Has anyone looked at possibly adding memory to the 60F that seems to be experiencing all of the conserve mode issues? We have quite a few recently purchased and I'm regretting the 60-month contract. However, I'd gladly swap a chipset, even if I lose some warranty protection.
Hello,
You may consider VMs due to flexibility:
Hi @olporr,
Conserve mode could be a firmware issue/bug. I suggest opening a ticket to investigate first.
Regards,
I'm curious about the ability to upgrade the memory on my 60F firewalls because beginning with 7.4.4, the devices will no longer support ZTNA with less than 4 GB of RAM. All my 60F's have 2 GB.
Memory is not field upgradable. You would lose any warranty coverage by attempting this. I also wouldn't be surprised if the firmware is expecting a specific memory number and would fail to boot if the memory doesn't match what it is supposed to for a 60F. What version of FortiOS?
It doesn't matter what FortiOS I'm currently running, if I upgrade to 7.4.4 or later, support for the ZTNA proxy is removed if the 60F has less than 2 GB of memory.
My 60F's are all 2 GB models and ZTNA after 7.4.4 is only available on models with 4 GB or more.
Support did say they would provide security updates for the remaining 3-1/2 years of my support contract if I choose to stay at 7.4.3 or older.
Correct, talk to your account team or Fortinet partner about a trade-in or upgrade for your hardware appliance.
We're a non-profit and we just spent $200,000 a little over a year ago for all new Fortigates, so that's a definite non-starter. We anticipated getting 5-8 years out of this most recent purchase.
We're mostly disappointed that the folks at Fortinet didn't sell us a robust enough solution that wouldn't be obsolete a year later in terms of using all available functions of the device.
At the very least, the ability to upgrade RAM to keep pace with evolving functionality during the original 5 years of ownership should have been a priority.
Important Changes in FortiOS 7.4.4
In a significant move by Fortinet, the upcoming FortiOS version 7.4.4 introduces a pivotal change affecting numerous FortiGate devices. Users planning to upgrade need to be aware of the substantial shift from proxy-based features, which will no longer be supported under this new firmware version.
What Changes with FortiOS 7.4.4?
FortiOS 7.4.4 marks the end of support for all proxy-based functionalities. This decision impacts devices with 2GB of RAM or less. For users currently utilizing these features, it’s crucial to note that any configurations related to proxy-based services will not be retained after the upgrade.
Firewall Policies
When configuring firewall rules in a FortiOS 7.4.4 environment, users might encounter a significant change in how rules are processed. Although the user interface allows for rules to be set to proxy-based (assuming `set gui-proxy-inspection` is activated), this setting unfortunately does not influence the behavior of the firewall in practice. This apparent discrepancy in the GUI strongly suggests a bug, as rules that are intended to be proxy-based are instead processed as flow-based.
Security Profiles
Although proxy-based security profiles can still be created and configured on FortiOS 7.4.4, the proxy-based function configured in it is not taken into account during processing.
Explicit Proxy
In addition, the explicit proxy option is now completely greyed out under ‘Feature Visibility’ and cannot be activated. If this feature was enabled prior to the FortiOS 7.4.4 update, all associated rules will be deleted and cannot be recreated. This change significantly limits the configuration options for network administrators who rely on explicit proxy settings.
How to Check Your Device’s RAM?
Before deciding to upgrade, you should verify the amount of RAM in your FortiGate device. This can be done through the Command Line Interface (CLI) with the following command:
```
get system performance status | grep Memory
```
This command will provide details about the system’s performance, including the installed RAM, allowing you to determine if your device will be affected by the new update:
```
fgt01 # get system performance status | grep Memory
Memory: 3806668k total, 1596088k used (41.9%), 1932164k free (50.8%), 278416k freeable (7.3%)
fgt01 # diag hardware sysinfo conserve | grep "total RAM:"
total RAM: 3717 MB
```
Affected Devices
The discontinuation of proxy-based features primarily affects entry-level FortiGate models with 2GB of RAM or less. The list of affected devices includes:
- FortiGate Rugged-35D
- FortiGate/FortiWiFi 40F
- FortiGate/FortiWiFi 40F-3G4G
- FortiGate/FortiWiFi 60/61F
- FortiGate Rugged-60F/-3G4G
- FortiGate Rugged-60F/-3G4G Gen2
- FortiGate Rugged-60F/-3G4G Gen3
- FortiGate Rugged-60F/-3G4G Gen4
Not affected are appliances from FortiGate Rugged-60F/-3G4G Gen5 and up, as well as FortiGate 70/71F and higher models.
Affected Firewall Features
After upgrading to FortiOS 7.4.4 or later, the following proxy features are no longer supported on impacted devices, as they depend on proxy-based inspection:
- Zero Trust Network Access (ZTNA)
- UTM profile with proxy-based inspection mode
- Firewall policy with proxy-based inspection mode
- Explicit and transparent proxies
- Virtual server load balance
- Proxy-only UTM profiles:
  - Video Filter
  - Inline CASB
  - ICAP
  - Web application firewall (WAF)
  - SSH Filter
- WAN optimization
Exceptions to the Rule
Virtual Machines
FortiGate Virtual Machines (VMs) that operate with 2 GB of RAM or less are not subject to this change. These VMs will continue to support proxy-related features even after the upgrade to FortiOS 7.4.4.
FortiOS 7.2 or 7.0 Appliances
Currently, FortiGate appliances running FortiOS 7.0.x and 7.2.x or earlier are not limited by this restriction. Only FortiOS 7.4.4 and higher are affected.
Checking Proxy-Based Sessions
If you want to ensure that proxy-based inspection is still working, you can execute the following CLI command to list all sessions with proxy-based sessions applied:
```
diag sys session list | grep state=redir
```
To show more details about the sessions, you can run:
```
diag sys session list | grep state=redir -A15 -B
```
Additional Information
- [Release Notes](https://docs.fortinet.com/document/fortigate/7.4.4/fortios-release-notes/768039/2-gb-ram-fortigate-m...)
- [Administration Guide](https://docs.fortinet.com/document/fortigate/7.4.4/administration-guide/519079/proxy-related-feature...)
- [New Features Guide](https://docs.fortinet.com/document/fortigate/7.4.0/new-features/519079/proxy-related-features-no-lon...)
- [Admin Guide](https://docs.fortinet.com/document/fortigate/7.4.4/administration-guide/519079)
By following these steps and guidelines, you can ensure a smooth transition to FortiOS 7.4.4 while understanding the limitations and changes in proxy-based features.
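A pre-upgrade check built on the post above, as an added example that is not part of the original post and is not Fortinet tooling: it reads the total from the `Memory:` line and lists firewall policies in a configuration backup that set `inspection-mode proxy`. The 2 GiB threshold, the function names, the low-memory line and the config excerpt are assumptions constructed for illustration.

```python
import re
# Assumption: "2 GB of RAM or less" means the reported total is <= 2 GiB.
TWO_GB_KB = 2 * 1024 * 1024
# Memory line from the post (4 GB unit) and a constructed 2 GB-class line.
PAGE_OUTPUT = "Memory: 3806668k total, 1596088k used (41.9%), 1932164k free (50.8%), 278416k freeable (7.3%)"
LOW_MEM_OUTPUT = "Memory: 1919768k total, 1105000k used (57.6%), 700000k free (36.5%), 114768k freeable (6.0%)"
# Constructed excerpt of a configuration backup.
SAMPLE_CONFIG = """\
config system global
    set hostname "fgt01"
end
config firewall policy
    edit 1
        set inspection-mode proxy
    next
    edit 2
        set name "guest"
    next
end
"""

def total_memory_kb(cli_output):
    """Total memory in kB from 'get system performance status' output."""
    m = re.search(r"^Memory:\s*(\d+)k total", cli_output, re.MULTILINE)
    if not m:
        raise ValueError("no 'Memory:' line found")
    return int(m.group(1))

def proxy_mode_policies(config_text):
    """IDs of firewall policies that set 'inspection-mode proxy'."""
    hits, depth, policy_id = [], 0, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if depth == 0:  # outside the section of interest
            depth = 1 if line == "config firewall policy" else 0
        elif line.startswith("config "):  # nested block inside a policy
            depth += 1
        elif line == "end":
            depth -= 1
        elif depth == 1 and line.startswith("edit "):
            policy_id = line.split(None, 1)[1]
        elif depth == 1 and line == "set inspection-mode proxy":
            hits.append(policy_id)
    return hits

def upgrade_impact(cli_output, config_text):
    """Policies that would lose proxy inspection on 7.4.4+ (low-memory units only)."""
    low = total_memory_kb(cli_output) <= TWO_GB_KB
    return proxy_mode_policies(config_text) if low else []
```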