Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
wcbenyip
New Contributor III

Found issues in v3mr3 (b400)

It would be great to post any issues found in the latest firmware after testing.....
Just upgraded my fg60 from v3mr1 to v3mr3(b400) and found something wrong... 1/ In the existing fw policy or add a new fw policy, NO ADDRESS could be found in the source or destination address name.... 2/ Comparing with the memory allocated before firmware upgrade, the memory usuage is increased around 30% !!! (Before firmware upgrade, the memory usage in office hour is around 65%, and that in non-office hour is around 35%, but now in the non-office hour, it becomes 75%~)
Protect yourself~ http://www.secunia.com MBCS CEH FCNSA
Protect yourself~ http://www.secunia.com MBCS CEH FCNSA
32 REPLIES 32
kevanbrown
New Contributor

Submitted support cases for the Web GUI and SSL VPN bugs. Here' s the info on the Web GUI bugs: Q) Drag-and-drop in the policy grid appears to be no longer supported (as AKrause said). This is not mentioned in the release notes, so I assume it is unintentional. A) They say drag-and-drop policy reordering was removed because of a potential performance impact on the Web GUI. I assume this has something to do with the new policy " section" feature. In any case, they say they will redesign/rewrite the drag-and-drop policy reordering for a future release. Q) In Mozilla Firefox 1.5.0.7, when you click the drop-down arrow on the right side of the " Create New" button above the policy grid, the drop-down menu never goes away; even after clicking cancel on the pop-up screen. A) They say this is pending bug fix. Q) In both Mozilla Firefox 1.5.0.7 and Microsoft Internet Explorer 6.0 SP1, when you click the drop-down arrow on the right side of the " Create New" button above the policy grid, all of the text for the sources, destinations, and services disappears from the policy grid below. A) They say this is pending bug fix.
Not applicable

wcbenyip, Any solution for the " In the existing fw policy or add a new fw policy, NO ADDRESS could be found in the source or destination address name.... " issue? I upgraded without any problem my A-P cluster from MR2 to MR3, after editing labels, I' m now in the situation you described. Thanks!
Not applicable

Support: Dear customer, it is a known issue when you have a special character as " &" in the address name or address group name Please remove thos characters and it should fix the issue until the next build will be released Sorry for the inconvenience and thank you for your comprehension
pcraponi
Contributor II

HTTPS Web Filter don' t work. step by step: Enter in your Protection Profile: Enable the options: - Web Filtering -> Web URL Filter - FortiGuard Web Filtering -> Enable FortiGuard Web Filtering (HTTP and HTTPS) - Category -> General Interest -> Personal Relationships (Enable BLOCK) Save and go to WebFilter -> URL Filter in the left menu: Create new filter: URL: orkut.* Type: Regex Action: Block Enable True and save... Visit www.orkut.com in your browser. Now you won' t be blocked (??) and redirected to google account page. Complete the login and password and click to sign in. You will be redirected and blocked by FortiGuard Web Filtering (Category: Personal Relationships) But, the cookie was already accepted and stored in your browser. In the addresse bar, change the URL for https://www.orkut.com and GO...... The FortiGuard Web Filtering HTTPS/URL Filter don' t work. Solution: Create a block in the Firewall -> Policy. Drop all destination to FQDN orkut.com Problem: Always have another https sites...

Regards, Paulo Raponi

Regards, Paulo Raponi
kevanbrown
New Contributor

Two more issues with the SSL VPN portal; both with the Samba proxy: 1) When using the Samba proxy through the SSL VPN portal, the pop-up login screen does not close after you' ve provided the required credentials and have been authenticated. However, while the pop-up window remains, the main window does show the contents of the Samba share; indicating that connection was successful. This does not happen if the web site is in the Trusted Sites security zone in Internet Explorer. 2) When using the Samba proxy, filenames which contain an apostraphe (' ) are inaccessible. If you hover your mouse cursor over the link and look at the JavaScript link in the status bar of the web browser, you see that the link' s syntax is incomplete. Also, does anyone know how you are supposed to return to the main portal page after clicking on a portal bookmark? The back button in the browser is the only way I' ve found so far, but that' s not so convenient if you' ve been using the Samba proxy and are drilled down into some deeply-nested folder hierarchy.
wcbenyip
New Contributor III

RedHead, I have upgraded all of our box (60x2, 300Ax1, 100Ax1) and I found that only one of the 60 box has this situation.... so I think this is somewhat a bug in it..... Anyway, I have fixed this problem... or you can say that I have found a way to make it becomes " normal" ~
it is a known issue when you have a special character as " &" in the address name or address group name
Remark: I have no special characters in any address name or group name at all~ => After the firmware upgrade, if you do found that when editing or creating a new policy... all of the addresses on the interface are gone, then don' t worry! All you need to do is just change the individual address name from any interface to the interface it should be!! Say, if you created an address name " Internal_ALL" , then just change the interface field from *any* to *internal*, after that, you could found your box become NORMAL~
Protect yourself~ http://www.secunia.com MBCS CEH FCNSA
Protect yourself~ http://www.secunia.com MBCS CEH FCNSA
wcbenyip
New Contributor III

Even though many ppl found the v3mr3b400 still got many negative issues or... yes...bugs~ I have to say that, this build is the best one I found in v3, at least the framework is ok... more stable than v3mr2~ Hoping that the coming new release would be more more stable and giving us more *positive* surprise!
Protect yourself~ http://www.secunia.com MBCS CEH FCNSA
Protect yourself~ http://www.secunia.com MBCS CEH FCNSA
Not applicable

in the ipsec vpn monitor, the username on dialup connections is no longer displayed.
AKrause

I noticed a problem with address objects and zones: address objects can be bound to interfaces, but not to zones. This leads to an error as you use zones and not interfaces in the firewall policies. 1) Put any interfaces (i.e. vlan1 and vlan2) into a zone (zone1). 2) Bind an address object ao1 to the interface vlan1. 3) Insert a new policy and choose zone1 as interface. You can now select ao1 as address object. But the policy is not created after applying the dialog. However, in CLI you cannot choose the ao1 at all. So there is a need to bind interfaces to a zone or better: to allow address objects for a zone, if they are connected to at one interface of the zone. regards, Andreas
Not applicable

Keep a very watchfull eye on Memory Utilization on MR3 --On our primary WFW-60A, we have a number of ipsec vpn tunnels, SSL-VPN portals, virus/spam filtering etc. When the memory utilization is in the mid to high 80% range the viruschecker will cause problems with the SMTP service. We have found when this happens, incoming email with attachments as small as 1meg in size are dropped. That is the email does not come through! Be sure to have only the required items enabled in Protection Profiles, Logging to memory turned off, and ISP kept to a minimum, etc, etc.
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors