I had a conversation with an FTNT SE today about 6.2.4 problems. The major issues seem to boil down to below three issues:
1. DoS policy issue: It's still an known issue with 6.2.4 and not resolved, which is in the release notes.
2. IPS engine keeps crashing. A new engine is planned to be released soon. Then this would be resolved.
3. WAD memory leak issue is still not 100% resolved.
6.2.5 will fix these issues and come out relatively shortly although he couldn't tell me any target date. He recommended to wait for 6.2.5. But likely 6.0.10 comes out before 6.2.5.
By the way, FMG/FAZ 6.2.4 was to just fix vulnerabilities. They wanted to release it ASAP without waiting for bug fixes. Then 6.2.5 came out right after that with bug fixes. It was just coincidental they came out one after another.
This is consistent with the delays I've been seeing with 6.4.2 -- it was supposed to be out two weeks ago, then got pushed, then got pushed again. Still waiting to see if it comes out this week or not. If they actually do fix the issues that I have 3 tickets open about, I would suggest jumping ahead to it and forgetting this 6.2.x disaster.
Upgraded 19 FGT100E plus 2 FG300E from 6.0.8 to 6.2.4 and one FMG from 6.2.1 to 6.2.5 plus my adom(s) to 6.2.
The first FGT are up with 6.2.4 for over one week now. Only issue I had on FGTs so far was that some of them lost their dns servers upon updating. Up to now no other issues were seen or reported on the FGTs here.
The more issues were with FMG and upgrading the adoms (as it was with all updates I did up to now).
DFMG 6.2.5 has quite a load of bugs concerning the global db. This prevented me from upgrading the adom until i removed /fixed a bunch of Fortinet default profiles/thingies in global db which I never touched or used anywhere.
We just use UTM profiles/cathegories from the global db.
Accoarding to TAC those are all known Bugs.
Additionally there were some changes that seemed to have caused conflicts producing weird errors on policy package deployment. A retrieve config fixed those so far.
Also there were some changes in behavement in FMG that caused deployment to fail because there now is things that were deployed without error in 6.2.1 but now error out.
Together with TAC I've found all that concerned me and I can now deploy it all without prolems again.
MIght have annother round of FGT Upgrading when 6.2.5 comes out for bugfixing.
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
We were operating a pair of 100D Hardware Appliances (v6.2.3 build 1066 GA), running HA in an Active/Passive configuration.
I noticed that the Events Log included a lot of entries regarding application crashes, specifically the IPS Engine.
Fortinet Support advised me to upgrade to 6.2.4 as there was a known issue with the installed version of the IPS Engine. I had been hesitant to do this based on the experiences of those posting here, but felt I had no real option other than carry out the upgrade.
As of this time (16 hours after upgrade) we have had no major issues. However, immediately after the upgrade completed there was something not quite right with DHCP. Our Fortigate assigns IP Addresses to the 100 Cisco Access Points in our wireless network. After the upgrade, I checked DHCP Monitor and could see no entries (normally there were 100).
As a test I rebooted a single access point and the DHCP Monitor log then showed a lot of entries with a Status of "Removed due to conflict". It appears that the Fortigate had forgotten the IP addresses it had handed out previously as it tried several addresses from the address pool in an effort to find a free one. If an address is marked as "Removed due to conflict" in the DHCP Monitor can it no longer be used? I'm afraid that when the access points renew their leases all addresses will have been exhausted.
I'm in the process of rebooting the access points, a few at a time and manually revoking those addresses marked 'removed'. This is proving to be quite a lengthy process, but seems to be my only option to ensure that the IP address pool is not exhausted.
I probably could have run the execute dhcp lease-clear all command from the CLI but was unsure if this would have worked. Would it have just forced the 100 APs to renew their existing IP Addresses?
Just thought I'd put this out there in case someone else encounters a similar issue.
hi everyone, I also updated from 6.2.3 to 6.2.4. Everything seemed to be working. But suddenly all the VIPs exposed on the WAN1 was not working, vpn ipsec and ssl all down. Internal web browsing ok, perfectly released from wan1, without any block.
the second IPS, on the other hand, was also reachable by VIPs.
The only solution is to restart the firewall 100D in HA.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.