We were operating a pair of 100D Hardware Appliances (v6.2.3 build 1066 GA), running HA in an Active/Passive configuration.
I noticed that the Events Log included a lot of entries regarding application crashes, specifically the IPS Engine.
Fortinet Support advised me to upgrade to 6.2.4 as there was a known issue with the installed version of the IPS Engine. I had been hesitant to do this based on the experiences of those posting here, but felt I had no real option other than to carry out the upgrade.
As of this time (16 hours after the upgrade) we have had no major issues. However, immediately after the upgrade completed there was something not quite right with DHCP. Our FortiGate assigns IP addresses to the 100 Cisco Access Points in our wireless network. After the upgrade, I checked DHCP Monitor and could see no entries (normally there were 100).
As a test I rebooted a single access point and the DHCP Monitor log then showed a lot of entries with a Status of "Removed due to conflict". It appears that the FortiGate had forgotten the IP addresses it had handed out previously, as it tried several addresses from the address pool in an effort to find a free one. If an address is marked as "Removed due to conflict" in the DHCP Monitor, can it no longer be used? I'm afraid that when the access points renew their leases all addresses will have been exhausted.
I'm in the process of rebooting the access points, a few at a time, and manually revoking those addresses marked "removed". This is proving to be quite a lengthy process, but seems to be my only option to ensure that the IP address pool is not exhausted.
I probably could have run the execute dhcp lease-clear all command from the CLI but was unsure if this would have worked. Would it have just forced the 100 APs to renew their existing IP Addresses?
Just thought I'd put this out there in case someone else encounters a similar issue.
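Added example (not part of the original post, and not FortiGate code): a small pool-accounting check that models the situation described above, where addresses marked "Removed due to conflict" stop counting as usable and can push a pool past exhaustion before every client has renewed. The entry format, pool range and sample addresses are constructed; it does not parse the real DHCP Monitor export.

```python
import ipaddress

CONFLICT = "Removed due to conflict"

# Constructed sample of DHCP monitor rows as (ip, status); not real FortiGate output.
SAMPLE_ENTRIES = [
    ("10.20.0.10", "Leased"),
    ("10.20.0.11", "Leased"),
    ("10.20.0.12", CONFLICT),
    ("10.20.0.13", CONFLICT),
    ("10.20.0.14", CONFLICT),
    ("10.20.0.15", "Leased"),
]


def audit_pool(pool_start, pool_end, entries, expected_clients):
    """Classify every address in the pool and flag exhaustion risk.

    free      : pool addresses with no lease and no conflict mark
    conflict  : addresses the server has set aside as "Removed due to conflict"
    reclaim   : the conflict-marked addresses an operator would clear first
    exhausted : True when leased + free < expected_clients, i.e. not every
                client can hold a lease until conflict-marked addresses return
    """
    start = int(ipaddress.IPv4Address(pool_start))
    end = int(ipaddress.IPv4Address(pool_end))
    pool = {str(ipaddress.IPv4Address(i)) for i in range(start, end + 1)}
    leased = {ip for ip, status in entries if status != CONFLICT and ip in pool}
    conflict = {ip for ip, status in entries if status == CONFLICT and ip in pool}
    free = pool - leased - conflict
    return {
        "leased": leased,
        "conflict": conflict,
        "free": free,
        "reclaim": sorted(conflict, key=ipaddress.IPv4Address),
        "exhausted": len(leased) + len(free) < expected_clients,
    }


if __name__ == "__main__":
    # Constructed 7-address pool serving 5 clients: 3 leased, 3 conflict, 1 free.
    report = audit_pool("10.20.0.10", "10.20.0.16", SAMPLE_ENTRIES, 5)
    print("free:", sorted(report["free"]))
    print("reclaim first:", report["reclaim"])
    print("exhaustion risk:", report["exhausted"])
```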