hklb
Contributor II

FortiOS 5.2.3 is out

.

4 Solutions
VicAndr
New Contributor III

...discovered another bug with v.5.2.3. Administrators who are restricted to provisioning guest accounts only can't actually print those accounts (to hand over login IDs and passwords to relevant users). In an attempt to do so, a FortiGate responds with "Error 500: Internal Server Error".

 

...didn't have this problem before the upgrade.


Paul_S

hklb wrote:

 

Change your encoding in your browser (in chrome : option - more tools- encoding - western) and it works.

Support said the encoding error will be fixed in 5.2.4

FG200D 5.6.5 (HA) - primary | FWF50B's 4.3.x, FG60D's 5.2.x, FG60E's 5.4.x | FAZ-VM 5.6.5 | Fortimail 5.3.11 | Network+, Security+

rwpatterson
Valued Contributor III

Also you cannot load the DNS screen.

 

When upgrading to 5.2.3, the admin accounts have changed from 'super_admin' to 'prof_admin'. We had the same issue here. We simply went into a backup, changed the admin types and restored the config. I did this remotely, hoping I wouldn't have to drive in. It worked flawlessly.

 

By the way, we got the answer from support. My guru is better than your guru!

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

TheJaeene
Contributor

@rpetty

 

Hi,

 

 

have you checked the "ALL" Service?

 

Firewall Service Protocol Number Change 2015-04-02

Subject: Firewall Service Protocol Number Change
Released: 2015-04-02
Modified: 2015-04-02
Product: FortiGate

Description:

In FortiOS v5.0.8 and v5.0.9 and v5.2.0 through v5.2.2, the default value of the firewall service protocol number was changed from a value of 0 to 6.

The most commonly observed impact of this change is that after upgrading to the affected firmware, the “ALL” service matches only TCP traffic.

Executing a factory-reset on the FortiGate device does NOT change the default value to 6.

Affected Products:

All FortiGate models.

Resolution:

FortiOS v5.0.10 and v5.2.3 have fixed the issue. Upon upgrading the FortiGate device, the firewall service protocol number is restored to 0.

Workaround:

Those wishing not to upgrade the firmware can modify the affected firewall services to explicitly set the protocol-number to 0.  For example:

config firewall service custom
   edit "ALL"
      set protocol-number 0
   next
end

 


56 REPLIES
Simpalm
New Contributor

Yayy..... We were waiting for this update for so long and it's out now, Happy! Thanks for sharing this topic, I like it.
kinmun
New Contributor II

my FG300D is on 5.2.2.

what benefit do I get from upgrading to 5.2.3 ?

Paul_S

kinmun wrote:

my FG300D is on 5.2.2.

what benefit do I get from upgrading to 5.2.3 ?

 

emnoc is right about reading the release notes. Also, consider opening a support ticket and asking for all the known bugs that are affecting 5.2.3. I have recently installed 5.2.3 and I am affected by two bugs in that release.

If the bugs are in areas you do not consider critical, then you should probably install 5.2.3; if the bugs are in critical areas, then wait for 5.2.4.

 

5.2.3 does patch some vulnerabilities discovered recently: http://www.fortiguard.com/advisory/CVE-2014-8730--Poodle-for-TLS--vulnerability/

 

Reducing risk (improving security) is often an organization's biggest motivation when deciding when to upgrade a system.

hklb
Contributor II

Paul S wrote:

emnoc is right about reading the release notes. Also, consider opening a support ticket and asking for all the known bugs that are affecting 5.2.3. 

They don't update the release notes with the new known bug?

Paul_S

hklb wrote:

 

 

They don't update the release notes with the new known bug?

I made the assumption that they do not. However, after looking closer I am partially wrong. The release notes download page shows a document date of 3/20/15, but the document itself shows a date of 4/16/15. There is a known issues section that does appear to list more bugs than I would guess were listed on the 5.2.3 GA release date. So, they appear to update the release notes with known bugs, but not for every bug. Maybe just significant bugs or maybe they add bugs to the release notes every so many weeks/months. Both bugs I am affected by, are not listed in the release notes.

 

bug ID: 275724 Desc: B670 : IE fail to access to server behind Load Balance server (fortinet description)

bug ID: 0273255 desc: GUI issue when editing a firewall address group, invalid octet in UTF-8 sequence when decoding string (my description)

vladimircze
New Contributor III

Hi,

In 5.2.3 we are facing an issue with address objects which have the "not shown in list" attribute test.

Created two address objects, created a policy with these objects in destination or source.

config firewall address
   edit "00TEST1"
      set uuid 96a18994-0054-51e5-2b1a-11e70e3d16f2
      set subnet 1.2.3.4 255.255.255.255
   next
end
config firewall address
   edit "00TEST2"
      set uuid a0d35c30-0054-51e5-5fc7-95b2a39119e4
      set subnet 4.5.6.7 255.255.255.255
   next
end

config firewall policy
   edit 250
      set uuid 0e6e075e-0055-51e5-9d43-fabfa629d8cd
      set srcintf "port5"
      set dstintf "VL_ITOPS"
      set srcaddr "all"
      set dstaddr "00TEST1" "00TEST2"
      set action accept
      set schedule "always"
      set service "PING"
      set nat enable
   next
end

 

then changed visibility of one object.

config firewall address
   edit "00TEST1"
      set uuid 96a18994-0054-51e5-2b1a-11e70e3d16f2
      set visibility disable
      set subnet 1.2.3.4 255.255.255.255
   next
end

Then in the GUI, edit the policy. Only one address object is shown in destination/source.

Click okay; now the "hidden" object is missing from the policy completely.

config firewall policy
   edit 250
      set uuid 0e6e075e-0055-51e5-9d43-fabfa629d8cd
      set srcintf "port5"
      set dstintf "VL_ITOPS"
      set srcaddr "all"
      set dstaddr "00TEST2"
      set action accept
      set schedule "always"
      set service "PING"
      set nat enable
   next
end

Created support ticket (#1407923).

Does anybody have similar problems?

 

 

quick add: downloaded latest VM64 trial, default configuration repeated same steps and got same problem.
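A check for the two silent config changes reported in this thread (the admin profile switching from 'super_admin' to 'prof_admin', and the hidden address object dropped from policy 250 after a GUI edit), as an added example that is not from any poster or from Fortinet: it diffs selected fields between an earlier and a later config backup. It assumes flat config/edit/set blocks like those posted above; the admin entry in the sample is constructed, and `parse_fortios`, `diff_fields` and `audit` are hypothetical names.

```python
import shlex

def parse_fortios(text):
    """Parse flat config/edit/set/next/end blocks into {section: {entry: {key: [values]}}}."""
    cfg, section, entry = {}, None, None
    for raw in text.splitlines():
        tok = shlex.split(raw) or [""]          # blank lines become a no-op token
        if tok[0] == "config":
            section, entry = " ".join(tok[1:]), None
            cfg.setdefault(section, {})
        elif tok[0] == "edit" and section is not None and len(tok) > 1:
            entry = tok[1]
            cfg[section].setdefault(entry, {})
        elif tok[0] == "set" and entry is not None and len(tok) > 1:
            cfg[section][entry][tok[1]] = tok[2:]   # multi-value fields keep every member
        elif tok[0] == "next":
            entry = None
        elif tok[0] == "end":
            section = entry = None
    return cfg

def diff_fields(before, after, section, fields):
    """List (entry, field, removed, added) for values that differ between two backups."""
    out, new = [], after.get(section, {})
    for name, old_entry in before.get(section, {}).items():
        for f in fields:
            old_v, new_v = set(old_entry.get(f, [])), set(new.get(name, {}).get(f, []))
            if old_v != new_v:
                out.append((name, f, sorted(old_v - new_v), sorted(new_v - old_v)))
    return out

# Constructed sample: policy 250 as posted in the thread, plus a hypothetical admin entry.
BEFORE = '''
config system admin
   edit "admin"
      set accprofile "super_admin"
   next
end
config firewall policy
   edit 250
      set srcaddr "all"
      set dstaddr "00TEST1" "00TEST2"
   next
end
'''
AFTER = BEFORE.replace('"super_admin"', '"prof_admin"').replace('"00TEST1" ', '')

def audit(before_text, after_text):
    b, a = parse_fortios(before_text), parse_fortios(after_text)
    return (diff_fields(b, a, "firewall policy", ["srcaddr", "dstaddr"])
            + diff_fields(b, a, "system admin", ["accprofile"]))
```

Running `audit` on a backup taken before the upgrade and one taken after the first round of GUI edits lists every policy address reference and admin profile that changed without an explicit CLI change.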

emnoc
Esteemed Contributor III

Read the release notes for 5.2.3; everything that's fixed or new or open items should be listed in the release notes.

http://docs.fortinet.com/d/fortios-5.2.3-release-notes

 

 

PCNSE NSE StrongSwan
storaid
Contributor

hello, anyone know the released date about next release????

FWF60D x2 FWF60C x3 FGT80C rev.2 FGT200B-POE FAP220B x3 FAP221B x2

FSW224B x1

Paul_S

storaid wrote:

hello, anyone know the released date about next release????

6/12/15 - a comment from Fortinet on one of my support tickets indicated late July for the release of 5.2.4.

james512
New Contributor

I've been upgrading the FW with no issues for around 3 years on our FGT 110C unit, until going from 5.2.2 to 5.2.3. 

 

Now I can no longer see the interface page on the GUI and I'm also experiencing the 'invalid octet in UTF-8 sequence when decoding 'string'' when viewing groups. 

 

It would seem the firmware screws up our config, for now I've had to downgrade back to 5.2.2. Fortinet support have asked me to reset the unit and try again but no luck.

 

I've attached some screen grabs of the problems.
