James_G
Contributor III

FortiOS 6.4 is out

https://docs.fortinet.com/product/fortigate/6.4

 

It's dropped support for the 30e / 50e, so I won't be able to try and load into test lab :(

4 Solutions
brizvi_FTNT

Hi Philippe,

 

Most of the monitor pages have been moved to the dashboard and can be added as widgets. This change is mentioned in the release notes here: https://docs.fortinet.com/document/fortigate/6.4.0/fortios-release-notes/743723/new-features-or-enha...

 

550911: Consolidate Monitor and FortiView pages.

FortiView and Monitor entries have been removed from the navigation bar. Most of the pages under them now show up as widgets in several newly added default dashboards. Exceptions being: 

- WiFi Client Monitor, which has been renamed to WiFi Clients and moved to the WiFi & Switch Controller section.

- Modem and WAN OPT pages which will still show up under Monitor if the feature is enabled.


andrewbailey

Hi all,

 

I've had 6.4 running on a 60E for 18 days now. No issues with the upgrade and very stable. I quite like some of the GUI rearrangements and the upgrade has resolved a few issues I was seeing in 6.2.3 so I'm impressed so far.

 

As others have commented I think a short list of features and known issues gives me more confidence in the 6.4 release going forward. Hope others have similar experience.

 

However, I had noticed today that memory usage had climbed a bit. Memory use was around 67% initially but had crept up to 80% today- so not serious, but would have triggered "Conserve Mode" in another day or two.

 

I had seen some comments (Reddit I think?) of someone else reporting similar issues which they believed were caused by the IOT daemon.

 

So quick diag check of the iotd:-

 

diag test app iotd 2
iotd_mem_stats:     alloc 2484424 free 734627 fail 0 now 258984944 max 258984944

.........

 

and then an iotd restart:-

 

diag test app iotd 99

 

gave me the following post-restart iotd memory stats:-

 

diag test app iotd 2
iotd_mem_stats:     alloc 1611 free 1 fail 0 now 253268 max 253268

.........

 

This dropped the overall memory use from 80% back to 67% again.

 

So might be one to look for, and may indicate a slow memory leak in the iotd process?

 

I'll keep an eye on it and raise a ticket if I see it continue.

 

Kind Regards,

 

 

Andy.

 

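An added example, not part of the original thread and not Fortinet code: a small Python parser for the `iotd_mem_stats` line quoted in the post above, which flags a reading when the `now` counter is large. Treating `now` as bytes currently held and the 64 MiB limit are assumptions; the two sample lines are built from the values quoted in the post.

```python
import re

# Matches the stats line printed by "diag test app iotd 2", as quoted in the post.
STATS_RE = re.compile(
    r"iotd_mem_stats:\s+alloc (\d+) free (\d+) fail (\d+) now (\d+) max (\d+)"
)
FIELDS = ("alloc", "free", "fail", "now", "max")


def parse_iotd_stats(text):
    """Return the counters from the first iotd_mem_stats line, or None."""
    m = STATS_RE.search(text)
    if m is None:
        return None
    return dict(zip(FIELDS, map(int, m.groups())))


def check_samples(samples, limit_mib=64):
    """Flag samples whose 'now' counter exceeds limit_mib or that report failures.

    samples: list of (label, raw CLI output). The 64 MiB limit and the reading
    of 'now' as bytes currently held are assumptions, not Fortinet guidance.
    """
    findings = []
    for label, raw in samples:
        stats = parse_iotd_stats(raw)
        if stats is None:
            # Output changed or the command failed: report it, do not skip it.
            findings.append((label, "no iotd_mem_stats line found"))
            continue
        outstanding = stats["alloc"] - stats["free"]
        now_mib = stats["now"] / 2**20
        if now_mib > limit_mib or stats["fail"] > 0:
            findings.append((label, f"now={now_mib:.1f} MiB, "
                             f"outstanding allocations={outstanding}, "
                             f"fail={stats['fail']}"))
    return findings


# Constructed from the two readings quoted in the post (before / after restart).
SAMPLES = [
    ("before restart", "diag test app iotd 2\niotd_mem_stats:     alloc 2484424 "
     "free 734627 fail 0 now 258984944 max 258984944"),
    ("after restart", "diag test app iotd 2\niotd_mem_stats:     alloc 1611 "
     "free 1 fail 0 now 253268 max 253268"),
]

if __name__ == "__main__":
    for label, detail in check_samples(SAMPLES):
        print(f"{label}: {detail}")
```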

Accionet

Hello.

 

I have the same problem with 6.4 on 60E and VLAN with PPPoE on WAN interface. IP not received from Internet Provider.

 

I've downgraded to 6.2.

 

Bye.


brizvi_FTNT

Tipdrill wrote:

- VLANs do not work, everything is configured correctly. I have VLANs with relay DHCP for Avaya phones and the traffic no longer passes. The policies are correct.

Likely encountered a known issue mentioned in the release notes here: https://docs.fortinet.com/document/fortigate/6.4.0/fortios-release-notes/236526/known-issues

VLANs on a FortiLink interface configured to use a hardware switch interface may fail to come up after upgrading or rebooting.

 

- The new GUI does not load the interface bandwidth widgets. They remain in continuous loading.

 

Can you disable `monitor-bandwidth` for the interface from the CLI (instructions below), remove the widget for it from the GUI and add it again and let me know if that helps? If it does work, then it is likely an issue that we are looking to fix in a subsequent patch. 

 

To disable `monitor-bandwidth` for an interface:

> config system interface

> edit [insert port you want to edit]

> set monitor-bandwidth disable

> end


38 REPLIES
Tipdrill

Magnitude 8 wrote:

I've upgraded a customer's 200E to FortiOS 6.4.0 and have found that iOS devices will no longer pass HTTP/HTTPS traffic when connected to a guest VLAN. The logs indicate DNS lookups are working, but no web traffic. Strange thing is that everything works fine on the corporate VLAN.

 

A packet capture on the guest VLAN doesn't reveal any web traffic is hitting the firewall, but this issue coincides with the firmware upgrade, so I find it hard to believe the issue is elsewhere.

 

Has anyone come across any issues with iOS devices on FortiOS 6.4.0?

See bug 622812: https://docs.fortinet.com/document/fortigate/6.4.0/fortios-release-notes/236526/known-issues

Magnitude_8

Bug 622812 doesn't describe the issue. FortiLink is not used.

simonorch

brizvi wrote:

 

VLANs on a FortiLink interface configured to use a hardware switch interface may fail to come up after upgrading or rebooting.

 

 

 

Yep, I hit this on my lab setup, 60F with a couple of FSW 108E on 6.4.1, both on upgrade and reboot. Deleting and reconfiguring the VLANs worked.

 

Found an interesting little effect whilst doing so. If you delete references to a native VLAN via network -> ref. in the GUI, which works fine for objects and policies, you in fact delete the entire managed switch.

NSE8 Fortinet Expert partner - Norway

Magnitude_8
New Contributor II

Update: downgrading to 6.2.2 resolved the issue for me.

 

I have previously downgraded these firewalls from 6.2.3 to 6.2.2 due to other bugs. The number of bugs in new firmware seems to have increased recently. Not sure if this is generally a problem, or related to the 200E models.

Jason_Xue_FTNT

For Andy Bailey,

Your case has been recorded in mantis 628489. Developer would like to get your input if possible:

We will review the iotd code carefully to identify the issue. However, is it possible to collect log from the "diag debug app iotd -1" when observing mem leak?

Thanks,

Jason

andrewbailey

JasonXue_FTNT wrote:

For Andy Bailey, Your case has been recorded in mantis 628489. Developer would like to get your input if possible: We will review the iotd code carefully to identify the issue. However, is it possible to collect log from the "diag debug app iotd -1" when observing mem leak? Thanks, Jason

Hi Jason,

Sure, happy to help. I’ve got a small script restarting the iotd each day- but I can stop that and let the memory use build up and pull those diag logs?

What’s the best way to share the output?

Kind Regards,

Andy.

Jason_Xue_FTNT

Hi Andy,

 

You can either attach the log in this post, or you can email me with the attachment: jxue@fortinet.com.

 

As long as you see the memory is up significantly, you can send the log. Then developer can take a look.

 

Thanks,

Jason

guanglei_FTNT

Hi Magnitude 8,

"I've upgraded a customer's 200E to FortiOS 6.4.0 and have found that iOS devices will no longer pass HTTP/HTTPS traffic when connected to a guest VLAN. The logs indicate DNS lookups are working, but no web traffic. Strange thing is that everything works fine on the corporate VLAN."

 

So the issue is DNS traffic can pass through FGT200E but http/https can't? Could you kindly describe your topology and config of FGT200E  (Or send mail to glli@fortinet.com)? 

Thanks

Guanglei

Jason_Xue_FTNT

Hi Andrew,

 

Developer has identified the root cause: FGT can’t resolve one of the iotd servers so it keeps consuming memory.

 

This function requires two servers:

 

globaldevcollect.fortinet.net -- 173.243.138.31

globaldevquery.fortinet.net – can’t be resolved by 208.91.112.53

 

For now, you can use the following way to avoid the memory increase. In the meantime FortiOS will make the fix to avoid the memory increase when the server is not reachable.

 

Once both DNS and the FortiGuard server (globaldevquery.fortinet.net) are ready, you also need to subscribe to a contract “IOTH” to make the query work. Currently Fortinet support hasn’t made this contract (SKU) available.

 

Thanks,

Jason

 

FortiGate-301E # sh sys dns-database
config system dns-database
    edit "1"
        set domain "fortinet.net"
        set authoritative disable
        config dns-entry
            edit 1
                set hostname "globaldevquery"
                set ip 173.243.138.31
            next
        end
    next
end
