Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
OnemoreDK
New Contributor

Best upgrade from v5.4.1

Please forgive my ignorance on this topic but I have been reading so many articles, threads, KB's, etc. that my head is spinning. I have inherited a site with a main corporate office and 3 satellite offices. All sites are using 60D Fortigate units, connected via IPSEC site to site VPN. All Fortigate units are on 5.4.1 firmware and there are users using IPSEC VPN from outside the office to connect to the network.

 

With the recent security threat that I have seen on various tech sites that say Fortigate VPN's are actively being exploited, I think it is time to patch. 

 

First question, is the security threat a problem on only certain firmwares? I read that it only applies to SSL VPN. Since we don't use that, does it still apply to us?

 

Second, based on your experiences, what is the most stable version to upgrade to? Should I stay with the 5.4 family? I think there is version 5.4.11 that is out? Should I upgrade to 5.6 or just go to v6.x? Based on the best practices documents for firmware updates, do I really have to go through all the firmwares listed in order? I can't just jump on the latest version I want to go to?

 

Third, do I have to update all the Fortigates at the same time with the same firmware? Considering that we are a production company, taking down the Internet on 4 sites to update the firmwares may not be an option. Can I update them at various times and still maintain VPN connectivity?

 

Also do I have to update all the Forti Clients as well? Everyone uses v5.4.2 Forti Client software. Will that play nicely with the new firmware until I get around to updating the 40+ users?

 

Thank you in advance for any advice you have.

 

 

4 REPLIES 4
sw2090
SuperUser
SuperUser

As you have a productive config on your units you do have to follow the upgrade path suggested by Fortinet. If you don't you acept the risk that parts of your config are getting lost or will not work correctly anymore.

Anyhow v. 5.4. is almost EOS so I'd recommend upgrading.

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

-- "It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Toshi_Esumi
SuperUser
SuperUser

Are you concerning about this particular one?

https://fortiguard.com/psirt/FG-IR-18-384

A work around was in the link.

 

But, I would attempt to go up to 6.0.6 since many other vulnerabilities have fixed since 5.4.1 (relased June 2016). 6.0.x seems to be the last major version of 60D. 6.2.x doesn't exist for 60D.

If you ignore the upgrade paths, I'm almost sure it would break many things including PSK for IPSec. If you can't afford taking a very long maintenance window to complete upgrade path, I would just flush the boot drive and reload the new OS and configure everything from scratch.

 

OnemoreDK

Thank you very much for the advice. So do I need to upgrade all 4 Fortigates at the same time or can I do one at a time and get the others as time permits?

Toshi_Esumi

IPSec/IKE packet format/negotiation wouldn't change between FortiOS versions. It's a standard. I would try upgrading only one remote office first, by making sure at every step the VPN comes up and pingable through the tunnel.

Once you confirmed it's working next day for all users, you can feel good to proceed upgrading the rest of the remote locations. Then HQ would be the last.

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors