Cybersecurity Forum

This forum is for all security enthusiasts to discuss Fortinet's latest & evolving technologies and to connect & network with peers in the cybersecurity hemisphere. Share and learn on a broad range of topics like best practices, use cases, integrations and more. For support specific questions/resources, please visit the Support Forum or the Knowledge Base.

bakershack
New Contributor

Best Firmware for New Deployment

We have just purchased a FortiGate 60F to use as our edge router/firewall.  What version of firmware is recommended for the initial deployment?  We are not using HA at this time, and currently only have one ISP source.  We will be using SSL VPN heavily.  Are there any other details needed for a recommendation?

------------------------------
Kelly Baker, PE
------------------------------
9 REPLIES
AdamT
Staff

Hi Kelly,

Thanks for visiting the forums.  Did you purchase a FortiGuard security services subscription and do you plan to implement or leverage any other features such as SD-WAN, SSL Decryption or any other products such as FortiAP, FortiAnalyzer, FortiSwitch, FortiCloud, etc? 

Without more info and as a general recommendation I would suggest either v6.2.4 as the stable leading edge or 6.4.2 if you want the latest features and GUI updates and are OK being on the bleeding edge.  Most of my small to mid-sized customers are on the 6.2 branch based on a balance between features and stability with 6.2.4 being the most common release in use among them. 

Adam
bakershack

Adam,

Thank you for the response.  Stability and reliability are critical, so I would want the most stable version, but SSL VPN is also critical, so I would need that version to have reliable SSL VPN performance as well.

You said v6.2.4 was the stable leading edge, but I have read horror stories about that version, including how quickly v6.2.5 was released to address all of the bugs in v6.2.4.  Why are you recommending a version that caused so many issues?
AdamT

Hi Kelly,

Thanks for your feedback and observations. Other people's experience may not be the same as mine or my customers' but it certainly provides additional data points to consider.  That said, what you describe has not been my experience with release v6.2.4 so far, but every environment is different and uses different features and configuration options. Most of my customers are of the larger variety and change is typically slower and policies typically more conservative. Since v6.2.5 is out now that would be a good choice as well given some of the items that were addressed by that release. I do have a few customers on that release and they seem happy at this point without any major issues.

If there is something of specific concern in the release notes Support can assist in helping you understand the scope of the issue so that you may make your own determination as to whether to use a given release or not. In truth, they see a broader scope of issues than any field sales engineer does but generally want to recommend the latest release because it will always contain the most recent bug fixes. Depending on your preferences, tolerance for risk and change control policies this may or may not be an acceptable or desirable path. 

FOS 6.4.3 is out now as well so if you want/need the new features in the 6.4 release train I would take the latest one.  That said, the v6.4.3 release has not seen the same number of deployments in the field as the v6.2.x releases at this point so that is something else to consider before deploying that release. For larger enterprise environments I am still recommending v6.2.x. 

Adam
bakershack

Understood.  Thanks for your shared experience.  I think we will start with 6.2.5 and wait for the 6.4.x to mature.  I like some things about 6.4 but we can't afford to be beta testers, and those things are "nice to haves" not "must haves."

I really do appreciate your responses!  I wish more people would have chimed in here, since it IS a Fortinet forum, but I did get input from other sources so I feel confident in my decision.
Not applicable

Sometimes my router also wants firmware for a new deployment but it shows an error when I update.
simonorch

From your use description, I would go with 6.4.3. (I think 6.4.4 is due before the end of the year.) Unless there are reasons not to, we've been doing new installs based on 6.4 since the summer and have not run into issues so far.

You mention SSL VPN as a primary feature. We have 6.4.3 on our own internal main cluster with pretty much the whole company working from home right now with no issues seen yet. I'm running FortiClient 6.0.10 and use it for many customers with all sorts of FortiOS versions and find it to be rock steady.

The reason for going with 6.4 (making sure to test prior to going live) on new deployments is a calculated risk. The intention being that it will remain on that main release for at least a couple of years, if not longer and minor patching of bugs/vulnerabilities is, as a rule, less risky than doing main release upgrades. 

Another thing we do on all new installs is to configure SD-WAN on WAN interfaces as default. Even if you don't need it as such, the metrics you get on line quality are worthwhile for troubleshooting purposes if nothing else. It's a reasonably big lift to implement it later if you need it, so you make your life easier by doing it from the get go.

NSE8
Fortinet Expert partner - Norway

bakershack

Simon,

Thank you for your response.  6.4.3 is the latest release.  While I like the new features of 6.4.x, I am concerned about being a beta tester.  Our network is too critical.  How many networks have you deployed 6.4.3 on?  Have you seen any instability or bugs that affected those networks?
simonorch

I guess we've either deployed as new or patched up to around 20 customers or so to 6.4 with deployments across a broad range of models and different use cases.

6.4 is 8 months old now as a release, so I really wouldn't call it beta. In fact, our experience with it is better than 6.2. As it happens I've just been working through the night at a customer with 2000E and 501E clusters on 6.2.3 where both clusters lost several firewall rules during a lights-out test, something I've never yet seen!


So whilst 6.2.6 is too new to say much about, our impression is that 6.4 at patch 3 is better than 6.2 at patch 5. To my knowledge, none of our customers have had to roll back from 6.4 and certainly our own internal 400D cluster has been fine on 6.4.2 and now 6.4.3.
The only thing that springs to mind with 6.4 is from upgrades and how this version deals with flow/proxy inspection compared to earlier versions, which required changes to the configuration rather than it being any bug.


When it comes to bugs it can often be a hit-and-miss affair. You could hit one in any release and I wouldn't say it's a given that 6.2.x is going to be more stable for your particular use case than 6.4.x, so that's why I say you need to test the functionality that's relevant to you first before going into production.
Years ago I piloted a 600+ deployment of 60Ds with 5.2.0, and rolled out with 5.2.1 without a single hitch. 6 years down the line and having gone through 5.2, 5.4 and now 6.0 I still haven't hit a confirmed bug and have only had 2 boxes die on me, which I would say is a pretty good record. Yet in other cases I've seen no end of problems with a single unit or cluster.

NSE8
Fortinet Expert partner - Norway
