FortiOS 6.2.0 is out!

Author
Selective
Expert Member
  • Total Posts : 2741
  • Scores: 115
  • Reward points: 0
  • Joined: 2007/07/03 10:44:56
  • Location: Gothenburg - Sweden
  • Status: offline
2019/03/29 07:19:23 (permalink)
0

FortiOS 6.2.0 is out!

.
#1
Cls
New Member
  • Total Posts : 2
  • Scores: 4
  • Reward points: 0
  • Joined: 2007/08/21 01:09:04
  • Status: offline
Re: FortiOS 6.2.0 is out! 2019/03/29 16:54:06 (permalink) ☄ Helpfulby SMabille 2019/03/30 07:30:45
5 (2)
Quick note from first impressions on my test device:
As read in Release Notes / Changes in default behavior:
-FortiOS 6.2.0 removes any use of device enforcement from various FortiGate features.
 
This means that all policies and setups that are using Devices or Devices-Groups in policy will have "open" policies after upgrading to 6.2.0.
I cannot find any obvious replacements for Device feature per now.
 
If anyone has more info on what Fortinet's plan on this is, I would appreciate a shoutout.. :)
 
 
Best Regards,
Runar
#2
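A pre-upgrade check for the behaviour change described in the post above, as an added example that is not part of the original thread or of Fortinet's tooling: it scans a saved configuration backup and lists the firewall policies that match on devices, flagging those whose source address is `all`. It assumes a 6.0-style backup stores device matches as `set devices` inside `config firewall policy`; the sample config and the `device_only` field are constructed for illustration.

```python
import shlex

# Constructed sample in FortiOS 6.0 backup style (not taken from the thread).
SAMPLE_CONFIG = '''\
config firewall policy
    edit 1
        set name "iot-to-cloud"
        set srcaddr "all"
        set devices "iot-cameras" "printer"
    next
    edit 2
        set name "staff-web"
        set srcaddr "staff-net"
    next
end
'''

def device_policies(config_text):
    """Return the firewall policies that carry a `set devices` match."""
    findings, depth, cur = [], 0, None  # depth 0 = outside the policy table
    for raw in config_text.splitlines():
        line = raw.strip()
        if depth == 0:
            depth = 1 if line == "config firewall policy" else 0
            continue
        try:
            tok = shlex.split(line)
        except ValueError:  # part of a multi-line quoted value; skip it
            continue
        if not tok:
            continue
        if tok[0] == "config":
            depth += 1  # nested table inside a policy entry
        elif tok[0] == "end":
            depth -= 1
        elif depth == 1 and tok[0] == "edit" and len(tok) > 1:
            cur = {"id": tok[1], "name": "", "srcaddr": [], "devices": []}
        elif depth == 1 and cur and tok[0] == "set" and len(tok) > 2:
            if tok[1] == "name":
                cur["name"] = tok[2]
            elif tok[1] in ("srcaddr", "devices"):
                cur[tok[1]] = tok[2:]
        elif depth == 1 and cur and tok[0] == "next":
            if cur["devices"]:
                # With srcaddr "all", the device match was the only source filter.
                cur["device_only"] = cur["srcaddr"] == ["all"]
                findings.append(cur)
            cur = None
    return findings
```

Policies reported with `device_only` set are the ones to review first, since nothing but the device match narrowed their source.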
SMabille
Silver Member
  • Total Posts : 69
  • Scores: 18
  • Reward points: 0
  • Joined: 2013/03/31 15:39:51
  • Status: offline
Re: FortiOS 6.2.0 is out! 2019/03/30 07:38:48 (permalink)
5 (2)
Indeed, no clear warning (besides a small note in default behaviour).
Likely to catch lots of customers (I'm using devices for IoT devices, but also to disable SSL inspection for specific applications on iOS that refuse custom CA).
There is no documentation or recommendation on best approach to replace this. It's very very disappointing to say the least. Hopefully the feature will be back or credible alternative provided. Until then I can't really see any practical way to solve the issue.
The only way I can imagine is to reserve MAC in DHCP in specific range for specific device but:
- Would run out of address quickly
- Impractical for BYOB scenario or large estate of iOS devices

Can't think of a good reason to suppress the feature. Upgrades shouldn't be about deprecating features without clear notice.
 
Really three steps backward for IoT management.
 
 
Cls
Quick note from first impressions on my test device:
As read in Release Notes / Changes in default behavior:
-FortiOS 6.2.0 removes any use of device enforcement from various FortiGate features.
 
This means that all policies and setups that are using Devices or Devices-Groups in policy will have "open" policies after upgrading to 6.2.0.
I cannot find any obvious replacements for Device feature per now.
 
If anyone has more info on what Fortinet's plan on this is, I would appreciate a shoutout.. :)
 
 
Best Regards,
Runar




#3
ThomasK
New Member
  • Total Posts : 5
  • Scores: 2
  • Reward points: 0
  • Joined: 2019/03/22 05:04:03
  • Status: offline
Re: FortiOS 6.2.0 is out! 2019/03/30 14:58:13 (permalink) ☄ Helpfulby SMabille 2019/04/01 05:07:26
5 (1)
Very strange, they also stop Fortigate telemetry functionality from Fortigate and removed the feature. Are they crazy? (sorry for the wording). Should we really install EMS (including necessary Windows license) just for compliance enforcement? And the paid telemetry license and maintenance fees are for nothing?

https://docs.fortinet.com...oint-telemetry-license
post edited by ThomasK - 2019/03/30 15:18:49
#4
neonbit
Expert Member
  • Total Posts : 511
  • Scores: 65
  • Reward points: 0
  • Joined: 2013/07/02 21:39:52
  • Location: Dark side of the moon
  • Status: offline
Re: FortiOS 6.2.0 is out! 2019/03/31 19:49:18 (permalink)
5 (1)
Shame about the device management being removed, was really a cool feature.
 
On the flip side the new SD-WAN SLAs are great, and the new 'Undo' feature when you change a policy in the GUI is awesome too.
#5
James_G
Silver Member
  • Total Posts : 66
  • Scores: 4
  • Reward points: 0
  • Joined: 2016/02/28 02:55:47
  • Status: offline
Re: FortiOS 6.2.0 is out! 2019/04/01 02:21:07 (permalink)
0
The release notes do not list 60D as supported, is this correct?
#6
bommi
Gold Member
  • Total Posts : 143
  • Scores: 10
  • Reward points: 0
  • Joined: 2016/08/03 03:42:49
  • Location: Germany
  • Status: offline
Re: FortiOS 6.2.0 is out! 2019/04/01 03:42:27 (permalink)
0
Yes it is correct, the 60D is not supported in 6.2 and later.
#7
James_G
Silver Member
  • Total Posts : 66
  • Scores: 4
  • Reward points: 0
  • Joined: 2016/02/28 02:55:47
  • Status: offline
Re: FortiOS 6.2.0 is out! 2019/04/01 04:20:38 (permalink)
0
How does that work when the 60D is supported until 2023, but 6.0 is only supported to 2022?
 
#8
bommi
Gold Member
  • Total Posts : 143
  • Scores: 10
  • Reward points: 0
  • Joined: 2016/08/03 03:42:49
  • Location: Germany
  • Status: offline
Re: FortiOS 6.2.0 is out! 2019/04/01 04:30:26 (permalink)
0
Please check the Product Lifecycle Page:
https://support.fortinet.com/Information/ProductLifeCycle.aspx
 
You will find several statements with a list of devices which aren't supported by the latest releases.
These devices get extended access to Customer Services until these devices are EOL.
 
 
#9
seadave
Platinum Member
  • Total Posts : 302
  • Scores: 43
  • Reward points: 0
  • Joined: 2004/11/03 18:02:09
  • Location: Seattle, WA
  • Status: offline
Re: FortiOS 6.2.0 is out! 2019/04/01 16:41:07 (permalink)
0
Bummer regarding device ID.  Has been a bit flakey, but I use it on a 60E at home.  Perhaps this is due to the increasing use of dynamic MACs in Android and iOS?  I wondered how that would impact things like FG Device ID and NACs that rely on that to identify a device.
 
I remember having all of my policies color coded in 4.3 and then 5.0 wiped those out.  Now they returned in 5.6.  I also agree that major changes like this need to be in BOLD text at the front of the release notes.  This will certainly ruin someone's afternoon who isn't careful.
#10
seadave
Platinum Member
  • Total Posts : 302
  • Scores: 43
  • Reward points: 0
  • Joined: 2004/11/03 18:02:09
  • Location: Seattle, WA
  • Status: offline
Re: FortiOS 6.2.0 is out! 2019/04/01 18:02:31 (permalink)
0
I'm guessing they are going to drive folks towards FortiNAC for such things as it relates to device IDs.
 
https://www.fortinet.com/products/network-access-control.html
 
#11
tanr
Platinum Member
  • Total Posts : 646
  • Scores: 25
  • Reward points: 0
  • Joined: 2016/05/09 17:09:43
  • Status: offline
Re: FortiOS 6.2.0 is out! 2019/04/01 19:38:38 (permalink)
5 (3)
FortiNAC is not exactly cheap.  And if you want to use their FortiNAC appliances instead of VMs it costs way more than the firewalls, at least for my application.  I really hope there is some other device ID solution.  In combination with the new EMS requirements for FortiClient compliance enforcement this is looking problematic at best. 
#12
seadave
Platinum Member
  • Total Posts : 302
  • Scores: 43
  • Reward points: 0
  • Joined: 2004/11/03 18:02:09
  • Location: Seattle, WA
  • Status: offline
Re: FortiOS 6.2.0 is out! 2019/04/01 20:59:48 (permalink) ☄ Helpfulby SEI 2019/04/01 23:44:40
5 (3)
Agreed.  At some point the FortiFabric becomes FortiExpensive!  I say that as a very loyal customer, but we all have our limits.  I'd still put their price point and solutions up against anyone else.  All of the Cisco vulns coming out lately have made me happy I didn't swallow that pill long ago.
post edited by seadave - 2019/04/01 21:01:28
#13
Adrian Lewis
Gold Member
  • Total Posts : 315
  • Scores: 5
  • Reward points: 0
  • Joined: 2004/03/08 23:17:37
  • Status: offline
Re: FortiOS 6.2.0 is out! 2019/04/02 01:52:48 (permalink)
0
Got a 60E with a couple of FAP221Es at home and can't get my Sonos devices to connect to the wireless at all since upgrading. Everything else is fine including every other wireless client. No major issues with the upgrade. Went from 6.0.4 to 6.2.0. Seems that even when I connect the Sonos devices via ethernet, the multicast forwarding for the App to discover the devices (SSDP) has also changed behaviour. Worked fine before. Right now though, I'm just stuck with getting the devices onto the wifi.
 
I notice that during the beta there were some specific FortiAP builds to work with 6.2 but the release notes state that older FortiAP versions should still be supported.
 
Will keep debugging when I get time but is anyone else seeing issues with FortiAPs?
#14
SMabille
Silver Member
  • Total Posts : 69
  • Scores: 18
  • Reward points: 0
  • Joined: 2013/03/31 15:39:51
  • Status: offline
Re: FortiOS 6.2.0 is out! 2019/04/02 02:04:08 (permalink)
5 (1)
Hi,
 
Not really, FortiNAC doesn't replace the device type based policies, there isn't an overlap of functionalities.
Also licensing model is unadapted to small Fortigate deployment (minimum 2000 ports).
 
The strategy doesn't really make much sense for a company that has been pushing IoT in marketing.

So hopefully the feature will be back in 6.2.x (or 6.4 but then would need a migration path from 6.0 not to lose the config).
Otherwise it will open the question of extended support. Device based policies is a key feature for some customers, so being unable to upgrade as functionality has been removed, they would then expect 6.0 to be supported until either feature is back or EOL of the appliances (E series, so years away). 
 
Definitely a case of bad product management... (now the release quality seems to improve, features are taken away). It takes a serious amount of efforts to defend Fortinet with customers.  
 
dfollis
I'm guessing they are going to drive folks towards FortiNAC for such things as it relates to device IDs.
 
https://www.fortinet.com/products/network-access-control.html
 




#15
SMabille
Silver Member
  • Total Posts : 69
  • Scores: 18
  • Reward points: 0
  • Joined: 2013/03/31 15:39:51
  • Status: offline
Re: FortiOS 6.2.0 is out! 2019/04/02 02:13:41 (permalink)
0
Good luck with that one, once the support for 6.0 ends and customers are forced to upgrade to 6.2 and cash out new licenses to keep the functionality, in most European countries it will be assimilated to forced sales (and is obviously illegal). I can see court cases coming....
 
Another way to build/keep good customers relationship, not!
 
ThomasK
Very strange, they also stop Fortigate telemetry functionality from Fortigate and removed the feature. Are they crazy? (sorry for the wording). Should we really install EMS (including necessary Windows license) just for compliance enforcement? And the paid telemetry license and maintenance fees are for nothing?

https://docs.fortinet.com...oint-telemetry-license




#16
Andrej K
New Member
  • Total Posts : 4
  • Scores: 2
  • Reward points: 0
  • Joined: 2019/04/02 02:41:51
  • Status: offline
Re: FortiOS 6.2.0 is out! 2019/04/02 02:53:45 (permalink)
0
Removing Device Identification is just crazy. We can talk all we want about security/static ip/mac and traffic sniffing, but it just makes sense to have more security features available to you, not less. But I guess the new Fortinet policy - "Fortinet who cares".
Well I learned one thing for me - it would not be the straight swap to a newer model despite liking Fortigate devices. I better go through pain of PoC with other vendors rather than accepting "removing the features just because" This is true for EMS/DeviceID/Client enforcement/Compliance licenses/etc. 
I feel like in pay to win games. With every new release the features which were available disappear and I need to buy either new device or new license to replace removed feature. 
Fortinet, your customers are not a cow you can milk to death for money by removing features.
 
#17
ThomasK
New Member
  • Total Posts : 5
  • Scores: 2
  • Reward points: 0
  • Joined: 2019/03/22 05:04:03
  • Status: offline
Re: FortiOS 6.2.0 is out! 2019/04/02 02:59:42 (permalink)
0
Based on the FortiNet support, EMS 6.2 will be available in Q3/2019.


So if you update to FortiGate 6.2, you will lose Telemetry/Compliance enforcement and EMS 6.2, which will take over that functionality, is not released yet.
 
 
#18
seadave
Platinum Member
  • Total Posts : 302
  • Scores: 43
  • Reward points: 0
  • Joined: 2004/11/03 18:02:09
  • Location: Seattle, WA
  • Status: offline
Re: FortiOS 6.2.0 is out! 2019/04/02 09:27:12 (permalink) ☄ Helpfulby tanr 2019/04/02 10:04:28
5 (2)
I agree that the removal of device identification will be painful for smaller shops trying to use it as a basic NAC.  I use it that way at home and it works great.  Very useful in these instances.  For those of us with a routed core environment that didn't consist of FortiSwitches it was useless.  So at the very least they should have kept it available as an on/off feature.
 
That complaint aside, there are some pretty amazing new features in 6.2:
 
http://video.fortinet.com/latest/workspace-mode-for-fortios-config
 
The external block lists and multiple DNS domains are great, as is the log consistency and some TLS 1.3 inspection.
 
But like so many have said before, cool your jets a bit before upgrading, unless you have a very small shop and need to use some of the automation hooks for example.  If you have other products such as FAZ/FAC/EMS/FWF, make sure those are compatible first and follow the upgrade path documents.
 
Wait a few releases for the features to bake in and then follow the upgrade good practice of backing up your config before the upgrade while keeping a copy of your current firmware on a USB so you can restore both if 6.2 breaks something critical and you need to revert.  It still amazes me how many folks throw caution to the wind when upgrading firmware.
#19
SEI
New Member
  • Total Posts : 4
  • Scores: 2
  • Reward points: 0
  • Joined: 2017/08/23 07:13:24
  • Location: Switzerland
  • Status: offline
Re: FortiOS 6.2.0 is out! 2019/04/03 03:01:38 (permalink)
5 (1)
It is painful  for bigger shops who use it as a basic NAC.  We use it in large environments and it works great. Very useful in all these instances.  For those of us who use the FortiGate(s) as the routed core that consist also of Third Party Switches.
 
We use FGT1200D active-active Cluster with 3 branch offices connected/secured by FGT500E active-active Cluster and single FGT500E.
This allows to protect VLANs with NGFW features and security ... and device identification is extremely useful for BYOD (…) and much more as it adds another needed layer of security (e.g. WLAN) not to mention IoT.
 
At the end of the day it is all about continuity. In bigger environments you have to plan the use of features carefully as processes, workflow a.s.o. are involved (in IT and Business) on a long term basis.
 
Our clients have been carefully listening to Fortinet as they say "we have answers to the today challenges"  … should I go back to my clients and say (yes, but for production wait a year or so until the (unknown) features to bake in or wait if we see the existing features will "stay"  … forget about today's security challenges we will address them in a future release that is mature enough to do what it currently does)
 
In addition, now, that our WAN "Design" finally could improve with great features (improved, production ready) called "Security Fabric" and "SD-WAN" (Started testing it with the purchase of a FAZ with availability of Release 5.6.3) we still can not make use of these as several "unexpected behaviors" in all following releases up to 6.0.4 makes us stay with 5.6.3 on the FGT1200D Cluster.
 
It would be fair if Fortinet and its Marketing communicates the truth: Today's Releases are showcases to be used in a year or so and only by then we can face today's challenges on a mature trusted FireWall
 
-------------------------------------------------------------------------------------------
 UPDATE (5. April 2019)
Response to my Ticket from Fortinet support regarding
-> Use of device enforcement from various FortiGate features removed in this release:
 "... this is also part of the known bug in FortiOS 6.2 and will be addressed in a future release"
-> They refer to BugID 532309: Custom device page keep loading and cannot create device group
 
 
post edited by SEI - 2019/04/05 01:36:02
#20