Hey, who is going first ?
Some small models like 40C are not support.
Just have a quick look at release notes, there is a loooooot of know issues...
2 FGT 100D + FTK200
3 FGT 60E FAZ VM some FAP 210B/221C/223C/321C/421E
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Any possibility to get old GUI back? New one is seriously ugly and hurt my eyes...
IMHO In a production business env you should not upgrade to any new release unless it's a do or die must have feature that you need.
PCNSE
NSE
StrongSwan
undocumented wrote:If you NEED the new features you might want to but on my 200D:does anyone recommend to upgrade on 200D?
1) PBR (Policy Based Routing) was non working
2) Cloud Access Security Inspection (new feature / application deep inspection rebrand-extension) definitions disappeared without reason, never managed to get them back.
3) After a reboot (trying to fix point 2), both wan interface became unresponsive, no traffic in or out while the interface where up (including PPPoE session on WAN2). Had to go on-site to reboot.
So let's put in that way, after 48 hours of xmas fun I'm back to 5.2.4 (got an issue with 5.2.5 SSL inspection causing the deamon to crash regularly) and now back in working stable state :)
And from what I saw 5.2.5 "known services" discovery (like google, adobe, etc...) is only based on IP address not certificate inspection/mapping like PaloAlto :( so virtually impossible for Fortinet to maintain properly and possible conflict if/when CDN/distributed IPs are switched around. Sounds so basic to check certificate to determine who you are talking to that I really doubt PA got a patent on that.
I have upgraded 2 FGT units with 5.4.0 but I have lost connectivity via my WAN dynamic PPPOE connections... I am able to access the gui, i have access to local network but no to the internet... after rolling back to previous version (5.2.5) I had no problems... Any idea?
It appears that the vulnerability scanner function has been stripped out of 5.4 and relegated to the forticlient. I know that vulnerability scanning was kind of just a nice bonus stuck into the firewall builds a while ago (4.2? 4.3?), but it seems like a step backwards. It appears that the function on forticlient can only be activated on a client registered to a firewall and the client can only scan itself. Vulnerability scanning on the firewall allowed an almost unlimited number of endpoints to be scanned. This new setup would limit you to 10 machines that you have to be able to install forticlient on without having to spend more money on extra forticlient licenses. Is that actually what the intent appears to be? Or is there some update looming for forticlient that would allow it to scan ip ranges?
It was nice to have the vulnerability scanner as a second set of eyes in addition to other more robust vulnerability management solutions with workflows, etc. Especially since you could arbitrarily just scan anything with an IP address on demand. It also seemed to get better detections than our other dedicated internal vulnerability assessment platform (long story).
CISSP, NSE4
Tried to upgrade 2 clusters win 5.2.4 firmware. Both failed. One node is upgraded, and after reboot there is message in console:
"HA cannot be formed because the internal ports of box-***** is in different mode with this box. In order to form HA, please make them in the same mode first"
Had to slipt cluster, manualy upgrade another nod, and join cluster again.
I think it's because Internal interface type in 5.2.4 firmware is "set type physical" and after upgrade internal interface is "set type hard-switch".
Also reset counters on policy not working correctly.
Hello,
I have 60D box with 5.4. Is it possible to disable VPN wizard? It's completly retarded and I would like to use all the adv. features of VPN.
Regards,
Piotr
Just don't use the vpn wizard and configure it manually. The wizard was a basic cfg function that was design for the junior FWengineers
PCNSE
NSE
StrongSwan
may not be the first but im dead sure I wont be the last.
Firstly to avoid any readers looking for a happy ending, you may jump ship now.
For compliance reasons, we have selected Fortinet products to provide access to our systems.
Must admit, I didn't really shop around, as the constraints of one certification or another meant it was either Fortinet, Cisco or some other Manufacturer I cant recall the name of
Immediately eliminated cisco, due to past experience with the commercial side of cisco, and general difficulty stabilising systems without overpriced "trained" experts having to tackle stuff, and mostly failing by causing knock on effects
My background has been with Zyxel USG range of firewalls, though sadly certification isn't one of their strong points, but aside that, the USG range has proven very reliable and manageable at every level.
Anyway, the pilot program is to use Fortinet 60d. in HA Active Passive mode, just 2 of them. That's all.
I received the units with 5.2.5 in late last year. Having now gotten round to "setting" them up, I entered a basic port forward configuration in, and got some external traffic coming in ok. I then install the latest 5.4.0 firmware on the second unit. Bad move. On this unit it is impossible to get ports forwarded. The GUI says yes, the actuality is no. After a week of waiting and batting CLI commands back and fourth with support, I'm going alone. I don't have that much time to waste.
This leads on to the fact that the logs show you nothing within the gui. Again, I'm used to the Zyxel range, and make strong use of the event log to track events (strangely) . This is impossible with the Fortinet. I am unable to gain any confidence ANYTHING is happening from the logs. Yes ive set the stupid tick box to show memory logs.
Ive followed numerous guides and "cookbooks" published by Fortinet. Very impressive literature, but almost completely useless with many technical ommissions, and assumptions made on the authors part, that the end user, should correctly assume fundamental settings. It is my experience that assumptions lead to ASS U ME. Hence I rely on documentation to not only tell me "what buttons to press", but ideally what effect this will have and why in good, solid technical terms. this way, the process of reading also teaches us skilled people how the thing is working. Without that, we are no more than burger flippers.
Needless to say, NONE of the "cookbooks" magically make HA work on my pair of fortinet 60d. with 5.2.5,5.2.6, or 5.4.0
I am now forced to raise a ticket for this purpose. This means a painful waiting game whilst awaiting response and drawing pictures of two fortinets, interconnected as per fortinets own documentation, and describing the problem.
The response to raising tickets is "enter this, enter that in CLI mode and send us the output". in between message exchanges we are talking 24-48 hours based on my last ticket raised because port forwarding simply wasn't working. Very disappointing.
The whole matter is so similar to my experience of CISCO products and support.
I guess if I pay for extra support they will log on, and "do it for me". sorry, not good enough. After 20 odd years developing products and working with firewalls, I really don't expect a relatively mature company to be providing software of this low quality.
Additionally, I have noticed pop up boxes on the GUI that don't close when you click on Close, HA slave units that don't appear when enabling HA, yet HA still works as if by magic. And the unit I'm looking at right now, negotiates HA then after 10 seconds rolls over and the system light goes off. Naturally the logs are completely useless.
I have wound back to firmware 5.2.5, but this presents more issues, and sadly, HA still fails to work, as far as the GUI is concerned.
Absolutely dismayed. Maybe my 12 year old daughter and hey Pi skills could be of use?
In summary, it seems like Fortinet have all the jigsaw pieces but either a split brain running the show, or no real substance on the QA side. All this for a premium product.
Thanks Fortinet for consuming yet more of my valuable time. I'm just deciding whether to give up with you, or not. Frankly I'm fearful of putting this into a production environment as I am severely struggling to do simple tasks with this box of bits and whilst I can kind of make it do what I want, I had hoped for something a little more robust. maybe I'm just being unreasonable and over expectant.
Be warned good people, as though the previous posts don't also say enough.
Disgraceful.
Hi Mark,
I'm sorry to hear you're having such a bad experience. Overall, I'm happy with the FortiGate and the tech support that follows it, so I'm a little surprised by your ordeal. :) Version 5.4. is a bit rough on the edges and I would certainly not recommend it for a serious production yet, but 5.2.5 should work pretty well, especially on the HA field.
I mostly agree with you on documentation - it is plentiful, but it is sometimes missing some key information. Especially for products other than FortiGate. Having said that, I think that most Cookbook recipes are written for people who already have some background with the Fortinet products, or just to help 'sporadic' SOHO/SMB users (to whom firewall management is a second or third job role) set up the most basic stuff. So, I wouldn't expect much of it.
These are some 'must do' things when creating an HA cluster, from the top of my head:
[ul]Hope this helps a bit. If you want, you can open a new thread on the subject, we'll be more than happy to help. Don't hesitate to send me a link to the thread in the PM or email.
NSE 7
All oppinions/statements written here are my own.
Hellow every one
I just added a Fortigate VM 5.4.0 as a devise to fortimanger
my erchiteture is winserver-2008 ----> fotigate <----->fotimanger
Tehy are allin teh same local network kind of 192 .....45, 46, 47
Everithing was working all right and i was able to manage the firewal from the Fortimanger
But i discovered that the fortigate is nether sending logs Fortimanger nor displaing them .
For exemple when i ping form the win server i discover that the log cant reach the desitnination .
You can sse the problem here in the joined picture
Could you help me to resolve this problem
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1640 | |
1066 | |
751 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.