Dear all.
After upgrading to version 7.4.4 we experience massive performance and handling issues. Can anyone of you confirm this?
What I can see among other things are the following facts:
I really love my Fortigate and the Fortinet infrastructure like you can see in my nickname :) I really do. But this update is really really bad to be honest. Do you experience the same? I am really sure we will rollback to 7.4.0 in the next days. 7.4.4 is quite impossible to use in comparison to 7.4.4... And why are address groups and address lists now separated? Why?! :D Come on guys from Fortinet. Who made these decisions? Can you not just add an option to switch between the old and new GUI so that customers can choose on their own what to use? In my personal opinion this is not a good update for really huge environments like we have with thousands of entries...
I think I will find more "not so well" changes. But probably not because I think first of all the best idea is to rollback.
With kindest Regards a not so happy FortiLover after updating :(
Hi FortiLover
I went through the 7.4.4's known issues and didn't find the bugs you described above; this should mean that you may have discovered new issues in this version. I think if you report these bugs by opening a ticket, Fortinet will handle these issues seriously and correct them in future patches.
On the other hand 7.4.0 seems to be a very nice version with nice new features but it is very new and it has not yet reached maturity. So you may already know that you should not install 7.4.x (from 7.4.0 to 7.4.4) in a critical production environment; you should rather install the recommended version: 7.2.8, which is stable and vulnerability free (so far).
Running 7.4.4 on a new install of 1800F in HA. I see no major issues with performance on 7.4.4. It's not without its behavioral issues, so if you're coming from an earlier version, you will see some changes. Most of the issues I've had are moving from a standalone (on 7.0.14) to an HA config and some of the nuances there. I've also encountered a behavioral change in how the FG handles timeouts with remote/LDAP authentications. I also realize that I'm making a two version jump to the bleeding edge, so I accept the risks that come with the territory.
I did notice the sorting issue mentioned in your point #1, and as for #2 you can always filter your search instead of scrolling the GUI. If you have thousands of entries, filtering would seem more efficient anyway. I do that and I only have several hundred entries because I don't want to scroll. But these are minor QoL issues and will be fixed as 7.4 matures.
Regarding your point #7 and #8, they have disabled web mode by default in new installs. They also tell you to disable it in the 7.4.4 administrator's guide sslvpn security best practices section.
Based on what you've written it looks like you've migrated into the 7.4 series and so these features will be enabled and you'll get warnings. To me, it looks like Fortinet is moving away from sslvpn type connections and trying to move people towards certificate based IPSEC or ZTNA policy. A skeptic would say this is for financial purposes, getting people to license their other products. But nearly all the major exploits against a FG in the last few years have involved the sslvpn component. All the major security vendors have had their sslvpns exploited in some fashion in the last year. So, it makes sense for them to try to limit the attack surface.
Why don't they just disable it? Because people who had it configured would complain that it suddenly stopped working. So instead they give you a warning message and nudge you to start migrating away from it. Also, I'd imagine Fortinet would disable it if they could, as sslvpn has been a major thorn in their side for at least the last 3 years from a major security exploit perspective. All of the emergency maintenance patches I've performed have been because of an sslvpn exploit of some kind.
Copyright 2024 Fortinet, Inc. All Rights Reserved.