Best answer by Kevin_Shanus

7 replies

James_G
New Member
May 13, 2020

High hopes

 

Will await feedback to see if Fortinet got it right this time

Sebastiaan_Koopmans
New Member
May 13, 2020

Tonight we have upgraded our 300D and 500E Fortigate clusters to 6.2.4 (previous 6.0.8).

 

Keep you posted :)

emnoc
New Member
May 13, 2020

We will do a few FGT100E and FWF51E in the next few days.

 

Ken Felix

Toshi_Esumi
SuperUser
May 18, 2020

What version did you upgrade those FWF50Es from? Have you compared the WTP profile for the FAP221E you are using before and after the upgrade?

lobstercreed
New Member
May 19, 2020

It seems most folks are working on smaller boxes.  Has anyone run this on a 1500D yet? 

 

I've been holding out on 6.0.9 for months now and was really looking forward to getting on 6.2 but I use tons of VIPs and SSL-VPN is one of the most important things we run since COVID, so I can't afford these bugs.  Guess I'll have to wait again.  :(

DirkDuesentrieb
New Member
May 19, 2020

It makes a difference if the rules are collapsed or the interface sections are expanded.

I updated a lab 50E with only 4 rules and it takes over 10 seconds to load the IPv4 policy if all rules are shown. Doh!

 

Dirk

RonnyS_DD
New Member
May 19, 2020

Hi,

I've updated our 100D HA cluster yesterday, 6.2.3 -> 6.2.4; everything worked fine, I thought.

 

After 7 hours the cluster-ip went offline, no access to the cluster-frontend or to both boxes directly!

Also there was no communication possible, tunnels (s2s, sslvpn, wifi), all "services" stopped.

 

We had to power off both via hardware switch; after bringing them online again all seemed to work as great as in the first 7 hours, no problems were reported.

 

4 hours later the same error occurred: cluster offline, firewalls unreachable, had to hard turn off both boxes.

 

I've returned to 6.2.3, which is still annoying because of unstable s2s tunnels while the remote gateway isn't a Fortigate device, randomly turning the tunnel interfaces down and up.

 

Connection losses while returning to older firmware included; someone asked in another thread.

 

mjcrevier
New Member
May 19, 2020

For your IPSec tunnels to non-fortigate devices, do you have "set auto-negotiate enable" configured under the phase2?

 

For the 6.2.4 connection issues, disable DoS sensor if configured.
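As an added illustration of the two workarounds mjcrevier mentions (not part of his post), the FortiOS CLI below shows where each setting lives. The policy id `1`, interface `wan1` and phase2 name `branch-p2` are placeholders chosen for the example; substitute the objects from `show firewall DoS-policy` and `show vpn ipsec phase2-interface` on your own unit. Disabling the DoS policy removes that layer of protection, so treat it as a stopgap until the fixed firmware (6.2.5, per Toshi_Esumi's later post) is in place, and keep the policy object so it can be re-enabled with `set status enable`.

```text
# --- Workaround 1: disable the DoS policy that breaks VIPs / tunnels on 6.2.4 ---
# List existing DoS policies first to find the id and interface (placeholders below).
show firewall DoS-policy

config firewall DoS-policy
    edit 1                      # placeholder id from the 'show' output above
        set status disable      # keeps the anomaly settings, just turns the policy off
    next
end

# --- Workaround 2: keep IPsec phase2 to non-Fortigate peers up without waiting for traffic ---
config vpn ipsec phase2-interface
    edit "branch-p2"            # placeholder phase2 name
        set auto-negotiate enable   # FortiGate initiates/renegotiates the SA itself
    next
end
```

After the change, `get vpn ipsec tunnel summary` shows whether the phase2 SA came up on its own, and `diagnose sys session list` can confirm that inbound VIP sessions are being created again once the DoS policy is off.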

Kevin_Shanus
New Member
May 20, 2020

Hello Everyone, I wish I had found this post before upgrading to 6.2.4, but at least I know now I'm not going crazy with the VIPs not working on my 200E.

 

I'm running 6.2.3 and it takes two attempts to connect to SSL VPN via Forticlient 6.0.9. Does anyone know if this is a known bug with 6.2.3? 

 

Thanks

Toshi_Esumi
SuperUser
May 19, 2020

@rpedrica, so you're still seeing "Status: Online" in the grayed GUI then.

rpedrica
Visitor III
May 19, 2020

Correct yes - please see attached for a screenshot.

 

You can see that the R icons next to each radio are grey, as well as the Managed(1) icon to the right of the display.

Toshi_Esumi
SuperUser
May 19, 2020

@rpedrica, I think the grey icons are intentional. I thought you meant the entire row was greyed/dimmed out. I have 2.4GHz disabled on my FAP221B. As a result both R1 and R2 are grey, but R2 is dimmed. So if it's not dimmed, it's active.

mjcrevier
New Member
May 19, 2020

If you're having connectivity issues, check if DoS sensor is enabled. If so, disable it completely. That should resolve the issue you're seeing.


Toshi_Esumi
SuperUser
May 27, 2020

I had a conversation with an FTNT SE today about 6.2.4 problems. The major issues seem to boil down to the three issues below:

1. DoS policy issue: It's still a known issue with 6.2.4 and not resolved, which is in the release notes.

2. IPS engine keeps crashing. A new engine is planned to be released soon. Then this would be resolved.

3. WAD memory leak issue is still not 100% resolved.

6.2.5 will fix these issues and come out relatively shortly, although he couldn't tell me any target date. He recommended waiting for 6.2.5. But likely 6.0.10 comes out before 6.2.5.

 

By the way, FMG/FAZ 6.2.4 was to just fix vulnerabilities. They wanted to release it ASAP without waiting for bug fixes. Then 6.2.5 came out right after that with bug fixes. It was just coincidental they came out one after another.

Kevin_Shanus
New Member
May 27, 2020

My issue was that I upgraded 200E to 6.2.4, 80E to 6.2.4 and FAZ to 6.2.5.

 

6.2.4 has DoS issue which breaks VIPs

6.2.X changes SSL Inspection w/ SSH which broke DUO 2FA for me, fix was easy, had to exclude url from inspection but took a bit to track down

FAZ 6.2.5 had to have some reliability feature turned off to work with <100E Fortigates

 

I also patched about 45 windows servers the same weekend. #neveragain

MikePruett
New Member
May 27, 2020

Kevin Shanus wrote:

My issue was that I upgraded 200E to 6.2.4, 80E to 6.2.4 and FAZ to 6.2.5.

 

6.2.4 has DoS issue which breaks VIPs

6.2.X changes SSL Inspection w/ SSH which broke DUO 2FA for me, fix was easy, had to exclude url from inspection but took a bit to track down

FAZ 6.2.5 had to have some reliability feature turned off to work with <100E Fortigates

 

I also patched about 45 windows servers the same weekend. #neveragain

I almost had a stroke reading your comment. Man, that makes for a long weekend.

Billgazz
New Member
May 28, 2020
Hi everyone, I also updated from 6.2.3 to 6.2.4. Everything seemed to be working. But suddenly all the VIPs exposed on the WAN1 were not working, VPN IPsec and SSL all down.
Internal web browsing ok, perfectly released from wan1, without any block.

the second IPS, on the other hand, was also reachable by VIPs.

The only solution is to restart the firewall
100D in HA.

I opened a ticket in T3

Claudio