Fortinet Forum
mjcrevier

If you're having connectivity issues, check if DoS sensor is enabled. If so, disable it completely. That should resolve the issue you're seeing.

Toshi_Esumi
Esteemed Contributor II

I had a conversation with an FTNT SE today about 6.2.4 problems. The major issues seem to boil down to the three issues below:

1. DoS policy issue: It's still a known issue with 6.2.4 and not resolved, which is in the release notes.

2. IPS engine keeps crashing. A new engine is planned to be released soon. Then this would be resolved.

3. WAD memory leak issue is still not 100% resolved.

6.2.5 will fix these issues and come out relatively shortly, although he couldn't tell me any target date. He recommended waiting for 6.2.5. But likely 6.0.10 comes out before 6.2.5.

By the way, FMG/FAZ 6.2.4 was to just fix vulnerabilities. They wanted to release it ASAP without waiting for bug fixes. Then 6.2.5 came out right after that with bug fixes. It was just coincidental they came out one after another.

Kevin_Shanus

My issue was that I upgraded a 200E to 6.2.4, an 80E to 6.2.4 and FAZ to 6.2.5.

6.2.4 has a DoS issue which breaks VIPs.

6.2.X changes SSL Inspection w/ SSH, which broke DUO 2FA for me. The fix was easy (I had to exclude a URL from inspection), but it took a bit to track down.

FAZ 6.2.5 had to have some reliability feature turned off to work with <100E FortiGates.

I also patched about 45 windows servers the same weekend. #neveragain

darwin_FTNT

Could be due to mantis 0635589: "When running FortiOS 6.2.4 DoS policies may incorrectly drop traffic that has a destination to the FortiGate"

It is due to a big new feature merged to support the new fgt-F platforms. Unfortunately, some platform-specific code was incorrectly merged. Packets are dropped after DoS policy memory is not allocated. This can be verified with 'diag debug flow' commands.

The workaround is disabling the DoS policy. Please contact TAC / support for more details, fix schedule or custom firmware. Thanks.

poundy

darwin wrote:

Could be ...

That at least answers part of my question :) Thanks for coming in on this.

Kevin_Shanus

Hi @Kevin Shanus

Can you give more specifics about the FAZ feature that needed to be turned off?

Robby

Second this request. Having a fit ATM trying to track down why logs from a pair of 61Es and a 60F running 6.2.4 sending logs to a FAZ running 6.2.5 are not showing up.

Sorry for the delay - here is an excerpt from the ticket I opened (Ticket Number: 4056965):

4. Further checked and found it is a known issue with bug ID 635070, and all models less than the 100 series are affected.

5. As a workaround we disable reliable so that the connection can be established for logging.

6. After disabling reliable, we could find that logs are coming.
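The two workarounds discussed in this thread (darwin_FTNT's "disable DoS policy" for mantis 0635589 and the "disable reliable" logging workaround for bug 635070 from the ticket above), written out as FortiOS CLI. This is an added example, not text from any poster or from Fortinet; the interface address 192.0.2.1, the DoS policy ID 1 and the trace count are placeholders, and the commands are the generic 6.x CLI rather than anything verified against these specific builds.

```text
# 1. Confirm the symptom before changing config (darwin_FTNT: "Can verify by
#    'diag debug flow' commands"). Trace traffic whose destination is one of the
#    FortiGate's own interface addresses; 192.0.2.1 is a constructed placeholder.
diagnose debug reset
diagnose debug flow filter addr 192.0.2.1
diagnose debug flow show function-name enable
diagnose debug console timestamp enable
diagnose debug flow trace start 20
diagnose debug enable
# ... reproduce the failing VIP / VPN / admin connection, then stop the trace:
diagnose debug disable
diagnose debug reset

# 2. Workaround for mantis 0635589: disable each DoS policy instead of deleting it,
#    so it can be re-enabled once a fixed build (6.2.5 / custom firmware) is installed.
#    Policy ID 1 is a placeholder; repeat for every ID listed by "show firewall DoS-policy".
config firewall DoS-policy
    edit 1
        set status disable
    next
end

# 3. Workaround for bug 635070 (FAZ 6.2.5 with sub-100-series FortiGates):
#    fall back from reliable (OFTP over TCP) log transport to the default transport.
config log fortianalyzer setting
    set reliable disable
end
```

Re-enable both settings after upgrading past the affected releases, since a disabled DoS policy removes that protection and non-reliable logging can silently drop log records.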

Kevin_Shanus

I was told the ETA for 6.2.5 is July 28th, we'll see.

MikePruett

Kevin Shanus wrote:

I was told the ETA for 6.2.5 is July 28th, we'll see.

The fact that 6.2.4 caused so many problems and the fix is that far away is saddening.

rpedrica

toshiesumi wrote:

I had a conversation with an FTNT SE today about 6.2.4 problems. The major issues seem to boil down to the three issues below:

1. DoS policy issue: It's still a known issue with 6.2.4 and not resolved, which is in the release notes.

2. IPS engine keeps crashing. A new engine is planned to be released soon. Then this would be resolved.

3. WAD memory leak issue is still not 100% resolved.

6.2.5 will fix these issues and come out relatively shortly, although he couldn't tell me any target date. He recommended waiting for 6.2.5. But likely 6.0.10 comes out before 6.2.5.

By the way, FMG/FAZ 6.2.4 was to just fix vulnerabilities. They wanted to release it ASAP without waiting for bug fixes. Then 6.2.5 came out right after that with bug fixes. It was just coincidental they came out one after another.

Thanks for the feedback @toshiesumi.

From my side, and apart from the Wi-Fi radio icons that are now grey (confused me initially as I thought the radios were inactive), everything seems good in testing on a bunch of 60Es and 50Es. I'm not using the DoS sensor on those devices, so no VIP issues. Memory utilisation is looking very good compared to 6.2.2. I also don't seem to have issues with WAD or the IPS engine, but I haven't been looking that closely.

So far so good on 6.2.4 ...

visk
New Contributor III

Hi,

After disabling the DoS policy on an FG-60F I have had 2 days without issues. Before, with the DoS policy, problems appeared after a few hours (VIP, VPN, etc.).

tanr
Valued Contributor II

@Toshi, from your talk with FTNT SE, did it sound like they were on track to fix the WAD memory leak before releasing 6.2.5? 

Toshi_Esumi
Esteemed Contributor II

@tanr, it sounded like they intended to clean up those major issues before releasing 6.2.5, including the WAD memory leak issue. We need to wait and see how it turns out.

Toshi_Esumi
Esteemed Contributor II

Just FYI: I just heard news that the current target release date for 6.2.5 falls into the week starting the 17th of August. The same source told me they fixed a total of 5 WAD memory leak/crash issues.