Fortigate 200D - Upgrade firmware from v5.2.3

schrockd · ‎07-08-2016

Hi, I am looking to upgrade firmware of my FG 200D from v5.2.3 to ???... I am not in a huge rush unless there are some audit security reason that are needed. I have 2 units that are in A/P-HA Mode in Production. Which version should I upgrade to. Not sure if going to v5.2.8 or v5.4.1 is best... any Pros and Cons to each version... Any bugs that I need to be worried about...

- using 2 WAN and 3 LAN interfaces

- HA is Active/Passive

- 200+ Policies

- 200+ Object address

- 150+ Services

- 30+ Virtual IPs

- 20+ IP Pools

IPSec VPN Tunnels

SSL VPN Tunnels

I

schrockd · ‎09-15-2016

Hi, can anyone help me here...

Fortigate 200D - Upgrade firmware from v5.2.3

Hi, I am looking to upgrade firmware of my FG 200D from v5.2.3 to ???... I am not in a huge rush unless there are some audit security reason that are needed. I have 2 units that are in A/P-HA Mode in Production. Which version should I upgrade to. Not sure if going to v5.2.8 or v5.4.1 is best... any Pros and Cons to each version... Any bugs that I need to be worried about... - using 2 WAN and 3 LAN interfaces - HA is Active/Passive - 200+ Policies - 200+ Object address - 150+ Services - 30+ Virtual IPs - 20+ IP Pools IPSec VPN Tunnels SSL VPN Tunnels

ede_pfau · ‎09-15-2016

alright, we got it...(you as poster can delete a post which you deem superfluous)

First, don't fix what ain't broken. Really.

IMHO the next stable version after v5.2.3 is v5.2.8. Common opinion is to stay away from v5.4 for the time being.

But, v5.2.8 may have trouble with SSL VPN tunnels (check the latest posts), and the just-released v5.2.9 as well. Of course, not all Fortigates in all production networks have broken SSL VPN tunnels now. It would be wise to search the forums for posts on this.

Ede Kernel panic: Aiee, killing interrupt handler!

emnoc · ‎09-15-2016

How about 5.2.9 ? It's been out since Sept 7 and has a few fix.

Ken

PCNSE

NSE

StrongSwan

ede_pfau · ‎09-15-2016

Usually, I'd suppose that a patch 8 or 9 would be rock solid with minor bug fixes. If you read up on https://forum.fortinet.com/tm.aspx?m=140855 one can see that on certain models (?) or certain configs there can be severe problems.

That's why I'd stay at v5.2.3 if not pressed to upgrade.

Ede Kernel panic: Aiee, killing interrupt handler!

emnoc · ‎09-15-2016

FWIW:

The OP needs to do some homework and review the relaese notes for 5.2.Xs to see if any of he fixes would benefit him. I would not stay on 5.2.3 personally, but that's just me. it's a good habit ;

[ul]

to not jump on the latest rev

not to be 3+ past releases rev

and to stay current as much as reasonably possible[/ul]

Mainly things have been founded and fix between 5.2.3 and 5.2.9. Your talking about a gap of over 12+ months which is like externally in the IT world.

ken

PCNSE

NSE

StrongSwan

schrockd · ‎09-15-2016

Thanks all... I will move to v5.2.8 or v5.2.9. One of the main reason for me not moving up was there wasn't a real audit security reason... but, I see yall point...

ede_pfau · ‎09-16-2016

Check out https://forum.fortinet.com/tm.aspx?m=140975 for a now confirmed bug in v5.2.9 concerning admin access and SSLVPN.

Ede Kernel panic: Aiee, killing interrupt handler!

MikePruett · ‎09-16-2016

In case you didn't know here is the supported upgrade path

5.2.3 > 5.2.5 > 5.2.7 > 5.2.8

I havent progressed to 5.2.9 just yet on devices that are using 5.2.x code

Mike Pruett

Fortinet GURU | Fortinet Training Videos

schrockd · ‎09-16-2016

Ok... thanks.

Fortigate 200D - Upgrade firmware from v5.2.3

Nominate a Forum Post for Knowledge Article Creation

Fortigate 200D - Upgrade firmware from v5.2.3