Unlock Exclusive Benefits
Join Our Community Today!
Join our Community and post in the forum to earn your exclusive badge; celebrating 3 years of the Fortinet Community!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: Missing Firewall Policies after Firmware Upgra...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Missing Firewall Policies after Firmware Upgrade or Restarts
Hi all!
A department on the company that I work are having issues with some FortiGates. This department is charge to the maintenance of the client's fortigates. Today they had two issues with "missing policies", one with a FG200D and another with a FortiWiFi 90D. The FG200D is installed on our office and it had "missing policies" after a Firmware upgrade following the upgrade path from FortiOS 5.6.3 to 5.6.6 and finally 6.0.3. The other device is a FortiWiFi 90D owned by one of our clients and this one also had "missing policies", but in this case it happened after a power disruption.
We had this type of issue on the past on other devices, but were few. The department of maintenance tells me that they are following the recommendations of FortiNet for upgrades by reading the release notes and following the upgrade paths. My concern is that this is happening more often and we are scheduling to do a firmware upgrade to a core 1000D that manage the security on our DataCenter. Missed policies on this FortiGate will cause me a huge stress.
I had been looking on the forum if someone else had this problem, but I didn't find nothig. Some one faced or is facing with this "missing policies" issue? Do they are missing something? Can they do something to mitigate this? I had also hear them say that "policies are getting corrupted" after an upgrade.
Regards,
Harry
Solved! Go to Solution.
Labels:
- Labels:
-
6.0
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
4 Solutions
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This hasn't happen with recent firmwares, but back in the 4.2.x days, the "conversion scripts" that ran during the firmware upgrade process didn't properly handle white space characters in object names/labels, would truncate them at the first space character, so it pretty much missed up the config rather badly.
These days, I make it a habit to run the unencypted backup of the configs (before and after the firmware upgrade) to see what has changed.
I suggest doing the above, as well, run "diagnose debug config-error-log read" at the CLI following the firmware upgrade.
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0
(FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Same here, never seen that issues b4. I would suspect that maybe manual save might be a issue. If you login into the Fortigate and look and diff the rev b4 and after the changes, what that system revision shows ? FWIW
In big firewall deployments I've always make a backup, and save the cfg, and check the revisions prior to any changes and run the webgui rev-diff
Ken Felix
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Way back when dirt was invented, Fortigates would sometime run into memory issues if run for too long. If the device has been up for a while, try rebooting it prior to starting the upgrade. That adds a few minutes to the procedure, but may alleviate some issues.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Bob - self proclaimed posting junkie!See my Fortigate related scripts
at: http://fortigate.camerabob.com
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
emnoc wrote:Same here, never seen that issues b4. I would suspect that maybe manual save might be a issue. If you login into the Fortigate and look and diff the rev b4 and after the changes, what that system revision shows ? FWIW
In big firewall deployments I've always make a backup, and save the cfg, and check the revisions prior to any changes and run the webgui rev-diff
Ken Felix
Ken,
I did the rev-diff comparing two backup files. The first two were the last backup on version 5.6.3 and the first (and only) on 5.6.6. This presented that a lot of policies were deleted. This doesn't happened when I did the second comparison between the last backup of 5.6.3 and the first of 6.0.3. This last comparison showed policies that the first comparison showed them as deleted. The last comparison (5.6.3 and 6.0.3) showed clearly that the policies that affected the services attached to their interfaces were no longer on 6.0.3.
Thanks for your suggestions about the tasks for before and after upgrading a device.
5 REPLIES 5
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This hasn't happen with recent firmwares, but back in the 4.2.x days, the "conversion scripts" that ran during the firmware upgrade process didn't properly handle white space characters in object names/labels, would truncate them at the first space character, so it pretty much missed up the config rather badly.
These days, I make it a habit to run the unencypted backup of the configs (before and after the firmware upgrade) to see what has changed.
I suggest doing the above, as well, run "diagnose debug config-error-log read" at the CLI following the firmware upgrade.
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0
(FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Dave,
They have a habit of putting spaces in the names of objects. In the FortiGate of our office I just executed the command "diagnose debug config-error-log read", but showed nothing. I do not know if it's because the upgrade was a few hours ago.
Thank you for answering. I will pass your suggestion to them.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Same here, never seen that issues b4. I would suspect that maybe manual save might be a issue. If you login into the Fortigate and look and diff the rev b4 and after the changes, what that system revision shows ? FWIW
In big firewall deployments I've always make a backup, and save the cfg, and check the revisions prior to any changes and run the webgui rev-diff
Ken Felix
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Way back when dirt was invented, Fortigates would sometime run into memory issues if run for too long. If the device has been up for a while, try rebooting it prior to starting the upgrade. That adds a few minutes to the procedure, but may alleviate some issues.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Bob - self proclaimed posting junkie!See my Fortigate related scripts
at: http://fortigate.camerabob.com
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
emnoc wrote:Same here, never seen that issues b4. I would suspect that maybe manual save might be a issue. If you login into the Fortigate and look and diff the rev b4 and after the changes, what that system revision shows ? FWIW
In big firewall deployments I've always make a backup, and save the cfg, and check the revisions prior to any changes and run the webgui rev-diff
Ken Felix
Ken,
I did the rev-diff comparing two backup files. The first two were the last backup on version 5.6.3 and the first (and only) on 5.6.6. This presented that a lot of policies were deleted. This doesn't happened when I did the second comparison between the last backup of 5.6.3 and the first of 6.0.3. This last comparison showed policies that the first comparison showed them as deleted. The last comparison (5.6.3 and 6.0.3) showed clearly that the policies that affected the services attached to their interfaces were no longer on 6.0.3.
Thanks for your suggestions about the tasks for before and after upgrading a device.
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- Chrome Extension for VPN blocked by... 104 Views
- Entra Only Joined Windows 11 Computers... 427 Views
- planning to move away from using... 235 Views
- Nat on FortiGate 60F 901 Views
- Trial licence problems Failed to download... 679 Views
Labels
-
FortiGate
8,501 -
FortiClient
1,722 -
5.2
801 -
FortiManager
715 -
5.4
639 -
FortiAnalyzer
548 -
Fortiswitch
460 -
FortiAP
460 -
6.0
416 -
FortiClient EMS
411 -
5.6
362 -
FortiMail
310 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SSL-VPN
223 -
FortiWeb
200 -
5.0
196 -
IPsec
188 -
FortiNAC
180 -
FortiGuard
136 -
6.4
128 -
SD-WAN
110 -
FortiGateCloud
100 -
FortiSIEM
97 -
FortiCloud Products
96 -
FortiToken
89 -
FortiAuthenticator
84 -
Customer Service
78 -
Wireless Controller
76 -
Firewall policy
71 -
4.0MR3
64 -
FortiProxy
59 -
Fortivoice
53 -
FortiADC
53 -
High Availability
53 -
FortiEDR
50 -
vlan
47 -
ZTNA
46 -
FortiExtender
45 -
FortiSandbox
44 -
FortiDNS
42 -
Routing
40 -
DNS
40 -
BGP
39 -
LDAP
39 -
FortiGate v5.4
35 -
FortiSwitch v6.4
34 -
SAML
34 -
Certificate
33 -
Authentication
31 -
SSO
31 -
Interface
31 -
NAT
30 -
RADIUS
29 -
FortiConnect
27 -
FortiLink
27 -
FortiWAN
25 -
FortiConverter
25 -
VDOM
25 -
Application control
25 -
FortiGate v5.2
24 -
Logging
24 -
Web profile
24 -
FortiPAM
22 -
Virtual IP
22 -
Fortigate Cloud
20 -
FortiPortal
19 -
SSL SSH inspection
19 -
FortiSwitch v6.2
18 -
FortiMonitor
18 -
Traffic shaping
17 -
FortiDDoS
15 -
OSPF
15 -
WAN optimization
15 -
FortiGate v5.0
14 -
System settings
14 -
IP address management - IPAM
14 -
SSID
13 -
Static route
13 -
FortiSOAR
12 -
FortiCASB
12 -
snmp
12 -
Automation
12 -
Admin
12 -
Web application firewall profile
12 -
FortiManager v5.0
11 -
FortiManager v4.0
10 -
FortiRecorder
10 -
IPS signature
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiBridge
9 -
Traffic shaping policy
9 -
FortiAP profile
9 -
Proxy policy
9 -
RMA Information and Announcements
8 -
Security profile
8 -
Port policy
8 -
4.0
7 -
FortiDeceptor
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
Fabric connector
7 -
Intrusion prevention
7 -
Explicit proxy
6 -
DNS filter
6 -
trunk
6 -
Packet capture
6 -
Antivirus profile
6 -
Traffic shaping profile
6 -
Fortinet Engage Partner Program
6 -
FortiToken Cloud
5 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
Web rating
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
FortiDB
3 -
FortiHypervisor
3 -
API
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
Cloud Management Security
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Authentication rule and scheme
2 -
Protocol option
2 -
TACACS
2 -
Schedule
2 -
SDN connector
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1 -
Multicast policy
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1662 | |
| 1077 | |
| 752 | |
| 446 | |
| 220 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.