Moved the chat about my VPN download question to: https://forum.fortinet.com/FindPost/114051

FortiOS 5.2 has done quite well in my own testing

Have similar experience here. It is not perfect but generally FortiOS 5.2.0 works pretty stable and does what it is supposed to do. It has 2 major flaws though: one is hardware-related and another one - software-related. HARDWARE-related As we all noticed, FortiOS is steadily becoming more and more resource-consuming with every new FortiOS release; and memory is hit especially hard. We do understand why it is happening: FortiOS is getting more and more features; it is processing more and more data in real time; and it is becoming a lot more capable, flexible and intelligent. So nothing they could do about increased demand on resources (especially memory). The problem is though that there is still a lot of FortiGate/FortiWiFi units on the field with a mere 512MB RAM (FG/FW-20C, FG/FW-40C, earlier hardware versions of FG/FW-60C and FG/FW-80C). Many of those units are not even listed on Fortinet Product Life Cycle page ; and if they are - they still have a long time to go before reaching End-Of-Support milestone. So they all claimed to be " supported" on FortiOS 5.2. What happens after upgrading such a unit to v5.2 is - having a memory shortage on the system, unacceptably often FortiOS locks itself into the " conserve mode" as a self protection measure. While working in the " conserve more" a FG/FW unit has a " handicapped" performance; you can' t even adjust a unit' s configuration - as no adjustments are allowed in this mode. I am pretty sure that Fortinet' s Engineering was well aware about the " memory issue" . That is why they quietly introduced memory-upgraded hardware versions of FG/FW 60C and 80C (thanks to rwpatterson post). So we have a very interesting situation now. On one hand - it is unrealistic to expect that future builds/releases of FortiOS would require less amount of memory to operate efficiently. On the other hand - what to do with poor folks who own those memory-deficient FG/FW units? The Car Industry would make a recall, fixed the problem and returned products to their happy owners. IMHO although it is a costly undertaking, strategically Fortinet would benefit from similar approach in a long run. I wasn' t sure if Fortinet even contemplating such a recall. So I opened a ticket (it is good to have all your Fortinet equipment under support contracts ), argued the case, and managed to replace all our memory-deficient units (three FG/FW-80C(M) boxes) with RAM-upgrade hardware revisions. So if you don' t ask - you don' t get . SOFTWARE-related While v5.2 itself works pretty stable (according to my experience - it is not any worse than v5.0.7), " the devil is" in the upgrade scripts built into this particular build of FortiOS (the ones which transform firewall' s configuration from previous FortiOS version in the process of " in-place" upgrade). Not sure - if they assigned a junior programmer to compile those scripts, but they are written quite poorly and do not accommodate all possible configuration scenarios. As a result of an upgrade - it either misses some parts of pre-existing configuration or totally corrupts it, making the whole unit unusable. We have 25% success rate upgrading boxes from v5.0.7 to v5.2.0. So far we have upgraded 4 FG/FW units to v5.2 and only one of them was upgraded without noticeable issues. One unit fell into endless reboot cycle and other two - lost pre-existing WiFi networks without easy straight-forward way to re-instate those SSIDs. All lost SSIDs happened to be Captive Portal ones with customized messages. I was lucky enough as the configuration of the unit which fell into reboot loop was comparatively simple - it was rather easy to rebuild it from scratch. Unfortunately it is not always the case. Our main FG appliance installed in the head office, for example, has a pretty complex configuration: multiple policies, virtual IPs, dual-internet connections, miltiple VPN channels, complex routing, several SSIDs and so forth - it would be a nightmare to re-build its configuration from bottom-up. In the circumstances we can NOT rely on upgrade scripts which are built into this build of FortiOS. Much more reliable way to get a FG/FW box on v.5.2.0 is: formatting flash, uploading FortiOS through TFTP and then build the whole configuration from bottom up. Fortunately Fortinet do not need to do recall in this case - just make sure to do the job right.

Vic you mention the memory upgrades in some units. There was a similar situation with Cisco ASA' s when moving to 8.3 code. However, you could manually upgrade the memory in the unit to the new higher requirements. Curious if this is also possible w/ the Fortigate' s.

Vic you mention the memory upgrades in some units. There was a similar situation with Cisco ASA' s when moving to 8.3 code. However, you could manually upgrade the memory in the unit to the new higher requirements. Curious if this is also possible w/ the Fortigate' s.

That' s actually a very interesting question which opens the whole new discussion. Extended hardware warranty is a valuable part of FortiCare/FortiGuard subscription bundle. Although generally FortiGate/FortiWiFi boxes proved to be pretty reliable, they do fail: I had to exercise our hardware exchange right few times during 10 years of my working experience with Fortinet products. FG/FW units could easily be opened BUT while doing so you would break a seal that states " Warranty void if seal is broken" . So if you want to maintain hardware warranty you would not open a FG/FW unit. Our FG/FW units currently in service are all covered by support subscriptions, so I couldn' t have opened them for obvious reasons. I opened few old ones though which are no longer in service. I found that most of them (although not all! I.e on FG-60 memory is soldered - it is not removable) use standard removable memory modules - the same one which are used in regular PCs (not sure about high-end FG/FW models but on lower ones - they are Non-ECC, Unbuffered). So technically - memory is easily upgradeable, ...if you don' t have (or don' t care about) hardware warranty. Nor sure though if any memory restrictions are in force on FortiOS BIOS level. It would be interesting to know if anyone successfully upgraded memory on a FG/FW unit. Perhaps we should open a new thread re. the subject.

I wish it was a little more polished. Disappointing really because I am a big fan of what they are trying to do with it. It butchered wireless on my 60D though.

Could you tell me a bit more? I have to upgrade to 5.2.X on a remote 60D-Cluster, and i have a couple of FortiAPs running there.

I have to upgrade to 5.2.X on a remote 60D-Cluster, and i have a couple of FortiAPs running there.

I have upgraded a number of FG/FW units (including one FW-60D) with various types of SSIDs from 5.0.X to 5.2.0. In my experience (maybe experiences of others are different) - WPA/WPA2-Personal and WPA/WPA-2 Enterprise SSIDs are upgraded to v5.2.0 just fine but Captive portal ones ALWAYS get corrupted during the upgrade. I am not exactly sure why it was happening - whether it is due to our portal customizations or something else - Fortinet would be in a better position to answer this question. But after you remove a corrupted SSID and re-create it with the very same configuration on v5.2.0 - it works just fine. The problem though is that removing a corrupted SSID is not always a straight-forward process. You can' t do it from GUI since a corrupted SSID simply disappears from the list of configured Wireless Networks in WiFi Controller section of the GUI. So you need to do it from CLI removing all the dependencies first and then removing the SSID itself. And even with the CLI you can' t always do that. So your last resort to remove remains of corrupted SSID is - saving firewall' s configuration to a file - manually editing this configuration to clean it up off the failed SSID - and uploading it back to the firewall. So if you want to preserve a Wireless Network during the upgrade from v5.0.X to v5.2.0, the safest way to do so would be - removing it from the configuration right before the upgrade - performing the upgrade itself - and then re-create it back on v5.2.0. If you have a limited time-frame to perform a firewall upgrade - you may pre-compile " SSID_remove" and " SSID_create" scripts and apply them before and after upgrade accordingly. There is bigger issue to watch for while upgrading to v5.2.0 though. Whether you have a Wireless Network on your unit or not - sometimes a hardware-healthy FG falls into endless reboot loop when you apply v5.2.0 firmware. Again - I do not know why it happens, but it have happened to me once, as well as other people in the forums reported the same experience. The only solution available to you in this case: formatting flash -> uploading a firmware and either -> uploading an available configuration backup for that particular FortiOS version -> or rebuilding it from scratch.