VicAndr
New Contributor III

FortiOS 5.2: should we wait or should we go?

Questions to those who had been brave enough to upgrade their units to FortiOS v5.2.0: How did it handle complex configurations in the course of upgrade (I mean "in-place upgrade")? Are there any pitfalls to watch for? Does v5.2 work stably? Is there anything to lose in the jump to v5.2? Are you still there on v5.2 or had to go back to v5.0 for one reason or another? What are your overall experiences so far?

We have a pure FortiOS v5.0.7 in our environment. It generally works fine but our main headache is new FortiAPs supporting 802.11ac - they are practically unusable on v5.0.7 (we do not want to go with "interim" FortiOS build as it raises a whole bunch of other questions).

Thank you all for any feedback,
VA
1 Solution
ejhardin
Contributor

By default the SSL profile is "certificate-inspection". In this mode the FortiGate is basically just reading the DNS name from the certificate during the SSL handshake. Question... Has anyone really had an issue with SSL connections while using "certificate-inspection"? I haven't had an issue and I like the fact that the "certificate-inspection" is on by default. Other firewall companies are doing the same thing.


52 REPLIES 52
Jordan_Thompson_FTNT

I was disappointed to see that the ability to make DHCP reservations was removed from the WebUI in 5.2.0. In 5.0.x, it was simple to turn a bunch of leases into reservations, but I just had to do this all through CLI, where it is much easier to make a typo on a MAC address.  
This is still available in two places:

1) System -> Network -> Interface: There is a "MAC Reservation + Access Control" option under Advanced. The following CLI option should be enabled first:

    config system global
        set gui-advanced-dhcp enable
    end

2) System -> Monitor -> DHCP Monitor: You can right click to create/edit a DHCP reservation from an existing lease.
netmin
Contributor II

some first observations on 5.2.0 (after upgrade): (performed exec formatlogdisk; extended ips db; extended av-db, now flow-based)
- dhcp reservations can be handled via System->Monitor->DHCP Monitor->right-click any lease to revoke/create/edit a lease
- banned user list is sortable and (up to now) does no longer contain duplicates
- webfilter performs now rating on .js and .css files (and blocks those as needed, which it did not before)
- local out logging was enabled upon upgrade
- as already stated, the "default" ssl/ssh inspection profile was active on policies that previously did not have ssl/ssh inspection enabled, but different application control profiles attached; since "default" is a full inspection profile, these needed to be changed to omit ssl errors
- we had to rework the application control profiles as single application overrides (traffic shaping) from the previous configuration resulted in the complete category being changed to traffic shaping
- logging (fortiview) appears to work
- Dashboard->top sources->Threat History widget doesn't show any data ('generate' button clicked, but does not appear to finish)
- Dashboard->Traffic History->Traffic History widget doesn't show any data
- once again, device detection did not work on the VLAN subinterfaces (on 2-port hard-switch interfaces), after firmware upgrade/restart
- testing now if additionally enabling device detection on the parent hard-switch interfaces makes a difference
(tested devices: 100D Gen3 A/P)
Warren_Olson_FTNT

Nihas, I ran into the exact same issue, which causes problems when you're trying to do client mode WIFI... I ended up doing a factoryreset and I was then able to remove the default fortinet wifi ssid.
Nihas

Okay thanks! So are you using fresh entries everywhere after the factory reset?
Nihas
Warren_Olson_FTNT

My issue was just that I couldn't remove the default ssid, which is a necessity for doing client mode WIFI (I was connecting my fortiwifi to another wireless device over wifi). So I didn't create any new entries after.
Nihas
New Contributor

Okay, thanks! In my case, the SSID is not a default one (I had created one for guest users). It's not making any problem, and I can simply create a new SSID with Tunnel. But I would like to delete the unwanted stuff from the interface list.. And I found one more issue in 5.2: in the report, the amount of DATA in a few areas like IPSec VPN and Top Users is in TBs.. :D
Nihas
CorneJvV

I upgraded my client's 200Bs from FortiOS 4.3.15 to FortiOS 5.0.7 and then FortiOS 5.2. I had to format the devices as the FortiTokens of the SSL VPN stopped working. Has anyone else received this issue?
FCNSA FortiGate 60C, 110C, 200B, 310B FortiAnalyzer 100C FortiMail 100 FortiManager 100
Nihas
New Contributor

We were trying to implement captive portal (custom one with guidelines) for wired users instead of the legacy 802.1X authentication. But... 5.2 doesn't have that option in policies. Now captive portal is only available for Wifi interface?? Why?
Nihas
emnoc
Esteemed Contributor III

Yes it does, and it's easy to miss. See screenshot; you have to toggle it on.

PCNSE NSE StrongSwan
rwdorman
New Contributor III

FYI - I have a TAC-acknowledged bug that the current version of Forticlient for Android will not connect. We had to roll back to using the built-in IPSec client.

-rd 2x 200D Clusters 1x 100D 1x 60D FortiOS 5.2 FortiAP 221C FAZ 200D