Upgrade latest FortiOS is really a good solution?

Question

Hello everyone,

I'm a newbie/newcomer with Fortinet's products.

Now I heard that upgrading to the latest version for FortiGate is not a recommendation. (from product supplier, not Fortinet)

Then, I'd like to find/check more details so what that really does mean.

I found that some points with Resolved/Known issues between the present and the newer version in Release Note

And I want to discuss detail here is related to some resolved CVEs' issues.

Here my discussing matter

・Currently using FortiOS version: 5.6.5

・I want to upgrade to version: 5.6.8

Although, I found that some CVEs (security related issues) that resolved on the 5.6.8 version of the Release Note.

But hold it on, when I reversely check on the CVE-2018-13371 (risk rather high) that written in Release Note of 5.6.8,

With the supported links: https://fortiguard.com/psirt/FG-IR-18-230

On the part [Affected products], I saw this "FortiOS version 5.6.7 and below"

so that means my FortiOS version is included either. And that made insecurity feeling now.

Therefore, I have some thoughts inside

[style="background-color: #ffffff;"]- If I upgrade to the latest version 5.6.8, it will be resolved the issue (but it's not a recommendation from the product supplier). I'm not much experience with Fortinet's products then it's not easy to make a decision.[/style]

[style="background-color: #ffffff;"]- If I do not, I do not know whether it will be a matter or not with the network system (the system run with Fortinet's product is about half of year without any notice/alert related to that security issue) [/style]

So, if someone who got this matter such as me, please help me to figure out or give me some advice on this matter!

Thank you for your help!

Best regards,

Takeshi

Toshi_Esumi · Accepted Answer

I don't know the Fortinet's service/support in Japan. But assuming you get every JP version of release notes. I would just check all release notes from 5.6.5 to 5.6.8, or to 5.6.9 just release with one vulnerability fix then especially pay attention to "known issues" with the last 5.6.8 and 5.6.9(I assume they're almost the same because .9 fixed only one item). Then none of them is close enough to how you use the FGT I would just go to 5.6.9. If you have some concern about any specific known issue, you can always open a ticket with TAC (in Japan?) to ask the condition it may occur. Even if you use that particular feature, it may never happen if the condition is very far from your usage.

Make sure you check the upgrade path. Looks like you need to get to 5.6.9 via 5.6.7 from 5.6.5.

By the way, since 6.2.0 is out now, 5.6.x is already two generations older than the latest major version. They may stop fixing minor issues in the near future (if not already). As a matter of fact, I've been waiting them to fix one GUI problem we're experiencing with 5.6.6. But still not in 5.6.9 and they keep saying they already fixed it with 6.0. That's why I decided to go to 6.0.5 next month for our core FGTs and currently testing it. Soon you need to consider that. To me going to 5.6.9 from 5.6.5 is relatively safe. You can also ask the "X-team" but probably get a similar answer.

Toshi_Esumi · Answer

I don't know the context you heard, but I think it meant "going to the latest 6.2.0 is not a good idea". If a vulnerability fix is just released, like 6.0.5, 5.6.9, and you're running 6.0.x or 5.6.x already, going to the latest of the major version is relatively safe. Or no other option if you're literally threaten by the vulnerability.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded