Fortinet Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
storaid
Contributor

FortiOS v5.6.1 is released...!!

well...

after a long time, now it's out...

FWF60D x2 FWF60C x3 FGT80C rev.2 FGT200B-POE FAP220B x3 FAP221B x2

FSW224B x1

6 Solutions
storaid
Contributor

annoying bug..

JSON string....=^=

FWF60D x2 FWF60C x3 FGT80C rev.2 FGT200B-POE FAP220B x3 FAP221B x2

FSW224B x1


emnoc
Esteemed Contributor III

Other problems noted in 5.6

1: the diag debug flow show console enable is missing as an option

2: still can NOT upload an x509 certificate via GUI (pkcs12 or via pem cert+key)

3: a valid self-signed certificate for admin GUI access does NOT work, no matter how or what type of certificate we try to craft (standard, wildcard or SAN), if we paste it in via the CLI "config vpn certificate local"

More to come ;)

PCNSE 

NSE 

StrongSwan  


emnoc
Esteemed Contributor III

Again my FWF60D has hung up. We thought it crashed but come to find out the HTTP process is hung. Since this is a remote hosted FW, I'm downgrading.... Sorry but v5.6.1 is a no-go for me ;(

PCNSE 

NSE 

StrongSwan  


storaid

inexplicable radius server test:

FWF60D x2 FWF60C x3 FGT80C rev.2 FGT200B-POE FAP220B x3 FAP221B x2

FSW224B x1


pcraponi
Contributor II

Maybe it's a database migration? Have you tried to format log-disk?

Regards, Paulo Raponi


thuynh_FTNT

keij wrote:

I cannot see Local traffic (FortiGate's self traffic) in FortiView of ver 5.6.1. In 5.2 we were able to see the FortiGate local traffic. Is it no longer visible in the 5.6 series?

Hi Keij, that is correct. We do not show local traffic in FortiView starting 5.6.0


102 Replies
storaid

has anyone tried to import a PFX certificate???..

importing pfx certificate always does not work for me....

FWF60D x2 FWF60C x3 FGT80C rev.2 FGT200B-POE FAP220B x3 FAP221B x2

FSW224B x1

Jzhang_FTNT

1. diag debug flow show console enable

This option was deprecated. No need to enable it during debug flow any more

 

emnoc wrote:

Other problems noted in 5.6

1: the diag debug flow show console enable is missing as an option

2: still can NOT upload an x509 certificate via GUI (pkcs12 or via pem cert+key)

3: a valid self-signed certificate for admin GUI access does NOT work, no matter how or what type of certificate we try to craft (standard, wildcard or SAN), if we paste it in via the CLI "config vpn certificate local"

More to come ;)

thuynh_FTNT

>disabling all utm features by Feature Visibility menu may experience this problem...

Hi storaid, thank you for reporting the issue. We have opened an internal ticket to track (0443647). A workaround is to enable Application Control visibility in Feature Visibility, which should allow the page to show the fields properly. We will fix it for 5.6.2

thuynh_FTNT

Hi Rojekj and Antonio, thank you for reporting the issue with SSL VPN. This is a known issue and should have been included in 5.6.1 release note (internal ticket 0442808). We already have a fix for it and we will update the release note shortly. Sorry for the miscommunication.

rojekj
New Contributor III

thuynh wrote:

Hi Rojekj and Antonio, thank you for reporting the issue with SSL VPN. This is a known issue and should have been included in 5.6.1 release note (internal ticket 0442808). We already have a fix for it and we will update the release note shortly. Sorry for the miscommunication.

May I ask when You plan to release this fix? I'm going to be killed by my clients at the end of next week, unless I fix their VPN. And You are the only ones who can prevent this and save my poor life.

Updating release notes should happen, but does not resolve our issue.

You must understand that a crashing sslvpn daemon is a very serious bug that should be fixed in the first place, and in my opinion the release of the new firmware that fixes this should occur immediately, not waiting for other fixes.

bommi
Contributor III

What was your reason for not staying with 5.4.5?

NSE 4/5/7

rojekj
New Contributor III

5.6.0 was released before 5.4.5 and it fixed some bugs. Most desired function for me was the domain (ldap) password change via web portal/forticlient, which was not working for 2FA users.

Antonio_Milanese

Hi All, @thuynh_FTNT

I did a new quick test: the original certificate was a wildcard + wildcard SAN signed by a Windows 2012 R2 Ent CA:

I'm unable to import p12/pfx from GUI even if I convert it using openssl/XCA

generating a new cert using openssl/XCA works (without CDP, CRL)

maybe it's something related to custom OIDs/CDP/CRL inserted by Windows CA

Regards

openssl cert config (working)

```
oid_section = xca_oids

[ xca_oids ]
dom = 1.3.6.1.4.1.311.20.2
MsCaV = 1.3.6.1.4.1.311.21.1
msEFSFR = 1.3.6.1.4.1.311.10.3.4.1
iKEIntermediate = 1.3.6.1.5.5.8.2.2
nameDistinguisher = 0.2.262.1.10.7.20
id-kp-eapOverPPP = 1.3.6.1.5.5.7.3.13
id-kp-eapOverLAN = 1.3.6.1.5.5.7.3.14
id-pkkdcekuoid = 1.3.6.1.5.2.3.5

[ req ]
default_bits = 1024
default_keyfile = privkey.pem
distinguished_name = xca_dn
x509_extensions = xca_extensions
req_extensions = xca_extensions
string_mask = MASK:0x2002
utf8 = yes
prompt = no

[ xca_dn ]
0.C=IT
1.ST=MI
2.L=MI
3.O=ICT
4.OU=OCP Org
5.CN=*.xdomain.local
6.emailAddress=sysadmin@xdomain.local

[ xca_extensions ]
nsCertType=server
subjectAltName=DNS:*.xxxxxx.com
keyUsage=digitalSignature, nonRepudiation, keyEncipherment
subjectKeyIdentifier=hash
basicConstraints=critical,CA:FALSE
```

like Windows 2012 R2 cert (XCA imported, not working):

```
oid_section = xca_oids

[ xca_oids ]
dom = 1.3.6.1.4.1.311.20.2
MsCaV = 1.3.6.1.4.1.311.21.1
msEFSFR = 1.3.6.1.4.1.311.10.3.4.1
iKEIntermediate = 1.3.6.1.5.5.8.2.2
nameDistinguisher = 0.2.262.1.10.7.20
id-kp-eapOverPPP = 1.3.6.1.5.5.7.3.13
id-kp-eapOverLAN = 1.3.6.1.5.5.7.3.14
id-pkkdcekuoid = 1.3.6.1.5.2.3.5

[ req ]
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = xca_dn
x509_extensions = xca_extensions
req_extensions = xca_extensions
string_mask = MASK:0x2002
utf8 = yes
prompt = no

[ xca_dn ]
0.CN=*.xdomain.local

[ xca_extensions ]
authorityInfoAccess=@authorityInfoAccess_sect
crlDistributionPoints=crlDistributionPoint0_sect
authorityKeyIdentifier=keyid
subjectAltName=DNS:*.xdomain.local, DNS:*.XXXXXX.com
subjectKeyIdentifier=hash
extendedKeyUsage=serverAuth
keyUsage=critical,digitalSignature, keyEncipherment
1.3.6.1.4.1.311.21.10=DER:30:0c:30:0a:06:08:2b:06:01:05:05:07:03:01
1.3.6.1.4.1.311.21.7=DER:30:2f:06:27:2b:06:01:04:01:82:37:15:08:81:bd:cc:71:86:96:82:07:87:a1:89:17:81:85:88:17:85:83:a5:06:81:51:87:8e:e3:2e:87:d2:82:64:02:01:66:02:01:04

[crlDistributionPoint0_sect]
fullname=@crlDistributionPoint0_sect_fullname_sect

[crlDistributionPoint0_sect_fullname_sect]
URI.0=ldap:///CN=VM-SUBCA-XXXXX,CN=VM-SUBCA-XXXXX,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=xdomain,DC=local?certificateRevocationList?base?objectClass=cRLDistributionPoint

[authorityInfoAccess_sect]
caIssuers;URI.0=ldap:///CN=VM-SUBCA-XXXXX,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=xdomain,DC=local?cACertificate?base?objectClass=certificationAuthority
```
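Added example, not part of the post above or of any Fortinet tooling: a small Python parser for the two XCA/OpenSSL config exports that lists which extensions appear only in the failing Windows CA certificate, giving a candidate list for narrowing down the import failure. The embedded inputs are the `[ xca_extensions ]` sections from the post with the DER payloads omitted; the function names and the readable labels for the two Microsoft OIDs are assumptions of this example.

```python
MS_OIDS = {  # labels added here for the two Microsoft AD CS extension OIDs
    "1.3.6.1.4.1.311.21.7": "Microsoft Certificate Template",
    "1.3.6.1.4.1.311.21.10": "Microsoft Application Policies",
}
# Abridged from the post: extension sections only, DER payloads omitted.
WORKING = """
[ xca_extensions ]
nsCertType=server
subjectAltName=DNS:*.xxxxxx.com
keyUsage=digitalSignature, nonRepudiation, keyEncipherment
subjectKeyIdentifier=hash
basicConstraints=critical,CA:FALSE
"""
FAILING = """
[ xca_extensions ]
authorityInfoAccess=@authorityInfoAccess_sect
crlDistributionPoints=crlDistributionPoint0_sect
authorityKeyIdentifier=keyid
subjectAltName=DNS:*.xdomain.local, DNS:*.XXXXXX.com
subjectKeyIdentifier=hash
extendedKeyUsage=serverAuth
keyUsage=critical,digitalSignature, keyEncipherment
1.3.6.1.4.1.311.21.10=DER:(omitted)
1.3.6.1.4.1.311.21.7=DER:(omitted)
[crlDistributionPoint0_sect]
fullname=@crlDistributionPoint0_sect_fullname_sect
"""

def parse_sections(text):
    """Return {section: {key: value}}; keys before any header go to 'default'."""
    sections, current = {"default": {}}, "default"
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections

def diff_extensions(working, failing, section="xca_extensions"):
    """List extensions unique to each certificate and those whose values differ."""
    ok, bad = (parse_sections(t).get(section, {}) for t in (working, failing))
    name = lambda k: f"{k} ({MS_OIDS[k]})" if k in MS_OIDS else k
    return {"only_failing": sorted(name(k) for k in bad.keys() - ok.keys()),
            "only_working": sorted(name(k) for k in ok.keys() - bad.keys()),
            "changed": sorted(k for k in ok.keys() & bad.keys() if ok[k] != bad[k])}

if __name__ == "__main__":
    print(diff_extensions(WORKING, FAILING))
```

The `only_failing` entries are the extensions the Windows CA added that the working XCA-generated certificate lacks.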