Fortinet Forum
storaid
Contributor

FortiOS v5.6.1 is released...!!

well...

After a long time, now it's out...

FWF60D x2 FWF60C x3 FGT80C rev.2 FGT200B-POE FAP220B x3 FAP221B x2

FSW224B x1

6 Solutions
storaid
Contributor

annoying bug..

JSON string....=^=

FWF60D x2 FWF60C x3 FGT80C rev.2 FGT200B-POE FAP220B x3 FAP221B x2

FSW224B x1


emnoc
Esteemed Contributor III

Other problems noted in 5.6

1: the diag debug flow show console enable is missing as an option

2: still can NOT upload an x509 certificate via GUI (pkcs12 or via pem cert+key)

3: a valid self-signed certificate for admingui access does NOT work, no matter how or what type of certificate we try to craft (standard, wildcard or SAN), if we paste it in via the cli "config vpn certificate local"

More to come ;)

PCNSE

NSE

StrongSwan

emnoc
Esteemed Contributor III

Again my FWF60D has hung up. We thought it crashed but come to find out the HTTP process is hung. Since this is a remote hosted FW, I'm downgrading... Sorry but v5.6.1 is a no-go for me ;(

PCNSE

NSE

StrongSwan

storaid

inexplicable radius server test:

FWF60D x2 FWF60C x3 FGT80C rev.2 FGT200B-POE FAP220B x3 FAP221B x2

FSW224B x1


pcraponi
Contributor II

Maybe it's a database migration? Have you tried to format log-disk?

Regards, Paulo Raponi


thuynh_FTNT

keij wrote:

I can not see Local traffic (Fortigate's self traffic) in FortiView of ver5.6.1. In 5.2 we were able to see the fortigate local traffic. Is it no longer visible in the 5.6 series?

Hi Keij, that is correct. We do not show local traffic in FortiView starting 5.6.0

102 Replies
Yongzhang_FTNT

Vanessa6 wrote:

Hey guys,

We are running FortiOS 5.6.1 on a 200D-Cluster (active/standby). Since the upgrade we are experiencing some serious problems with WiFi and cluster synchronisation.

WiFi with radius-authentication doesn't work correctly anymore. It seems that our apple devices (iPhone and mac) are affected much more than android-devices and windows-clients. Some clients can't connect to the WiFi (although authentication on radius server is successful. After switching the iPhone off and on in the morning, it is working for the rest of the day.) Others do have a lot of connection loss and some don't have any problems at all.

As a temporary workaround I set up a second WiFi with PSK authentication which is working for all devices.

The second problem with ha synchronization is very annoying. Randomly after configuration changes the slave can't sync with the master anymore. About every minute it logs 'in-sync' and 'out-of-sync'. Sometimes I can fix it via cli command 'execute ha sync stop/start'; the other time the slave needs a reboot to be able to sync again.

Unfortunately 'diag sys ha checksum' and 'diag sys ha hadiff' don't show anything (but I can see on the gui that both checksums differ).

With FortiOS 5.4.5 everything was working fine.

Anyone here with ideas how to fix the WiFi and especially the cluster problems? I guess upgrading to 5.6.2 won't help because according to the release notes they just fixed 3 (!) bugs...and none of these on wifi or cluster setup...

Thanks for your time and help

Vanessa

Hi Vanessa,

We will wait for your ticket and if possible, can you attach your configuration to the ticket and we will use it to reproduce the problem on our side.

Regards,

Yong

Antonio_Milanese

Hi Vanessa,

Vanessa6 wrote:

The second problem with ha synchronization is very annoying. Randomly after configuration changes the slave can't sync with the master anymore. About every minute it logs 'in-sync' and 'out-of-sync'. Sometimes I can fix it via cli command 'execute ha sync stop/start'; the other time the slave needs a reboot to be able to sync again.

Unfortunately 'diag sys ha checksum' and 'diag sys ha hadiff' don't show anything (but I can see on the gui that both checksums differ).

Same problem with two 100D/200D A-A clusters (no vdoms) since the customers upgraded to 5.6.0 GA;

randomly the cluster goes out-of-sync on the gui, and from the cli diag sys ha checksum cluster shows differences on root/all checksum:

it's driving me crazy since:

- it's random: sometimes after a config change, sometimes after fortiguard updates

- diag sys ha checksum show global/root == identical

issuing a diag sys ha checksum recalculate on the subsidiary unit immediately fixes the checksum problem on cli and sometime later (?!) on gui; since that recalc the cluster seems to stay in-sync for some random days!

Upgraded to 5.6.2 but same (apparently less frequent) problem.

I'm unable to spot any error from hatalk and hasync so maybe it's time to open a ticket as per Yong's suggestion.

Regards,

Antonio

 

Vanessa6

Thank you guys!

Ok, I'm going to open a ticket and will let you know about it.

Kind regards,

Vanessa

andrewbailey

Interesting! I hadn't spotted that being the case in 5.6.0?

Certainly the new "default" AV Profile in 5.6.1 includes the "Suspicious Files Only" option. Has it been added back again perhaps?

Kind Regards,

Andy.

andrewbailey

brycemd wrote:

Andy Bailey wrote:

 

The second issue is:-

Existing anti-virus profiles seem to have lost their "Suspicious Files Only" for "Send Files to FortiSandbox Cloud for Inspection". It looks like I need to recreate the AV profiles and update all the policies currently using the old profile.

Not sure why that would be?

I have however noticed my first file ever being sent to FortiSandbox Cloud- which I guess is positive?

Kind Regards,

Andy.

I believe that was removed earlier than this firmware. At least I don't have the option on 5.6.0, maybe a legacy policy would have. If the fortigate is sending files it already deems suspicious it kind of defeats the purpose of the sandbox. The sandbox is supposed to catch files the fortigate missed/didn't know about.

 

Interesting! I hadn't spotted that being the case in 5.6.0?

Certainly the new "default" AV Profile in 5.6.1 includes the "Suspicious Files Only" option. Has it been added back again perhaps?

Kind Regards,

Andy.

brycemd

Hm, I'm not sure then. On my 60E on both 5.6.0 and now 5.6.1 the only options I have are 'None' or 'All Supported Files'

bommi

The option to only send "suspicious files" has been removed in 5.4.x.

Regards

bommi

NSE 4/5/7

Antonio_Milanese

Hi All, segfault 11 on sslvpnd even here with a 50E and 51E.. I'll try a spare 100D tomorrow but this build has some really serious QA issues! I'm really disappointed with the course of things.. every new release seems to include a step forward and two backwards with big regression on basic features! Regards

rojekj

Antonio Milanese wrote:

Hi All, segfault 11 on sslvpnd even here with a 50E and 51E.. I'll try a spare 100D tomorrow but this build has some really serious QA issues! I'm really disappointed with the course of things.. every new release seems to include a step forward and two backwards with big regression on basic features! Regards

Please let us know if segfaults will be present on 100D. Now we know for sure that 200D, 50E and 51E do have this issue...

storaid

ssl-vpn policy with windows-pc identification added is not working fine for registered forticlient ssl-vpn windows user...

I have opened a ticket to ask tech support about this problem...

FWF60D x2 FWF60C x3 FGT80C rev.2 FGT200B-POE FAP220B x3 FAP221B x2

FSW224B x1