well...
after long time ago, now it's out...
FWF60D x2 FWF60C x3 FGT80C rev.2 FGT200B-POE FAP220B x3 FAP221B x2
FSW224B x1
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
annoying bug..
JSON string....=^=
FWF60D x2 FWF60C x3 FGT80C rev.2 FGT200B-POE FAP220B x3 FAP221B x2
FSW224B x1
Other problems noted in 5.6
1: the diag debug flow show console enable is missing as a option
2: still can NOT upload a x509 certificate via GUI ( pkcs12 or via pem cert+key )
3: a valid certificate self-sign for admingui access does NOT work no matter how or what type of certificate that we try to craft standard, wildcard or SAN if we paste it in via the cli "config vpn certificate local "
More to come ;)
PCNSE
NSE
StrongSwan
Again my FWF60D has hungs up. We thought it crashed but come to find out the HTTP process is hung. Since this is a remote hosted FW, I'm downgrading ....Sorry but v5.6.1 is a no-go for me ;(
PCNSE
NSE
StrongSwan
inexplicable radius server test:
FWF60D x2 FWF60C x3 FGT80C rev.2 FGT200B-POE FAP220B x3 FAP221B x2
FSW224B x1
Maybe it's a database migration? Have you tried to format log-disk?
Regards, Paulo Raponi
keij wrote:I can not see Local traffic (Fortigate's self traffic) in Foriview of ver5.6.1. In 5.2 were able to see the fortigate local traffic. Is it no longer visible in the 5.6 series?
Hi Keij, that is correct. We do not show local traffic in FortiView starting 5.6.0
Thanks emnoc and Antonio, we've created an internal ticket to track this issue (0443713). However, we'll need the actual p12/pfx cert to debug further (include password if it's protected). Can you create a CSS ticket (if havent already) and provide the file there? You can use a dummy cert which is similar to the one that you have issue. The CSS ticket can use the above bug number as a reference.
thuynh wrote:Thanks emnoc and Antonio, we've created an internal ticket to track this issue (0443713). However, we'll need the actual p12/pfx cert to debug further (include password if it's protected). Can you create a CSS ticket (if havent already) and provide the file there? You can use a dummy cert which is similar to the one that you have issue. The CSS ticket can use the above bug number as a reference.
I'm trying to get a case open but 1st our FGT100D on downgrading back down to 5.4.x seems to not take the new image and format of the disk and tftp seems to not work.
So as suport fixes that issues, I can open a ticket on the cert import. The pfx bundle btw imported fine on other FGT appliance running 5.4.3 5.4.5 and 5.2.11, so it's not the pfx bundle that's the issue.
Support can easily craft a self-sign cert and try to import the pfx bundle. Also if we take a CSR generate on the FGT appliance and sign the certificate, upon import of the just the certificate fails. We have our own Entrust Intermediate CA and I tried CAcert signed certificate also.
PCNSE
NSE
StrongSwan
emnoc wrote:thuynh wrote:I'm trying to get a case open but 1st our FGT100D on downgrading back down to 5.4.x seems to not take the new image and format of the disk and tftp seems to not work.Thanks emnoc and Antonio, we've created an internal ticket to track this issue (0443713). However, we'll need the actual p12/pfx cert to debug further (include password if it's protected). Can you create a CSS ticket (if havent already) and provide the file there? You can use a dummy cert which is similar to the one that you have issue. The CSS ticket can use the above bug number as a reference.
So as suport fixes that issues, I can open a ticket on the cert import. The pfx bundle btw imported fine on other FGT appliance running 5.4.3 5.4.5 and 5.2.11, so it's not the pfx bundle that's the issue.
Support can easily craft a self-sign cert and try to import the pfx bundle. Also if we take a CSR generate on the FGT appliance and sign the certificate, upon import of the just the certificate fails. We have our own Entrust Intermediate CA and I tried CAcert signed certificate also.
Thanks emnoc, we added some restrictions in 5.6.1 to reject unsecured/invalid certs but I'm not sure if it's related. We'll be able to tell once we have the certs.
Thanks
We 've tried numerous certificate std/sans/self-Signed/etc.... my ticket on getting my FG100D backup so I can reflash it is tkt.id 2308481 .
Once I get that back , I will make a re-attempt and upload all related information in a new case.
Thanks
PCNSE
NSE
StrongSwan
One more thing that I just found, the cli cmd diag sys checkused is not a validate command any more.
PCNSE
NSE
StrongSwan
emnoc wrote:One more thing that I just found, the cli cmd diag sys checkused is not a validate command any more.
As of FortiOS 5.6, the command is now "diagnose sys cmdb refcnt"
rojekj wrote:thuynh wrote:Hi Rojekj and Antonio, thank you for reporting the issue with SSL VPN. This is a known issue and should have been included in 5.6.1 release note (internal ticket 0442808). We already have a fix for it and we will update the release note shortly. Sorry for the miscommunication.
May I ask when do You plan to release this fix? I'm going to be killed by my clients at the end of next week, unless I'll fix their VPN. And You are the only ones who can prevent this and save my poor life.
Updating release notes should happen, but does not resolve our issue.
You must understand that crashing sslvpn daemon is a very serious bug, that should be fixed in the first place, and in my opinion release of the new firmware that fix this should occure immediately, not waiting for other fixes.
Thanks rojekj, we do understand this issue is a show stopper for SSLVPN users. We are actively reviewing it and will get back to you as soon as we can.
rojekj wrote:
thuynh wrote:May I ask when do You plan to release this fix? I'm going to be killed by my clients at the end of next week, unless I'll fix their VPN. And You are the only ones who can prevent this and save my poor life. Updating release notes should happen, but does not resolve our issue. You must understand that crashing sslvpn daemon is a very serious bug, that should be fixed in the first place, and in my opinion release of the new firmware that fix this should occure immediately, not waiting for other fixes.
Hi Rojekj and Antonio, thank you for reporting the issue with SSL VPN. This is a known issue and should have been included in 5.6.1 release note (internal ticket 0442808). We already have a fix for it and we will update the release note shortly. Sorry for the miscommunication.
Hi Rojekj,
sslvpn daemon crash is an known issue. it happens when tunnel mode ssl vpn user logout.
Thanks
Johnson
I can not see Local traffic (Fortigate's self traffic) in Foriview of ver5.6.1. In 5.2 were able to see the fortigate local traffic. Is it no longer visible in the 5.6 series?
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1692 | |
1087 | |
752 | |
446 | |
228 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.