Not applicable

Frustrated new Fortinet customer.

Just got a Fortigate 60C and FortiWiFi 60C last week. Have to say as a former snapgear user, I'm disappointed. The obvious, glaring, show stopping bugs in the thing have left me shaking my head in wonder. Things like:

1. You can't export an SSL key in PKCS#12 format because you can't specify a password.
2. It is impossible from the CLI or GUI to change from switch to interface mode on the internal interfaces. I had to make a backup, edit the file and restore it to change the mode. What a pain in the butt!
3. The log disk complains of imminent failure every hour but never seems to fail.
4. Traffic logging seems to be a black art. Sometimes it works, sometimes it doesn't. Sometimes erasing the logging configuration and starting over makes it work.
5. The wireless signal in the WiFi60C is pathetic. I have consumer grade stuff with a better signal/noise ratio than this. Why can't I bridge the 802.11 interface to the internal ethernet switch interface? Having a separate network for the wireless users is not always the solution. Some software won't work right with the devices on 2 separate networks. Also, the connectors for the antennas weren't fastened to the chassis well. One of them nearly fell off as I screwed on the antenna.
6. It took 8 DAYS for support to contact me on my questions. Just now the support staff told me to upgrade my 60Cs to 4.2.2 build 291. This is not yet available for the 60C. BTW, why ISN'T it ready for the 60C?

It's just so frustrating trying to learn a new device, when the documentation and the device don't agree. When things work and then don't work randomly. I have no idea if I've made a mistake or the firmware has another bug. /rant Sorry, I've spent a week fighting these things. To have support contact me after so long and give me wrong information just put me over the edge.
veechee
New Contributor

#2 If you have anything assigned or in use on the switch at all, you would not be able to make the change. When I was setting my new 60C up I wasn't as smart as you - I reset my device, changed the mode, then redid all my other settings.

#3 is an issue with the current 60C firmware (MR1). This should hopefully be fixed when the MR2 firmware is finally released in "mid-September". I've been assured elsewhere in the forums that no, the log disk is not actually failing.

I'm looking at a WF-60C for another office, so I will keep your feedback about signal strength in mind. MR2 for the WF-60C might improve things though, especially since it's an N radio, which is relatively new to Fortinet.
emnoc
Esteemed Contributor III

#4 is about normal across all fortigate products. It either works and sometimes it works great, other times horrible. The fortianalyzer seems to be the best thing going with logging and the same for syslog unless you change LOCAL facilities.

#5 this has always been a complaint but the wireless interface is really a unique and individual interface. You can't bridge it to a physical interface. As far as SNR and antennas you are 100% correct in that area.

#6 is one of my biggest gripes from a public company competing against cisco and juniper. I found that to get support immediately you either need live chat or get a # of the engineer and call them. My last ticket, which was just a request for information, took about 3 days just to get a response & the response was not geared at my question. In ciscoland that would never happen.

I feel your pain. What I would do is to contact your sales rep for your general area and voice your concerns and complaints.

PCNSE NSE StrongSwan
ejhardin
Contributor

#5. You can create a software switch and include the wireless and internal interface.
TopJimmy

Sounds to me like you got a lemon and should send it back for a replacement or get your money back and buy something else.
ORIGINAL: ejhardin #5. You can create a software switch and include the wireless and internal interface.
+1. That is how I have my FWF60c set up. Works great. FYI to change the wireless radio settings (such as password, encryption, channels, etc) you have to use the CLI. Minor issue, but just thought I should point that out.

#2: Never had a problem if I removed all references to that interface before changing it from switch to interface mode. Check your routes..I always miss that one.

#5: I have the opposite experience. My FWF60c sits about 100 feet away from me in a closet. My office building uses steel wall studs and is constructed very well. With my 80CM in the same location I could get a very weak signal. Windows PCs reported it as 1 bar. With the FWF60C in the same location, I get 2 and sometimes 3 bars. Same PC, same location, etc.

#8: Never had that problem until recently. I opened a ticket related to my FMG last week and still haven't heard back concerning it. 5 business days later.... I still get very fast response on my units that have 24x7 Advanced Replacement contracts.

So far, other than the firmware issues (nothing past 4.1.4 is available for the 60c....yet), it's been a decent firewall for me.
-TJ
jpforcioli_FTNT

#1: The CLI command "exec vpn certificate local export tftp" is equivalent to Certificate -> Local -> Download. You will obtain the public part of the certificate. The private part of the certificate will be saved in a backup configuration file or through the CLI command display:

    #config global
    #config vpn certificate local
    #edit <Cert_Name>
    #get --> will show you the content
    #show full --> will show you the following structure:

    config vpn certificate local
        edit "Cert_Name"
            set password ENC wqG2azj2PERdUEQCcPIXftODn7Ih/CpzXqC5O0cy4OuxRAHlepROKuDzvVS/UGrK/L2FI3jfjM2My7Jd4BhSSP8yoxd8jjhnC7xAiV/+ZE0zhT8+
            set comments ''
            set private-key "-----BEGIN RSA PRIVATE KEY-----
    Proc-Type: 4,ENCRYPTED
    DEK-Info: DES-EDE3-CBC,598019D76157DECB

    yLm2JWlLgCrBybzZlIY0ye7IeK6Sd
    .../...
    qRKteVXmncHy1ZIhPXce6+5VpiDoViOZArfWmubl7+Ypb2swee1gVw==
    -----END RSA PRIVATE KEY-----"
            set certificate "-----BEGIN CERTIFICATE-----
    MIIEsDCCBBmgAwIBAgIQLSjQxObA6qtBEWBOK
    .../...
    nMRmRA==
    -----END CERTIFICATE-----"
        next
    end

You can copy this information into a file and paste it in another FGT or into the same.
Jean-Pierre FORCIOLI
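
Added example, not part of the original post and not Fortinet code: a small Python audit that reads a backup configuration in the layout quoted in the post above and reports, for each `config vpn certificate local` entry, whether a private key is embedded and whether its PEM header marks it as encrypted. The sample config, the `Plain_Key` entry and the function name `audit_local_certs` are constructed for illustration, and the PEM bodies are placeholders.

```python
import re

# Constructed sample in the layout quoted in the post above. PEM bodies and the
# "Plain_Key" entry are placeholders made up for this example, not real keys.
SAMPLE_CONFIG = '''config vpn certificate local
    edit "Cert_Name"
        set password ENC PLACEHOLDER
        set private-key "-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0000000000000000

PLACEHOLDERKEYBODY
-----END RSA PRIVATE KEY-----"
        set certificate "-----BEGIN CERTIFICATE-----
PLACEHOLDERCERTBODY
-----END CERTIFICATE-----"
    next
    edit "Plain_Key"
        set private-key "-----BEGIN RSA PRIVATE KEY-----
PLACEHOLDERKEYBODY
-----END RSA PRIVATE KEY-----"
    next
end
'''

SECTION = re.compile(r'^config vpn certificate local\s*$(.*?)^end\s*$', re.S | re.M)
ENTRY = re.compile(r'^\s*edit\s+"([^"]+)"(.*?)^\s*next\s*$', re.S | re.M)
FIELD = re.compile(r'set\s+(private-key|certificate)\s+"(.*?)"', re.S)
DEK = re.compile(r'^DEK-Info:\s*([^,\s]+)', re.M)

def audit_local_certs(config_text):
    """Report, per certificate entry, what key material the backup embeds."""
    section = SECTION.search(config_text)
    findings = []
    for name, body in ENTRY.findall(section.group(1)) if section else []:
        fields = dict(FIELD.findall(body))
        key = fields.get("private-key", "")
        cipher = DEK.search(key)  # legacy PEM header names the cipher, if any
        findings.append({
            "name": name,
            "has_private_key": "PRIVATE KEY-----" in key,
            "key_encrypted": "Proc-Type: 4,ENCRYPTED" in key,
            "cipher": cipher.group(1) if cipher else None,
            "has_certificate": "BEGIN CERTIFICATE" in fields.get("certificate", ""),
        })
    return findings

if __name__ == "__main__":
    for finding in audit_local_certs(SAMPLE_CONFIG):
        print(finding)
```

Any backup for which `has_private_key` is true contains key material and needs to be stored and transferred with the same care as the key itself.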
SYQUEST
New Contributor

#5 In relation to N wireless in the 5GHz range, if you know anything about radio waves, the higher the frequency the shorter the wavelength! That means to get through anything you need more power and less interference! So if that is the issue here, you might want to stay in the 2.4GHz range, or do your homework on using external antennas or reorienting them for best coverage. Hope this helps! ....JIM....
FortiGeek
New Contributor

Fortinet have just updated special build for using all Fortigates with the FortiAP EXCLUDING 60C! It's like the 60C is not even their own product and they won't support it...

1 FortiAP v4.0 MR2 Patch Release 1

This document provides information on issues and caveats in FortiAP™ v4.0 MR2 Patch Release 1. The following outlines the release status. This document covers ONLY those changes between the v4.0 MR2 release and Patch Release 1. If you need additional documentation, please obtain the release notes for v4.0 MR2 and also visit http://docs.fortinet.com.

Model FortiAP v4.0 Release Status FAP-220A FAP-210B FAP-220B

The FortiAP software branch introduced here is FortiAP build 112. This FortiAP build requires a special FortiOS image as described below.

FortiOS

The FortiAP device must be supported by a special FortiOS branch image for FortiGate model 60B and above, excluding any FortiWiFi models and FortiGate-60C.
Not applicable

Some good tips. Thanks all! I took a week off from the device and that seems to have helped.

1. The docs say I can export with the exec vpn certificate command. The example even shows setting the password. The FWF60C won't accept a password parameter. I can download the file, but I can't import it as it requires a password I didn't set and don't know. I just gave up and asked for a re-key.
2. I reset the device to factory defaults. Did NOT run the wizard and was unable to change the mode by any method. Maybe I missed a route, but as I hadn't configured ANYTHING yet, why should any routes exist? This isn't about who is most clever. If something has to be changed SPELL IT OUT. Failing with a cryptic error helps no one.
3. This one still chaps my butt. There is no way in hell ANY device should have shipped with such an OBVIOUS bug. I mean come on! The thing bitches every hour. Every hour! How hard is that to find. FNT QA should be ashamed.
4. Nothing new here pilgrim. I don't know exactly what the fortianalyzer costs, but I bet it is more than the FWF60C. That's gonna be a tough sell for my clients. I will probably push the remote service. I wonder if that was intentional?
5. I've put a different antenna on the thing. I thought 802.11n required a minimum of 3 antennas. Everything doing 802.11n I've seen has had 3 discrete elements. I am going to set it back to 802.11g and see what the range looks like. Hell, for all I know the wires inside are disconnected. Certainly the retaining bolts were loose enough. The snapgears and microtiks allowed me to choose. Not so much with Fortinet.
6. I have my issues with Watchguard. We won't be selling their products any more. But they answered faster than this.

If not for the members of this community I would not have been able to make this work. I've worked with cisco, sonicwall, netscreen, snapgear, smoothwall, and gnatbox. I can make all of them perform pretty well. I have never had such a hard time on so many fundamental issues. I like the thing. For the price, it delivers an amazing amount of performance. But like FortiGeek says, the 60C product seems to be a red headed step child. Support doesn't know it, development isn't even TRYING to keep it up to date with their other units and I am tired of working around bugs that other products don't have. As I said before, any time I make a change and problems occur, I never know where to start. I have no confidence in the fortios as shipped and I don't have enough experience with the product to know what works.
ede_pfau
SuperUser

LAN Guy,

ad 2. reset to factory defaults configures an IP (or two) for the internal interface (192.168.1.99). If you remove this, you can switch the switch. Configure via the serial port CLI.

ad rant. I can wholly understand your view. When I was new to Fortigates, I got the sweats every time I changed a parameter. Once, I configured a lousy static route, and it would just not "take". Only after a reboot. And I searched for the fault on my side for a day. From experience I can assure you, with time you'll get more confident in which features just work and which are, em, experimental or "in development". If customers would only use the basics (firewalling, maybe AV, some local logging) I'd have a 100% satisfaction rate, regardless of model. But you'll find that with every innovative company in the IT business - new features, new hassles.

As the 60C introduces a completely new system design (SoC=CPU with NPU and CP integrated) there are obvious bumps in stability and firmware upgrades. At the moment I wouldn't put it into projects - which is a shame as the 60B has been dropped and the 80C, while being a fine machine for a ridiculously low price, is nearly unbearable due to the annoying fan.

Maybe there wouldn't be a forum like this if support was immediate and products flawless. But then I suspect Fortigates weren't reasonably priced and/or offering mid-1990s features like so many competitors. At least, the attitude and quality of the posts in the forum is downright professional. Which might be a relief for the time being.

Ede

"Kernel panic: Aiee, killing interrupt handler!"