Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
SecurityPlus
Contributor II

FortiOS 5.4.8 Is Out?

In the process of upgrading a FortiGate 60E from 5.4.6 to 5.4.7. It looks as though I need to get a special build to do this as the upgrade page of the UI says that I can not upgrade from FortiOS v5.4.7 build1167 from FortiOS v5.4.6 build6408. I presume that I need to download FortiOS v5.4.7 build6453. Is this correct?

 

While looking for the correct image to download I noticed a listing for 5.4.8.

https://support.fortinet....ad/FirmwareImages.aspx

 

Has this been released? Has anyone tried 5.4.8 yet?

2 Solutions
Baptiste

danilo.cardoso wrote:

Well.

I´m planning to upgrade my 100D to that version from the old 5.0.9.

Just taking some courage. 

Don't forget to save you config before and after each upgrade

 

You can check if some items are not correctly upgrade :

diagnose debug config-error-log read

2 FGT 100D  + FTK200

3 FGT 60E  FAZ VM  some FAP 210B/221C/223C/321C/421E

View solution in original post

2 FGT 100D + FTK200 3 FGT 60E FAZ VM some FAP 210B/221C/223C/321C/421E
ddskier

Update on IPv6 BGP Issue.   Fortinet support was able to finally repro the issue in their labs and they were able to suggest a fix for the issue.  Added the following line to config router bgp:

 

set network-import-check disable

-DDSkier FCNSA, FCNSP FortiGate 400D, (2) 200D, (12) 100D, (2) 60D

View solution in original post

-DDSkier FCNSA, FCNSP FortiGate 400D, (2) 200D, (12) 100D, (2) 60D
18 REPLIES 18
danilo_cardoso

SecurityPlus wrote:
Are you planning to follow the supported upgrade path cookbook? http://cookbook.fortinet....-upgrade-paths-fortios What features of the 100D are you using? Is this firewall under support should you encounter any problems?

 

These are the enable features on global config

 

config system global    set admin-concurrent enable    set admin-https-redirect enable    set admin-maintainer enable    set allow-traffic-redirect enable    set auth-policy-exact-match enable    set batch-cmdb enable    set csr-ca-attribute enable    set dst enable    set endpoint-control-fds-access enable    set fds-statistics enable    set gui-antivirus enable    set gui-ap-profile enable    set gui-application-control enable    set gui-certificates enable    set gui-client-reputation enable    set gui-dynamic-routing enable    set gui-endpoint-control enable    set gui-explicit-proxy enable    set gui-implicit-policy enable    set gui-ips enable    set gui-multiple-utm-profiles enable    set gui-vpn enable    set gui-vulnerability-scan enable    set gui-webfilter enable    set ipsec-hmac-offload enable    set phase1-rekey enable    set registration-notification enable    set remoteauthtimeout 5    set send-pmtu-icmp enable    set sslvpn-cipher-hardware-acceleration enable    set sslvpn-kxp-hardware-acceleration enable    set strict-dirty-session-check enable    set wireless-controller enable
SecurityPlus

It would be beneficial to review the release notes for each version that you will encounter or pass. I wonder if it would be worth taking this in stages instead of doing this in mass.
Baptiste

danilo.cardoso wrote:

Well.

I´m planning to upgrade my 100D to that version from the old 5.0.9.

Just taking some courage. 

Don't forget to save you config before and after each upgrade

 

You can check if some items are not correctly upgrade :

diagnose debug config-error-log read

2 FGT 100D  + FTK200

3 FGT 60E  FAZ VM  some FAP 210B/221C/223C/321C/421E

2 FGT 100D + FTK200 3 FGT 60E FAZ VM some FAP 210B/221C/223C/321C/421E
ddskier

FYI - I believe I have identified a bug with IPV6 BGP.   It doesn't seem to be announcing our prefix to the upstream ISP.

 

Fortinet took a look at it and recommended we roll back firmware until they can lab this out and figure out the issue.

-DDSkier FCNSA, FCNSP FortiGate 400D, (2) 200D, (12) 100D, (2) 60D

-DDSkier FCNSA, FCNSP FortiGate 400D, (2) 200D, (12) 100D, (2) 60D
ddskier
Contributor

I believe I have also identified another bug with SSLVPN using IPV6.   The LDAP audentication fails on IPv6 but works normally on IPv4.  Strange.

 

Fortinet is also researching this bug as well.

-DDSkier FCNSA, FCNSP FortiGate 400D, (2) 200D, (12) 100D, (2) 60D

-DDSkier FCNSA, FCNSP FortiGate 400D, (2) 200D, (12) 100D, (2) 60D
ddskier

Update on IPv6 BGP Issue.   Fortinet support was able to finally repro the issue in their labs and they were able to suggest a fix for the issue.  Added the following line to config router bgp:

 

set network-import-check disable

-DDSkier FCNSA, FCNSP FortiGate 400D, (2) 200D, (12) 100D, (2) 60D

-DDSkier FCNSA, FCNSP FortiGate 400D, (2) 200D, (12) 100D, (2) 60D
NeilG

ddskier wrote:

Update on IPv6 BGP Issue.   Fortinet support was able to finally repro the issue in their labs and they were able to suggest a fix for the issue.  Added the following line to config router bgp:

 

set network-import-check disable

 

 

Thanks for updating us on your resolution!

seadave

ddskier wrote:

Update on IPv6 BGP Issue.   Fortinet support was able to finally repro the issue in their labs and they were able to suggest a fix for the issue.  Added the following line to config router bgp:

 

set network-import-check disable

I'd be interested to know how many people are using IPv6.  We are so far away from that still.  Regardless that is a good bug catch and solid resolution.

ddskier

Official word from Fortinet.   Not LDAP IPv6 support until 6.0

-DDSkier FCNSA, FCNSP FortiGate 400D, (2) 200D, (12) 100D, (2) 60D

-DDSkier FCNSA, FCNSP FortiGate 400D, (2) 200D, (12) 100D, (2) 60D
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors