Created on 05-12-2020 04:53 PM
If you're having connectivity issues, check if DoS sensor is enabled. If so, disable it completely. That should resolve the issue you're seeing.
Created on 05-26-2020 05:57 PM
I had a conversation with an FTNT SE today about 6.2.4 problems. The major issues seem to boil down to the three issues below:
1. DoS policy issue: It's still a known issue with 6.2.4 and not resolved, which is in the release notes.
2. IPS engine keeps crashing. A new engine is planned to be released soon. Then this would be resolved.
3. WAD memory leak issue is still not 100% resolved.
6.2.5 will fix these issues and come out relatively shortly, although he couldn't tell me any target date. He recommended waiting for 6.2.5. But likely 6.0.10 comes out before 6.2.5.
By the way, FMG/FAZ 6.2.4 was to just fix vulnerabilities. They wanted to release it ASAP without waiting for bug fixes. Then 6.2.5 came out right after that with bug fixes. It was just coincidental they came out one after another.
My issue was that I upgraded 200E to 6.2.4, 80E to 6.2.4 and FAZ to 6.2.5.
6.2.4 has a DoS issue which breaks VIPs.
6.2.X changes SSL Inspection w/ SSH, which broke DUO 2FA for me. The fix was easy, had to exclude the URL from inspection, but it took a bit to track down.
FAZ 6.2.5 had to have some reliability feature turned off to work with <100E FortiGates.
I also patched about 45 Windows servers the same weekend. #neveragain
It makes a difference if the rules are collapsed or the interface sections are expanded.
I updated a lab 50E with only 4 rules and it takes over 10 seconds to load the IPv4 policy if all rules are shown. Doh!
Hi @Toshi Esumi
The FWF50E was upgraded from 6.2.2 where FortiAPs were working correctly.
I've had some more feedback - it appears that the APs are in fact working, it's just that the FortiOS UI is showing them as grey whereas previously they were blue (2.4) and green (5).
Created on 05-19-2020 06:07 AM
I updated our 100D-HA-Cluster yesterday, 6.2.3 -> 6.2.4, everything worked fine, I thought.
After 7 hours the cluster IP went offline, no access to the cluster frontend or to both boxes directly!
Also there was no communication possible, tunnels (s2s, sslvpn, wifi), all "services" stopped.
We had to power off both via the hardware switch; after bringing them online again all seemed to work as well as in the first 7 hours, no problems were reported.
4 hours later the same error occurred, cluster offline, firewalls unreachable, had to hard turn off both boxes.
I've returned to 6.2.3, which is still annoying because of unstable s2s tunnels when the remote gateway isn't a FortiGate device, randomly turning the tunnel interfaces down and up.
Connection losses while returning to older firmware included, someone asked in another thread.
For your IPsec tunnels to non-FortiGate devices, do you have "set auto-negotiate enable" configured under the phase2?
For the 6.2.4 connection issues, disable DoS sensor if configured.
Hello Everyone, I wish I found this post before upgrading to 6.2.4 but at least I know now I'm not going crazy with the VIPs not working on my 200E.
I'm running 6.2.3 and it takes two attempts to connect to SSL VPN via FortiClient 6.0.9. Does anyone know if this is a known bug with 6.2.3?
Did anybody who had problems with connectivity issues on 6.2.4 try to disable the DoS sensor, as was suggested? Is this the reason for VIP, IPsec VPN, and interfaces being non-functional after some time?
If we are speaking about "Phase 2 Selectors -> Advanced -> Auto-negotiate", this isn't set active as of now.
But there wasn't such a problem in older ones; is this a new feature in 6.2.3?