storaid
Contributor

NOW! FortiOS v5.2.5...

build701

Appeared in the download portal....

but no enhancements?????

 

FWF60D x2 FWF60C x3 FGT80C rev.2 FGT200B-POE FAP220B x3 FAP221B x2

FSW224B x1

2 Solutions
ede_pfau

Jeez....

 

no enhancements! Fortinet finally keeps its promise and just fixes things. Lo and behold. Keep up the good work, give us a rock solid v5.2 and put all the fancy new stuff into v5.4.

 

just my 2ct


Ede

"Kernel panic: Aiee, killing interrupt handler!"

HA
Contributor

Hello,

 

Problems occur with SSL Inspection on 5.2.5. If you use SSL Inspection, it's better to run 5.2.3 (stable).

 

Regards,

 

HA

 


69 Replies
Rn34
New Contributor

Baptiste wrote:

Hello, I'm running 100D on 5.2.2, I saw on release notes that upgrade to 5.2.5 is only supported from 5.2.3.

My question: is upgrade to 5.2.3 buggy? Or can I safely upgrade to 5.2.3 and then to 5.2.5?

My 100d's are running 5.2.3 (dunno what they upgraded from, probably in the 5.0 range) but the upgrade went fine and they run 5.2.3 just fine. I've not had any specific bugs with 5.2.3 on them that I know about.

Paul_S

Rn34 wrote:

 

My 100d's are running 5.2.3 (dunno what they upgraded from, probably in the 5.0 range) but the upgrade went fine and they run 5.2.3 just fine. I've not had any specific bugs with 5.2.3 on them that I know about.

do you get UTF errors when editing a firewall address group?

FG200D 5.6.5 (HA) - primary FWF50B's 4.3.x, FG60D's 5.2.x, FG60E's 5.4.x [Did my post help you? Please rate my post.] FAZ-VM 5.6.5 | Fortimail 5.3.11 Network+, Security+
Rn34
New Contributor

Paul S wrote:

Rn34 wrote:

 

My 100d's are running 5.2.3 (dunno what they upgraded from, probably in the 5.0 range) but the upgrade went fine and they run 5.2.3 just fine. I've not had any specific bugs with 5.2.3 on them that I know about.

do you get UTF errors when editing a firewall address group?

 

No, but most changes are through Fortimanager so something like that probably wouldn't apply.

mlohmiller

Ok so I just completed the update from 5.2.4 to 5.2.5 yesterday and today all our web rating overrides seem to not be working. We use a custom web rating category and mark that category exempt in ssl_ssh inspection. Even though it's marked exempt in that rating it was still being decrypted. After 2 support technicians and 2 hours on the phone, one of them believed it was a bug in 5.2.5. This isn't the first time I had an issue with local categories and web rating overrides but it wasn't as big of an impact. Right now we are using objects added to an object group to exempt the most critical sites. In the past we had an issue and the system (on 5.2.4) would identify the site as "Found in cache". I have been trying to find how to purge and reload the web CATEGORIES. NOT the web cache. I only have actual web proxy cache testing on one rule using 40MBytes. If that's where it's stored, please let me know. Please let me know if anyone else is having any issues or can recommend any course of action. I asked for my ticket to be escalated, the tech seemed to ignore that request.

 

Everything else seems to be functional in 5.2.5 for those not using web filtering.

 

I just read the previous post regarding SSL inspection. I never ran on 5.2.3 and last I asked, reverting would require us, per the tech, to back up the config, wipe the device, downgrade, and reload the config. Not really anxious to do that.

shah

ok noted HA thanks. 

 

Can I just remove (temporarily) the SSL inspection from the policy filtering?

 

 

mlohmiller

You can remove it but you will not be able to filter websites and application control for MOST sites without it.  Along with any DLP requirements.  If you don't have that issue, go ahead and remove it.

lord_amarant

So if I don't need the SSL inspection, is it better to choose 5.2.4 or 5.2.5?

shah

hi...

 

I have reverted from 5.2.5 to 5.2.4 build688

because last night we were having an internet access issue due to bugs in 5.2.5 (SSL inspection error).

I have checked through the command line that SSL inspection is already disabled,

but suddenly my clients can't get internet access. The firewall seems to be working fine and successfully pings the internet.

Access to HTTPS and also HTTP is not working.

So I can't detect whether my clients are having an internet problem.

Can you guys guide me on how to create log notifications for this kind of error? Thanks

mlohmiller

Ok ladies and gentlemen. I just got off the phone with a great Level 2 TAC. I am on 5.2.5 and our custom web categories are working properly. There is a KNOWN bug slated for fix in 5.2.6 where the SSL_SSH Inspect engine is not progressing custom web categories in its exemption list. Our workaround is exempting an OBJECT GROUP, creating FQDN objects and adding them to that group. Let me know if anyone has any questions regarding this.

HA

Hello,

 

Do we need to define the full FQN (like update.microsoft.com) or can we use a wildcard (*.microsoft.com)?

 

Regards,

 

HA
