- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
NOW! FortiOS v5.2.5...
build701
Appeared in the download portal....
but [size="5"]no enhancements?????[/size]
FWF60D x2 FWF60C x3 FGT80C rev.2 FGT200B-POE FAP220B x3 FAP221B x2
FSW224B x1
Solved! Go to Solution.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Jeez....
no enhancements! Fortinet finally keeps it's promise and just fixes things. Lo and behold. Keep up the good work, give us a rock solid v5.2 and put all the fancy new stuff into v5.4.
just my 2ct
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
Problems occurs with SSL Inspection on 5.2.5. If you use SSL Inspection, it's better to run 5.2.3 (stable).
Regards,
HA
- « Previous
- Next »
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I bet you have SSL inspection enabled. Did you open a ticket for TAC?
PCNSE
NSE
StrongSwan
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey,
as a nice happy new years present one of our customers had a total blackout of a 300D cluster on new years day. only after a couple of days uptime with 5.2.5. This installation was working properly with 5.2.4 - so lets see.
TAC is working on that case - I will update, if there is any thing of interest.
Br
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
emnoc wrote:Yes I had SSL inspection enabled but I don't think this blackout was because of that.I bet you have SSL inspection enabled. Did you open a ticket for TAC?
I haven't opened ticket yet because last two tickets support couldn't resolve, but I will try again with support.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello all,
Be careful with 5.2.5.
We face two major issues with it
Application crash (proxyworker process) occurs.
SSL Inspection exclusion (based on domain name or IP) does not work anymore !
Here's the feedback from the support.
I have done some researching and this is a known issue, for the moment no fix, but I would like you to try this workaround and let me know if the unit stabilizes: config firewall ssl-ssh-profile edit "SSL-INSPECTION" config ssl set inspect-all disable
Regards,
HA
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
HA wrote:Hello all,
Be careful with 5.2.5.
We face two major issues with it
Application crash (proxyworker process) occurs.
SSL Inspection exclusion (based on domain name or IP) does not work anymore !
Here's the feedback from the support.
I have done some researching and this is a known issue, for the moment no fix, but I would like you to try this workaround and let me know if the unit stabilizes: config firewall ssl-ssh-profile edit "SSL-INSPECTION" config ssl set inspect-all disable
Regards,
HA
I've been trying to establish whether we have a similar issue with SSL Inspection exclusion on our test 60D which has 5.2.5 loaded. Can I ask whether you were able to confirm this in the CLI, as I seem to be able to access our inspection-excluded sites from within the test network without the issues that lead us to exclude them.
I seem to recall that on 5.2.3 you could debug ssl inspection using
diagnose debug application ssl -1
however if I try to that on 5.2.5 it sets the SSLVPN to debug.
# diagnose debug reset
# diagnose debug application ssl -1
# diagnose debug info
debug output: enable
console timestamp: enable
console no user log message: disable
sslvpn debug level: -1 (0xffffffff)
CLI debug level: 3
We are currently trying to schedule in moving our live 60d from 5.2.3 to 5.2.5 - if SSL Inspection exclusions aren't working then we need to hold fire, so any hints would be really helpful.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
You can try with the command diag test app sslworker.
By the way, it seems that we face this issue only with Fortigate 100D (3 customers). With 240D, no issue...
I didn't test the workaround. I just rolled back to 5.2.3...
Regards,
HA
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
HA wrote:Hello,
You can try with the command diag test app sslworker.
By the way, it seems that we face this issue only with Fortigate 100D (3 customers). With 240D, no issue...
I didn't test the workaround. I just rolled back to 5.2.3...
Regards,
HA
Thanks for the response.
I've had no luck with the diag test app sslworker on the 60D but was able to test by removing one of the excluded sites and checking the displayed certificate in the client browser.
Looks like the 60D is unaffected so we should be good to rollout.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Bono wrote:tony8304 wrote:Hi All,
about the GUI access issue in 5.2.4, is this still exist in 5.2.5?
Thanks
Tony
If you are talking about System tab which disappears, bug is still here.
AHAHAHAHAHHHHH!!! FIX THIS!!!!!!
300E x3, 200D, 140D, 94D, 90D x2, 80D, 40C, handful of 60E's.. starting to loose track.
Over 100 WiFi AP's and growing.
FAZ-200D
FAC-VM 2 node cluster
Friends don't let friends FWF!
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We upgraded our 2 FG500D (3000k users, 200Mbps Internet traffic, HA A-P, IPS, AV, Web Filtering, Application Control, SSL/SSH inspection) last week from 5.2.3 to 5.2.5. Configuration file did not change. Just after the upgrade we noticed http/http traffic problems (from and to Internet) related to SSH/SSL inspection feature.
To get the http/https traffic back, we had first to activate SSH/SSL inspection in the policies affected (no SSH/SSL inspection activated before the upgrade). With other policies this workaround did not work. In the end we had to avoid any IPS, AV, Application control, SSH/SSL inspection configuration. Web Filtering was fine.
One week later (yesterday) we upgraded from 5.2.5 to 5.2.7. So far, so good. No problems noticed.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sorry. Just 3K users!!
- « Previous
- Next »