jason2
New Contributor

What version of FortiOS should I run?

I am currently running 5.6.12 on my 100D. Now that 6.4 is out, even if it is not for the 100D, I am wondering whether it is time to upgrade to 6.0.9, or is 6.2.3 better? I would follow the upgrade path. I have read about some memory leak issues in the 6.x series; are they fixed in 6.0.9 and/or 6.2.3, or do I have to contact support to get the latest IPS engine? IPsec VPNs are a big thing for me, so I need stability for that. My FortiGate connects via a FortiGate-to-FortiGate VPN to a unit running 5.6.10, I think. I have no control over that unit. Would there be any problems with connecting from a 6.2.3 to a 5.6.10 unit?

nsantin
New Contributor III

I upgraded my 100D HA cluster (Firewall, BGP Routing, VPN, IDS) to 6.0.9 from 5.6.12 and it was probably one of the smoothest upgrades I've seen in 15 years of using FGTs.

5.6.12 has a critical bug with link monitoring, so if you're using multiple links you may want to upgrade just for that. See my thread here: https://forum.fortinet.com/tm.aspx?m=182995

Also, there are some known CVEs in 5.6.12 that apparently will not be fixed in the 5.6 branch.

There is some discussion about an issue with RDP over SSL-VPN that was in 6.0.8 and MAY be fixed in 6.0.9; the bug is no longer in the most recent release notes (either existing or resolved), so the theory is it was "unofficially fixed". I haven't seen any issues with it.

There are no issues with IPsec VPN, and I too have a BO tunnel back to a 5.6 box (no issues) and some Ciscos (no issues).

ede_pfau
Esteemed Contributor III

First off, "if it ain't broke, don't fix it". That is, if your FGT runs OK, I wouldn't upgrade it.

Second, v5.6 is still supported until 2021, whereas if you used v5.4 it was about time to upgrade, no choice.

Third, if you decide you'd have to upgrade, then IMHO better go with v6.0 than v6.2. Skip the first 4-5 patches of any new major line.

There haven't been any complaints about IPsec VPN with v6.0, and I'm using it daily on several FGTs. Yet, if you use IPS... see "First".

Just my 2 cents.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
emnoc
Esteemed Contributor III

It depends.

You upgrade due to security risk,
new features,
known bugs and the remedy for them,
CPU/MEM issues and fixes within a later version,
etc.

Ede did a great job in his explanation, but to add to it: I run 6.4 at my home because it is new and I want to get a feel for it. I just did a FGT100E and we ran 6.2.3 in a production env. It was previously on 6.0.8. In both cases the reason why we upgraded and the version selected depends on that env.

In some cases with a new hardware deployment, you want to upgrade immediately because the shipped model is on some older rev.

e.g. FGT51 shipped with 6.0.2 and the latest version available is 6.0.9.

So many reasons can exist, and your env really mandates if you need to update and to what version. I never would run a bleeding edge version if it has not had 2 or 3 maintenance fixes. The 1st version of any release needs some time to mature and to shake out any problems, especially with FortiOS.

TIP: Also it's wise to upgrade and make a backup before and during any intermediate version along the way to the target and final version.

TIP: If you are in one release it's wise to be within 1-2 of the latest maintenance release for that train.

e.g. FortiOS 6.0.8-6.0.9 would be okay, 6.0.2 would not be wise.
     FortiOS 6.2.2-6.2.3 would be okay, 6.2.0 would not be wise.

Ken Felix

PCNSE
NSE
StrongSwan
ede_pfau
Esteemed Contributor III

@nsantin: thanks for the head-up, it slipped by for me. Time to proceed to v6.0...


Ede

"Kernel panic: Aiee, killing interrupt handler!"
emnoc
Esteemed Contributor III

Yeah, we started doing the same thing, jumping from 6.0.8 to 6.2.3 on FGT100Es.

Ken Felix

PCNSE
NSE
StrongSwan
jason2
New Contributor

I am a believer in "if it ain't broke, don't fix it", but I don't want to get too far behind either. I didn't know there is a lifespan on the firmware. Where can I find that document?

I would only switch to 6.0.9 or 6.2.3, following the upgrade path. I think 6.0.9 is the safer option. I always back up my configuration before an upgrade and after. I am not going to jump to any firmware that is less than 6.x.4 unless I have no choice. Where can I find out about what CVEs are fixed in 6.0.9 but not 5.6.13?

mbi_support

I realize this is quite an old thread, but I've seen this question asked a few times and figured I'd add a quick answer for those that might possibly search and find this thread.

In general, FortiGate firmware branches are supported for 54 months. The clock starts at general availability. New branches are typically released annually.

Example:

Version   Release Date (GA)   End of Support Date (EOS)
5.6       2017-03-30          2021-09-30
6.0       2018-03-29          2022-09-29
6.2       2019-03-28          2023-09-28
6.4       2020-03-31          2024-09-30
7.0       2021-03-30          2025-09-30

This page helps direct you to the general hardware and software lifecycle lookup:

https://kb.fortinet.com/k....do?externalID=FD49527

 

Lifecycle policy:

https://support.fortinet...._Life_Cycle_Policy.pdf
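As an added illustration (not code from this thread, from Fortinet, or from any poster), here is a small Python check that applies the two rules of thumb given above: the 54-month branch lifetime counted from the GA dates in the lifecycle table, and Ken's advice to stay within 1-2 of the latest maintenance release in a train. The latest maintenance numbers per branch are assumptions taken from versions mentioned in the thread at the time it was written.

```python
import re
from calendar import monthrange
from datetime import date

# Branch GA dates, copied from the lifecycle table posted in this thread.
GA_DATES = {
    "5.6": date(2017, 3, 30), "6.0": date(2018, 3, 29), "6.2": date(2019, 3, 28),
    "6.4": date(2020, 3, 31), "7.0": date(2021, 3, 30),
}
# Latest maintenance release per branch as mentioned in the thread at the time
# (assumption for illustration; check Fortinet's release pages for current values).
LATEST_MAINT = {"5.6": 13, "6.0": 9, "6.2": 3}
SUPPORT_MONTHS = 54   # branch lifetime stated in the thread
MAX_LAG = 2           # "within 1-2 of the latest maintenance release"

def parse_version(version):
    """Split a FortiOS build such as '6.0.9' into ('6.0', 9)."""
    m = re.fullmatch(r"(\d+\.\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised FortiOS version: {version!r}")
    return m.group(1), int(m.group(2))

def add_months(d, months):
    """Calendar month arithmetic, clamping the day to the target month's length."""
    total = d.month - 1 + months
    year, month = d.year + total // 12, total % 12 + 1
    return date(year, month, min(d.day, monthrange(year, month)[1]))

def end_of_support(branch):
    """EOS = GA date + 54 months, matching the table in the thread."""
    return add_months(GA_DATES[branch], SUPPORT_MONTHS)

def assess(version, today_iso):
    """Report whether a running build is still supported and reasonably current."""
    branch, maint = parse_version(version)
    if branch not in GA_DATES:
        raise ValueError(f"no lifecycle data for branch {branch}")
    today = date.fromisoformat(today_iso)
    eos = end_of_support(branch)
    latest = LATEST_MAINT.get(branch)
    lag = None if latest is None else latest - maint
    return {
        "branch": branch,
        "end_of_support": eos.isoformat(),
        "supported": today <= eos,
        "maintenance_lag": lag,
        "current_enough": lag is not None and lag <= MAX_LAG,
    }

if __name__ == "__main__":
    for v in ("5.6.12", "6.0.2", "6.0.9"):
        print(v, assess(v, "2020-04-15"))
```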
