Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Takeshi89
New Contributor

Is upgrading to the latest FortiOS really a good solution?

Hello everyone,

I'm a newbie/newcomer with Fortinet's products.

Now I have heard that upgrading to the latest version of FortiGate is not a recommendation (from the product supplier, not Fortinet).

Then I'd like to find/check more details on what that really means.

I found some points among the Resolved/Known issues between the present and the newer version in the Release Notes,

and what I want to discuss in detail here is related to some resolved CVE issues.

Here is my discussion matter:

・Currently using FortiOS version: 5.6.5

・I want to upgrade to version: 5.6.8

I found that some CVEs (security related issues) were resolved in version 5.6.8 according to the Release Notes.

But hold on: when I reversely checked CVE-2018-13371 (risk rather high), which is written in the Release Notes of 5.6.8,

with the supported link: https://fortiguard.com/psirt/FG-IR-18-230

in the [Affected products] part I saw this: "FortiOS version 5.6.7 and below",

so that means my FortiOS version is included too. And that made me feel insecure now.

Therefore, I have some thoughts:

- If I upgrade to the latest version 5.6.8, the issue will be resolved (but it's not a recommendation from the product supplier). I don't have much experience with Fortinet's products, so it's not easy to make a decision.

- If I do not, I do not know whether it will be a problem or not for the network system (the system has run with Fortinet's product for about half a year without any notice/alert related to that security issue).

So, if someone has faced this matter like me, please help me figure it out or give me some advice on this matter!

Thank you for your help!

Best regards,

Takeshi

2 Solutions
Toshi_Esumi
Esteemed Contributor III

I don't know Fortinet's service/support in Japan. But assuming you get every JP version of the release notes, I would just check all release notes from 5.6.5 to 5.6.8, or to 5.6.9, which was just released with one vulnerability fix, and then especially pay attention to "known issues" of the last 5.6.8 and 5.6.9 (I assume they're almost the same because .9 fixed only one item). Then, if none of them is close enough to how you use the FGT, I would just go to 5.6.9. If you have some concern about any specific known issue, you can always open a ticket with TAC (in Japan?) to ask about the condition under which it may occur. Even if you use that particular feature, it may never happen if the condition is very far from your usage.

Make sure you check the upgrade path. Looks like you need to get to 5.6.9 via 5.6.7 from 5.6.5.

By the way, since 6.2.0 is out now, 5.6.x is already two generations older than the latest major version. They may stop fixing minor issues in the near future (if not already). As a matter of fact, I've been waiting for them to fix one GUI problem we're experiencing with 5.6.6. But it's still not in 5.6.9 and they keep saying they already fixed it with 6.0. That's why I decided to go to 6.0.5 next month for our core FGTs and am currently testing it. Soon you will need to consider that. To me, going to 5.6.9 from 5.6.5 is relatively safe. You can also ask the "X-team" but will probably get a similar answer.
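The two checks in this answer, whether the running build sits inside the advisory's affected range and which intermediate hops the upgrade path requires, can be automated so they are not done by eye. The Python below is an added example for this thread, not code from Fortinet or from any poster. The hop table is a constructed, hypothetical stand-in for Fortinet's upgrade-path tool that only encodes the 5.6.5 to 5.6.7 to 5.6.9 route stated above, and the advisory wording is the one quoted in the question.

```python
import re
from collections import deque
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'5.6.10' -> (5, 6, 10); tuples compare numerically, so 5.6.10 > 5.6.9
    (a plain string comparison would get that wrong)."""
    return tuple(int(part) for part in text.strip().split("."))


# Matches the "X.Y.Z and below" wording used in the PSIRT advisory quoted in
# the thread ("FortiOS version 5.6.7 and below"); "and earlier" is accepted too.
_CEILING_RE = re.compile(r"(\d+(?:\.\d+)+)\s+and\s+(?:below|earlier)", re.IGNORECASE)


def affected_ceiling(affected_text: str) -> Version:
    """Highest affected version named in the advisory's affected-products line."""
    match = _CEILING_RE.search(affected_text)
    if match is None:
        raise ValueError(f"unrecognised affected-version wording: {affected_text!r}")
    return parse_version(match.group(1))


def is_affected(running: str, affected_text: str) -> bool:
    """True when the running build is at or below the advisory ceiling."""
    return parse_version(running) <= affected_ceiling(affected_text)


# Constructed, hypothetical hop table (NOT Fortinet's upgrade-path tool):
# each key lists the builds you may move to directly. It only encodes the
# thread's statement that 5.6.5 reaches 5.6.9 via 5.6.7.
UPGRADE_HOPS: Dict[str, List[str]] = {
    "5.6.5": ["5.6.6", "5.6.7"],
    "5.6.6": ["5.6.7"],
    "5.6.7": ["5.6.8", "5.6.9"],
    "5.6.8": ["5.6.9"],
    "5.6.9": [],
}


def upgrade_path(start: str, target: str,
                 hops: Dict[str, List[str]] = UPGRADE_HOPS) -> Optional[List[str]]:
    """Breadth-first search for the shortest sequence of supported hops."""
    queue = deque([[start]])
    seen = {start}
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        for nxt in hops.get(path[-1], []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None  # no supported route between the two builds


def plan_upgrade(running: str, target: str, affected_text: str) -> dict:
    """Combine the checks: is the current build exposed, what is the route to
    the target, and at which hop along the route does the advisory stop applying."""
    path = upgrade_path(running, target)
    ceiling = affected_ceiling(affected_text)
    fixed_from = None
    if path:
        fixed_from = next((v for v in path if parse_version(v) > ceiling), None)
    return {"affected_now": is_affected(running, affected_text),
            "path": path,
            "fixed_from": fixed_from}


if __name__ == "__main__":
    # Inputs mirror the thread: running 5.6.5, advisory FG-IR-18-230 wording.
    print(plan_upgrade("5.6.5", "5.6.9", "FortiOS version 5.6.7 and below"))
```

The result shows that 5.6.5 is inside the affected range, that the route is 5.6.5, 5.6.7, 5.6.9, and that the first hop outside the advisory's range is 5.6.9; the intermediate 5.6.7 is still affected, so the box is only considered fixed once the final hop is complete.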

emnoc
Esteemed Contributor III

Upgrading to maintenance fixes is a good thing and we should always stay on top of this. Upgrading to a fresh major version could be dangerous ;)

Ken Felix

PCNSE

NSE

StrongSwan
7 Replies
Toshi_Esumi
Esteemed Contributor III

I don't know the context you heard it in, but I think it meant "going to the latest 6.2.0 is not a good idea". If a vulnerability fix has just been released, like 6.0.5 or 5.6.9, and you're running 6.0.x or 5.6.x already, going to the latest of that major version is relatively safe. Or there is no other option if you're literally threatened by the vulnerability.

Takeshi89

Dear Toshi Esumi-san,

Thank you for your feedback!

> I don't know the context you heard, but I think it meant "going to the latest 6.2.0 is not a good idea".

→ Yes, it means that upgrading to the latest version (5.6.8 or 6.2.0) is not a recommendation from the Fortinet product supplier's technical team (temporarily I have named them the X team), not directly from the Fortinet team (I could not inquire directly with the Fortinet Japan team because of the policy/procedure between Fortinet Japan and the product representative/supplier).

> If a vulnerability fix is just released, like 6.0.5, 5.6.9, and you're running 6.0.x or 5.6.x already, going to the latest of the major version is relatively safe. Or no other option if you're literally threaten by the vulnerability.

→ Yeah, in parallel, as I mentioned before, because I don't have as much experience with Fortinet's products, it left me confused after making an inquiry to the X team. Although I also want to do that, to make sure, I'd like to discuss on the Fortinet forum to get more ideas/opinions or experiences from people who have faced the same matter as me!

So that's my status now, and I do not know clearly what I should do for the next actions! It feels disturbing (a mix of concerns) because a system impact might occur without careful readiness!

Before closing this topic, I hope you could give me more advice in detail, as much as you could share,

and I'd highly appreciate any help!

---

Thank you & Regards,

Takeshi

Takeshi89

I'm so sorry for letting this "sleep" for a long time.

Until now, the managers have not given any decision yet about this, because it may harm our business if we make mistakes when doing the upgrade. So I need to do more research and create an exact plan for doing the upgrade.

By the way,

> Toshi Esumi-san: Thank you for your feedback. I've got your ideas now, but maybe I'll continue to discuss this topic more with you. So if you don't mind, please share more pieces of advice or overviews in future discussion. Thank you in advance!

> Ken Felix-san:

Thank you for your suggestions. I'll take that as a reference when doing the upgrade!

Thank you all, again!

Regards,

Takeshi

djwilliams979
New Contributor

Takeshi,

I am about to perform a similar upgrade. How did yours go? Was it an HA pair? Did you experience any interruptions during the upgrade?

ruhhana

FortiOS 6.0 can provide SD-WAN capabilities on a FortiGate for greater application visibility and application steering to prioritize business application performance.

 https://www.youtube.com/watch?v=jaNZiFFg-38
