Hey, who is going first?
Some small models like the 40C are not supported.
Just had a quick look at the release notes, there are a loooooot of known issues...
2 FGT 100D + FTK200
3 FGT 60E, FAZ VM, some FAP 210B/221C/223C/321C/421E
Any possibility to get the old GUI back? The new one is seriously ugly and hurts my eyes...
IMHO, in a production business environment you should not upgrade to any new release unless it's a do-or-die, must-have feature that you need.
PCNSE
NSE
StrongSwan
undocumented wrote: does anyone recommend to upgrade on 200D?
If you NEED the new features you might want to, but on my 200D:
1) PBR (Policy Based Routing) was not working
2) Cloud Access Security Inspection (new feature / application deep inspection rebrand-extension) definitions disappeared without reason, never managed to get them back.
3) After a reboot (trying to fix point 2), both WAN interfaces became unresponsive, no traffic in or out while the interfaces were up (including the PPPoE session on WAN2). Had to go on-site to reboot.
So let's put it that way: after 48 hours of xmas fun I'm back to 5.2.4 (got an issue with 5.2.5 SSL inspection causing the daemon to crash regularly) and now back in a working, stable state :)
And from what I saw, 5.2.5 "known services" discovery (like Google, Adobe, etc...) is only based on IP address, not certificate inspection/mapping like Palo Alto :( so virtually impossible for Fortinet to maintain properly, and a possible conflict if/when CDN/distributed IPs are switched around. Sounds so basic to check the certificate to determine who you are talking to that I really doubt PA got a patent on that.
I have upgraded 2 FGT units to 5.4.0 but I have lost connectivity via my WAN dynamic PPPoE connections... I am able to access the GUI, I have access to the local network but not to the internet... after rolling back to the previous version (5.2.5) I had no problems... Any idea?
It appears that the vulnerability scanner function has been stripped out of 5.4 and relegated to the forticlient. I know that vulnerability scanning was kind of just a nice bonus stuck into the firewall builds a while ago (4.2? 4.3?), but it seems like a step backwards. It appears that the function on forticlient can only be activated on a client registered to a firewall and the client can only scan itself. Vulnerability scanning on the firewall allowed an almost unlimited number of endpoints to be scanned. This new setup would limit you to 10 machines that you have to be able to install forticlient on without having to spend more money on extra forticlient licenses. Is that actually what the intent appears to be? Or is there some update looming for forticlient that would allow it to scan ip ranges?
It was nice to have the vulnerability scanner as a second set of eyes in addition to other more robust vulnerability management solutions with workflows, etc. Especially since you could arbitrarily just scan anything with an IP address on demand. It also seemed to get better detections than our other dedicated internal vulnerability assessment platform (long story).
CISSP, NSE4
Tried to upgrade 2 clusters with 5.2.4 firmware. Both failed. One node is upgraded, and after reboot there is a message in the console:
"HA cannot be formed because the internal ports of box-***** is in different mode with this box. In order to form HA, please make them in the same mode first"
Had to split the cluster, manually upgrade the other node, and join the cluster again.
I think it's because the internal interface type in 5.2.4 firmware is "set type physical" and after the upgrade the internal interface is "set type hard-switch".
Also, reset counters on policy is not working correctly.
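The mismatch described in this post (one node's "internal" interface reported as "physical", the upgraded node's as "hard-switch") can be caught before the second node tries to join the cluster by diffing the two nodes' interface definitions. The following is an added example, not code from the poster or from Fortinet: it parses the `config system interface` block from two `show system interface` dumps and reports every interface whose `set type` differs. The two config excerpts are constructed for the example; an interface with no `set type` line is recorded as "unspecified" rather than assuming a default.

```python
import re
from typing import Dict, Tuple

# Constructed sample: a node still on 5.2.4 (not a real device dump).
CONFIG_524 = """\
config system interface
    edit "wan1"
        set vdom "root"
        set mode dhcp
        set type physical
    next
    edit "internal"
        set vdom "root"
        set ip 192.168.1.99 255.255.255.0
        set type physical
    next
end
"""

# Constructed sample: the same box after the 5.4.0 upgrade, where
# "internal" now shows up as a hard-switch.
CONFIG_540 = """\
config system interface
    edit "wan1"
        set vdom "root"
        set mode dhcp
        set type physical
    next
    edit "internal"
        set vdom "root"
        set ip 192.168.1.99 255.255.255.0
        set type hard-switch
    next
end
"""


def interface_types(config_text: str) -> Dict[str, str]:
    """Map interface name -> 'set type' value inside 'config system interface'.

    Interfaces that print no 'set type' line are recorded as 'unspecified'
    (assumption: we do not guess the firmware default).
    """
    types: Dict[str, str] = {}
    in_block = False
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config system interface":
            in_block = True
            continue
        if not in_block:
            continue
        if line == "end":
            break
        m = re.match(r'edit "([^"]+)"$', line)
        if m:
            current = m.group(1)
            types[current] = "unspecified"
            continue
        if line == "next":
            current = None
            continue
        m = re.match(r"set type (\S+)$", line)
        if m and current is not None:
            types[current] = m.group(1)
    return types


def ha_interface_mismatches(cfg_a: str, cfg_b: str) -> Dict[str, Tuple[str, str]]:
    """Return {name: (type_on_a, type_on_b)} for every interface whose type differs.

    An empty result means the two nodes agree and the HA 'different mode'
    refusal seen in the post should not be triggered by interface types.
    """
    a, b = interface_types(cfg_a), interface_types(cfg_b)
    mismatches = {}
    for name in sorted(set(a) | set(b)):
        ta, tb = a.get(name, "unspecified"), b.get(name, "unspecified")
        if ta != tb:
            mismatches[name] = (ta, tb)
    return mismatches


if __name__ == "__main__":
    for name, (ta, tb) in ha_interface_mismatches(CONFIG_524, CONFIG_540).items():
        print(f"{name}: node A = {ta}, node B = {tb}  <- fix before forming HA")
```

Run it against the real `show system interface` output of both nodes (saved to files) instead of the constructed strings; any interface it lists needs to be set to the same type on both boxes before the upgraded node can rejoin the cluster.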
Hello,
I have a 60D box with 5.4. Is it possible to disable the VPN wizard? It's completely retarded and I would like to use all the adv. features of VPN.
Regards,
Piotr
Just don't use the VPN wizard and configure it manually. The wizard was a basic cfg function that was designed for junior FW engineers.
PCNSE
NSE
StrongSwan
May not be the first but I'm dead sure I won't be the last.
Firstly to avoid any readers looking for a happy ending, you may jump ship now.
For compliance reasons, we have selected Fortinet products to provide access to our systems.
Must admit, I didn't really shop around, as the constraints of one certification or another meant it was either Fortinet, Cisco or some other manufacturer I can't recall the name of.
Immediately eliminated Cisco, due to past experience with the commercial side of Cisco, and general difficulty stabilising systems without overpriced "trained" experts having to tackle stuff, and mostly failing by causing knock-on effects.
My background has been with Zyxel USG range of firewalls, though sadly certification isn't one of their strong points, but aside that, the USG range has proven very reliable and manageable at every level.
Anyway, the pilot program is to use Fortinet 60D in HA Active-Passive mode, just 2 of them. That's all.
I received the units with 5.2.5 late last year. Having now gotten round to "setting" them up, I entered a basic port forward configuration and got some external traffic coming in OK. I then installed the latest 5.4.0 firmware on the second unit. Bad move. On this unit it is impossible to get ports forwarded. The GUI says yes, the actuality is no. After a week of waiting and batting CLI commands back and forth with support, I'm going alone. I don't have that much time to waste.
This leads on to the fact that the logs show you nothing within the GUI. Again, I'm used to the Zyxel range, and make strong use of the event log to track events (strangely). This is impossible with the Fortinet. I am unable to gain any confidence ANYTHING is happening from the logs. Yes, I've set the stupid tick box to show memory logs.
I've followed numerous guides and "cookbooks" published by Fortinet. Very impressive literature, but almost completely useless, with many technical omissions and assumptions made on the author's part that the end user should correctly assume fundamental settings. It is my experience that assumptions lead to ASS U ME. Hence I rely on documentation to not only tell me "what buttons to press", but ideally what effect this will have and why, in good, solid technical terms. This way, the process of reading also teaches us skilled people how the thing is working. Without that, we are no more than burger flippers.
Needless to say, NONE of the "cookbooks" magically make HA work on my pair of Fortinet 60D with 5.2.5, 5.2.6, or 5.4.0.
I am now forced to raise a ticket for this purpose. This means a painful waiting game whilst awaiting a response and drawing pictures of two Fortinets, interconnected as per Fortinet's own documentation, and describing the problem.
The response to raising tickets is "enter this, enter that in CLI mode and send us the output". In between message exchanges we are talking 24-48 hours, based on my last ticket raised because port forwarding simply wasn't working. Very disappointing.
The whole matter is so similar to my experience of CISCO products and support.
I guess if I pay for extra support they will log on and "do it for me". Sorry, not good enough. After 20-odd years developing products and working with firewalls, I really don't expect a relatively mature company to be providing software of this low quality.
Additionally, I have noticed pop up boxes on the GUI that don't close when you click on Close, HA slave units that don't appear when enabling HA, yet HA still works as if by magic. And the unit I'm looking at right now, negotiates HA then after 10 seconds rolls over and the system light goes off. Naturally the logs are completely useless.
I have wound back to firmware 5.2.5, but this presents more issues, and sadly, HA still fails to work, as far as the GUI is concerned.
Absolutely dismayed. Maybe my 12 year old daughter and hey Pi skills could be of use?
In summary, it seems like Fortinet have all the jigsaw pieces but either a split brain running the show, or no real substance on the QA side. All this for a premium product.
Thanks, Fortinet, for consuming yet more of my valuable time. I'm just deciding whether to give up with you, or not. Frankly I'm fearful of putting this into a production environment, as I am severely struggling to do simple tasks with this box of bits, and whilst I can kind of make it do what I want, I had hoped for something a little more robust. Maybe I'm just being unreasonable and over-expectant.
Be warned good people, as though the previous posts don't also say enough.
Disgraceful.
Hi Mark,
I'm sorry to hear you're having such a bad experience. Overall, I'm happy with the FortiGate and the tech support that follows it, so I'm a little surprised by your ordeal. :) Version 5.4 is a bit rough around the edges and I would certainly not recommend it for serious production yet, but 5.2.5 should work pretty well, especially in the HA field.
I mostly agree with you on documentation - it is plentiful, but it is sometimes missing some key information. Especially for products other than FortiGate. Having said that, I think that most Cookbook recipes are written for people who already have some background with the Fortinet products, or just to help 'sporadic' SOHO/SMB users (to whom firewall management is a second or third job role) set up the most basic stuff. So, I wouldn't expect much of it.
These are some 'must do' things when creating an HA cluster, from the top of my head:
Hope this helps a bit. If you want, you can open a new thread on the subject, we'll be more than happy to help. Don't hesitate to send me a link to the thread in a PM or email.
NSE 7
All opinions/statements written here are my own.
Hello everyone,
I just added a FortiGate VM 5.4.0 as a device to FortiManager.
My architecture is WinServer-2008 ----> FortiGate <-----> FortiManager
They are all in the same local network, something like 192 .....45, 46, 47
Everything was working all right and I was able to manage the firewall from the FortiManager.
But I discovered that the FortiGate is neither sending logs to FortiManager nor displaying them.
For example, when I ping from the Win server I discover that the log can't reach the destination.
You can see the problem here in the attached picture.
Could you help me to resolve this problem?