Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
storaid
Contributor

FortiOS v5.2.6 is out...

new release is available in the download portal...

FWF60D x2 FWF60C x3 FGT80C rev.2 FGT200B-POE FAP220B x3 FAP221B x2

FSW224B x1

seadave

They always say that, "just upgrade".  I'm beginning to think the biggest weakness is the infinite flexibility of these devices.  My guess is you would take 100 users and each one would have a slightly different config making it nearly impossible to do effective testing for new firmware stability.  That is all I can come up with or they have the most incompetent QC people in the industry.  If you feel the same, share this with your rep.  They need to keep hearing this until they do something about it.

 

I have a stand-alone 500D that is running 5.2.3, build 670.  I have all filters enabled and we lock things down quite a bit here.  Our connection is 100Mbps to the web.  The following features are enabled:

 

• Advanced Routing
• VPN
• AntiVirus
• App Ctrl
• DLP
• IPS/IDS
• Web Filter
• Endpoint Control
• Certs
• DNS Database
• Load Balance
• Implicit Firewall Policies
• Multiple Security Policies
• Policy Based IPSec VPN
• Traffic Shaping
• WAN Link Load Balancing

 

!!Turn off features that you are not using!!

 

It has been rock solid for over 143 days, with one exception.  I attempted to add an EC cert using the GUI and it broke the Cert portion of the GUI.  Everything else works fine, but the cert GUI won't come up.  I'm guessing I could go into the CLI and remove the CSR and that might fix it, but I decided to wait and hold for an updated stable firmware version.  Looks like I'm still waiting!

 

I do have a second 500D that I'm using for testing.  I upgraded it to 5.2.6 and then 5.4.0, but haven't had a chance to do further tests.  No visible problems after upgrade, but I haven't put production traffic through it yet.  As mentioned before, any time you do a firmware update, do the following:

 

1. Backup your current config and download your existing firmware release if you need to factory reset and then downgrade. (You may need to do this via TFTP in a worst-case scenario, so make sure you know how that works and have a TFTP server set up on a laptop for such purposes ahead of time.)
2. If you are in a low-memory situation, disable logging and other unnecessary processes to free up memory during the upgrade.
3. Reboot once before upgrading to flush any hung processes.
4. Upgrade and, upon reboot, log into the CLI and issue the command: diagnose debug config-error-log read
5. Note any errors that indicate portions of your old log file are not compatible and need to be updated.

     

Based on my readings of these forums, it seems like lots of the problems revolve around HA.  My company is fairly small with fewer than 200 employees so I've always elected to buy two firewalls.  One stays in production and the other is used for testing/POC.  I know this may not be an option for everyone but it has served us well.  As many have learned, "upgrading Fortigates on a whim" is a recipe for disaster.  Using one unit for testing gives you greater flexibility and if the units are identical, it is trivial to take a backup config and load it on the second unit to duplicate your production system for troubleshooting/testing.  It is of course critical to keep your config copies current in the event of a hardware failure.

Based on my experience, unless you have a security or technical reason for doing so, don't upgrade to minor versions.  If you must, try to avoid versions where the firmware isn't at least the second or third version past GA release.  Always read and understand the release notes, what works and what doesn't.  Visit these forums often and learn from others' mistakes.  Often in the past later versions make things more stable.  I'm still not sure what happened with 5.2.4 and 5.2.5 as that doesn't seem to be the case.

Here's a slightly aged link, but it has additional detail on doing upgrades:

https://mbrownnyc.wordpress.com/2013/01/30/upgrading-the-firmware-on-a-fortigate-unit/

     

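A small helper for steps 1, 4 and 5 of the checklist in the accepted answer, added here as an example; it is not code from seadave's post or from Fortinet. It assumes two things that are not stated on this page: that a FortiOS backup file starts with a header line of the form `#config-version=<model>-<version>-FW-build<build>-...`, and that `diagnose debug config-error-log read` prints one `>>> <command> @ <config path>:<message> (error <code>)` line per setting the new firmware refused. The sample header and log lines below are constructed for the example, not captured from a real unit. Before the upgrade the script confirms that the backup you are holding really comes from the firmware you are about to leave; after the upgrade it groups the rejected settings by config section, so you can see which parts of the old config need rewriting before production traffic goes through the box.

```python
"""Pre/post firmware-upgrade config checks for a FortiGate (added example).

Assumptions (not from the forum thread):
  * A FortiOS backup begins with a '#config-version=' header line.
  * 'diagnose debug config-error-log read' prints one '>>> ... @ path:msg' line
    per command the new firmware rejected.  Both samples below are constructed.
"""
import re
import sys
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: first line of a backup taken on 5.2.3 build 670.
SAMPLE_BACKUP_HEADER = (
    "#config-version=FG500D-5.02-FW-build670-150911:opmode=0:vdom=0:user=admin"
)

# Constructed sample output of 'diagnose debug config-error-log read'
# after an upgrade (format assumed; not captured from a real unit).
SAMPLE_ERROR_LOG = """\
>>> "set" "sslvpn-enforce-ssl-version" "enable" @ root.vpn.ssl.settings:command parse error (error -61)
>>> "set" "ips-sensor" "old_sensor" @ root.firewall.policy.12:value parse error (error -3)
"""

HEADER_RE = re.compile(
    r"^#config-version=(?P<model>[^-]+)-(?P<version>[\d.]+)-FW-build(?P<build>\d+)-"
)
ERROR_RE = re.compile(
    r'^>>>\s+(?P<command>.+?)\s+@\s+(?P<path>[^:]+):'
    r'(?P<message>.+?)(?:\s+\(error\s+(?P<code>-?\d+)\))?\s*$'
)


def backup_header_info(first_line: str) -> Optional[Dict[str, object]]:
    """Return model/version/build from a backup's header line, or None."""
    m = HEADER_RE.match(first_line.strip())
    if not m:
        return None
    return {"model": m["model"], "version": m["version"], "build": int(m["build"])}


def backup_matches_running(first_line: str, model: str, version: str, build: int) -> bool:
    """Step 1 check: the backup on disk is from the firmware currently running,
    so a TFTP restore after a downgrade gives back today's config, not a stale one."""
    info = backup_header_info(first_line)
    return info == {"model": model, "version": version, "build": build}


@dataclass(frozen=True)
class ConfigError:
    command: str   # the CLI command the new firmware refused
    path: str      # config tree location, e.g. root.firewall.policy.12
    message: str   # parser message, e.g. 'command parse error'
    code: Optional[int]


def parse_config_error_log(text: str) -> List[ConfigError]:
    """Step 4: turn the config-error-log output into structured records."""
    errors = []
    for line in text.splitlines():
        m = ERROR_RE.match(line.strip())
        if m:
            code = int(m["code"]) if m["code"] else None
            errors.append(ConfigError(m["command"], m["path"], m["message"].strip(), code))
    return errors


def affected_sections(errors: List[ConfigError]) -> Dict[str, List[ConfigError]]:
    """Step 5: group rejected commands by config section (e.g. 'firewall.policy'),
    which is the granularity at which the old config usually needs rewriting."""
    sections: Dict[str, List[ConfigError]] = {}
    for err in errors:
        parts = err.path.split(".")
        if parts and parts[0] == "root":   # drop the leading VDOM/root prefix
            parts = parts[1:]
        sections.setdefault(".".join(parts[:2]), []).append(err)
    return sections


def report(errors: List[ConfigError]) -> str:
    """Human-readable summary, one block per affected section."""
    if not errors:
        return "config-error-log is empty: old config loaded cleanly"
    lines = []
    for section, errs in sorted(affected_sections(errors).items()):
        lines.append(f"[{section}] {len(errs)} rejected command(s)")
        lines.extend(f"  {e.path}: {e.command}  ({e.message})" for e in errs)
    return "\n".join(lines)


if __name__ == "__main__":
    # Pipe the real 'diagnose debug config-error-log read' output on stdin,
    # or run with no input to see the constructed sample.
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_ERROR_LOG
    print(report(parse_config_error_log(raw)))
```

Run it against a copy-paste of the CLI output to get a per-section list of what the new firmware dropped; an empty report is the result you want before moving the unit back into production. The header check is deliberately strict on build number, since a backup from an older build of the same branch is exactly what makes a downgrade-and-restore surprising.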
Gianluca_Caldi

Hi PIDDLAW,

Upgrading to the last available release is the standard answer from Fortinet support to all problems. Sad to say, in particular in recent times, it has proved not to be the best solution at all. FortiOS 5.4 already has a long list of known bugs (read the specific forum) so nobody will really think of moving to it in a production environment for now. Moreover it doesn't work on many old boxes (we've a lot of old Cs, some Bs...) so for a lot of people it's not an option at all.

Fortinet provided a new firmware (5.2.6) -> Fortinet has to have this firmware working, that's simple! Patching, fixing, testing is part of their work, not ours. I'd like us all to do some pushing on these guys in order to solve the problems and not always be looking for some "workaround". Moreover the complaints about the software part of their product are starting to become "embarrassing" (in numbers) for a serious company. I hope they'll change route ASAP or their customers will start to look around (as we're doing after the last year of continuous problems).

I also opened a ticket for this very problem and will keep you updated on what will erupt from it. For now I'm trying to reinstall the VPN clients affected and see if we get some improvement... and when all the phones on my desk ring I simply kill the vpnssld process and get the users working again (at least for a while)..

Bye

Gianluca

FGT: 50E, 100D, 200D, 600D
FMG: VM64

FAZ: VM64

XavierMP

This mess with the bugs is a joke.

It seems 5.2.4 is the most stable version.

So I will continue on it for a while.

     

FGTuser
New Contributor III

The biggest joke is advice from FTNT support to upgrade to 5.4.0.

Seriously? Should we upgrade a critical production box to an "almost beta" release?

NotMine

That is standard advice from almost every tech support I've dealt with so far. Only once have I had a case where they advised me to downgrade a firmware - and it was with HPE. :)

We shouldn't be so harsh on the tech support teams; they are, in my experience at least, really trying to help in every support ticket. :) They asked me to upgrade the firmware only two times, and both times the new firmware had a fix for a reported bug. In my opinion, Fortinet has a small minus on software development and QA, but a BIG PLUS on technical support. On the other hand, their systems are really versatile, and maybe that is their biggest problem?

NSE 7

All opinions/statements written here are my own.

CyberNorris
New Contributor III

I've only had tech support recommend a firmware upgrade once, from 5.2.4 to 5.2.5 because of an issue in 5.2.4 with an IP Pool and VIP having the same IP address.

Norris Carden

Fortinet XTreme Team USA (2015, 2016)

CISSP (2005), CISA (2007), NSE4 (2016)

rpedrica

Does anyone know if the SSL Inspection issue is solved in 5.2.6?

Regards, Robby

emnoc
Esteemed Contributor III

read the release notes

PCNSE

NSE

StrongSwan

Lucascat
New Contributor III

I've updated some small models (40C and 60D) and the memory utilization is the same as on 5.0.12 or 5.2.5 :)

I don't use SSL inspection.

rpedrica
New Contributor

emnoc wrote:

read the release notes

Thanks for that @emnoc, but your answer could have been a little more helpful - e.g. see bug ID 304566 in the release notes ...

Saying that, I didn't ask if Fortinet had indicated that the problem had been resolved; I asked if the problem had been resolved - bit of a difference. Anyone else's experience would be appreciated.

Regards, Robby

emnoc
Esteemed Contributor III

If I can find and download the release notes, which explain a lot of issues, then you could have done the same. A lot of issues with bugs were listed; did you expect me to "read the release notes out to you also?"

You should always read the release notes; that's why they (FTNT) provide them.

;)

Now the real question: who will try 5.2.6 and see if anything else pops up?

     

     

PCNSE

NSE

StrongSwan
