make
New Contributor

FortiGate FortiOS release madness

Hello Everyone,

 

I'm wondering what Fortinet is up to with all their current release branches. This is absolute madness.

- 5.2.x is finally stable on most of the FortiGate units, but it's already End of Engineering Support and the end-of-support date is 2018-12-13. It's also not available for the E/F series.

- 5.4.x received the most updates of the newer releases but is still full of bugs.

- 5.6.x is patched to version 3 from 2017-12-05 and really contains a lot of bugs (month of post: March). It seems like it doesn't get a lot of attention from Fortinet.

- The upcoming 6.0.0 release will also be full of bugs and most likely not recommended/suitable for prod environments. IMO most customers should wait for at least 1 year of development and bug fixes before using it.

 

So what is your strategy for 2018 and FortiOS? Are you using FortiGate D Series with FortiOS 5.2 even after EoS or are you using 5.4/5.6 with the need to frequently bother the bug-tracker and/or support?

 

Thank you all

Kind Regards, Maximilian
2 Solutions
SMabille
Contributor

Hi,

 

Fully agree, lack of "long term" sustained engineering version is a real issue.

5.4.x prior to 5.4.8 was not production ready at all (is it now? It's probably getting to where 5.2.5-5.2.7 was), so we didn't recommend that large critical customers, for whom stability is primordial, upgrade yet.

Now we have a (very weird) performance issue on 5.2 (likely IPS/IPS Engine), but end of engineering means pushing the customer to upgrade, putting us in a very awkward situation.

 

In a perfect world (not driven by marketing), in my opinion, we need 5.2.x fully supported for at least another 12 to 18 months.

 

5.4, 5.6 and 6.0 don't, in my opinion, warrant three major revisions. Most of 5.4 and 5.6 could be under one version, with security fabric and internet services, and another version with NGFW policy mode and the 6.0 new features.

 

More effort should go into stabilising the current version, with longer-term support, and fewer new branches.


seadave
Contributor III

All the above concerns are valid, but in some cases, user configuration can play a part in stability. The classic for me was the "Inspect All Ports" option under "Protocol Port Mapping" for an "SSL/SSH Inspection" profile in 5.4.x. Turning that on caused all sorts of issues.

 

For all the talk about how bad 5.4.x is, I'm running 5.4.5 on a 500D with a single VDOM in proxy mode, with ~85 rules, a 1Gbps Internet link, SSLVPN, MFA via FAC, FSSO, logging to FAZ, VIPs, using all UTM features with the exception of SPAM filtering, and ~225 users. My current uptime is 83 days. CPU util is ~10% on average and Mem util is 60%. Maybe I have a simple setup, but it seems fairly standard. Of course some have much more or less complexity. Also I feel that many folks don't take advantage of the "Feature Select" option in 5.4.X to free up Mem. If you aren't using a feature, turn it off. I think this isn't an option in 5.2.X if I remember. Not sure.

 

Another problem is update exhaustion. I see it across all of the hundreds of products I manage. It is never ending and only getting worse from a frequency and quality standpoint. Considering the days of 5.0.X, I think Fortinet is doing better than most.

 

To make updating less error prone, I always buy two firewalls of the same model when we upgrade every 4 to 5 years. One is for testing, the other is production. This isn't good from a fail-over standpoint, but I've never had a Gate brick. I have over the last 15 years experienced a few bad AV/IPS sig updates, but those can be fixed with a definition refresh. I can afford (but not enjoy :-)) a few hours of downtime. If I was a bank or retail outfit, this model wouldn't work and I would need a traditional HA setup.

 

This allows me to take my existing config on the spare Gate, update it and use "diag debug config-error-log read" to see what the new firmware update didn't like about the old config before moving to production. Far too few people do this. We also log to FAZ and via FAZ to Splunk. This allows us to quickly determine when something changed if a problem occurs. I use a rule in the FAZ to email me every time a config change is made so I can keep track of those in the event I need to revert. I realize that some of you are MSPs and this model isn't appropriate for the fleets of small offices you manage.

 

Herein is the challenge for those folks. You are working with small shops who don't really understand why they need a firewall and why it should be replaced every 4 to 5 years. They see it as just another expense they don't want to incur. Then when there is an issue due to updating, because you lack either the time or the resources to test, they see it as a disruption. I remember those scenarios from my consulting days and I don't wish to relive them any time soon.

 

Everyone has the challenge of "it's running just fine, why should I get rid of it" when the device is going on 6 to 8 years. I have that problem with my Force10/Dell switches right now (going on 10!!!). But I know that continuing to run these will, on a daily basis, increase the chance that I will experience a major failure, so even though they are "just fine" it is time for them to go. I would argue you need to be willing to do the same with your firewalls but on a more frequent basis (4 to 5 years) due to the evolving threat basis.

 

One final comment regarding reliability is sizing. I've always felt that Fortinet doesn't make it easy to determine what size of firewall you need for a given number of users. Based on simple economics, many sites go, for obvious reasons, with the least expensive model that seems appropriate. For example, we used to be running 100Ds, but when it was time to upgrade I asked my VAR what we should be using this go around based on usage patterns and anticipated growth. They suggested the 500D. Seemed like a big jump to me at the time, but their advice was solid and as a result we have had zero issues related to resource contention.
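The spare-unit workflow described in this post (load the old config on the test Gate, upgrade it, then check what the new firmware didn't like) can be complemented by diffing the configuration export taken before and after the upgrade, since a setting that the new firmware drops or resets silently will not always show up as an error. The Python below is an added example and is not part of seadave's post or any Fortinet tool; it assumes the usual nested config/edit/set/next/end layout of a FortiOS config export, and both sample configs, including the dropped SSL/SSH profile and the changed admin timeout, are constructed for the example rather than taken from a real device.

```python
import shlex

# Constructed sample: a simplified FortiOS-style configuration export as it
# might look before a firmware upgrade on the spare unit. Object names and
# values are invented for this example.
CONFIG_BEFORE = """\
config system global
    set hostname "FGT-SPARE"
    set admintimeout 10
end
config firewall policy
    edit 1
        set name "lan-to-wan"
        set srcintf "internal"
        set dstintf "wan1"
        set action accept
        set ssl-ssh-profile "custom-inspect"
    next
    edit 2
        set name "dmz-to-wan"
        set srcintf "dmz"
        set dstintf "wan1"
        set action accept
    next
end
"""

# Constructed sample: the same configuration re-exported after the upgrade.
# For the example, the new firmware has dropped the custom SSL/SSH profile
# on policy 1 and reset the admin timeout; the test unit exists to catch
# exactly this kind of silent change before it reaches production.
CONFIG_AFTER = """\
config system global
    set hostname "FGT-SPARE"
    set admintimeout 5
end
config firewall policy
    edit 1
        set name "lan-to-wan"
        set srcintf "internal"
        set dstintf "wan1"
        set action accept
    next
    edit 2
        set name "dmz-to-wan"
        set srcintf "dmz"
        set dstintf "wan1"
        set action accept
    next
end
"""


def parse_fortios_config(text):
    """Flatten nested config/edit/set blocks into {path_tuple: value}.

    Each key is a tuple such as ('firewall policy', '1', 'ssl-ssh-profile');
    'config' and 'edit' push onto the current path, 'next' and 'end' pop it.
    """
    settings = {}
    path = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)  # honours the quoting used for names
        keyword = tokens[0]
        if keyword == "config":
            path.append(" ".join(tokens[1:]))
        elif keyword == "edit":
            path.append(tokens[1])
        elif keyword == "set":
            settings[tuple(path + [tokens[1]])] = " ".join(tokens[2:])
        elif keyword == "unset":
            settings[tuple(path + [tokens[1]])] = "<unset>"
        elif keyword in ("next", "end") and path:
            path.pop()
    return settings


def diff_configs(before_text, after_text):
    """Return settings dropped, changed or added between two config exports."""
    before = parse_fortios_config(before_text)
    after = parse_fortios_config(after_text)
    label = "/".join
    return {
        "dropped": sorted(label(k) for k in before if k not in after),
        "changed": sorted(
            (label(k), before[k], after[k])
            for k in before
            if k in after and before[k] != after[k]
        ),
        "added": sorted(label(k) for k in after if k not in before),
    }


if __name__ == "__main__":
    report = diff_configs(CONFIG_BEFORE, CONFIG_AFTER)
    for kind, entries in report.items():
        print(kind)
        for entry in entries:
            print("  ", entry)
```

Run against real exports, the "dropped" list is what you would want to review against the release notes before the production unit is touched; anything in "changed" that you did not change yourself is a firmware-side conversion worth understanding first.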

27 Replies

emnoc
Esteemed Contributor III

You do know that 5.2 has been out now for over 4 years? So that's impressive from that standpoint. As far as v5.4 and v5.6 go, these are newier trains that are not deep in sub-build, but they will continue to be supported and groomed for more fixes.

 

Ken

 

PCNSE 

NSE 

StrongSwan  
tanr
Valued Contributor II

Hi Ken,

 

I think auto-correct munged your last post. What did you mean by "newier trains"?

emnoc
Esteemed Contributor III

v5.4.x and v5.6 are the (two) new releases that should be focused on. v5.2 will come to an end. The OP indicated that in the 1st paragraph of his post.

 

 

So FTNT has done a good job with giving us two build trains (v5.4 and v5.6); pick your poison and drink it ;). We can only hope v6.0 is going to be good, but I wonder if v5.8 is going to be skipped.

 

The only negative I see in FortiOS v5.4.x and v5.6.x is that we don't have enough builds that are proven good. I see this as comparing Windows 7, Windows 8.1 and Windows 10.

 

A big 3 choices to select from.

 

 

Ken

 

PCNSE 

NSE 

StrongSwan  
Ray
New Contributor III

The Security Fabric marketing hype does not make firewall admins' jobs a lot easier. I agree with Ken (emnoc) that "... we don't have enough builds that are proven good."

 

We don't need many choices. We need better QA firmware.

Itguy
New Contributor

The choices of stable firmware are garbage. 5.4.8 is about all there is now and that has issues. 5.2.13 or whatever is 100% rock solid and far more stable than 5.4.8. Yet we're being told to rush to the 5.6 series, which is horribly buggy, and now 6.0 is coming out?

 

Fortinet needs to slow down. We've been evaluating switching to a different solution because of this stupid speeding through revisions and not properly fixing bugs or staging releases.

 

It's all about marketing hype and fake enhancements now apparently.

ddskier

Ray wrote:

The Security Fabric marketing hype does not make firewall admins' jobs a lot easier. I agree with Ken (emnoc) that "... we don't have enough builds that are proven good."

 

We don't need many choices. We need better QA firmware.

I agree. Since the 4.0 days you never jumped to the new version until 5 or 6 patches were in. We just jumped from 5.2.13 to 5.4.8 hoping they have figured everything out. I have already run into a few issues. I hope 5.4.9 will finally squash more of these outstanding bugs...

-DDSkier FCNSA, FCNSP FortiGate 400D, (2) 200D, (12) 100D, (2) 60D
seadave

I've been running 5.4.5 on a 500D for months with over 250 users accessing it, SSL VPN, multi-factor with FAC, logging to FAZ, OSPF, and it has been rock solid. What kind of bugs are you seeing? I have ~50 policies and am using all but the spam and WAF filters. I've found over the last 14 years that .0/.1/.2 can be very buggy, and/or that unintended user configurations that don't follow good practice (which is often difficult to determine) are the cause of most issues.

 

Running 5.6.3 on a 60WiFi with an AP at home, and that also appears to be performing well. If you are commenting on the Security Fabric, I agree totally it needs more work and I would suggest it is more of a gimmick than an actual network overlay security solution at this point.

 

We are moving our 500D to 5.6.3 soon.

ddskier

dfollis wrote:

I've been running 5.4.5 on a 500D for months with over 250 users accessing it, SSL VPN, multi-factor with FAC, logging to FAZ, OSPF, and it has been rock solid. What kind of bugs are you seeing? I have ~50 policies and am using all but the spam and WAF filters. I've found over the last 14 years that .0/.1/.2 can be very buggy, and/or that unintended user configurations that don't follow good practice (which is often difficult to determine) are the cause of most issues.

 

Running 5.6.3 on a 60WiFi with an AP at home, and that also appears to be performing well. If you are commenting on the Security Fabric, I agree totally it needs more work and I would suggest it is more of a gimmick than an actual network overlay security solution at this point.

 

We are moving our 500D to 5.6.3 soon.

See some of my posts within the "5.4.8 is out" thread and you will see some of the issues that I have run into.

-DDSkier FCNSA, FCNSP FortiGate 400D, (2) 200D, (12) 100D, (2) 60D