FortiOS 6.2.3 is out

James_G
Re: FortiOS 6.2.3 is out 2020/01/12 04:58:48 (permalink)
0
Ede, do you want me to check on a 51e with 6.2.3 tomorrow?
#21
Jirka
Re: FortiOS 6.2.3 is out 2020/01/12 07:02:27 (permalink) ☄ Helpfulby rete@meteoam.it 2020/01/22 03:53:59
4 (1)
Hi Ede,

yes, they do



 
Jirka

Attached Image(s)

#22
James_G
Re: FortiOS 6.2.3 is out 2020/01/12 08:03:03 (permalink) ☄ Helpfulby ipranger 2020/01/19 04:43:46
0
Awesome!
#23
justme
Re: FortiOS 6.2.3 is out 2020/01/13 06:29:57 (permalink)
0
Upgraded FGT-92D from 6.2.2 build 1010 to 6.2.3 build 1066 and had a few issues.
1. SSL management stopped working - there were no logs regarding httpsd startup failure; system global admin-server-cert was empty - had to reconfigure it from SSH;
2. Ever since the update (and later downgrade to 6.2.2) SSH key is recreated after a reboot. Can't find a log regarding it either;
3. The system is using PPPoE on uplink, had to manually change MTU on an email server behind it; downgrading back to 6.2.2 resolved the issue;
4. Have some issues with ipsec site2site connection, still looking what might be the cause.
#24
James_G
Re: FortiOS 6.2.3 is out 2020/01/13 08:29:25 (permalink)
0
Re IPSEC - it might be the same as the issue I found - had to add the following to config vpn ipsec phase1-interface
 
set net-device disable
 
I think 6.2.3 has an undocumented change in default behavior and now enables the setting by default
#25
JaapHoetmer
Re: FortiOS 6.2.3 is out 2020/01/14 04:18:29 (permalink) ☄ Helpfulby Tamiraa 2020/04/21 01:58:47
0
Hi there,
 
I have found an issue with 6.2.3 where emails with attachments sent from Outlook using SMTPS (465) were blocked. After disabling the UTM checks on the outbound policy the email functions returned to normal.
 
This firewall was upgraded Sunday the 12th, and the problem appeared on Monday morning the 13th. No other changes were performed on the firewall apart from the upgrade.
 

Kind regards,

Jaap
#26
Hosemacht
Re: FortiOS 6.2.3 is out 2020/01/14 08:21:35 (permalink)
0
Hi there,
 
are there any news about the device enforcement in Policies for FortiOS 6.2.3 or higher?

sudo apt-get-rekt
#27
Jirka
Re: FortiOS 6.2.3 is out 2020/01/14 08:23:57 (permalink)
0
the_giraffe_that_wasnt_president
Hi there,
 
are there any news about the device enforcement in Policies for FortiOS 6.2.3 or higher?


Unfortunately, no
#28
rete@meteoam.it
Re: FortiOS 6.2.3 is out 2020/01/16 08:26:03 (permalink)
0
sigmasoftcz
Hi Ede,

yes, they do



 
Jirka




Can you check if they now have "Redundant Interfaces" also?
Adding LACP support, that is technically way more complicated, but not simple port redundancy would be illogical.
#29
justme
Re: FortiOS 6.2.3 is out 2020/01/17 05:19:52 (permalink)
0
I am pretty much sure there's an issue or a change in packet processing defaults regarding packet size/mtu/fragmentation between FortiOS 6.2.2 and 6.2.3. I am using FGT92D with PPPoE uplink (8 bytes of overhead) on an ordinary Ethernet link (1500 MTU). The system is a gateway for some TCP based services (SSH, SMTP, POP3, IMAP, HTTPS, RDP, ...) behind a NAT (RFC1918 network) and when updating from 6.2.2 to 6.2.3 the connection drops when trying to let's say send an email over TLS, or even doing a "show full-configuration" over couple of SSH connections. I opened a ticket and did multiple tests with TAC Engineer and I am able to reproduce the issue every time when upgrading to 6.2.3. I could change tcp-mss-* values in every policy and/or set tcp-mss on an interface, but I'd really like the system would have the same processing of packets as it did in 6.2.2. Could someone that has a lab environment confirm this?
#30
ede_pfau
Re: FortiOS 6.2.3 is out 2020/01/19 03:24:53 (permalink)
0
@Jirka:
Hi Ede,

yes, they do
great! Good news for us desktop model users. Thanks a lot for testing.

Ede

" Kernel panic: Aiee, killing interrupt handler!"
#31
patrickdg
Re: FortiOS 6.2.3 is out 2020/01/20 03:07:52 (permalink)
0
justme
I am pretty much sure there's an issue or a change in packet processing defaults regarding packet size/mtu/fragmentation between FortiOS 6.2.2 and 6.2.3. 



I've the same behaviour with a 100F and PPPoE WAN Connection. Back to 6.2.2 and it's working again.
#32
Jannik
Re: FortiOS 6.2.3 is out 2020/01/23 03:10:35 (permalink)
0
So how is your experience with 6.2.3 so far? I run it on an active-active 61E HA Cluster. I noticed DNS Filter Server is "unreachable" under Network>DNS. This occurred on several FG models with customers' units... FG61E, FG30E, FG80E, I have an open case with Fortinet about that. Also very high memory usage while cpu is very low, <5% most of the time. FG enters conserve mode frequently.
post edited by Jannik - 2020/01/23 05:48:28
#33
Jackk
Re: FortiOS 6.2.3 is out 2020/01/23 10:05:23 (permalink)
0
i need the iso feel of fortigate
#34
JaapHoetmer
Re: FortiOS 6.2.3 is out 2020/01/23 12:06:50 (permalink)
0
Further to my earlier message, the release notes have been updated with a known issue that looks like it matches the issue we've seen with one of the firewalls we're managing. We have also fallen back to 6.2.2 and the problems have disappeared as a result.
 
https://docs.fortinet.com/document/fortigate/6.2.3/fortios-release-notes/236526/known-issues
 
605950
RDP and other applications affected (freezing, disconnecting) after upgrading to 6.2.3 due to no session match error.
 
We'll wait for a fix and remain on 6.2.2 until this issue has been fixed.

Kind regards,

Jaap
#35
Magnitude 8
Re: FortiOS 6.2.3 is out 2020/01/23 16:43:54 (permalink)
0
My experience with 6.2.3 hasn't been great.  I've upgraded two customers with 200E clusters from 6.2.2 and had intermittent issues with web pages not loading and Outlook disconnections from Exchange Online.  Have rolled one back to 6.2.2, which resolved the issues.  Might roll back the other one as well, but this will reintroduce issues with RDP of SSL VPN, so I'm a little reluctant.
#36
justme
Re: FortiOS 6.2.3 is out 2020/01/25 00:00:50 (permalink)
0
This is a response for my open ticket regarding connection drops on pppoe links... As the one I manage is a production system there's a procedure to deploy the solution, it's gonna take some time to upgrade from 6.2.2 to 6.2.3 (for the third or fifth attempt).
 
I have analyzed the logs provided and noticed the following (and I am also attaching the Wireshark captures):
- for FortiOS 6.2.3 the packet length increases so you have 1514 packet size which is not being fragmented by FGT.
- in both captures the flag of the packets sent is set to 1 : Don't fragment.
- in both 6.2.2 and 6.2.3 the option # set honor-df is enabled on FGT however it seems to be working as expected only on 6.2.3

So my conclusion would be that Honor-df was not working as expected in 6.2.2 but it does in 6.2.3 (that's why the packets are not being transmitted anymore). If enabled, "set honor-df" honors the information already set on DF-Bit and not change it. If the honor-df is set to disable, then FortiOS will ignore the packet's DF flag by encapsulating and encrypting it.

I have researched internally for similar situation and found a few known issues related to # set honor-df but on previous versions : 6.0. and 5.4

If you want to upgrade to 6.2.3 you will have to disable this option in order to avoid any error.
#37
justme
Re: FortiOS 6.2.3 is out 2020/02/04 11:15:35 (permalink)
0
Another ticket update... I suggested FGT should probably respond with ICMP Fragmentation Needed (Type 3, Code 4) instead of dropping the packet.. and guess what - it got the WaitGArelease status :) 
Here's the followup 
Currently there is interim build that has the fix, the fix should be available in 6.2.4, currently scheduled for April.
#38
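Added example, not part of any post above and not Fortinet code: a Python sketch of the egress decision discussed in posts #37 and #38 for a 1500-byte Ethernet link with 8 bytes of PPPoE overhead, including the ICMP Fragmentation Needed (Type 3, Code 4) reply laid out per RFC 1191 and the matching TCP MSS clamp. The function names, the sample packet and its documentation-range addresses are constructed for illustration.

```python
import struct

ETH_MTU = 1500                         # ordinary Ethernet link, as in the thread
PPPOE_OVERHEAD = 8                     # PPPoE overhead quoted in the thread
PPPOE_MTU = ETH_MTU - PPPOE_OVERHEAD   # largest IP packet the uplink can carry

def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum over an even- or odd-length buffer."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def clamp_mss(egress_mtu: int) -> int:
    """Largest TCP MSS that fits egress_mtu (20-byte IPv4 + 20-byte TCP header)."""
    return egress_mtu - 40

def frag_needed(ip_packet: bytes, next_hop_mtu: int) -> bytes:
    """ICMP type 3 code 4: unused(2), next-hop MTU(2), then the offending
    IP header plus the first 8 bytes of its payload (RFC 1191)."""
    ihl = (ip_packet[0] & 0x0F) * 4
    body = struct.pack("!HH", 0, next_hop_mtu) + ip_packet[:ihl + 8]
    csum = checksum(struct.pack("!BBH", 3, 4, 0) + body)
    return struct.pack("!BBH", 3, 4, csum) + body

def egress_decision(ip_packet: bytes, egress_mtu: int):
    """Return (action, icmp_reply_or_None) for an IPv4 packet leaving the uplink."""
    total_len, = struct.unpack("!H", ip_packet[2:4])
    flags_frag, = struct.unpack("!H", ip_packet[6:8])
    if total_len <= egress_mtu:
        return "forward", None
    if flags_frag & 0x4000:            # DF bit set: must not fragment
        return "drop+icmp", frag_needed(ip_packet, egress_mtu)
    return "fragment", None

def sample_packet(total_len: int, df: bool) -> bytes:
    """Constructed IPv4/TCP packet with zero payload; header checksum left at 0."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0x4000 if df else 0,
                      64, 6, 0, bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    return hdr + bytes(total_len - 20)
```

A 1500-byte IP packet is what Wireshark shows as a 1514-byte frame once the 14-byte Ethernet header is counted; with DF set it cannot cross the 1492-byte uplink, so the sender needs either the ICMP reply or an MSS of 1452 negotiated up front.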
tanr
Re: FortiOS 6.2.3 is out 2020/02/04 12:34:42 (permalink)
0
@justme, looks like this is the same as the MTU / ICMP issues described in https://www.reddit.com/r/fortinet/comments/eqpctk/fortios_622_to_623_fortigate_80e_poe/?
 
Did Fortinet say if the interim build actually has the full ICMP message handling fix, or if it is just a workaround as you describe above?
#39
justme
Re: FortiOS 6.2.3 is out 2020/02/04 12:41:22 (permalink)
0
@tanr unfortunately that's all I know. Pretty much pasted the essence of the ticket response.
#40