FortiOS 7.0

Has anyone upgraded their firmware to version 7 yet?

I'm still not ready to do it even at home.  The early 6.4 releases kind of traumatized me, ha.  Any cool stuff you've found that would justify the upgrade?

Xaxa, Let's Encrypt is the indeed most spoken about feature, as if the money was the only reason people didn't use proper SSL certificates until now ... which you could/can buy for 8-10$ a year basically )))
Somehow noone thinks that SSL certificates issued via LEt's Encrypt are logged forever and are visible to the whole Internet  - easiest way to enumerate all your certifates/web sites especially internal ones. Makes an interesting reading searching with automated tools for Let's Encrypt certs for *.gov, domains ))

I've done this. I had an old FG 60D on my home network, replaced it with a 60F so jumped up to the latest 7.0 so I could start learning it and many of the more advanced features of Fortigate I'd never gotten around to.
 
Two things caused me some pain, most of which were probably my own fault, and may not necessarily be related to 7.0 (the 60D only ran up to 6.0).
 
First, I've been using IPv6 at home for a long time, my 60D didn't have the prefix delegation stuff in the GUI so I had done it all in the CLI.  So doing it in the GUI I was able to set an impossible configuration that could never work, where the interface's IPv6 subnet and the SLAAC delegated subnet don't overlap. I get a /56 from my ISP so have a lot of /64 subnets to work with.
 
This would be like having your own IPv4 interface address and the default gateway not on the same subnet as determined by the mask
 
Interface: VL6-INTERNAL (my internal VLAN)
IPv6 addressing mode: [Delegated]
IPv6 upstream prefix [wan1]
IPv6 subnet [::6:0:0:0:1/64]  <-- the "6" is the important part
 
Later in Stateless Address Auto-configuration (SLAAC):
IPv6 delegated prefix list [On]
Upstream interface [wan1]
subnet [0::/64] <-- this is wrong
 
I misread the last "subnet" part to be just a mask, so this generated incompatible addresses:
 
XXXX:XXXX:XXXX:XXXX /64 mask
                  v
2600:1111:1111:1106::1/64  <-- interface address
2600:1111:1111:1106::7/64  <-- valid delegated address
2600:1111:1111:1100::7/64  <-- invalid delegated address
 
The subnet of [0::/64] put a 0 in the lowest digit of the network part when it should have been a 6: I clearly did this wrong, but it seems that Fortigate should have noted that the SLAAC subnet didn't "fit" in the interface's subnet.
 
I should have put 0:0:0:6::/64 in the subnet part
 
This would have saved me several hours plus a tech support call.
 
Second, I have a new FortiAP 221E running 6.0.x (the last one in the series). It would simply never go online until I upgraded it to 6.2 something. I'm sure this was documented somewhere, but I didn't see it and burned a LOT of time on it.
 
EDIT: I just found this thread https://forum.fortinet.com/tm.aspx?m=195451&tree=true that would have saved me a lot of time on the FortiAP thing. Sigh.

"The early 6.4 releases kind of traumatized me, ha."  LOL !
 
I upgraded one of my 80E and so far I've had no problems (crossing my fingers ?)  But I did loose connection to my FortiManager.  I was told by support that FortiManager firmware version 7 will not come out until next week, oh well...

Thanks Yurisk!