Support Forum
Baptiste
Contributor II

5.4.0 is Out

Hey, who is going first?

 

Some small models like the 40C are not supported.

Just had a quick look at the release notes; there are a loooooot of known issues...

2 FGT 100D  + FTK200

3 FGT 60E  FAZ VM  some FAP 210B/221C/223C/321C/421E

2 Solutions
Bipbaep
New Contributor

Any possibility to get the old GUI back? The new one is seriously ugly and hurts my eyes...


emnoc
Esteemed Contributor III

IMHO, in a production business env you should not upgrade to any new release unless it's a do-or-die, must-have feature that you need.

 

 

PCNSE 

NSE 

StrongSwan  

CyberNorris
New Contributor III

I have 5.4 on a FWF60D and a FG60DPOE... both small offices without anything fancier than dialup VPN and one with a VIP to an internal server. The POE also manages a FAP221C and a FSW108POE. No problems. The FSW was easier to set up on 5.4 than on 5.2.4. The 60DPOE model had 5.4 beta from RC2.

 

Norris Carden

Fortinet XTreme Team USA (2015, 2016)

CISSP (2005), CISA (2007), NSE4 (2016)

sarvosys
New Contributor

I would agree on the interface comments.   I tried all 4 themes and none of them really worked for me.  There is no "flow" on the GUI.

 

As of features - I just updated my 100D and so far so good.

 

chibby

Can someone help me with how to test the web application firewall?

 

If I enable the default profile on my policy (internal -> wan), how can I test it?

 

(been using FGT equipment for few months now so I could use some help)!

 

Thank you all

COIN
New Contributor

I see many complaints here but none about VPN performance. We have a 70D and get horrible performance with IPsec VPN: when doing an iperf between two nodes the FG GUI / CLI does not even respond, and speeds are hovering between 150-250 Mbit/s where the connection between the nodes is 1G.

The process netscan seems to hog all the CPU meanwhile, even though we basically turned off all features that have to do with scanning and antivirus.

Any experience with this?

Tipdrill
New Contributor

For FGT40C and FWF40C? :(

Dipen
New Contributor III

FortiOS 5.4 - Ugly GUI...Worst GUI Ever.

Ahead of the Threat. FCNSA v5 / FCNSP v5

Fortigate 1000C / 1000D / 1500D

 

seadave
Contributor III

I have two 500Ds.  One for production, other is for testing.  I swap them back and forth so I can fall back quickly during upgrades or an outage.  I highly recommend this model if you do not require a HA config as it makes testing much easier and less error prone.  I turned up a new 1Gb connection and decided to use 5.4 after doing a lot of testing.  I realize based on past experiences this is a risk, but I've been using FG for 11 years and this build appears way more stable than previous ones.

 

My production 500D was running 5.2.3. Had a problem with an EC cert: after I installed it, the cert GUI went away. I copied this config to my second 500D, upgraded to 5.2.6 and confirmed that would fix the issue. Took some time reading and understanding the changes in 5.4. We do not use VDOMs or HA. Fairly standard config with one LAN, one WAN, about 40 rules and 500 address definitions, multiple security policies. We do use some identity-based policies and are working to get a FAC200D up and running to enable two-factor auth for VPN. After this is stable for a few weeks, I'm going to build a new config using WANLLB incorporating our backup 100Mbps connection, but didn't want to complicate issues during the main cutover.

 

After I had 5.2.6 running, I made sure to review "diag debug config-error-log read" to make sure no major settings were faulting after the upgrade.  It is critical you use this to know what settings in your old config log didn't port correctly during an upgrade.  I was also careful to make before and after backups of my configs when upgrading.

 

After 5.2.6 appeared stable, I upgraded to 5.4.  I had already spent a month playing with a factory default so I could be familiar with the options.  The upgrade occurred without problems.  I did decide to wipe and rebuild both my SSL and IPsec VPN configs to ensure there were no legacy options config issues.  One thing I have found is that using the CLI "show" command when reviewing configs is not as good as "show full-configuration" as it displays all of the options.  Some of the defaults can lead to problems you don't realize are there without the full command.

 

The GUI is very 8 bit, but isn't everything these days.  I really like the following:

 

• Being able to right click on an Address or Policy definition and choosing "Edit in CLI". That is VERY NICE!
• The fact that invalid Address definitions regarding WCFQDNs or FQDNs that are not able to resolve will display a red "!" is VERY NICE. Helps you spot problems immediately.

Overall the new GUI is working well and we are getting ~850Mbps throughput with all preventative measures enabled. I've seen some others mention that memory util goes high. Ours is sticking at 30% so that is good. Tomorrow will be the test when 125 users start running traffic through it. I have my second 500D running 5.2.6 ready to fall back on if issues arise with 5.4, but so far so good.

I think 5.4 is a very good release, but be careful if you have a complicated config or only a single unit to test on. Read the 5.4 Admin Guide regarding Firmware Updates. Have local copies of your config and current firmware so you can fall back to them if problems occur. I would suggest that you simply reload current firmware, then factory reset, then reload your most recent pre-5.4 configuration backup to ensure the downgrade process works. The revision feature in 5.2 and 5.4 is very nice to have during this process, but I always keep local config copies also.

I have heard that 5.4.1 will be out later this month so I look forward to testing that when it is released.
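The post above recommends keeping before/after backups and reviewing "show full-configuration" output, since defaults hidden by plain "show" can change across an upgrade. The following is an added example, not code from the thread or from Fortinet: it parses two config dumps written in FortiOS CLI syntax (config / edit / set / next / end) and reports which settings were added, removed or changed, so the post-upgrade review is a mechanical diff rather than a manual read. The two sample dumps are constructed for illustration.

```python
import re

# Constructed sample snippets in FortiOS CLI syntax (not taken from the thread):
# a pre-upgrade backup and a post-upgrade "show full-configuration" dump.
BEFORE = """\
config firewall policy
    edit 1
        set name "lan-to-wan"
        set action accept
        set logtraffic utm
    next
end
"""
AFTER = """\
config firewall policy
    edit 1
        set name "lan-to-wan"
        set action accept
        set logtraffic all
        set ssl-ssh-profile "certificate-inspection"
    next
end
"""
SET_RE = re.compile(r'^\s*set\s+(\S+)\s+(.*)$')

def parse_fortios(text):
    """Flatten FortiOS config text into {(section path, key): value}."""
    path, result = [], {}
    for line in text.splitlines():
        s = line.strip()
        if s.startswith('config '):      # enter a table, e.g. "firewall policy"
            path.append(s[7:])
        elif s.startswith('edit '):      # enter one entry of the table
            path.append(s[5:].strip('"'))
        elif s in ('next', 'end'):       # leave the entry / leave the table
            path.pop()
        else:
            m = SET_RE.match(line)
            if m:
                result[('/'.join(path), m.group(1))] = m.group(2).strip()
    return result

def diff_configs(before, after):
    """Report keys added, removed or changed between two config dumps."""
    a, b = parse_fortios(before), parse_fortios(after)
    return {'added': {k: b[k] for k in b.keys() - a.keys()},
            'removed': {k: a[k] for k in a.keys() - b.keys()},
            'changed': {k: (a[k], b[k]) for k in a.keys() & b.keys() if a[k] != b[k]}}
```

Running diff_configs on two real "show full-configuration" dumps (saved via the CLI before and after the firmware upgrade) lists every setting whose effective value moved, including defaults that plain "show" would not display.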

seadave

Two days after ISP cut-over for 500D and 5.4 and all is well so far. Memory is stable at 34% and CPU usage is NIL. FG has scanned over 1.2M incoming files in that time (6 malicious)! I am doing deep inspection on many rules. I have ~50 rules total. I do not have HA or LLB enabled.

One thing I have found is that Wildcard FQDNs are not allowed for destinations. Not sure if that is a bug or I just never noticed that before.

It does seem like with my FAZVM on 5.4 and FG on 5.4 that I am getting better App identification. Much faster to review/lookup traffic using FAZVM than on my 100C. I should have moved to VM a long time ago.

Next step is to finish testing IPsec and SSL-VPN. HTML5 RDP for SSL-VPN is working great so far.

     

     

rpedrica

Thanks @seadave for your comments and experiences. I've never used a .0 release in prod before and in fact have waited quite a few patches for a new release to settle down; this seems to be the normal behaviour of new FOS releases since I started on v2.5. Saying that, the patch release at which stability is reached has been coming down with each successive release, e.g. 4.3 was only stable around the 4.3.11 mark whereas 5.0 was stable around the 5.0.6 mark. 5.2.3 is not bad either (except for the SSL inspection regression in 5.2.4). For a .0 release, I think 5.4.0 is pretty good although there definitely are still issues. This shows that F's development process is improving (although not yet great) over time.

Some might ask why F are introducing FOS releases that may or do still have bugs in them? I think F will try to test all possible permutations in the lab, however there is no proving ground like the real world, and especially in firewall setups the no. of permutations is endless. If you waited until you thought that your software was perfect, you'd never release. As long as you accept that early releases in a new stream could have issues and should not be used in serious prod, then the dev process seems to be working ok and improving. Some might have issue with that method and some might not. For me, I've never had an issue because I test as much as possible, check release notes and then deploy when I think a release is stable (enough).

I've had 5.4.0 running on 1 prod unit for a month now and no serious issues found. This is a new install though. I would think that possible issues could creep in as a result of upgrades, especially at this early stage. 5.4.x is significantly different from previous so it may be that upgrades do not (yet) translate/migrate as well as they could. This is where successive patches will hopefully improve upgraded installations.

I'm on the fence regarding the UI at the moment. There's definitely some optimisation that should come for speed. CASI, DNS filter and WAF are interesting additions and it may take some time to understand the best use of these. I'm really going to miss vuln scan though. And I really like routing via address objects and internet services. Now we just need routing based on application ...

My 2 cents ...

tuumke

Damnit, having troubles installing policies using the FMG....

2016-03-17 10:22:35 : Start copying policy to devdb, device(FW10014-Apeldoorn), vdomid(root)
2016-03-17 10:22:35:Compiling firewall policy (seq 1, id 1) fail : invalid value
2016-03-17 10:22:35 : vdom copy error
