FortiOS 7.2.6 Published

Hello. Fortinet released FortiOS 7.2.6 two months ago. Although we in the IT department advocate that updates should not be made unless necessary, sometimes we like to go on an adventure. Below is the link to the PDF release notes listing everything that comes with the update; you can read and review it there.

https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/b136ebc0-528c-11ee-8e6d-fa163e15d75b/fortios-v7.2.6-release-notes.pdf

Let's get to the main issue. The biggest problem I ran into after the update was that the arp-reply setting no longer behaved correctly, and as a result I had problems with Virtual IPs and IP pools. I share an example of this below, quoted from another administrator's report.


I did some more troubleshooting and I can confirm that, when upgrading to 7.2.6 and disabling arp-reply, the FortiGate sends the traffic out the wrong interface. I am waiting to get my units reinstated under support so I can open a formal Fortinet ticket.

On 7.2.6 with arp-reply disabled on the virtual server, the FortiGate sends the traffic out the wrong interface, “ISP1”, when it should be “Wired LAN3”, as shown in the next capture.

(root) # diag sniffer packet any 'not host 100.99.200.99 and port 6443' 4 0 l

interfaces=[any]

filters=[not host 100.99.200.99 and port 6443]

2023-11-08 12:44:04.676138 ISP1 out 71.187.150.63.16892 -> 100.99.200.51.6443: syn 429098527

2023-11-08 12:44:04.676146 RED1 out 71.187.150.63.16892 -> 100.99.200.51.6443: syn 429098527

2023-11-08 12:44:04.676149 x1 out 71.187.150.63.16892 -> 100.99.200.51.6443: syn 429098527

This is the same capture on 7.2.5, which works with no issues. The FortiGate sends the traffic out the proper VLAN interface, “Wired LAN3”.

(root) # diag sniffer packet any 'not host 100.99.200.99 and not host 100.99.1.47 and port 6443' 4 0 l

interfaces=[any]

filters=[not host 100.99.200.99 and not host 100.99.1.47 and port 6443]

2023-11-08 13:35:09.873120 Wired LAN3 out 71.187.150.63.16667 -> 100.99.200.52.6443: syn 1119182175

2023-11-08 13:35:09.873128 RED1 out 71.187.150.63.16667 -> 100.99.200.52.6443: syn 1119182175

2023-11-08 13:35:09.873133 x1 out 71.187.150.63.16667 -> 100.99.200.52.6443: syn 1119182175

Setting arp-reply to enable on the virtual server while running 7.2.6 yields the following, and this does not work either:

(root) # diag sniffer packet any 'not host 100.99.200.99 and not host 100.99.1.47 and port 6443' 4 0 l

interfaces=[any]

filters=[not host 100.99.200.99 and not host 100.99.1.47 and port 6443]

2023-11-08 12:47:04.766145 root out 100.100.100.111.14829 -> 100.99.200.51.6443: syn 421732591

2023-11-08 12:47:04.766152 root in 100.100.100.111.14829 -> 100.99.200.51.6443: syn 421732591

This is for traffic sourced from the FortiGate (i.e. a private SDN connector) destined for a virtual server configured on the same unit (in a different VDOM), but it also applies to any traffic sourced from the FortiGate destined for a VIP/virtual server on the same unit.
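To make this comparison repeatable before and after an upgrade, here is an added example (my own illustration, not code from the original post or from the quoted forum reply) in Python. It parses verbosity-4 `diag sniffer packet` lines like the ones quoted above, lists the interfaces each flow was seen leaving, flags flows toward the VIP addresses whose first egress interface is not the one the pre-upgrade capture shows, and flags flows that only ever appear on the `root` pseudo-interface (the self-originated case in the last capture). The three sample captures are the lines quoted above, embedded as constructed input; the VIP address set, the expected interface name and all function names are assumptions made for the example.

```python
import re
from collections import defaultdict

# One verbosity-4 line of "diag sniffer packet" output looks like:
#   <date> <time> <interface> <in|out> <src>.<sport> -> <dst>.<dport>: <info>
# Interface names may contain spaces ("Wired LAN3"), so the interface field is
# matched lazily up to the direction word.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) "
    r"(?P<iface>.+?) (?P<dir>in|out) "
    r"(?P<src>\S+) -> (?P<dst>\S+): (?P<info>.*)$"
)

# Constructed sample input: the captures quoted in the post above.
CAPTURE_7_2_5 = """\
interfaces=[any]
filters=[not host 100.99.200.99 and not host 100.99.1.47 and port 6443]
2023-11-08 13:35:09.873120 Wired LAN3 out 71.187.150.63.16667 -> 100.99.200.52.6443: syn 1119182175
2023-11-08 13:35:09.873128 RED1 out 71.187.150.63.16667 -> 100.99.200.52.6443: syn 1119182175
2023-11-08 13:35:09.873133 x1 out 71.187.150.63.16667 -> 100.99.200.52.6443: syn 1119182175
"""

CAPTURE_7_2_6 = """\
2023-11-08 12:44:04.676138 ISP1 out 71.187.150.63.16892 -> 100.99.200.51.6443: syn 429098527
2023-11-08 12:44:04.676146 RED1 out 71.187.150.63.16892 -> 100.99.200.51.6443: syn 429098527
2023-11-08 12:44:04.676149 x1 out 71.187.150.63.16892 -> 100.99.200.51.6443: syn 429098527
"""

CAPTURE_7_2_6_ARP_ENABLED = """\
2023-11-08 12:47:04.766145 root out 100.100.100.111.14829 -> 100.99.200.51.6443: syn 421732591
2023-11-08 12:47:04.766152 root in 100.100.100.111.14829 -> 100.99.200.51.6443: syn 421732591
"""

# Assumed for the example: the VIP addresses under test and the interface the
# working (7.2.5) capture shows them leaving on.
VIP_ADDRS = {"100.99.200.51", "100.99.200.52"}
EXPECTED_IFACE = "Wired LAN3"


def split_endpoint(ep):
    """'100.99.200.51.6443' -> ('100.99.200.51', 6443); the port is the last dotted field."""
    host, _, port = ep.rpartition(".")
    return host, int(port)


def parse_sniffer(text):
    """Parse sniffer output into dicts; header lines (interfaces=, filters=) are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        src_ip, src_port = split_endpoint(m.group("src"))
        dst_ip, dst_port = split_endpoint(m.group("dst"))
        records.append({
            "ts": m.group("ts"), "iface": m.group("iface"), "dir": m.group("dir"),
            "src_ip": src_ip, "src_port": src_port,
            "dst_ip": dst_ip, "dst_port": dst_port, "info": m.group("info"),
        })
    return records


def egress_by_flow(records):
    """Map each (src_ip, src_port, dst_ip, dst_port) flow to the ordered list of
    interfaces on which 'out' copies were seen. With 'any', the same packet shows
    up once per interface it traverses; the first entry is the logical interface
    the quoted post uses to judge where the traffic went."""
    flows = defaultdict(list)
    for r in records:
        if r["dir"] == "out":
            key = (r["src_ip"], r["src_port"], r["dst_ip"], r["dst_port"])
            if r["iface"] not in flows[key]:
                flows[key].append(r["iface"])
    return dict(flows)


def check_egress(records, expected_iface, vip_addrs):
    """Return [(flow, first_egress_iface)] for flows to a VIP whose first 'out'
    interface differs from expected_iface. An empty list means the VIP traffic
    left the unit where the pre-upgrade capture says it should."""
    bad = []
    for flow, ifaces in egress_by_flow(records).items():
        if flow[2] in vip_addrs and ifaces[0] != expected_iface:
            bad.append((flow, ifaces[0]))
    return bad


def root_only_flows(records):
    """Flows seen only on the 'root' pseudo-interface and never on any other
    interface: self-originated traffic to a local VIP that is looped back inside
    the unit instead of being forwarded, as in the arp-reply-enabled capture."""
    seen = defaultdict(set)
    for r in records:
        seen[(r["src_ip"], r["src_port"], r["dst_ip"], r["dst_port"])].add(r["iface"])
    return [flow for flow, ifaces in seen.items() if ifaces == {"root"}]


if __name__ == "__main__":
    for label, cap in (("7.2.5", CAPTURE_7_2_5), ("7.2.6", CAPTURE_7_2_6),
                       ("7.2.6 arp-reply enabled", CAPTURE_7_2_6_ARP_ENABLED)):
        recs = parse_sniffer(cap)
        print(label, "egress:", egress_by_flow(recs))
        print("  wrong egress:", check_egress(recs, EXPECTED_IFACE, VIP_ADDRS))
        print("  root-only flows:", root_only_flows(recs))
```

Run the same sniffer filter on the unit before the upgrade, save the output, and feed both captures to `check_egress` with the interface the pre-upgrade run shows; a non-empty result is the symptom described above, and `root_only_flows` catches the self-originated variant that never reaches a real interface at all.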


After a week of searching for a solution, I had to revert to FortiOS 7.2.5.

If it's not necessary, don't update. And don't forget to take a backup first.

Good work, everyone.

Author: Ali Enis T.