Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Carl_Wallmark
Valued Contributor

FortiOS 6.2.0 is out!

.

FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C

FCNSA, FCNSP---FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30BFortiAnalyzer 100B, 100CFortiMail 100,100CFortiManager VMFortiAuthenticator VMFortiTokenFortiAP 220B/221B, 11C
6 Solutions
Cls
New Contributor

Quick note from first impressions on my test device:

As read in Release Notes / Changes in default behavior:

-FortiOS 6.2.0 removes any use of device enforcement from various FortiGate features.

 

This means that all policies and setups that are using Devices or Devices-Groups in policy will have "open" policies after upgrading to 6.2.0.

I cannot find any obvious replacemens for Device feature per now.

 

If anyone has more info on what Fortinet's plan on this is, I would appreciate a shoutout.. :)

 

 

Best Regards,

Runar

View solution in original post

ThomasK
New Contributor II

Very strange, they also stop Fortigate telemetry functionality from Fortigate and removed the feature. Are they crazy? (sorry for the wording). Should we really install EMS (including necessary Windows license) just for compliance enforcement? And the paid telemetry license and maintenance fees are for nothing? https://docs.fortinet.com...oint-telemetry-license

View solution in original post

seadave
Contributor III

Agreed.  At some point the FortiFabric becomes FortiExpensive!  I say that as a very loyal customer, but we all have our limits.  I'd still put their price point and solutions up against anyone else.  All of the Cisco vulns coming out lately have made me happy I didn't swallow that pill long ago.

View solution in original post

seadave

I agree that the removal of device identification will be painful for smaller shops trying to use it as a basic NAC.  I use it that way at home and it works great.  Very useful in these instances.  For those of us with a routed core environment that didn't consist of FortiSwitches it was useless.  So at the very least they should have kept it available as an on/off feature.

 

That complaint aside, there are some pretty amazing new features in 6.2:

 

http://video.fortinet.com/latest/workspace-mode-for-fortios-config

 

The external block lists and multiple DNS domains are great, as is the log consistency and some TLS 1.3 inspection.

 

But like so many have said before, cool your jets a bit before upgrading, unless you have a very small shop and need to use some of the automation hooks for example.  If you have other products such as FAZ/FAC/EMS/FWF, make sure those are compatible first and follow the upgrade path documents.

 

Wait a few releases for the features to bake in and then follow the upgrade good practice of backing up your config before the upgrade while keeping a copy of your current firmware on a USB so you can restore both if 6.2 breaks something critical and you need to revert.  It still amazes me how many folks throw caution to the wind when upgrading firmware.

View solution in original post

SMabille

Also have a customer that has been selecting FortiSwitch over competitors with Device Identification as main differentiator in the last few weeks. Could do without having to tell them that feature has disappeared...  And FortiNAC is a NAC it provides other functionalities but doesn't allow to replace device specific policies. For example SSL interception for everything but have few policies above for ios devices for specific authorised apps that refuse to import CA. We would have to bypass SSL for the whole website now irrelevant of devices. FortiNAT can't solve that type of use.

 

SEI wrote:

It is painful  for bigger shops who use it as a basic NAC.  We use it in large environments and it works great. Very useful in all these instances.  For those of us who use the FortiGate(s) as the routed core that consist also of Third Party Switches.

 

We use FGT1200D active-active Cluster with 3 branch offices connected/secured by FGT500E active-active Cluster and single FGT500E.

This allows to protect VLANs with NGFW features and security ... and device identification is extremely useful for BYOD (…) and much more as it adds another needed layer of security (e.g. WLAN) not to mention IoT.

 

At the end of the day it is all about continuity. In bigger environments you have to plan the use of features carefully as processes, workflow a.s.o. are involved (in IT and Business) on a long term basis.

 

Our clients have been carefully listening to Fortinet as they say "we have answers to the today challenges"  … should I go back to my clients and say (yes, but for production wait a year or so until the (unknown) features to bake in or wait if we see the existing features will "stay"  … forget about todays security challenges we will address them in a future release that is mature enough to do what it currently does)

 

In addition, now, that our WAN "Design" finally could improve with great features (improved, production ready) called "Security Fabric" and "SD-WAN" (Started testing it with the purchase of a FAZ with availability of Release 5.6.3) we still can not make use of these as several "unexpected behaviors" in all following releases up to 6.0.4 makes us stay with 5.6.3 on the FGT1200D Cluster.

 

It would be fair if Fortinet and it's Marketing communicates the truth: Today's Releases are showcases to be used in a year or so and only by then we can face today's challenges on a mature trusted FireWall

 

 

View solution in original post

James_G

I have emailed my account manager at Fortinet to voice concern about the removal of custom devices and groups. I suggest anyone else with concerns does the same; as a forum post, however long, is not likely to affect any real change.

View solution in original post

58 REPLIES 58
anujdalal
New Contributor

Hi,

 

I'm having high memory usage issues (memory leak?) since the release of this firmware. I have 2 Azure FG-VM02s running in Active/Active HA. I removed one of them from the Azure Loadbalancer back-end pool ("cluster") at 64% memory usage. Even with close to no traffic going through it, the memory usage stayed at 64% constantly. The usage gradually climbs when the ipsengine is in use. diagnose sys top shows ipsengine using lots of memory, and not releasing it. I also can't seem to downgrade the firmware; the fortigate fails to download the file from FortiGuard.

 

I wonder if you're experiencing (or have experienced) something similar?

 

Thanks.

sullimd

Same here on the memory issues. Experienced the same thing with 2 customers - today.  It's the wad service using all the memory, device goes into conserve mode, then I get a call that the internet is down.  It was the wad service on both customers. 

 

Pid: 00195, application: wad, Firmware: FortiGate-100E v6.2.0,build0866b0866,190328 (GA) (Release), Signal 11 received, Backtrace: [0x36c0aba6] [0x36c8b2a5] [0x36c8b4e9] [0x00a166d3] [0x00a44085] [0x00033979] [0x00037587] [0x36c0a971] [0x00031cc9]

 

One customer, ah, just a fluke.  Two customers, within 6 hours of each other - stay away for now.  Both of these customers wanted to upgrade for some of the new SD-WAN functionality, but I won't be upgrading any customers for a while.

Frank_Baschin

Yesterday we also had memory issues. The memory load grows to 100% in 5-10 minutes. With network down situation.

Firmware: FortiGate-100E v6.2.0,build0866b0866,190328 (GA)

 

We temp. could resolve it with disable all service policy. It seems, that the IPS Prevention had high memory load.

confusedcrib

Ditto on the memory issues - went into conserve mode on Friday and is currently rising back up.

 

FortiOS v6.2.0 build0866 on 201E

Aron1

Try this...

 

get sys perf top

 

ID app that is running the most memory. For me, I have seen both ipsmonitor and wad causing the mem issue. Restarting the problematic thread gets you out of conserve mode, but isn't a fix.

This will restart the app:

diagnose test application ipsmonitor 99

 

Where I saw the mem issue crop up, the 6.2.1 fixed it. However, now I'm having SSL inspection issues with certain website on one of them now.

 

Hope this helps...

 

Ignotum per ignotius...

Ignotum per ignotius...
Aron1
New Contributor

Side note... While upgrading to 6.2.1, we are seeing a bug... If your admin account is locked down to certain IP address ranges, and your WIFI SSID isn't in the ip range, you might not be able to bring up the AP's after upgrading to 6.2.1.

 

We thought this might have been a softswitch error, but it looks like an official bug. We've had Fortinet on the line and they are looking in to it. Doesn't happen with all of them, I rolled up a 200E last night with 12 AP's and 10 VPN's and it worked flawlessly.

 

Anyone see anything similar?

Ignotum per ignotius...

Ignotum per ignotius...
Mike_FTNT

Aron1 wrote:

Side note... While upgrading to 6.2.1, we are seeing a bug... If your admin account is locked down to certain IP address ranges, and your WIFI SSID isn't in the ip range, you might not be able to bring up the AP's after upgrading to 6.2.1.

 

We thought this might have been a softswitch error, but it looks like an official bug. We've had Fortinet on the line and they are looking in to it. Doesn't happen with all of them, I rolled up a 200E last night with 12 AP's and 10 VPN's and it worked flawlessly.

 

Anyone see anything similar?

Hi Aron1,

 

This is one known issue in FortiOS 6.2.1, and it will be fixed by 6.2.2.

The workaround is to add FAP's IP or subnet into admin trusthost list.

 

Cheers,

Mike

Aron1

Mike@ftnt wrote:

Hi Aron1,

 

This is one known issue in FortiOS 6.2.1, and it will be fixed by 6.2.2.

The workaround is to add FAP's IP or subnet into admin trusthost list.

 

Cheers,

Mike

Hi Mike... Thanks for confirming that... We figured that out as well.

 

NapaCab wrote:

This has always been true of new FortiOS major releases, customers do the QA.

 

Not necessarily. Not to fanboi too much, sorry... I'm more of a Cisco guy, but Fortigate does seem relatively responsive to things like this. Contrast them with trying to get Extreme or MS to correct a "known issue"...

Ignotum per ignotius...

Ignotum per ignotius...
NapaCab
New Contributor

Aron1 wrote:

Try this...

 

get sys perf top

 

ID app that is running the most memory. For me, I have seen both ipsmonitor and wad causing the mem issue. Restarting the problematic thread gets you out of conserve mode, but isn't a fix.

This will restart the app:

diagnose test application ipsmonitor 99

 

Where I saw the mem issue crop up, the 6.2.1 fixed it. However, now I'm having SSL inspection issues with certain website on one of them now.

 

Hope this helps...

 

This seems to be the IPS memory leak that's been around in one way shape or form since FortiOS 5.4 days....ouch.

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors