS from 5.2.1 to 5.2.2 in our infrastructure. Right now, we are facing issues with Web Filter Engine and SSL inspection; both of them are heavily malfunctioning and drop our legitimate traffic. Even web filtering is not filtering any web site which is extremely prohibited in our organization.

    We created some ipv4 policies where we apply web filtering to block all social sites category without applying any application filtering, because we can't due to some reasons, and we created three explicit proxy policies where we applied multiple levels of web filtering restriction. The failure we are facing is that in ipv4 policies web filtering is not working at all, and in explicit proxy policies web filtering sometimes works and sometimes doesn't.

    It all happened after upgrading the OS from 5.2.1 to 5.2.2. We are using FortiGate 200D.

    If anyone could help me regarding this issue.

    Thanks.

    vanc
    New Member
    January 27, 2015

    m.raza wrote:

    We have recently upgraded the FortiOS from 5.2.1 to 5.2.2 in our infrastructure. Right now, we are facing issues with Web Filter Engine and SSL inspection; both of them are heavily malfunctioning and drop our legitimate traffic. Even web filtering is not filtering any web site which is extremely prohibited in our organization.

     

    You may check the FortiGuard WebFilter License status. Make sure it's still valid.

     

    As a matter of fact, WF is working fine for me in 5.2.2. I'm using both IPv4 and IPv6 policies.

     

    If you have valid contract, you should contact FTNT support.

    m_raza
    New Member
    January 28, 2015

    vanc wrote:

    m.raza wrote:

    We have recently upgraded the FortiOS from 5.2.1 to 5.2.2 in our infrastructure. Right now, we are facing issues with Web Filter Engine and SSL inspection; both of them are heavily malfunctioning and drop our legitimate traffic. Even web filtering is not filtering any web site which is extremely prohibited in our organization.

     

    You may check the FortiGuard WebFilter License status. Make sure it's still valid.

     

    As a matter of fact, WF is working fine for me in 5.2.2. I'm using both IPv4 and IPv6 policies.

     

    If you have valid contract, you should contact FTNT support.

    WebFilter License status, 

    Actually yesterday I noticed that web filter engine is not filtering any site that starts with HTTPS; that means our SSL inspection is not working. I tried it with Forti CA and also tried our local CA. I am inspecting all ports in inspection method.

    Zenith
    New Member
    February 2, 2015

    FWIW I also had the boot loop when upgrading a 100D to 5.2.2.  Tried from 5.0.0Patch1 all the way through 5.0.0Patch11, same thing, it wouldn't boot.  I certainly would not be upgrading to 5.2.2 remotely as things stand!  Also tried going from 5.0.11 to 5.2.1 and stuck at the same point...