Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
bommi
Contributor III

FortiOS 6.0.2 is out!

NSE 4/5/7
2 Solutions
cryptochrome

Wow, this release is a true bug fest. I don't even know where to begin.

 

[ul]
  • DNAT Static NAT without port forwarding (e.g. 1:1 NAT) not working, broken
  • Enable a rule with URL Filtering: Firewall doesn't forward traffic for other rules (packets disappear in Nirvana)
  • Rule with URL Filtering set to DENY logs completely unrelated allowed traffic (it logs session close for allowed traffic of other rules)
  • Web Filter log is not working (it logs nothing) - blocked/allowed URLs appear in App Filter log instead[/ul]

     

    Those are just a few things that I noticed. 

    Arent's they ashamed of themselves putting something like that out in the wild? I would be.

  • View solution in original post

    SecurityPlus

    Yes, we encountered these two issues on a FortiGate 60E. In spite of my previous statement, I think that both errors occurred on the same firewall. We upgraded another ForthGate 60D with no other problems noted.

     

    1. Log & Report / System Events / Application crashed

    application: ipsengine 04.021

    I was told that this has been reported in bug id: 0506672 and that this requires an upgrade to the IPS engine to version 4.0023

    I made the upgrade to 4.0023 but prior to the upgrade the system event crashes stopped appearing

    No further issues with this issue have been noticed

     

    2. https://www.gotoassist.me certificate warning. Using deep inspection. Forti_ssl certificate was installed on the browser. The certificate for this website was signed by Fort_CA_untrusted. I was told that the Fortiguard team is working on the certificate bundle. They are saying it will be added in certificate bundle 1.00013.

    I was told that I could run:

    You can run the following command to update your bundle : execute update-now To check if it is updated then run diagnose autoupdate versions

    I have not tested this issue further.

     

    No additional issues with 6.0.2 noticed.

    View solution in original post

    25 REPLIES 25
    bommi
    Contributor III

    You can now use the packet capture on gui also on small machines without an log-disk!

    The packet capture will use an ram-disk.

    This is the best new feature so far :D

    NSE 4/5/7

    NSE 4/5/7
    simonorch

    Very happy indeed to get packet capture back in the gui on the lower end non-disk boxes.

    That one feature has kept some of our customers on 5.2

    NSE8 Fortinet Expert partner - Norway

    NSE8 Fortinet Expert partner - Norway
    SMabille

    But not impressed with stability.

    FGT60E, IPS Engine (4.021) keep crashing, massive performance issues (even on rules without UTM).

    Will have to downgrade to 6.0.1.

    Been a long time I haven't been so disappointed by lack of QA so quickly (less than 24 hours) - back to good old buggy Fortinet!

    bommi
    Contributor III

    At least on my FWF30E no ips engine crashes are logged in the crashlog.

    NSE 4/5/7

    NSE 4/5/7
    emnoc
    Esteemed Contributor III

    Had trouble upgrading a FWF60D  with the new image had to rollback, still investigating

    PCNSE 

    NSE 

    StrongSwan  

    PCNSE NSE StrongSwan
    storaid

    'sslvpnd' process causes high cpu loading....

       PID      RSS  ^CPU% MEM%   FDS     TIME+  NAME
     * 133      16M   96.9  0.9    31  35:29.83  sslvpnd [x4]
       132      16M   19.4  0.9    11  00:01.64  httpclid [x3]
       121      28M    8.6  1.5    27  02:17.48  httpsd [x5]
       124     323M    7.8 17.3   369  54:50.38  ipsmonitor [x6]
       141      12M    4.8  0.7    13  09:57.30  updated
       119      39M    0.8  2.1    38  22:51.74  miglogd [x3]
       128      14M    0.0  0.8    22  04:32.30  forticron
       131       6M    0.0  0.3    24  00:00.43  foauthd
       129       7M    0.0  0.4    15  00:24.66  forticldd
       136       6M    0.0  0.3    10  00:00.90  guacd
       137     808K    0.0  0.0     4  00:00.10  smbcd
       138       6M    0.0  0.3    24  00:10.90  voipd
       140      66M    0.0  3.5   173  02:25.64  wad [x8]
       130       9M    0.0  0.5    47  06:31.97  authd [x3]
       142       5M    0.0  0.3    12  01:05.58  snmpd
       143       5M    0.0  0.3    23  00:17.17  dhcpd
       144       4M    0.0  0.3     8  01:46.27  ipldbd
       145       9M    0.0  0.5    17  01:43.32  src-vis
       146       4M    0.0  0.3    16  00:08.83  ntpd
       147       5M    0.0  0.3     5  00:00.30  sshd

    FWF60D x2 FWF60C x3 FGT80C rev.2 FGT200B-POE FAP220B x3 FAP221B x2

    FSW224B x1

    FWF60D x2 FWF60C x3 FGT80C rev.2 FGT200B-POE FAP220B x3 FAP221B x2 FSW224B x1
    andrewbailey

    So far my FT60E is table and performing normally (although using higher average memory than before the update).

     

    I agree it's great to see Packet Capture back in the GUI.

    cryptochrome

    Wow, this release is a true bug fest. I don't even know where to begin.

     

    [ul]
  • DNAT Static NAT without port forwarding (e.g. 1:1 NAT) not working, broken
  • Enable a rule with URL Filtering: Firewall doesn't forward traffic for other rules (packets disappear in Nirvana)
  • Rule with URL Filtering set to DENY logs completely unrelated allowed traffic (it logs session close for allowed traffic of other rules)
  • Web Filter log is not working (it logs nothing) - blocked/allowed URLs appear in App Filter log instead[/ul]

     

    Those are just a few things that I noticed. 

    Arent's they ashamed of themselves putting something like that out in the wild? I would be.

  • SecurityPlus

    Upgraded 60E from 5.6.5 to 6.0.2.

     

    Upgrade was successful the first time.

     

    Twice the ipsengine 04.021 has crashed, 30 minutes apart.

     

    Memory usage is about 60%. CPU utilization is about 3%.

     

    Noticed two errors after the firmware upgrade (diag debug config-error-log read):

    1. set type security audit and 2. set location forticloud. The engineer thought that these errors could be ignored and that they were due to changed features in 6.0.2.

     

    Called Fortinet tech support. Was unable to start a GoToAssist session without encountering a security warning. The engineer thought that the security certificate use by GoToAssist was not in the trusted certificates in the FortiGate. This FortiGate is using Full SSL Inspection on the IPv4 policy. He said that he would investigate. Would be curious if others running 6.0.2 and using Full SSL Inspection can open GoToAssist without getting a certificate warning.

     

    Otherwise things seem OK with 6.0.2 so far.

    Labels
    Top Kudoed Authors