Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Carl_Wallmark
Valued Contributor

FortiOS 6.2.0 is out!

.

FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C

FCNSA, FCNSP---FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30BFortiAnalyzer 100B, 100CFortiMail 100,100CFortiManager VMFortiAuthenticator VMFortiTokenFortiAP 220B/221B, 11C
6 Solutions
Cls
New Contributor

Quick note from first impressions on my test device:

As read in Release Notes / Changes in default behavior:

-FortiOS 6.2.0 removes any use of device enforcement from various FortiGate features.

 

This means that all policies and setups that are using Devices or Devices-Groups in policy will have "open" policies after upgrading to 6.2.0.

I cannot find any obvious replacemens for Device feature per now.

 

If anyone has more info on what Fortinet's plan on this is, I would appreciate a shoutout.. :)

 

 

Best Regards,

Runar

View solution in original post

ThomasK
New Contributor II

Very strange, they also stop Fortigate telemetry functionality from Fortigate and removed the feature. Are they crazy? (sorry for the wording). Should we really install EMS (including necessary Windows license) just for compliance enforcement? And the paid telemetry license and maintenance fees are for nothing? https://docs.fortinet.com...oint-telemetry-license

View solution in original post

seadave
Contributor III

Agreed.  At some point the FortiFabric becomes FortiExpensive!  I say that as a very loyal customer, but we all have our limits.  I'd still put their price point and solutions up against anyone else.  All of the Cisco vulns coming out lately have made me happy I didn't swallow that pill long ago.

View solution in original post

seadave

I agree that the removal of device identification will be painful for smaller shops trying to use it as a basic NAC.  I use it that way at home and it works great.  Very useful in these instances.  For those of us with a routed core environment that didn't consist of FortiSwitches it was useless.  So at the very least they should have kept it available as an on/off feature.

 

That complaint aside, there are some pretty amazing new features in 6.2:

 

http://video.fortinet.com/latest/workspace-mode-for-fortios-config

 

The external block lists and multiple DNS domains are great, as is the log consistency and some TLS 1.3 inspection.

 

But like so many have said before, cool your jets a bit before upgrading, unless you have a very small shop and need to use some of the automation hooks for example.  If you have other products such as FAZ/FAC/EMS/FWF, make sure those are compatible first and follow the upgrade path documents.

 

Wait a few releases for the features to bake in and then follow the upgrade good practice of backing up your config before the upgrade while keeping a copy of your current firmware on a USB so you can restore both if 6.2 breaks something critical and you need to revert.  It still amazes me how many folks throw caution to the wind when upgrading firmware.

View solution in original post

SMabille

Also have a customer that has been selecting FortiSwitch over competitors with Device Identification as main differentiator in the last few weeks. Could do without having to tell them that feature has disappeared...  And FortiNAC is a NAC it provides other functionalities but doesn't allow to replace device specific policies. For example SSL interception for everything but have few policies above for ios devices for specific authorised apps that refuse to import CA. We would have to bypass SSL for the whole website now irrelevant of devices. FortiNAT can't solve that type of use.

 

SEI wrote:

It is painful  for bigger shops who use it as a basic NAC.  We use it in large environments and it works great. Very useful in all these instances.  For those of us who use the FortiGate(s) as the routed core that consist also of Third Party Switches.

 

We use FGT1200D active-active Cluster with 3 branch offices connected/secured by FGT500E active-active Cluster and single FGT500E.

This allows to protect VLANs with NGFW features and security ... and device identification is extremely useful for BYOD (…) and much more as it adds another needed layer of security (e.g. WLAN) not to mention IoT.

 

At the end of the day it is all about continuity. In bigger environments you have to plan the use of features carefully as processes, workflow a.s.o. are involved (in IT and Business) on a long term basis.

 

Our clients have been carefully listening to Fortinet as they say "we have answers to the today challenges"  … should I go back to my clients and say (yes, but for production wait a year or so until the (unknown) features to bake in or wait if we see the existing features will "stay"  … forget about todays security challenges we will address them in a future release that is mature enough to do what it currently does)

 

In addition, now, that our WAN "Design" finally could improve with great features (improved, production ready) called "Security Fabric" and "SD-WAN" (Started testing it with the purchase of a FAZ with availability of Release 5.6.3) we still can not make use of these as several "unexpected behaviors" in all following releases up to 6.0.4 makes us stay with 5.6.3 on the FGT1200D Cluster.

 

It would be fair if Fortinet and it's Marketing communicates the truth: Today's Releases are showcases to be used in a year or so and only by then we can face today's challenges on a mature trusted FireWall

 

 

View solution in original post

James_G

I have emailed my account manager at Fortinet to voice concern about the removal of custom devices and groups. I suggest anyone else with concerns does the same; as a forum post, however long, is not likely to affect any real change.

View solution in original post

58 REPLIES 58
seadave

I agree that the removal of device identification will be painful for smaller shops trying to use it as a basic NAC.  I use it that way at home and it works great.  Very useful in these instances.  For those of us with a routed core environment that didn't consist of FortiSwitches it was useless.  So at the very least they should have kept it available as an on/off feature.

 

That complaint aside, there are some pretty amazing new features in 6.2:

 

http://video.fortinet.com/latest/workspace-mode-for-fortios-config

 

The external block lists and multiple DNS domains are great, as is the log consistency and some TLS 1.3 inspection.

 

But like so many have said before, cool your jets a bit before upgrading, unless you have a very small shop and need to use some of the automation hooks for example.  If you have other products such as FAZ/FAC/EMS/FWF, make sure those are compatible first and follow the upgrade path documents.

 

Wait a few releases for the features to bake in and then follow the upgrade good practice of backing up your config before the upgrade while keeping a copy of your current firmware on a USB so you can restore both if 6.2 breaks something critical and you need to revert.  It still amazes me how many folks throw caution to the wind when upgrading firmware.

SEI
New Contributor II

It is painful  for bigger shops who use it as a basic NAC.  We use it in large environments and it works great. Very useful in all these instances.  For those of us who use the FortiGate(s) as the routed core that consist also of Third Party Switches.

 

We use FGT1200D active-active Cluster with 3 branch offices connected/secured by FGT500E active-active Cluster and single FGT500E.

This allows to protect VLANs with NGFW features and security ... and device identification is extremely useful for BYOD (…) and much more as it adds another needed layer of security (e.g. WLAN) not to mention IoT.

 

At the end of the day it is all about continuity. In bigger environments you have to plan the use of features carefully as processes, workflow a.s.o. are involved (in IT and Business) on a long term basis.

 

Our clients have been carefully listening to Fortinet as they say "we have answers to the today challenges"  … should I go back to my clients and say (yes, but for production wait a year or so until the (unknown) features to bake in or wait if we see the existing features will "stay"  … forget about todays security challenges we will address them in a future release that is mature enough to do what it currently does)

 

In addition, now, that our WAN "Design" finally could improve with great features (improved, production ready) called "Security Fabric" and "SD-WAN" (Started testing it with the purchase of a FAZ with availability of Release 5.6.3) we still can not make use of these as several "unexpected behaviors" in all following releases up to 6.0.4 makes us stay with 5.6.3 on the FGT1200D Cluster.

 

It would be fair if Fortinet and it's Marketing communicates the truth: Today's Releases are showcases to be used in a year or so and only by then we can face today's challenges on a mature trusted FireWall

 

-------------------------------------------------------------------------------------------

 UPDATE (5. April 2019)

Response to my Ticket from Fortinet support regarding

-> Use of device enforcement from various FortiGate features removed in this release:

 "... this is also part of the known bug in FortiOS 6.2 and will be addressed in a future release"

-> They refer to BugID 532309: Custom device page keep loading and cannot create device group

 

 

SMabille

Also have a customer that has been selecting FortiSwitch over competitors with Device Identification as main differentiator in the last few weeks. Could do without having to tell them that feature has disappeared...  And FortiNAC is a NAC it provides other functionalities but doesn't allow to replace device specific policies. For example SSL interception for everything but have few policies above for ios devices for specific authorised apps that refuse to import CA. We would have to bypass SSL for the whole website now irrelevant of devices. FortiNAT can't solve that type of use.

 

SEI wrote:

It is painful  for bigger shops who use it as a basic NAC.  We use it in large environments and it works great. Very useful in all these instances.  For those of us who use the FortiGate(s) as the routed core that consist also of Third Party Switches.

 

We use FGT1200D active-active Cluster with 3 branch offices connected/secured by FGT500E active-active Cluster and single FGT500E.

This allows to protect VLANs with NGFW features and security ... and device identification is extremely useful for BYOD (…) and much more as it adds another needed layer of security (e.g. WLAN) not to mention IoT.

 

At the end of the day it is all about continuity. In bigger environments you have to plan the use of features carefully as processes, workflow a.s.o. are involved (in IT and Business) on a long term basis.

 

Our clients have been carefully listening to Fortinet as they say "we have answers to the today challenges"  … should I go back to my clients and say (yes, but for production wait a year or so until the (unknown) features to bake in or wait if we see the existing features will "stay"  … forget about todays security challenges we will address them in a future release that is mature enough to do what it currently does)

 

In addition, now, that our WAN "Design" finally could improve with great features (improved, production ready) called "Security Fabric" and "SD-WAN" (Started testing it with the purchase of a FAZ with availability of Release 5.6.3) we still can not make use of these as several "unexpected behaviors" in all following releases up to 6.0.4 makes us stay with 5.6.3 on the FGT1200D Cluster.

 

It would be fair if Fortinet and it's Marketing communicates the truth: Today's Releases are showcases to be used in a year or so and only by then we can face today's challenges on a mature trusted FireWall

 

 

seadave

Good points about device ID.  They have marketed it as a differentiator so removing it is odd.

mboback

Does anyone have any info on the SAML SSO feature I see added under User/Device > SAML SSO ?

I see some configuration for defining a Service Provider and plugging in some IdP settings as well, but it's unclear to me how exactly this configuration can be leveraged by the Fortigate from a functionality perspective - is it strictly for signing in to the Fortigate as an admin with SSO to an IdP? Can't find any documentation on this yet.

Andrej_K

With SAML and SSO I would say it would be similar to 

https://cookbook.fortinet.com/saml-fsso-fortiauthenticator-okta-56/

or

https://cookbook.fortinet.com/saml-fsso-fortiauthenticator-google-60/

 

I'm also amazed on the comments like this "It still amazes me how many folks throw caution to the wind when upgrading firmware." together with "there are some pretty amazing new features in 6.2:"

Are this new features there to stay? Should Fortinet just ignore quality control of firmware? The answer is NO for both of them. 

 

Majority of the administrators install firmware updates for the bug fixes and not "super cool facebook thumbs up feature". In the end it is security device not an application. Instead Fortinet treats firmware updates as a showcase of features rather than what it is - firmware updates/bug fixes. In typical development cycle you have beta testers (who want to try new features) and regular users - who wants continuity and stability. Separate them in clear manner - keep it simple.

 

Why remove security feature without providing alternative?

 

Same mess across all of the integrated product EMS (no idea how to call it) lack of basic features which typical antivirus solution have for decades. 

Sandbox - easy detectable by any anti debugging tool or even powershell script, lack of integration - verdict useless.

Fortimail - "good bye".

Fortigate - constantly removing features, to sell licenses (push towards EMS when not ready/ compliance license/ etc)

 

We as a business need reliable product. We as a business need predictability and planning ahead. Due to recent events - PoC with other vendors prior licence renewal is my way forward to address business needs.

 

 

josh
New Contributor

Upgraded my 60E and 30E fabric at home and all went well, though I am having some rather weird issues with certain applications no longer being able to connect/timing out, etc.

 

I am getting devices connecting to WiFi however they're complaining they don't have an Internet connection (e.g. the DNS probes or whatever they use to check liveliness during connection is failing), however they eventually recover. I thought disabling all UTM on v4 and v6 policies helped, but it doesn't appear completely resolved. Still getting random timeouts/failures here and there.

 

Only seems evident since the upgrade, though I haven't had enough willpower/time to look at why -- it's not impossible that it could be coincidence, but has anyone experienced similar?

 

I'd downgrade to 6.0.4 to see if that fixes it, however the 30E is remote to me and, as per the release notes, this happens:

-----------------------------------------------------------------------------------------------------------

Downgrading to previous firmware versions

Downgrading to previous firmware versions results in configuration loss on all models. Only the following settings are retained:

[ul]operation modeinterface IP/management IPstatic route tableDNS settingsadmin user accountsession helperssystem access profiles[/ul]

-----------------------------------------------------------------------------------------------------------

Andrej_K
New Contributor

Remote downgrading is 50/50 coin flip. In theory should work in practice - well..

The only thing I suggest during downgrade is - downgrade it to previous firmware version and then restore full config backup from previous backup version of the config (config from the version you just downgraded to). I.E downgrade from 6.2.0 to 6.0.4 then restore backup config you took running 6.0.4 version (should be written on top of the config file if you open it)

 

In regards of the not being able to access to the internet this could be one of the following "features" based on my experience (and I use the word features here in sarcastic way)

1) You used Device ID to limit internet access to servers or in any other policies which would be above your permit policy. Because device ID is removed now you matching a different policy which might not have service permitted. 

2) If you have forticlient installed on the machines, if Forticlient can't access to the Internet for classification it will use default behavior to block UNKNOWN categories. Which would include WiFi portals. This is a know "feature" that Forticlient version 6 and above do not work on the guest/wifi/signon networks which does not permit 8000/8888 or DNS via 53 ports

seadave
Contributor III

josh wrote:

Upgraded my 60E and 30E fabric at home and all went well, though I am having some rather weird issues with certain applications no longer being able to connect/timing out, etc.

 

I am getting devices connecting to WiFi however they're complaining they don't have an Internet connection (e.g. the DNS probes or whatever they use to check liveliness during connection is failing), however they eventually recover. I thought disabling all UTM on v4 and v6 policies helped, but it doesn't appear completely resolved. Still getting random timeouts/failures here and there.

 

Only seems evident since the upgrade, though I haven't had enough willpower/time to look at why -- it's not impossible that it could be coincidence, but has anyone experienced similar?

 

I'd downgrade to 6.0.4 to see if that fixes it, however the 30E is remote to me and, as per the release notes, this happens:

-----------------------------------------------------------------------------------------------------------

Downgrading to previous firmware versions

Downgrading to previous firmware versions results in configuration loss on all models. Only the following settings are retained:

[ul]operation modeinterface IP/management IPstatic route tableDNS settingsadmin user accountsession helperssystem access profiles[/ul]

-----------------------------------------------------------------------------------------------------------

I have a FWF-60E at home and when I went from 6.0.3 to 6.0.4 I also experienced DNS issues.  Domains would not resolve and the service would eventually not respond properly after a few hours.  L3 was still working as I could ping IPs but DNS resolution was dead.  A reboot would fix for a few hours.  I never dug into the issue as I reverted back to 6.0.3 and the setup has been very stable as a result.  I have a FortiSwitch and FortiAP connected in addition to logging to a FAZ on AWS instance.

josh
New Contributor

Andrej K wrote:

Remote downgrading is 50/50 coin flip. In theory should work in practice - well..

The only thing I suggest during downgrade is - downgrade it to previous firmware version and then restore full config backup from previous backup version of the config (config from the version you just downgraded to). I.E downgrade from 6.2.0 to 6.0.4 then restore backup config you took running 6.0.4 version (should be written on top of the config file if you open it)

 

In regards of the not being able to access to the internet this could be one of the following "features" based on my experience (and I use the word features here in sarcastic way)

1) You used Device ID to limit internet access to servers or in any other policies which would be above your permit policy. Because device ID is removed now you matching a different policy which might not have service permitted. 

2) If you have forticlient installed on the machines, if Forticlient can't access to the Internet for classification it will use default behavior to block UNKNOWN categories. Which would include WiFi portals. This is a know "feature" that Forticlient version 6 and above do not work on the guest/wifi/signon networks which does not permit 8000/8888 or DNS via 53 ports

Thanks, but yeah. Neither of those items in use. Thing likes Netflix on my LG Smart-TV just stopped working, zero reason why when it was fine on 6.0.4, and every other app (e.g. Amazon Prime) on the same device works. Thought it might have been something funny with UTM, but disabled UTM complete and let everything direct out -- no changes there, though it did fix some of the weird issues my partner was seeing with her phone and trying to download apps from Google Play store, etc.

 

Really quite odd. I think I'm just gonna go back to 6.0.4 and (as you suggested) reload the backed up config from before the upgrade. Fingers crossed the remote unit comes back up fine, haha.

 

dfollis wrote:

 

I have a FWF-60E at home and when I went from 6.0.3 to 6.0.4 I also experienced DNS issues.  Domains would not resolve and the service would eventually not respond properly after a few hours.  L3 was still working as I could ping IPs but DNS resolution was dead.  A reboot would fix for a few hours.  I never dug into the issue as I reverted back to 6.0.3 and the setup has been very stable as a result.  I have a FortiSwitch and FortiAP connected in addition to logging to a FAZ on AWS instance.

 

Doesn't sound related, this was related to 6.0.4 -> 6.2.0 -- 6.0.4 (and every other 6.0.x release) has been fine for me. I use FAP/FSW/FAZ as well. Sounds odd though.. I haven't seen that issue before.

Labels
Top Kudoed Authors