Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Carl_Wallmark
Valued Contributor

FortiOS 6.2.0 is out!

.

FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C

FCNSA, FCNSP---FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30BFortiAnalyzer 100B, 100CFortiMail 100,100CFortiManager VMFortiAuthenticator VMFortiTokenFortiAP 220B/221B, 11C
6 Solutions
Cls
New Contributor

Quick note from first impressions on my test device:

As read in Release Notes / Changes in default behavior:

-FortiOS 6.2.0 removes any use of device enforcement from various FortiGate features.

 

This means that all policies and setups that are using Devices or Devices-Groups in policy will have "open" policies after upgrading to 6.2.0.

I cannot find any obvious replacemens for Device feature per now.

 

If anyone has more info on what Fortinet's plan on this is, I would appreciate a shoutout.. :)

 

 

Best Regards,

Runar

View solution in original post

ThomasK
New Contributor II

Very strange, they also stop Fortigate telemetry functionality from Fortigate and removed the feature. Are they crazy? (sorry for the wording). Should we really install EMS (including necessary Windows license) just for compliance enforcement? And the paid telemetry license and maintenance fees are for nothing? https://docs.fortinet.com...oint-telemetry-license

View solution in original post

seadave
Contributor III

Agreed.  At some point the FortiFabric becomes FortiExpensive!  I say that as a very loyal customer, but we all have our limits.  I'd still put their price point and solutions up against anyone else.  All of the Cisco vulns coming out lately have made me happy I didn't swallow that pill long ago.

View solution in original post

seadave

I agree that the removal of device identification will be painful for smaller shops trying to use it as a basic NAC.  I use it that way at home and it works great.  Very useful in these instances.  For those of us with a routed core environment that didn't consist of FortiSwitches it was useless.  So at the very least they should have kept it available as an on/off feature.

 

That complaint aside, there are some pretty amazing new features in 6.2:

 

http://video.fortinet.com/latest/workspace-mode-for-fortios-config

 

The external block lists and multiple DNS domains are great, as is the log consistency and some TLS 1.3 inspection.

 

But like so many have said before, cool your jets a bit before upgrading, unless you have a very small shop and need to use some of the automation hooks for example.  If you have other products such as FAZ/FAC/EMS/FWF, make sure those are compatible first and follow the upgrade path documents.

 

Wait a few releases for the features to bake in and then follow the upgrade good practice of backing up your config before the upgrade while keeping a copy of your current firmware on a USB so you can restore both if 6.2 breaks something critical and you need to revert.  It still amazes me how many folks throw caution to the wind when upgrading firmware.

View solution in original post

SMabille

Also have a customer that has been selecting FortiSwitch over competitors with Device Identification as main differentiator in the last few weeks. Could do without having to tell them that feature has disappeared...  And FortiNAC is a NAC it provides other functionalities but doesn't allow to replace device specific policies. For example SSL interception for everything but have few policies above for ios devices for specific authorised apps that refuse to import CA. We would have to bypass SSL for the whole website now irrelevant of devices. FortiNAT can't solve that type of use.

 

SEI wrote:

It is painful  for bigger shops who use it as a basic NAC.  We use it in large environments and it works great. Very useful in all these instances.  For those of us who use the FortiGate(s) as the routed core that consist also of Third Party Switches.

 

We use FGT1200D active-active Cluster with 3 branch offices connected/secured by FGT500E active-active Cluster and single FGT500E.

This allows to protect VLANs with NGFW features and security ... and device identification is extremely useful for BYOD (…) and much more as it adds another needed layer of security (e.g. WLAN) not to mention IoT.

 

At the end of the day it is all about continuity. In bigger environments you have to plan the use of features carefully as processes, workflow a.s.o. are involved (in IT and Business) on a long term basis.

 

Our clients have been carefully listening to Fortinet as they say "we have answers to the today challenges"  … should I go back to my clients and say (yes, but for production wait a year or so until the (unknown) features to bake in or wait if we see the existing features will "stay"  … forget about todays security challenges we will address them in a future release that is mature enough to do what it currently does)

 

In addition, now, that our WAN "Design" finally could improve with great features (improved, production ready) called "Security Fabric" and "SD-WAN" (Started testing it with the purchase of a FAZ with availability of Release 5.6.3) we still can not make use of these as several "unexpected behaviors" in all following releases up to 6.0.4 makes us stay with 5.6.3 on the FGT1200D Cluster.

 

It would be fair if Fortinet and it's Marketing communicates the truth: Today's Releases are showcases to be used in a year or so and only by then we can face today's challenges on a mature trusted FireWall

 

 

View solution in original post

James_G

I have emailed my account manager at Fortinet to voice concern about the removal of custom devices and groups. I suggest anyone else with concerns does the same; as a forum post, however long, is not likely to affect any real change.

View solution in original post

58 REPLIES 58
seadave
Contributor III

Bummer regarding device ID.  Has been a bit flakey, but I use it on a 60E at home.  Perhaps this is due to the increasing use of dynamic MACs in Android and iOS?  I wondered how that would impact things like FG Device ID and NACs that rely on that to identify a device.

 

I remember having all of my policies color coded in 4.3 and then 5.0 wiped those out.  Now they returned in 5.6.  I also agree that major changes like this need to be in BOLD text at the front of the release notes.  This will certainly ruin someone's afternoon who isn't careful.

bartman10

This is simply NOT true. I just got done speaking with TAC about this. I was in the 6.2 Beta for my 200D FortiAnalizer only to see in the GA notes 200D dropped.. Well that's funny kids I was using 6.2 beta on it.

TAC has stock answsers like EOS bla.. but it's simply not true.

He was even able to give me a, supported, 6.2 FortiAnalizer image after I showed my CPU usage is 3% and RAM is like 35%. I guess if you load it up to max logs per sec 6.2 may not work as advertised.. but ya..

 

They just make up whenever they decide to stop supporting gear with new updates. They are NOT clear about this and, AND, they still expect payment in FULL when that support contract comes up for renewal. 

 

Ok.. you drop new firmware for some reason.. well take that % out of my support contract because I don't need to pay to support the new firmware, only minimal bug fixes in last.

 

 

 

Go look up FortiGate unites with 6.2 released. There are many D models that EOS in 2017-2018

100D - EOS- 2018-07-26

92D - EOS - 2017-07-16

400D - EOS - 2018-05-08

140D - EOS - 2018-05-08

80D - EOS - 2018-04-16

 

All of these FortiGates have 6.2.

 

 

 

 

bommi wrote:

Please check the Product Lifecycle Page:

https://support.fortinet.com/Information/ProductLifeCycle.aspx

 

You will find several statements with a list of devices which arent supported by the latest releases.

These devices get extended access to Customer Services until these devices are EOL.

 

 

300E x3, 200D, 140D, 94D, 90D x2, 80D, 40C, handful of 60E's.. starting to loose track.

Over 100 WiFi AP's and growing.

FAZ-200D

FAC-VM 2 node cluster

Friends don't let friends FWF!

300E x3, 200D, 140D, 94D, 90D x2, 80D, 40C, handful of 60E's.. starting to loose track. Over 100 WiFi AP's and growing. FAZ-200D FAC-VM 2 node cluster Friends don't let friends FWF!
SolracLeinad

 

bartman10 wrote:

Go look up FortiGate unites with 6.2 released. There are many D models that EOS in 2017-2018

100D - EOS- 2018-07-26

92D - EOS - 2017-07-16

400D - EOS - 2018-05-08

140D - EOS - 2018-05-08

80D - EOS - 2018-04-16

 

All of these FortiGates have 6.2.

Maybe they updated their page already:

Product            | EOO            | LSED          | (EOS)

FortiGate-100D | 2018-07-26 | 2022-07-26 | 2023-07-26 FortiGate-92D   | 2017-07-16 | 2021-07-16 | 2022-07-16 FortiGate-400D | 2018-05-08 | 2022-05-08 | 2023-05-08 I'm also mailing my account manager as the removal of custom devices and groups has a huge impact on our company. I wonder if its still somewhere hidden deep inside the CLI tho...

gianlucagiacometti

https://docs.fortinet.com/document/fortigate/6.2.0/new-features/262899/wireless-mac-filter-updates

 

Maybe this new feature is the key

 

Which actually makes more sense, because with the previous solution everyone with a SSID WPA2-personal password could connect to the SSID, inappropriately using an IP address and the downstream policy was delegated to block the user. This, I guess, was also causing some overhead. With the new solution only the members who have been given permission can connect to the SSID.

I would have liked to have also a GUI to do that, but I'm confident it will be introduced in future OS upgrades.

 

G

gianlucagiacometti

Well, this COULD HAVE BEEN the solution.

Unfortunately the maximum number of entry in config wireless-controller address is 256.

256!

That's a real shame. I have more than 600 entries. A FortiGate 800D is not a toy, neither it should be programmed as so.

Ok, now I'm stuck with an open WiFi (passwords are not secrets in Universities), hoping in the next release.

I'm rather disappointed. The release to 6.2 should have been held some months further.

morten

OOOOHHH...! Do I regret testing out 6.2 on a live Fortigate...

Upgraded my 30E-3G4G-INTL from 6.0.4 about a week ago, and since then it has just frozen allmost daily. I can not log in to the GUI or SSH when this happens, so power reset is the only way to get it up and running again. It wasn't until today I managed to get a look at the GUI before it hung again. I noticed my phone didn't connect to a website, and logged on to the Fortigate from my PC to se if I could troubleshoot anything this time. The first thing I see after logging in is that the Fortigate has entered memory conserve mode. I cannot login to the CLI (Says "too many connections"), so I cannot see or restart the shitty process. I doesn't take many seconds before I am kicked out of the GUI as well, and the Fortigate stops responding completely. Again, power reset only "solution". Anyone else experienced anything like this?

As we speak, I have a SSH session running with diag sys top, and will monitor memory usage to see if I can find a clue as to which process is the culprit, and keep you updated.

 

Good thing to have my home office Fortigate as testlab...wouldn't like this to happen on 100+ customer Fortigates

seadave
Contributor III

This seems to be a re-occurring theme.  Perhaps make sure that any of the services such as spam filtering, wifi/switch controller, waf, advanced routing, that you are not using is disabled in the Features gui.  That will reduce memory load.  I think Fortinet needs to do a better job on advising which models are optimized for which release.  The sub-100 units most likely will not run well on 6.2 until it is revised to .4 or .5 is my guess.  Also if you have too many features enabled on the lower number models it will never run well.

SMabille

Good luck with that one, once the support for 6.0 end and customers are forced to upgrade to 6.2 and cash out new licenses to keep the functionality, in most European country it will be assimilated to forced sales (and is obviously illegal). I can see court cases coming....

 

Another way to build/keep good customers relationship, not!

 

ThomasK wrote:

Very strange, they also stop Fortigate telemetry functionality from Fortigate and removed the feature. Are they crazy? (sorry for the wording). Should we really install EMS (including necessary Windows license) just for compliance enforcement? And the paid telemetry license and maintenance fees are for nothing? https://docs.fortinet.com...oint-telemetry-license

Andrej_K

Removing Device Identification is just crazy. We can talk all we want about security/static ip/mac and traffic sniffing, but it is just make sense to have more security features available to you, not less. But I guess the new Fortinet policy - "Fortinet who cares".

Well I learned one thing for me - it would not be the straight swap to a newer model despite liking Fortigate devices. I better go through pain of PoC with other vendors rather than accepting "removing the features just because" This is true for EMS/DeviceID/Client enforcement/Compliance licenses/etc. 

I feel like in pay to win games. With every new release the features which were available disappear and I need to buy either new device or new license to replace removed feature. 

Fortinet your customers not a cow you can milk to death for money by removing features. 

 

ThomasK
New Contributor II

Based on the FortiNet support, EMS 6.2 will be available in Q3/2019.

So if you update to FortiGate 6.2, you will loose Telemetry/Compliance enforcement and EMS 6.2, which will takeover that functionality, is not released yet.

 

 

Labels
Top Kudoed Authors