what version of FortiOS should I run?

Author
jason
New Member
  • Total Posts : 8
  • Scores: 0
  • Reward points: 0
  • Status: offline
2020/04/09 17:12:57 (permalink)
0

I am currently running 5.6.12 on my 100D.  Now that 6.4 is out, even if it is not for the 100D, I am wondering, is it time to upgrade to 6.0.9?  Or is 6.2.3 better?  I would follow the upgrade path.  I have read about some memory leak issues in the 6.x series; are they fixed in 6.0.9 and/or 6.2.3, or do I have to contact support to get the latest IPS engine?  IPsec VPNs are a big thing for me, so I need stability for that.  My FortiGate connects via a FortiGate-to-FortiGate VPN to a unit running 5.6.10, I think.  I have no control over that unit.  Would there be any problems with connecting from a 6.2.3 to a 5.6.10 unit?
#1
ede_pfau
Expert Member
  • Total Posts : 6267
  • Scores: 526
  • Reward points: 0
  • Joined: 2004/03/09 01:20:18
  • Location: Heidelberg, Germany
  • Status: offline
Re: what version of fortios should I run? 2020/04/10 04:27:50 (permalink)
0
First off, "if it ain't broke, don't fix it". That is, if your FGT runs OK, I wouldn't upgrade it.
Second, v5.6 is still supported until 2021, whereas if you used v5.4 it was about time to upgrade, no choice.
Third, if you decide you'd have to upgrade, then IMHO better go with v6.0 than v6.2. Skip the first 4-5 patches of any new major line.
 
There haven't been any complaints about IPsec VPN with v6.0, and I'm using it daily on several FGTs. Yet, if you use IPS...see "First".
Just my 2 cents.

Ede

" Kernel panic: Aiee, killing interrupt handler!"
#2
emnoc
Expert Member
  • Total Posts : 5622
  • Scores: 357
  • Reward points: 0
  • Joined: 2008/03/20 13:30:33
  • Location: AUSTIN TX AREA
  • Status: offline
Re: what version of fortios should I run? 2020/04/10 06:58:17 (permalink)
0
It depends.
 
You upgrade due to:
  • security risk
  • new features
  • known bugs and the remedy for them
  • CPU/MEM issues and fixes within a later version
  • etc.
 
Ede did a great job in his explanation, but to add to it: I run 6.4 at my home because it is new and I want to get a feel for it. I just did an FGT100E and we ran 6.2.3 in a production env. It was previously on 6.0.8. In both cases the reason why we upgraded and the version selected depended on that env.
 
In some cases with a new hardware deployment, you want to upgrade immediately because the shipped unit is on some older rev.
 
e.g FGT51 shipped with 6.0.2 and the latest version is 6.0.9 that's available.
 
So many reasons can exist, and your env really mandates whether you need to update and to what version. I never would run a bleeding edge version if it has not had 2 or 3 maintenance fixes. The 1st version of any release needs some time to mature and to shake out any problems, especially with FortiOS.
 
TIP: It's also wise to make a backup before the upgrade and at any intermediate version along the way to the target and final version.
 
TIP: If you are on one release, it's wise to be within 1-2 of the latest maintenance release for that train.
 
e.g. FortiOS 6.0.8-6.0.9 would be okay, 6.0.2 would not be wise.
     FortiOS 6.2.2-6.2.3 would be okay, 6.2.0 would not be wise.
 
Ken Felix
 

PCNSE 
NSE 
StrongSwan  
#3
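The patch-currency rules Ede and Ken lay out above (stay within one or two maintenance releases of your train, give a brand-new line a few patches to mature, and get off a train before it leaves support) can be turned into a simple inventory check. The script below is an added example, not code from this thread or from Fortinet. The support end dates and the "latest patch" table are constructed for illustration: the builds are the ones named in this discussion and the dates are placeholders, so replace both with Fortinet's product life-cycle page and the current release notes before relying on the output. The unit names in the inventory are made up. `parse_version` accepts either a bare `6.0.9` or the `v6.0.9,build...` form the FortiGate CLI prints, ignoring everything after the first comma.

```python
"""Flag FortiGate units whose FortiOS build falls outside a patch-currency policy.

Policy encoded here (from the forum advice above):
  * stay within MAX_PATCHES_BEHIND maintenance releases of the latest patch on your train
  * treat a train whose latest patch is still below MIN_MATURE_PATCH as not production-ready
  * treat a train that is past, or within a year of, its support end date as an action item
"""
from datetime import date

# CONSTRUCTED reference table for illustration only. The "latest" builds are the ones
# named in this thread; the support end dates are placeholders. Replace with Fortinet's
# product life-cycle page and the current release notes before relying on this.
TRAINS = {
    "5.6": {"latest": (5, 6, 12), "support_ends": date(2021, 1, 1)},
    "6.0": {"latest": (6, 0, 9), "support_ends": date(2022, 1, 1)},
    "6.2": {"latest": (6, 2, 3), "support_ends": date(2023, 1, 1)},
    "6.4": {"latest": (6, 4, 0), "support_ends": date(2024, 1, 1)},
}
MAX_PATCHES_BEHIND = 2   # "within 1-2 of the latest maintenance release for that train"
MIN_MATURE_PATCH = 3     # Ken: "2 or 3 maintenance fixes" (Ede would say 4-5)
WARN_DAYS = 365          # start planning a train jump a year before support ends
AS_OF = date(2020, 4, 10)  # date of this thread; pass your own "today" when auditing


def parse_version(text):
    """Turn 'v6.0.9,build<n>,<date> (GA)' (CLI form) or '6.0.9' into (6, 0, 9)."""
    core = text.strip().lstrip("v").split(",")[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiOS version string: {text!r}")
    return tuple(int(p) for p in parts)


def assess(version, today=AS_OF):
    """Return the policy findings for one unit; an empty list means it is compliant."""
    major, minor, patch = parse_version(version)
    train = f"{major}.{minor}"
    info = TRAINS.get(train)
    if info is None:
        # A train missing from the table is most likely end-of-life (e.g. v5.4).
        return [f"train {train} is not in the reference table; treat as unsupported"]

    findings = []
    ends = info["support_ends"]
    if today > ends:
        findings.append(f"train {train} left support on {ends}; upgrade is mandatory")
    elif (ends - today).days < WARN_DAYS:
        findings.append(f"train {train} leaves support on {ends}; plan the move now")

    latest_patch = info["latest"][2]
    behind = latest_patch - patch
    if behind < 0:
        # The unit is newer than our table: the table is stale, not the firewall.
        findings.append(f"{version} is newer than the table's {train}.{latest_patch}; refresh the table")
    elif behind > MAX_PATCHES_BEHIND:
        findings.append(f"{behind} patches behind {train}.{latest_patch}; update within the train")

    if latest_patch < MIN_MATURE_PATCH:
        findings.append(f"train {train} has only {latest_patch} maintenance releases; not yet mature for production")
    return findings


def audit(inventory, today=AS_OF):
    """Map each non-compliant unit name to its findings; compliant units are omitted."""
    report = {}
    for name, version in inventory.items():
        findings = assess(version, today)
        if findings:
            report[name] = findings
    return report


# CONSTRUCTED inventory: names are made up, versions are the ones discussed in the thread.
INVENTORY = {
    "fgt100d-hq": "v5.6.12",
    "fgt100e-prod": "v6.2.3",
    "fgt51-branch": "v6.0.2",
    "fgt-lab": "v6.4.0",
    "fgt-old": "v5.4.13",
}

if __name__ == "__main__":
    for name, findings in audit(INVENTORY).items():
        print(name)
        for f in findings:
            print("  -", f)
```

Run it as-is to see the four units that need attention; in practice you would fill INVENTORY from the `Version:` line of `get system status` on each unit and pass `date.today()` to `audit`.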
nsantin
Gold Member
  • Total Posts : 127
  • Scores: 2
  • Reward points: 0
  • Joined: 2005/03/06 20:08:20
  • Status: offline
Re: what version of fortios should I run? 2020/04/10 08:14:33 (permalink) [marked helpful by ede_pfau 2020/04/10 11:16:49]
0
I upgraded my 100D HA cluster (Firewall, BGP Routing, VPN, IDS) to 6.0.9 from 5.6.12 and it was probably one of the smoothest upgrades I've seen in 15 years of using FGTs.
 
5.6.12 has a critical bug with link monitoring, so if you're using multiple links you may want to upgrade just for that. See my thread here: https://forum.fortinet.com/tm.aspx?m=182995
 
Also, there are some known CVEs in 5.6.12 that apparently will not be fixed in the 5.6 branch.
 
There is some discussion about an issue with RDP over SSL-VPN that was in 6.0.8 and MAY be fixed in 6.0.9. The bug is no longer in the most recent release notes (either existing or resolved), so the theory is it was "unofficially fixed". I haven't seen any issues with it.
 
There are no issues with IPsec VPN, and I too have a BO tunnel back to a 5.6 box (no issues) and some Ciscos (no issues).
post edited by nsantin - 2020/04/10 08:17:36
#4
ede_pfau
Expert Member
  • Total Posts : 6267
  • Scores: 526
  • Reward points: 0
  • Joined: 2004/03/09 01:20:18
  • Location: Heidelberg, Germany
  • Status: offline
Re: what version of fortios should I run? 2020/04/10 11:17:46 (permalink)
0
@nsantin: thanks for the heads-up, it slipped by me. Time to proceed to v6.0...

Ede

" Kernel panic: Aiee, killing interrupt handler!"
#5
emnoc
Expert Member
  • Total Posts : 5622
  • Scores: 357
  • Reward points: 0
  • Joined: 2008/03/20 13:30:33
  • Location: AUSTIN TX AREA
  • Status: offline
Re: what version of fortios should I run? 2020/04/10 13:54:19 (permalink)
0
Yeah we started doing the same thing, jumping from 6.0.8 to 6.2.3 on FGT100Es
 
Ken Felix

PCNSE 
NSE 
StrongSwan  
#6
jason
New Member
  • Total Posts : 8
  • Scores: 0
  • Reward points: 0
  • Status: offline
Re: what version of fortios should I run? 2020/04/16 11:49:09 (permalink)
0
I am a believer in "if it ain't broke, don't fix it", but I don't want to get too far behind either.  I didn't know there is a lifespan on the firmware.  Where can I find that document?
I would only switch to 6.0.9 or 6.2.3, following the upgrade path.  I am thinking 6.0.9 is the safer option.  I always back up my configuration before an upgrade and after.  I am not going to jump to any firmware that is less than 6.x.4 unless I have no choice.  Where can I find out about what CVEs are fixed in 6.0.9 but not 5.6.13?
#7