Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Fortilover
New Contributor III

Created on ‎06-21-2024 12:12 AM Edited on ‎06-21-2024 12:26 AM

What da heck is going on with Version 7.4.4

Dear all.

 

After upgrading to version 7.4.4 we experience massive performance and handling issues. Can anyone of you confirm this?

 

What I can see among other things are the following facts:

 

  1. When adding new entries to an already existing address group the entries in the group are sorted alphabetically the entries on the right which I want to choose are not. They are sorted by creation. So new entries are at the end.
  2. When adding new entries to a already existing address group the entries on the right I want to add are only loaded when I scoll down and this takes very long. It is like only 30 entries are loaded and the others are not. They will be loaded only when I scroll down to the end. We use hundreds and thousands of entries and the scrolling for new created entries takes minutes now and not only 1-2 seconds like in version 7.4.0. In 7.4.0 just all where loaded directly and I was able to scroll down to the end immediately.
  3. The country database in order to block IPs seems to be completely wrong. Most of the IPs are assigned to Finnland although they are located in Ukraine, Germany, Netherlands, United Arabic Emirates and so on... I have checked the update status of the country database and it seems up to date but it is definetely wrong. countrydb.jpg
  4. Mailing for Actions (Security Fabric -> Automation) is still working but now with another additional Reply To Address (DoNotReply@fortinet-notifications.com). Like described here: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Unable-to-send-FortiToken-email-using-cust...
  5. The bad thing is that mail delivery for 2FA User Logins (SSL VPN for instance) is not working at all anymore. Could be related to the article I have posted in point 4. I have tried everything. It just does not work anymore with custom defined smtp servers. Thanks for that... :(
  6. In the list for Adresses for instance we see the column Ref like in the other versions 7.4.0. But now I cannot filter or sort by Ref anymore. It is/was helpful to see which entries are not used anymore. Now this is not possible anymore in our environment because we have thousands of entries... and scrolling down until to the end and looking for entries with 0 references is quite imppossible.
  7. Bookmarks for websites in VPN Portals seem not to work like before. The connection to the internal server is just blocked although nothing has been changed before and after the update related to those settings. Means our Websites we have provided through Web mode SSL VPN for external accesses will not work anymore.
  8. There are more and more warning messages in the GUI related to legacy web modes: "For increased security, use SSL-VPN tunnel mode instead of the legacy web mode." If it is unsafe why is it now displayed as a warning and not disabled to use?

I really love my Fortigate and the Fortinet infrastructure like you can see in my nickname :) I really do. But this update is really really bad to be honest. Do you experience the same? I am really sure we will rollback to 7.4.0 in the next days. 7.4.4 is quiet impossible to use in comparison to 7.4.4... And why are address groups an address lists now separated? Why?! :D Come on guys from fortinet. Who made this decisions? Can you not just add an option to switch between the old and new GUI so that customers can choose on their own what to use? In my personal opinion this is not a good update for real hugh environments like we have with thousands of entries... 

I think I will find more "not so well" changes. But probably not because I think first off all the best idea is to rollback.

 

With kindest Regards a not so happy FortiLover after updating :(

Labels:
286
2 REPLIES 2
AEK
SuperUser
SuperUser

Created on ‎06-21-2024 04:03 AM

Hi FortiLover

I went through the 7.4.4's known issues and didn't find the bugs you described above, this should mean that you may have discovered new issues in this version. I think if you report these bugs by opening a ticket, Fortinet will handle this issues seriously and correct them in future patches.

 

On the other hand 7.4.0 seems to be a very nice version with nice new features but it is very new and it has not yet reached maturity. So you may already know that you should not install 7.4.x (from 7.4.0 to 7.4.4) in critical production environment, you should rather install the recommended version: 7.2.8, which is stable and vulnerability free (so far).

Ref:  https://community.fortinet.com/t5/FortiGate/Technical-Tip-Recommended-Release-for-FortiOS/ta-p/22717...

 

AEK
AEK
224
0 Kudos
Pittstate
New Contributor III

Created on ‎06-21-2024 09:00 AM

Running 7.4.4 on a new install of 1800F in HA. I see no major issues with performance on 7.4.4. It's not without its behavioral issues, so if you're coming from an earlier version, you will see some changes. Most of the issues I've had are moving from a stand alone (on 7.0.14) to an HA config and some of the nuances there. I've also encountered a behavioral change in how the FG handles timeouts with remote/ldap authentications. I also realize that I'm making a two version jump to the bleeding edge, so I accept the risks that come with the territory.

 

I did notice the sorting issue mentioned in your point #1, and as for #2 you can always filter your search instead of scrolling the gui. If you have thousands of entries, filtering would seem more efficient anyway. I do that and I only have several hundred entries because I don't want to scroll. But these are minor QoL issues and will be fixed as 7.4 matures.

 

Regarding your point #7 and #8, they have disabled web mode by default in new installs. They also tell you to disable it in the 7.4.4 administrator's guide sslvpn security best practices section.

 

Based on what you've written it looks like you've migrated into the 7.4 series and so these features will be enabled and you'll get warnings. To me, it looks like Fortinet is moving away from sslvpn type connections and trying to move people towards certificate based IPSEC or ZTNA policy. A skeptic would say this is for financial purposes, getting people to license their other products. But nearly all the major exploits against a FG in the last few years have involved the sslvpn component. All the major security vendors have had their sslvpns exploited in some fashion in the last year. So, it makes sense for them to try to limit the attack surface.

 

Why don't they just disable it? Because people who had it configured would complain that it suddenly stopped working. So instead they give you a warning message and nudge you to start migrating away from it. Also, I'd imagine Fortinet would disable it if they could as sslvpn has been a major thorn in their side for at least the last 3 years from major security exploit perspective. All of the emergency maintenance patches I've performed have been because of an sslvpn exploit of some kind.

195
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.