.
FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Quick note from first impressions on my test device:
As read in Release Notes / Changes in default behavior:
-FortiOS 6.2.0 removes any use of device enforcement from various FortiGate features.
This means that all policies and setups that are using Devices or Devices-Groups in policy will have "open" policies after upgrading to 6.2.0.
I cannot find any obvious replacemens for Device feature per now.
If anyone has more info on what Fortinet's plan on this is, I would appreciate a shoutout.. :)
Best Regards,
Runar
Very strange, they also stop Fortigate telemetry functionality from Fortigate and removed the feature. Are they crazy? (sorry for the wording). Should we really install EMS (including necessary Windows license) just for compliance enforcement? And the paid telemetry license and maintenance fees are for nothing? https://docs.fortinet.com...oint-telemetry-license
Agreed. At some point the FortiFabric becomes FortiExpensive! I say that as a very loyal customer, but we all have our limits. I'd still put their price point and solutions up against anyone else. All of the Cisco vulns coming out lately have made me happy I didn't swallow that pill long ago.
I agree that the removal of device identification will be painful for smaller shops trying to use it as a basic NAC. I use it that way at home and it works great. Very useful in these instances. For those of us with a routed core environment that didn't consist of FortiSwitches it was useless. So at the very least they should have kept it available as an on/off feature.
That complaint aside, there are some pretty amazing new features in 6.2:
http://video.fortinet.com/latest/workspace-mode-for-fortios-config
The external block lists and multiple DNS domains are great, as is the log consistency and some TLS 1.3 inspection.
But like so many have said before, cool your jets a bit before upgrading, unless you have a very small shop and need to use some of the automation hooks for example. If you have other products such as FAZ/FAC/EMS/FWF, make sure those are compatible first and follow the upgrade path documents.
Wait a few releases for the features to bake in and then follow the upgrade good practice of backing up your config before the upgrade while keeping a copy of your current firmware on a USB so you can restore both if 6.2 breaks something critical and you need to revert. It still amazes me how many folks throw caution to the wind when upgrading firmware.
Also have a customer that has been selecting FortiSwitch over competitors with Device Identification as main differentiator in the last few weeks. Could do without having to tell them that feature has disappeared... And FortiNAC is a NAC it provides other functionalities but doesn't allow to replace device specific policies. For example SSL interception for everything but have few policies above for ios devices for specific authorised apps that refuse to import CA. We would have to bypass SSL for the whole website now irrelevant of devices. FortiNAT can't solve that type of use.
SEI wrote:It is painful for bigger shops who use it as a basic NAC. We use it in large environments and it works great. Very useful in all these instances. For those of us who use the FortiGate(s) as the routed core that consist also of Third Party Switches.
We use FGT1200D active-active Cluster with 3 branch offices connected/secured by FGT500E active-active Cluster and single FGT500E.
This allows to protect VLANs with NGFW features and security ... and device identification is extremely useful for BYOD (…) and much more as it adds another needed layer of security (e.g. WLAN) not to mention IoT.
At the end of the day it is all about continuity. In bigger environments you have to plan the use of features carefully as processes, workflow a.s.o. are involved (in IT and Business) on a long term basis.
Our clients have been carefully listening to Fortinet as they say "we have answers to the today challenges" … should I go back to my clients and say (yes, but for production wait a year or so until the (unknown) features to bake in or wait if we see the existing features will "stay" … forget about todays security challenges we will address them in a future release that is mature enough to do what it currently does)
In addition, now, that our WAN "Design" finally could improve with great features (improved, production ready) called "Security Fabric" and "SD-WAN" (Started testing it with the purchase of a FAZ with availability of Release 5.6.3) we still can not make use of these as several "unexpected behaviors" in all following releases up to 6.0.4 makes us stay with 5.6.3 on the FGT1200D Cluster.
It would be fair if Fortinet and it's Marketing communicates the truth: Today's Releases are showcases to be used in a year or so and only by then we can face today's challenges on a mature trusted FireWall
I have emailed my account manager at Fortinet to voice concern about the removal of custom devices and groups. I suggest anyone else with concerns does the same; as a forum post, however long, is not likely to affect any real change.
Hi,
I'm having high memory usage issues (memory leak?) since the release of this firmware. I have 2 Azure FG-VM02s running in Active/Active HA. I removed one of them from the Azure Loadbalancer back-end pool ("cluster") at 64% memory usage. Even with close to no traffic going through it, the memory usage stayed at 64% constantly. The usage gradually climbs when the ipsengine is in use. diagnose sys top shows ipsengine using lots of memory, and not releasing it. I also can't seem to downgrade the firmware; the fortigate fails to download the file from FortiGuard.
I wonder if you're experiencing (or have experienced) something similar?
Thanks.
Same here on the memory issues. Experienced the same thing with 2 customers - today. It's the wad service using all the memory, device goes into conserve mode, then I get a call that the internet is down. It was the wad service on both customers.
Pid: 00195, application: wad, Firmware: FortiGate-100E v6.2.0,build0866b0866,190328 (GA) (Release), Signal 11 received, Backtrace: [0x36c0aba6] [0x36c8b2a5] [0x36c8b4e9] [0x00a166d3] [0x00a44085] [0x00033979] [0x00037587] [0x36c0a971] [0x00031cc9]
One customer, ah, just a fluke. Two customers, within 6 hours of each other - stay away for now. Both of these customers wanted to upgrade for some of the new SD-WAN functionality, but I won't be upgrading any customers for a while.
Yesterday we also had memory issues. The memory load grows to 100% in 5-10 minutes. With network down situation.
Firmware: FortiGate-100E v6.2.0,build0866b0866,190328 (GA)
We temp. could resolve it with disable all service policy. It seems, that the IPS Prevention had high memory load.
Ditto on the memory issues - went into conserve mode on Friday and is currently rising back up.
FortiOS v6.2.0 build0866 on 201E
Try this...
get sys perf top
ID app that is running the most memory. For me, I have seen both ipsmonitor and wad causing the mem issue. Restarting the problematic thread gets you out of conserve mode, but isn't a fix.
This will restart the app:
diagnose test application ipsmonitor 99
Where I saw the mem issue crop up, the 6.2.1 fixed it. However, now I'm having SSL inspection issues with certain website on one of them now.
Hope this helps...
Ignotum per ignotius...
Side note... While upgrading to 6.2.1, we are seeing a bug... If your admin account is locked down to certain IP address ranges, and your WIFI SSID isn't in the ip range, you might not be able to bring up the AP's after upgrading to 6.2.1.
We thought this might have been a softswitch error, but it looks like an official bug. We've had Fortinet on the line and they are looking in to it. Doesn't happen with all of them, I rolled up a 200E last night with 12 AP's and 10 VPN's and it worked flawlessly.
Anyone see anything similar?
Ignotum per ignotius...
Aron1 wrote:Side note... While upgrading to 6.2.1, we are seeing a bug... If your admin account is locked down to certain IP address ranges, and your WIFI SSID isn't in the ip range, you might not be able to bring up the AP's after upgrading to 6.2.1.
We thought this might have been a softswitch error, but it looks like an official bug. We've had Fortinet on the line and they are looking in to it. Doesn't happen with all of them, I rolled up a 200E last night with 12 AP's and 10 VPN's and it worked flawlessly.
Anyone see anything similar?
Hi Aron1,
This is one known issue in FortiOS 6.2.1, and it will be fixed by 6.2.2.
The workaround is to add FAP's IP or subnet into admin trusthost list.
Cheers,
Mike
Mike@ftnt wrote:Hi Aron1,
This is one known issue in FortiOS 6.2.1, and it will be fixed by 6.2.2.
The workaround is to add FAP's IP or subnet into admin trusthost list.
Cheers,
Mike
Hi Mike... Thanks for confirming that... We figured that out as well.
NapaCab wrote:This has always been true of new FortiOS major releases, customers do the QA.
Not necessarily. Not to fanboi too much, sorry... I'm more of a Cisco guy, but Fortigate does seem relatively responsive to things like this. Contrast them with trying to get Extreme or MS to correct a "known issue"...
Ignotum per ignotius...
Aron1 wrote:Try this...
get sys perf top
ID app that is running the most memory. For me, I have seen both ipsmonitor and wad causing the mem issue. Restarting the problematic thread gets you out of conserve mode, but isn't a fix.
This will restart the app:
diagnose test application ipsmonitor 99
Where I saw the mem issue crop up, the 6.2.1 fixed it. However, now I'm having SSL inspection issues with certain website on one of them now.
Hope this helps...
This seems to be the IPS memory leak that's been around in one way shape or form since FortiOS 5.4 days....ouch.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1696 | |
1092 | |
752 | |
446 | |
228 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.