Fortinet Forum
storaid
Contributor

FortiOS v5.6.1 is released...!!

well...

after a long time, now it's out...

FWF60D x2 FWF60C x3 FGT80C rev.2 FGT200B-POE FAP220B x3 FAP221B x2

FSW224B x1

storaid
Contributor

annoying bug..

JSON string....=^=

FWF60D x2 FWF60C x3 FGT80C rev.2 FGT200B-POE FAP220B x3 FAP221B x2

FSW224B x1


emnoc
Esteemed Contributor III

Other problems noted in 5.6

1: the diag debug flow show console enable is missing as an option

2: still can NOT upload a x509 certificate via GUI (pkcs12 or via pem cert+key)

3: a valid self-signed certificate for admin GUI access does NOT work no matter how or what type of certificate we try to craft (standard, wildcard or SAN) if we paste it in via the CLI "config vpn certificate local"

More to come ;)

 

PCNSE 

NSE 

StrongSwan  


emnoc
Esteemed Contributor III

Again my FWF60D has hung up. We thought it crashed but come to find out the HTTP process is hung. Since this is a remotely hosted FW, I'm downgrading... Sorry but v5.6.1 is a no-go for me ;(

PCNSE 

NSE 

StrongSwan  


storaid

inexplicable radius server test:

FWF60D x2 FWF60C x3 FGT80C rev.2 FGT200B-POE FAP220B x3 FAP221B x2

FSW224B x1


pcraponi
Contributor II

Maybe it's a database migration? Have you tried to format log-disk?

Regards, Paulo Raponi


thuynh_FTNT

keij wrote:

I cannot see local traffic (FortiGate's self traffic) in FortiView in v5.6.1. In 5.2 we were able to see the FortiGate local traffic. Is it no longer visible in the 5.6 series?

Hi Keij, that is correct. We do not show local traffic in FortiView starting with 5.6.0


thuynh_FTNT

Thanks emnoc and Antonio, we've created an internal ticket to track this issue (0443713). However, we'll need the actual p12/pfx cert to debug further (include the password if it's protected). Can you create a CSS ticket (if you haven't already) and provide the file there? You can use a dummy cert which is similar to the one you have the issue with. The CSS ticket can use the above bug number as a reference.

emnoc
Esteemed Contributor III

thuynh wrote:

Thanks emnoc and Antonio, we've created an internal ticket to track this issue (0443713). However, we'll need the actual p12/pfx cert to debug further (include the password if it's protected). Can you create a CSS ticket (if you haven't already) and provide the file there? You can use a dummy cert which is similar to the one you have the issue with. The CSS ticket can use the above bug number as a reference.

I'm trying to get a case open but first our FGT100D, on downgrading back down to 5.4.x, seems to not take the new image and format of the disk, and tftp seems to not work.

So as support fixes that issue, I can open a ticket on the cert import. The pfx bundle btw imported fine on other FGT appliances running 5.4.3, 5.4.5 and 5.2.11, so it's not the pfx bundle that's the issue.

Support can easily craft a self-signed cert and try to import the pfx bundle. Also if we take a CSR generated on the FGT appliance and sign the certificate, the import of just the certificate fails. We have our own Entrust Intermediate CA and I tried a CAcert signed certificate also.


PCNSE 

NSE 

StrongSwan  

thuynh_FTNT

emnoc wrote:

thuynh wrote:

Thanks emnoc and Antonio, we've created an internal ticket to track this issue (0443713). However, we'll need the actual p12/pfx cert to debug further (include the password if it's protected). Can you create a CSS ticket (if you haven't already) and provide the file there? You can use a dummy cert which is similar to the one you have the issue with. The CSS ticket can use the above bug number as a reference.

I'm trying to get a case open but first our FGT100D, on downgrading back down to 5.4.x, seems to not take the new image and format of the disk, and tftp seems to not work.

So as support fixes that issue, I can open a ticket on the cert import. The pfx bundle btw imported fine on other FGT appliances running 5.4.3, 5.4.5 and 5.2.11, so it's not the pfx bundle that's the issue.

Support can easily craft a self-signed cert and try to import the pfx bundle. Also if we take a CSR generated on the FGT appliance and sign the certificate, the import of just the certificate fails. We have our own Entrust Intermediate CA and I tried a CAcert signed certificate also.

Thanks emnoc, we added some restrictions in 5.6.1 to reject unsecured/invalid certs but I'm not sure if it's related. We'll be able to tell once we have the certs.

emnoc
Esteemed Contributor III

Thanks

We've tried numerous certificates std/SANs/self-signed/etc.... my ticket on getting my FG100D back up so I can reflash it is tkt.id 2308481.

Once I get that back, I will make a re-attempt and upload all related information in a new case.

Thanks

 

PCNSE 

NSE 

StrongSwan  

emnoc
Esteemed Contributor III

One more thing that I just found, the cli cmd diag sys checkused is not a valid command anymore.

PCNSE 

NSE 

StrongSwan  

Jordan_Thompson_FTNT

emnoc wrote:

One more thing that I just found, the cli cmd diag sys checkused is not a valid command anymore.

As of FortiOS 5.6, the command is now "diagnose sys cmdb refcnt"

thuynh_FTNT

rojekj wrote:

thuynh wrote:

Hi Rojekj and Antonio, thank you for reporting the issue with SSL VPN. This is a known issue and should have been included in 5.6.1 release note (internal ticket 0442808). We already have a fix for it and we will update the release note shortly. Sorry for the miscommunication.

May I ask when You plan to release this fix? I'm going to be killed by my clients at the end of next week, unless I fix their VPN. And You are the only ones who can prevent this and save my poor life.

Updating release notes should happen, but does not resolve our issue.

You must understand that a crashing sslvpn daemon is a very serious bug, that should be fixed in the first place, and in my opinion the release of the new firmware that fixes this should occur immediately, not waiting for other fixes.

Thanks rojekj, we do understand this issue is a show stopper for SSLVPN users. We are actively reviewing it and will get back to you as soon as we can. 

SMabille

Hi Rojekj, If your customer is running D or older, revert/install 5.4.5 or 5.2.11. If your customer is running an E series and 5.6.0 was working OK, revert to 5.6.0. Otherwise if it has a support contract (which they must have on a production box), open a P1 with support and escalate as necessary if you don't have an acceptable response. Just my 2 cents...

rojekj wrote:

thuynh wrote:

Hi Rojekj and Antonio, thank you for reporting the issue with SSL VPN. This is a known issue and should have been included in 5.6.1 release note (internal ticket 0442808). We already have a fix for it and we will update the release note shortly. Sorry for the miscommunication.

May I ask when You plan to release this fix? I'm going to be killed by my clients at the end of next week, unless I fix their VPN. And You are the only ones who can prevent this and save my poor life. Updating release notes should happen, but does not resolve our issue. You must understand that a crashing sslvpn daemon is a very serious bug, that should be fixed in the first place, and in my opinion the release of the new firmware that fixes this should occur immediately, not waiting for other fixes.
Jzhang_FTNT

Hi Rojekj,

The sslvpn daemon crash is a known issue. It happens when a tunnel mode SSL VPN user logs out.

Thanks

Johnson

 

keij
New Contributor

I cannot see local traffic (FortiGate's self traffic) in FortiView in v5.6.1. In 5.2 we were able to see the FortiGate local traffic. Is it no longer visible in the 5.6 series?