Alfred_Cruz
New Member
April 8, 2021
Question

FortiOS 7.0


Has anyone upgraded their firmware to version 7 yet?

2 replies

Markus
New Member
April 8, 2021
Yes, not in production, but in my home lab (from 6.4.5); no issues till now, everything working as before (so far)...

lobstercreed
New Member
April 12, 2021

I'm still not ready to do it even at home.  The early 6.4 releases kind of traumatized me, ha.  Any cool stuff you've found that would justify the upgrade?

Markus
New Member
April 12, 2021

No, just looking to try the Let's Encrypt feature so far.

SJFriedl
New Member
April 12, 2021

I've done this. I had an old FG 60D on my home network, replaced it with a 60F so jumped up to the latest 7.0 so I could start learning it and many of the more advanced features of FortiGate I'd never gotten around to.

Two things caused me some pain, most of which were probably my own fault, and may not necessarily be related to 7.0 (the 60D only ran up to 6.0).

First, I've been using IPv6 at home for a long time, my 60D didn't have the prefix delegation stuff in the GUI so I had done it all in the CLI. So doing it in the GUI I was able to set an impossible configuration that could never work, where the interface's IPv6 subnet and the SLAAC delegated subnet don't overlap. I get a /56 from my ISP so have a lot of /64 subnets to work with.

This would be like having your own IPv4 interface address and the default gateway not on the same subnet as determined by the mask.

Interface: VL6-INTERNAL (my internal VLAN)

IPv6 addressing mode: [Delegated]

IPv6 upstream prefix [wan1]

IPv6 subnet [::6:0:0:0:1/64]  <-- the "6" is the important part

Later in Stateless Address Auto-configuration (SLAAC):

IPv6 delegated prefix list [On]

Upstream interface [wan1]

subnet [0::/64] <-- this is wrong

I misread the last "subnet" part to be just a mask, so this generated incompatible addresses:

XXXX:XXXX:XXXX:XXXX /64 mask

                  v

2600:1111:1111:1106::1/64  <-- interface address

2600:1111:1111:1106::7/64  <-- valid delegated address

2600:1111:1111:1100::7/64  <-- invalid delegated address

The subnet of [0::/64] put a 0 in the lowest digit of the network part when it should have been a 6: I clearly did this wrong, but it seems that FortiGate should have noted that the SLAAC subnet didn't "fit" in the interface's subnet.

I should have put 0:0:0:6::/64 in the subnet part.

This would have saved me several hours plus a tech support call.

Second, I have a new FortiAP 221E running 6.0.x (the last one in the series). It would simply never go online until I upgraded it to 6.2 something. I'm sure this was documented somewhere, but I didn't see it and burned a LOT of time on it.

EDIT: I just found this thread https://forum.fortinet.com/tm.aspx?m=195451&tree=true that would have saved me a lot of time on the FortiAP thing. Sigh.
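
Added example (not part of SJFriedl's post and not Fortinet code): a pre-change check, using Python's standard `ipaddress` module, for the mismatch described in the post above, where the SLAAC subnet template yields a /64 that does not contain the interface's own address. It assumes the template's bits simply fill in below the delegated prefix, which reproduces the addresses in the post; the function names and the `2600:1111:1111:1100::/56` delegated prefix (inferred from the poster's masked sample addresses) are assumptions.

```python
import ipaddress


def apply_template(delegated, template):
    """Fill the bits below the delegated prefix with the template's bits.

    Assumed model of how a delegated prefix and a subnet template combine;
    it reproduces the addresses shown in the post.
    """
    pd = ipaddress.IPv6Network(delegated)
    tmpl = ipaddress.IPv6Interface(template)
    if tmpl.network.prefixlen < pd.prefixlen:
        raise ValueError(f"{template} is shorter than delegated {delegated}")
    low_bits = int(tmpl.ip) & int(pd.hostmask)
    addr = ipaddress.IPv6Address(int(pd.network_address) | low_bits)
    return ipaddress.IPv6Interface(f"{addr}/{tmpl.network.prefixlen}")


def check_slaac(delegated, iface_template, slaac_template):
    """Return (interface, advertised_prefix, ok); ok means the interface
    address is on-link for the prefix SLAAC clients will be given."""
    iface = apply_template(delegated, iface_template)
    advertised = apply_template(delegated, slaac_template).network
    return iface, advertised, iface.ip in advertised


# Sample values from the post; the /56 is inferred from its masked addresses.
DELEGATED = "2600:1111:1111:1100::/56"
IFACE_TEMPLATE = "::6:0:0:0:1/64"

if __name__ == "__main__":
    for slaac in ("0::/64", "0:0:0:6::/64"):
        iface, adv, ok = check_slaac(DELEGATED, IFACE_TEMPLATE, slaac)
        verdict = "OK" if ok else "MISMATCH"
        print(f"slaac={slaac:<14} iface={iface} advertised={adv} {verdict}")
```
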

Alfred_Cruz
New Member
April 12, 2021

Thanks, SJFriedl!