I'm testing the upgrade process on my 1000C. After upgrading I suddenly have CAPWAP admin access enabled on ALL of my interfaces. Does anyone have an idea of how to fix this short of manually editing the config file to remove those entries? I'm not using the wireless controller.
Has anyone else experienced this?
As far as I can remember, upgrading to the 5.0.x track should've been done via 4.3.18 as an intermediary track. Also, if you can afford it and you want to stick to the 5.0.x track rather than go for 5.2.x, I would go to 5.0.11 - 5.0.7 had some issues with the IPS engine that you might want to stay away from if you're running that issue. But regardless, the recommended track is via 4.3.18 - now whether that happened because the upgrade path wasn't followed or it's a bug in the upgrade itself, that I cannot tell at a glance.
I thought I read somewhere that the upgrade path I took was acceptable but I'm struggling to find a reference to back that up.
I appreciate your comments about upgrading to 5.0.11. I'm restricted to 5.0.7 for other reasons but I hope to upgrade again to the 5.2 train once they get a few more issues sorted.
TAC is telling me this is just a standard 5.0 behavior and there isn't much that can be done besides submitting it as a bug.
I know support for most/all models acting as wireless controllers to FortiAPs was dramatically expanded between OS 4.3 and OS 5.0. That may account for CAPWAP being enabled as an administrative access method by default, namely ports UDP/5246-5247.
A quick and dirty way to remove it from all interfaces at once would be to find/replace the 'set allowaccess...' line for each interface, or delete any instance of 'CAPWAP' and restore the configuration from backup.
Regards, Chris McMullan Fortinet Ottawa
Chris,
I'm running an A/P HA cluster. Can you give me an idea of what behavior I should expect when restoring a config? I also just considered scripting the changes to avoid having to reload a config.
Enabling CAPWAP on all interfaces is standard when upgrading from 4.3.x to 5.0. No bug, but no sense in it either. I'd say it's downright dangerous as even WAN ports are opened up.
If I configure the FGT to be a WiFi controller I have to enable CAPWAP on that specific interface, full stop. I've got to do that as well when using a FortiExtender. I really cannot see why a general "decoration" of all ports would make sense.
Frankly, I doubt that opening a ticket with TAC will make any difference. Maybe one of the FTNT employees know where to send a notice on this.
Best to just script the changes. Restoring a configuration would likely cause a reboot, or at least a failover.
Regards, Chris McMullan Fortinet Ottawa
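An added example of the scripting approach suggested above (not code from the thread or from Fortinet): parse a FortiOS config backup, find every interface whose `set allowaccess` line contains `capwap`, and emit a CLI script that strips it, optionally keeping the interface that really serves FortiAPs. The sample config, interface names and addresses are constructed.

```python
import re

# Constructed sample of a FortiOS "config system interface" section (not a real device config).
SAMPLE_CONFIG = """\
config system interface
    edit "wan1"
        set ip 203.0.113.10 255.255.255.0
        set allowaccess ping https ssh capwap
    next
    edit "internal"
        set ip 192.168.1.99 255.255.255.0
        set allowaccess ping https ssh http fgfm capwap
    next
    edit "wifi"
        set allowaccess ping capwap
    next
end
"""

ALLOWACCESS_RE = re.compile(r'^\s*set allowaccess\s+(.*?)\s*$')

def strip_capwap(config_text, keep=()):
    """Return [(interface, old_services, new_services)] for each interface in
    'config system interface' that allows capwap. Names in `keep` (e.g. the
    controller interface that actually talks to FortiAPs) are left untouched."""
    changes, current, depth, section_depth, in_section = [], None, 0, 0, False
    for line in config_text.splitlines():
        s = line.strip()
        if s.startswith("config "):                 # enter a (possibly nested) block
            depth += 1
            if s == "config system interface":
                in_section, section_depth = True, depth
        elif s == "end":                            # leave the current block
            if in_section and depth == section_depth:
                in_section = False
            depth -= 1
        elif in_section and depth == section_depth: # skip sub-blocks like "config ipv6"
            if s.startswith("edit "):
                current = s[5:].strip().strip('"')
            else:
                m = ALLOWACCESS_RE.match(line)
                if m and current and current not in keep and "capwap" in m.group(1).split():
                    old = m.group(1).split()
                    changes.append((current, old, [x for x in old if x != "capwap"]))
    return changes

def build_cli(changes):
    """Render the changes as a FortiOS CLI script, avoiding a full config restore."""
    out = ["config system interface"]
    for name, _old, new in changes:
        out += [f'    edit "{name}"',
                f"        set allowaccess {' '.join(new)}" if new else "        unset allowaccess",
                "    next"]
    return "\n".join(out + ["end"]) if changes else ""
```

Review the generated script before pasting it: `keep` must name the interface on which a WiFi controller or FortiExtender is configured, or those devices lose their tunnel.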