Fortinet Forum
angie1996
New Contributor

recommendations fortios 6.4.4 or others

Hello friends, I read that version 6.4.4 is not recommended. I have a FortiGate 300E on v6.0.3 and would like to update the version. Please give me your recommendations. What versions do you recommend?
Markus
Valued Contributor

Where did you read that 6.4.4 is not recommended? Just interested as I have 2 clusters running 6.4.4

Generally there are 2 firmware lines for Fortigates, the "stable" line, and the "experimental" line. Stable only gets bug fixes and security updates, experimental gets all the new features.

If your goal is reliability, stick with the latest release on the stable line. If you don't mind helping to track down and report bugs in return for getting new features earlier, go with something in the experimental line (preferably one with several minor releases if you are doing this on production equipment).


________________________________________________________
--- NSE 4 ---
________________________________________________________

ede_pfau
Esteemed Contributor III

Uhm, this classification does not apply to the firmware versions you can download as an ordinary user. FortiOS does come in 'experimental' flavors but this is only available for developers / beta testers.

All versions published are official and intended to be 'stable'.

But we all know this might not be the case for all features and in all circumstances. All versions do have quirks, some more than others. That's why you should

- always read the Release Notes (sections 'Resolved issues' and 'Known bugs')

- preferably update within the major version only (e.g., from 6.0.3 to 6.0.12)

- upgrade (6.0 to 6.2 or 6.4) only if you need the added features

IMHO "experimental" and "production equipment" do not go together in one sentence.

My personal view on the stability of the current FortiOS releases is (and this is wholly subjective as I do not use ALL features on the FGTs I manage):

- v6.0.12 is the latest patch release of 6.0 and rock solid

- v6.2.7 is the latest patch release of 6.2 and often encountered in prod environments. Earlier patch releases suffered from memory leaks, esp. when using SSL VPN. Using SD-WAN would be a reason to upgrade.

- v6.4.4 does offer a lot of new features but still is in the early patch stages. It does run stably on many FGTs but...I still refrain from using it in customer production environments IF those features are not urgently needed.

Again, best practice demands to roll out on a test FGT first, checking details and watching resource consumption. If upgrading, make frequent backups, watch closely, check the forums, and enjoy if it works out for you.

And keep your installations up-to-date with patch releases, giving them 3-4 weeks before applying.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
mike_dp

We run on 6.4.4; we had a couple of issues:

- DNS filter wasn't able to check the DNS filtering server licence because of the new default anycast mode. We have to set: conf sys fortiguard, set fortiguard-anycast disable. Apparently FortiGuard has issues with anycast servers.

- We had issues with returning traffic to some specific SD-WAN traffic in our phone system, like the database replication on port 1504. Randomly the traffic from port 1504 wasn't coming back like it should. We had to set static routes. I will open a case on this to see if it's a known issue; it doesn't look like it's in the release notes' known bugs.

- We had major issues with self-originating traffic and SD-WAN (traffic from the box itself like DNS, syslog, FortiAnalyzer, etc.). We had to go into the CLI for each specific service and set interface-select-method sdwan instead of auto. Some services still don't route correctly, so we have to set static routes. Apparently they made major changes in 6.2+ for self-originating traffic routing.

- Traffic going through UTM policies set to flow once in a while gets a certificate error (we had to switch it to flow instead of proxy because of the issues with 6.2.6 in the past). We might switch it back to proxy.

We didn't have any issues with IPsec and SSL VPNs.

I believe 6.4.4 is more stable than any 6.2.x versions. I would avoid anything 6.2. I'm not even sure why 6.2 exists; they released 6.4 not so long after 6.2.

Fortigate : 80E, 80F, 100E, 200F, 300E : 6.4.6

FortiAnalyzer, ForticlientEMS
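
An added example, not part of the post above and not Fortinet tooling: a pre/post-upgrade check that reads a FortiGate configuration backup and reports which self-originating services still use the default `auto` egress selection instead of `sdwan`. The section names, the non-VDOM layout, the rule that a backup omits settings left at their default, and the sample backup are assumptions made for illustration.

```python
import re

# Assumed section names for the services named in the post (DNS, syslog,
# FortiAnalyzer); extend with the services your deployment relies on.
WATCHED = ("system dns", "log syslogd setting", "log fortianalyzer setting")

# Constructed sample backup (documentation addresses), not from a real device.
SAMPLE_BACKUP = """\
config system dns
    set primary 192.0.2.53
    set interface-select-method sdwan
end
config log syslogd setting
    set status enable
    set server "192.0.2.10"
end
config log fortianalyzer setting
    set status enable
    set interface-select-method sdwan
end
"""

def audit_egress_method(config_text):
    """Map each watched top-level section to its interface-select-method.

    Assumes a non-VDOM backup. A section without the setting is reported
    as "auto", assuming the backup omits values left at their default.
    """
    found, stack = {}, []  # stack: open "config ..." blocks, outermost first
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            stack.append(line[len("config "):])
            if len(stack) == 1 and stack[0] in WATCHED:
                found[stack[0]] = "auto"
        elif line == "end" and stack:
            stack.pop()
        elif len(stack) == 1 and stack[0] in found:
            m = re.fullmatch(r"set interface-select-method (\S+)", line)
            if m:
                found[stack[0]] = m.group(1)
    return found

def needs_review(config_text):
    """Watched sections present in the backup that still resolve to 'auto'."""
    return sorted(s for s, m in audit_egress_method(config_text).items() if m == "auto")

if __name__ == "__main__":
    print(needs_review(SAMPLE_BACKUP))
```

Running it against backups taken before and after the upgrade shows which services to revisit in the CLI before relying on static routes.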

comsec
New Contributor

If you want to be on the safe side, go with 6.0.12; the 6.2 and 6.4 series still have some serious issues.

Remember to follow the supported upgrade path, with all halfway updates, typically 2 minors at a time:

Recommended Upgrade Path

Following is the recommended FortiOS migration path for your product.

Version   Build Number
6.0.3     0200
6.0.5     0268
6.0.7     0302
6.0.9     0335
6.0.11    0387
6.0.12    0419

rd19_
New Contributor

I also upgraded my FortiGate 300E to 6.4.4 3 months ago and suddenly my "Application Control" had a problem. When I apply "Application Control" to a policy, I am not able to access our internal servers (even with a terminal like SecureCRT). But when I remove "Application Control", there is no issue at all. I just don't get it, because it ran smoothly before. Does anyone have the same issue? Thanks for your response.