FortiOS 6.0.5 is out!

Page: 12 > Showing page 1 of 2
Hosemacht
Bronze Member
2019/05/14 23:31:51 (permalink)

FortiOS 6.0.5 is out!

Many bug fixes, but no TLS 1.3 mentioned.
 
https://docs.fortinet.com.../fortios-release-notes
#1
kerya
New Member
Re: FortiOS 6.0.5 is out! 2019/05/15 03:09:52 (permalink)
Does it have WFQ and WRED?
#2
Hosemacht
Bronze Member
Re: FortiOS 6.0.5 is out! 2019/05/15 03:59:43 (permalink)
WFQ and WRED?
#3
streeb2021
New Member
Re: FortiOS 6.0.5 is out! 2019/05/15 04:44:55 (permalink)
Is anyone else slightly concerned about the number of bug fixes in this release, despite it being the fifth point release on 6.0.x? This erodes confidence somewhat when you have nearly thirty fixes in the SSL VPN module alone.
 
I actually had a FTNT account manager in a previous role tell me not to touch code for production until the fourth point release, but maybe we are looking at the fifth now? Fewer releases but sounder code would be my preference, or maybe I am being naive.
 
 
#4
ddskier
Gold Member
Re: FortiOS 6.0.5 is out! 2019/05/15 07:28:37 (permalink)
I would agree with the account manager. I have been using FortiGate since version 2.8 and it always took until patch 4 or 5 to become stable enough for production use. Heck, v5.2 took until patch 8.

-DDSkier

FCNSA, FCNSP
FortiGate 400D, (2) 200D, (12) 100D, (2) 60D
#5
tanr
Platinum Member
Re: FortiOS 6.0.5 is out! 2019/05/15 07:55:15 (permalink)
Looks promising. Two gotchas to be aware of for those upgrading:
 
473075 - When upgrading, multicast policies are lost when there is a zone member as interface.
481408 - When upgrading from 5.6.3 to 6.0.0, the IPv6 policy is lost if there is an SD-WAN member as interface.
#6
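Added example (editor's, not code from any poster in this thread or from Fortinet): the two upgrade bugs quoted above are exactly the kind of silent policy loss you want to catch by diffing the config backup taken before the upgrade against one taken after. This Python script parses the FortiOS CLI config format (config / edit / set / next / end) into tables, flags multicast policies that reference a zone member and IPv6 policies that reference an SD-WAN member before you upgrade, and lists entries that have disappeared afterwards. The two sample backups are constructed and abridged, and the reading of the triggers as "the policy names the member interface directly" is an assumption, not something the release notes spell out.

```python
import shlex


def parse_fortios_config(text):
    """Parse FortiOS CLI config into {table_path: {entry_id: {setting: [values]}}}.
    Nested blocks get paths like 'system virtual-wan-link / members'."""
    tables, frames = {}, []  # frames: one [path, entry_id, settings] per open block
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = shlex.split(line)
        kw, args = words[0], words[1:]
        if kw == "config":
            parent = ""
            if frames:
                path, eid, _ = frames[-1]
                parent = path + (f"[{eid}]" if eid is not None else "") + " / "
            frames.append([parent + " ".join(args), None, None])
            tables.setdefault(frames[-1][0], {})
        elif kw == "edit" and frames:
            frames[-1][1], frames[-1][2] = args[0], {}
        elif kw == "set" and frames and frames[-1][2] is not None:
            frames[-1][2][args[0]] = args[1:]  # 'set' outside an 'edit' is skipped
        elif kw == "next" and frames and frames[-1][1] is not None:
            path, eid, settings = frames[-1]
            tables[path][eid] = settings
            frames[-1][1], frames[-1][2] = None, None
        elif kw == "end" and frames:
            frames.pop()
    return tables


def member_interfaces(cfg, table_suffix):
    """Every interface named by entries of tables whose path ends in table_suffix."""
    members = set()
    for path, entries in cfg.items():
        if path.endswith(table_suffix):
            for entry in entries.values():
                members.update(entry.get("interface", []))
    return members


def policies_at_risk(cfg):
    """Pre-upgrade: policy ids matching the two release-note triggers (assumed here to
    mean the policy names a zone / SD-WAN member interface directly)."""
    triggers = {
        "firewall multicast-policy": member_interfaces(cfg, "system zone"),                # 473075
        "firewall policy6": member_interfaces(cfg, "system virtual-wan-link / members"),   # 481408
    }
    risky = {}
    for table, members in triggers.items():
        risky[table] = sorted(
            pid for pid, s in cfg.get(table, {}).items()
            if (set(s.get("srcintf", [])) | set(s.get("dstintf", []))) & members)
    return risky


def lost_entries(pre_cfg, post_cfg, table):
    """Post-upgrade: entry ids in the pre-upgrade backup that are gone afterwards."""
    return sorted(set(pre_cfg.get(table, {})) - set(post_cfg.get(table, {})))


# Constructed pre-upgrade backup (abridged): port3 is a zone member, wan1 an SD-WAN member.
PRE_UPGRADE = """\
config system zone
    edit "dmz"
        set interface "port3" "port4"
    next
end
config system virtual-wan-link
    config members
        edit 1
            set interface "wan1"
        next
    end
end
config firewall multicast-policy
    edit 1
        set srcintf "port3"
        set dstintf "internal"
    next
end
config firewall policy6
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
    next
end
"""

# Constructed post-upgrade backup, policy tables only: both flagged entries are gone.
POST_UPGRADE = """\
config firewall multicast-policy
end
config firewall policy6
end
"""


def upgrade_report(pre_text, post_text):
    pre, post = parse_fortios_config(pre_text), parse_fortios_config(post_text)
    at_risk = policies_at_risk(pre)
    return {"at_risk": at_risk, "lost": {t: lost_entries(pre, post, t) for t in at_risk}}
```

Run policies_at_risk on the backup you take before the upgrade, then upgrade_report on the pair afterwards; anything in "lost" has to be re-created by hand before traffic relies on it.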
Mosabon
New Member
Re: FortiOS 6.0.5 is out! 2019/05/15 09:49:45 (permalink)
TLS 1.3 is supported starting from FortiOS v6.2, I heard, but I haven't checked so far.
#7
simonorch
Gold Member
Re: FortiOS 6.0.5 is out! 2019/05/15 12:49:41 (permalink)
With regard to the question about 'stable' releases, in my experience the answer is, it depends. I've rolled out a 600+ 60D deployment that we piloted on 5.2.0 and went into production on 5.2.1 with no issues whatsoever; it all depends on your use case. If you're not going to use SSL VPN then a buggy SSL VPN is irrelevant to you.
 
Depending on the scenario and potential risks of upgrading to a new MR later on, I would much prefer to roll out an earlier version of a major release, after testing, with a view that it will stay on that MR for several years.

NSE8
Fortinet platinum partner - Norway
#8
seadave
Platinum Member
Re: FortiOS 6.0.5 is out! 2019/05/15 18:37:57 (permalink)
streeb2021 wrote:
Is anyone else slightly concerned about the number of bug fixes in this release, despite it being the fifth point release on 6.0.x? This erodes confidence somewhat when you have nearly thirty fixes in the SSL VPN module alone.
 
I actually had a FTNT account manager in a previous role tell me not to touch code for production until the fourth point release, but maybe we are looking at the fifth now? Fewer releases but sounder code would be my preference, or maybe I am being naive.


I totally agree that more recent releases seem to contain more known issues than fixes, which is disconcerting. You are absolutely right to wait until at least .3 or .4 and to TEST with backups! My experience, YMMV, is that I have a FWF-60E at home. 6.0.4 caused it to lose DNS for some reason and the only resolution I could find was to migrate back to 6.0.3, and it has been stable ever since. BUT this is a very low traffic device NOT doing SSL inspection NOR VPN. Only basic firewall tasks with one FSW-108D-POE and FortiAP-221C.
 
At work we just deployed 501Es in Active/Passive mode with DPI and ~100 policies.  We took a config from 5.6.8 on a 500D and upgraded it to 6.0.3 on the 501Es.  NOT A TASK FOR THE FAINT OF HEART.  But we have lots of CLI experience and have done so in the past.  It has been running very well with two issues. 
 
For whatever reason, Chrome does not like to display screens with lists such as policies, addresses, or logs in our instance of 6.0.3.  Kind of an issue!  The workaround for us is to use Firefox and that works fine.
 
The other issue is we have a legacy app that requires IE11.  If a user is using the SSLVPN Portal and a RDP connection, clicking on an IE11 tab will kill the session.  A VERY ODD issue, but TAC indicates a known problem.
 
I found an internal ticket referencing this issue (Mantis #0519121). As confirmed by our DEV/QA SSLVPN web mode does not support/handle IE very well on 6.0 FortiOS. This is something that will improve and get fixed in future patches.
 
It does not appear to be fixed in 6.0.5.  So other than these two issues, two 501Es in HA with 6.0.3 has been very stable.  We have approximately 300 users accessing a 1G connection with lots of filters and controls enabled.  We also have lots of users using VPN.
 
I think too few folks consider the horsepower of their unit when considering updates.  The bigger firewalls with D or E chips will run better than a smaller D.  Use the feature selection gui and disable things like Wifi and Switch control if you are not using them.  It is frustrating but sometimes you just have to sit back and wait for a later, more stable release than what is currently available.  I'd love to try 6.2 but I'm not touching it until .4 or .5 comes out.  Release notes and these forums will indicate when the time is right.
 
#9
thuynh_FTNT
Bronze Member
Re: FortiOS 6.0.5 is out! 2019/05/16 21:49:21 (permalink)
Hi Seadave, thank you for your constructive feedback.

>For whatever reason, Chrome does not like to display screens with lists such as policies, addresses, or logs in our instance of 6.0.3.  Kind of an issue!  The workaround for us is to use Firefox and that works fine.

Yes, this is a known issue in 6.0.3 (M0527700) and we already fixed it in 6.0.4.
#10
ddskier
Gold Member
Re: FortiOS 6.0.5 is out! 2019/05/21 07:10:48 (permalink)
Any further feedback on 6.0.5? Does the community feel that this is stable enough? (SSL VPN, BGP, AV, etc.)

-DDSkier

FCNSA, FCNSP
FortiGate 400D, (2) 200D, (12) 100D, (2) 60D
#11
James_G
Silver Member
Re: FortiOS 6.0.5 is out! 2019/05/24 01:57:09 (permalink)
Patched a couple of FGT50E units that I had issues with hitting conserve mode on 6.0.4; after 48 hours memory is still at 37% on the units, so looking good.
 
Will be scheduling in patching the rest of the estate from 6.0.4 to 6.0.5.
#12
streeb2021
New Member
Re: FortiOS 6.0.5 is out! 2019/05/24 08:02:52 (permalink)
We have hit an issue with matching on multiple RADIUS fortinet-groups returned from a FortiAuthenticator instance for SSL VPN users. Basically 6.0.5 appears to be only accepting one group and ignoring the rest. FTNT has reproduced on their side and tied it to known bug 0554529 seen in 6.2.0 and fixed in 6.2.1. 
 
#13
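Added example (editor's, not code from FTNT or from any poster): the bug described above is about what the FortiGate does when an Access-Accept carries more than one Fortinet-Group-Name. When you need to confirm what FortiAuthenticator actually returned, decoding the reply yourself is more reliable than reading the firewall's debug output. The Python below builds a constructed Access-Accept with two groups, walks the RADIUS attributes with length checks, and pulls every Fortinet-Group-Name out of the Vendor-Specific attributes (type 26, Fortinet enterprise number 12356, vendor sub-attribute 1), whether the groups arrive one per VSA or packed into a single VSA. The group names and the "allowed" set are made up.

```python
import struct

ATTR_VENDOR_SPECIFIC = 26      # RFC 2865 Vendor-Specific attribute
CODE_ACCESS_ACCEPT = 2
FORTINET_VENDOR_ID = 12356     # Fortinet's IANA enterprise number
FORTINET_GROUP_NAME = 1        # Fortinet-Group-Name vendor sub-attribute (string)


def build_access_accept(identifier, authenticator, groups, packed=False):
    """Constructed Access-Accept carrying one Fortinet-Group-Name per group, either one
    VSA per group or all vendor sub-attributes packed into a single VSA."""
    assert len(authenticator) == 16
    subs = [struct.pack("!BB", FORTINET_GROUP_NAME, 2 + len(g.encode())) + g.encode()
            for g in groups]
    chunks = [b"".join(subs)] if packed else subs
    attrs = b"".join(struct.pack("!BBI", ATTR_VENDOR_SPECIFIC, 6 + len(c), FORTINET_VENDOR_ID) + c
                     for c in chunks)
    header = struct.pack("!BBH", CODE_ACCESS_ACCEPT, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def radius_attributes(packet):
    """Yield (type, value) for each top-level attribute, length-checking every step."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header at offset %d" % pos)
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        yield atype, packet[pos + 2:pos + alen]
        pos += alen


def fortinet_group_names(packet):
    """Every Fortinet-Group-Name in the reply, in wire order, not just the first one."""
    groups = []
    for atype, value in radius_attributes(packet):
        if atype != ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != FORTINET_VENDOR_ID:
            continue
        sub = value[4:]                    # one or more vendor sub-attributes
        while len(sub) >= 2:
            vtype, vlen = sub[0], sub[1]
            if vlen < 2 or vlen > len(sub):
                raise ValueError("malformed vendor sub-attribute")
            if vtype == FORTINET_GROUP_NAME:
                groups.append(sub[2:vlen].decode("utf-8", "replace"))
            sub = sub[vlen:]
    return groups


def matching_groups(packet, allowed):
    """Groups a policy may match the user on: the intersection of everything returned
    with the allowed set, so a user whose second group is the allowed one still matches."""
    return set(fortinet_group_names(packet)) & set(allowed)


if __name__ == "__main__":
    reply = build_access_accept(7, bytes(16), ["vpn-users", "vpn-admins"])  # constructed
    print(fortinet_group_names(reply), matching_groups(reply, {"vpn-admins"}))
```

A device that only honours the first group would match "vpn-users" here and drop a user whose policy is keyed on "vpn-admins"; the authenticator is left as zeros because this decoder does not verify the Response Authenticator, which needs the shared secret.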
tanr
Platinum Member
Re: FortiOS 6.0.5 is out! 2019/05/24 08:26:48 (permalink)
Hi streeb2021.
So the bug is only if a single user gets multiple fortinet-groups returned? 
Wanted to clarify as I'm planning to move us from 5.6.9 to 6.0.5 soon.
#14
ddskier
Gold Member
Re: FortiOS 6.0.5 is out! 2019/05/28 12:40:12 (permalink)
tanr wrote:
Hi streeb2021.
So the bug is only if a single user gets multiple fortinet-groups returned?
Wanted to clarify as I'm planning to move us from 5.6.9 to 6.0.5 soon.

I'm interested too, as 5.6.9 has a new vulnerability for which the only known resolution is to go to 6+:
https://fortiguard.com/psirt/FG-IR-19-034

-DDSkier

FCNSA, FCNSP
FortiGate 400D, (2) 200D, (12) 100D, (2) 60D
#15
Rami
New Member
Re: FortiOS 6.0.5 is out! 2019/06/03 04:13:23 (permalink)
ddskier wrote:
tanr wrote:
Hi streeb2021.
So the bug is only if a single user gets multiple fortinet-groups returned?
Wanted to clarify as I'm planning to move us from 5.6.9 to 6.0.5 soon.

I'm interested too, as 5.6.9 has a new vulnerability for which the only known resolution is to go to 6+:
https://fortiguard.com/psirt/FG-IR-19-034

How come I have no option to upgrade to 6.0.5 from 5.6.9? Only those with invalid upgrade paths appear.
Is there something I am doing wrong?
#16
tanr
Platinum Member
Re: FortiOS 6.0.5 is out! 2019/06/03 07:34:04 (permalink)
Are you checking the valid upgrade paths shown by the widget at https://support.fortinet.com/Download/FirmwareImages.aspx?
#17
seadave
Platinum Member
Re: FortiOS 6.0.5 is out! 2019/06/03 16:27:48 (permalink)
We moved to 6.0.5 from 6.0.3 for an A-P HA pair of 501Es.  We did this mainly because of the CVE notice related to SSL access vulns:
 
FortiOS system file leak through SSL VPN via specially crafted HTTP resource requests
https://fortiguard.com/psirt/FG-IR-18-384
 
Unauthenticated SSL VPN users password modification
https://fortiguard.com/psirt/FG-IR-18-389
 
We are using most features related to advanced routing and NGFW proxy mode, but not switch/wifi controller, Device ID, or spam filtering.  Two things I have seen:
 
My security rating went from +85 to -425.  Seems mainly to be related to logging which relates to our other issue.
We were logging all DNS traffic via a DNS filter applied to traffic from our DNS servers.  This worked fine in 6.0.3, but has stopped cold in 6.0.5.  I have tried to disable/re-enable but no logs.  FAZ shows last event received right after update.  Using Splunk and a timechart I can clearly see a decrease in the amount and specific types of logs.
 
Release notes indicate there is a similar bug: 412649 - In NGFW Policy mode, FortiGate does not create web filter logs.
 
but we still see webfilter logs.  We have a decrease in all logs, but mainly the subtypes:
 
app-ctrl
dns-query
dns-response
 
I have opened ticket 3316524 with the TAC.
post edited by seadave - 2019/06/03 16:40:08
#18
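Added example (editor's, not seadave's Splunk search and not anything from Fortinet): the quickest way to confirm a post-upgrade logging drop like the one described above, without a SIEM, is to count FortiGate syslog events per bucket for a window before and after the change and flag the buckets that fell off. The Python below parses the key="value" syslog format, buckets DNS filter logs by eventtype (dns-query / dns-response) and everything else by subtype (that bucketing is my assumption, chosen to match the list of subtypes in the post), and reports anything that dropped by more than half. The log lines are constructed and abbreviated, not real FortiGate output.

```python
import re
from collections import Counter

# key=value pairs; quoted values may contain spaces and backslash-escaped quotes
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate_log(line):
    """Turn one FortiGate syslog line into a dict of its key=value fields."""
    fields = {}
    for key, val in KV_RE.findall(line):
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]
        fields[key] = val
    return fields


def log_label(fields):
    """Bucket for counting: DNS filter logs by eventtype (dns-query / dns-response),
    everything else by subtype. Assumed bucketing, chosen to match the list above."""
    subtype = fields.get("subtype", "unknown")
    return fields.get("eventtype", subtype) if subtype == "dns" else subtype


def count_by_label(lines):
    return Counter(log_label(parse_fortigate_log(l)) for l in lines if l.strip())


def dropped_labels(before, after, min_drop=0.5):
    """Buckets whose volume fell by more than min_drop (a fraction), or vanished."""
    drops = {}
    for label, n_before in before.items():
        n_after = after.get(label, 0)
        if n_before and (n_before - n_after) / n_before > min_drop:
            drops[label] = (n_before, n_after)
    return drops


def logging_regression(before_lines, after_lines, min_drop=0.5):
    return dropped_labels(count_by_label(before_lines), count_by_label(after_lines), min_drop)


# Constructed, abbreviated log lines: the pre-upgrade window ...
BEFORE = """\
date=2019-06-01 time=10:00:01 type="utm" subtype="dns" eventtype="dns-query" srcip=10.0.0.5 qname="example.com"
date=2019-06-01 time=10:00:01 type="utm" subtype="dns" eventtype="dns-response" srcip=10.0.0.5 qname="example.com"
date=2019-06-01 time=10:00:02 type="utm" subtype="app-ctrl" eventtype="signature" app="HTTPS.BROWSER"
date=2019-06-01 time=10:00:03 type="utm" subtype="webfilter" eventtype="ftgd_allow" url="/"
date=2019-06-01 time=10:00:03 type="traffic" subtype="forward" action="accept" msg="Connection closed"
date=2019-06-01 time=10:00:04 type="utm" subtype="dns" eventtype="dns-query" srcip=10.0.0.6 qname="fortinet.com"
date=2019-06-01 time=10:00:04 type="utm" subtype="dns" eventtype="dns-response" srcip=10.0.0.6 qname="fortinet.com"
date=2019-06-01 time=10:00:05 type="utm" subtype="app-ctrl" eventtype="signature" app="DNS"
date=2019-06-01 time=10:00:06 type="utm" subtype="webfilter" eventtype="ftgd_allow" url="/index.html"
date=2019-06-01 time=10:00:06 type="traffic" subtype="forward" action="accept" msg="Connection closed"
"""

# ... and the window after the upgrade, where only webfilter and traffic logs keep arriving.
AFTER = """\
date=2019-06-04 time=10:00:03 type="utm" subtype="webfilter" eventtype="ftgd_allow" url="/"
date=2019-06-04 time=10:00:03 type="traffic" subtype="forward" action="accept" msg="Connection closed"
date=2019-06-04 time=10:00:06 type="utm" subtype="webfilter" eventtype="ftgd_allow" url="/index.html"
date=2019-06-04 time=10:00:06 type="traffic" subtype="forward" action="accept" msg="Connection closed"
"""

if __name__ == "__main__":
    for label, (n0, n1) in sorted(logging_regression(BEFORE.splitlines(), AFTER.splitlines()).items()):
        print(f"{label}: {n0} -> {n1}")
```

Feed it two equally long windows exported from the syslog collector (or FortiAnalyzer); a bucket that shows up in the before window and not at all afterwards is the case to open with TAC, since a proportional drop across all buckets usually just means less traffic.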
Hosemacht
Bronze Member
Re: FortiOS 6.0.5 is out! 2019/06/04 08:01:02 (permalink)
We moved our AA cluster from 5.6.8 to 6.0.5 last week, no issues regarding DNS filter logs.
The only issue I saw was a decreased FortiAP performance after we moved them to 6.0.5 too.
The solution was to disable on-wire rogue AP scanning.
 
Maybe you mixed something up regarding NGFW Policy and DNS Filter: if you did not set your cluster in FLOW mode you cannot create NGFW policies.
Anyway this is a known issue since 5.6 I guess and still an issue even in 6.2.
 
 

sudo apt-get-rekt
#19
seadave
Platinum Member
Re: FortiOS 6.0.5 is out! 2019/06/04 09:29:18 (permalink)
Hmm. That is interesting. It was working fine for us in 6.0.3. We had a very clean config as we had to move from 500D to 501E, and thus we upgraded our 500D from 5.6 to 6.0.3 and then diffed, importing policy stanzas into the 501E before deploying in HA. We monitor our logs in Splunk. Before upgrading to 6.0.5, we were logging ~2G/day. Now ~1G/day. Will see what TAC says as I have sent them our config.
 
I don't understand this statement:
 
"Maybe you mixed something up regarding NGFW Policy and DNS Filter, if you did not set your Cluster in FLOW mode you cannot create NGFW Policies."
 
We do not use flow and have always used NGFW policies.  We are in AP and not AA mode, so perhaps that is the difference?
#20