Wednesday, June 25, 2014

Fortinet FortiOS 5.2 upgrade woes

This is a quick informal update on the new Fortinet FortiOS 5.2 and the problems that I found over the first few days leading into my 5.2 GA upgrade attempts.

A lot of people are complaining of the CLI console being disabled after going to 5.2. I too just now found this to be true. I did a few 60D and 90D with no problems, and recently a FGT110C. The console is flat-out dead on the latter.

Note: I had to reformat and reload the image via TFTP, which was horrible.

Various other problems that are being a big pain in the A$$:

The SSLVPN enabling per interface has been a struggle, and any modifications to the listening-port numbers can cause the FortiGate to randomly select the numbers. So always review the configuration via CLI. This new one-page WebGUI configuration page was supposed to make things simpler, but I have to disagree.

Speaking of randomness, my FWF60D in my lab has started to revert back to its old name. I haven't figured that one out. Maybe it has a mind of its own.

(misc)

Various other statistics, like modem and FortiView statistics, are not resetting or are displaying weirdness. I have an ip/127.0.0.x present in my FortiView viewer that I'm trying to figure out :)

NOTE: I was really hoping FortiView would have a view by application and GEO-IP.

WiFi access on Mac OS X seems to be problematic upon re-establishments, and we didn't have these issues before 5.2 or pre-5.x versions. It's more problematic on Mac OS X 10.8.x than 10.9, so this leads me to start using the WifiDiagnostic utility. But so far I haven't found the cause(s).

Also, no Mac OS X 5.2 SSLVPN client. We have Windows and Linux covered, but Mac OS X missed the boat and that just plain sucks.

And the last big PITA: the WebGUI is way slower. It has nothing to do with the firewall loading or the appliance size. Example: a firewall with just under 40 sessions (most of that is DNS and the admin access), and some simple pages take a considerable time to load.
NOTE: My FWF50B running 3.0MR7p9 is faster :)

Stay tuned, I'm sure more things will probably be found. I hope Fortinet didn't rush this out the door to get the code out in the wild.

Ken Felix
Freelance Network/Security Engineer
kfelix  -----a----t---- Socpuppets ---dot---com

   ^    ^
=( ~ ~ )=
     /  \


  1. I'm scheduled to run an upgrade soon (to 5.2.1). I noticed this post was from back in June, when I believe 5.2.1 wasn't out yet. Have you upgraded to it, if so are the issues you encountered with 5.2 gone?

    I'd appreciate the feedback, thanks!


  2. Version v5.2.1,build0618,140915 (GA)

    Eddie, thanks for catching my blog.

    Yes, 5.2.1 has been out since mid-Sept. We've upgraded a few 60Ds and 100Ds.

    The WebGUI access is much better, and a few other issues seem resolved. I would suggest that you open a case for anything you find with TAC and post on the public support forum at URL

    My username on that site is Emnoc


    Ken Felix

  3. Ah, good to know, thanks! I wasn't aware of the Fortinet Forums, just signed up... unfortunately, I was surprised and disappointed they mailed me back my 'stock' forum password through email (plain-text, surprising for a security company). I had to go back and reset this stock password in every forum I have it on. *shakes head

    Thanks again for the info!

  4. That forum is very useful, but remember, if you need real support, you should have a contract and engage Fortinet TAC.

  5. Yep, sure do... I used them constantly, they're pretty good!