Fortinet Forum
storaid
Contributor

FortiOS v5.6.1 is released...!!

well...

after long time ago, now it's out...

FWF60D x2 FWF60C x3 FGT80C rev.2 FGT200B-POE FAP220B x3 FAP221B x2

FSW224B x1

6 Solutions
storaid
Contributor

annoying bug..

JSON string....=^=

FWF60D x2 FWF60C x3 FGT80C rev.2 FGT200B-POE FAP220B x3 FAP221B x2

FSW224B x1


emnoc
Esteemed Contributor III

Other problems noted in 5.6

 

 

1: the diag debug flow show console enable is missing as an option

2: still can NOT upload an x509 certificate via GUI (pkcs12 or via pem cert+key)

3: a valid self-signed certificate for admingui access does NOT work no matter how or what type of certificate we try to craft (standard, wildcard or SAN) if we paste it in via the cli "config vpn certificate local"

 

More to come ;)

 

PCNSE 

NSE 

StrongSwan  


emnoc
Esteemed Contributor III

Again my FWF60D has hung up. We thought it crashed but come to find out the HTTP process is hung. Since this is a remote hosted FW, I'm downgrading .... Sorry but v5.6.1 is a no-go for me ;(

 

 

PCNSE 

NSE 

StrongSwan  


storaid

inexplicable radius server test:

FWF60D x2 FWF60C x3 FGT80C rev.2 FGT200B-POE FAP220B x3 FAP221B x2

FSW224B x1


pcraponi
Contributor II

Maybe it's a database migration? Have you tried to format log-disk?

Regards, Paulo Raponi


thuynh_FTNT

keij wrote:

I can not see Local traffic (Fortigate's self traffic) in FortiView of ver5.6.1. In 5.2 we were able to see the fortigate local traffic. Is it no longer visible in the 5.6 series?

Hi Keij, that is correct. We do not show local traffic in FortiView starting 5.6.0


102 Replies
SMabille

My 2 cents rant:

 

FG-200D, no HA, no VDOM, upgraded from 5.4.5:

- FortiView / Cloud App:

      . Without FAZ: FortiView / Cloud app: httpsd crashes often and 100% reproducible when trying to dig YouTube

      . With FAZ: No crash but YouTube completely ignored

- xfer-fas file drops still unclear what files: IPS upload off, Fortisandbox cloud working, issue present with or without FAZ, (looks like a widespread issue)

- httpsd and wad unstable (crashlog). FAZ improves httpsd stability vs local disk logging.

- unclear when/how internet service database is updated and support process is. Netflix addresses already out of date.

- FAZ mandatory to be able to enforce FortiClient telemetry (was not the case under 5.4.x)

 

Upgrade process relatively painful (lots of entries on diag debug config-error read):

- Conversion from multiple CASI profiles not/badly supported

- Wildcard FQDN part of address group used on policies (not enforced/checked under 5.4.x and now rejected)

But also basic configuration options:

>>> "set" "service-expire-notification" "disable" @ global.system.global:command parse error (error -61)
>>> "set" "enc-offload-antireplay" "enable" @ global.system.npu:command parse error (error -61)
>>> "set" "offload-ipsec-host" "enable" @ global.system.npu:command parse error (error -61)
>>> "set" "polling-id" "1" @ root.user.adgrp.CN=Domain Users,CN=Users,DC=....:command parse error (error -61)
>>> "set" "polling-id" "2" @ root.user.adgrp.CN=Domain Admins,CN=Users,DC=...:command parse error (error -61)
>>> "config" "webfilter" "override-user" @ root:command parse error (error 1)
>>> "config" "webfilter" "ftgd-warning" @ root:command parse error (error 1)
>>> "set" "certname" "Fortinet_SSLProxy" @ root.firewall.ssl-ssh-profile.deep-inspection:command parse error (error -61)
>>> "set" "certname" "Fortinet_SSLProxy" @ root.firewall.ssl-ssh-profile.certificate-inspection:command parse error (error -61)

 

 

In my opinion still nowhere close to production ready (and some widespread issues should have been picked up by QA), still unsure if I'll downgrade my home lab.

 

Rant over!

jnliu_FTNT

SMabille wrote:

But also basic configuration options:

>>> "set" "service-expire-notification" "disable" @ global.system.global:command parse error (error -61)
>>> "set" "enc-offload-antireplay" "enable" @ global.system.npu:command parse error (error -61)
>>> "set" "offload-ipsec-host" "enable" @ global.system.npu:command parse error (error -61)
>>> "set" "polling-id" "1" @ root.user.adgrp.CN=Domain Users,CN=Users,DC=....:command parse error (error -61)
>>> "set" "polling-id" "2" @ root.user.adgrp.CN=Domain Admins,CN=Users,DC=...:command parse error (error -61)
>>> "config" "webfilter" "override-user" @ root:command parse error (error 1)
>>> "config" "webfilter" "ftgd-warning" @ root:command parse error (error 1)
>>> "set" "certname" "Fortinet_SSLProxy" @ root.firewall.ssl-ssh-profile.deep-inspection:command parse error (error -61)
>>> "set" "certname" "Fortinet_SSLProxy" @ root.firewall.ssl-ssh-profile.certificate-inspection:command parse error (error -61)

 

@ SMabille

By cmdb daemon checking, it normally prints out what configuration was lost during upgrading. Therefore, it displays "diag debug config-error-log" in the console. However, most of them are removed by design and command change.

In your case, all errors are removed by design and command change.

 

Jining
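A post-upgrade audit of the config-error output discussed in the two posts above, as an added example that is not part of any poster's reply and is not Fortinet code: it splits the log into one record per rejected command and groups the records by configuration path so each dropped setting can be checked against the pre-upgrade backup. The sample text is constructed in the shape quoted in the thread, and the watch list in `needs_review` is an assumption chosen for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the shape quoted in the thread; entries may share a line.
SAMPLE = (
    '>>> "set" "service-expire-notification" "disable" @ global.system.global:command parse error (error -61) '
    '>>> "set" "enc-offload-antireplay" "enable" @ global.system.npu:command parse error (error -61)\n'
    '>>> "set" "polling-id" "1" @ root.user.adgrp.CN=Domain Users,CN=Users,DC=....:command parse error (error -61) '
    '>>> "config" "webfilter" "override-user" @ root:command parse error (error 1)\n'
    '>>> "set" "certname" "Fortinet_SSLProxy" @ root.firewall.ssl-ssh-profile.deep-inspection:command parse error (error -61)\n'
)

# >>> "tok" "tok" ... @ <path>:command parse error (error N)
ENTRY = re.compile(
    r'>>>\s+((?:"[^"]*"\s+)+)@\s+(.+?):command parse error \(error (-?\d+)\)'
)

def parse_config_errors(text):
    """Return one dict per rejected command, in log order."""
    entries = []
    for m in ENTRY.finditer(text):
        tokens = re.findall(r'"([^"]*)"', m.group(1))
        # First path component is "global" or "root" in the thread's output.
        scope, _, table = m.group(2).partition(".")
        entries.append({
            "command": " ".join(tokens),
            "scope": scope,
            "table": table,  # empty when the path is the scope alone
            "code": int(m.group(3)),
        })
    return entries

def group_by_path(entries):
    """Map full path -> list of dropped commands, for side-by-side review."""
    grouped = defaultdict(list)
    for e in entries:
        key = e["scope"] + ("." + e["table"] if e["table"] else "")
        grouped[key].append(e["command"])
    return dict(grouped)

def needs_review(entries, watch_prefixes):
    """Entries whose table starts with a prefix the operator cares about."""
    return [e for e in entries if e["table"].startswith(tuple(watch_prefixes))]

if __name__ == "__main__":
    parsed = parse_config_errors(SAMPLE)
    for path, cmds in group_by_path(parsed).items():
        print(path, cmds)
    # Hypothetical watch list: TLS inspection profiles and user/group objects.
    for e in needs_review(parsed, ["firewall.ssl-ssh-profile", "user."]):
        print("REVIEW:", e["scope"], e["table"], "->", e["command"])
```
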

jnliu_FTNT

SMabille wrote:

FG-200D, no HA, no VDOM, upgraded from 5.4.5:

- FortiView / Cloud App:

      . Without FAZ: FortiView / Cloud app: httpsd crashes often and 100% reproducible when trying to dig YouTube

  

 

@SMabille,

This is a known Fortiview issue and will be fixed on FOS5.6.2.

 

Thanks for your test.

Jining

brycemd

Andy Bailey wrote:

 

The second issue is:-

 

Existing anti-virus profiles seem to have lost their "Suspicious Files Only" for "Send Files to FortiSandbox Cloud for Inspection". It looks like I need to recreate the AV profiles and update all the policies currently using the old profile.

 

Not sure why that would be?

 

I have however noticed my first file ever being sent to FortiSandbox Cloud- which I guess is positive?

 

Kind Regards,

 

 

Andy.

I believe that was removed earlier than this firmware. At least I don't have the option on 5.6.0, maybe a legacy policy would have. If the fortigate is sending files it already deems suspicious it kind of defeats the purpose of the sandbox. The sandbox is supposed to catch files the fortigate missed/didn't know about.

 

storaid

weird ipv6 command display:

 

FWF60D x2 FWF60C x3 FGT80C rev.2 FGT200B-POE FAP220B x3 FAP221B x2

FSW224B x1

emnoc
Esteemed Contributor III

My FWF60D crashed and needed a hard reboot. Very sad that it seems like every upgrade leads into bigger problems.

 

ken

 

 

PCNSE 

NSE 

StrongSwan  

Jzhang_FTNT

Thank you for your feedback. I can reproduce this issue on my device.

 

storaid wrote:

weird ipv6 command display:

 

andrewbailey

storaid wrote:

weird ipv6 command display:

I'm seeing exactly the same issue, also on a FG-60E. My IPv6 connectivity is completely broken on 5.6.1 now, but I've not diagnosed where the problem lies. Certainly "unset"ting the ip6-manage-flag and then resetting it to enable still gives the enable/disable weirdness.

I'm seriously thinking I may have to roll back to 5.6.0. Too many issues in a software version which should only really be fixing bugs.

Andy.

bommi

My IPv6 connectivity using a delegated prefix works on 5.6.1 with my FortiWifi 30E.

NSE 4/5/7

andrewbailey

bommi wrote:

My IPv6 connectivity using a delegated prefix works on 5.6.1 with my FortiWifi 30E.

Are you using stateless IPv6 config? I'm using a stateful config with DHCPv6 and I think the manage flag issue (mentioned earlier by myself and one other person) means the advertisements aren't working as expected.

In my config I can see connectivity is there from the Fortigate to other internal and external devices. However most of my devices aren't requesting IPv6 addresses, presumably because they aren't seeing the manage flag correctly? It did all work correctly under 5.6.0.

Kind Regards,

Andy.