![]() I was in contact with tech support and after several months they finally fixed it. ![]() With proxy-based SSL inspection there was a bug that the FG did not reply the complete certificate chain which broke everything with chained certificates. Proxy-based SSL inspection will completely terminate the SSL session on the FG (resulting in different cipher suites towards the client) while flow-based does some kind of "don't touch, only look" and tries to decrypt the passing stream without modifying it. Fingers crossed.ĭid you use flow-based or proxy-based SSL inspection? It mainly depends on which kind of AV you apply to that policy. Still testing some of our web filtering policies that previously worked better with flow-based vs proxy and vice versa, but so far everything seems stable and consistent. I had to chuckle a bit, as I was praising the FortiOS platform to a potential adopter the other week, but had to voice some frustration about the so-so log viewer performance. Reverse DNS is showing up consistently for sources and search results will no longer randomly come up empty. Log viewing has received a significant overhaul. I will properly investigate when time permits, but it's not a big issue for us now. ![]() These stopped working with 5.2.3 until I removed the SSL inspection object on them. We had a few policies which used an SSL inspection object with "protect SSL server" enabled. Search for fortios-v5.2.3-release-notes.pdf.įirst impressions after upgrading from 5.2.2 on a FortiGate 1000C with a few hundred policies and objects:įortiView received some performance refinements and searching is more consistent throughout. Just checked, and release notes are in the download directory. Those wishing not to upgrade the firmware can modify the affected firewall services to explicitly set the protocol-number to 0. ![]() Upon upgrading the FortiGate device, the firewall service protocol number is restored to 0. ![]() The most commonly observed impact of this change is that after upgrading to the affected firmware, the “ALL” service matches only TCP traffic.Įxecuting a factory-reset on the FortiGate device does NOT change the default value to 6.įortiOS v5.0.10 and v5.2.3 has fixed the issue. In FortiOS v5.0.8 and v5.0.9 and v5.2.0 through v5.2.2, the default value of the firewall service protocol number was changed from a value of 0 to 6. Subject: Firewall Service Protocol Number Change ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |