http://docs.fortinet.com/uploaded/files/3285/fortios-v5.2.9-release-notes.pdf
The list of the resolved issues is important IMHO, just some tips:
297421 HTTPs traffic is blocked after AV/IPS database update from FortiGuard.
306929 Fortigate memory logging is automatically enabled after reboot.
382828 When trying to access internal server through SSL VPN in web mode, the login page is not
371264 Modify user ran into lock when trying to change user's password during sslvpn connection.
376599 Keep IPSec traffic on the hardware during rekeying causes kernel panic.
I ended up opening another ticket with Fortinet because IPS engine 3.0289 still has an issue.
They ended up providing me 3.0173. I would open a ticket and ask for this ips engine.
-DDSkier FCNSA, FCNSP FortiGate 400D, (2) 200D, (12) 100D, (2) 60D
Can I downgrade from 5.2.9 to 5.2.8 by simply uploading the firmware file from the web interface? This 60D I have is in a remote place where I can't fully flash it with a tftp server...
Thanks
At least one person should warn that downgrading is always connected with a high risk of losing parts of the config, as stated in the Release Notes:
Downgrading to previous firmware versions

Downgrading to previous firmware versions results in configuration loss on all models. Only the following settings are retained:
- operation mode
- interface IP/management IP
- static route table
- DNS settings
- VDOM parameters/settings
- admin user account
- session helpers
- system access profiles

Background: firmware updates contain the new firmware and possibly script code to change previous syntax to the new version. Sometimes, the internal HDD filesystem is reformatted. If you downgrade just by applying the older firmware, the wrong routines are run (those for upgrading) and this might result in loss of function. So, for a remote FGT, I'd be very, very cautious. Perhaps only the IPsec VPN might be broken afterwards which in this situation would be quite bad. This way or the other, downgrading is risky and needs extra effort. As you may have noted, several others have downgraded just by applying the older firmware, and it worked for them.
I opened a ticket and got the newer IPS Engine 3.173. After installing this on FortiGate 60D and 90D everything is fine for the moment. The issues of crashing IPS Engine are gone.
So FortiOS 5.2.9 running with this Engine corrected the issues for us and we will stay on 5.2.9.
Opening a ticket for a new IPS engine is not the root of the solution; they should release a new firmware, including a new IPS engine....
Also I will always keep the config file for all units. It is very easy for me to roll back the firmware, rather than try & error the malfunction of the firmware
Yesterday after upgrading, if I enabled DLP in an explicit proxy policy the CPU would stay at 100%.
The DLP profile was configured to log all files fingerprinted as "Critical". Fingerprint database had about 350 files (I deleted it to see if that was the problem, but it wasn't).
These processes were fighting for CPU (about 50% each):
dlpfpcache
sqldb
I tried again today but it seems to be working correctly now. I will rebuild fingerprint database and see what happens.
The box is a Fortigate 300C with only one explicit proxy policy and everything enabled on it.
Luckily it is not production environment so that's ok.
I take back my statement this version is running fine.
IT'S A DISASTER! Both units we were testing in production have had serious issues. I will be rolling them back to 5.2.8 tonight, hopefully that goes as planned. But 5.2.9 is a BUGGY MESS. Stick with 5.2.8 if you are on it, and wait this one out.
VPNs not working, IPS crashes, blah blah blah.
Upgraded a 240d cluster last week, no issues so far.
I do have the same IPS issue on a 60D
..... signal 11 (Segmentation fault) received, backtrace....
I've downgraded back to 5.2.8 for now
Tried also on a 200D which seems fine with 5.2.9
I can confirm that on 200Ds that 5.2.9 is working fine.
Will test it out on a 100D in a few days and report back.
-DDSkier FCNSA, FCNSP FortiGate 400D, (2) 200D, (12) 100D, (2) 60D