Failure of secondary WAN IP for admin access
There is an issue with firmware version 5.2.4 that affects a very specific configuration. In dual-WAN setups, after upgrading to FortiOS 5.2.4 the secondary WAN IP can no longer be used for administrative HTTPS access or SSL-VPN. Ping, and VIPs that use the second WAN as their external interface, continue to work.
Packets are correctly delivered to the second WAN IP address, but the reply is sent out through the other WAN interface, so the session never completes.
Most installations will not be affected by this, but the upgrade path table has been modified to skip 5.2.4 so as to rule out any possible impact.
Loss of secondary IP address for everyone
Similar to the above issue of losing admin access through a secondary IP address, there is a more significant case in which the secondary IP addresses themselves are lost. At one point, a number of the upgrade paths to the 5.4 firmware went through 5.4.0. This worked well enough until the system was then upgraded to 5.4.1, at which point any secondary IP addresses configured on the interfaces were lost. The problem does not occur when going directly from a 5.2.x version to 5.4.1, so the tables were changed to bypass 5.4.0. That is not possible if you are already on 5.4.0, so if you do upgrade from 5.4.0 to a more recent version, record every secondary IP address on every interface beforehand so that they can be added back manually after the upgrade.
Changing of Category Numbers
When looking at the FortiGuard Web Filter categories or Application Control categories in the GUI, we see names that indicate what they refer to. In the firmware code, however, these categories are referenced by an integer, not a text string. Periodically the list of categories changes, growing or shrinking, and when it does, the integer values of the objects in that list change with it. If your policies are such that everything is wide open, you are not likely to see an issue. However, if there are carefully crafted restrictions in place.
Web filter category removal and FortiManager
Sometimes an issue in the upgrade process will not affect the FortiGate itself but will affect one of the other devices that connects to the FortiGate. This issue is similar to the changing category numbers issue above, but it differs in that it affects the FortiManager rather than the FortiGate.
Instead of a category's number changing, in this instance a category was removed from the list of categories entirely. Firmware upgrades developed soon after the removal of the category sanitized the configuration file, and later firmware versions simply ignore the category if it is left in the configuration file. An upgrade from 4.3.18 to 5.0.12 may therefore leave the category in place, which does not affect the FortiGate. However, if a FortiManager running a current version of its firmware tries to work with a configuration file that still contains the removed category, an error message is triggered.
To determine whether your FortiGate configuration may cause this problem on the FortiManager later on, run this simple check.
1. Save your configuration file to your hard drive
2. Open it in your favorite text or code editor.
3. Go to the “config webfilter profile” section.
4. Check to see whether any of the web filter profiles are set to perform an action on category 32 or, if you are feeling lazy, do a text search for "set category 32" (a plain substring search also matches longer numbers that begin with 32, so confirm each hit is exactly category 32).
If you find a reference to category 32 and you have already upgraded past FortiOS 4.3.18, go into your configuration using the CLI, remove every reference to category 32, and then follow the upgrade path below as closely as possible.
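The check above, and the earlier reminder to record secondary IP addresses before leaving 5.4.0, both amount to walking a saved FortiOS configuration file and pulling specific settings out of the right nested block. The script below is an added example for this guide, not Fortinet's code: it parses the config/edit/set/next/end block structure, reports web filter profile filter entries that reference a given category (matching whole tokens, so a search for 32 does not hit 320, and only inside "config webfilter profile", so application-control entries that also use "set category" are not reported), and lists secondary IPs per interface. It assumes that a filter entry records its category as "set category <n>" and that secondary addresses live under "config secondaryip" as "set ip <addr> <mask>"; SAMPLE_CONFIG is constructed for the demonstration, so verify the nesting against your own file.

```python
"""Added example for this guide, not Fortinet's code: walk a saved FortiOS config and
report (a) webfilter profile filters referencing a category and (b) secondary IPs on
interfaces. Assumes FortiOS config/edit/set/next/end block syntax, 'set category <n>'
inside a profile's filter entries, and 'config secondaryip' holding 'set ip <addr> <mask>'.
SAMPLE_CONFIG is constructed for the demo; verify the nesting against your own file."""
import shlex

SAMPLE_CONFIG = """\
config system interface
    edit "wan2"
        set ip 198.51.100.2 255.255.255.0
        set secondary-IP enable
        config secondaryip
            edit 1
                set ip 198.51.100.3 255.255.255.0
                set allowaccess ping https
            next
        end
    next
end
config webfilter profile
    edit "default"
        set comment "Default web filtering."
        config ftgd-wf
            config filters
                edit 1
                    set category 320
                    set action block
                next
                edit 2
                    set category 32
                    set action warning
                next
            end
        end
    next
end
config application list
    edit "default"
        config entries
            edit 1
                set category 32
            next
        end
    next
end
"""

def walk_settings(config_text):
    """Yield (line_no, path, args) for each 'set' line; path lists the enclosing blocks,
    outermost first, as ('config', 'webfilter profile') / ('edit', 'default') tuples."""
    stack = []
    for line_no, raw in enumerate(config_text.splitlines(), 1):
        try:
            tokens = shlex.split(raw)
        except ValueError:                 # unbalanced quote in a free-text field
            tokens = raw.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        kw = tokens[0]
        if kw == "config":
            stack.append(("config", " ".join(tokens[1:])))
        elif kw == "edit":
            stack.append(("edit", tokens[1] if len(tokens) > 1 else ""))
        elif kw in ("next", "end"):        # next closes an edit, end closes a config
            want = "edit" if kw == "next" else "config"
            while stack and stack.pop()[0] != want:
                pass
        elif kw == "set" and len(tokens) > 1:
            yield line_no, list(stack), tokens[1:]

def find_category_refs(config_text, category="32"):
    """Webfilter profile filter entries whose 'set category' lists `category`. Matching is
    on whole tokens ('32' does not hit '320') and only inside 'config webfilter profile',
    so application-control entries that also use 'set category' are not reported."""
    hits = []
    for line_no, path, args in walk_settings(config_text):
        if args[0] == "category" and category in args[1:] and ("config", "webfilter profile") in path:
            profile = next((n for k, n in path if k == "edit"), "?")
            hits.append({"profile": profile, "filter": path[-1][1], "line": line_no})
    return hits

def find_secondary_ips(config_text):
    """Secondary addresses under 'config secondaryip' on an interface, to write down before
    leaving 5.4.0 and re-enter by hand afterwards."""
    found = []
    for line_no, path, args in walk_settings(config_text):
        if args[0] == "ip" and len(args) >= 3 and ("config", "secondaryip") in path:
            iface = next((n for k, n in path if k == "edit"), "?")
            found.append({"interface": iface, "id": path[-1][1], "ip": args[1], "mask": args[2]})
    return found

if __name__ == "__main__":
    for h in find_category_refs(SAMPLE_CONFIG):
        print(f"line {h['line']}: profile {h['profile']!r} filter {h['filter']} -> category 32")
    for s in find_secondary_ips(SAMPLE_CONFIG):
        print(f"{s['interface']} secondaryip {s['id']}: {s['ip']} {s['mask']}")
```

To run it against a real backup, replace SAMPLE_CONFIG with the contents of the saved configuration file (for example `open("fortigate.conf").read()`); the reported line numbers then refer to that file, and each hit names the profile and filter entry to remove in the CLI.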
To completely remove the chance of this affecting the FortiManager, use the following path when upgrading the FortiGate:
4.3.18 > 5.0.2 > 5.0.4 > 5.0.6 > 5.0.10
There appear to be a large number of intermediate steps at which the sanitizing of the configuration file takes place. This is because references to the category were not removed all at once: it first disappeared from the GUI, and then from various points within the CLI and the firmware code.
After reaching 5.0.10, proceed as normal.
This path was not added to the main table as it is a somewhat isolated case.