bommi
Contributor III

FortiOS 6.4.1 is out

NSE 4/5/7
1 Solution
Jordan_Thompson_FTNT

Raudi wrote:

Yesterday I had an issue with 6.4.1 too: after 24 days in my home office my internet access was gone, so I logged in to the 100E and the device shows "conserve mode".

I did a little research and all the memory was used by "480" tasks with the name "node".

Now after a reboot the memory usage is going slowly straight up, so I think in a few days I must reboot the device again. At the moment I have 186 of the "node" tasks, and every few minutes I can count one more...

Thanks for the report. We are working on a fix for this issue for 6.4.2.

seadave

Belgarioz wrote:

Me.

There are some issues solved, like SSL VPN split tunnel not working on MacOS computers.

But there are some glitches (probably graphical) not working. Right now I am unable to set up a fabric device 'cause the page seems "broken".

Try Firefox vs Chrome? That works sometimes.

Andj
New Contributor

Hi, just updated my lab 60E and it broke DNS. I had to turn off DNS filter to get it to work.

I spoke to tech support. Their advice is to disable fortiguard-anycast and set udp port to 8888.

Apparently the option to change SDNS has been removed in 6.4.1 and disabling anycast re-enables SDNS access.

Good thing I wasn't sipping my coffee when the rep replied to my question:

Customer (09:46:30) So is this a bug with 6.4.1?

Amr (09:47:04) well it is still under investigation it is too early to confirm

I thanked him for the laugh

seadave
Contributor III

andrew@silverw.com wrote:

Hi, just updated my lab 60E and it broke DNS. I had to turn off DNS filter to get it to work.

I spoke to tech support. Their advice is to disable fortiguard-anycast and set udp port to 8888.

Apparently the option to change SDNS has been removed in 6.4.1 and disabling anycast re-enables SDNS access.

That's interesting. I had some DNS issues also. I used two Synology NAS as my internal DNS and I thought I was blocking those. I ended up enabling a DNS listener on the LAN interface and setting my FortiGate LAN IP as the forwarder IP for my Synology DNS. That worked. FortiGate is configured with Fortinet DNS IPs.

brizvi_FTNT

Belgarioz wrote:

But there are some glitches (probably graphical) not working. Right now I am unable to set up a fabric device 'cause the page seems "broken".

Were you able to get it to work? If not, can you post some screen captures?

aagrafi
Contributor II

No time for debugging...

neonbit
Valued Contributor

Note a big change with 6.4.1 is that SDWAN interfaces are now added into zones. I upgraded from 6.4.0 and the interface zones got created automatically.

It's a cool feature as you can now just reference the SDWAN zones in your policies.

Still waiting for FMG 6.4.1 before I upgrade my main devices.

Magnitude_8
New Contributor II

I've just updated my first FortiGate from 6.4.0 to 6.4.1. Initial testing looks good. Feels like this should have been the 6.4.0 release. New dashboards replace FortiView and the GUI just seems much faster.

Only issue I have found so far is the way SD-WAN is upgraded to SD-WAN Zones. Rather than upgrading the old SD-WAN interface to an SD-WAN Zone, member interfaces are added to separate SD-WAN Zones (virtual-wan-link and upg-zone-wan1 in my case).

This means that the old SD-WAN interface has been replaced with two zones in all policies and Interface Pair View can no longer be activated.

I assume I can just move the secondary interface to the virtual-wan-link zone and delete upg-zone-wan1 from all the rules, but am not certain. Also, the default route is still SD-WAN, so I'm not clear how traffic is now being routed.

In general, this looks like a good update, but I wish Fortinet had provided a bit more guidance around SD-WAN. I'll post again if I experience any issues.

thuynh_FTNT

> Only issue I have found so far is the way SD-WAN is upgraded to SD-WAN Zones. Rather than upgrading the old SD-WAN interface to an SD-WAN Zone, member interfaces are added to separate SD-WAN Zones (virtual-wan-link and upg-zone-wan1 in my case).

Hi there, did you use an individual SD WAN member in a firewall policy before the upgrade? If so, the firmware upgrade will detect that and auto-create an "upg-zone-xxx" SD WAN zone for that member interface and move it there. If not, all SD WAN members should stay in a default "virtual-wan-link" zone. Let me know if that's not the case. If so, please send me your related SD WAN config.

owla

Double post

thuynh_FTNT

owla wrote:

Same happened with SD-WAN. 

2 member interfaces belong to virtual-wan-link and 1 member interface moved to upg-zone-wan1 after upgrade to 6.4.1.

I moved 1 member interface from upg-zone-wan1 to virtual-wan-link and had to update all firewall policies (deleted upg-zone-wan1) and Interface Pair View is OK now.

But still there are some more small issues:

- CLI from GUI doesn't work (lost connection).

- 'Firewall User Monitor' doesn't show 'User Group' for 'Radius Single Sign-on users' (RSSO works but just doesn't show name of 'User Group')

Decided to roll back to 6.2.4 and wait for the next update.

Thanks owla for the update. The CLI console and RSSO issue should be fixed in the next release.
