emnoc
Esteemed Contributor III

v6.0 is here

I hope it's all good ;)

PCNSE NSE StrongSwan
romanr
Valued Contributor

Andy Bailey wrote:

I've been getting a "Failed to save some changes: Input value is invalid" message (shown in the attachment) when I try to modify a policy (for example, add an anti-spam profile to an existing policy).

Hey,

I don't have that problem - works fine for me since Beta 3.

Can you run the following on a command line while you try to modify a policy:

diag deb reset
diag deb ena
diag deb cli 8

... and post the output.

Br,

Roman


Jordan_Thompson_FTNT

romanr wrote:

Andy Bailey wrote:

I've been getting a "Failed to save some changes: Input value is invalid" message (shown in the attachment) when I try to modify a policy (for example, add an anti-spam profile to an existing policy).

Can you run the following on a command line while you try to modify a policy:

diag deb reset
diag deb ena
diag deb cli 8

... and post the output.

In addition, please enable "diag debug app httpsd -1" and include that output.


thuynh_FTNT

Andy Bailey wrote:

I've attached the output you requested, Roman and Jordan. Thanks for your help.

Nothing really obvious for me. I tried opening the policy and then clicking OK (no changes), and again (no changes): same result both times. I tried Edge instead of Firefox too; no change there either.

The key lines seem to be:

[httpsd 9510 - 1522869450    error] cmdb_commit_from_json[1426] -- error saving request object to CLI (-651)
[httpsd 9510 - 1522869450    error] _api_cmdb_v2_config[1137] -- error editing object (nret=-651)
[httpsd 9510 - 1522869450    error] api_return_http_result[516] -- API error -651 raised

Interestingly, I can delete policies. I just tried deleting a couple of unused policies and that worked fine (highlighted from the "IPv4 Policy" list and then just delete).

Any other ideas?

Hi Andy, we've tried with several FGTs and were unable to reproduce your issue. It looks like it's specific to your config after the upgrade. From your CLI debug output, the CLI is rejecting the change (any policy edit save) from the GUI:

0: config firewall policy
0: edit 15
0: set ssl-ssh-profile "SSL Certs-Block Untrusted\\Invalid"
-651: end

Here are a few other things to try:

1. Can you use the CLI to edit a policy? You can use the above commands to see further errors reported by the CLI.

2. Can you use the GUI to create a new policy? If not, please also include the CLI and httpsd debug messages.

3. Does this happen to any policy edit via the GUI?

4. Can you check if your interfaces are correctly upgraded?

5. Which FGT model are you using? If possible, can you share your full config with us? You can email me the config at thuynh@fortinet.com

Tri
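The "diag deb cli 8" transcript quoted above can be scanned mechanically for the first rejected command instead of reading it by eye. The following is an added example, not code from the thread or from Fortinet: it splits a transcript whose "<rc>: command" pairs were pasted onto one line, tracks the config/edit nesting, reports the first non-zero return code together with the commands staged in that block, and pulls the API error code out of the httpsd line so the two can be cross-checked. The sample input is constructed from the lines quoted in this thread; the line formats are assumed from those quotes only.

```python
import re
from typing import Dict, List, Optional

# "diag deb cli 8" prints "<rc>: <command>" for every command the CLI runs;
# a non-zero rc marks the command the CLI rejected (-651 in the thread above).
CLI_LINE = re.compile(r"^\s*(-?\d+):\s*(.+?)\s*$")
# httpsd debug reports the same failure as "API error <code> raised".
HTTPSD_ERR = re.compile(r"API error (-?\d+) raised")

# Constructed sample input, taken from the lines quoted in the thread.
SAMPLE_CLI = ('0: config firewall policy 0: edit 15 '
              '0: set ssl-ssh-profile "SSL Certs-Block Untrusted\\\\Invalid" -651: end')
SAMPLE_HTTPSD = ("[httpsd 9510 - 1522869450    error] api_return_http_result[516] "
                 "-- API error -651 raised")

def split_transcript(text: str) -> List[str]:
    """Break a transcript whose '<rc>: cmd' pairs were pasted onto one line."""
    return [l for l in re.sub(r"\s+(?=-?\d+:\s)", "\n", text).splitlines() if l.strip()]

def find_rejected_command(transcript: str) -> Optional[Dict[str, object]]:
    """First non-zero-rc command, with its config/edit path and the commands
    staged in that block; None when every command returned 0."""
    path: List[str] = []    # e.g. ["config firewall policy", "edit 15"]
    staged: List[str] = []  # commands issued inside the innermost block
    for line in split_transcript(transcript):
        m = CLI_LINE.match(line)
        if not m:
            continue  # prompt echo or other non-command output
        rc, cmd = int(m.group(1)), m.group(2)
        if rc != 0:
            return {"rc": rc, "command": cmd, "path": " / ".join(path), "staged": staged}
        if cmd.startswith(("config ", "edit ")):
            path.append(cmd)
            staged = []
        elif cmd == "next":  # leaves the current edit block only
            if path and path[-1].startswith("edit "):
                path.pop()
        elif cmd == "end":   # leaves the config block, any open edit included
            while path and not path.pop().startswith("config "):
                pass
        else:
            staged.append(cmd)
    return None

def httpsd_error_code(log: str) -> Optional[int]:
    """API error code from httpsd debug output, or None if none was raised."""
    m = HTTPSD_ERR.search(log)
    return int(m.group(1)) if m else None
```

For the thread's transcript this reports the rejected "end" under "config firewall policy / edit 15" with the ssl-ssh-profile line as the only staged change, and the httpsd code matches it.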

sam91
New Contributor

X-HUB (root) # diag ip router bgp show
BGP debugging status:
  BGP debugging is on
  BGP nsm debugging is on
  BGP events debugging is on
  BGP keepalives debugging is on
  BGP updates debugging is on
  BGP fsm debugging is on
  BGP filter debugging is on
  BGP Route Flap Dampening debugging is on
  BGP debug level: INFO
X-HUB (root) # exec router clear bgp all
BGP: 169.254.255.2-Outgoing [FSM] State: Idle Event: 35

X-HUB (root) # BGP: 169.254.255.6-Outgoing [FSM] State: Idle Event: 35
BGP: 172.23.255.1-Outgoing [FSM] State: Active Event: 35
BGP: 172.23.255.32-Outgoing [FSM] State: Active Event: 35
BGP: 172.23.255.1-Outgoing [FSM] State: Idle Event: 3
BGP: 172.23.255.1-Outgoing [NETWORK] FD=24, Sock Status: 113-No route to host
BGP: 172.23.255.1-Outgoing [FSM] State: Connect Event: 18
BGP: [RIB] Scanning BGP Network Routes...
BGP: NSM Message Header
BGP: VR ID: 4
BGP: VRF ID: 0
BGP: Message type: IPv4 Route (31)
BGP: Message length: 44
BGP: Message ID: 0x000001c3
BGP: NSM IPv4 route add
BGP: Flags: 1
BGP: Route: 10.30.1.0/24
BGP: Type: 2
BGP: Metric: 0
BGP: Distance: 0
BGP: Nexthop: 0.0.0.0 ifindex 10
BGP: [RIB] Scanning BGP RIB...
BGP: 172.23.255.32-Outgoing [FSM] State: Idle Event: 3
BGP: 169.254.255.6-Outgoing [FSM] State: Idle Event: 3
BGP: 169.254.255.2-Outgoing [FSM] State: Idle Event: 3
BGP: 172.23.255.32-Outgoing [NETWORK] FD=24, Sock Status: 113-No route to host
BGP: 172.23.255.32-Outgoing [FSM] State: Connect Event: 18
BGP: [RIB] Scanning BGP Network Routes...
BGP: NSM Message Header
BGP: VR ID: 4
BGP: VRF ID: 0
BGP: Message type: IPv4 Route (31)
BGP: Message length: 44
BGP: Message ID: 0x000001c4
BGP: NSM IPv4 route add
BGP: Flags: 1
BGP: Route: 10.30.1.0/24
BGP: Type: 2
BGP: Metric: 0
BGP: Distance: 0
BGP: Nexthop: 0.0.0.0 ifindex 10

X-HUB (root) # get router info routing-table all

Routing table for VRF=0
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

S* 0.0.0.0/0 [10/0] via 200.200.1.254, port6
S 10.6.255.2/32 [10/0] via 10.6.255.62, port5
C 10.6.255.48/28 is directly connected, port5
S 10.30.0.0/16 [10/0] via 10.30.1.100, port8
R 10.30.0.0/24 [120/2] via 10.30.1.100, port8, 01:40:20
C 10.30.1.0/24 is directly connected, port8
C 169.254.255.0/30 is directly connected, root-INETv40
C 169.254.255.1/32 is directly connected, root-INETv40
C 169.254.255.4/30 is directly connected, root-MPLS0
C 169.254.255.5/32 is directly connected, root-MPLS0
C 200.200.1.0/24 is directly connected, port6


X-HUB (root) #

:(

kurtli_FTNT

Hi SEI,

I am trying to reproduce your issues in the lab. But first, I want to make sure what the diagram is. For issues #1~5, is there only a 1200D-HA a-a in the middle, or does traffic go to the 1200D HA first and then the 500E as well? Or the 500E first, then the 1200D? In the latter two cases, is any type of tunnel used between the 1200D-HA and the 500E?

As to "finally we found the FGT1200D is actively closing connections!", do you have any diagnostics that you can share with us? E.g. captures from 'diag sniffer', or the session table and other debug messages, and so on.

Thanks

SEI
New Contributor II

Hello kurtli_FTNT

Please find attached the diagram.

All 3 branches connect with their WAN ports over "Private Ethernet" 1 GBit/s lines to dedicated ports on the edge 1200D cluster (no tunnels, encryption, ... involved).

Unfortunately I cannot provide you with any diagnostics/debugs; as I mentioned, nothing pointed to the FortiGates.

Finally, since our UPSs are connected to the network, their connection drops (port closures) were easy to analyze. As they connect to the monitoring server in another VLAN, we just had to "bypass" the FGT and the problem disappeared.

(That is also the reason why we did not open a ticket: we cannot reproduce it, as we downgraded to 5.6.3, and have no diagnostics to provide.)

Thank YOU

kurtli_FTNT

Hi SEI,

Thanks. I think I can simplify it to 'branch----500E-----1200HA----Internet'. I will get back to you once I get the results.

Regards

kurtli_FTNT

Hi ghorchem,

Regarding "When I did the upgrade from 5.6.2 SSL VPN host check failed using the latest web browsers", I suppose you were using the host check with web mode, right? Since build0060, when 'skip-check-for-unsupport-browser' is enabled, the FGT doesn't do the host check for browsers anymore. This change only applies to web mode, not tunnel mode.

Regards

ghorchem
New Contributor III

I have skip-check-for-unsupport-browser disabled; it won't let me log in from any web browser, including the most up-to-date versions of IE 11 on Windows 7/10 and Edge on Windows 10. So I have to enable it even though I'm using a supported web browser.

kurtli_FTNT

Yes, like I said before, this feature is now for tunnel mode only. For web mode, due to the phasing out of Java support in modern browsers, disabling it means no browsers will be allowed, while enabling it means all browsers can pass through.

kurtli_FTNT

Hi Storaid,

Thanks for your findings. Regarding the points below:

"1. can not add additional MACs for device object"

---This is a known issue and we already have a bug to track it.

"2. device type: Windows Device"

---This usually depends on how much/what kind of traffic is sent out from the client. The more traffic is sent out, the better the FGT can recognize it. In my environment, I can see that Windows 10 is recognized well in "OS" after surfing youtube and yahoo for a couple of minutes.

===

category 6 'Windows Device' src quic id 29 gen 13 type 17 'Windows PC' src quic id 29 gen 13 os 'Windows 10 / 2016' version '' src quic id 29

===

kurtli_FTNT

Hi rkhair,

When the "web Rating overrides" is not working, what inspection mode are you using, flow or proxy? If it's flow, can you try using proxy and see if it works?

Regards

SMabille

Hi,

I'm having web rating overrides not working in proxy mode; I didn't test flow mode.

Best regards,

Stephane

kurtli_FTNT wrote:

Hi rkhair,

When the "web Rating overrides" is not working, what inspection mode are you using, flow or proxy? If it's flow, can you try using proxy and see if it works?

Regards
