well...
after long time ago, now it's out...
FWF60D x2 FWF60C x3 FGT80C rev.2 FGT200B-POE FAP220B x3 FAP221B x2
FSW224B x1
annoying bug..
JSON string....=^=
FWF60D x2 FWF60C x3 FGT80C rev.2 FGT200B-POE FAP220B x3 FAP221B x2
FSW224B x1
Other problems noted in 5.6
1: the diag debug flow show console enable is missing as an option
2: still can NOT upload an x509 certificate via GUI (pkcs12 or via pem cert+key)
3: a valid self-signed certificate for admingui access does NOT work, no matter how or what type of certificate we try to craft (standard, wildcard or SAN), if we paste it in via the cli "config vpn certificate local"
More to come ;)
PCNSE
NSE
StrongSwan
Again my FWF60D has hung up. We thought it crashed, but come to find out the HTTP process is hung. Since this is a remote hosted FW, I'm downgrading... Sorry, but v5.6.1 is a no-go for me ;(
PCNSE
NSE
StrongSwan
inexplicable radius server test:
FWF60D x2 FWF60C x3 FGT80C rev.2 FGT200B-POE FAP220B x3 FAP221B x2
FSW224B x1
Maybe it's a database migration? Have you tried to format log-disk?
Regards, Paulo Raponi
keij wrote: I cannot see Local traffic (Fortigate's self traffic) in FortiView of ver 5.6.1. In 5.2 we were able to see the fortigate local traffic. Is it no longer visible in the 5.6 series?
Hi Keij, that is correct. We do not show local traffic in FortiView starting 5.6.0
Has anyone tried to import a PFX certificate?
Importing a PFX certificate never works for me...
FWF60D x2 FWF60C x3 FGT80C rev.2 FGT200B-POE FAP220B x3 FAP221B x2
FSW224B x1
1. diag debug flow show console enable
This option was deprecated. No need to enable it during debug flow any more
emnoc wrote: Other problems noted in 5.6
1: the diag debug flow show console enable is missing as an option
2: still can NOT upload an x509 certificate via GUI (pkcs12 or via pem cert+key)
3: a valid self-signed certificate for admingui access does NOT work, no matter how or what type of certificate we try to craft (standard, wildcard or SAN), if we paste it in via the cli "config vpn certificate local"
More to come ;)
>disabling all utm features by Feature Visibility menu may experience this problem...
Hi storaid, thank you for reporting the issue. We have opened an internal ticket to track (0443647). A workaround is to enable Application Control visibility in Feature Visibility, which should allow the page to show the fields properly. We will fix it for 5.6.2
Hi Rojekj and Antonio, thank you for reporting the issue with SSL VPN. This is a known issue and should have been included in 5.6.1 release note (internal ticket 0442808). We already have a fix for it and we will update the release note shortly. Sorry for the miscommunication.
thuynh wrote: Hi Rojekj and Antonio, thank you for reporting the issue with SSL VPN. This is a known issue and should have been included in 5.6.1 release note (internal ticket 0442808). We already have a fix for it and we will update the release note shortly. Sorry for the miscommunication.
May I ask when you plan to release this fix? I'm going to be killed by my clients at the end of next week, unless I fix their VPN. And you are the only ones who can prevent this and save my poor life.
Updating release notes should happen, but does not resolve our issue.
You must understand that a crashing sslvpn daemon is a very serious bug that should be fixed in the first place, and in my opinion the release of new firmware that fixes this should occur immediately, without waiting for other fixes.
What was your reason for not staying with 5.4.5?
NSE 4/5/7
5.6.0 was released before 5.4.5 and it fixed some bugs. Most desired function for me was the domain (ldap) password change via web portal/forticlient, which was not working for 2FA users.
Hi All, @thuynh_FTNT I did a new quick test:
the original certificate was a wildcard + wildcard SAN signed by a Windows 2012 R2 Ent CA:
I'm unable to import p12/pfx from GUI even if I convert it using openssl/XCA
generating a new cert using openssl/XCA works (without CDP, CRL)
maybe it's something related to custom OIDs/CDP/CRL inserted by Windows CA
Regards

openssl cert config (working)

```
oid_section = xca_oids

[ xca_oids ]
dom = 1.3.6.1.4.1.311.20.2
MsCaV = 1.3.6.1.4.1.311.21.1
msEFSFR = 1.3.6.1.4.1.311.10.3.4.1
iKEIntermediate = 1.3.6.1.5.5.8.2.2
nameDistinguisher = 0.2.262.1.10.7.20
id-kp-eapOverPPP = 1.3.6.1.5.5.7.3.13
id-kp-eapOverLAN = 1.3.6.1.5.5.7.3.14
id-pkkdcekuoid = 1.3.6.1.5.2.3.5

[ req ]
default_bits = 1024
default_keyfile = privkey.pem
distinguished_name = xca_dn
x509_extensions = xca_extensions
req_extensions = xca_extensions
string_mask = MASK:0x2002
utf8 = yes
prompt = no

[ xca_dn ]
0.C=IT
1.ST=MI
2.L=MI
3.O=ICT
4.OU=OCP Org
5.CN=*.xdomain.local
6.emailAddress=sysadmin@xdomain.local

[ xca_extensions ]
nsCertType=server
subjectAltName=DNS:*.xxxxxx.com
keyUsage=digitalSignature, nonRepudiation, keyEncipherment
subjectKeyIdentifier=hash
basicConstraints=critical,CA:FALSE
```

like Windows 2012 R2 cert (XCA imported, not working):

```
oid_section = xca_oids

[ xca_oids ]
dom = 1.3.6.1.4.1.311.20.2
MsCaV = 1.3.6.1.4.1.311.21.1
msEFSFR = 1.3.6.1.4.1.311.10.3.4.1
iKEIntermediate = 1.3.6.1.5.5.8.2.2
nameDistinguisher = 0.2.262.1.10.7.20
id-kp-eapOverPPP = 1.3.6.1.5.5.7.3.13
id-kp-eapOverLAN = 1.3.6.1.5.5.7.3.14
id-pkkdcekuoid = 1.3.6.1.5.2.3.5

[ req ]
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = xca_dn
x509_extensions = xca_extensions
req_extensions = xca_extensions
string_mask = MASK:0x2002
utf8 = yes
prompt = no

[ xca_dn ]
0.CN=*.xdomain.local

[ xca_extensions ]
authorityInfoAccess=@authorityInfoAccess_sect
crlDistributionPoints=crlDistributionPoint0_sect
authorityKeyIdentifier=keyid
subjectAltName=DNS:*.xdomain.local, DNS:*.XXXXXX.com
subjectKeyIdentifier=hash
extendedKeyUsage=serverAuth
keyUsage=critical,digitalSignature, keyEncipherment
1.3.6.1.4.1.311.21.10=DER:30:0c:30:0a:06:08:2b:06:01:05:05:07:03:01
1.3.6.1.4.1.311.21.7=DER:30:2f:06:27:2b:06:01:04:01:82:37:15:08:81:bd:cc:71:86:96:82:07:87:a1:89:17:81:85:88:17:85:83:a5:06:81:51:87:8e:e3:2e:87:d2:82:64:02:01:66:02:01:04

[crlDistributionPoint0_sect]
fullname=@crlDistributionPoint0_sect_fullname_sect

[crlDistributionPoint0_sect_fullname_sect]
URI.0=ldap:///CN=VM-SUBCA-XXXXX,CN=VM-SUBCA-XXXXX,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=xdomain,DC=local?certificateRevocationList?base?objectClass=cRLDistributionPoint

[authorityInfoAccess_sect]
caIssuers;URI.0=ldap:///CN=VM-SUBCA-XXXXX,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=xdomain,DC=local?cACertificate?base?objectClass=certificationAuthority
```
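An added example, not part of the original post and not Fortinet or XCA code: a small Python helper that diffs the `[ xca_extensions ]` sections of the two configs quoted above, listing what the failing Windows-CA-style certificate carries that the working one does not, so each candidate can be tested for import one at a time. The function names and the trimmed sample strings are constructed for illustration.

```python
# .21.7 = certificate template information, .21.10 = application policies
MS_ARC = "1.3.6.1.4.1.311."  # Microsoft enterprise OID arc

# Constructed samples: the [ xca_extensions ] sections of the two configs in the post.
WORKING = """[ xca_extensions ]
nsCertType=server
subjectAltName=DNS:*.xxxxxx.com
keyUsage=digitalSignature, nonRepudiation, keyEncipherment
subjectKeyIdentifier=hash
basicConstraints=critical,CA:FALSE
"""
FAILING = """[ xca_extensions ]
authorityInfoAccess=@authorityInfoAccess_sect
crlDistributionPoints=crlDistributionPoint0_sect
authorityKeyIdentifier=keyid
subjectAltName=DNS:*.xdomain.local, DNS:*.XXXXXX.com
subjectKeyIdentifier=hash
extendedKeyUsage=serverAuth
keyUsage=critical,digitalSignature, keyEncipherment
1.3.6.1.4.1.311.21.10=DER:30:0c:30:0a:06:08:2b:06:01:05:05:07:03:01
1.3.6.1.4.1.311.21.7=DER:30:2f  # DER value shortened in this sample
"""

def parse_sections(text):
    """Parse OpenSSL-style config text into {section: {key: value}}."""
    sections, current = {}, "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop '#' comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()  # "[ name ]" and "[name]" both occur
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            sections.setdefault(current, {})[key.strip()] = value.strip()
    return sections

def is_critical(value):
    return value.split(",", 1)[0].strip() == "critical"

def suspects(working_cfg, failing_cfg, section="xca_extensions"):
    """Extensions that differ between the importable and non-importable cert."""
    ok = parse_sections(working_cfg).get(section, {})
    bad = parse_sections(failing_cfg).get(section, {})
    shared = set(ok) & set(bad)
    return {"only_in_failing": sorted(set(bad) - set(ok)),
            "microsoft_oids": sorted(k for k in bad if k.startswith(MS_ARC)),
            "newly_critical": sorted(k for k in shared
                                     if is_critical(bad[k]) and not is_critical(ok[k]))}
```

Calling `suspects(WORKING, FAILING)` returns the three candidate lists; the same function accepts the full config exports from the post, since sections other than `xca_extensions` are parsed but ignored.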