Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
storaid
Contributor

FortiOS v5.2.4 is out(Unstable GUI, Bad SSLVPN)....

a little disappointed..

no enhancements..

it's just a bugs fixed release....

[size="5"]definitely 1 of terrible f/w for FOS...[/size]

 

UNSTABLE GUI

[size="6"]ANNOYING SSL VPN problem..............[/size]

 

[size="3"]fortinet, I think you must quickly push out next fixed release or give some explains.........[/size]

 

201508020844, CSB-150730-1-Partial-Config-Loss

FortiGate models listed below may lose configuration pertaining to IPsec interface, virtual access point interface, loopback interface, or virtual-switch interface after a reboot when the FortiGate is deployed with FortiOS 5.2.4 with build number 0688 and time 150722.

FGT20C3X12000161 # get sys stat

Version: FortiGate-20C v5.2.4,build0688,150722 (GA)

Potentially Affected Products:

FortiGate: FG-20C, FG-20C-ADSL, FG-30D, FG-30D-PoE, FG-40C

FortiWiFi: FW-20C, FW-20C-ADSL, FW-30D, FW-30D-PoE, FW-40C

Resolution:

FortiOS 5.2.4 software images for the models above have been rebuilt and re-posted on the customer support web site with build number 0688 and time 150730.

FWF60D x2 FWF60C x3 FGT80C rev.2 FGT200B-POE FAP220B x3 FAP221B x2

FSW224B x1

FWF60D x2 FWF60C x3 FGT80C rev.2 FGT200B-POE FAP220B x3 FAP221B x2 FSW224B x1
2 Solutions
seadave
Contributor III

Why does this keep happening?  Fortinet makes such great hardware, but they have seriously burned some of us with bad firmware releases.  I'm a constant Fortinet advocate, but this kind of crap demonstrates a lack of QC and concern for the customer environment.  These type of issues should definitely be exposed by a good QC system and if the firmware has the potential to wipe a config, for godness sakes it should not be released.  Those of us who are long time Fortinet customers have learned to be wary of new releases and to always reboot the appliance, take a back up, and wait for others to expose the bugs, but it doesn't need to be that way with the right internal controls at Fortinet.  Pick up the slack guys.  You make a great product but you are tripping over your own feet when you release builds like this.

View solution in original post

GusTech

dfollis wrote:

Why does this keep happening?  Fortinet makes such great hardware, but they have seriously burned some of us with bad firmware releases.  I'm a constant Fortinet advocate, but this kind of **** demonstrates a lack of QC and concern for the customer environment.  These type of issues should definitely be exposed by a good QC system and if the firmware has the potential to wipe a config, for godness sakes it should not be released.  Those of us who are long time Fortinet customers have learned to be wary of new releases and to always reboot the appliance, take a back up, and wait for others to expose the bugs, but it doesn't need to be that way with the right internal controls at Fortinet.  Pick up the slack guys.  You make a great product but you are tripping over your own feet when you release builds like this.

Completely agree!! And this is NOT the first time this happens........

Fortigate <3

View solution in original post

Fortigate <3
111 REPLIES 111
emnoc
Esteemed Contributor III

So to wrap this up, as @emnoc suggests:   1. Always try and test first.  (We all know how hard this can be especially for those folks running 10 versions of FGs or if they only have one like most small shops.) 2. Reboot your firewall before update to release memory. 3. Create at least two backup configs. 4. Have a copy of the current running firmware handy in the event you need to regress and you can't download easily because your Internet is down! 5. Upgrade after hours so you have enough time to recover, don't do it in the AM! (This can be an issue if you don't have 24x7 support though). 6. Have the cables available if you have to regress/clean OS boot, console, etc., including TFTP software. (This is a good read that goes over how to transfer a config and recover if necessary http://docs.fortinet.com/uploaded/files/1702/Transferring_a_configuration_file_from_one_model_to_ano...) 7. Wait at least a month when a build is released before installing, monitor issues via this forum. 8. READ THE RELEASE NOTES! 9. Cross your fingers :)

 

 

You said it better than I ,  but that about all that we can do & a great summary

 

Now on this reply;

 

I do not agree at all!    I'll write short You can not mean this seriously!!... Such serious mistakes all the time really can not be justified! This is actually not beta release!!! Had this happened in a beta relase, so maybe we should just accepted it. This release neither adds any new big functionality... It's not where it has failed and has failed up through time.   For example SonicOS and Mikrotik(-utm) has much more functionality than FortiOS. Which are both cheaper and do not have these problems. And for example, just look at wifi, there have Fortinet NEVER succeeded!!!. It is just full of ****!   Sorry, OT.

 

You can't be serious or taken serious  if your comparing a dell sonicwall or mikrotik to a fortinet or any other major firewall vendor.

 

Neither of these 2 are true contenders or even sit in the same magic quadrant within the security sector. Like you said , they are cheaper and gear'd a for a totally different market & end-user. These SOHO/SMB end user appliance are comparitive to a linksys or dell device, but nowhere in the same camp or forest of a FTNT JNPR CSCO PANW etc...

 

Even the dellSonicWall has increased in the last  2 years due to the intergration of more UTM fetaures. FWIW, Even dell or Hp network has problems that crop up and they don't release code or features as quickly as  FTNT JNPR PANW , and if I had to guess they have a bigger ( the former two  ) than the later 3.

 

Is FTNT QA process 100% fault free no, In no way or shape I 'am I saying the fortinet products are best or flaw-less but they spend  a lot to try to stay ahead of the game. For the hassle and the number of new products they support they do pretty good if you sit down and compare apples and apples and no  oranges or pears.

 

 

I do agree with this tho;

 

This is actually not beta release!!! Had this happened in a beta relase, so maybe we should just accepted it.

 

FTNT needs to up it's game, competition is tight.

 

Ken

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
GusTech
Contributor II

emnoc wrote:

 

You can't be serious or taken serious  if your comparing a dell sonicwall or mikrotik to a fortinet or any other major firewall vendor.

 

 Neither of these 2 are true contenders or even sit in the same magic quadrant within the security sector. Like you said , they are cheaper and gear'd a for a totally different market & end-user. These SOHO/SMB end user appliance are comparitive to a linksys or dell device, but nowhere in the same camp or forest of a FTNT JNPR CSCO PANW etc...

 

Even the dellSonicWall has increased in the last  2 years due to the intergration of more UTM fetaures. FWIW, Even dell or Hp network has problems that crop up and they don't release code or features as quickly as  FTNT JNPR PANW , and if I had to guess they have a bigger ( the former two  ) than the later 3.

 

 

The reason I compare with them is that those actually better because those works! For example * 60C * over 50% of all those I have sold have died due HW fault!! And in addition I have spent hundreds of hours with customer due . Because of tremendously FW updates . I've never done that with customers I supports with Mikrotik , Checkpoint or SonicWALL. If we disregard the UTM, Mikrotik has more core functionality.

 

Fortigate <3

Fortigate <3
emnoc
Esteemed Contributor III

Okay I will give  you  that, but there's leaders and challengers, and neither  have  mikrotik or sonicwall listed, I don't think they every been listed in the same quadrant, and that's what " I was trying to say" and point out. So it's alittle silly to compare fortigate to these 2 vendors.

 

The Fortinet real contenders are Juniper and Cisco, they ALL are behind  PaloAlto ( imho ) on many things and areas, but than again   they ( PANW ) is  targeting a different market and have a smaller footprint to maintain. I think under 10 units if you  take out the PA-2000s.

 

Either way, I've wasted enough bits-n-bytes in this thread.

 

 

 

 

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
GusTech
Contributor II

I completely agree that there is a difference between these. But, my point is that these actually deliver good solutions that work... It is not silly to compare, I encounter these questions from my clients all the time! Especially all those self-created problems Fortinet creates by them self..  It's terribly bad of a large "professional" supplier that Fortinet want to be. 

 

When there is so much trouble there is a huge problem. And we should expect that things work better.. We have to defend Fortinet with tooth and nail every single day! Outside these issues, I personally love Fortinet Hardware/FortiOS, and want it to be the best!.

Fortigate <3

Fortigate <3
seadave

BrUz wrote:

I completely agree that there is a difference between these. But, my point is that these actually deliver good solutions that work... It is not silly to compare, I encounter these questions from my clients all the time! Especially all those self-created problems Fortinet creates by them self..  It's terribly bad of a large "professional" supplier that Fortinet want to be. 

 

When there is so much trouble there is a huge problem. And we should expect that things work better.. We have to defend Fortinet with tooth and nail every single day! Outside these issues, I personally love Fortinet Hardware/FortiOS, and want it to be the best!.

Here, here.  Even with all of the frustration we are experiencing, I'd still take Fortinet over all due the performance/features/price as compared to everyone else.  But that doesn't mean I won't consider a more stable or capable solution if I find it.  I never stop looking.  I'm loyal but not devout :)

 

I once had a Cisco team in my office before the Sourcefire purchase, and I asked them why the ASA still didn't have AV capability.  Their response was that they didn't think AV was important at the gateway.  I almost laughed them out of the office.  I've never had a major breach or malware infection in 8 years and AV on the Fortinet is one of the key reasons in my opinion.

Paul_S
Contributor

I agree with the comments on quality control lacking. New firmware releases seem to be hit or miss. Good QC should produce consistently stable and good quality firmware releases. 

 

My very first firmware upgrade in 2010 caused 20% of my policies to disappear!  I hold my breath during all Foritgate upgrades ever since!  Not all, but many of the upgrades since then have left me with the post update dilemma that I am sadly getting used to: do I live with major bug X in the new release or downgrade back to living with major bug Y?  I try to weigh risks and choose the one that impacts me the least, but often the choices are horrible.

 

I accept bugs and an imperfect world, but that does mean I should expect major bugs to slip past beta testing in most releases! Only minor bugs should get past beta testing!

 

FG200D 5.6.5 (HA) - primary [size="1"]FWF50B' s 4.3.x, FG60D's 5.2.x, FG60E's 5.4.x                   [Did my post help you? Please rate my post.][/size] FAZ-VM 5.6.5  |  Fortimail 5.3.11 Network+, Security+

FG200D 5.6.5 (HA) - primary [size="1"]FWF50B' s 4.3.x, FG60D's 5.2.x, FG60E's 5.4.x [Did my post help you? Please rate my post.][/size] FAZ-VM 5.6.5 | Fortimail 5.3.11 Network+, Security+
FatalHalt

Paul S wrote:

Not all, but many of the upgrades since then have left me with the post update dilemma that I am sadly getting used to: do I live with major bug X in the new release or downgrade back to living with major bug Y?  I try to weigh risks and choose the one that impacts me the least, but often the choices are horrible.

Exactly. We've internally discussed (but not yet built) a reference sheet for working features. I have a number of diffeent customers, each with specific needs and pain points. Customer X might need SSLVPN, but would also like a few of the features in the 5.2 code, while Customer Y is using Radius, and Customer Z needs to have a read-only admin account for some auditing purposes.

 

Normally, I would like to just pick one firmware version and stick with it. But inevitably something seems to be amiss in any given release. 5.2.4 is SSLVPN and etc, 5.2.2 was the all service bug (fixable), 5.0.9-11(?) allowed a read only admin to make changes. 

emnoc
Esteemed Contributor III

 

Here, here.  Even with all of the frustration we are experiencing, I'd still take Fortinet over all due the performance/features/price as compared to everyone else.  But that doesn't mean I won't consider a more stable or capable solution if I find it.  I never stop looking.  I'm loyal but not devout :)

 

 

I agreed and have to laugh that 5.2.x has only been out for  a year  and we are  already heart broken. I can only hope that 5.2.5  is better, and 5.3.x is even more better.

 

Ken

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
GusTech
Contributor II

+ Google Chrome is unstable on all devices running 5.2.4.

Fortigate <3

Fortigate <3
Jordan_Thompson_FTNT

BrUz wrote:

+ Google Chrome is unstable on all devices running 5.2.4.

You are likely running into this Google Chrome issue that causes certificate exemptions to be reset:-

 

https://code.google.com/p/chromium/issues/detail?id=513903

https://code.google.com/p/chromium/issues/detail?id=473390

 

It is not a FortiOS bug. Using a trusted certificate would solve the problem.

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors