Greetings all,
We opened a case with Fortinet support on an IPSEC VPN tunnel issue with a Fortigate 60E where the VPN tunnel goes down every 12 hours. They couldn't definitively find a root cause and have advised us to upgrade to a newer version of the firmware. This was a good reminder for us to work towards upgrading all of the Fortigates in our small fleet and do a better job of keeping them up to date going forward.
Current hardware and versions:
100D (active/passive HA pair) running 5.4.2
100D running 5.4.2
60E running 5.4.5 <- this is the one having the VPN issue
60E running 5.6.10
Questions:
1) Our original plan was to get all firewalls up to 5.6.10, however we noticed that when 5.6.11 was released the upgrade path changed dramatically. We are now wondering if it makes more sense to target the 6.0 train, specifically 6.0.6. We are currently reviewing release notes, but are there any major known issues running 6.0.6 in a production environment or any known issues with the below Fortinet recommended upgrade paths?
5.4.2 -> 5.4.4 -> 5.6.2 -> 5.6.6 -> 6.0.4 -> 6.0.6
5.4.5 -> 5.6.2 -> 5.6.6 -> 6.0.4 -> 6.0.6
5.6.10 -> 6.0.6
2) Any recommendations on the best way to upgrade an HA pair? This will be the first time upgrading this pair and want to do what we can to give us the best shot at a smooth upgrade and recovery if it goes south. We will be following the standard advice for all of our upgrades such as keeping a copy of the config at each step, having each firmware version downloaded, allowing restoration of firmware/config from USB, and rebooting the firewalls prior to performing the first upgrade. Specifically for an HA pair, I recall reading about verifying that the firewalls are in sync and have found the commands to do so. Any other critical steps to take for upgrading a standalone or HA pair?
Thanks in advance!
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
I keep warning everybody in this forum but make sure you don't use zones that have the parent non-tagged interface and child vlan sub-interfaces as members. Those vlan interfaces would be thrown out from the zone when you upgrade 5.4.x to 5.6.0-5. If you do have them, find a path avoiding those versions.
Hi,
'lesson learnt' from last upgrade - verify if flash on both cluster members is fine, not like this:
FW01 (global) $ diag sys flash list Command fail. Return code -1 FW01 (global) $
@Toshi Esumi - We have tagged VLAN sub-interfaces, but we don't use zones.
@hubertzw - You mentioned not verifying the flash with the "diag sys flash list" command. Which command did you end up using, if you don't mind me asking?
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1662 | |
1077 | |
752 | |
446 | |
220 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.