FortiOS 7.0

Author
Alfred Cruz
New Member
  • Total Posts : 8
  • Scores: 0
  • Reward points: 0
  • Joined: 2014/08/13 10:52:39
  • Status: offline
2021/04/08 08:34:03 (permalink)
0

FortiOS 7.0

Has anyone upgraded their firmware to version 7 yet?
#1
Markus
Expert Member
  • Total Posts : 302
  • Scores: 59
  • Reward points: 0
  • Joined: 2015/03/19 07:30:23
  • Location: Switzerland
  • Status: offline
Re: FortiOS 7.0 2021/04/08 16:05:31 (permalink)
0
Yes, not in production, but in my home lab (from 6.4.5) no issues 'till now, everything working as before (so far)...
#2
lobstercreed
Platinum Member
  • Total Posts : 393
  • Scores: 45
  • Reward points: 0
  • Joined: 2018/11/28 14:57:58
  • Location: Sedalia, MO
  • Status: offline
Re: FortiOS 7.0 2021/04/12 06:42:02 (permalink)
0
I'm still not ready to do it even at home.  The early 6.4 releases kind of traumatized me, ha.  Any cool stuff you've found that would justify the upgrade?
#3
Markus
Re: FortiOS 7.0 2021/04/12 06:48:41 (permalink)
0
No, just looking to try the Let's Encrypt feature so far.
#4
Yurisk
Gold Member
  • Total Posts : 217
  • Scores: 33
  • Reward points: 0
  • Joined: 2011/12/04 03:30:01
  • Status: offline
Re: FortiOS 7.0 2021/04/12 07:39:14 (permalink)
0
Haha, Let's Encrypt is indeed the most spoken about feature, as if the money was the only reason people didn't use proper SSL certificates until now ... which you could/can buy for $8-10 a year basically )))
Somehow no one thinks that SSL certificates issued via Let's Encrypt are logged forever and are visible to the whole Internet - easiest way to enumerate all your certificates/web sites, especially internal ones. Makes for interesting reading searching with automated tools for Let's Encrypt certs for *.gov domains ))
#5
Yurisk
Re: FortiOS 7.0 2021/04/12 07:42:30 (permalink)
0
@Alfred - I installed in a Lab VM, but didn't find any real cool features to try on the live traffic so far. The only new and mystery feature - ZTNA is completely absent from the Fortinet documentation so far, so waiting for kb.fortinet.com to catch up to try it ...
 
 
#6
SJFriedl
New Member
  • Total Posts : 5
  • Scores: 0
  • Reward points: 0
  • Joined: 2015/12/10 14:13:55
  • Location: Southern California USA
  • Status: offline
Re: FortiOS 7.0 2021/04/12 09:34:42 (permalink)
0
I've done this. I had an old FG 60D on my home network, replaced it with a 60F so jumped up to the latest 7.0 so I could start learning it and many of the more advanced features of Fortigate I'd never gotten around to.
 
Two things caused me some pain, most of which were probably my own fault, and may not necessarily be related to 7.0 (the 60D only ran up to 6.0).
 
First, I've been using IPv6 at home for a long time, my 60D didn't have the prefix delegation stuff in the GUI so I had done it all in the CLI.  So doing it in the GUI I was able to set an impossible configuration that could never work, where the interface's IPv6 subnet and the SLAAC delegated subnet don't overlap. I get a /56 from my ISP so have a lot of /64 subnets to work with.
 
This would be like having your own IPv4 interface address and the default gateway not on the same subnet as determined by the mask.
 
Interface: VL6-INTERNAL (my internal VLAN)
IPv6 addressing mode: [Delegated]
IPv6 upstream prefix [wan1]
IPv6 subnet [::6:0:0:0:1/64]  <-- the "6" is the important part
 
Later in Stateless Address Auto-configuration (SLAAC):
IPv6 delegated prefix list [On]
Upstream interface [wan1]
subnet [0::/64] <-- this is wrong
 
I misread the last "subnet" part to be just a mask, so this generated incompatible addresses:
 
XXXX:XXXX:XXXX:XXXX /64 mask
                  v
2600:1111:1111:1106::1/64  <-- interface address
2600:1111:1111:1106::7/64  <-- valid delegated address
2600:1111:1111:1100::7/64  <-- invalid delegated address
 
The subnet of [0::/64] put a 0 in the lowest digit of the network part when it should have been a 6: I clearly did this wrong, but it seems that Fortigate should have noted that the SLAAC subnet didn't "fit" in the interface's subnet.
 
I should have put 0:0:0:6::/64 in the subnet part
 
This would have saved me several hours plus a tech support call.
 
Second, I have a new FortiAP 221E running 6.0.x (the last one in the series). It would simply never go online until I upgraded it to 6.2 something. I'm sure this was documented somewhere, but I didn't see it and burned a LOT of time on it.
 
EDIT: I just found this thread https://forum.fortinet.com/tm.aspx?m=195451&tree=true that would have saved me a lot of time on the FortiAP thing. Sigh.
post edited by SJFriedl - 2021/04/12 09:51:21
#7
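The mismatch described in post #7 can be checked mechanically. The following is an added example, not part of the thread and not FortiOS code: it assumes the firewall overlays the locally configured subnet bits onto the ISP-delegated prefix (a model inferred from the addresses in the post), and the function names `combine` and `check_slaac` are hypothetical.

```python
import ipaddress

def combine(delegated: str, local: str) -> ipaddress.IPv6Interface:
    """Overlay locally configured bits onto the ISP-delegated prefix.

    Assumption: bits covered by the delegated prefix come from the ISP,
    the remaining bits come from the local 'subnet' field.
    """
    prefix = ipaddress.IPv6Network(delegated)
    cfg = ipaddress.IPv6Interface(local)
    if cfg.network.prefixlen < prefix.prefixlen:
        raise ValueError("local subnet is wider than the delegated prefix")
    local_bits = int(cfg.ip) & int(prefix.hostmask)
    addr = int(prefix.network_address) | local_bits
    return ipaddress.IPv6Interface((addr, cfg.network.prefixlen))

def check_slaac(delegated: str, iface_subnet: str, slaac_subnet: str) -> dict:
    """Report whether the SLAAC-advertised prefix is the interface's own /64."""
    iface = combine(delegated, iface_subnet)
    slaac = combine(delegated, slaac_subnet).network
    return {
        "interface": str(iface),
        "slaac_prefix": str(slaac),
        "consistent": slaac == iface.network,
    }

if __name__ == "__main__":
    # Values taken from the example addresses in the post (/56 from the ISP).
    delegated = "2600:1111:1111:1100::/56"
    for slaac in ("0::/64", "0:0:0:6::/64"):
        print(slaac, check_slaac(delegated, "::6:0:0:0:1/64", slaac))
```

Run against the two settings from the post, the `0::/64` entry yields a SLAAC prefix outside the interface's /64, while `0:0:0:6::/64` matches it.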
Alfred Cruz
Re: FortiOS 7.0 2021/04/12 11:46:16 (permalink)
0
Thanks Markus!
#8
Alfred Cruz
Re: FortiOS 7.0 2021/04/12 11:49:50 (permalink)
0
"The early 6.4 releases kind of traumatized me, ha."  LOL !
 
I upgraded one of my 80E and so far I've had no problems (crossing my fingers).  But I did lose connection to my FortiManager.  I was told by support that FortiManager firmware version 7 will not come out until next week, oh well...
#9
Alfred Cruz
Re: FortiOS 7.0 2021/04/12 11:55:14 (permalink)
0
Thanks SJFriedl !
#10
Alfred Cruz
Re: FortiOS 7.0 2021/04/12 11:56:32 (permalink)
0
Thanks Yurisk!
#11