new release is available in the download portal...
FWF60D x2 FWF60C x3 FGT80C rev.2 FGT200B-POE FAP220B x3 FAP221B x2
FSW224B x1
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
They always say that, "just upgrade". I'm beginning to think the biggest weakness is the infinite flexibility of these devices. My guess is you would take 100 users and each one would have a slightly different config making it nearly impossible to do effective testing for new firmware stability. That is all I can come up with or they have the most incompetent QC people in the industry. If you feel the same, share this with your rep. They need to keep hearing this until they do something about it.
I have a stand alone 500D that is running 5.2.3,build670. I have all filters enabled and we lock things down quite a bit here. Our connection is 100Mbps to the web. The following features are enabled:
Advanced Routing
VPN
AntiVirus
App Ctrl
DLP
IPS/IDS
Web Filter
Endpoint Control
Certs
DNS Database
Load Balance
Implicit Firewall Policies
Multiple Security Policies
Policy Based IPSec VPN
Traffic Shaping
WAN Link Load Balancing
!!Turn off features that you are not using!!
It has been rock solid for over 143 days, with one exception. I attempted to add a EC cert using the GUI and it broke the Cert portion of the GUI. Everything else works fine, but the cert GUI won't come up. I'm guessing I could go into the CLI and remove the CSR and that might fix it, but I decided to wait and hold for an updated stable firmware version. Looks like I'm still waiting!
I do have a second 500D that I'm using for testing. I upgraded it to 5.2.6 and then 5.4.0, but haven't had a chance to do further tests. No visible problems after upgrade, but I haven't put production traffic through it yet. As mentioned before, any time you do a firmware update, do the following:
[ol]
Based on my readings of these forums, it seems like lots of the problems revolve around HA. My company is fairly small with less than 200 employees so I've always elected to buy two firewalls. One stays in production and the other is used for testing/POC. I know this may not be an option for everyone but it has served us well. As many have learned "upgrading Fortigates on a whim" are a recipe for disaster. Using one unit for testing gives you greater flexibility and if the units are identical, it is trivial to take a backup config and load it on the second unit to duplicate your production system for troubleshooting/testing. It is of course critical to keep your config copies current in the event of a hardware failure.
Based on my experience, unless you have a security or technical reason for doing so, don't upgrade to minor versions. If you must, try to avoid versions where the firmware isn't at least the second or third version past GA release. Always read and understand the release notes, what works and what doesn't. Visit these forums often and learn from others' mistakes. Often in the past later versions make things more stable. I'm still not sure what happened with 5.2.4 and 5.2.5 as that doesn't seem to be the case.
Here's a slightly aged link but has additional detail on doing upgrades:
https://mbrownnyc.wordpress.com/2013/01/30/upgrading-the-firmware-on-a-fortigate-unit/
Hi PIDDLAW,
upgrading to the last available release is the standard answer from Fortinet support to all problems. Sadly to say, in particular in the last times, it has proved not to be at all the best solution. FortiOS 5.4 has already a long list of known bugs (read the specific forum) so nobody will really think of moving to it in a productive environment up to now. Moreover it doesn't work on many old boxes (we've a lot old Cs, some Bs...) so for a lot of people it's not an option at all.
Fortinet provided a new firmware (5,2,6) -> Fortinet has to have this firmware working, that's simple! Patching, fixing, testing is part of their work, not ours. I'd like we all do some pushing on these guys in order to solve the problems and not always looking for some "workaround". Moreover the complains about the software part of their product are starting to become "embarrassing" (in numbers) for a serious company. I hope they'll change route asap or their customers will start too look around (as we're doing after the last year of continous problems).
I also opened a ticket for this very problem and keep you updated on what will erupt from it. For now I'm trying to reinstall the vpn clients affected and see if we got some improvement... and when all the phones on my desk rings I simply kill the vpnssld process and make the users working again (at least for a while)..
Bye
Gianluca
FGT: 50E,100D, 200D, 600D
FMG: VM64
FAZ: VM64
this mess with the bugs is a joke.
It seems 5.2.4 is the most stable version.
So I will continue in it for a while
The biggest joke is advice from FTNT support to upgrade to 5.4.0.
Seriously? Should we upgrade critical production box to "almost beta" release?
That is a standard advice for almost every tech support I've dealt with so far. Only once have I had a case when they've advised me to downgrade a firmware - and it was with the HPE. :)
We shouldn't be so harsh on the tech support teams, they are, in my experience at least, really trying to help in every support ticket. :) They asked me to upgrade the firmware only two times, and both times the new firmware had had a fix for a reported bug. In my opinion, Fortinet has a small minus on software development and QA, but a BIG PLUS on technical support. On the other hand, their systems are really versatile, and maybe that is their biggest problem?
NSE 7
All oppinions/statements written here are my own.
I've only had tech support recommend a firmware upgrade once, from 5.2.4 to 5.2.5 because of an issue in 5.2.4 with an IP Pool and VIP having the same IP address.
Norris Carden
Fortinet XTreme Team USA (2015, 2016)
CISSP (2005), CISA (2007), NSE4 (2016)
Does anyone know if the SSL Inspection issue is solved in 5.2.6?
Regards, Robby
read the release notes
PCNSE
NSE
StrongSwan
I've update some small model (40c and 60d) and the memory utilization is the same of 5.0.12 or 5.2.5 :)
I don't use SSL ispection
emnoc wrote:Thanks for that @emnoc but your answer could have been a little more helpful - eg. see bug id 304566 in release notes ...read the release notes
Saying that, I didn't ask if Fortinet had indicated that the problem had been resolved; I asked if the problem had been resolved - bit of a difference. Anyone else's experience would be appreciated.
Regards, Robby
If I can find and download the release notes which explains a lot issues, than you could have done the same. A lot of issues with bugs where listed, did you expect me to "read the release notes out to you also ?"
You should always read the rls notes that why they (FTNT) provides them.
;)
Now the real question, who will try 5.2.6 and see if anything else pops up.
PCNSE
NSE
StrongSwan
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1712 | |
1093 | |
752 | |
447 | |
231 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.