Hello everyone,
I have a cluster of 1500D in A-P mode working and I have noticed some rare issues since we upgraded to 5.4.1.
For example, after disable and enable again a policy route rule, on the GUI it was placed as SEQ #1, but when running a "diagnose firewall proute list" it was placed at the end of the policy rules.
Another one, a policy fw rule created on FortiOS 5.2.x (rule 41) doest not match traffic that is supposed to, another rule with the same config created on FortiOS 5.4.1 (rule 121) indeed match the same traffic.
Taking a view at the rule's full-config, the change of the new rule created in FortiOS 5.4.1 is "set utm-status enable" instead of "set utm-status disable". Although we have no utm feature enabled, it adds the following sentences:
set profile-type single set av-profile '' set webfilter-profile '' set dnsfilter-profile '' set spamfilter-profile '' set dlp-sensor '' set ips-sensor '' set application-list '' set casi-profile '' set voip-profile '' set icap-profile '' set waf-profile '' set profile-protocol-options '' set ssl-ssh-profile ''
Anyway, I changed to "set utm-status enable", and it did not match the traffic neither, so now I do not trust which rules created on FortiOS 5.2 are working on 5.4.
Other isssue would be that on another cluster of 1000D, the Virtual Wire config was lost after a reboot.
I am going to open a case about the rules's issues as they have given us a some headache, but I think we should downgrade to the 5.2 branch until the 5.4 is more stable.
Has anybody found similar issues?
Regards,
Paco.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hello again,
I have just noticed that my Forti detects the license correctly, although there are some differences between the License Info on the dashboard and the License Info shown on Global-Fortiguard (previously attached), and the output on the CLI.
global) # get system fortiguard-service status NAME VERSION LAST UPDATE METHOD EXPIRE AV Engine 5.234 2016-04-01 10:37:00 manual 2017-01-03 00:00:00 Virus Definitions 39.845 2016-10-05 09:37:56 manual 2017-01-03 00:00:00 Extended set 39.845 2016-10-05 09:37:56 manual 2017-01-03 00:00:00 Extreme set 1.000 2012-10-17 15:47:00 manual 2017-01-03 00:00:00 Flow-based Virus Definitions 39.844 2016-10-05 09:37:56 manual 2017-01-03 00:00:00 Attack Definitions 6.741 2015-12-01 02:30:00 manual 2017-01-03 00:00:00 Attack Extended Definitions 8.970 2016-10-05 05:07:23 scheduled 2017-01-03 00:00:00 IPS Malicious URL Database 1.427 2016-10-05 05:07:23 scheduled 2017-01-03 00:00:00 Botnet Definitions 3.206 2016-10-05 09:37:56 manual n/a IPS/FlowAV Engine 3.279 2016-05-27 17:31:00 manual 2017-01-03 00:00:00
Seeing this, more and more it looks like a bug.
Paco.
I have to kindly disagree a little bit, your using the wrong "cli cmd" to match what the webGUI shows. Try the following instead;
get system fortiguard
What I've been noticing imho;
" the above cmd matches the webgui"
" get system fortiguard-service status" always shows a value that 1-2 days more than the above cmd.
PCNSE
NSE
StrongSwan
Hello emnoc,
I think you did not catch my point, what I meant is that there are differences between different sections of the GUI, in addition of the difference shown in the output of the CLI, so maybe this caused some problem with the feature.
GUI
Dashboard License Info: shows the Mobile & Botnet C&C correctly licensed.
System Global - Fortiguard: there is no Mobile & Botnet C&C license, instead there are Botnet IP & Botnet Domains references under the Antivirus license, and there is some problem with Botnet Domains, as it is empty,.
CLI
get system fortiguard-service status: there is no Mobile & Botnet C&C license, instead there is the Botnet Definitions reference, with the expiration as N/A.
The output of "get system fortiguard" does not show the expiration dates of all the licenses, as they are shown on the GUI.
(global) # get system fortiguard port : 8888 load-balance-servers: 1 antispam-force-off : disable antispam-cache : enable antispam-cache-ttl : 1800 antispam-cache-mpercent: 2 antispam-license : Contract antispam-expiration : Mon Jan 2 2017
antispam-timeout : 7 webfilter-force-off : disable webfilter-cache : enable webfilter-cache-ttl : 3600 webfilter-license : Contract webfilter-expiration: Mon Jan 2 2017
webfilter-timeout : 15 sdns-server-ip : "80.85.69.54" sdns-server-port : 53 source-ip : 0.0.0.0 source-ip6 : :: ddns-server-ip : 0.0.0.0 ddns-server-port : 443
I do not have any news about this issue on the case.
Regards,
Paco.
@Jeremiah,
Have you run diag sys top when its hitting conserve mode to get an idea of what's using up resources?
Also, are you doing SSL Inspection? If so, and you're inspecting all ports, you might be running into the bug described in https://forum.fortinet.com/tm.aspx?m=138192#139367 or something similar.
I'm seeing a memory issue with 5.4.1 on a FG 80D. It went to conserve mode and dropped back to 72%. I could not add new policies or make changes.
Killed the reportd process and that freed up enough memory to make changes again. Rebooted last night and the memory usage went back down to 47%. Up to 50% this morning as people are starting to work. I'll keep an eye on it.
Hello Enmoc,
I think you did not undertand what this issue is. as I said that the problem arises when enabling/disabling a policy rule, which is a new feature of the FortiOS 5.4, as I have checked on several FortiOS (5.2.5, 5.2.8 and 5.4.1), so it is not a normal behaviour.
The FW places the SEQ # in the order which you apply them on the GUI, but with the command diagnose firewall proute list, the order is different that is applied on the GUI. The ID is not user given, it is seen only via CLI with diagnose firewall proute list and the SEQ# is seen only via GUI, not via CLI.
The commands you said, get router info routing-table database only returns the static routing table, not the policy routing table, and diag ip rtcache list returns all the routing cache, I suppose our PBR will be there, but applied wrongly as seen with "diagnose firewall proute list".
Anyway, thanks for the reply.
Paco.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1698 | |
1092 | |
752 | |
446 | |
228 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.