Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
storaid
Contributor

NOW! FortiOS v5.2.5...

build701

Appeared in the download portal....

but [size="5"]no enhancements?????[/size]

 

FWF60D x2 FWF60C x3 FGT80C rev.2 FGT200B-POE FAP220B x3 FAP221B x2

FSW224B x1

FWF60D x2 FWF60C x3 FGT80C rev.2 FGT200B-POE FAP220B x3 FAP221B x2 FSW224B x1
2 Solutions
ede_pfau

Jeez....

 

no enhancements! Fortinet finally keeps it's promise and just fixes things. Lo and behold. Keep up the good work, give us a rock solid v5.2 and put all the fancy new stuff into v5.4.

 

just my 2ct

Ede Kernel panic: Aiee, killing interrupt handler!

View solution in original post

Ede Kernel panic: Aiee, killing interrupt handler!
HA
Contributor

Hello,

 

Problems occurs with SSL Inspection on 5.2.5. If you use SSL Inspection, it's better to run 5.2.3 (stable).

 

Regards,

 

HA

 

View solution in original post

69 REPLIES 69
Rn34
New Contributor

Baptiste wrote:

Hello, I'm running 100D on 5.2.2, I saw on release notes that upgrade to 5.2.5 is only support from 5.2.3.

My question : is upgrade to 5.2.3 buggy ? or I can safely upgrade to 5.2.3 and then to 5.2.5 ? 

My 100d's are running 5.2.3 (dunno what they upgraded from, probably in the 5.0 range) but the upgrade went fine and they run 5.2.3 just fine. I've not had any specific bugs with 5.2.3 on them that I know about.

Paul_S

Rn34 wrote:

 

My 100d's are running 5.2.3 (dunno what they upgraded from, probably in the 5.0 range) but the upgrade went fine and they run 5.2.3 just fine. I've not had any specific bugs with 5.2.3 on them that I know about.

do you get UTF errors when editing a firewall address group?

FG200D 5.6.5 (HA) - primary [size="1"]FWF50B' s 4.3.x, FG60D's 5.2.x, FG60E's 5.4.x                   [Did my post help you? Please rate my post.][/size] FAZ-VM 5.6.5  |  Fortimail 5.3.11 Network+, Security+

FG200D 5.6.5 (HA) - primary [size="1"]FWF50B' s 4.3.x, FG60D's 5.2.x, FG60E's 5.4.x [Did my post help you? Please rate my post.][/size] FAZ-VM 5.6.5 | Fortimail 5.3.11 Network+, Security+
Rn34
New Contributor

Paul S wrote:

Rn34 wrote:

 

My 100d's are running 5.2.3 (dunno what they upgraded from, probably in the 5.0 range) but the upgrade went fine and they run 5.2.3 just fine. I've not had any specific bugs with 5.2.3 on them that I know about.

do you get UTF errors when editing a firewall address group?

 

No, but most changes are through Fortimanager so something like that probably wouldn't apply.

mlohmiller

Ok so I just completed update from 5.2.4 to 5.2.5 yesterday and today all our web rating overrides seem to not be working.  We use a custome web rating category and mark that category exempt in ssl_ssh inspection.  Even though it's marked exempt in that rating it was still being decrypted.  After 2 support technicians and 2 hours on the phone. One of them believed it was a bug in 5.2.5.    This isn't the first time I had an issue with local categories and web rating overrides but it wasn't as big of an impact.  Right now we are using objects added to an object group to exempt the most critical sites.  In the past there we had an issue and the system (on 5.2.4) would identify the site as "Found in cache" I have been trying to find how to purge and reload the web CATEGORIES. NOT the web cache. I only have actual web proxy cache testing on one rule using 40MBytes. If that's were it's stored, please let me know.  Please let me know if anyone else is having any issues or can recommend any course of action.  I asked for my ticket to be escalated, the tech seemed to ignore that request. 

 

Everything else seems to functional in 5.2.5 for those not using web filtering.

 

I just read the previous post reguarding ssl inspection.  I never ran on 5.2.3 and last I asked reverting would require us per the tech. To backup the config, wipe the device, downgrade, and reload the config.  Not really anxious to do that.

shah

ok noted HA thanks. 

 

can i just remove ( temporary ) the ssl inspection from the policy filtering ?

 

 

mlohmiller

You can remove it but you will not be able to filter websites and application control for MOST sites without it.  Along with any DLP requirements.  If you don't have that issue, go ahead and remove it.

lord_amarant

so if i don't need the ssl inspection is bettere to choose 5.2.4 or the 5.2.5?

shah

hi...

 

i have reverted from 5.2.5 to 5.2.4 build688

because yesterday night we are having internet access issue due to bugs in 5.2.5 ( ssl inspection error )

 

i have checked through command line that the ssl inspection already disable

 

but suddenly my clients can't get into internet access, the firewall seems working fine and successfully ping to internet.

 

access to https and also http not working.

 

so, i can't detect either the my client is having internet problem.

 

can u guys guide me on how to create a logs notifications for this kind of error. thanks

mlohmiller

Ok ladies and gentlement.  I just got off the phone with a great Level 2 TAC.  I am on 5.2.5 and our custom web categories are working properly.  There is a KNOWN bug slated for fix in 5.2.6 where the SSL_SSH Inspect engine is not progressing custome web categories in it's exemption list.   Our work around is exempting an OBJECT GROUP, creating FQDN objects and adding them to that group.   Let me know if any one has any questions regarding this.

HA

Hello,

 

Do we need to defined full FQN (like update.microsoft.com) or can we use wildcard (*.microsoft.com) ?

 

Regards,

 

HA

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors