.
FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Quick note from first impressions on my test device:
As read in Release Notes / Changes in default behavior:
-FortiOS 6.2.0 removes any use of device enforcement from various FortiGate features.
This means that all policies and setups that are using Devices or Devices-Groups in policy will have "open" policies after upgrading to 6.2.0.
I cannot find any obvious replacemens for Device feature per now.
If anyone has more info on what Fortinet's plan on this is, I would appreciate a shoutout.. :)
Best Regards,
Runar
Very strange, they also stop Fortigate telemetry functionality from Fortigate and removed the feature. Are they crazy? (sorry for the wording). Should we really install EMS (including necessary Windows license) just for compliance enforcement? And the paid telemetry license and maintenance fees are for nothing? https://docs.fortinet.com...oint-telemetry-license
Agreed. At some point the FortiFabric becomes FortiExpensive! I say that as a very loyal customer, but we all have our limits. I'd still put their price point and solutions up against anyone else. All of the Cisco vulns coming out lately have made me happy I didn't swallow that pill long ago.
I agree that the removal of device identification will be painful for smaller shops trying to use it as a basic NAC. I use it that way at home and it works great. Very useful in these instances. For those of us with a routed core environment that didn't consist of FortiSwitches it was useless. So at the very least they should have kept it available as an on/off feature.
That complaint aside, there are some pretty amazing new features in 6.2:
http://video.fortinet.com/latest/workspace-mode-for-fortios-config
The external block lists and multiple DNS domains are great, as is the log consistency and some TLS 1.3 inspection.
But like so many have said before, cool your jets a bit before upgrading, unless you have a very small shop and need to use some of the automation hooks for example. If you have other products such as FAZ/FAC/EMS/FWF, make sure those are compatible first and follow the upgrade path documents.
Wait a few releases for the features to bake in and then follow the upgrade good practice of backing up your config before the upgrade while keeping a copy of your current firmware on a USB so you can restore both if 6.2 breaks something critical and you need to revert. It still amazes me how many folks throw caution to the wind when upgrading firmware.
Also have a customer that has been selecting FortiSwitch over competitors with Device Identification as main differentiator in the last few weeks. Could do without having to tell them that feature has disappeared... And FortiNAC is a NAC it provides other functionalities but doesn't allow to replace device specific policies. For example SSL interception for everything but have few policies above for ios devices for specific authorised apps that refuse to import CA. We would have to bypass SSL for the whole website now irrelevant of devices. FortiNAT can't solve that type of use.
SEI wrote:It is painful for bigger shops who use it as a basic NAC. We use it in large environments and it works great. Very useful in all these instances. For those of us who use the FortiGate(s) as the routed core that consist also of Third Party Switches.
We use FGT1200D active-active Cluster with 3 branch offices connected/secured by FGT500E active-active Cluster and single FGT500E.
This allows to protect VLANs with NGFW features and security ... and device identification is extremely useful for BYOD (…) and much more as it adds another needed layer of security (e.g. WLAN) not to mention IoT.
At the end of the day it is all about continuity. In bigger environments you have to plan the use of features carefully as processes, workflow a.s.o. are involved (in IT and Business) on a long term basis.
Our clients have been carefully listening to Fortinet as they say "we have answers to the today challenges" … should I go back to my clients and say (yes, but for production wait a year or so until the (unknown) features to bake in or wait if we see the existing features will "stay" … forget about todays security challenges we will address them in a future release that is mature enough to do what it currently does)
In addition, now, that our WAN "Design" finally could improve with great features (improved, production ready) called "Security Fabric" and "SD-WAN" (Started testing it with the purchase of a FAZ with availability of Release 5.6.3) we still can not make use of these as several "unexpected behaviors" in all following releases up to 6.0.4 makes us stay with 5.6.3 on the FGT1200D Cluster.
It would be fair if Fortinet and it's Marketing communicates the truth: Today's Releases are showcases to be used in a year or so and only by then we can face today's challenges on a mature trusted FireWall
I have emailed my account manager at Fortinet to voice concern about the removal of custom devices and groups. I suggest anyone else with concerns does the same; as a forum post, however long, is not likely to affect any real change.
Put it in front to make below more conversation piece rather than "debate" or "proving a point":
We all agree that Fortinet need to do something with firmware releases, customer feedback and product lines to make it consistent and customer friendly. I like Fortinet a lot - it fits my way of logic, but I made my decision to look around before upgrades and see what is what. And this is only due to customer support and lack of strategy going forward (a lot of good idea but at the cost to the customer). Now to the conversation.
"I disagree. I've been watching this forum for over 10 years, using Fortinet products for nearly 15. There have been hundreds of posts that indicate people applied an update for whatever reason without having read the release notes or having a backup, only to become surprised or frustrated that something "broke" as a result. "
Lost the faith in administrators here . Maybe I need to readjust my expectations.
"Code (whether software or firmware) running on a device with a processor by definition is an application. "
Not going to debate semantics - I consider firmware - well a firmware - OS with apps on top. Code has bug is expected - we are humans. What I'm completely and utterly against of is treating firmware (application or OS or firmware or) as a milking cash cow. When I buy product with all the features and licenses and then when upgrade to fix the issues to find out that I need to buy another products or licenses for the features which were available to me before the upgrade. This goes against anything I've experienced on the market with other security vendors.
"But in most cases, nothing is forcing one to update. We still run a variant of 5.6.X in production because it has proven to be stable for our situation and is providing the features that we need."
Bug fixes - that is the reason for upgrade for me. New features are cool but I don't use them (they are new ), so non essential. 6.0.X (not sure if 5.6 same) has a cool bug for RA VPN where print instructions for users (should contain password) but they don't, so now you stuck with not knowing password. Non essential as I can decrypt the passwords, but annoying. And there are few BUG fixed for HA which I wanted to apply (recently learned about conserve mode). What I don't expect - is removing security features and making firewall open as a result. If you don't pay attention or do not have multiple rules - you will open your network to ALL traffic as policies containing Device ID will become widely open. This is not OK for me as this is a security device. Disable them, force to review - don't open up holes.
I like Fortinet, but.... and a lot of us will fill up dots with similar reasons, but there is a lot of buts for me.
josh wrote:
I too have had some strange things going on with wifi devices.
I have been running 6.2 for 4-5 months, and its been an issue most of the time.
I through the GA release fixed it, but then i notices yesterday that the device profiles were gone and i was using an any rule :(
Since digging through and fixing that, the wifi issues are back. Things just dont load. There is something up with the UTM features killing stuff out.
There has also been an SSL bug blocking out loading of some pages with deep inspection enabled.
"Majority of the administrators install firmware updates for the bug fixes and not "super cool facebook thumbs up feature"."
I disagree. I've been watching this forum for over 10 years, using Fortinet products for nearly 15. There have been hundreds of posts that indicate people applied an update for whatever reason without having read the release notes or having a backup, only to become surprised or frustrated that something "broke" as a result. In defense of some of these situations, back in the day Fortinet was way less reliable about detailing "Known Issues" which made it much harder to anticipate such things. Remember, older firmware did not force one to make a backup first.
"In the end it is security device not an application"
Code (whether software or firmware) running on a device with a processor by definition is an application. Be it a firewall or a thermostat. Some are programmed better than others and anyone who lived through 5.0.X knows that applies to different firmware versions also. Code has bugs, that is the way of the world. Now if you were to make an argument that at times, Fortinet releases firmware with known issues that have no business being released and should be resolved beforehand, I will definitely agree with that.
"Instead Fortinet treats firmware updates as a showcase of features rather than what it is - firmware updates/bug fixes"
Fortinet does not put enough emphasis on "This is for testing only and should NOT be used in production yet" for new releases. You can look to Juniper for an extreme opposite of this approach where they have JTAC recommended releases and X versions of the firmware that is focused more on stability/fixes instead of shiny new objects. The above critique I think rings true when you look at 6.0.X is only at .4 release and now 6.2.0 is out. But in most cases, nothing is forcing one to update. We still run a variant of 5.6.X in production because it has proven to be stable for our situation and is providing the features that we need. We are installing new 501Es soon and will evaluate 6.0.3/4 to see if we can expect the same. I realize that this type of testing can be hard if you are working in a very small shop with a single device, but that is why you backup configs and keep current firmware copies handy. You should almost assume you might need to revert when doing a .X update less than .5
The Fortinet model from at least 4.3.X has been that the X.X.0 release introduces the adds and removes from a feature standpoint, followed by incremental .X updates that fix what is found to be broken.
I credit Fortinet as a major reason for keeping my network exploit free for the last 10 years. They are not perfect, but I feel compared to other vendors they in the end provide more features for the money. That has been my experience, I understand that may not be the case for others.
Andrej K wrote:Majority of the administrators install firmware updates for the bug fixes and not "super cool facebook thumbs up feature".
Be that as it may, a X.Y.0 release (i.e. v6.2.0) is clearly one that is at least as focused on new features as it is on bug fixes.
With the current version on 6.0.4, and the recent history of Fortinet releases, it should not be expected that 6.2.0 is purely a bug fix release for 6.0.4.
Hopefully, this feature loss issue is a bug and not an intended feature removal, but it does beg the question of why they felt it ready to release with that size bug in effect.
Anyway, while I like the possibilities presented by some of the features in 6.2.0, I'll be waiting for a few patch releases before I even test it. I learned my lesson with 5.4.0, 5.4.1 and 5.6.0. I can wait for others who have more testing time/appetite.
I have emailed my account manager at Fortinet to voice concern about the removal of custom devices and groups. I suggest anyone else with concerns does the same; as a forum post, however long, is not likely to affect any real change.
Same here.
James_G wrote:I have emailed my account manager at Fortinet to voice concern about the removal of custom devices and groups. I suggest anyone else with concerns does the same; as a forum post, however long, is not likely to affect any real change.
SEI wrote:It would be fair if Fortinet and it's Marketing communicates the truth: Today's Releases are showcases to be used in a year or so and only by then we can face today's challenges on a mature trusted FireWall
This has always been true of new FortiOS major releases, customers do the QA.
FortiOS major releases are really lab versions for a good year or so due to poor software QA/quality control and most of their fabric helper products like FAZ/FMG are a solid 6-8 months behind in software updates to work with the latest FortiOS major code releases.
I'm guessing they are going to drive folks towards FortiNAC for such things as it relates to device IDs.
https://www.fortinet.com/products/network-access-control.html
FortiNAC is not exactly cheap. And if you want to use their FortiNAC appliances instead of VMs it costs way more than the firewalls, at least for my application. I really hope there is some other device ID solution. In combination with the new EMS requirements for FortiClient compliance enforcement this is looking problematic at best.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1705 | |
1093 | |
752 | |
446 | |
230 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.