Fortinet Forum
Alby23
Contributor II

FortiOS 5.2.9 is out

http://docs.fortinet.com/uploaded/files/3285/fortios-v5.2.9-release-notes.pdf

 

The list of the resolved issues is important IMHO, just some tips:

297421 HTTPs traffic is blocked after AV/IPS database update from FortiGuard.

306929 Fortigate memory logging is automatically enabled after reboot.

382828 When trying to access internal server through SSL VPN in web mode, the login page is not

371264 Modify user ran into lock when trying to change user's password during sslvpn connection.

376599 Keep IPSec traffic on the hardware during rekeying causes kernel panic.

1 Solution
ddskier

I ended up opening another ticket with Fortinet because IPS engine 3.0289 still has an issue.

 

They ended up providing me 3.0173. I would open a ticket and ask for this IPS engine.

-DDSkier FCNSA, FCNSP FortiGate 400D, (2) 200D, (12) 100D, (2) 60D

43 REPLIES
vgatti
New Contributor

Can I downgrade from 5.2.9 to 5.2.8 by simply uploading the firmware file from the web interface? This 60D I have is in a remote place where I can't fully flash it with a tftp server...

 

Thanks

kckong
New Contributor III

Yes, I also reflashed 5.2.8 directly.
ede_pfau
Esteemed Contributor III

At least one person should warn that downgrading is always connected with a high risk of losing parts of the config, as stated in the Release Notes:

Downgrading to previous firmware versions

Downgrading to previous firmware versions results in configuration loss on all models. Only the following settings are retained: operation mode; interface IP/management IP; static route table; DNS settings; VDOM parameters/settings; admin user account; session helpers; system access profiles.

Background: firmware updates contain the new firmware and possibly script code to change previous syntax to the new version. Sometimes, the internal HDD filesystem is reformatted. If you downgrade just by applying the older firmware, the wrong routines are run (those for upgrading) and this might result in loss of function.

So, for a remote FGT, I'd be very, very cautious. Perhaps only the IPsec VPN might be broken afterwards which in this situation would be quite bad. This way or the other, downgrading is risky and needs extra effort. As you may have noted, several others have downgraded just by applying the older firmware, and it worked for them.

Ede

"Kernel panic: Aiee, killing interrupt handler!"
mas1971
New Contributor III

I opened a ticket and got the newer IPS Engine 3.173. After installing this on FortiGate 60D and 90D everything is fine for the moment. The issues of crashing IPS Engine are gone.

 

So FortiOS 5.2.9 running with this Engine corrected the issues for us and we will stay on 5.2.9.

Best wishes out of Germany
kckong
New Contributor III

Opening a ticket for a new IPS engine is not the root of the solution; they should release a new firmware, including a new IPS engine....

 

Also, I will always keep the config file for all units. It is very easy for me to roll back the firmware, rather than use trial and error on the malfunction of the firmware.

MrGuga
New Contributor

Yesterday after upgrading, if I enabled DLP in an explicit proxy policy the CPU would stay at 100%. 

The DLP profile was configured to log all files fingerprinted as "Critical". Fingerprint database had about 350 files (I deleted it to see if that was the problem, but it wasn't).

 

These processes were fighting for CPU (about 50% each):

dlpfpcache 

sqldb

 

I tried again today but it seems to be working correctly now. I will rebuild fingerprint database and see what happens. 

 

The box is a Fortigate 300C with only one explicit proxy policy and everything enabled on it.

 

Luckily it is not production environment so that's ok.

 

Itguy
New Contributor

I take back my statement this version is running fine.

 

IT'S A DISASTER!  Both units we were testing in production have had serious issues. I will be rolling them back to 5.2.8 tonight, hopefully that goes as planned. But 5.2.9 is a BUGGY MESS. Stick with 5.2.8 if you are on it, and wait this one out.

 

VPN's not working, IPS crashes, blah blah blah.

Ralph1973

Upgraded a 240d cluster last week, no issues so far.

ramboris

I do have the same IPS issue on a 60D

..... signal 11 (Segmentation fault) received, backtrace....

I've downgraded back to 5.2.8 for now

 

Tried also on a 200D which seems fine with 5.2.9

ddskier

I can confirm that on 200Ds 5.2.9 is working fine.

 

Will test it out on 100D in a few days and report back.

-DDSkier FCNSA, FCNSP FortiGate 400D, (2) 200D, (12) 100D, (2) 60D