FortiOS 5.2: should we wait or should we go?

VicAndr · ‎06-19-2014

Questions to those who had been brave enough to upgrade their units to FortiOS v5.2.0: How did it handle complex configurations in the course of upgrade (I mean " in-place upgrade" )? Are there any pitfalls to watch for? Does v5.2 work stable? Is there anything to loose in the jump to v5.2? Are you still there on v5.2 or had to go back to v5.0 for one reason or another? What are your overall experiences so far? We have a pure FortiOS v5.0.7 in our environment. It generally works fine but our main headache is new FortiAPs supporting 802.11ac - they are practically unusable on v5.0.7 (we do not want to go with " interim" FortiOS build as it raises a whole bunch of other questions). Thank you all for any feedback, VA

ejhardin · ‎07-02-2014

By default the SSL profile is " certificate-inspection" . In this mode the FortiGate is basically just reading the dns name from the certificate during the SSL handshake. Question... Has anyone really had an issues with SSL connections while using " certificate-inspection" ? I haven' t had an issue and I like the fact that the " certificate-inspection" is on by default. Other firewall companies are doing the same thing.

View solution in original post

Greg_Hennessy · ‎06-20-2014

FortiASIC offload is broken for my FWF60C here. CPU loads are high and platform performance takes a serious hit as a consequence Trying to work up the enthusiasm to do a clean factory reset and load of a clean empty policy to see if that sorts it.

rwpatterson · ‎06-20-2014

Unwritten IS policy #1: Never on a Friday! (unless you want to spend the better part of your weekend fixing it...)

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Dipen · ‎06-21-2014

upgraded my 100D to FortiOS 5.2 a few days ago. No problems as of now. I have Application Control in my environment ,,Glad they introduced a block-page for Application control as well. My users are happy..at least they now know that application is blocked by " security-people" . fortiview wasn' t much impressive. Impressive changes to VPN GUI though with all Wizards... but again IPSEC Wizard dosent customize Phase1 / Phase 2 parameters in Wizard only.

Ahead of the Threat. FCNSA v5 / FCNSP v5

Fortigate 1000C / 1000D / 1500D

VicAndr · ‎06-25-2014

Usually I do not upgrade my Fortigate/FortiWiFi units to a GA release but this time I broke my own rule. I' ve upgraded a FortiWiFi unit (FWF-80CM) in one of our remote locations from FortiOS v5.0.7 to v5.2.0 and ...almost immediately was punished for being inpatient: the unit fell into " conserve mode" . I have opened a case with Fortinet. I think though that it is not necessarily a problem with the new release of FortiOS as such. The thing is that with every release of FortiOS, it is gradually becoming more and more resource-consuming. So gap between FortiOS' demand on CPU' s number-crunching abilities as well as on memory capacity and what resources actual hardware could offer keeps growing. ...especially if your box was purchased a while ago. In our case it seems to be not so much a CPU problem as a lack of memory issue. With a comparatively simple configuration and logging disabled memory utilization consistently stays at ~80%. ...even under a very light traffic. So if you have one of those older Fortigate/FortiWiFi boxes (revision 1 of FG-80C, FG-80CM, FWF-80CM, ...) with just 512MB of RAM - good luck with FortiOS 5.2.0! Second generation of FortiGate-80C model line has twice as more memory (thanks to rwpatterson for putting excellent hardware reference here), so it should not be an issue here.

pace · ‎06-25-2014

Hi, i can confirm that it' s not a good idea to upgrade one of the old 512 MB FortiGates! Upgraded an old FG60C from 5.0.7 to 5.2.0 five days ago and the memory utilization was soon at ~85%. If you nedd to test 5.2.0, i would recommend to change the global ips algorithm to low. This has decreased the Memory utilization to 78-80%. But i would NOT recommend to install this release on a productive 512 MB FortiGate.

emnoc · ‎06-25-2014

Unwritten IS policy #1: Never on a Friday! (unless you want to spend the better part of your weekend fixing it...)

op Just have a fall back plan. I upgrade 2 low critical devices and had problems one requiring a format, reboot, tftp upgrade. I found a slew of problems some cosmetic to service impacting. What you should do, is to look at the risk involved if something goes wrong. On one site I was pushed with having to send a spare unit out form a nearby office. The other side was in my control so it wasn' t greatly impact. I personally would wait for 1-2months unless you " just have to upgrade " and see what else is found and posted by this forum , TAC and other members. My rule of thumbs matches that of rwpatterson , but I also typically don' t upgrade into a new release until there' s a minor release for that release so a 5.2.1

PCNSE

NSE

StrongSwan

VicAndr · ‎06-26-2014

I personally would wait for 1-2months unless you " just have to upgrade " and see what else is found and posted by this forum , TAC and other members.

From personal perspective I fully agree with you. " Flip side of a coin" though is that those who do all this " dirty job" of stepping into " unknown territory" , save the rest of us from " riding through the same bumpy and dangerous road" by sharing their experiences. That' s what makes humans different from other living things. When I opened this thread I was trying to " be smart" and learn from " other members" experiences. Unfortunately there was no overwhelming number of responses to this call. So I decided to roll my own sleeves... Well, now at least I could share my own proven experience: if you have a FG/FWF unit with 512MB of memory - don' t expect it to work properly on FortiOS v5.2.0 ...unless you disable logging, device detection, AV, web-content filtering, IPS and so forth ...essentially everything except power button. And this is despite the fact that your particular model might be listed among supported in the release notes.

ghorchem · ‎06-29-2014

I would wait. because in 5.2 when you edit existing a security policy or create a new one SSL inspection will be enabled and you can' t disable it. This will cause issues for mail servers like Novell Groupwise that can' t listen on port 465 and incomming mail needs port 25 without SSL. I hope that Fortinet will put out an update to let you enable or disable SSL inspection.

ShrewLWD · ‎06-30-2014

Hey Ghorchem, Hmm, that is a weird one. I am running 5.2 on a few (non-production) boxes, and am not seeing that, either in the GUI or the CLi. I can enable and disable SSL Inspection at will. FortiWifi 60C and FortiGate 100D. Now, *BOTH* boxes were fully wiped and had 5.2 installed fresh, versus inplace upgrading. What firmware version did you go from, and what box?

FortiOS 5.2: should we wait or should we go?

Nominate a Forum Post for Knowledge Article Creation