.
FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Quick note from first impressions on my test device:
As read in Release Notes / Changes in default behavior:
-FortiOS 6.2.0 removes any use of device enforcement from various FortiGate features.
This means that all policies and setups that are using Devices or Devices-Groups in policy will have "open" policies after upgrading to 6.2.0.
I cannot find any obvious replacemens for Device feature per now.
If anyone has more info on what Fortinet's plan on this is, I would appreciate a shoutout.. :)
Best Regards,
Runar
Very strange, they also stop Fortigate telemetry functionality from Fortigate and removed the feature. Are they crazy? (sorry for the wording). Should we really install EMS (including necessary Windows license) just for compliance enforcement? And the paid telemetry license and maintenance fees are for nothing? https://docs.fortinet.com...oint-telemetry-license
Agreed. At some point the FortiFabric becomes FortiExpensive! I say that as a very loyal customer, but we all have our limits. I'd still put their price point and solutions up against anyone else. All of the Cisco vulns coming out lately have made me happy I didn't swallow that pill long ago.
I agree that the removal of device identification will be painful for smaller shops trying to use it as a basic NAC. I use it that way at home and it works great. Very useful in these instances. For those of us with a routed core environment that didn't consist of FortiSwitches it was useless. So at the very least they should have kept it available as an on/off feature.
That complaint aside, there are some pretty amazing new features in 6.2:
http://video.fortinet.com/latest/workspace-mode-for-fortios-config
The external block lists and multiple DNS domains are great, as is the log consistency and some TLS 1.3 inspection.
But like so many have said before, cool your jets a bit before upgrading, unless you have a very small shop and need to use some of the automation hooks for example. If you have other products such as FAZ/FAC/EMS/FWF, make sure those are compatible first and follow the upgrade path documents.
Wait a few releases for the features to bake in and then follow the upgrade good practice of backing up your config before the upgrade while keeping a copy of your current firmware on a USB so you can restore both if 6.2 breaks something critical and you need to revert. It still amazes me how many folks throw caution to the wind when upgrading firmware.
Also have a customer that has been selecting FortiSwitch over competitors with Device Identification as main differentiator in the last few weeks. Could do without having to tell them that feature has disappeared... And FortiNAC is a NAC it provides other functionalities but doesn't allow to replace device specific policies. For example SSL interception for everything but have few policies above for ios devices for specific authorised apps that refuse to import CA. We would have to bypass SSL for the whole website now irrelevant of devices. FortiNAT can't solve that type of use.
SEI wrote:It is painful for bigger shops who use it as a basic NAC. We use it in large environments and it works great. Very useful in all these instances. For those of us who use the FortiGate(s) as the routed core that consist also of Third Party Switches.
We use FGT1200D active-active Cluster with 3 branch offices connected/secured by FGT500E active-active Cluster and single FGT500E.
This allows to protect VLANs with NGFW features and security ... and device identification is extremely useful for BYOD (…) and much more as it adds another needed layer of security (e.g. WLAN) not to mention IoT.
At the end of the day it is all about continuity. In bigger environments you have to plan the use of features carefully as processes, workflow a.s.o. are involved (in IT and Business) on a long term basis.
Our clients have been carefully listening to Fortinet as they say "we have answers to the today challenges" … should I go back to my clients and say (yes, but for production wait a year or so until the (unknown) features to bake in or wait if we see the existing features will "stay" … forget about todays security challenges we will address them in a future release that is mature enough to do what it currently does)
In addition, now, that our WAN "Design" finally could improve with great features (improved, production ready) called "Security Fabric" and "SD-WAN" (Started testing it with the purchase of a FAZ with availability of Release 5.6.3) we still can not make use of these as several "unexpected behaviors" in all following releases up to 6.0.4 makes us stay with 5.6.3 on the FGT1200D Cluster.
It would be fair if Fortinet and it's Marketing communicates the truth: Today's Releases are showcases to be used in a year or so and only by then we can face today's challenges on a mature trusted FireWall
I have emailed my account manager at Fortinet to voice concern about the removal of custom devices and groups. I suggest anyone else with concerns does the same; as a forum post, however long, is not likely to affect any real change.
Quick note from first impressions on my test device:
As read in Release Notes / Changes in default behavior:
-FortiOS 6.2.0 removes any use of device enforcement from various FortiGate features.
This means that all policies and setups that are using Devices or Devices-Groups in policy will have "open" policies after upgrading to 6.2.0.
I cannot find any obvious replacemens for Device feature per now.
If anyone has more info on what Fortinet's plan on this is, I would appreciate a shoutout.. :)
Best Regards,
Runar
Indeed, not clear warning (beside small note in default behaviour). Likely to caught lots of customers (I'm using devices for IoT devices, but also to disable SSL inspection for specific applications on iOS that refuse custom CA). There is no documentation or recommendation on best approach to replace this. It's very very disappointing to say the least. Hopefully the feature will be back or credible alternative provided. Until then I can't really see any practical way to solve the issue. The only way I can imagine is to reserve MAC in DHCP in specific range for specific device but: - Would run out of address quickly - Impractical for BYOB scenario or large estate of iOS devices Can't think of a good reason to suppress the feature. Upgrade shouldn't be about deprecate feature without clear notice.
Really three steps backward for IoT management.
Cls wrote:Quick note from first impressions on my test device:
As read in Release Notes / Changes in default behavior:
-FortiOS 6.2.0 removes any use of device enforcement from various FortiGate features.
This means that all policies and setups that are using Devices or Devices-Groups in policy will have "open" policies after upgrading to 6.2.0.
I cannot find any obvious replacemens for Device feature per now.
If anyone has more info on what Fortinet's plan on this is, I would appreciate a shoutout.. :)
Best Regards,
Runar
Very strange, they also stop Fortigate telemetry functionality from Fortigate and removed the feature. Are they crazy? (sorry for the wording). Should we really install EMS (including necessary Windows license) just for compliance enforcement? And the paid telemetry license and maintenance fees are for nothing? https://docs.fortinet.com...oint-telemetry-license
Shame about the device management being removed, was really a cool feature.
On the flip side the new SD-WAN SLAs are great, and the new 'Undo' feature when you change a policy in the GUI is awesome too.
The release notes do not list 60D as supported, is this correct?
Yes it is correct, the 60D is not supported in 6.2 and later.
NSE 4/5/7
How does that work when the 60D is supported until 2023, but 6.0 is only supported to 2022?
I am very disappointed that the 60D is not supported with 6.2 - and it seems to be implied that the 60D won't go beyond 6.0.x versions.
For small (real small like under 25 users) the Fortigate WAS a great solution because it would do everything - but now not only has the licensing cost for a 60D jumped, but the features keep getting pulled out and requiring a dedicated "server".
With the accelerating speed that features are moving from Fortigate to FortiXXXXX I can't even calculate value or ROI for upgrading Fortigate hardware for these small clients.
Please check the Product Lifecycle Page:
https://support.fortinet.com/Information/ProductLifeCycle.aspx
You will find several statements with a list of devices which arent supported by the latest releases.
These devices get extended access to Customer Services until these devices are EOL.
NSE 4/5/7
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1517 | |
1013 | |
749 | |
443 | |
209 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.