Fortinet has an article posted about which FortiOS is recommended in comparison to hardware platforms (Technical Tip: Recommended Release for FortiOS - Fortinet Community). I have been wrecking my brain in trying to better understand what the philosophy is behind the recommendations. FortiOS 7.0 was released roughly 3 years ago (2021-03-30) and therefore has obviously the most bug fixes in it. But according to the product life cycle page it will reach the end of it's engineering support by the end of this month (2024-03-30, Fortinet Service & Support).
FortiOS 7.2 has been on the market for 2 years now (released 2022-03-31). I am surprised that it takes Fortinet roughly 2 years to finally recommend it's own software for usage. It almost seems like the only reason why Fortinet considers the recommendation for 7.2 now is because 7.0 has reached its EOES.
Does anyone know why Fortinet would not potentially recommend versions of the different OS levels? For instance:
- if you are running 7.0 we recommend 7.0.14
- if you are running 7.2 we recommend 7.2.8
- currently we don't recommend 7.4.x.
Is it possible that two or more versions of FortiOS exist that are both still under engineering support and get recommended? Is 2 years "normal" for bugfixes until a release is considered stable/mature?
Thank you in advance for any insights.
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Thank you for your reply. I am aware that certain hardware platforms / generations of firewalls support only up to certain versions of FortiOS. As you already pointed out some of the "D" series might support only FortiOS up to version 6.0.x and therefore it would make no sense to recommend to use a version 7.0.x code for those. However my question is for up-to-date firewalls that support the latest available FortiOS versions. If a Fortigate (lets say the 101F series) supports 7.0.x (3 year old), 7.2.x (2 year old), and 7.4.x (9 month old) then why is it that only FortiOS 7.0.x is recommended? How much time does it take for Fortinet to actually recommend a version? It is normal that a .0 or .1 release of software products are considered to be initial releases and should be used with caution but how long should it take to get a stable release? In the current situation it appears Fortinet does not recommend to use any of the FortiOS versions until they have been out on the market for 2 years. Or to say it different - customers should not expect to be able to use any new available features until 2 years after they were released.
In a direct message to me I did receive this response regarding when releases are considered mature:
These make sense but I see a problem with the 2nd bullet. Fortinet customers don't want to be "beta testers" and will only deploy stable/mature/recommended version - especially if they support large environments. This means Fortinet will not see a high adoption rate of new FortiOS versions for a long time which then again results in Fortinet not recommending the implementation because the deployment numbers are not reached. Maybe this needs to be thought over...
Hello Michael,
The recommendations are based on the Product as well as the vulnerability patch.
Few hardware (for example: D-series) cannot go beyond 7.0.x then the recommendation will be based on the latest vulnerability patch and the mature image in 77.0 versions.
Right now, all 7.4 versions are Feature-release and not mature releases. That's why you do not see it in the recommendations.
Thank you for your reply. I am aware that certain hardware platforms / generations of firewalls support only up to certain versions of FortiOS. As you already pointed out some of the "D" series might support only FortiOS up to version 6.0.x and therefore it would make no sense to recommend to use a version 7.0.x code for those. However my question is for up-to-date firewalls that support the latest available FortiOS versions. If a Fortigate (lets say the 101F series) supports 7.0.x (3 year old), 7.2.x (2 year old), and 7.4.x (9 month old) then why is it that only FortiOS 7.0.x is recommended? How much time does it take for Fortinet to actually recommend a version? It is normal that a .0 or .1 release of software products are considered to be initial releases and should be used with caution but how long should it take to get a stable release? In the current situation it appears Fortinet does not recommend to use any of the FortiOS versions until they have been out on the market for 2 years. Or to say it different - customers should not expect to be able to use any new available features until 2 years after they were released.
In a direct message to me I did receive this response regarding when releases are considered mature:
These make sense but I see a problem with the 2nd bullet. Fortinet customers don't want to be "beta testers" and will only deploy stable/mature/recommended version - especially if they support large environments. This means Fortinet will not see a high adoption rate of new FortiOS versions for a long time which then again results in Fortinet not recommending the implementation because the deployment numbers are not reached. Maybe this needs to be thought over...
Hi @MichaelHinz
Fortigate-100F V6.2.3
Fortigate-60F V6.0.11
i want to upgrade above version , can you please help me , which latest version suitable for above models
Created on 05-27-2024 04:25 PM Edited on 05-27-2024 04:26 PM
Fortinet themselves recommend the following versions for your hardware based on this article (Recommended Release for FortiOS - Fortinet Community:(
100F V7.2.7
60F V7.2.7
The versions you are running a pretty old and no longer officially supported by Fortinet. FortiOS 6.0 was released in 2018 and support stopped in 2022. FortiOS 6.2 was released in 2019 and support stopped in 2023. (Fortinet Service & Support)
Based on Fortinet's recommendation I would at minimum consider 7.2.x as the version to go to. 7.4.x was released last summer (2023) and is still considered fairly new. 7.6.x will be released in June and going to the first released of a brand new version is always a risk.
I don't know what features you use in your Fortigates that will also make a difference. If you have a contract with Fortinet you can ask them to do a "bug scrub" for you. Here you would submit a configuration of a Fortigate to them and they will check it against known issues with the FortiOS you are planning to upgrade to. You will receive a report if known issues (with i.e. 7.2.x or 7.4.x) are known that would affect your configuration and then you can make a decision. Regardless of what the recommendation is - ALWAYS test the new version before rolling it out to a lot of firewalls.
Another best practice to do is to read the "known issues" section of the release notes of the version you are planning to go. For example is the current latest 7.2.8 version release notes you will find this bug (Known issues | FortiGate / FortiOS 7.2.8 | Fortinet Document Library:(
901721 | In a certain edge case, traffic directed towards a VLAN interface could trigger a kernel panic. |
Fortinet has released a special build to address this issue but you can't get that via the portal. If you want it you have to open a ticket with Fortinet and ask for it.
Alternative - wait for 7.2.9 which is scheduled for likely July and hope that this one has no bugs....
Hope this was informative :)
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1647 | |
1070 | |
751 | |
443 | |
214 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.