FortiOS 6.4.1 is out

Magnitude 8
New Member
  • Total Posts : 7
  • Scores: 0
  • Reward points: 0
  • Joined: 2020/01/23 16:27:06
  • Status: offline
Re: FortiOS 6.4.1 is out 2020/07/07 05:16:57 (permalink)
0
I don't think there were any policies with SD-WAN members before the upgrade (is that even possible when they are members of an SD-WAN?). However, I would have used VIPs on individual members. Could that be the cause of the issue?
 
Sorry, I'm not in a position to share the config in this case.
#21
owla
New Member
  • Total Posts : 9
  • Scores: 0
  • Reward points: 0
  • Joined: 2020/07/06 21:57:16
  • Status: offline
Re: FortiOS 6.4.1 is out 2020/07/07 15:54:21 (permalink)
0
We didn't have individual SD-WAN members in firewall policies either. But you are right, we used the members in VIPs as well, and I remember that after the upgrade the VIPs had warning signs.
post edited by owla - 2020/07/07 16:03:09
#22
owla
New Member
  • Total Posts : 9
  • Scores: 0
  • Reward points: 0
  • Joined: 2020/07/06 21:57:16
  • Status: offline
Re: FortiOS 6.4.1 is out 2020/07/07 16:59:45 (permalink)
0
We had one more issue with 6.4.1.
All firewall policies with Flow-based Inspection mode had warning signs: You can not use inspection mode with current settings. We didn't find the cause of those messages (probably there are new requirements for flow-based mode).
There are no such messages in 6.4.2.  6.2.4
 
post edited by owla - 2020/07/13 21:29:24
#23
seadave
Expert Member
  • Total Posts : 359
  • Scores: 56
  • Reward points: 0
  • Joined: 2004/11/03 18:02:09
  • Location: Seattle, WA
  • Status: offline
Re: FortiOS 6.4.1 is out 2020/07/07 17:09:49 (permalink)
0
owla
We had one more issue with 6.4.1.
All firewall policies with Flow-based Inspection mode had warning signs: You can not use inspection mode with current settings. We didn't find the cause of those messages (probably there are new requirements for flow-based mode).
There are no such messages in 6.4.2.
 


Do you mean 6.2.4?  I don't see 6.4.2 released unless you are beta testing?
#24
seadave
Expert Member
  • Total Posts : 359
  • Scores: 56
  • Reward points: 0
  • Joined: 2004/11/03 18:02:09
  • Location: Seattle, WA
  • Status: offline
Re: FortiOS 6.4.1 is out 2020/07/07 17:11:53 (permalink)
0
One other point of note: I assume you upgraded from 6.2.4 to 6.4.0 and then 6.4.1?  Going from 6.2.4 to 6.4.1 isn't supported if I recall.  I just took a 500D from 5.6.4 to 6.4.1 (going to 6.4.0 first was part of the process) and it is running fine, but we are only using it as a one-arm sniffer without any other policies, so the config is very simple.
 
#25
owla
New Member
  • Total Posts : 9
  • Scores: 0
  • Reward points: 0
  • Joined: 2020/07/06 21:57:16
  • Status: offline
Re: FortiOS 6.4.1 is out 2020/07/07 19:37:49 (permalink)
0
Sorry, of course to 6.2.4 (roll back)
#26
owla
New Member
  • Total Posts : 9
  • Scores: 0
  • Reward points: 0
  • Joined: 2020/07/06 21:57:16
  • Status: offline
Re: FortiOS 6.4.1 is out 2020/07/07 19:43:45 (permalink)
0
We followed the update path 6.2.4 -> 6.4.0 -> 6.4.1
 
Our config is complicated. A couple of extra VDOMs, SD-WAN, VPN, VIPs, Explicit proxy, 100 firewall rules, deep inspection....
We would like to use the new version 6.4.1 because there is a new feature, 'Upstream proxy authentication in transparent proxy mode'.
#27
seadave
Expert Member
  • Total Posts : 359
  • Scores: 56
  • Reward points: 0
  • Joined: 2004/11/03 18:02:09
  • Location: Seattle, WA
  • Status: offline
Re: FortiOS 6.4.1 is out 2020/07/08 08:59:17 (permalink)
0
Ah.  Yes, I appreciate the complexity now.  Good on you for having a good backup so you could revert.  Far too few folks keep that option viable due to their processes.  Last year we migrated from 500D to 501E.  We used the script import section to import our rules and policies with updated interface names.  It was a lot of work but got us to a stable config.  You have to think through the logical dependencies for it to work.  Configure interfaces, then addresses, then security policies, and finally firewall rules.  It is tricky but it worked after some false starts. 
 
One other suggestion is after each upgrade have the console online with a laptop via serial so you can watch the process.  Use the diag debug config-error-log read to see what it indicates didn't convert properly or is a source of error.  One other thing I've done in the past is keep a pre-upgrade config and a post-upgrade config and use a diff feature such as Notepad++ or Sublime Editor to look for the differences.  Can help pinpoint the problem.
#28
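The pre/post-upgrade config comparison suggested in post #28, as an added example that is not part of the original thread or any Fortinet tool. It keys every `set` line by its enclosing `config`/`edit` path, so a policy whose interface was moved into an upgrade zone shows up as one changed setting. `PRE`, `POST` and the function names are constructed for illustration, and single-line `set` values are assumed.

```python
def parse_fortios(text):
    """Flatten a FortiOS backup into {(section path..., key): value}."""
    settings, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # skip blanks and the #config-version header
            continue
        word, _, rest = line.partition(" ")
        if word in ("config", "edit"):
            stack.append(f"{word} {rest}")      # descend into a table or an entry
        elif word in ("next", "end"):
            if stack:
                stack.pop()                     # leave the entry or table
        elif word == "set":
            key, _, value = rest.partition(" ")
            settings[tuple(stack) + (key,)] = value
    return settings

def diff_configs(before, after):
    """Return (kind, path, old, new) for every setting that differs."""
    old, new = parse_fortios(before), parse_fortios(after)
    changes = []
    for path in sorted(old.keys() | new.keys()):
        a, b = old.get(path), new.get(path)
        if a != b:
            kind = "added" if a is None else "removed" if b is None else "changed"
            changes.append((kind, " / ".join(path), a, b))
    return changes

# Constructed sample backups (not taken from any real device).
PRE = """config firewall policy
    edit 1
        set srcintf "lan"
        set dstintf "virtual-wan-link"
    next
    edit 2
        set srcintf "wan1"
        set dstintf "dmz"
    next
end
"""
POST = PRE.replace('set srcintf "wan1"', 'set srcintf "upg-zone-wan1"')

if __name__ == "__main__":
    for kind, path, a, b in diff_configs(PRE, POST):
        print(f"{kind}: {path}: {a} -> {b}")
```

Values are compared as raw text, so a multi-line quoted value (a certificate, for example) would need a fuller parser.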
JollyJohn
New Member
  • Total Posts : 1
  • Scores: 0
  • Reward points: 0
  • Joined: 2017/08/20 18:13:33
  • Status: offline
Re: FortiOS 6.4.1 is out 2020/07/09 00:34:16 (permalink)
0
@bommi I'm running v6.4.1 build1637 (GA) on two 60E-DSL units. One has 2x 128POE switches, the other has 1x AP221. So far so good. Everything came up, though I elected to config from scratch. The GUI is nicer and more responsive. After about a week the only issue I've really hit is about not being able to create address objects - just doesn't work through the GUI. Tonight I'll try CLI and see if I can figure out what's happening. 
Tomorrow I'll be adding 3 more APs and on Monday we get about 60 users starting. Fingers crossed!
#29
thuynh_FTNT
Silver Member
  • Total Posts : 62
  • Scores: -2
  • Reward points: 0
  • Joined: 2014/02/05 09:30:09
  • Status: offline
Re: FortiOS 6.4.1 is out 2020/07/10 14:27:29 (permalink)
0
owla
Same happened with SD-WAN. 
2 member interfaces belong to virtual-wan-link and 1 member interface moved to upg-zone-wan1 after the upgrade to 6.4.1.
I moved 1 member interface from upg-zone-wan1 to virtual-wan-link and had to update all firewall policies (deleted upg-zone-wan1), and Interface Pair View is OK now.
But there are still some more small issues:
- CLI from GUI doesn't work (lost connection).
- 'Firewall User Monitor' doesn't show 'User Group' for 'Radius Single Sign-on users' (RSSO works but just doesn't show the name of the 'User Group')
 
Decided to roll back to 6.2.4 and wait for the next update.


Thanks owla for the update. The CLI console and RSSO issue should be fixed in the next release.
#30
thuynh_FTNT
Silver Member
  • Total Posts : 62
  • Scores: -2
  • Reward points: 0
  • Joined: 2014/02/05 09:30:09
  • Status: offline
Re: FortiOS 6.4.1 is out 2020/07/10 14:33:45 (permalink)
0
Magnitude 8
I don't think there were any policies with SD-WAN members before the upgrade (is that even possible when they are members of an SD-WAN?). However, I would have used VIPs on individual members. Could that be the cause of the issue?
 
Sorry, I'm not in a position to share the config in this case.


Yes, we do allow using an individual SD WAN member in a firewall policy in 6.4.0. However, that design is now converted to an SD WAN zone in 6.4.1.
 
Having an inactive VIP on your member interface should not trigger the zone separation. But if the VIP is being used in a policy, this means your policy must have used the member interface since the VIP depends on it, and then the member interface will be put in a separate zone. Also worth noting that this is for all policy types, not just IPv4 Firewall.

If you still think your SD WAN member should not be put in a separate Zone automatically, please report it to customer service so we can properly follow up on your case there.
#31
thuynh_FTNT
Silver Member
  • Total Posts : 62
  • Scores: -2
  • Reward points: 0
  • Joined: 2014/02/05 09:30:09
  • Status: offline
Re: FortiOS 6.4.1 is out 2020/07/10 14:36:46 (permalink)
0
owla
We had one more issue with 6.4.1.
All firewall policies with Flow-based Inspection mode had warning signs: You can not use inspection mode with current settings. We didn't find the cause of those messages (probably there are new requirements for flow-based mode).
There are no such messages in 6.4.2.


Can you provide a screenshot? In 6.4.1, we added a warning message for mismatched features between a flow-based policy and a proxy-based UTM profile. For example, if your policy is flow-based, but it uses a proxy-based UTM profile, then some proxy features will not work, and we'll highlight them.
#32
Raudi
Bronze Member
  • Total Posts : 49
  • Scores: 0
  • Reward points: 0
  • Joined: 2018/04/01 14:01:53
  • Location: Germany
  • Status: offline
Re: FortiOS 6.4.1 is out 2020/07/11 06:22:34 (permalink)
0
Yesterday I had an issue with 6.4.1 too: after 24 days in my home office my internet access was gone, so I logged in to the 100E and the device showed "conserve mode".
 
I did a little research and all the memory was used by "480" tasks with the name "node".
 
Now after a reboot the memory usage is slowly going straight up, so I think in a few days I must reboot the device again. At the moment I have 186 of the "node" tasks, and every few minutes I can count one more...
post edited by Raudi - 2020/07/11 06:32:29
#33
Jordan_Thompson_FTNT
optimizzz
  • Total Posts : 487
  • Scores: 18
  • Reward points: 0
  • Joined: 2011/10/17 21:30:20
  • Location: Canada
  • Status: offline
Re: FortiOS 6.4.1 is out 2020/07/13 09:36:44 (permalink) Helpful by Raudi 2020/07/14 01:14:16
0
Raudi
Yesterday I had an issue with 6.4.1 too: after 24 days in my home office my internet access was gone, so I logged in to the 100E and the device showed "conserve mode".
 
I did a little research and all the memory was used by "480" tasks with the name "node".
 
Now after a reboot the memory usage is slowly going straight up, so I think in a few days I must reboot the device again. At the moment I have 186 of the "node" tasks, and every few minutes I can count one more...


 
Thanks for the report. We are working on a fix for this issue for 6.4.2.
#34
Raudi
Bronze Member
  • Total Posts : 49
  • Scores: 0
  • Reward points: 0
  • Joined: 2018/04/01 14:01:53
  • Location: Germany
  • Status: offline
Re: FortiOS 6.4.1 is out 2020/08/01 04:54:28 (permalink)
0
Looks better now: after a few hours with 6.4.2 running, still only one "node" process.
#35