Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Paul_S
Contributor

Upgrade path 5.2.10 to 5.6.5 or 5.2.10 to 5.4.9

I am planning and preparing to upgrade my FG200D HA cluster (2 units). current version is 5.2.10.

 

Question 1) Do you guys find the support.fortinet.com upgrade path tool reliable?

I ask this question because using the tool for 5.2.10 to 5.6.5 is kind of weird (5.2.10 > 5.4.6 > 5.6.3 > 5.6.5)

I was thinking (5.2.10 > 5.2.12 > 5.4.9 > 5.6.5).  I just want to make sure I avoid the IPSEC bug in the upgrade to 5.6.4.

 

Question 2) Would you risk 5.6.5 or stick with 5.4.9?  I don't have any zones in 5.2.x do I don't think I need to worry about the zone VLAN interface bug. I would like to use the 5.6.x feature that allows address objects in the policy routes.

FG200D 5.6.5 (HA) - primary [size="1"]FWF50B' s 4.3.x, FG60D's 5.2.x, FG60E's 5.4.x                   [Did my post help you? Please rate my post.][/size] FAZ-VM 5.6.5  |  Fortimail 5.3.11 Network+, Security+

FG200D 5.6.5 (HA) - primary [size="1"]FWF50B' s 4.3.x, FG60D's 5.2.x, FG60E's 5.4.x [Did my post help you? Please rate my post.][/size] FAZ-VM 5.6.5 | Fortimail 5.3.11 Network+, Security+
5 REPLIES 5
emnoc
Esteemed Contributor III

Follow the migration  tool and more importantly read the  release notes ;)

 

As far as even one, I would go 5.6 since most items have been shake out and it quite developer for the 2nd to last train.

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
Toshi_Esumi
SuperUser
SuperUser

I think (not sure) the tool is showing just one possible upgrade path simply based on the fact that each step of the upgrade is supported, without considering in what kinds of bags are with the version, which might break previous config depending on the features configured and used.

Based on the assumption, I think (again) your educated discretion is necessary to modify the entire path from the one given by the tool to avoid some particular upgrade problems, by checking each step using the same tool since that information is no longer provided with release notes.

 

At this moment, at least I don't have any problems deploying 5.6.5 IF we didn't have zones with the parent and vlan sub-interfaces. Practically it's impossible to upgrade those FGTs in the field. However, that's the only issue holding us from upgrading the whole fleet of our FGTs. Others in the forum might have different opinions (likely).

sw2090
SuperUser
SuperUser

Accoarding to the Fortinet Support portal:

 

Recommended Upgrade Path Following is the recommended FortiOS migration path for your product. Version Build Number

5.2.10  9428

5.2.12  9782

5.4.9    1202

 

Recommended Upgrade Path Following is the recommended FortiOS migration path for your product. Version   Build Number

5.2.10    9428

5.4.6      1165

5.6.3      1547

5.6.5      1600

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

-- "It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Paul_S

Thank you all for the feedback. I have been testing my upgrade at my desk on some similar hardware. My team decided we would go to 5.6.5 on 8/28/2018.

 

5.2.10 > 5.2.12 > 5.4.9 > 5.6.5   seems to work fine. All the config errors during upgrade seem to be minor things (dashboards, snmp, etc...)

FG200D 5.6.5 (HA) - primary [size="1"]FWF50B' s 4.3.x, FG60D's 5.2.x, FG60E's 5.4.x                   [Did my post help you? Please rate my post.][/size] FAZ-VM 5.6.5  |  Fortimail 5.3.11 Network+, Security+

FG200D 5.6.5 (HA) - primary [size="1"]FWF50B' s 4.3.x, FG60D's 5.2.x, FG60E's 5.4.x [Did my post help you? Please rate my post.][/size] FAZ-VM 5.6.5 | Fortimail 5.3.11 Network+, Security+
Paul_S

I upgraded to 5.6.5 and everything went pretty smooth. I see that 5.6.6 is out now too which addresses a few things that have held some people back. I am hoping 5.6.6 is solid.

 

The only minor issue I have gotten calls about is that we have action "warn" set for unrated website (which I recommend for stopping the payload download phase of some malware). This has been setup for many months prior to the upgrade. after the upgrade people started having things (credit card machines, specialized VPN software, etc..) not work. When I looked at the logs it was blocked HTTP/HTTPS requests to an IP address. I created a special rule and/or did some web rating overrides depending on the situation.  I wonder if 5.6 actually "Warns" on unrated website more thoroughly.

FG200D 5.6.5 (HA) - primary [size="1"]FWF50B' s 4.3.x, FG60D's 5.2.x, FG60E's 5.4.x                   [Did my post help you? Please rate my post.][/size] FAZ-VM 5.6.5  |  Fortimail 5.3.11 Network+, Security+

FG200D 5.6.5 (HA) - primary [size="1"]FWF50B' s 4.3.x, FG60D's 5.2.x, FG60E's 5.4.x [Did my post help you? Please rate my post.][/size] FAZ-VM 5.6.5 | Fortimail 5.3.11 Network+, Security+
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors