Upgraded a FortiWiFi 60D from 5.2.5 to 5.4.0. So far it seems to be working OK. Will know more after running the new firmware for a few days. The new FortiView / Device Topology looks interesting. Some glitches that may be operator error, configuration issues, or may be addressed in future 5.2 releases.

Well I spoke too soon. Shortly after I posted the message above I lost access to the network. Come to find out that after a while the policies all disappeared (except for the implicit deny policy). With suggestion from Fortinet tech support I restored to a backup of the configuration that I made shortly after upgrading to the 5.4.0 firmware. This temporary restored the policies. The policies then disappeared again a little while later.

 

I'm wondering if running the Wizard through to the Configuration / Summary could somehow be a factor in the policies disappearing. I did not make firewall configuration changes after upgrading to 5.4.0 but I did run through a lot of the pages of the new UI and ran the Wizard both times that I lost the policies. Could just be coincidence.

 

Tech support found a lot of errors in the crash logs and thought it might be a drive problem that is causing the issue. They are RMA'ng the unit.

I ran through the Wizard at the top right corner of the GUI, next to the Videos button. At the end of the Wizard it displays three errors:

System Switch Interface: Entry not found.

System Interface: Entry not found.

Policy: Input value is invalid.

 

After running this Wizard the policies once again disappeared. I would be curious if someone else wants to test this to see if the same thing happens on another firewall or not. I have been able to restore the policies with a backup that I made shortly after the upgrade to 5.4.0.

This is so disappointing. You think after the 5.2.4/5 issues they would have striven to put out something more stable.  I have yet to test (I have two 500Ds, one test, one production), but after reading these posts it almost seems like a waste of time.  Why are firmware releases put out that disable critical functions???  These aren't obscure features.

 

I know this is a "new" release, but that indicates to me that the QC process at Fortinet is severely lacking.  I have been with Fortinet for a very long time and we have invested substantial resources with them over the years, but I'm beginning to look at other options.  Bugs should be the exception, not the rule.  I feel like I'm watching a good friend slowly die.  Is it time to start a petition to get the person in charge of software quality replaced?  Customers don't deserve this kind of grief.  I install patches on different systems/appliances monthly and they are almost NEVER as problem prone and unstable as Fortinet's firmware seems to consistently be.  What is the root of the problem:

[ul]

A system that is TOO flexible and allows customers to create wild configs that never upgrade consistently?

Too many different hardware configurations for them to reliably test and support?

Indifference when obvious bugs are noted by the user community and not patched for multiple weeks if not months?

Internal cutbacks and outsourcing for QC and software development (wild speculation)?[/ul]

I do agree with all of the comments about the following:

[ul]

You should NOT expect a firewall to last more than 3 years.  Threats evolve too rapidly and Fortinet is VERY affordable compared to nearly every other vendor.  You should be budgeting for replacement funds from the minute you purchase a new firewall for this reason.[/ul][ul]

You should NEVER upgrade a production system to new firmware without having either a test unit to work on first or without having spent time reading these forums and knowing what is likely to break (although I guess we do owe some thanks to those that "take the plunge" and find these bugs the hard way).  It would be nice if Fortinet allowed a VM for testing only to see if that might expose some of these issues before they hit a production system, but not sure how Apples to Apples this might be.[/ul]

 

I really hope things get better sooner than later or I will need to move on.

beta=> RC2~3=> GA

too fast...

 

I'm sure the push to get 5.4 GA out the door in 2015 was not from the technical people.

 

I can't even use it on my test network at home as we picked up a bug in RC2 that dropped all L3 traffic going over an ethernet over power link to one of the switch ports, dhcp and capwap seemed to be ok but no layer3. (FWF60D POE)

 

There are a lot of nice new features in 5.4 but with a 'what's new' doc running at 151 pages you just know it's going to take some time to iron out the bugs, perhaps by the end of the year it might be worth taking a serious look at.

 

Until then it's a 'concept car', nice to look at and shows the direction fortios is heading but not something you could take out on the road.

SecurityPlus wrote:

I ran through the Wizard at the top right corner of the GUI, next to the Videos button. At the end of the Wizard it displays three errors:

System Switch Interface: Entry not found.

System Interface: Entry not found.

Policy: Input value is invalid.

 

Can you provide your config via private message so we can reproduce the issue?

 

SecurityPlus wrote:

After running this Wizard the policies once again disappeared. I would be curious if someone else wants to test this to see if the same thing happens on another firewall or not. I have been able to restore the policies with a backup that I made shortly after the upgrade to 5.4.0.

 

The wizard is intended to be used for initial setup, and so it replaces most of the configuration so that the unit is in working state. This includes policies, as the wizard will create additional policies based on the options you choose.

Thanks for letting me know of the intended operation of the Wizard. In some computer programs you can run through the Wizard again to check or modify settings. I assumed that this was the case. It seems that there should be a warning that an admin could loose some or all of the policies. Had we not had a backup I would have been very disappointed.

 

I uploaded the config backup to the ticket that Fortinet tech support created.

 

Thanks again!

SecurityPlus wrote:

Thanks for letting me know of the intended operation of the Wizard. In some computer programs you can run through the Wizard again to check or modify settings. I assumed that this was the case. It seems that there should be a warning that an admin could loose some or all of the policies. Had we not had a backup I would have been very disappointed.

 

I uploaded the config backup to the ticket that Fortinet tech support created.

 

Thanks again!

We will add a note about this to the Getting Started chapter of the FortiOS handbook (that should be out in a week or two).