Upgrade Fortigates 5.4.x -> 5.6.10/11 or 6.0.6
We opened a case with Fortinet support on an IPsec VPN tunnel issue with a FortiGate 60E where the VPN tunnel goes down every 12 hours. They couldn't definitively find a root cause and have advised us to upgrade to a newer version of the firmware. This was a good reminder for us to work towards upgrading all of the FortiGates in our small fleet and do a better job of keeping them up to date going forward.
Current hardware and versions:
100D (active/passive HA pair) running 5.4.2
100D running 5.4.2
60E running 5.4.5 <- this is the one having the VPN issue
60E running 5.6.10
1) Our original plan was to get all firewalls up to 5.6.10; however, we noticed that when 5.6.11 was released the upgrade path changed dramatically. We are now wondering if it makes more sense to target the 6.0 train, specifically 6.0.6. We are currently reviewing release notes, but are there any major known issues running 6.0.6 in a production environment, or any known issues with the Fortinet-recommended upgrade paths below?
5.4.2 -> 5.4.4 -> 5.6.2 -> 5.6.6 -> 6.0.4 -> 6.0.6
5.4.5 -> 5.6.2 -> 5.6.6 -> 6.0.4 -> 6.0.6
5.6.10 -> 6.0.6
2) Any recommendations on the best way to upgrade an HA pair? This will be our first time upgrading this pair, and we want to do what we can to give ourselves the best shot at a smooth upgrade and recovery if it goes south. We will be following the standard advice for all of our upgrades, such as keeping a copy of the config at each step, having each firmware version downloaded, allowing restoration of firmware/config from USB, and rebooting the firewalls prior to performing the first upgrade. Specifically for an HA pair, I recall reading about verifying that the firewalls are in sync and have found the commands to do so. Any other critical steps to take for upgrading a standalone or HA pair?
Thanks in advance!