VicAndr
New Member
June 19, 2014
Solved

FortiOS 5.2: should we wait or should we go?

  • 20 replies
  • 55685 views
Questions to those who have been brave enough to upgrade their units to FortiOS v5.2.0: How did it handle complex configurations in the course of the upgrade (I mean an "in-place upgrade")? Are there any pitfalls to watch for? Does v5.2 work stably? Is there anything to lose in the jump to v5.2? Are you still there on v5.2 or did you have to go back to v5.0 for one reason or another? What are your overall experiences so far? We have a pure FortiOS v5.0.7 in our environment. It generally works fine, but our main headache is new FortiAPs supporting 802.11ac - they are practically unusable on v5.0.7 (we do not want to go with an "interim" FortiOS build as it raises a whole bunch of other questions). Thank you all for any feedback, VA
    Best answer by ejhardin
    By default the SSL profile is "certificate-inspection". In this mode the FortiGate is basically just reading the DNS name from the certificate during the SSL handshake. Question... Has anyone really had any issues with SSL connections while using "certificate-inspection"? I haven't had an issue and I like the fact that "certificate-inspection" is on by default. Other firewall companies are doing the same thing.

    20 replies

    Greg_Hennessy
    New Member
    June 20, 2014
    FortiASIC offload is broken for my FWF60C here. CPU loads are high and platform performance takes a serious hit as a consequence. Trying to work up the enthusiasm to do a clean factory reset and load of a clean empty policy to see if that sorts it.
    rwpatterson
    New Member
    June 20, 2014
    Unwritten IS policy #1: Never on a Friday! (unless you want to spend the better part of your weekend fixing it...)
    Dipen
    New Member
    June 21, 2014
    Upgraded my 100D to FortiOS 5.2 a few days ago. No problems as of now. I have Application Control in my environment. Glad they introduced a block page for Application Control as well. My users are happy... at least they now know that the application is blocked by "security people". FortiView wasn't much impressive. Impressive changes to the VPN GUI though, with all the wizards... but again, the IPsec wizard doesn't let you customize Phase 1 / Phase 2 parameters in the wizard itself.
    VicAndr (Author)
    New Member
    June 25, 2014

    Usually I do not upgrade my FortiGate/FortiWiFi units to a GA release, but this time I broke my own rule. I've upgraded a FortiWiFi unit (FWF-80CM) in one of our remote locations from FortiOS v5.0.7 to v5.2.0 and... almost immediately was punished for being impatient: the unit fell into "conserve mode". I have opened a case with Fortinet. I think though that it is not necessarily a problem with the new release of FortiOS as such. The thing is that with every release of FortiOS, it is gradually becoming more and more resource-consuming. So the gap between FortiOS' demand on the CPU's number-crunching abilities as well as on memory capacity and what resources the actual hardware can offer keeps growing... especially if your box was purchased a while ago. In our case it seems to be not so much a CPU problem as a lack-of-memory issue. With a comparatively simple configuration and logging disabled, memory utilization consistently stays at ~80%... even under very light traffic. So if you have one of those older FortiGate/FortiWiFi boxes (revision 1 of FG-80C, FG-80CM, FWF-80CM, ...) with just 512MB of RAM - good luck with FortiOS 5.2.0! The second generation of the FortiGate-80C model line has twice as much memory (thanks to rwpatterson for putting an excellent hardware reference here), so it should not be an issue there.

    pace
    New Member
    June 25, 2014
    Hi, I can confirm that it's not a good idea to upgrade one of the old 512 MB FortiGates! Upgraded an old FG60C from 5.0.7 to 5.2.0 five days ago and the memory utilization was soon at ~85%. If you need to test 5.2.0, I would recommend changing the global IPS algorithm to low. This has decreased the memory utilization to 78-80%. But I would NOT recommend installing this release on a productive 512 MB FortiGate.
    emnoc
    New Member
    June 25, 2014
    Unwritten IS policy #1: Never on a Friday! (unless you want to spend the better part of your weekend fixing it...)
    OP, just have a fallback plan. I upgraded 2 low-critical devices and had problems, one requiring a format, reboot and TFTP upgrade. I found a slew of problems, some cosmetic, some service impacting. What you should do is look at the risk involved if something goes wrong. On one site I was pushed into having to send a spare unit out from a nearby office. The other site was in my control so it wasn't greatly impacted. I personally would wait for 1-2 months unless you "just have to upgrade" and see what else is found and posted by this forum, TAC and other members. My rule of thumb matches that of rwpatterson, but I also typically don't upgrade into a new release until there's a minor release for that release, so a 5.2.1.
    VicAndr (Author)
    New Member
    June 26, 2014
    I personally would wait for 1-2 months unless you "just have to upgrade" and see what else is found and posted by this forum, TAC and other members.
    From a personal perspective I fully agree with you. The "flip side of the coin" though is that those who do all this "dirty job" of stepping into "unknown territory" save the rest of us from "riding through the same bumpy and dangerous road" by sharing their experiences. That's what makes humans different from other living things. When I opened this thread I was trying to "be smart" and learn from "other members'" experiences. Unfortunately there was no overwhelming number of responses to this call. So I decided to roll up my own sleeves... Well, now at least I can share my own proven experience: if you have a FG/FWF unit with 512MB of memory - don't expect it to work properly on FortiOS v5.2.0... unless you disable logging, device detection, AV, web content filtering, IPS and so forth... essentially everything except the power button. And this is despite the fact that your particular model might be listed among those supported in the release notes.
    ghorchem
    New Member
    June 30, 2014
    I would wait, because in 5.2 when you edit an existing security policy or create a new one, SSL inspection will be enabled and you can't disable it. This will cause issues for mail servers like Novell GroupWise that can't listen on port 465 and incoming mail needs port 25 without SSL. I hope that Fortinet will put out an update to let you enable or disable SSL inspection.
    ShrewLWD
    New Member
    June 30, 2014
    Hey ghorchem, hmm, that is a weird one. I am running 5.2 on a few (non-production) boxes, and am not seeing that, either in the GUI or the CLI. I can enable and disable SSL Inspection at will. FortiWiFi 60C and FortiGate 100D. Now, *BOTH* boxes were fully wiped and had 5.2 installed fresh, versus in-place upgrading. What firmware version did you go from, and what box?
    emnoc
    New Member
    June 30, 2014
    The same here, not a problem with editing an existing policy.
    ghorchem
    New Member
    June 30, 2014
    I upgraded from V5.0 build 4459 on a 60D. I found this in the What's New for FortiOS 5.2.0 guide:

    SSL Inspection
    There have been several changes to how SSL Inspection is handled on a FortiGate unit.

    Automatic Inspection When Security Profiles are Used
    If any security profile is used in a security policy, SSL inspection will automatically be enabled, at which point an SSL mode must be selected (see below for more details).

    HTTPS Scanning Without Deep Inspection
    The following changes have been made in order to allow HTTPS traffic to be scanned without enabling deep inspection:
    • There are now two modes for SSL inspection: certificate inspection (certificate-inspection in the CLI), which only inspects the SSL handshake, and deep inspection (deep-inspection in the CLI), which enables full deep inspection of SSL traffic (this was previously the default mode for SSL inspection).
    • The CLI command https-url-scan has been removed.
    • deep-inspection-options has been renamed ssl-ssh-profile.
    • The SSL inspect-all option and the https status option now have three states: disable, certificate-inspection, and deep-inspection. The status option for the other protocols now uses deep-inspection instead of enabled.
    When a new policy or profile group is created, the SSL inspection profile certificate-inspection is automatically added.

    SSL/Deep Inspection Exemptions
    The options for configuring exemptions to SSL/Deep Inspection are now configured as part of the deep inspection options, rather than FortiGuard web filtering. Exemptions can be added to SSL inspection by going to Policy & Objects > Policy > SSL Inspection or through the CLI. Certain applications, such as iTunes and Dropbox, require a specific certificate to be used, rather than using the system's certificate store. Because of this, the default deep inspection profile, deep-inspection, has exemptions configured for these applications by default in FortiOS 5.2.

    Syntax
    config firewall ssl-ssh-profile
        edit <name>
            config ssl-exempt
                edit <id>
                    set type {fortiguard-category | address | address6}
                    set category <id>
                    set address <string>
                end
            end
        end
    end
    emnoc
    New Member
    June 30, 2014
    No, he's not 100% correct & he wasn't 100% clear fwiw. Here's a TIP: if you don't want SSL inspection screwing anything up, just create a SSL inspection profile with nothing enabled. Also take a look at profile-protocol-options.

    edit "noinspection1"
        config https
            set ports 443
            set status disable
        end
        config ftps
            set ports 990
            set status disable
        end
        config imaps
            set ports 993
            set status disable
        end
        config pop3s
            set ports 995
            set status disable
        end
        config smtps
            set ports 465
            set status disable
        end
    next
    end

    And you can re-edit the firewall policy via the GUI or CLI and change the policy to one of the other inspection profiles as required at a later date if you need inspection:

    TESTFW01 (10) # show
    config firewall policy
        edit 1089
            set uuid 7603f088-fce9-51e3-167d-df80cb5c7757
            set srcintf "wifi"
            set dstintf "virtual-wan-link"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "skype_ports"
            set utm-status enable
            set logtraffic disable
            set profile-protocol-options "default"
            set ssl-ssh-profile "certificate-inspection"
            set traffic-shaper "guarantee-100kbps"
            set nat enable
        next
    end

    TESTFW01 (10) # set ssl-ssh-profile <string>
    please input string value
    certificate-inspection    ssl-ssh-profile
    deep-inspection           ssl-ssh-profile
    default                   ssl-ssh-profile
    noinspection              ssl-ssh-profile
    noinspection1             ssl-ssh-profile

    TESTFW01 (10) # set ssl-ssh-profile noinspection1
    TESTFW01 (10) # end

    And we can change the profile-protocol-options (the profile is named "noinspection" here so that the policy below can reference it):

    config firewall profile-protocol-options
        edit "noinspection"
            config http
                set ports 80
                set status disable
                set options no-content-summary
                unset post-lang
            end
            config ftp
                set ports 21
                set status disable
                set options no-content-summary splice
            end
            config imap
                set ports 143
                set status disable
                set options fragmail no-content-summary
            end
            config mapi
                set ports 135
                set status disable
                set options fragmail no-content-summary
            end
            config pop3
                set ports 110
                set status disable
                set options fragmail no-content-summary
            end
            config smtp
                set ports 25
                set status disable
                set options fragmail no-content-summary splice
            end
            config nntp
                set ports 119
                set status disable
                set options no-content-summary splice
            end
            config dns
                set ports 53
                set status disable
            end
        next
    end

    And then you apply this to the firewall policy(s):

    config firewall policy
        edit 1089
            set profile-protocol-options "noinspection"
        end
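An added audit helper, not from this thread or from Fortinet, that ties the What's New rule quoted above (SSL inspection is tied to security profiles and the ssl-ssh-profile) to emnoc's "noinspection" profile: it parses a `show`-style `config firewall policy` dump and reports which policies will actually deep-inspect SSL on 5.2. The config text is constructed, and the fallback to certificate-inspection when utm-status is enabled but no ssl-ssh-profile line is shown is an assumption.

```python
# Added example (not from the thread or Fortinet): audit which FortiOS 5.2
# firewall policies will actually perform SSL inspection, from a `show` dump.

# Constructed sample; mimics the `show` output quoted above, not a real device.
SAMPLE_CONFIG = """\
config firewall policy
    edit 1089
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
    next
    edit 1090
        set utm-status enable
        set ssl-ssh-profile "deep-inspection"
    next
    edit 1091
        set utm-status disable
    next
end
"""

def parse_policies(text):
    """Return {policy_id: {setting: value}} for top-level `edit` entries."""
    policies, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            depth += 1
        elif line == "end":
            depth -= 1
        elif line.startswith("edit ") and depth == 1:
            current = policies.setdefault(line[5:].strip('"'), {})
        elif line.startswith("set ") and current is not None:
            key, _, value = line[4:].partition(" ")
            current[key] = value.strip('"')
        elif line == "next":
            current = None
    return policies

def ssl_inspection_mode(policy):
    """What's New rule: no security profiles (utm-status off) means no SSL
    inspection; else ssl-ssh-profile decides. Assumption: utm-status on with no
    ssl-ssh-profile line means the 5.2 default, certificate-inspection."""
    if policy.get("utm-status") != "enable":
        return "none"
    return policy.get("ssl-ssh-profile", "certificate-inspection")

def deep_inspecting_policies(text):
    """IDs of policies doing full deep inspection, the mode the guide exempts
    certificate-pinning apps (iTunes, Dropbox) from by default."""
    return [pid for pid, p in parse_policies(text).items()
            if ssl_inspection_mode(p) == "deep-inspection"]
```

Run it over a real `show` of `config firewall policy` before an in-place upgrade to see which policies will change behaviour, and which ones a "noinspection"-style profile needs to be applied to.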
    VicAndr (Author)
    New Member
    July 2, 2014
    if you don't want SSL inspection screwing anything up, just create a SSL inspection with nothing enabled
    That's the whole point! You can't "click a button" to turn SSL inspection OFF like you do with other UTM features. But you may create a custom SSL profile with everything disabled, which effectively turns SSL inspection off. So you both (emnoc and ghorchem) are right. Although you do not need to wait for this single "SSL ON/OFF button" to make Novell GroupWise work on 5.2.
    emnoc
    New Member
    July 2, 2014
    Man, you are really making this harder than what it is. Just click the button in the oval in the screenshot, edit the profile and then disable SSL inspection if not required. If you enable application control, then the SSL inspection tab is greyed out. Not very hard or too much extra work or difficult, or at least I don't think so. If you don't want SSL inspection messing anything up, define the default with all items disabled or create a noinspection profile (like mentioned above) and apply the same logic. Once again a minor inconvenience, but really not too difficult or impacting. Remember you need application control enabled for FortiView to identify applications.