Support Forum
storaid
Contributor

FortiOS v5.2.4 is out (Unstable GUI, Bad SSLVPN)....

a little disappointed..

no enhancements..

it's just a bugs fixed release....

definitely one of the terrible f/w for FOS...

UNSTABLE GUI

ANNOYING SSL VPN problem..............

Fortinet, I think you must quickly push out the next fixed release or give some explanation.........

201508020844, CSB-150730-1-Partial-Config-Loss

FortiGate models listed below may lose configuration pertaining to IPsec interface, virtual access point interface, loopback interface, or virtual-switch interface after a reboot when the FortiGate is deployed with FortiOS 5.2.4 with build number 0688 and time 150722.

FGT20C3X12000161 # get sys stat

Version: FortiGate-20C v5.2.4,build0688,150722 (GA)

Potentially Affected Products:

FortiGate: FG-20C, FG-20C-ADSL, FG-30D, FG-30D-PoE, FG-40C

FortiWiFi: FW-20C, FW-20C-ADSL, FW-30D, FW-30D-PoE, FW-40C

Resolution:

FortiOS 5.2.4 software images for the models above have been rebuilt and re-posted on the customer support web site with build number 0688 and time 150730.

FWF60D x2 FWF60C x3 FGT80C rev.2 FGT200B-POE FAP220B x3 FAP221B x2 FSW224B x1
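
The bulletin quoted above identifies the at-risk units by model, build number and build date, so the quickest check across a fleet is to parse the first line of `get system status` on each box. The following Python is an added example written for this thread, not Fortinet's code and not the poster's: it pulls the platform, version, build and date out of that line and classifies the unit as affected (build0688 dated 150722 on a listed model), rebuilt (the same build re-posted with date 150730), some other build, or out of scope. The mapping from the long platform name to the bulletin's short form (FortiGate-20C to FG-20C, FortiWiFi-20C to FW-20C) is an assumption, and the sample output is constructed.

```python
import re

# Scope of CSB-150730-1 as quoted in the post: FortiOS 5.2.4 build0688 dated
# 150722 on these models may lose interface configuration after a reboot.
# The re-posted image keeps build0688 but carries the date 150730.
AFFECTED_MODELS = frozenset({
    "FG-20C", "FG-20C-ADSL", "FG-30D", "FG-30D-PoE", "FG-40C",
    "FW-20C", "FW-20C-ADSL", "FW-30D", "FW-30D-PoE", "FW-40C",
})
AFFECTED_BUILD = ("v5.2.4", "build0688", "150722")
REBUILT_BUILD = ("v5.2.4", "build0688", "150730")

# Matches the first line of 'get system status', e.g.
#   Version: FortiGate-20C v5.2.4,build0688,150722 (GA)
VERSION_RE = re.compile(
    r"^Version:\s*(?P<platform>\S+)\s+(?P<version>v[\d.]+),"
    r"(?P<build>build\d+),(?P<date>\d{6})\s*\((?P<branch>\w+)\)"
)

# Constructed sample output; only the Version line follows the format quoted in the post.
SAMPLE_AFFECTED = """\
Version: FortiGate-20C v5.2.4,build0688,150722 (GA)
Virus-DB: 0.00000(0000-00-00 00:00)
Serial-Number: FGTXXXXXXXXXXXXX
Operation Mode: NAT
Current HA mode: standalone
"""


def parse_version(status_output):
    """Extract platform/version/build/date/branch from 'get system status' text."""
    for line in status_output.splitlines():
        m = VERSION_RE.match(line.strip())
        if m:
            return m.groupdict()
    raise ValueError("no 'Version:' line found in status output")


def short_model(platform):
    """Map the long platform name to the bulletin's short form.

    Assumed naming: 'FortiGate-30D-PoE' -> 'FG-30D-PoE', 'FortiWiFi-40C' -> 'FW-40C'.
    Anything else is returned unchanged.
    """
    family, _, suffix = platform.partition("-")
    prefix = {"FortiGate": "FG", "FortiWiFi": "FW"}.get(family)
    return f"{prefix}-{suffix}" if prefix and suffix else platform


def assess(status_output):
    """Classify a unit against the bulletin.

    Returns one of: 'affected', 'rebuilt', 'other-build', 'not-in-scope'.
    """
    info = parse_version(status_output)
    if short_model(info["platform"]) not in AFFECTED_MODELS:
        return "not-in-scope"
    triple = (info["version"], info["build"], info["date"])
    if triple == AFFECTED_BUILD:
        return "affected"
    if triple == REBUILT_BUILD:
        return "rebuilt"
    return "other-build"


if __name__ == "__main__":
    print(assess(SAMPLE_AFFECTED))  # affected
```

Feed it the captured output of `get system status` from each unit; anything reported as "affected" is a candidate for the re-posted image and for a config comparison after the next reboot.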
Diabolicus23
New Contributor

I've got *a lot* of issues with 5.2.4, most related to external access (administrative and SSLVPN) and some related to routing.

I've 3 ISPs, and changing the distance/priority settings of a route on an interface changes the behaviour of another interface.

Really really bad issues, trust me.

If I downgrade to 5.2.3 will I lose something important?

Paul_S
Contributor

For those in this thread with a 20/30/40 model, there is a new bulletin out about serious issues with 5.2.4. There is now a new build; you must download it from Fortinet again to get the fix.

Partial Configuration Loss running 5.2.4 https://support.fortinet....lletin.aspx?section=38

FG200D 5.6.5 (HA) - primary FWF50B's 4.3.x, FG60D's 5.2.x, FG60E's 5.4.x [Did my post help you? Please rate my post.] FAZ-VM 5.6.5 | Fortimail 5.3.11 Network+, Security+
pcraponi
Contributor II

Has someone contacted TAC and got an official reply about the route/metric issues?

Regards, Paulo Raponi
GusTech
Contributor II

Why only a new ASAP build for the small boxes... I'd be wary of running back 5.2.4 in production. Seems like a small test before they dare to do the same on the larger boxes.

I'm also running a new 5.2.4 setup (not upgraded) with a FWF90D in production, and have various problems there too, especially with wifi and FAP321C..

Fortigate <3
seadave
Contributor III

Why does this keep happening? Fortinet makes such great hardware, but they have seriously burned some of us with bad firmware releases. I'm a constant Fortinet advocate, but this kind of crap demonstrates a lack of QC and concern for the customer environment. These types of issues should definitely be exposed by a good QC system, and if the firmware has the potential to wipe a config, for goodness' sake it should not be released. Those of us who are long-time Fortinet customers have learned to be wary of new releases and to always reboot the appliance, take a backup, and wait for others to expose the bugs, but it doesn't need to be that way with the right internal controls at Fortinet. Pick up the slack, guys. You make a great product, but you are tripping over your own feet when you release builds like this.

GusTech

dfollis wrote:

Why does this keep happening? Fortinet makes such great hardware, but they have seriously burned some of us with bad firmware releases. I'm a constant Fortinet advocate, but this kind of **** demonstrates a lack of QC and concern for the customer environment. These types of issues should definitely be exposed by a good QC system, and if the firmware has the potential to wipe a config, for goodness' sake it should not be released. Those of us who are long-time Fortinet customers have learned to be wary of new releases and to always reboot the appliance, take a backup, and wait for others to expose the bugs, but it doesn't need to be that way with the right internal controls at Fortinet. Pick up the slack, guys. You make a great product, but you are tripping over your own feet when you release builds like this.

Completely agree!! And this is NOT the first time this happens........

Fortigate <3
FatalHalt

dfollis wrote:

Why does this keep happening? Fortinet makes such great hardware, but they have seriously burned some of us with bad firmware releases. I'm a constant Fortinet advocate, but this kind of **** demonstrates a lack of QC and concern for the customer environment. These types of issues should definitely be exposed by a good QC system, and if the firmware has the potential to wipe a config, for goodness' sake it should not be released. Those of us who are long-time Fortinet customers have learned to be wary of new releases and to always reboot the appliance, take a backup, and wait for others to expose the bugs, but it doesn't need to be that way with the right internal controls at Fortinet. Pick up the slack, guys. You make a great product, but you are tripping over your own feet when you release builds like this.

100% agreed. I'm still running 5.0.7 because anything past that has some pretty broken stuff - not that 5.0.7 is any magnificent creation, mind you, but at least it's the devil I know.

Unfortunately, Fortinet has really earned a botched rep around here due to some of these spectacular firmware bugs. It's become a joke. At this point I have a hard time trusting any new revision, much less want to volunteer to go on the chopping block and take a leap of faith installing them. Sure, I can load firmware in my lab and test it all I want, but I just can't create enough tests or load to cover all of the different scenarios that my production boxes encounter. To be a bit honest, I don't feel like I should have to. We love the Fortigates, but we don't trust them. That's a pretty tough position to be in for a company such as mine. 

emnoc
Esteemed Contributor III

Why does this keep happening?

Nobody really knows, but you need to go back a decade plus or more, to when FortiOS 2.8 was let out of the box, when Fortinet left us with either non-working functions or security issues or exposure. This is not new, what's going on here, guys and gals..

Fortinet has always tried to do way too much, and add too much at one given time, and without vetting everything. They've always been the 1st to show product XYZ or trying to put something out on the market quickly and speedily, which almost always leaves somebody with a bad taste and heartburn. Then factor in that they have way more products today to support and develop versus 4, 8 or 12+ years ago.

You know you don't see this kind of stuff leaking through in the Palo, Juniper or Cisco shop. But these 3 big players have kept their offerings to a much smaller footprint or rely on 3rd party or off-appliance to close the gaps in the security sector.

QA & QC has always been an underfunded/under-budgeted dept in almost any software shop that I've ever worked with, and I'm betting FTNT is the same. The same holds true for MS/Windows (you see all the problems in MS offerings?). So they will not catch everything & nobody should expect that.

Your best QC is really the end-user(s). And no outfit can claim everything is 100% correct or perfect. If they were perfect, they wouldn't have a version 1, 2, 3 and so on. It would be done right in the 1st version.

FTNT has about 16 various verticals that they sell under, and within the firewall appliances the last count has it at over 32 different units, & not including the virtualized world.

So let's help FTNT find the problems by:

1> being good end-users and opening tickets and following through
2> participating in beta programs
3> meeting with your local and regional sales teams
4> making fair assessments and reviews
5> contributing findings and follow-up in this forum.

Who pays? The end-users.

PCNSE 

NSE 

StrongSwan
seadave
Contributor III

emnoc wrote:

Why does this keep happening?

Nobody really knows, but you need to go back a decade plus or more, to when FortiOS 2.8 was let out of the box, when Fortinet left us with either non-working functions or security issues or exposure. This is not new, what's going on here, guys and gals...

I seem to have scratched a nerve here. I should note that I'm running 5.2.3 on a 500D without major detected issues until today. I started to try and track down why a malicious macro-laden DOC file, which Fortinet's engine on VirusTotal later detected, was let through to a few users prior to me testing it on VT. I have SSL deep scanning enabled for the SMTP/TLS connection involved, but the file was not detected when it passed through our FG this AM. I'm thinking it is an issue with TLS, but others have noted that shouldn't be the case. Fortunately another layer did detect it and prevented compromise, but I'm still following up on the SSL scanning and AV or lack thereof. (Maybe bug 275724.) (I always test with EICAR when I update and all checked out previously, but something is up or these files should have been flagged. I guess it is possible that the signature was updated between delivery to us and my scan on VT (~3 hrs), but it's hard to know if that is the case.)

I've also been using FN products since ~2007. AV scanning at the gateway was always the #1 feature for me. As threats have evolved, IDS/IPS is now more important, with content filtering as a bonus (AV is still important of course). DLP has kind of been screwed up since v5.X in my opinion, as we use it more to control file types coming in than going out, and the new UI makes that nearly impossible to manage from the GUI. (Fortinet note: we need a DLP block AND allow capability.)

I would agree with @emnoc that casual upgrading is probably our own worst enemy here, but it does seem like terribly obvious bugs make it to the end user too easily and too often. Shortcomings are often mentioned in the release notes, but I often find myself asking "why would you allow that out to the public in the first place?"

Examples from 5.2.3 supposedly fixed in 5.2.4 are:

"276206 urlfilter in the proxy does not handle URL patterns without a hostname" or "279677 After setting TLS 1.0, the SSL proxy still uses TLS 1.2 in the client hello handshake". The first one seems kind of obvious; the second is the type of bug that drives one insane until realized, but GUI feedback indicating errors should make it easier for users to visualize these errors with proper development. Maybe I'm hoping for too much :)

The product depth is a concern. Too many models with too many "hidden" limitations. For example, I just purchased a 60D for a project when I was going to purchase a 90D, because our vendor said the 90D does not manage FortiSwitches well. Go figure. Seems like Fortinet could build 50, 150, 250, 500, 1000, etc. firewalls that were scaled for the number of users based on the model number, or better yet, allow us to add Fortinet-provided/authorized memory upgrades when low RAM is the only limiting factor, which is so often the case!

Because this isn't the case now, you have to be very careful when sizing, because 200 is not necessarily better than 100, C/D, etc. Gets very confusing for the customer. Local SE is your friend in this case.

So to wrap this up, as @emnoc suggests:

1. Always try and test first.  (We all know how hard this can be especially for those folks running 10 versions of FGs or if they only have one like most small shops.)

2. Reboot your firewall before update to release memory.

3. Create at least two backup configs.

4. Have a copy of the current running firmware handy in the event you need to regress and you can't download easily because your Internet is down!

5. Upgrade after hours so you have enough time to recover, don't do it in the AM! (This can be an issue if you don't have 24x7 support though).

6. Have the cables available if you have to regress/clean OS boot, console, etc., including TFTP software. (This is a good read that goes over how to transfer a config and recover if necessary http://docs.fortinet.com/uploaded/files/1702/Transferring_a_configuration_file_from_one_model_to_ano...)

7. Wait at least a month when a build is released before installing, monitor issues via this forum.

8. READ THE RELEASE NOTES!

9. Cross your fingers :)

Finally, learn to use a program like Notepad++ to download and review your configs. If you have ported the same configs across multiple versions, you'd be surprised how much crap is in the config files. You can use "diagnose debug config-error-log read" to display these errors also.

I feel like, putting the 5.0 debacle aside, Fortinet has been giving us more stable releases, but that obviously has not been the case for everyone and they can still do better. These types of problems should increasingly be the exception and less common than they are currently.
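
Steps 2 and 3 in the checklist above (reboot, then keep more than one backup config) line up with the failure mode in the bulletin quoted in the opening post, where IPsec, VAP, loopback or virtual-switch interface entries vanish after a reboot. Comparing the `config system interface` section of a pre-reboot and a post-reboot backup turns that into a mechanical check. The Python below is an added example written for this thread, not code from Fortinet or from the poster: it parses that section out of two backups, tracking `config`/`end` nesting so sub-blocks inside an `edit` do not close the section early, and lists the interfaces that were present before and are gone afterwards. The config snippets are constructed; `set type loopback` and `set type tunnel` are the FortiOS types for loopback and IPsec tunnel interfaces.

```python
# Compare the 'config system interface' section of two FortiOS config backups
# (before and after a reboot) and report entries that disappeared.
# Both snippets below are constructed for illustration.

BEFORE_REBOOT = """\
config system interface
    edit "wan1"
        set vdom "root"
        set ip 203.0.113.2 255.255.255.0
        set type physical
    next
    edit "loop0"
        set vdom "root"
        set ip 198.51.100.1 255.255.255.255
        set type loopback
        config ipv6
            set ip6-mode static
        end
    next
    edit "to_hq"
        set vdom "root"
        set type tunnel
        set interface "wan1"
    next
end
config router static
    edit 1
        set gateway 203.0.113.1
        set device "wan1"
    next
end
"""

# Same unit after the reboot: the loopback and the IPsec tunnel interface are gone.
AFTER_REBOOT = """\
config system interface
    edit "wan1"
        set vdom "root"
        set ip 203.0.113.2 255.255.255.0
        set type physical
    next
end
config router static
    edit 1
        set gateway 203.0.113.1
        set device "wan1"
    next
end
"""


def interfaces(config_text):
    """Return {name: type-or-None} for every 'edit' under 'config system interface'.

    config/end nesting is tracked so a sub-block inside an edit (such as
    'config ipv6') does not close the section early.
    """
    found = {}
    depth = 0              # nesting depth of config ... end blocks
    section_depth = None   # depth at which 'config system interface' opened
    current = None         # interface whose 'edit' block we are inside
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            depth += 1
            if section_depth is None and line == "config system interface":
                section_depth = depth
        elif line == "end":
            if depth == section_depth:
                section_depth = None
                current = None
            depth -= 1
        elif depth == section_depth:
            if line.startswith("edit "):
                current = line[5:].strip().strip('"')
                found[current] = None
            elif line == "next":
                current = None
            elif line.startswith("set type ") and current is not None:
                found[current] = line[len("set type "):].strip()
    return found


def lost_after_reboot(before_cfg, after_cfg):
    """Interfaces present in the earlier backup but absent from the later one."""
    before, after = interfaces(before_cfg), interfaces(after_cfg)
    return {name: before[name] for name in sorted(before) if name not in after}


def report(before_cfg, after_cfg):
    """Human-readable summary, one line per lost interface."""
    lost = lost_after_reboot(before_cfg, after_cfg)
    if not lost:
        return "OK: no interface entries lost"
    return "\n".join(f"LOST: {name} (type {kind or 'unspecified'})"
                     for name, kind in lost.items())


if __name__ == "__main__":
    print(report(BEFORE_REBOOT, AFTER_REBOOT))
```

Run it against the two backup files from step 3 (read them with `open().read()` in place of the constructed strings); a non-empty LOST list before any production traffic depends on those interfaces is the moment to regress to the previous firmware or restore the pre-reboot backup.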

 

GusTech
Contributor II

emnoc wrote:

Why does this keep happening?

Nobody really knows, but you need to go back a decade plus or more, to when FortiOS 2.8 was let out of the box, when Fortinet left us with either non-working functions or security issues or exposure. This is not new, what's going on here, guys and gals..

Fortinet has always tried to do way too much, and add too much at one given time, and without vetting everything. They've always been the 1st to show product XYZ or trying to put something out on the market quickly and speedily, which almost always leaves somebody with a bad taste and heartburn. Then factor in that they have way more products today to support and develop versus 4, 8 or 12+ years ago.

You know you don't see this kind of stuff leaking through in the Palo, Juniper or Cisco shop. But these 3 big players have kept their offerings to a much smaller footprint or rely on 3rd party or off-appliance to close the gaps in the security sector.

QA & QC has always been an underfunded/under-budgeted dept in almost any software shop that I've ever worked with, and I'm betting FTNT is the same. The same holds true for MS/Windows (you see all the problems in MS offerings?). So they will not catch everything & nobody should expect that.

Your best QC is really the end-user(s). And no outfit can claim everything is 100% correct or perfect. If they were perfect, they wouldn't have a version 1, 2, 3 and so on. It would be done right in the 1st version.

FTNT has about 16 various verticals that they sell under, and within the firewall appliances the last count has it at over 32 different units, & not including the virtualized world.

So let's help FTNT find the problems by:

1> being good end-users and opening tickets and following through
2> participating in beta programs
3> meeting with your local and regional sales teams
4> making fair assessments and reviews
5> contributing findings and follow-up in this forum.

Who pays? The end-users.

I do not agree at all!

I'll keep it short.

You cannot mean this seriously!!... Such serious mistakes all the time really cannot be justified!

This is actually not a beta release!!! Had this happened in a beta release, maybe we should just have accepted it. This release doesn't add any big new functionality either... It's not where it has failed, and it has failed up through time.

For example, SonicOS and Mikrotik (-utm) have much more functionality than FortiOS, are both cheaper, and do not have these problems. And for example, just look at wifi; there Fortinet has NEVER succeeded!!! It is just full of ****!

Sorry, OT.

Fortigate <3