.
FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Quick note from first impressions on my test device:
As read in Release Notes / Changes in default behavior:
-FortiOS 6.2.0 removes any use of device enforcement from various FortiGate features.
This means that all policies and setups that are using Devices or Devices-Groups in policy will have "open" policies after upgrading to 6.2.0.
I cannot find any obvious replacemens for Device feature per now.
If anyone has more info on what Fortinet's plan on this is, I would appreciate a shoutout.. :)
Best Regards,
Runar
Very strange, they also stop Fortigate telemetry functionality from Fortigate and removed the feature. Are they crazy? (sorry for the wording). Should we really install EMS (including necessary Windows license) just for compliance enforcement? And the paid telemetry license and maintenance fees are for nothing? https://docs.fortinet.com...oint-telemetry-license
Agreed. At some point the FortiFabric becomes FortiExpensive! I say that as a very loyal customer, but we all have our limits. I'd still put their price point and solutions up against anyone else. All of the Cisco vulns coming out lately have made me happy I didn't swallow that pill long ago.
I agree that the removal of device identification will be painful for smaller shops trying to use it as a basic NAC. I use it that way at home and it works great. Very useful in these instances. For those of us with a routed core environment that didn't consist of FortiSwitches it was useless. So at the very least they should have kept it available as an on/off feature.
That complaint aside, there are some pretty amazing new features in 6.2:
http://video.fortinet.com/latest/workspace-mode-for-fortios-config
The external block lists and multiple DNS domains are great, as is the log consistency and some TLS 1.3 inspection.
But like so many have said before, cool your jets a bit before upgrading, unless you have a very small shop and need to use some of the automation hooks for example. If you have other products such as FAZ/FAC/EMS/FWF, make sure those are compatible first and follow the upgrade path documents.
Wait a few releases for the features to bake in and then follow the upgrade good practice of backing up your config before the upgrade while keeping a copy of your current firmware on a USB so you can restore both if 6.2 breaks something critical and you need to revert. It still amazes me how many folks throw caution to the wind when upgrading firmware.
Also have a customer that has been selecting FortiSwitch over competitors with Device Identification as main differentiator in the last few weeks. Could do without having to tell them that feature has disappeared... And FortiNAC is a NAC it provides other functionalities but doesn't allow to replace device specific policies. For example SSL interception for everything but have few policies above for ios devices for specific authorised apps that refuse to import CA. We would have to bypass SSL for the whole website now irrelevant of devices. FortiNAT can't solve that type of use.
SEI wrote:It is painful for bigger shops who use it as a basic NAC. We use it in large environments and it works great. Very useful in all these instances. For those of us who use the FortiGate(s) as the routed core that consist also of Third Party Switches.
We use FGT1200D active-active Cluster with 3 branch offices connected/secured by FGT500E active-active Cluster and single FGT500E.
This allows to protect VLANs with NGFW features and security ... and device identification is extremely useful for BYOD (…) and much more as it adds another needed layer of security (e.g. WLAN) not to mention IoT.
At the end of the day it is all about continuity. In bigger environments you have to plan the use of features carefully as processes, workflow a.s.o. are involved (in IT and Business) on a long term basis.
Our clients have been carefully listening to Fortinet as they say "we have answers to the today challenges" … should I go back to my clients and say (yes, but for production wait a year or so until the (unknown) features to bake in or wait if we see the existing features will "stay" … forget about todays security challenges we will address them in a future release that is mature enough to do what it currently does)
In addition, now, that our WAN "Design" finally could improve with great features (improved, production ready) called "Security Fabric" and "SD-WAN" (Started testing it with the purchase of a FAZ with availability of Release 5.6.3) we still can not make use of these as several "unexpected behaviors" in all following releases up to 6.0.4 makes us stay with 5.6.3 on the FGT1200D Cluster.
It would be fair if Fortinet and it's Marketing communicates the truth: Today's Releases are showcases to be used in a year or so and only by then we can face today's challenges on a mature trusted FireWall
I have emailed my account manager at Fortinet to voice concern about the removal of custom devices and groups. I suggest anyone else with concerns does the same; as a forum post, however long, is not likely to affect any real change.
Agreed. At some point the FortiFabric becomes FortiExpensive! I say that as a very loyal customer, but we all have our limits. I'd still put their price point and solutions up against anyone else. All of the Cisco vulns coming out lately have made me happy I didn't swallow that pill long ago.
Got a 60E with a couple of FAP221Es at home and can't get my Sonos devices to connect to the wireless at all since upgrading. Everything else is fine including every other wireless client. No major issues with the upgrade. Went from 6.0.4 to 6.2.0. Seems that even when I connect the Sonos devices via ethernet, the multicast forwarding for the App to discover the devices (SSDP) has also changed behaviour. Worked fine before. Right now though, I'm just stuck with getting the devices onto the wifi.
I notice that during the beta there were some specific FortiAP builds to work with 6.2 but the release notes state that older FortiAP versions should still be supported.
Will keep debugging when I get time but has anyone else seeing issues with FortiAPs?
Hi,
Not really, FortiNAC doesn't replace the device type based policies, there isn't an overlap of functionalities. Also licensing model is unadapted to small Fortigate deployment (minimum 2000 ports).
The strategy doesn't really make much sense for a company that has been pushing IoT in marketing. So hopefully the feature will be back in 6.2.x (or 6.4 but then would need a migration path from 6.0 not to loose the config).
Otherwise it will open the question of extended support. Device based policies is a key feature for some customers, so being unable to upgrade as functionality has been removed, they would then expect 6.0 to be supported until either feature is back or EOL of the appliances (E series, so years away).
Definitely a case of bad product management... (now the release quality seems to improve, features are taken away). It takes a serious amount of efforts to defend Fortinet with customers.
dfollis wrote:I'm guessing they are going to drive folks towards FortiNAC for such things as it relates to device IDs.
https://www.fortinet.com/products/network-access-control.html
dfollis wrote:I'm guessing they are going to drive folks towards FortiNAC for such things as it relates to device IDs.
https://www.fortinet.com/products/network-access-control.html
Let's hope that this is not really the plan.
FortiGate is very cost-effective for the SMB market today because you can get these full spectrum features in small form-factor devices, and scale up to bigger stuff if you need to. Many don't need to -- not yet, and not at the current costs.
Cls wrote:I Bit the bullet... and the first thing was:Quick note from first impressions on my test device:
As read in Release Notes / Changes in default behavior:
-FortiOS 6.2.0 removes any use of device enforcement from various FortiGate features.
This means that all policies and setups that are using Devices or Devices-Groups in policy will have "open" policies after upgrading to 6.2.0.
I cannot find any obvious replacemens for Device feature per now.
If anyone has more info on what Fortinet's plan on this is, I would appreciate a shoutout.. :)
Best Regards,
Runar
NO INTERNET FOR ALL...
Due to the fact there was a policy with a device group attached limiting some devices to internet. But when that group was removed after upgrade to 6.2, the policy limited ALL internet traffic thus.
Strange thing is: I do still have the option to "add a custom device group" but then when I do it, I get this strange "
But now the question: how to restore previous functionality? How to restrict certain DEVICES internet Access.?
sanderl wrote:Revert to 6.0.
But now the question: how to restore previous functionality? How to restrict certain DEVICES internet Access.?
Or do it by IP Addresses.
Hi,
Looks like devices are doing a (small) come back in 6.2.1:
https://docs.fortinet.com/document/fortigate/6.2.1/new-features/370579
If I read correctly all predefined group and detection are still absent (let's hope and wait for 6.2.2) but categories can be defined again manually, in the GUI, based on MAC or MAC range.
Good partial back-track, let's implement the whole device detection back in 6.2.2!
Cls wrote:Quick note from first impressions on my test device:
As read in Release Notes / Changes in default behavior:
-FortiOS 6.2.0 removes any use of device enforcement from various FortiGate features.
This means that all policies and setups that are using Devices or Devices-Groups in policy will have "open" policies after upgrading to 6.2.0.
I cannot find any obvious replacemens for Device feature per now.
If anyone has more info on what Fortinet's plan on this is, I would appreciate a shoutout.. :)
Best Regards,
Runar
I agree more should be done to address bug fixes in the existing firmware before major firmware jumps, as a member has stated above it is too risky to go with the first release of a new major firmware.
I am on 6.04 and have noticed that release has stopped you amending some pf the policies from the top screen and you now have to edit them. Another bug that has come in is Internet Explorer no longer works for the SSL Web VPN login. Chrome and Firefox work but you run into trouble with organisations using IE. I would have like a patch for this latter problem before doing another major firmware update or as they have done in previous ones if they are going to do a major one run some patches to fix at least some of the patches with the existing firmware for instance 6.0.x
peterkoszarek@nhs.net wrote:Are you trying to make changes from the policy list page? Which policies are you unable to make changes to?
I am on 6.04 and have noticed that release has stopped you amending some pf the policies from the top screen and you now have to edit them.
Having trouble now replicating this which is odd. Defo still having a big issue with Internet Explorer (we are using 11) being able to log into the SSL VPN Web mode and even to the Fortigate to manage. I tend to not use IE as much but we cannot tell staff not to. Has this been resolved in 6.2.0 as they do not seem to be doing more patches after 6.0.4?
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1547 | |
1031 | |
749 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.