Upgrading from FortiOS 4 to FortiOS 5, Service ANY/All Problems?
I recently upgraded a Fortigate 40C from FortiOS 4 (the latest release, build 665) to FortiOS 5 build 208. There was an existing configuration with very simple policies (any internal to any over WAN1 using any service with destination interface NAT).
Before the upgrade everything worked just fine, however after the upgrade, no communication to the internet was possible because the Fortigate was blocking all traffic.
I found the problem: Fortinet decided to rename the service "ANY" to "All" (which makes sense IMHO), but didn't bother to upgrade my configuration to reflect this change, thereby essentially breaking my Firewall.
My question is: Has anyone else noticed this behavior? Is there an official word on this from Fortinet?
At work, my team and I manage a larger 3950B Firewall with over 130 Virtual Domains. If this is the normal behavior, upgrading our machine to FortiOS 5 would be a catastrophe, as we would have to go through every single VDOM manually and change service "ANY" to service "All".
I recently did a similar upgrade on an 80C from 4.3.14 (build 665) to 5.0.3 (build 208). The only conversion problem I had was related to web-filter policies, but it was easily fixed.
Ede's advice is what I'd do (the latter unless I couldn't afford the downtime).
I know what can be done to rectify the situation. The config on the 3950B, though, is something to the tune of 35 megabytes, so it's quite a bit of a challenge to modify.
I really wanted to know if anyone else had run into similar issues and if it was documented on Fortinet's side. If you say you did an upgrade on an 80C between the same revisions, then it's probably something specific to the 40C image.
Whenever there is a new firmware release, I would save the config before and after performing the upgrade, then use a text comparison tool (my personal preference is to use WinMerge for this) to see what changes were made. I also use this approach when "converting" configs from one model to another or troubleshooting a customer's fgt (vs a base or test unit config).
Using the above approach we manage to avoid many of the problems noted on these forums.
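The two practical problems raised in this thread are finding every policy that still references the old service name across a very large multi-VDOM backup, and comparing the config before and after an upgrade. The script below is an added example written for this thread, not Fortinet code and not a tool from any poster: it walks the nested config/edit structure of a FortiOS text backup, reports every firewall policy whose `set service` line includes "ANY" together with its VDOM and line number, rewrites those references to "All" while leaving other services on the same line untouched, and produces a unified diff of the two dumps. The SAMPLE_CONFIG is a constructed, minimal imitation of a two-VDOM backup (interface names, policy ids and the "PING" service in it are assumptions, not taken from the thread).

```python
"""Scan a FortiOS configuration backup for firewall policies that still
reference the pre-FortiOS-5 service name "ANY", rewrite them to "All",
and diff the result against the original.
Added example for this thread; not Fortinet code. The config layout
below is a constructed, minimal imitation of a multi-VDOM backup."""
import difflib
import re

# Constructed sample: two VDOMs, four policies; two still use "ANY",
# one uses a named list, one was already converted to "All".
SAMPLE_CONFIG = """\
config vdom
edit root
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
        set nat enable
    next
    edit 2
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
    next
end
next
edit customer1
config firewall policy
    edit 1
        set srcintf "port5"
        set dstintf "port6"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY" "PING"
    next
    edit 2
        set srcintf "port5"
        set dstintf "port6"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "All"
    next
end
next
end
"""

SET_SERVICE_RE = re.compile(r'^(\s*set service\s+)(.*)$')
QUOTED_RE = re.compile(r'"([^"]*)"')


def _walk(lines):
    """Yield (line_no, line, vdom, policy_id, in_policy_block) while tracking
    the nested 'config ... end' / 'edit ... next' structure of the file."""
    stack = []  # each entry: [block name, name of the entry currently being edited]
    for no, line in enumerate(lines, 1):
        s = line.strip()
        if s.startswith("config "):
            stack.append([s[len("config "):], None])
        elif s.startswith("edit ") and stack:
            stack[-1][1] = s[len("edit "):].strip('"')
        vdom, policy_id, in_policy = "root", None, False
        for name, edit in stack:
            if name == "vdom" and edit:
                vdom = edit
            if name == "firewall policy":
                in_policy, policy_id = True, edit
        yield no, line, vdom, policy_id, in_policy
        if s == "next" and stack:
            stack[-1][1] = None
        elif s == "end" and stack:
            stack.pop()


def find_any_service_refs(config_text, old="ANY"):
    """Return [(vdom, policy_id, line_no)] for every firewall policy whose
    'set service' list contains the old service name."""
    hits = []
    for no, line, vdom, policy_id, in_policy in _walk(config_text.splitlines()):
        m = SET_SERVICE_RE.match(line)
        if in_policy and m and old in QUOTED_RE.findall(m.group(2)):
            hits.append((vdom, policy_id, no))
    return hits


def rename_service(config_text, old="ANY", new="All"):
    """Return (rewritten_text, count): the same config with the old service
    name replaced by the new one inside firewall policies only."""
    out, count = [], 0
    for _, line, _, _, in_policy in _walk(config_text.splitlines()):
        m = SET_SERVICE_RE.match(line)
        if in_policy and m:
            names = QUOTED_RE.findall(m.group(2))
            if old in names:
                names = [new if n == old else n for n in names]
                line = m.group(1) + " ".join(f'"{n}"' for n in names)
                count += 1
        out.append(line)
    return "\n".join(out) + "\n", count


def config_diff(before, after):
    """Unified diff of two config dumps (the before/after comparison
    suggested above), returned as a list of lines."""
    return list(difflib.unified_diff(before.splitlines(), after.splitlines(),
                                     "before.conf", "after.conf", lineterm=""))


if __name__ == "__main__":
    for vdom, pid, no in find_any_service_refs(SAMPLE_CONFIG):
        print(f"vdom={vdom} policy={pid} line={no} still uses service ANY")
    fixed, n = rename_service(SAMPLE_CONFIG)
    print(f"rewrote {n} policy line(s)")
    print("\n".join(config_diff(SAMPLE_CONFIG, fixed)))
```

Run it against a real backup by reading the file into `config_text` instead of SAMPLE_CONFIG, and review the diff before restoring anything: the rewrite only touches `set service` lines inside `config firewall policy` blocks, so a custom service object or service group that happens to be named "ANY" elsewhere in the config would need separate handling, and the report step alone is enough to gauge how many VDOMs are affected before committing to a bulk change.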
I had the same problem. I have two FG-100Ds. Our production is running 4.3.18. Upgrade guides indicate I should be able to go from 4.3.18-5.0.10-5.2.2.
I did a factory reset on our backup FG-100D. Then did a TFTP firmware load and boot device format to 4.3.18. Worked fine. Then I restored the production firmware from our 4.3.18 system and all of the settings came over.
Next I upgraded to 5.0.10. I watched via the console and noted that some things were changed using the "diag debug config-error-log read" to show what had changed. All changes were minor.
Finally I upgraded to 5.2.2, again reviewing any errors to the config the first time it reboots.
I spent the rest of the day attempting to test throughput using a temp config between port 15 and WAN 2, thus leaving my other policies intact. I could not get it to work. Finally I realized it was the ALL/ANY problem. I was simply trying to verify services would pass. I knew WAN2 was working as the Firewall registered with Fortinet and downloaded latest updates.
I could ping from the CLI to 126.96.36.199 (Google) but I could not ping via a laptop connected to port 15. Nor could I ping the IP assigned to WAN 2. I finally realized if I changed the service to "Ping" instead of "All" it worked. I also tried ALL_TCP and ALL_UDP. That also did not allow Ping because it is ICMP. So not sure how to create an "allow anything" service definition. I have a few systems that I allow that for outbound because of dynamic ports.
So I'm not sure what the default options should be. Attached is a screenshot of my "General" services. Can someone else on 5.2.2 confirm this is what they have?