jason2
New Member
April 10, 2020
Solved

what version of fortios should I run?

I am currently running 5.6.12 on my 100D.  Now that 6.4 is out, even if it is not for the 100D, I am wondering is it time to upgrade to 6.0.9?  or is 6.2.3 better?  I would follow the upgrade path.  I have read about some memory leak issues in the 6.x series, are they fixed in 6.0.9 and/or 6.2.3 or do I have to contact support to get the latest IPS engine?  IPsec VPNs are a big thing for me so I need stability for that.  My fortigate connects via fortigate to fotigate VPN to a unit running 5.6.10 I think.  I have no control that unit.  Would there be any problems with connecting from a 6.2.3 to a 5.6.10 unit?

    Best answer by nsantin (New Member, April 10, 2020)

    I upgraded my 100D HA cluster (Firewall, BGP Routing, VPN, IDS) to 6.0.9 from 5.6.12 and it was probably one of the smoothest upgrades I've seen in 15 years of using FGTs.

    5.6.12 has a critical bug with link monitoring, so if you're using multi links you may want to upgrade just for that. See my thread here: https://forum.fortinet.com/tm.aspx?m=182995

    Also, there are some known CVEs in 5.6.12 that apparently will not be fixed in the 5.6 branch.

    There is some discussion about an issue with RDP over SSL-VPN that was in 6.0.8 and MAY be fixed in 6.0.9; the bug is no longer in the most recent release notes (either existing or resolved), so the theory is it was "unofficially fixed". I haven't seen any issues with it.

    There are no issues with IPsec VPN, and I too have a BO tunnel back to a 5.6 box (no issues) and some Ciscos (no issues).


    ede_pfau
    SuperUser
    April 10, 2020

    First off, "if it ain't broke, don't fix it". That is, if your FGT runs OK, I wouldn't upgrade it.

    Second, v5.6 is still supported until 2021 whereas if you used v5.4 it was about time to upgrade, no choice.

    Third, if you decide you'd have to upgrade then IMHO better go with v6.0 than v6.2. Skip the first 4-5 patches of any new major line.

     

    There haven't been any complaints about IPsec VPN with v6.0, and I'm using it daily on several FGTs. Yet, if you use IPS...see "First".

    Just my 2 cents.

    emnoc
    New Member
    April 10, 2020

    It depends. You upgrade due to:

    - security risk
    - new features
    - known bugs and the remedy for them...
    - CPU/MEM issues and fixes within a later version...
    - etc.

    Ede did a great job in his explanation, but to add to it: I run 6.4 at my home because it is new and I want to get a feel for it. I just did a FGT100E and we ran 6.2.3 in a production env. It was previously on 6.0.8. In both cases the reason why we upgraded and the version selected depends on that env.

    In some cases with a new hardware deployment, you want to upgrade immediately because the shipped model is on some older rev.

    e.g. a FGT51 shipped with 6.0.2 and the latest version available is 6.0.9.

    So many reasons can exist, and your env really mandates whether you need to update and to what version. I never would run a bleeding edge version if it has not had 2 or 3 maintenance fixes. The 1st version of any release needs some time to mature and to shake out any problems, and especially with FortiOS.

    TIP: It's also wise to make a backup before the upgrade and at every intermediate version along the way to the target and final version.

    TIP: If you're on one release, it's wise to be within 1-2 of the latest maintenance release for that train.

    e.g. FortiOS 6.0.8-6.0.9 would be okay, 6.0.2 would not be wise.
         FortiOS 6.2.2-6.2.3 would be okay, 6.2.0 would not be wise.

    Ken Felix

    jason2 (Author)
    New Member
    April 16, 2020

    I am a believer in "if it ain't broke, don't fix it", but I don't want to get too far behind either.  I didn't know there is a lifespan on the firmware.  Where can I find that document?

    I would only switch to 6.0.9 or 6.2.3, following the upgrade path.  I think 6.0.9 is the safer option.  I always back up my configuration before an upgrade and after.  I am not going to jump to any firmware that is less than 6.x.4 unless I have no choice.  Where can I find out about what CVEs are fixed in 6.0.9 but not 5.6.13?

    mbi_support
    New Member
    August 25, 2021

    I realize this is quite an old thread, but I've seen this question asked a few times and figured I'd add a quick answer for those that might possibly search and find this thread.

    In general, FortiGate firmware branches are supported for 54 months. The clock starts at general availability. New branches are typically released annually.

    Example:

    Version   Release Date (GA)   End of Support Date (EOS)
    5.6       2017-03-30          2021-09-30
    6.0       2018-03-29          2022-09-29
    6.2       2019-03-28          2023-09-28
    6.4       2020-03-31          2024-09-30
    7.0       2021-03-30          2025-09-30

    This page helps direct you to the general hardware and software lifecycle lookup:

    https://kb.fortinet.com/k....do?externalID=FD49527

    Lifecycle policy:

    https://support.fortinet...._Life_Cycle_Policy.pdf
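As an added example (not from the thread or from Fortinet), the 54-month rule above turned into a check: EOS is computed as GA plus 54 months with day clamping, which reproduces every row of the table, and a constructed inventory of FortiGates is classified against a chosen date. The 180-day "expiring" window, the hostnames and the "unknown-branch" result are assumptions of this example.

```python
from datetime import date
import calendar

# Branch GA dates as posted in the thread above (YYYY-MM-DD).
BRANCH_GA = {
    "5.6": date(2017, 3, 30),
    "6.0": date(2018, 3, 29),
    "6.2": date(2019, 3, 28),
    "6.4": date(2020, 3, 31),
    "7.0": date(2021, 3, 30),
}
SUPPORT_MONTHS = 54  # support period quoted in the thread

def add_months(d: date, months: int) -> date:
    """Add calendar months, clamping the day to the target month's length:
    2020-03-31 + 54 months is 2024-09-30, since September has no 31st."""
    y, m = divmod(d.month - 1 + months, 12)
    year, month = d.year + y, m + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))

def end_of_support(branch: str) -> date:
    """EOS = GA + 54 months; matches every row of the table above."""
    return add_months(BRANCH_GA[branch], SUPPORT_MONTHS)

def branch_of(version: str) -> str:
    """Map a full FortiOS version to its train: '6.0.9' -> '6.0'."""
    major, minor, *_ = version.split(".")
    return f"{major}.{minor}"

def support_status(version: str, today_iso: str) -> str:
    """'unsupported' past EOS, 'expiring' within 180 days of it (assumed window),
    else 'supported'. Trains not in the table are reported, not silently passed."""
    branch = branch_of(version)
    if branch not in BRANCH_GA:
        return "unknown-branch"
    days_left = (end_of_support(branch) - date.fromisoformat(today_iso)).days
    if days_left < 0:
        return "unsupported"
    return "expiring" if days_left <= 180 else "supported"

def fleet_report(fleet: dict, today_iso: str) -> dict:
    """hostname -> status for an inventory of running versions."""
    return {host: support_status(ver, today_iso) for host, ver in fleet.items()}

if __name__ == "__main__":
    # Constructed sample inventory, not real devices.
    fleet = {"fgt100d-hq": "5.6.12", "fgt100e-branch": "6.2.3", "fgt51-lab": "6.0.2"}
    for host, status in fleet_report(fleet, "2021-08-25").items():
        print(f"{host}: {status}")
```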