Hello Everyone,
I'm wondering what is Fotinet up to with all their current releases branches. This is absolutely madness.
- 5.2.x finally works stable on most of the FortiGate units but it's already End of Engineering Support and the end of support Date is 2018-12-13. It's also not available for the E/F series.
- 5.4.x received the most updates from the newer releases but ist still full of bugs.
- 5.6.x is patched to version 3 from 2017-12-05 and contains really a lot of bugs (Month of post: March). It seems like it doesn't get a lot of attention from Fortinet.
- The upcoming 6.0.0 release will also be full of bugs and most likely not recommend/suitable for prod environments. IMO most of the customers should wait at least 1 year of development and bug fixes before using it.
So what is your strategy for 2018 and FortiOS? Are you using FortiGate D Series with FortiOS 5.2 even after EoS or are you using 5.4/5.6 with the need to frequently bother the bug-tracker and/or support?
Thank you all
Kind Regards, Maximilian
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi,
Fully agree, lack of "long term" sustained engineering version is a real issue.
5.4.x prior to 5.4.8 was not production ready at all (is it now? It's probably getting were 5.2.5-5.2.7 was), so we didn't recommended large critical customer for whom stability is primordial to upgrade yet.
Now we got (very weird) performance issue on 5.2 (likely IPS/IPS Engine) but end of engineering means pushing the customer to upgrade, putting us in a very awkward situation.
In perfect world (not driven by marketing), in my opinion, we need 5.2.x fully supported for at least another 12 to 18 months.
5.4, 5.6, 6.0 don't, in my opinion warrant three major revisions. Most of 5.4 and 5.6 under one version, with security fabrics and internet services, and another version with NGFW Policy mode and 6.0 new features.
More efforts should be in stabilising current version, with longer term support, and less new branches.
All the above concerns are valid, but in some cases, user configuration can play a part in stability. The classic for me was the "Inspect All Ports" option under "Protocol Port Mapping" for a "SSL/SSH Inspection" profile in 5.4.x. Turning that on caused all sorts of issues.
For all the talk about how bad 5.4.x is. I'm running 5.4.5 on a 500D with a single VDOM in proxy mode, with ~85 rules, 1Gbps Internet Link, SSLVPN, MFA via FAC, FSSO, logging to FAZ, VIPs, using all UTM features with the exception of SPAM filtering, and ~225 users. My current uptime is 83 days. CPU util is ~10% on average and Mem util is 60%. Maybe I have a simple setup, but seems fairly standard. Of course some have much more or less complexity. Also I feel that many folks don't take advantage of the "Feature Select" option in 5.4.X to free up Mem. If you aren't using a feature, turn it off. I think this isn't an option in 5.2.X if I remember. Not sure.
Another problem is update exhaustion. I see it across all of the hundreds of products I manage. It is never ending and only getting worse from a frequency and quality standpoint. Considering the days of 5.0.X I think Fortinet is doing better than most.
To make updating less error prone, I always buy two firewalls of the same model when we upgrade every 4 to 5 years. One is for testing, other is production. This isn't good from a fail-over standpoint but I've never had a Gate brick. I have over the last 15 years experienced a few bad AV/IPS sig updates, but those can be fixed with a definition refresh. I can afford (but not enjoy :-)) a few hours of downtime. If I was a bank or retail outfit, this model wouldn't work and I would need a traditional HA setup.
This allows me to take my existing config on the spare Gate, update it and use the "diag debug config-error-log read" to see what the new firmware update didn't like about the old config before moving to production. Far too few people do this. We also log to FAZ and via FAZ to Splunk. This allows us to quickly determine when something changed if a problem occurs. I use the rule in the FAZ to email me every time a config change is made so I can keep track of those in the event I need to revert. I realize that some of you are MSPs and this model isn't appropriate for the fleets of small offices you manage.
Herein is the challenge for those folks. You are working with small shops who don't really understand why they need a firewall and why it should be replaced every 4 to 5 years. They see it as just another expense they don't want to incur. Then when there is an issue due to updating because you lack either time or resources to test, they see it as a disruption. I remember those scenarios from my consulting days and I don't wish to relive them any time soon.
Everyone has the challenge of "its running just fine, why should I get rid of it" when the device is going on 6 to 8 years. I have that problem with my Force10/Dell switches right now (going on 10!!!). But I know that continuing to run these will on a daily basis increase the chance that I will experience a major failure, so even though they are "just fine" it is time for them to go. I would argue you need to be willing to do the same with your firewalls but on a more frequent basis (4 to 5 years) due to the evolving threat basis.
One final comment regarding reliability is sizing. I've always felt that Fortinet doesn't make it easy to determine what size of firewall you need for a given number of users. Based on simple economics, many sites go; for obvious reasons, with the least expensive model that seems appropriate. For example, we used to be running 100Ds, but when it was time to upgrade I asked my VAR what we should be using this go around based on usage patterns and anticipated growth. They suggested the 500D. Seemed like a big jump to me at the time, but their advice was solid and as a result we have had zero issues related to resource contention.
Am I (and perhaps Ede and Emnoc) the only one who remembers the last time the 'release madness' was going on? I guess Fortinet forgot... 11 years isn't such a long time.
https://forum.fortinet.com/tm.aspx?m=19573&high=stability+now#24994
https://forum.fortinet.co...gh=stability+now#26147
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
@Bob, that was a really good hint! Rereading thread #19573, sentiments come up...Abelio was one of the knowing guys then, 9 or 11 years ago. Much of what we thought then still holds true today, even if we've come a long way since. "Feature freeze", "fixes only, no new features", "better QA", along these lines.
What I am really proud of is that this forum, kept alive by all of it's users, after all these years still is a safe place for questions, mutual support and respectful exchange. Venting one's emotions and clearly articulating one's needs towards Fortinet is and was an important part of this, and probably not in vain.
i can't believe it's been that long and I've been a member for some time now. Wow ;)
Ken
PCNSE
NSE
StrongSwan
Whenever, whoever, you guys found any issue of FortiOS, please let me know or list the issue description here.
If it's a bug, someone will try to fix it.
If it's a demand of new feature, someone will try to add it to new build.
Thanks all!
ericli wrote:You would NEVER see the above in a Cisco forum. Why I'm a Fortinet customer since 2004. Thanks!Whenever, whoever, you guys found any issue of FortiOS, please let me know or list the issue description here.
If it's a bug, someone will try to fix it.
If it's a demand of new feature, someone will try to add it to new build.
Thanks all!
Yes there were some periods where you learned very quickly not to do upgrades until needed and to use this invaluable resource to let others navigate the minefield first :)
ddskier wrote:I'll review, thanks for pointing that out.dfollis wrote:I've been running 5.4.5 on 500D for months with over 250 users accessing it, SSL VPN, multi-factor with FAC, logging to FAZ, OSPF and it has been rock solid. What kind of bugs are you seeing? I have ~50 policies and using all but spam and WAF filters. I've found over the last 14 years that .0/.1/.2 can be very buggy and or often unintended user configurations that don't follow good practice (which is often difficult to determine) are the cause of most issues.
Running 5.6.3 on 60WiFi with AP at home and that also appears to be performing well. If you are commenting on the Security Fabric, I agree totally it needs more work and I would suggest is more of a gimmick than actual network overlay security solution at this point.
We are moving our 500D to 5.6.3 soon.
See some of my posts within the 5.48 is out thread and you will see some of the issues that I have run into.
I just post a thread on Fortios v5.6.0 is here. I will be upgrade a FWF50E appliance when my supplier get his stock refresh. Should be interesting to say the least ;)
Ken
PCNSE
NSE
StrongSwan
Not really, the life cycle of the firmware is right on par with others..
e.g PANOS has approx 36months of slightly more on it's version and FortiOS is just about the same.
The problem is , fortigate QA program is not catching all of the issues. We are the actually the best QC department ( end-users ) and without feedback in the form of supportcases, they won't fix the issues in the firmware.
We can complain and wine about v.5.2.x all day long, but it's ( v5.2.x) going to die and reach some EoL/EoS. v5.4 or v5.6 or now v6.0 is your new major releases. So get use to it ;)
Ken
PCNSE
NSE
StrongSwan
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1712 | |
1093 | |
752 | |
447 | |
231 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.