FortiGate FortiOS release madness

make · ‎03-12-2018

Hello Everyone,

I'm wondering what is Fotinet up to with all their current releases branches. This is absolutely madness.

- 5.2.x finally works stable on most of the FortiGate units but it's already End of Engineering Support and the end of support Date is 2018-12-13. It's also not available for the E/F series.

- 5.4.x received the most updates from the newer releases but ist still full of bugs.

- 5.6.x is patched to version 3 from 2017-12-05 and contains really a lot of bugs (Month of post: March). It seems like it doesn't get a lot of attention from Fortinet.

- The upcoming 6.0.0 release will also be full of bugs and most likely not recommend/suitable for prod environments. IMO most of the customers should wait at least 1 year of development and bug fixes before using it.

So what is your strategy for 2018 and FortiOS? Are you using FortiGate D Series with FortiOS 5.2 even after EoS or are you using 5.4/5.6 with the need to frequently bother the bug-tracker and/or support?

Thank you all

Kind Regards, Maximilian

SMabille · ‎03-12-2018

Hi,

Fully agree, lack of "long term" sustained engineering version is a real issue.

5.4.x prior to 5.4.8 was not production ready at all (is it now? It's probably getting were 5.2.5-5.2.7 was), so we didn't recommended large critical customer for whom stability is primordial to upgrade yet.

Now we got (very weird) performance issue on 5.2 (likely IPS/IPS Engine) but end of engineering means pushing the customer to upgrade, putting us in a very awkward situation.

In perfect world (not driven by marketing), in my opinion, we need 5.2.x fully supported for at least another 12 to 18 months.

5.4, 5.6, 6.0 don't, in my opinion warrant three major revisions. Most of 5.4 and 5.6 under one version, with security fabrics and internet services, and another version with NGFW Policy mode and 6.0 new features.

More efforts should be in stabilising current version, with longer term support, and less new branches.

View solution in original post

seadave · ‎04-04-2018

All the above concerns are valid, but in some cases, user configuration can play a part in stability. The classic for me was the "Inspect All Ports" option under "Protocol Port Mapping" for a "SSL/SSH Inspection" profile in 5.4.x. Turning that on caused all sorts of issues.

For all the talk about how bad 5.4.x is. I'm running 5.4.5 on a 500D with a single VDOM in proxy mode, with ~85 rules, 1Gbps Internet Link, SSLVPN, MFA via FAC, FSSO, logging to FAZ, VIPs, using all UTM features with the exception of SPAM filtering, and ~225 users. My current uptime is 83 days. CPU util is ~10% on average and Mem util is 60%. Maybe I have a simple setup, but seems fairly standard. Of course some have much more or less complexity. Also I feel that many folks don't take advantage of the "Feature Select" option in 5.4.X to free up Mem. If you aren't using a feature, turn it off. I think this isn't an option in 5.2.X if I remember. Not sure.

Another problem is update exhaustion. I see it across all of the hundreds of products I manage. It is never ending and only getting worse from a frequency and quality standpoint. Considering the days of 5.0.X I think Fortinet is doing better than most.

To make updating less error prone, I always buy two firewalls of the same model when we upgrade every 4 to 5 years. One is for testing, other is production. This isn't good from a fail-over standpoint but I've never had a Gate brick. I have over the last 15 years experienced a few bad AV/IPS sig updates, but those can be fixed with a definition refresh. I can afford (but not enjoy :-)) a few hours of downtime. If I was a bank or retail outfit, this model wouldn't work and I would need a traditional HA setup.

This allows me to take my existing config on the spare Gate, update it and use the "diag debug config-error-log read" to see what the new firmware update didn't like about the old config before moving to production. Far too few people do this. We also log to FAZ and via FAZ to Splunk. This allows us to quickly determine when something changed if a problem occurs. I use the rule in the FAZ to email me every time a config change is made so I can keep track of those in the event I need to revert. I realize that some of you are MSPs and this model isn't appropriate for the fleets of small offices you manage.

Herein is the challenge for those folks. You are working with small shops who don't really understand why they need a firewall and why it should be replaced every 4 to 5 years. They see it as just another expense they don't want to incur. Then when there is an issue due to updating because you lack either time or resources to test, they see it as a disruption. I remember those scenarios from my consulting days and I don't wish to relive them any time soon.

Everyone has the challenge of "its running just fine, why should I get rid of it" when the device is going on 6 to 8 years. I have that problem with my Force10/Dell switches right now (going on 10!!!). But I know that continuing to run these will on a daily basis increase the chance that I will experience a major failure, so even though they are "just fine" it is time for them to go. I would argue you need to be willing to do the same with your firewalls but on a more frequent basis (4 to 5 years) due to the evolving threat basis.

One final comment regarding reliability is sizing. I've always felt that Fortinet doesn't make it easy to determine what size of firewall you need for a given number of users. Based on simple economics, many sites go; for obvious reasons, with the least expensive model that seems appropriate. For example, we used to be running 100Ds, but when it was time to upgrade I asked my VAR what we should be using this go around based on usage patterns and anticipated growth. They suggested the 500D. Seemed like a big jump to me at the time, but their advice was solid and as a result we have had zero issues related to resource contention.

View solution in original post

rwpatterson · ‎03-29-2018

Am I (and perhaps Ede and Emnoc) the only one who remembers the last time the 'release madness' was going on? I guess Fortinet forgot... 11 years isn't such a long time.

https://forum.fortinet.com/tm.aspx?m=19573&high=stability+now#24994

https://forum.fortinet.co...gh=stability+now#26147

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

ede_pfau · ‎03-29-2018

@Bob, that was a really good hint! Rereading thread #19573, sentiments come up...Abelio was one of the knowing guys then, 9 or 11 years ago. Much of what we thought then still holds true today, even if we've come a long way since. "Feature freeze", "fixes only, no new features", "better QA", along these lines.

What I am really proud of is that this forum, kept alive by all of it's users, after all these years still is a safe place for questions, mutual support and respectful exchange. Venting one's emotions and clearly articulating one's needs towards Fortinet is and was an important part of this, and probably not in vain.

Ede

"Kernel panic: Aiee, killing interrupt handler!"

emnoc · ‎03-29-2018

i can't believe it's been that long and I've been a member for some time now. Wow ;)

Ken

PCNSE

NSE

StrongSwan

ericli_FTNT · ‎03-29-2018

Whenever, whoever, you guys found any issue of FortiOS, please let me know or list the issue description here.

If it's a bug, someone will try to fix it.

If it's a demand of new feature, someone will try to add it to new build.

Thanks all!

seadave · ‎03-29-2018

ericli wrote:
Whenever, whoever, you guys found any issue of FortiOS, please let me know or list the issue description here.

If it's a bug, someone will try to fix it.
If it's a demand of new feature, someone will try to add it to new build.

Thanks all!

You would NEVER see the above in a Cisco forum. Why I'm a Fortinet customer since 2004. Thanks!

Yes there were some periods where you learned very quickly not to do upgrades until needed and to use this invaluable resource to let others navigate the minefield first :)

seadave · ‎03-29-2018

ddskier wrote:
dfollis wrote:
I've been running 5.4.5 on 500D for months with over 250 users accessing it, SSL VPN, multi-factor with FAC, logging to FAZ, OSPF and it has been rock solid. What kind of bugs are you seeing? I have ~50 policies and using all but spam and WAF filters. I've found over the last 14 years that .0/.1/.2 can be very buggy and or often unintended user configurations that don't follow good practice (which is often difficult to determine) are the cause of most issues.

Running 5.6.3 on 60WiFi with AP at home and that also appears to be performing well. If you are commenting on the Security Fabric, I agree totally it needs more work and I would suggest is more of a gimmick than actual network overlay security solution at this point.

We are moving our 500D to 5.6.3 soon.

See some of my posts within the 5.48 is out thread and you will see some of the issues that I have run into.

I'll review, thanks for pointing that out.

emnoc · ‎03-29-2018

I just post a thread on Fortios v5.6.0 is here. I will be upgrade a FWF50E appliance when my supplier get his stock refresh. Should be interesting to say the least ;)

Ken

PCNSE

NSE

StrongSwan

SMabille · ‎03-30-2018

Hi, I think that loads of aggravation with large customers with need for really rock solid firmware could resolved be extending engineering support for longer. The lifetime of a release is too short for them, they “finally” got a stable platform on 5.2 (roughly 6 months without incident) and rebuilding their trust in the product that they are told they need to move up. Extending engineering support on 5.2 shouldn’t be very costly or resources intensive at this stage and will allow to tell customers that the software they are installing (let’s say when 5.2.9 was released) will be supported for 4 years, instead we have to tell them they will need to upgrade in 12 months.... commercially it’s a major issue.

emnoc · ‎03-30-2018

Not really, the life cycle of the firmware is right on par with others..

e.g PANOS has approx 36months of slightly more on it's version and FortiOS is just about the same.

The problem is , fortigate QA program is not catching all of the issues. We are the actually the best QC department ( end-users ) and without feedback in the form of supportcases, they won't fix the issues in the firmware.

We can complain and wine about v.5.2.x all day long, but it's ( v5.2.x) going to die and reach some EoL/EoS. v5.4 or v5.6 or now v6.0 is your new major releases. So get use to it ;)

Ken

PCNSE

NSE

StrongSwan

SMabille · ‎03-30-2018

If you read my post correctly, I complain about the lifespan of stable version, so let’s be generous 5.2.7 was 03/17, exactly a year ago (and still discovered a couple of major bugs) and EOL today. 5.4.8 is now solid enough to recommend customers to use it, but with 6.0 being released 5.4 EOL is already in sight. And for reference PanOS lifecycle is very different to what you mention (it would mean 5.2.13 would have engineering support for 48 months). Commercially it’s invaluable Software release 5.0 or after: Major feature releases will be supported for 24 months. The last minor feature release of a major release cycle (see definition below) will be supported for 48 months. Support includes technical support, bug fixes, maintenance releases, workarounds, and patches for critical bugs And I’m sorry but customers don’t have to “live with it”, they are always free to vote with their feet. As FG partner it’s one of the biggest issue we got, customers complaining that once they finally reach a stable platform they have to upgrade 6 months down the line with the risk of a new cycle of major bugs discovery.