Hello everyone,
I'm a newbie/newcomer with Fortinet's products.
Now I heard that upgrading to the latest version for FortiGate is not a recommendation. (from product supplier, not Fortinet)
Then, I'd like to find/check more details so what that really does mean.
I found that some points with Resolved/Known issues between the present and the newer version in Release Note
And I want to discuss detail here is related to some resolved CVEs' issues.
Here my discussing matter
・Currently using FortiOS version: 5.6.5
・I want to upgrade to version: 5.6.8
Although, I found that some CVEs (security related issues) that resolved on the 5.6.8 version of the Release Note.
But hold it on, when I reversely check on the CVE-2018-13371 (risk rather high) that written in Release Note of 5.6.8,
With the supported links: https://fortiguard.com/psirt/FG-IR-18-230
On the part [Affected products], I saw this "FortiOS version 5.6.7 and below"
so that means my FortiOS version is included either. And that made insecurity feeling now.
Therefore, I have some thoughts inside
[style="background-color: #ffffff;"]- If I upgrade to the latest version 5.6.8, it will be resolved the issue (but it's not a recommendation from the product supplier). I'm not much experience with Fortinet's products then it's not easy to make a decision.[/style]
[style="background-color: #ffffff;"]- If I do not, I do not know whether it will be a matter or not with the network system (the system run with Fortinet's product is about half of year without any notice/alert related to that security issue) [/style]
So, if someone who got this matter such as me, please help me to figure out or give me some advice on this matter!
Thank you for your help!
Best regards,
Takeshi
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
I don't know the Fortinet's service/support in Japan. But assuming you get every JP version of release notes. I would just check all release notes from 5.6.5 to 5.6.8, or to 5.6.9 just release with one vulnerability fix then especially pay attention to "known issues" with the last 5.6.8 and 5.6.9(I assume they're almost the same because .9 fixed only one item). Then none of them is close enough to how you use the FGT I would just go to 5.6.9. If you have some concern about any specific known issue, you can always open a ticket with TAC (in Japan?) to ask the condition it may occur. Even if you use that particular feature, it may never happen if the condition is very far from your usage.
Make sure you check the upgrade path. Looks like you need to get to 5.6.9 via 5.6.7 from 5.6.5.
By the way, since 6.2.0 is out now, 5.6.x is already two generations older than the latest major version. They may stop fixing minor issues in the near future (if not already). As a matter of fact, I've been waiting them to fix one GUI problem we're experiencing with 5.6.6. But still not in 5.6.9 and they keep saying they already fixed it with 6.0. That's why I decided to go to 6.0.5 next month for our core FGTs and currently testing it. Soon you need to consider that. To me going to 5.6.9 from 5.6.5 is relatively safe. You can also ask the "X-team" but probably get a similar answer.
Upgrading to maintenance fixes is a good thing and we should always state on top of this. Upgrading to a fresh major version could be dangerous ;)
Ken Felix
PCNSE
NSE
StrongSwan
I don't know the context you heard, but I think it meant "going to the latest 6.2.0 is not a good idea". If a vulnerability fix is just released, like 6.0.5, 5.6.9, and you're running 6.0.x or 5.6.x already, going to the latest of the major version is relatively safe. Or no other option if you're literally threaten by the vulnerability.
Dear Toshi Esumi-san,
Thank you for your feedback!
>I don't know the context you heard, but I think it meant "going to the latest 6.2.0 is not a good idea".
→ Yes, it's meant upgrading to the latest version (5.6.8 or 6.2.0) is not a recommendation from the Fortinet's products supplier technical team (temporarily I named them as X team), not directly from the Fortinet team (I could not inquiry directly to the Fortinet Japan team because of the policy/procedure between Fortinet Japan and the product representative/supplier)
>If a vulnerability fix is just released, like 6.0.5, 5.6.9, and you're running 6.0.x or 5.6.x already, going to the latest of the >major version is relatively safe. Or no other option if you're literally threaten by the vulnerability.
→ Yeah, in parallel, as I mentioned before because I do not experience as much with Fortinet's products then it makes me confusing after making an inquiry to the X team. Although I also want to do that, and for making sure, I'd like to discuss on the Fortinet's forum for getting more the ideas/opinions or some people's experiences who faced the matter up such as me!
So that's my status now, and I do not know clearly what I should do on the next actions! It sounds like a disturbing (mixing concern) because the system impact might have occurred without careful readiness!
Before closing this topic, I hope I could give me more advice in details as well as you could share,
And I'm highly appreciated with any helps!
---
Thank you & Regards,
Takeshi
I don't know the Fortinet's service/support in Japan. But assuming you get every JP version of release notes. I would just check all release notes from 5.6.5 to 5.6.8, or to 5.6.9 just release with one vulnerability fix then especially pay attention to "known issues" with the last 5.6.8 and 5.6.9(I assume they're almost the same because .9 fixed only one item). Then none of them is close enough to how you use the FGT I would just go to 5.6.9. If you have some concern about any specific known issue, you can always open a ticket with TAC (in Japan?) to ask the condition it may occur. Even if you use that particular feature, it may never happen if the condition is very far from your usage.
Make sure you check the upgrade path. Looks like you need to get to 5.6.9 via 5.6.7 from 5.6.5.
By the way, since 6.2.0 is out now, 5.6.x is already two generations older than the latest major version. They may stop fixing minor issues in the near future (if not already). As a matter of fact, I've been waiting them to fix one GUI problem we're experiencing with 5.6.6. But still not in 5.6.9 and they keep saying they already fixed it with 6.0. That's why I decided to go to 6.0.5 next month for our core FGTs and currently testing it. Soon you need to consider that. To me going to 5.6.9 from 5.6.5 is relatively safe. You can also ask the "X-team" but probably get a similar answer.
Upgrading to maintenance fixes is a good thing and we should always state on top of this. Upgrading to a fresh major version could be dangerous ;)
Ken Felix
PCNSE
NSE
StrongSwan
I'm so sorry for letting this "sleeps" in a long time,
Until now, the managers not give any decision yet about this because it may harm our business if we make mistakes when doing upgrading. Then, I need to do research more and create an exact plan to do upgrading.
By the way,
> Toshi Esumi-san: Thank you for your feedback. I've got your ideas now, but maybe I'll continue to discuss more this topic with you. So if you don't mind, please share more pieces of advice or overviews in the future discussion. Thank you in advance!
> Ken Felix-san:
Thank you for your suggestions. I'll take that as a reference when doing upgrading!
Thank you all of you, again!
Regards,
Takeshi
Takashi,
I am about to perform a similar upgrade. How did yours go? Was it an HA pair? Did you experience any interruptions during the upgrade?
FortiOS 6.0 can provide SD-WAN capabilities on a FortiGate for greater application visibility and application steering to prioritize business application performance.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1732 | |
1106 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.