I am planning and preparing to upgrade my FG200D HA cluster (2 units). The current version is 5.2.10.
Question 1) Do you guys find the support.fortinet.com upgrade path tool reliable?
I ask this question because using the tool for 5.2.10 to 5.6.5 is kind of weird (5.2.10 > 5.4.6 > 5.6.3 > 5.6.5)
I was thinking (5.2.10 > 5.2.12 > 5.4.9 > 5.6.5). I just want to make sure I avoid the IPSEC bug in the upgrade to 5.6.4.
Question 2) Would you risk 5.6.5 or stick with 5.4.9? I don't have any zones in 5.2.x so I don't think I need to worry about the zone VLAN interface bug. I would like to use the 5.6.x feature that allows address objects in the policy routes.
FG200D 5.6.5 (HA) - primary FWF50B's 4.3.x, FG60D's 5.2.x, FG60E's 5.4.x FAZ-VM 5.6.5 | Fortimail 5.3.11 Network+, Security+
Follow the migration tool and more importantly read the release notes ;)
As far as even one, I would go 5.6 since most items have been shaken out and it is quite developed for the 2nd to last train.
PCNSE
NSE
StrongSwan
I think (not sure) the tool is showing just one possible upgrade path simply based on the fact that each step of the upgrade is supported, without considering what kinds of bugs are in the version, which might break previous config depending on the features configured and used.
Based on the assumption, I think (again) your educated discretion is necessary to modify the entire path from the one given by the tool to avoid some particular upgrade problems, by checking each step using the same tool since that information is no longer provided with release notes.
At this moment, at least I don't have any problems deploying 5.6.5 IF we didn't have zones with the parent and vlan sub-interfaces. Practically it's impossible to upgrade those FGTs in the field. However, that's the only issue holding us from upgrading the whole fleet of our FGTs. Others in the forum might have different opinions (likely).
According to the Fortinet Support portal:
Recommended Upgrade Path

Following is the recommended FortiOS migration path for your product.

Version | Build Number |
---|---|
5.2.10 | 9428 |
5.2.12 | 9782 |
5.4.9 | 1202 |

Recommended Upgrade Path

Following is the recommended FortiOS migration path for your product.

Version | Build Number |
---|---|
5.2.10 | 9428 |
5.4.6 | 1165 |
5.6.3 | 1547 |
5.6.5 | 1600 |

--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Thank you all for the feedback. I have been testing my upgrade at my desk on some similar hardware. My team decided we would go to 5.6.5 on 8/28/2018.
5.2.10 > 5.2.12 > 5.4.9 > 5.6.5 seems to work fine. All the config errors during upgrade seem to be minor things (dashboards, snmp, etc...)
I upgraded to 5.6.5 and everything went pretty smooth. I see that 5.6.6 is out now too which addresses a few things that have held some people back. I am hoping 5.6.6 is solid.
The only minor issue I have gotten calls about is that we have action "warn" set for unrated websites (which I recommend for stopping the payload download phase of some malware). This had been set up for many months prior to the upgrade. After the upgrade, people started having things (credit card machines, specialized VPN software, etc.) not work. When I looked at the logs, it was blocked HTTP/HTTPS requests to an IP address. I created a special rule and/or did some web rating overrides depending on the situation. I wonder if 5.6 actually "Warns" on unrated websites more thoroughly.
Copyright 2024 Fortinet, Inc. All Rights Reserved.