Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
storaid
Contributor

NOW! FortiOS v5.2.5...

build701

Appeared in the download portal....

but [size="5"]no enhancements?????[/size]

 

FWF60D x2 FWF60C x3 FGT80C rev.2 FGT200B-POE FAP220B x3 FAP221B x2

FSW224B x1

FWF60D x2 FWF60C x3 FGT80C rev.2 FGT200B-POE FAP220B x3 FAP221B x2 FSW224B x1
2 Solutions
ede_pfau
Esteemed Contributor III

Jeez....

 

no enhancements! Fortinet finally keeps it's promise and just fixes things. Lo and behold. Keep up the good work, give us a rock solid v5.2 and put all the fancy new stuff into v5.4.

 

just my 2ct


Ede

"Kernel panic: Aiee, killing interrupt handler!"

View solution in original post

Ede"Kernel panic: Aiee, killing interrupt handler!"
HA
Contributor

Hello,

 

Problems occurs with SSL Inspection on 5.2.5. If you use SSL Inspection, it's better to run 5.2.3 (stable).

 

Regards,

 

HA

 

View solution in original post

69 REPLIES 69
emnoc
Esteemed Contributor III

I bet you have SSL inspection enabled. Did you open a ticket for TAC?

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
romanr
Valued Contributor

Hey,

 

as a nice happy new years present one of our customers had a total blackout of a 300D cluster on new years day. only after a couple of days uptime with 5.2.5. This installation was working properly with 5.2.4 - so lets see.

 

TAC is working on that case - I will update, if there is any thing of interest.

 

Br

Bono
New Contributor

emnoc wrote:

I bet you have SSL inspection enabled. Did you open a ticket for TAC?

 

Yes I had SSL inspection enabled but I don't think this blackout was because of that.

I haven't opened ticket yet because last two tickets support couldn't resolve, but I will try again with support.

HA
Contributor

Hello all,

 

Be careful with 5.2.5.

We face two major issues with it

Application crash (proxyworker process) occurs.

SSL Inspection exclusion (based on domain name or IP) does not work anymore !

 

Here's the feedback from the support.

I have done some researching and this is a known issue, for the moment no fix, but I would like you to try this workaround and let me know if the unit stabilizes:  config firewall ssl-ssh-profile  edit "SSL-INSPECTION"  config ssl  set inspect-all disable

 

Regards,

 

HA 

x_member

HA wrote:

Hello all,

 

Be careful with 5.2.5.

We face two major issues with it

Application crash (proxyworker process) occurs.

SSL Inspection exclusion (based on domain name or IP) does not work anymore !

 

Here's the feedback from the support.

I have done some researching and this is a known issue, for the moment no fix, but I would like you to try this workaround and let me know if the unit stabilizes:  config firewall ssl-ssh-profile  edit "SSL-INSPECTION"  config ssl  set inspect-all disable

 

Regards,

 

HA 

I've been trying to establish whether we have a similar issue with SSL Inspection exclusion on our test 60D which has 5.2.5 loaded. Can I ask whether you were able to confirm this in the CLI, as I seem to be able to access our inspection-excluded sites from within the test network without the issues that lead us to exclude them.

I seem to recall that on 5.2.3 you could debug ssl inspection using 

diagnose debug application ssl -1

however if I try to that on 5.2.5 it sets the SSLVPN to debug.

 

# diagnose debug reset
# diagnose debug application ssl -1
# diagnose debug info
debug output: enable
console timestamp: enable
console no user log message: disable
sslvpn debug level: -1 (0xffffffff)
CLI debug level: 3

 

We are currently trying to schedule in moving our live 60d from 5.2.3 to 5.2.5 - if SSL Inspection exclusions aren't working then we need to hold fire, so any hints would be really helpful.

 

HA

Hello,

 

You can try with the command diag test app sslworker.

By the way, it seems that we face this issue only with Fortigate 100D (3 customers). With 240D, no issue... 

I didn't test the workaround. I just rolled back to 5.2.3...

 

Regards,

 

HA

x_member

HA wrote:

Hello,

 

You can try with the command diag test app sslworker.

By the way, it seems that we face this issue only with Fortigate 100D (3 customers). With 240D, no issue... 

I didn't test the workaround. I just rolled back to 5.2.3...

 

Regards,

 

HA

Thanks for the response.

 

I've had no luck with the diag test app sslworker on the 60D but was able to test by removing one of the excluded sites and checking the displayed certificate in the client browser.

 

Looks like the 60D is unaffected so we should be good to rollout.

bartman10

Bono wrote:

tony8304 wrote:

Hi All,

about the GUI access issue in 5.2.4, is this still exist in 5.2.5?

 

Thanks 

Tony

If you are talking about System tab which disappears, bug is still here.

 

AHAHAHAHAHHHHH!!! FIX THIS!!!!!!

300E x3, 200D, 140D, 94D, 90D x2, 80D, 40C, handful of 60E's.. starting to loose track.

Over 100 WiFi AP's and growing.

FAZ-200D

FAC-VM 2 node cluster

Friends don't let friends FWF!

300E x3, 200D, 140D, 94D, 90D x2, 80D, 40C, handful of 60E's.. starting to loose track. Over 100 WiFi AP's and growing. FAZ-200D FAC-VM 2 node cluster Friends don't let friends FWF!
IAC
New Contributor

We upgraded our 2 FG500D (3000k users, 200Mbps Internet traffic, HA A-P, IPS, AV, Web Filtering, Application Control, SSL/SSH inspection) last week from 5.2.3 to 5.2.5. Configuration file did not change. Just after the upgrade we noticed http/http traffic problems (from and to Internet) related to SSH/SSL inspection feature.

 

To get the http/https traffic back, we had first to activate SSH/SSL inspection in the policies affected (no SSH/SSL inspection activated before the upgrade). With other policies this workaround did not work. In the end we had to avoid any IPS, AV, Application control, SSH/SSL inspection configuration. Web Filtering was fine.

 

One week later (yesterday) we upgraded from 5.2.5 to 5.2.7. So far, so good. No problems noticed.

IAC
New Contributor

Sorry. Just 3K users!!

Labels
Top Kudoed Authors