Support Forum
ergotherego
Contributor II

FMG 5.6.6 issues experienced

We recently upgraded to FMG 5.6.6 and here are some issues we experienced and the resolution path I took. In my case, these were 150 FortiGates in a single ADOM, all running 5.6.5. Most HA, some not. Most with VDOMs, some not.

These were all "endless pushes" - FMG "successfully" pushed these changes down, but they never stuck and so FMG kept wanting to push them over and over again. The bigger issue we experienced is that our FGTs running ADOMs would trip the Config Modified flag against the device (not a VDOM) after pushing policy changes. So you would push PP changes to a VDOM, then the device would show modified with these pending changes. And the only way to temporarily clear the flag was to do an Install Config - Install Wizard wouldn't clear the flag.

-------

Issue #1: Entrust CA certificate

FMG kept wanting to push down an apparently new Entrust CA certificate - the name of the certificate actually had Entrust in the name. I didn't save the configs it wanted to push, but it was tied in to FortiGuard. The issue is that the push showed successful, but FMG kept wanting to push it anyway. I couldn't find this certificate in FMG or on the affected FGTs.

Solution #1: Retrieve config from the FGT within FMG

Note #1: A possibly related issue was the length of the cert name. I didn't count the characters, but it was pretty long. And I have seen issues before with long certificate names failing to push.

-------

Issue #2: FortiAnalyzer upload settings

FMG kept wanting to change the FAZ upload settings. The FGT would have real-time set, but FMG would want to reset it to 5 minutes.

Solution #2: Within FMG, (re-)adjust your FAZ settings to what is desired. In my case, the FGT locally showed real-time upload, but FMG had 5 minutes. I reset FMG for every firewall to be real-time and the changes stuck.

-------

Issue #3: FMG wanting to reset the admin-server-cert to Fortinet_Factory

Both FMG and FGT had the built-in Fortinet_Factory set for WebUI access. But FMG kept wanting to reset that setting. I couldn't find a certificate with that name in FMG, and if I tried to create it, it complained about a duplicate object. This was the biggest issue to solve.

Solution #3: We already had FortiAuth set up as an internal CA. So I created certs, uploaded them locally to each firewall, and then within FMG told each firewall to use that cert under Admin Settings.

Note #3: I have seen issues like this in previous new releases of FMG. My hunch is that the Devs are working on adding actual/proper certificate management/storage capabilities into FMG, and this is an interim code update towards that goal. They did the same thing back in early releases of FMG 5.4, when they moved local-in-policy from being a CLI-only object to being handled by a Policy Package. There was an interim release where you couldn't manage LIPs at all from FMG.

-------
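As an added illustration (not part of the original post, and not Fortinet's own documentation), these FortiGate CLI checks show how to compare the device's running values for the two settings that drifted in Issues #2 and #3 against what FMG expects, and how to list config lines the FortiGate rejected during an install. The FAZ address and the certificate name are assumed placeholders.

```fortios
# Added example: run from the FortiGate CLI. On a VDOM-enabled unit enter
# "config global" first; these settings live in the global context.

# Issue #2 - FortiAnalyzer upload interval. The running value on the FGT
# must match what FMG's device settings show, or FMG keeps re-pushing it.
show full-configuration log fortianalyzer setting
#   set upload-option realtime   <- what the post's FGTs actually had
#   set upload-option 5-minute   <- what FMG kept trying to push

# Desired state from Solution #2. Whether applied from FMG or locally,
# FMG's copy must be made to match (Retrieve Config if you set it locally).
config log fortianalyzer setting
    set status enable
    set server "192.0.2.10"          # placeholder FAZ address (assumed)
    set upload-option realtime
end

# Issue #3 - certificate used for the admin GUI.
show full-configuration system global | grep admin-server-cert
#   set admin-server-cert "Fortinet_Factory"

# Solution #3: after importing a FortiAuthenticator-issued certificate
# locally, point the GUI at it; FMG's Admin Settings for the device should
# then reference the same certificate name.
config system global
    set admin-server-cert "FGT-GUI-Cert"   # assumed certificate name
end

# General check for any "endless push": lines the FGT rejected during the
# last install. A push can report success in FMG while a rejected line
# here is exactly the setting that never sticks.
diagnose debug config-error-log read
```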

chall_FTNT
Staff

The Entrust CA certificate issue is likely due to the recent certificate bundle update via FortiGuard: http://kb.fortinet.com/kb...amp;externalId=FD43659

Chris Hall
Fortinet Technical Support
yforti

I encountered something bizarre when I was doing a cut-over for a client, albeit I am not certain if it's a bug or not in 5.6.6. The customer already had FortiGate 111C in production but those units are EOL so we proposed to replace them with FortiGate 100E.

I upgraded the HA pair FortiGate 100E to 5.6.6 before deploying them into the production network, and after bringing the units online, whatever (outbound/inbound NAT, IPsec tunnels) was using the secondary public IP configured on the WAN interface just stopped working. I could see traffic leaving the FortiGate but couldn't see anything coming back. I verified that routes, IP pools, VIPs, tunnels and policies were configured correctly and all was good.

I am still perplexed as to why it all works on the old FGTs but is unable to traverse to and from the new devices.

chall_FTNT

Looks like your issue is more a FortiGate one. Best to post in a FortiGate forum, perhaps "Routing and Transparent Mode".

Chris Hall
Fortinet Technical Support