FortiOS 6.4.2 is out!


    James_G
    Gold Member
    • Total Posts : 247
    • Scores: 11
    • Reward points: 0
    • Joined: 2016/02/28 02:55:47
    • Status: offline
    Re: FortiOS 6.4.2 is out! 2020/07/30 14:12:51 (permalink)
    0
    Lots (and lots) of bug fixes, no landslide new features, comes with IPS engine 6.032 that is designed to reduce memory usage by 50% on IPS daemons. Need to get testing!
    #2
    Andy Bailey
    Silver Member
    • Total Posts : 90
    • Scores: 14
    • Reward points: 0
    • Joined: 2016/06/27 11:21:22
    • Status: offline
    Re: FortiOS 6.4.2 is out! 2020/07/30 17:02:58 (permalink)
    0
    Hi folks,
     
    I've pushed it out on a 60E.
     
    The immediate impact I have noticed is the drop in memory usage: 68% before upgrade (6.4.1) and 48% after upgrade (6.4.2). Same config, similar number of sessions before and after.
     
    There are a huge number of bug fixes and looks like improvements from the IPS engine as James_G suggests. So far looks like a good move forward.
     
    Kind Regards,
     
     
    Andy.
    #3
    Jirka
    Gold Member
    • Total Posts : 167
    • Scores: 7
    • Reward points: 0
    • Joined: 2014/07/09 11:34:53
    • Location: Czech Republic
    • Status: offline
    Re: FortiOS 6.4.2 is out! 2020/07/31 00:34:12 (permalink)
    0
    Hi guys,

    What is the recommended upgrade path? Can I go to 6.4.2 directly from 6.2.4?
    On the support portal, in the "Upgrade Path" section, version 6.4.2 is missing.

    Thanks
    Jirka
    #4
    TheJaeene
    Silver Member
    • Total Posts : 113
    • Scores: 10
    • Reward points: 0
    • Joined: 2010/01/06 00:56:49
    • Status: offline
    Re: FortiOS 6.4.2 is out! 2020/07/31 02:32:53 (permalink)
    0
    AAAAARGHHHHHH!!!!! FORTINET WHAT ARE YOU DOING!??!?
     
    After upgrading my Lab 81E-PoE from 6.4.1 to 6.4.2 the hostapd daemon keeps crashing.

     
    Edit: WPA3 SAE SSIDs will crash the hostapd process every time a WPA3 client tries to connect. Strangely when using WPA3 SAE Transition on the SSID the process does not crash, although the client connects via WPA3.
     
    Fortinet: FIX IT!!!!! What happened to your QC?
    post edited by TheJaeene - 2020/07/31 22:07:48
    #5
    thuynh_FTNT
    Silver Member
    • Total Posts : 65
    • Scores: -2
    • Reward points: 0
    • Joined: 2014/02/05 09:30:09
    • Status: offline
    Re: FortiOS 6.4.2 is out! 2020/08/17 15:08:41 (permalink)
    0
    Edit: WPA3 SAE SSIDs will crash the hostapd process every time a WPA3 client tries to connect. Strangely when using WPA3 SAE Transition on the SSID the process does not crash, although the client connects via WPA3.

    Hi there, sorry for the trouble and thank you for reporting the issue. We were able to track down the issue and fixed it for the next release. We'll update our Release Note to reflect this as well.
     
    Tri
    #6
    PeterK
    New Member
    • Total Posts : 19
    • Scores: 2
    • Reward points: 0
    • Joined: 2018/01/24 08:55:45
    • Status: offline
    Re: FortiOS 6.4.2 is out! 2020/08/18 03:09:15 (permalink)
    0
    We are currently on 6.0.9 and looking to upgrade.  Need to be able to wildcard policies which is in versions 6.2.2 and above.  Thinking of doing a double firmware jump up to 6.4.2.  Worried as this is our production environment in a hospital and would normally jump to higher revision of the previous firmware branch.  However the 6.2.x range seems to have had awful reviews, especially 6.2.4.
     
    On the whole 6.4.x in general seems to be a lot better reviewed than previous branches.  On the whole would people recommend this firmware despite still being in an early release?  If we do a double jump though we will not be able to downgrade the standard way of switching partitions.  But if we are going to upgrade I cannot see the benefits of moving to 6.2.x.  I assume 6.4.x has been released so close to it due to issues with that branch.
     
    #7
    James_G
    Gold Member
    • Total Posts : 247
    • Scores: 11
    • Reward points: 0
    • Joined: 2016/02/28 02:55:47
    • Status: offline
    Re: FortiOS 6.4.2 is out! 2020/08/18 03:36:16 (permalink)
    0
    peterkoszarek@nhs.net
    We are currently on 6.0.9 and looking to upgrade.  Need to be able to wildcard policies which is in versions 6.2.2 and above.  Thinking of doing a double firmware jump up to 6.4.2.  Worried as this is our production environment in a hospital and would normally jump to higher revision of the previous firmware branch.  However the 6.2.x range seems to have had awful reviews, especially 6.2.4.
     
    On the whole 6.4.x in general seems to be a lot better reviewed than previous branches.  On the whole would people recommend this firmware despite still being in an early release?  If we do a double jump though we will not be able to downgrade the standard way of switching partitions.  But if we are going to upgrade I cannot see the benefits of moving to 6.2.x.  I assume 6.4.x has been released so close to it due to issues with that branch.
     


    I think 6.4.2 is better than 6.2.4, but possibly neither is ideal.
     
    Be careful about the wildcard policies, they might not work as you expect, they don't work for all traffic
    #8
    PeterK
    New Member
    • Total Posts : 19
    • Scores: 2
    • Reward points: 0
    • Joined: 2018/01/24 08:55:45
    • Status: offline
    Re: FortiOS 6.4.2 is out! 2020/08/18 03:43:09 (permalink)
    0
    Thanks, unfortunately Microsoft have listed some wildcards so need to try but they are messy then can often negate other policies.
    #9
    James_G
    Gold Member
    • Total Posts : 247
    • Scores: 11
    • Reward points: 0
    • Joined: 2016/02/28 02:55:47
    • Status: offline
    Re: FortiOS 6.4.2 is out! 2020/08/18 06:11:36 (permalink)
    0
    Have you looked into ISDB entries - we had some success with them for MS sources / destinations.
    #10
    PeterK
    New Member
    • Total Posts : 19
    • Scores: 2
    • Reward points: 0
    • Joined: 2018/01/24 08:55:45
    • Status: offline
    Re: FortiOS 6.4.2 is out! 2020/09/09 06:51:16 (permalink)
    0
    May have to although hate you cannot see what is being defined in them or control the ports.  Makes it difficult if you have done part of the config through published documentation.  Thanks for the suggestion.
     
    Was hoping more would have left feedback on this firmware by now.  Hesitant to move up to 6.2 as has had some awful problems but this is still so recent hesitant on something that may still require a lot more patching although have not seen many negative comments on it either and people tend to moan if there are issues.
    #11
    M.M.SW
    Bronze Member
    • Total Posts : 40
    • Scores: 2
    • Reward points: 0
    • Joined: 2012/12/20 19:50:24
    • Status: offline
    Re: FortiOS 6.4.2 is out! 2020/09/09 21:18:13 (permalink)
    0
     
    We found some problems in the use of OS6.4.2
    Especially the use of Ban IP in FortiView
    Because the search function is cancelled in FortiView
    So it is extremely difficult to find a specific IP and give it a ban ip
    If you use the function of Indicators of Compromise Service
    You can even isolate its MAC and not block IP
     
    There are also settings for SSL/SSH inspection
    As long as you don’t use the built-in profiles
    Other self-defined profiles are more or less problematic in use
     
    Does anyone have a good solution?
     
    #12
    thuynh_FTNT
    Silver Member
    • Total Posts : 65
    • Scores: -2
    • Reward points: 0
    • Joined: 2014/02/05 09:30:09
    • Status: offline
    Re: FortiOS 6.4.2 is out! 2020/09/14 19:07:32 (permalink)
    0
    M.M.SW
     
    We found some problems in the use of OS6.4.2
    Especially the use of Ban IP in FortiView
    Because the search function is cancelled in FortiView
    So it is extremely difficult to find a specific IP and give it a ban ip
    If you use the function of Indicators of Compromise Service
    You can even isolate its MAC and not block IP
     
    There are also settings for SSL/SSH inspection
    As long as you don’t use the built-in profiles
    Other self-defined profiles are more or less problematic in use
     
    Does anyone have a good solution?


    Hi there, thank you for your report.

    For banning an IP, you can also do it via Log pages > Search for the device IP, then hover over the device MAC > Tooltip pop up and there is a Ban IP action there. This Ban IP action is available on any page that has device tooltip.

    FYI we will be adding back support for searching for FortiView in a future version.
    #13
    M.M.SW
    Bronze Member
    • Total Posts : 40
    • Scores: 2
    • Reward points: 0
    • Joined: 2012/12/20 19:50:24
    • Status: offline
    Re: FortiOS 6.4.2 is out! 2020/09/14 21:04:39 (permalink)
    0
     
    Thank you thuynh for your reply
     
    In fact, we found that if the device is connected to FortiSwitch or FortiAP
    In the LOG record, only quarantine host can be done but not IP banning
    If it is not connected to the FortiSwitch or FortiAP device
    Banning an IP can be executed by following the steps you described.
    Isn't this weird?
     
    I can only look forward to replying to the original FortiView ban IP function as soon as possible.
    #14
    thuynh_FTNT
    Silver Member
    • Total Posts : 65
    • Scores: -2
    • Reward points: 0
    • Joined: 2014/02/05 09:30:09
    • Status: offline
    Re: FortiOS 6.4.2 is out! 2020/09/14 21:37:10 (permalink)
    0
    M.M.SW
    Thank you thuynh for your reply
     
    In fact, we found that if the device is connected to FortiSwitch or FortiAP
    In the LOG record, only quarantine host can be done but not IP banning
    If it is not connected to the FortiSwitch or FortiAP device
    Banning an IP can be executed by following the steps you described.
    Isn't this weird?
     
    I can only look forward to replying to the original FortiView ban IP function as soon as possible.



    The FortiSwitch and FortiAP case is intentional as we recommend quarantine MAC (layer 2) over ban-ip (layer 3). However, we can review this behaviour if ban-ip is still desired in this case.
     
    Another workaround you can do is to find the device in the following pages and ban-ip from there
    - User & Device dashboard - Device Inventory widget, tooltip action on each entry
    - From the above page, you can also right click on the device and find it in FortiView/Log and perform the action there. This can serve as a FortiView search workaround for now.
    - WiFi Dashboard - WiFi Client (for device behind FortiAP)
    - FortiSwitch client (for device behind FortiSwitch)
    - User & Device dashboard - Quarantine widget (all quarantined devices should show here and you can also ban-ip them)
    #15
    M.M.SW
    Bronze Member
    • Total Posts : 40
    • Scores: 2
    • Reward points: 0
    • Joined: 2012/12/20 19:50:24
    • Status: offline
    Re: FortiOS 6.4.2 is out! 2020/09/14 22:57:49 (permalink)
    0
     
    Thank you thuynh for your reply again
     
    I will try the operation method you provide
    For some reasons we can only use Ban IP
    But because there are hundreds of devices
    I still hope that the previous management method is better
    Thank you anyway!
     
     
    #16