FortiOS 6.2.0 is out!

SMabille
Re: FortiOS 6.2.0 is out! 2019/04/03 03:19:32 (permalink; marked helpful by baker_gt 2019/04/09 18:42:58)
Also have a customer that has been selecting FortiSwitch over competitors with Device Identification as the main differentiator in the last few weeks. Could do without having to tell them that the feature has disappeared...

And FortiNAC is a NAC; it provides other functionality but doesn't allow you to replace device-specific policies.
For example, SSL interception for everything, but a few policies above it for iOS devices for specific authorised apps that refuse to import the CA. We would now have to bypass SSL for the whole website irrespective of device. FortiNAC can't solve that type of use.
 
SEI
It is painful for bigger shops who use it as a basic NAC. We use it in large environments and it works great. Very useful in all these instances, for those of us who use the FortiGate(s) as the routed core that also consists of third-party switches.
 
We use an FGT1200D active-active cluster with 3 branch offices connected/secured by an FGT500E active-active cluster and a single FGT500E.
This allows us to protect VLANs with NGFW features and security ... and device identification is extremely useful for BYOD (…) and much more, as it adds another needed layer of security (e.g. WLAN), not to mention IoT.
 
At the end of the day it is all about continuity. In bigger environments you have to plan the use of features carefully, as processes, workflows and so on are involved (in IT and business) on a long-term basis.
 
Our clients have been carefully listening to Fortinet as they say "we have answers to today's challenges" … should I go back to my clients and say (yes, but for production wait a year or so until the (unknown) features bake in, or wait and see if the existing features will "stay" … forget about today's security challenges, we will address them in a future release that is mature enough to do what it currently does)?
 
In addition, now that our WAN "design" could finally improve with great features (improved, production-ready) called "Security Fabric" and "SD-WAN" (started testing them with the purchase of a FAZ with the availability of release 5.6.3), we still cannot make use of these, as several "unexpected behaviors" in all following releases up to 6.0.4 make us stay with 5.6.3 on the FGT1200D cluster.
 
It would be fair if Fortinet and its marketing communicated the truth: today's releases are showcases to be used in a year or so, and only by then can we face today's challenges on a mature, trusted firewall.
 
#21
seadave
Re: FortiOS 6.2.0 is out! 2019/04/03 14:14:45 (permalink)
Good points about device ID. They have marketed it as a differentiator, so removing it is odd.
#22
mboback
Re: FortiOS 6.2.0 is out! 2019/04/03 16:42:59 (permalink)
Does anyone have any info on the SAML SSO feature I see added under User/Device > SAML SSO ?
I see some configuration for defining a Service Provider and plugging in some IdP settings as well, but it's unclear to me how exactly this configuration can be leveraged by the Fortigate from a functionality perspective - is it strictly for signing in to the Fortigate as an admin with SSO to an IdP? Can't find any documentation on this yet.
#23
Andrej K
Re: FortiOS 6.2.0 is out! 2019/04/04 01:18:28 (permalink)
With SAML and SSO I would say it would be similar to 
https://cookbook.fortinet.com/saml-fsso-fortiauthenticator-okta-56/
or
https://cookbook.fortinet.com/saml-fsso-fortiauthenticator-google-60/
 
I'm also amazed by comments like this: "It still amazes me how many folks throw caution to the wind when upgrading firmware." together with "there are some pretty amazing new features in 6.2:"
Are these new features there to stay? Should Fortinet just ignore quality control of firmware? The answer is NO to both of them.
 
The majority of administrators install firmware updates for the bug fixes and not for the "super cool Facebook thumbs-up feature". In the end it is a security device, not an application. Instead Fortinet treats firmware updates as a showcase of features rather than what they are: firmware updates/bug fixes. In a typical development cycle you have beta testers (who want to try new features) and regular users, who want continuity and stability. Separate them in a clear manner; keep it simple.
 
Why remove a security feature without providing an alternative?
 
Same mess across all of the integrated products: EMS (no idea what to call it) lacks basic features which typical antivirus solutions have had for decades.
Sandbox: easily detectable by any anti-debugging tool or even a PowerShell script, lack of integration; verdict: useless.
FortiMail: "goodbye".
FortiGate: constantly removing features to sell licenses (push towards EMS when not ready, compliance license, etc.)
 
We as a business need a reliable product. We as a business need predictability and planning ahead. Due to recent events, a PoC with other vendors prior to licence renewal is my way forward to address business needs.
 
 
#24
josh
Re: FortiOS 6.2.0 is out! 2019/04/04 02:15:38 (permalink)
Upgraded my 60E and 30E fabric at home and all went well, though I am having some rather weird issues with certain applications no longer being able to connect/timing out, etc.
 
I am getting devices connecting to WiFi however they're complaining they don't have an Internet connection (e.g. the DNS probes or whatever they use to check liveliness during connection is failing), however they eventually recover. I thought disabling all UTM on v4 and v6 policies helped, but it doesn't appear completely resolved. Still getting random timeouts/failures here and there.
 
Only seems evident since the upgrade, though I haven't had enough willpower/time to look at why -- it's not impossible that it could be coincidence, but has anyone experienced similar?
 
I'd downgrade to 6.0.4 to see if that fixes it, however the 30E is remote to me and, as per the release notes, this happens:
-----------------------------------------------------------------------------------------------------------
Downgrading to previous firmware versions

Downgrading to previous firmware versions results in configuration loss on all models. Only the following settings are retained:
  • operation mode
  • interface IP/management IP
  • static route table
  • DNS settings
  • admin user account
  • session helpers
  • system access profiles
-----------------------------------------------------------------------------------------------------------
post edited by josh - 2019/04/04 02:17:00
#25
Andrej K
Re: FortiOS 6.2.0 is out! 2019/04/04 02:37:51 (permalink)
Remote downgrading is a 50/50 coin flip. In theory it should work; in practice, well...
The only thing I suggest during a downgrade is: downgrade to the previous firmware version and then restore the full config backup taken on that version (the config from the version you just downgraded to). I.e. downgrade from 6.2.0 to 6.0.4, then restore the backup config you took while running 6.0.4 (the version should be written at the top of the config file if you open it).
 
Regarding not being able to access the internet, this could be one of the following "features" based on my experience (and I use the word features here in a sarcastic way):
1) You used Device ID to limit internet access to servers, or in any other policies which would be above your permit policy. Because device ID is removed, you are now matching a different policy which might not have the service permitted.
2) If you have FortiClient installed on the machines: if FortiClient can't access the Internet for classification, it will use the default behavior of blocking UNKNOWN categories, which would include WiFi portals. This is a known "feature": FortiClient version 6 and above does not work on guest/WiFi/sign-on networks which do not permit ports 8000/8888 or DNS via port 53.
post edited by Andrej K - 2019/04/04 02:41:35
#26
seadave
Re: FortiOS 6.2.0 is out! 2019/04/04 09:18:11 (permalink)
"Majority of the administrators install firmware updates for the bug fixes and not "super cool facebook thumbs up feature"."
 
I disagree.  I've been watching this forum for over 10 years, using Fortinet products for nearly 15.  There have been hundreds of posts that indicate people applied an update for whatever reason without having read the release notes or having a backup, only to become surprised or frustrated that something "broke" as a result.  In defense of some of these situations, back in the day Fortinet was way less reliable about detailing "Known Issues" which made it much harder to anticipate such things.  Remember, older firmware did not force one to make a backup first. 
 
"In the end it is security device not an application"
 
Code (whether software or firmware) running on a device with a processor by definition is an application.  Be it a firewall or a thermostat.  Some are programmed better than others and anyone who lived through 5.0.X knows that applies to different firmware versions also. Code has bugs, that is the way of the world.  Now if you were to make an argument that at times, Fortinet releases firmware with known issues that have no business being released and should be resolved beforehand, I will definitely agree with that.
 
"Instead Fortinet treats firmware updates as a showcase of features rather than what it is - firmware updates/bug fixes"
 
Fortinet does not put enough emphasis on "This is for testing only and should NOT be used in production yet" for new releases.  You can look to Juniper for an extreme opposite of this approach where they have JTAC recommended releases and X versions of the firmware that is focused more on stability/fixes instead of shiny new objects.  The above critique I think rings true when you look at 6.0.X is only at .4 release and now 6.2.0 is out.  But in most cases, nothing is forcing one to update.  We still run a variant of 5.6.X in production because it has proven to be stable for our situation and is providing the features that we need.  We are installing new 501Es soon and will evaluate 6.0.3/4 to see if we can expect the same.  I realize that this type of testing can be hard if you are working in a very small shop with a single device, but that is why you backup configs and keep current firmware copies handy.  You should almost assume you might need to revert when doing a .X update less than .5
 
The Fortinet model from at least 4.3.X has been that the X.X.0 release introduces the adds and removes from a feature standpoint, followed by incremental .X updates that fix what is found to be broken. 
 
I credit Fortinet as a major reason for keeping my network exploit free for the last 10 years.  They are not perfect, but I feel compared to other vendors they in the end provide more features for the money.  That has been my experience, I understand that may not be the case for others.
#27
seadave
Re: FortiOS 6.2.0 is out! 2019/04/04 09:23:04 (permalink)
josh
Upgraded my 60E and 30E fabric at home and all went well, though I am having some rather weird issues with certain applications no longer being able to connect/timing out, etc.
 
I am getting devices connecting to WiFi however they're complaining they don't have an Internet connection (e.g. the DNS probes or whatever they use to check liveliness during connection is failing), however they eventually recover. I thought disabling all UTM on v4 and v6 policies helped, but it doesn't appear completely resolved. Still getting random timeouts/failures here and there.
 
Only seems evident since the upgrade, though I haven't had enough willpower/time to look at why -- it's not impossible that it could be coincidence, but has anyone experienced similar?
 
I'd downgrade to 6.0.4 to see if that fixes it, however the 30E is remote to me and, as per the release notes, this happens:
-----------------------------------------------------------------------------------------------------------
Downgrading to previous firmware versions

Downgrading to previous firmware versions results in configuration loss on all models. Only the following settings are retained:
  • operation mode
  • interface IP/management IP
  • static route table
  • DNS settings
  • admin user account
  • session helpers
  • system access profiles
-----------------------------------------------------------------------------------------------------------

I have a FWF-60E at home and when I went from 6.0.3 to 6.0.4 I also experienced DNS issues. Domains would not resolve and the service would eventually not respond properly after a few hours. L3 was still working, as I could ping IPs, but DNS resolution was dead. A reboot would fix it for a few hours. I never dug into the issue as I reverted back to 6.0.3 and the setup has been very stable as a result. I have a FortiSwitch and FortiAP connected in addition to logging to a FAZ on an AWS instance.
post edited by seadave - 2019/04/04 09:27:26
#28
josh
Re: FortiOS 6.2.0 is out! 2019/04/04 13:48:50 (permalink)
Andrej K
Remote downgrading is a 50/50 coin flip. In theory it should work; in practice, well...
The only thing I suggest during a downgrade is: downgrade to the previous firmware version and then restore the full config backup taken on that version (the config from the version you just downgraded to). I.e. downgrade from 6.2.0 to 6.0.4, then restore the backup config you took while running 6.0.4 (the version should be written at the top of the config file if you open it).
 
Regarding not being able to access the internet, this could be one of the following "features" based on my experience (and I use the word features here in a sarcastic way):
1) You used Device ID to limit internet access to servers, or in any other policies which would be above your permit policy. Because device ID is removed, you are now matching a different policy which might not have the service permitted.
2) If you have FortiClient installed on the machines: if FortiClient can't access the Internet for classification, it will use the default behavior of blocking UNKNOWN categories, which would include WiFi portals. This is a known "feature": FortiClient version 6 and above does not work on guest/WiFi/sign-on networks which do not permit ports 8000/8888 or DNS via port 53.

Thanks, but yeah. Neither of those items is in use. Things like Netflix on my LG Smart TV just stopped working, with zero reason why when it was fine on 6.0.4, and every other app (e.g. Amazon Prime) on the same device works. Thought it might have been something funny with UTM, but I disabled UTM completely and let everything straight out; no change there, though it did fix some of the weird issues my partner was seeing with her phone when trying to download apps from the Google Play store, etc.
 
Really quite odd. I think I'm just gonna go back to 6.0.4 and (as you suggested) reload the backed up config from before the upgrade. Fingers crossed the remote unit comes back up fine, haha.
 
dfollis
 
I have a FWF-60E at home and when I went from 6.0.3 to 6.0.4 I also experienced DNS issues.  Domains would not resolve and the service would eventually not respond properly after a few hours.  L3 was still working as I could ping IPs but DNS resolution was dead.  A reboot would fix for a few hours.  I never dug into the issue as I reverted back to 6.0.3 and the setup has been very stable as a result.  I have a FortiSwitch and FortiAP connected in addition to logging to a FAZ on AWS instance.

 
Doesn't sound related, this was related to 6.0.4 -> 6.2.0 -- 6.0.4 (and every other 6.0.x release) has been fine for me. I use FAP/FSW/FAZ as well. Sounds odd though.. I haven't seen that issue before.
#29
SMabille
Re: FortiOS 6.2.0 is out! 2019/04/04 14:10:44 (permalink)
Hi,

If you are using Internet Service with a rule to allow Netflix, for example, the database is likely to be out of sync and back to the 6.0.4 default one; force a FortiGuard update.

For the weird DNS issue from 6.0.3 to 6.0.4: I had similar issues with a DNS latency problem, both on 6.0.3 and 6.0.4, and never managed to get to the bottom of it. I suspect it to be either the DNS filter or the DNS helper. Very intermittent; a reset helps, so it might be some caching or resource exhaustion (but not a memory leak).
#30
Andrej K
Re: FortiOS 6.2.0 is out! 2019/04/05 00:20:56 (permalink)
Putting this up front to make what follows more of a conversation piece rather than a "debate" or "proving a point":
 
We all agree that Fortinet needs to do something with firmware releases, customer feedback and product lines to make them consistent and customer-friendly. I like Fortinet a lot; it fits my logic, but I made my decision to look around before upgrades and see what is what. And this is only due to customer support and the lack of strategy going forward (a lot of good ideas, but at a cost to the customer). Now to the conversation.
 
"I disagree. I've been watching this forum for over 10 years, using Fortinet products for nearly 15. There have been hundreds of posts that indicate people applied an update for whatever reason without having read the release notes or having a backup, only to become surprised or frustrated that something "broke" as a result."
 
Lost faith in administrators here. Maybe I need to readjust my expectations.
 
"Code (whether software or firmware) running on a device with a processor by definition is an application."
 
Not going to debate semantics; I consider firmware, well, firmware: an OS with apps on top. Code having bugs is expected; we are humans. What I'm completely and utterly against is treating firmware (application or OS or firmware or whatever) as a cash cow to be milked. When I buy a product with all the features and licenses, and then upgrade to fix the issues, I find out that I need to buy other products or licenses for the features which were available to me before the upgrade. This goes against anything I've experienced on the market with other security vendors.
 
"But in most cases, nothing is forcing one to update. We still run a variant of 5.6.X in production because it has proven to be stable for our situation and is providing the features that we need."
 
Bug fixes: that is the reason for upgrading for me. New features are cool but I don't use them (they are new), so non-essential. 6.0.X (not sure if 5.6 is the same) has a cool bug for RA VPN where the printed instructions for users (which should contain the password) don't, so now you are stuck not knowing the password. Non-essential, as I can decrypt the passwords, but annoying. And there are a few BUG fixes for HA which I wanted to apply (recently learned about conserve mode). What I don't expect is removing security features and making the firewall open as a result. If you don't pay attention or do not have multiple rules, you will open your network to ALL traffic, as policies containing Device ID will become wide open. This is not OK for me, as this is a security device. Disable them, force a review; don't open up holes.
 
I like Fortinet, but.... and a lot of us will fill in the dots with similar reasons, but there are a lot of buts for me.
post edited by Andrej K - 2019/04/05 00:24:11
#31
baker_gt
Re: FortiOS 6.2.0 is out! 2019/04/09 18:49:05 (permalink)
josh
 
I too have had some strange things going on with wifi devices. 
 
I have been running 6.2 for 4-5 months, and it's been an issue most of the time.
 
I thought the GA release fixed it, but then I noticed yesterday that the device profiles were gone and I was using an any rule :(
 
Since digging through and fixing that, the wifi issues are back. Things just don't load. There is something up with the UTM features killing stuff.
 
There has also been an SSL bug blocking out loading of some pages with deep inspection enabled.
#32
sanderl
Re: FortiOS 6.2.0 is out! 2019/04/10 04:19:12 (permalink)
Cls
Quick note from first impressions on my test device:
As read in Release Notes / Changes in default behavior:
- FortiOS 6.2.0 removes any use of device enforcement from various FortiGate features.
 
This means that all policies and setups that are using Devices or Device Groups in policy will have "open" policies after upgrading to 6.2.0.
I cannot find any obvious replacements for the Device feature as of now.
 
If anyone has more info on what Fortinet's plan on this is, I would appreciate a shoutout.. :)
 
 
Best Regards,
Runar


I bit the bullet... and the first thing was:
NO INTERNET FOR ALL...
 
Due to the fact that there was a policy with a device group attached, limiting some devices' internet access. But when that group was removed after the upgrade to 6.2, the policy thus limited ALL internet traffic.
 
Strange thing is: I do still have the option to "add a custom device group", but when I do it, I get this strange error:

    CLI internal error
 
But now the question: how to restore previous functionality? How to restrict certain DEVICES' internet access?
post edited by sanderl - 2019/04/10 04:34:57
#33
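A pre-restore and pre-upgrade check for the two points raised above (Andrej K's advice in #26 to restore only a backup taken on the firmware you downgraded to, the version being written at the top of the file, and the device-group policies in #31 and #33 that become "open" once 6.2.0 drops device enforcement), written as an added example; it is not code from this thread or from Fortinet. It assumes the 6.0-style backup header `#config-version=MODEL-x.y.z-FW-buildNNNN-...` and the `set devices` policy attribute inside `config firewall policy`; both are assumptions to verify against your own backup file, and the sample backup is constructed for the example.

```python
"""Pre-restore / pre-upgrade audit of a FortiGate text config backup.

Added example, not Fortinet code.  Two assumptions (check your own file):
  * the first line is a 6.0-style header such as
      #config-version=FGT60E-6.0.4-FW-build0231-190107:opmode=0:vdom=0:user=admin
  * device identification in a policy is 'set devices "iPhone" ...'
    inside 'config firewall policy'.
"""
import re
import shlex

HEADER_RE = re.compile(
    r"^#config-version=(?P<model>[A-Z0-9]+)-(?P<version>\d+\.\d+\.\d+)"
    r"-FW-build(?P<build>\d+)"
)

# Constructed sample backup: a deny and an accept policy that both rely on
# device identification, plus one ordinary policy.
SAMPLE_CONFIG = """#config-version=FGT60E-6.0.4-FW-build0231-190107:opmode=0:vdom=0:user=admin
config firewall policy
    edit 1
        set name "block-iot-internet"
        set srcintf "internal"
        set srcaddr "all"
        set devices "IoT-Group"
        set service "ALL"
    next
    edit 2
        set name "byod-apps"
        set srcintf "internal"
        set srcaddr "all"
        set action accept
        set devices "iPhone" "Android Phone"
        set service "HTTPS"
    next
    edit 3
        set name "lan-out"
        set srcintf "internal"
        set srcaddr "all"
        set action accept
        set service "ALL"
    next
end
"""


def parse_header(config_text):
    """Model, firmware version and build from the backup's first line."""
    first = config_text.splitlines()[0] if config_text else ""
    match = HEADER_RE.match(first)
    return match.groupdict() if match else None


def safe_to_restore(config_text, running_version):
    """True only if the backup was taken on the firmware now running."""
    header = parse_header(config_text)
    return header is not None and header["version"] == running_version


def firewall_policies(config_text):
    """One dict per policy; 'set' values stay lists (many are multi-valued).
    Only the innermost 'config' block is tracked, so VDOM wrappers are fine."""
    policies, stack, current = [], [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        keyword = tokens[0]
        if keyword == "config":
            stack.append(" ".join(tokens[1:]))
        elif keyword == "end":
            stack.pop()
        elif stack and stack[-1] == "firewall policy":
            if keyword == "edit":
                current = {"id": tokens[1]}
                policies.append(current)
            elif keyword == "set" and current is not None:
                current[tokens[1]] = tokens[2:]
            elif keyword == "next":
                current = None
    return policies


def device_dependent_policies(config_text):
    """Policies whose match includes a device criterion."""
    return [p for p in firewall_policies(config_text) if p.get("devices")]


def audit(config_text):
    """One line per policy that widens once device enforcement is dropped."""
    lines = []
    for p in device_dependent_policies(config_text):
        # Assumption: a policy without 'set action' is a deny (FortiOS default).
        verb = "denies" if p.get("action", ["deny"])[0] == "deny" else "accepts"
        lines.append("policy %s (%s): without devices %s it now %s srcaddr %s service %s for every host"
                     % (p["id"], p.get("name", ["-"])[0], " ".join(p["devices"]),
                        verb, " ".join(p.get("srcaddr", [])), " ".join(p.get("service", []))))
    return lines
```

Run `audit()` over the backup before the upgrade: every policy it lists needs a replacement match criterion (source address objects, as FatalHalt suggests further down, or a different policy order) or it will either block or admit every host on that interface once the device criterion is gone. Run `safe_to_restore()` against the version shown by `get system status` before restoring after a downgrade, so a 6.2.0 backup is never pushed onto a 6.0.4 box.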
FatalHalt
Re: FortiOS 6.2.0 is out! 2019/04/10 12:09:59 (permalink)
sanderl
 
But now the question: how to restore previous functionality? How to restrict certain DEVICES internet Access.?

Revert to 6.0.
 
Or do it by IP addresses.
#34
BrainWaveCC
Re: FortiOS 6.2.0 is out! 2019/04/10 17:15:25 (permalink)
dfollis
I'm guessing they are going to drive folks towards FortiNAC for such things as it relates to device IDs.
https://www.fortinet.com/products/network-access-control.html


Let's hope that this is not really the plan.
FortiGate is very cost-effective for the SMB market today because you can get these full-spectrum features in small form-factor devices, and scale up to bigger stuff if you need to. Many don't need to; not yet, and not at the current costs.
#35
BrainWaveCC
Re: FortiOS 6.2.0 is out! 2019/04/10 17:38:15 (permalink)
Andrej K
Majority of the administrators install firmware updates for the bug fixes and not "super cool facebook thumbs up feature".

 
Be that as it may, an X.Y.0 release (i.e. v6.2.0) is clearly one that is at least as focused on new features as it is on bug fixes.
With the current version on 6.0.4, and the recent history of Fortinet releases, it should not be expected that 6.2.0 is purely a bug-fix release for 6.0.4.
 
Hopefully, this feature loss issue is a bug and not an intended feature removal, but it does beg the question of why they felt it ready to release with a bug of that size in effect.

Anyway, while I like the possibilities presented by some of the features in 6.2.0, I'll be waiting for a few patch releases before I even test it. I learned my lesson with 5.4.0, 5.4.1 and 5.6.0. I can wait for others who have more testing time/appetite.
 
#36
James_G
Re: FortiOS 6.2.0 is out! 2019/04/15 02:11:20 (permalink; marked helpful by SMabille 2019/04/15 02:28:53)
I have emailed my account manager at Fortinet to voice concern about the removal of custom devices and groups. I suggest anyone else with concerns does the same, as a forum post, however long, is not likely to effect any real change.
#37
SMabille
Re: FortiOS 6.2.0 is out! 2019/04/15 02:29:16 (permalink)
Same here.
 
James_G
I have emailed my account manager at Fortinet to voice concern about the removal of custom devices and groups. I suggest anyone else with concerns does the same, as a forum post, however long, is not likely to effect any real change.
#38
PeterK
Re: FortiOS 6.2.0 is out! 2019/04/16 02:37:35 (permalink)
I agree more should be done to address bug fixes in the existing firmware before major firmware jumps; as a member has stated above, it is too risky to go with the first release of a new major firmware.
 
I am on 6.0.4 and have noticed that release has stopped you amending some of the policies from the top screen; you now have to edit them. Another bug that has come in is that Internet Explorer no longer works for the SSL web VPN login. Chrome and Firefox work, but you run into trouble with organisations using IE. I would have liked a patch for this latter problem before doing another major firmware update, or, as they have done in previous ones, if they are going to do a major one, run some patches to fix at least some of the patches with the existing firmware, for instance 6.0.x.
#39
brizvi_FTNT
Re: FortiOS 6.2.0 is out! 2019/04/24 13:06:22 (permalink)
peterkoszarek@nhs.net 
I am on 6.0.4 and have noticed that release has stopped you amending some of the policies from the top screen; you now have to edit them.

Are you trying to make changes from the policy list page? Which policies are you unable to make changes to?
 
post edited by brizvi - 2019/04/24 14:13:55
#40