Fortinet Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
storaid
Contributor

FortiOS v5.6.1 is released...!!

well...

after long time ago, now it's out...

FWF60D x2 FWF60C x3 FGT80C rev.2 FGT200B-POE FAP220B x3 FAP221B x2

FSW224B x1

6 Solutions
storaid
Contributor

annoying bug..

JSON string....=^=

FWF60D x2 FWF60C x3 FGT80C rev.2 FGT200B-POE FAP220B x3 FAP221B x2

FSW224B x1

View solution in original post

emnoc
Esteemed Contributor III

Other problems noted in 5.6

 

 

1: the  diag debug flow show console enable is missing as a option

 

2: still can NOT upload a  x509 certificate via GUI ( pkcs12  or  via pem cert+key )

 

3: a valid certificate self-sign  for admingui access does NOT work no matter how or what type of certificate that we try to craft standard, wildcard or SAN if we paste it in via the cli "config vpn certificate local "

 

More to come ;)

 

PCNSE 

NSE 

StrongSwan  

View solution in original post

emnoc
Esteemed Contributor III

Again my  FWF60D has hungs up.  We thought it crashed but come to find out the  HTTP process is hung.  Since this is a remote hosted FW, I'm downgrading ....Sorry but v5.6.1 is a no-go for me ;(

 

 

PCNSE 

NSE 

StrongSwan  

View solution in original post

storaid

inexplicable radius server test:

FWF60D x2 FWF60C x3 FGT80C rev.2 FGT200B-POE FAP220B x3 FAP221B x2

FSW224B x1

View solution in original post

pcraponi
Contributor II

Maybe it's a database migration? Have you tried to format log-disk?

Regards, Paulo Raponi

View solution in original post

thuynh_FTNT

keij wrote:

I can not see Local traffic (Fortigate's self traffic) in Foriview of ver5.6.1. In 5.2 were able to see the fortigate local traffic. Is it no longer visible in the 5.6 series?

Hi Keij, that is correct. We do not show local traffic in FortiView starting 5.6.0

View solution in original post

102 REPLIES 102
andrewbailey

bommi wrote:

The option to only send "suspicious files" has been removed in 5.4.x.

 

Regards

bommi

Ummm, well I have it 5.6.1

 

The default profile I have shows it as an option- but when I create a new profile I'm not getting that choice.

 

I guess perhaps my "default" might be a carry over from an older version of the software.......

 

 

bommi
gsarica

Hesitant to upgrade to 5.6.1 since the general consensus here so far seems to be every time they fix something, something else breaks and I'm inclined to agree with that.

 

5.6.0 broke our SSL-VPN connections, everyone disconnects after 5-10 minutes of RDP use. I had to flip all our remote users to an IPSec tunnel which seems to be stable for now. 5.6.1 promises to fix two issues that we've had for over a year now but who knows what else might break?

emnoc
Esteemed Contributor III

Can somebody test importing an existing certificate for  access the webgui admin ? If I do it from the webgui it fails every time, but if it's pasted in via set priv-key and certificate it's accepted.

 

 

After the certificate is set for admin-server-cert, both FF and Safari fails to load the  WebGUI login page.

 

Ken

 

PCNSE 

NSE 

StrongSwan  

Antonio_Milanese

Hi All,

 

@rojekj sslvpnd segfault does not seem to afflict 100D platform, tried with both Forticlient 5.4 and 5.6

 

HA sync status : we have already encountered this problem with 5.6 GA on 2 HA setups 100D,200D with dedicated HA ports.. i was hoping that it has been fixed in the 5.6.1 under bugid 414336 and 392677..too sad to know that it's still here!! @emnoc i can confirm that the certificate import GUI does not work (seams the same issue that was present IIRC in the earlies 5.x)..copy&paste to cli works and once assigned to admin all working here.. My 2cent conclusions..testing 5.6.1 it's another waste of time..too awfull release :\ Regards

SMabille

Hi,  

 

You definitely still can add it via CLI

>con antivirus profiles

>edit XXXX

>set ftgd-analytics suspicious

 

But even on 5.4.5 hasn't sent any file ever... but I discovered that heuristic is disabled by default, re-enabled it 24 hours ago, but no submission to fsbt cloud. 

 

 

 

Andy Bailey wrote:

brycemd wrote:

Andy Bailey wrote:

 

The second issue is:-

 

Existing anti-virus profiles seem to have lost their "Suspicious Files Only" for "Send Files to FortiSandbox Cloud for Inspection". It looks like I need to recreate the AV profiles and update all the policies currently using the old profile.

 

Not sure why that would be?

 

I have however noticed my first file ever being sent to FortiSandbox Cloud- which I guess is positive?

 

Kind Regards,

 

 

Andy.

I believe that was removed earlier than this firmware. At least I don't have the option on 5.6.0, maybe a legacy policy would have. If the fortigate is sending files it already deems suspicious it kind of defeats the purpose of the sandbox. The sandbox is supposed to catch files the fortigate missed/didn't know about.

 

Interesting! I hadn't spotted that being the case in 5.6.0? Certainly the new "default" AV Profile in 5.6.1 includes the "Suspicious Files Only" option. Has it been added back again perhaps? Kind Regards, Andy.

zeki893
New Contributor II

My FortiAP-223c running 5.6.0 stopped working with 5.6.1. It looks normal in Fortigate and when I connect to the SSID I still get an IP but I can't ping out or go out to the internet for anything. Nothing shows up in the Traffic logs either.  It was working before I updated.  [&:]

 

UPDATE: I downgraded to 5.6.0 and FortiAP works again. I guess I'll have to wait for 5.6.3

hop_FTNT

Hi zeki893,

 

Please provide following information so that we can further follow up: 1. What is the image version of FAP223C? 2. Use "show wireless-controller vap" to get the configuration of the vap interface which the client connected 3. Can your wifi client reach gateway?

 

zeki893 wrote:

My FortiAP-223c running 5.6.0 stopped working with 5.6.1. It looks normal in Fortigate and when I connect to the SSID I still get an IP but I can't ping out or go out to the internet for anything. Nothing shows up in the Traffic logs either.  It was working before I updated.  [&:]

 

UPDATE: I downgraded to 5.6.0 and FortiAP works again. I guess I'll have to wait for 5.6.3

thuynh_FTNT

>i can confirm that the certificate import GUI does not work (seams the same issue that was present IIRC in the earlies 5.x)..copy&paste to cli works and once assigned to admin all working here..

 

Hi Antonio and emnoc, importing local certificate via GUI should work as we tested it on 5.6.1 GA. However, the certificate will be rejected if it is missing some required fields to ensure best security practice. We will need to take a closer look at your case to find out what happened. >Can somebody test importing an existing certificate for  access the webgui admin ? If I do it from the webgui it fails every time, but if it's pasted in via set priv-key and certificate it's accepted.

What do you mean by "existing certificate"? ie. the certificate is already imported on the FGT and you are importing it again with the same name? In that case, GUI should return with duplicate error. Again, will need to take a look at each specific case.

emnoc
Esteemed Contributor III

What do you mean by "existing certificate"?

 

I should have said a previous signed-cert. It 's being used in a Fgt200D under 5.2.7  but if I import it via he  gui it fails. If I paste the priv-key and cert in via cli it works, BUT when I select it under  global cfg , FF IE Opera Chrome does not load.

 

 

 I should alsoadd, if I generate  CSR on  the appliance, and try to import the signed_back in, it also fails.

 

 

PCNSE 

NSE 

StrongSwan