Lots (and lots) of bug fixes, no landslide new features; comes with IPS engine 6.032, which is designed to reduce memory usage by 50% on IPS daemons. Need to get testing!
The immediate impact I have noticed is the drop in memory usage: 68% before upgrade (6.4.1) and 48% after upgrade (6.4.2). Same config, similar number of sessions before and after.
There are a huge number of bug fixes and looks like improvements from the IPS engine as James_G suggests. So far looks like a good move forward.
Hi guys, what is the recommended upgrade path? Can I go to 6.4.2 directly from 6.2.4? On the support portal, version 6.4.2 is missing in the "Upgrade Patch" section. Thanks, Jirka
We found some problems in the use of OS6.4.2, especially the use of Ban IP in FortiView. Because the search function is cancelled in FortiView, it is extremely difficult to find a specific IP and give it a ban IP. If you use the function of Indicators of Compromise Service, you can even isolate its MAC and not block IP.
There are also settings for SSL/SSH inspection. As long as you don't use the built-in profiles, other self-defined profiles are more or less problematic in use.
Does anyone have a good solution?
Hi there, thank you for your report. For banning an IP, you can also do it via Log pages > Search for the device IP, then hover over the device MAC > a tooltip pops up and there is a Ban IP action there. This Ban IP action is available on any page that has a device tooltip. FYI, we will be adding back support for searching for FortiView in a future version.
In fact, we found that if the device is connected to FortiSwitch or FortiAP, in the log record only quarantine host can be done, but not IP banning.
If it is not connected to the FortiSwitch or FortiAP device, banning an IP can be executed by following the steps you described. Isn't this weird?
I can only look forward to replying to the original FortiView ban IP function as soon as possible.
The FortiSwitch and FortiAP case is intentional as we recommend quarantine MAC (layer 2) over ban-ip (layer 3). However, we can review this behaviour if ban-ip is still desired in this case.
Another workaround you can do is to find the device in the following pages and ban-ip from there:
- User & Device dashboard
- Device Inventory widget, tooltip action on each entry
- From the above page, you can also right click on the device and find it in FortiView/Log and perform the action there. This can serve as a FortiView search workaround for now.
I will try the operation method you provide. For some reasons we can only use Ban IP, but because there are hundreds of devices, I still hope that the previous management method is better. Thank you anyway!