well...
after long time ago, now it's out...
FWF60D x2 FWF60C x3 FGT80C rev.2 FGT200B-POE FAP220B x3 FAP221B x2
FSW224B x1
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
annoying bug..
JSON string....=^=
FWF60D x2 FWF60C x3 FGT80C rev.2 FGT200B-POE FAP220B x3 FAP221B x2
FSW224B x1
Other problems noted in 5.6
1: the diag debug flow show console enable is missing as a option
2: still can NOT upload a x509 certificate via GUI ( pkcs12 or via pem cert+key )
3: a valid certificate self-sign for admingui access does NOT work no matter how or what type of certificate that we try to craft standard, wildcard or SAN if we paste it in via the cli "config vpn certificate local "
More to come ;)
PCNSE
NSE
StrongSwan
Again my FWF60D has hungs up. We thought it crashed but come to find out the HTTP process is hung. Since this is a remote hosted FW, I'm downgrading ....Sorry but v5.6.1 is a no-go for me ;(
PCNSE
NSE
StrongSwan
inexplicable radius server test:
FWF60D x2 FWF60C x3 FGT80C rev.2 FGT200B-POE FAP220B x3 FAP221B x2
FSW224B x1
Maybe it's a database migration? Have you tried to format log-disk?
Regards, Paulo Raponi
keij wrote:I can not see Local traffic (Fortigate's self traffic) in Foriview of ver5.6.1. In 5.2 were able to see the fortigate local traffic. Is it no longer visible in the 5.6 series?
Hi Keij, that is correct. We do not show local traffic in FortiView starting 5.6.0
anyone have tried to import PFX certificate???..
importing pfx certificate always does not work for me....
FWF60D x2 FWF60C x3 FGT80C rev.2 FGT200B-POE FAP220B x3 FAP221B x2
FSW224B x1
Other problems noted in 5.6
1: the diag debug flow show console enable is missing as a option
2: still can NOT upload a x509 certificate via GUI ( pkcs12 or via pem cert+key )
3: a valid certificate self-sign for admingui access does NOT work no matter how or what type of certificate that we try to craft standard, wildcard or SAN if we paste it in via the cli "config vpn certificate local "
More to come ;)
PCNSE
NSE
StrongSwan
1. diag debug flow show console enable
This option was deprecated. No need to enable it during debug flow any more
emnoc wrote:Other problems noted in 5.6
1: the diag debug flow show console enable is missing as a option
2: still can NOT upload a x509 certificate via GUI ( pkcs12 or via pem cert+key )
3: a valid certificate self-sign for admingui access does NOT work no matter how or what type of certificate that we try to craft standard, wildcard or SAN if we paste it in via the cli "config vpn certificate local "
More to come ;)
>disabling all utm features by Feature Visibility menu may experience this problem...
Hi storaid, thank you for reporting the issue. We have opened an internal ticket to track (0443647). A workaround is to enable Application Control visibility in Feature Visibility, which should allow the page to show the fields properly. We will fix it for 5.6.2
Again my FWF60D has hungs up. We thought it crashed but come to find out the HTTP process is hung. Since this is a remote hosted FW, I'm downgrading ....Sorry but v5.6.1 is a no-go for me ;(
PCNSE
NSE
StrongSwan
Hi Rojekj and Antonio, thank you for reporting the issue with SSL VPN. This is a known issue and should have been included in 5.6.1 release note (internal ticket 0442808). We already have a fix for it and we will update the release note shortly. Sorry for the miscommunication.
thuynh wrote:Hi Rojekj and Antonio, thank you for reporting the issue with SSL VPN. This is a known issue and should have been included in 5.6.1 release note (internal ticket 0442808). We already have a fix for it and we will update the release note shortly. Sorry for the miscommunication.
May I ask when do You plan to release this fix? I'm going to be killed by my clients at the end of next week, unless I'll fix their VPN. And You are the only ones who can prevent this and save my poor life.
Updating release notes should happen, but does not resolve our issue.
You must understand that crashing sslvpn daemon is a very serious bug, that should be fixed in the first place, and in my opinion release of the new firmware that fix this should occure immediately, not waiting for other fixes.
What was your reason for not staying with 5.4.5?
NSE 4/5/7
5.6.0 was released before 5.4.5 and it fixed some bugs. Most desired function for me was the domain (ldap) password change via web portal/forticlient, which was not working for 2FA users.
Hi All, @thuynh_FTNT I did a new quick test : the original certificate was a wildcard + wildcard san signed by a Windows 2012 R2 Ent CA: i'm unable to import p12/pfx from gui even if i convert it using openssl/XCA generating a new cert using openssl/XCA works (without CDP,CRL) maybe it's something related to custom OIDs/CDP/CRL inserted by Windows CA Regards openssl cert config (working)
oid_section = xca_oids [ xca_oids ] dom = 1.3.6.1.4.1.311.20.2 MsCaV = 1.3.6.1.4.1.311.21.1 msEFSFR = 1.3.6.1.4.1.311.10.3.4.1 iKEIntermediate = 1.3.6.1.5.5.8.2.2 nameDistinguisher = 0.2.262.1.10.7.20 id-kp-eapOverPPP = 1.3.6.1.5.5.7.3.13 id-kp-eapOverLAN = 1.3.6.1.5.5.7.3.14 id-pkkdcekuoid = 1.3.6.1.5.2.3.5 [ req ] default_bits = 1024 default_keyfile = privkey.pem distinguished_name = xca_dn x509_extensions = xca_extensions req_extensions = xca_extensions string_mask = MASK:0x2002 utf8 = yes prompt = no [ xca_dn ] 0.C=IT 1.ST=MI 2.L=MI 3.O=ICT 4.OU=OCP Org 5.CN=*.xdomain.local 6.emailAddress=sysadmin@xdomain.local [ xca_extensions ] nsCertType=server subjectAltName=DNS:*.xxxxxx.com keyUsage=digitalSignature, nonRepudiation, keyEncipherment subjectKeyIdentifier=hash basicConstraints=critical,CA:FALSE like Windows 2012 R2 cert (XCA imported, not working): oid_section = xca_oids [ xca_oids ] dom = 1.3.6.1.4.1.311.20.2 MsCaV = 1.3.6.1.4.1.311.21.1 msEFSFR = 1.3.6.1.4.1.311.10.3.4.1 iKEIntermediate = 1.3.6.1.5.5.8.2.2 nameDistinguisher = 0.2.262.1.10.7.20 id-kp-eapOverPPP = 1.3.6.1.5.5.7.3.13 id-kp-eapOverLAN = 1.3.6.1.5.5.7.3.14 id-pkkdcekuoid = 1.3.6.1.5.2.3.5 [ req ] default_bits = 2048 default_keyfile = privkey.pem distinguished_name = xca_dn x509_extensions = xca_extensions req_extensions = xca_extensions string_mask = MASK:0x2002 utf8 = yes prompt = no [ xca_dn ] 0.CN=*.xdomain.local [ xca_extensions ] authorityInfoAccess=@authorityInfoAccess_sect crlDistributionPoints=crlDistributionPoint0_sect authorityKeyIdentifier=keyid subjectAltName=DNS:*.xdomain.local, DNS:*.XXXXXX.com subjectKeyIdentifier=hash extendedKeyUsage=serverAuth keyUsage=critical,digitalSignature, keyEncipherment 1.3.6.1.4.1.311.21.10=DER:30:0c:30:0a:06:08:2b:06:01:05:05:07:03:01 1.3.6.1.4.1.311.21.7=DER:30:2f:06:27:2b:06:01:04:01:82:37:15:08:81:bd:cc:71:86:96:82:07:87:a1:89:17:81:85:88:17:85:83:a5:06:81:51:87:8e:e3:2e:87:d2:82:64:02:01:66:02:01:04 [crlDistributionPoint0_sect] fullname=@crlDistributionPoint0_sect_fullname_sect [crlDistributionPoint0_sect_fullname_sect] URI.0=ldap:///CN=VM-SUBCA-XXXXX,CN=VM-SUBCA-XXXXX,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=xdomain,DC=local?certificateRevocationList?base?objectClass=cRLDistributionPoint [authorityInfoAccess_sect] caIssuers;URI.0=ldap:///CN=VM-SUBCA-XXXXX,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=xdomain,DC=local?cACertificate?base?objectClass=certificationAuthority
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1519 | |
1019 | |
749 | |
443 | |
209 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.