Very strange, they also stop Fortigate telemetry functionality from Fortigate and removed the feature. Are they crazy? (sorry for the wording). Should we really install EMS (including necessary Windows license) just for compliance enforcement? And the paid telemetry license and maintenance fees are for nothing? https://docs.fortinet.com...oint-telemetry-license

Agreed.  At some point the FortiFabric becomes FortiExpensive!  I say that as a very loyal customer, but we all have our limits.  I'd still put their price point and solutions up against anyone else.  All of the Cisco vulns coming out lately have made me happy I didn't swallow that pill long ago.

I agree that the removal of device identification will be painful for smaller shops trying to use it as a basic NAC.  I use it that way at home and it works great.  Very useful in these instances.  For those of us with a routed core environment that didn't consist of FortiSwitches it was useless.  So at the very least they should have kept it available as an on/off feature.

That complaint aside, there are some pretty amazing new features in 6.2:

http://video.fortinet.com/latest/workspace-mode-for-fortios-config

The external block lists and multiple DNS domains are great, as is the log consistency and some TLS 1.3 inspection.

But like so many have said before, cool your jets a bit before upgrading, unless you have a very small shop and need to use some of the automation hooks for example.  If you have other products such as FAZ/FAC/EMS/FWF, make sure those are compatible first and follow the upgrade path documents.

Wait a few releases for the features to bake in and then follow the upgrade good practice of backing up your config before the upgrade while keeping a copy of your current firmware on a USB so you can restore both if 6.2 breaks something critical and you need to revert.  It still amazes me how many folks throw caution to the wind when upgrading firmware.

Also have a customer that has been selecting FortiSwitch over competitors with Device Identification as main differentiator in the last few weeks. Could do without having to tell them that feature has disappeared...  And FortiNAC is a NAC it provides other functionalities but doesn't allow to replace device specific policies. For example SSL interception for everything but have few policies above for ios devices for specific authorised apps that refuse to import CA. We would have to bypass SSL for the whole website now irrelevant of devices. FortiNAT can't solve that type of use.

SEI wrote:

It is painful  for bigger shops who use it as a basic NAC.  We use it in large environments and it works great. Very useful in all these instances.  For those of us who use the FortiGate(s) as the routed core that consist also of Third Party Switches.

 

We use FGT1200D active-active Cluster with 3 branch offices connected/secured by FGT500E active-active Cluster and single FGT500E.

This allows to protect VLANs with NGFW features and security ... and device identification is extremely useful for BYOD (…) and much more as it adds another needed layer of security (e.g. WLAN) not to mention IoT.

 

At the end of the day it is all about continuity. In bigger environments you have to plan the use of features carefully as processes, workflow a.s.o. are involved (in IT and Business) on a long term basis.

 

Our clients have been carefully listening to Fortinet as they say "we have answers to the today challenges"  … should I go back to my clients and say (yes, but for production wait a year or so until the (unknown) features to bake in or wait if we see the existing features will "stay"  … forget about todays security challenges we will address them in a future release that is mature enough to do what it currently does)

 

In addition, now, that our WAN "Design" finally could improve with great features (improved, production ready) called "Security Fabric" and "SD-WAN" (Started testing it with the purchase of a FAZ with availability of Release 5.6.3) we still can not make use of these as several "unexpected behaviors" in all following releases up to 6.0.4 makes us stay with 5.6.3 on the FGT1200D Cluster.

 

It would be fair if Fortinet and it's Marketing communicates the truth: Today's Releases are showcases to be used in a year or so and only by then we can face today's challenges on a mature trusted FireWall