Carl_Wallmark
Valued Contributor

FortiOS 5.2.7 is out

.

FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C

vladimircze
New Contributor III

Hi,

12 hours ago I upgraded a 100D cluster from 5.2.3 to 5.2.7 (using 5.2.5 as the intermediate version in the upgrade path).

Features used:

A-A cluster,

web filter,

IPS, A/V, APPL Sensors, content SSL Inspection

WiFi (WPA2-enterprise and WPA2-Personal)

SSL VPN, IPSEC VPN

OSPF, LACP

5 VDOM.

 

So far so good.

 

Vladimir, Prague, Czech Republic.

romanr
Valued Contributor

AtiT wrote:

Now when I want to connect to the subordinate unit with the command #execute ha manage <id>, the username and password need to be entered. Is it a new feature?

Hi,

I can confirm the same behaviour on a couple of clusters (400Ds and 600Ds) we deployed last weekend... All of them came up with this. Seems to be a bug in 5.2.7.

 

Besides this - everything works fine.

 

br,

Roman

netmin
Contributor II

I don't believe this is a bug. I remember having seen a changelog or release note referring to the built-in account "FGT_ha_admin", which was originally used for exec ha manage:

 

"You log into the subordinate unit using the FGT_ha_admin administrator account. This built-in administrator account gives you read and write permission on the subordinate unit. Normally this built-in administrative account is not visible, however FGT_ha_admin does appear in event log messages."

 

I think the account was removed (for security reasons) ... [strike]I can't find the corresponding document anymore, maybe a later document revision had this piece of information removed as well.[/strike]

 

Edit: found it - the release notes downloaded from the support portal provide(d) this information.

 

JohnAgora

Is there a release date for 5.2.8?

There are some bugs with dialup VPNs...

Diko
New Contributor

Hi,

We updated our FortiGate 300C to version 5.2.7. I don't know about older versions, but on 5.2.7 we have an issue.

We created an IPS sensor to block attacks on one of the interfaces. The firewall shows that some unwanted traffic is dropped, but in reality the situation is strange. In the logs on the attacked server we saw that it is not dropped and the traffic goes to the server without trouble. So we have a DoS attack and the firewall is maybe showing incorrect info. I checked the IPS sensor three times and found the signature that the hackers use to DoS our network. All these signatures are in block mode. The IPS signatures are updated to the latest versions.

So I don't know whether it is a bug or not. We registered a case for this situation and now second-level support is trying to check this. Maybe somebody has the same situation?

 

Next question, about versions: I didn't find information anywhere about plans for the FortiGate 300C to support FortiOS 5.4. I hope that a new version is coming soon.

 

 

 

x_member

FYI:

5.2.7 contains ipsengine 3.0164 that does not play well with deep packet inspection and Chrome browser: https://forum.fortinet.com/tm.aspx?m=137615

 

billtbyhand

I upgraded our 100D over the weekend from 5.2.5 to 5.2.7.

The main thing I saw in the release notes was that the conserve mode threshold for memory had been increased to 95%.  I was seeing occasional "FortiGate has reached system connection limit for x seconds", so I thought changing the memory threshold may help this situation.

Yesterday afternoon I get the call "The internet isn't working".  5 minutes later, they call back and tell me it's ok.

I get back to the office, and log in to our FortiGate, and see where it has entered conserve mode for about 15 minutes.  Looking at my network flows, it looks like the FortiGate had dropped ALL data on ALL ports (internal and external) during that time.

While I'm researching this issue, about an hour later, it happens again.  My fortigate web page drops me out, and I can't log back in.  Another 15 minutes later, and I get back in, and see where it has again dropped all data flow from all interfaces.

Well, time to roll back the firmware 

I waited until this morning because some people had things they needed to get done.  This morning (with nobody in the office, and network usage pretty much nil), it dropped all connections again for about 10 minutes.

I went ahead and rolled back to 5.2.5, and all has been well since then.

I did open a ticket with Fortinet, and sent them a copy of my config files to look at.  Hopefully they can give me some idea of what's going on.

I had made no changes to our configuration after the upgrade.

 

PS.  I had tried 5.4, and really liked some of the Fortiview stuff, but had almost immediate crippling issues and had to roll back within 24 hours.

 

All I can say is, I don't envy the engineers and programmers at Fortinet.  As the capabilities have grown, and the depth of their product line has expanded, trying to get the same software running properly across all those products has got to be a bitch.

Bill Hand Network Administrator D.L. Lee & Sons Inc. 927 Highway 32 E, Alma, GA 31510 (912) 632-4406 Ext. 1131 Bill.hand@dllee.com

IAC
New Contributor

We upgraded our 2 FG500D (3000k users, 200Mbps Internet traffic, HA A-P, IPS, AV, Web Filtering, Application Control, SSL/SSH inspection) last week from 5.2.3 to 5.2.5. Configuration file did not change. Just after the upgrade we noticed http/https traffic problems (from and to Internet) related to SSH/SSL inspection feature.

 

To get the http/https traffic back, we had first to activate SSH/SSL inspection in the policies affected (no SSH/SSL inspection activated before the upgrade). With other policies this workaround did not work. In the end we had to avoid any IPS, AV, Application control, SSH/SSL inspection configuration. Web Filtering was fine.

 

One week later (yesterday) we upgraded from 5.2.5 to 5.2.7. So far, so good. No problems noticed.

ede_pfau
Esteemed Contributor III

Really, 3 million users on a 200 Mbps line?

 

Just out of curiosity, why did you not upgrade to v5.2.8 right away? (we've got a "FortiOS 5.2.8 is out" thread as well)


Ede

"Kernel panic: Aiee, killing interrupt handler!"
IAC
New Contributor

Thank you for your reply and your suggestion!

 

Sorry for the confusion. Just 3k users! Regarding the upgrade to 5.2.8, we prefer to avoid frequent updates in a short period of time (too risky). Besides, from the upgrade path we have checked that 5.2.7 is ready to go to 5.4.1, as well as 5.2.8. There seem to be no relevant bugs fixed in 5.2.8. At some point next year we assume 5.4.x will be stable enough, so we will plan to go to 5.4.x from 5.2.7.

 

By the way, thanks for this forum. It is quite more useful than Fortinet technical tickets (we did not get any response in 4-5 days after the upgrade to 5.2.5 that seriously affected UTM features; one week without AV, IPS, application control, SSH/SSL inspection...)

Thanks.

Ignacio.

ede_pfau
Esteemed Contributor III

Sorry to hear that Support was of little help to you. Experiences vary. A lot of support tickets should have been resolved by your FTNT partner in place; they have low priority and sometimes a useless return. When I had serious trouble I got very helpful solutions, especially if I had the luck to be reassigned to the warriors in Sophia Antipolis :)


Ede

"Kernel panic: Aiee, killing interrupt handler!"