Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
jkoelker
New Contributor

5.4. or 5.6.5 for a version on my new 100E firewall not in production yet

Hello all. We are going to be migrating to a new 100E for our production firewall. We are currently running a 300C which needs to be replaced. Currently on the 100E I have 5.4.9 on it but also see that 5.6.5 is out. I've read release notes and I don't have a certain need to be on one version or the other, but I'm wondering if 5.6.5 is stable enough to put into a production environment to feel comfortable. 5.4.9 seems like it should be stable, but if I could get my firewall to 5.6.X before going live, it will prevent me from having to do it down the line. We don't have a backup/spare firewall, so that is why I ask. Better to do it now, or wait because 5.6.x isn't stable in your opinion? We do run a handful of IPsec VPN connections through it but mostly just user traffic in and out of WAN/DMZ connections. Thanks in advance.

1 Solution
bobm
New Contributor III

We have a 100E also, and I just upgraded to 5.6.5 from 5.6.3 about a month ago. Had basically the same question, and one of the tech support engineers told me that in his opinion, he'd stay away from x.x.1 through x.x.3 in a production environment w/no backup, but after that they're usually pretty safe.  So far it's been very stable for me, and pretty good to configure/use as well.  The only thing I've noticed so far is some quirky device discovery/inventory issues, but no show stoppers. Just make sure you check the Known Issues in the release notes first. 

 


5 REPLIES
Toshi_Esumi
SuperUser

My opinion about it is in this thread.

https://forum.fortinet.com/tm.aspx?tree=true&m=165220&mpage=1

 


jkoelker
New Contributor

Thanks bobm. This is the type of information I was looking for. I created a ticket with support and they simply told me to read the release notes. I told them in the past, support has been helpful in determining how buggy a version was and when to stay away from it yet. They were less than helpful this time around in getting me any information. I'll take a look at the known issues and confirm that they shouldn't be an issue for me and proceed. Thanks again.

tanr
Valued Contributor II

Moved a couple FortiGates and a FortiAnalyzer to 5.6.5, plus FortiAPs to 5.6.4 about a month back as well.

 

Has all gone smoothly.  Multiple IPsec VPN between two locations, plus SSL VPN for remote access and web filter.  I've been watching CPU and memory usage and they've stayed low.  Haven't seen any unexplained crash logs, which is refreshing.  Have seen an improvement in some App Control filters that were missing certain YouTube access from iOS devices before.

 

We did set up both locations and FortiGates as part of the same security fabric, which has been working fine, but with one design issue I really don't like.  When you make FortiGates part of the security fabric they stop allowing you to do logging to local storage.  That means if I start running into problems with connectivity from our branch location to the main office I can't check local logs at the branch location to figure out what's happening, unless I disconnect it from the security fabric.

sfales
New Contributor II

I'm running some 5.6.5 and have not had issues. 

Be sure to avoid the NGFW Policy based mode.  It forces centralized SNAT, which caused me some grief.

It also changes the function of application control.

(4) - 200b' s (15) 81WiFi FAZ 400b Fmgr 100c