Yet another Fortinet question - 7.4.3 OK to install?

I'm asking in light of the recent vulnerabilities that we're seeing, but also just in general. I just updated my 80F to 7.2.7 (the 'mature' firmware, whatever that means).

I see the option to upgrade to 7.4.3; I won't pull the trigger on it, of course, until I am onsite with the hardware. My switches are already at 7.4.2 and working fine, I have some newer FortiAPs at 7.4.0 and some older ones at 7.2.0.

I saw one Reddit thread where there seems to have been some wackiness with SD-WAN when going to the 7.4.0 level, but that was only one thread and people seemed to be able to work through it. In my case the SD-WAN is only for internet redundancy, no site-to-site VPN or anything.

Anything I should be concerned about here, or is it full speed ahead after taking a backup?
 

Paladin

Ars Legatus Legionis
32,552
Subscriptor
If there is a patched 7.2.x release, I would generally recommend that first, but if the next release is the 7.4.3 one and it is showing as available in the device management interface, it should be fine.

Read the release notes for 7.4 before you proceed just to make sure there are no feature or configuration changes that might cause you problems. Other than that, it should be fine.
 

oikjn

Ars Scholae Palatinae
969
Subscriptor++
Personally, I would stick to 7.2.7 for now and wait on going to the 7.4.x.

I moved a few small remote sites to 7.4 a bit ago to see how they worked out and didn't run into any problems, but my primary site is still on the 7.2 chain. Given the rush and limited scope of the 7.4.3 / 7.2.7 updates, I wouldn't trust them much at all... seems like we really need to update them if you are using SSL VPNs, but this would not be the update I would choose to jump from 7.2.x to 7.4.x.

I like Fortinet and all their features, but I've been burnt too many times not to be cautious here. I like the 7.4 features, but I don't think there are any for us that were critical, so I'm holding off until at least 7.4.5 or 7.4.6.
 

oikjn

Ars Scholae Palatinae
969
Subscriptor++
Given it's listed as actively exploited in the wild, I would update to 7.2.7 now if they are using SSL VPN on the default ports. If you moved it, then maaaaybe I would wait. I don't know about you, but with SSL VPN on the default ports I see thousands of failed attempts every day against the VPN and I wouldn't want to leave that open too long.
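To put a number on the "thousands of failed attempts" mentioned above, here is an added example (not the poster's code) that tallies SSL-VPN login failures per source address from FortiOS-style event-log lines and surfaces sources that are spraying many usernames. The field names (subtype, action="ssl-login-fail", remip, user) are assumed from FortiOS log conventions, and all sample lines and addresses are constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in FortiOS-style key=value event-log syntax.
# Field names (subtype, action, remip, user) are assumed; every value is made up.
SAMPLE_LOGS = [
    'date=2024-02-10 time=02:11:05 type="event" subtype="vpn" level="alert" action="ssl-login-fail" remip=203.0.113.10 user="admin" reason="sslvpn_login_unknown_user"',
    'date=2024-02-10 time=02:11:09 type="event" subtype="vpn" level="alert" action="ssl-login-fail" remip=203.0.113.10 user="test" reason="sslvpn_login_unknown_user"',
    'date=2024-02-10 time=02:11:14 type="event" subtype="vpn" level="alert" action="ssl-login-fail" remip=203.0.113.10 user="root" reason="sslvpn_login_unknown_user"',
    'date=2024-02-10 time=02:11:20 type="event" subtype="vpn" level="alert" action="ssl-login-fail" remip=203.0.113.10 user="guest" reason="sslvpn_login_unknown_user"',
    'date=2024-02-10 time=03:40:01 type="event" subtype="vpn" level="alert" action="ssl-login-fail" remip=198.51.100.7 user="jsmith" reason="sslvpn_login_permission_denied"',
    'date=2024-02-10 time=08:02:33 type="event" subtype="vpn" level="information" action="ssl-login" remip=192.0.2.5 user="jsmith" reason="login successfully"',
    'date=2024-02-10 time=08:03:00 type="event" subtype="system" level="information" action="login" user="admin" msg="Administrator admin logged in successfully from https(192.0.2.9)"',
]

# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_fortios_line(line):
    """Split one key=value log line into a dict, dropping the quotes around values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def failed_sslvpn_logins(lines):
    """Count SSL-VPN login failures per source IP and record the usernames tried."""
    counts = Counter()
    users = defaultdict(set)
    for line in lines:
        rec = parse_fortios_line(line)
        if rec.get("subtype") != "vpn" or rec.get("action") != "ssl-login-fail":
            continue  # successful logins and non-VPN events are ignored
        src = rec.get("remip", "unknown")
        counts[src] += 1
        users[src].add(rec.get("user", "unknown"))
    return counts, users


def noisy_sources(lines, threshold=3):
    """Sources at or above the failure threshold, with the distinct usernames they tried.
    One IP cycling through many usernames is the pattern worth alerting on."""
    counts, users = failed_sslvpn_logins(lines)
    return {src: (n, sorted(users[src])) for src, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for src, (n, names) in noisy_sources(SAMPLE_LOGS).items():
        print(f"{src}: {n} failed SSL-VPN logins, usernames tried: {', '.join(names)}")
```

On a real box the same logic applies to the output of a syslog export of the VPN event log; the threshold is deliberately low here because the sample is tiny.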
 

Paladin

Ars Legatus Legionis
32,552
Subscriptor
I'm staying on 7.2.x for now as I had tried 7.4 and had some VPN issues (IKEv2) that their support could not fix without a command-line mess that would get undone if you touched the VPN GUI at all. Basically their support said don't use 7.4 until it is marked mature or you have a good chance to test for more issues. The versions they recommend are a bit different based on the actual model in use though; mine was for a 90E and 400F.
 
> I'm staying on 7.2.x for now as I had tried 7.4 and had some VPN issues (IKEv2) that their support could not fix without a command-line mess that would get undone if you touched the VPN GUI at all. Basically their support said don't use 7.4 until it is marked mature or you have a good chance to test for more issues. The versions they recommend are a bit different based on the actual model in use though; mine was for a 90E and 400F.
Is that IPSec VPN, or are you talking about SSL-VPN?
 

Tobold

Ars Scholae Palatinae
1,010
Subscriptor++
We never really need the cutting edge features, so I would never go to the latest major release. They often don't seem to stabilize until the .4-.6 release, and going early is a recipe for breaking random stuff that you thought would have stabilized years ago. The 7.0 series had massive memory leak issues for many releases. The 7.2 series was more functional at least, but even 7.2.5 had major IPSec VPN fixes. You're best off being conservative with Fortinet.
 

blubyu

Seniorius Lurkius
7
Subscriptor
I live on the bleeding edge so you don't have to be :)

I currently am running 7.4.3 on all my firewalls throughout my org (about 35). Below is the list of issues:

FortiAP-W2 will randomly go offline (221Es in our case). This hasn't been a huge issue for us since we only have three. They do go offline almost every night though. We check them first thing in the morning and reset the PoE if they are offline. This is fixed in 7.4.4.

IPsec VPN... I have had to turn off replay detection. We have some firewalls that have the NP6xlite chip... those cause errors in the replay detection. The only way to keep the tunnels up was to turn it off. This is fixed in 7.4.4.

If you are running 7.4.3 on your gates and 7.4.x on your switches... don't :) Revert your switches back to 7.2.x. The switches will stop receiving the config downloads from the gates. Change a port through the GUI on the gate and it won't get synced down to the switch. You can get on the switch and restart the HTTP daemon and the configs will start syncing... but they will eventually stop again. This doesn't happen with every switch on 7.4.x, but enough of them that we started to revert our switches back.

I have had no issues with any of my SD-WAN interfaces and I make heavy use of those, both for Internet traffic (dual ISP connections) and as failover IPsec connections.

We have a mix of firmwares for all of our devices. All of the gates are at 7.4.3 but the switches range anywhere from 7.0 to 7.4.2. Same for the APs... most are at 7.4 but there are some at 7.2.x and a couple I just saw that are still on 7.0.

I would say 7.4 hasn't been that bad for me. We started on 7.4.1 and haven't had any significant impact on our day to day use. I will be installing 7.4.4 on all my devices in the next couple of weeks.
 
> I live on the bleeding edge so you don't have to be :)
>
> I currently am running 7.4.3 on all my firewalls throughout my org (about 35). Below is the list of issues:
>
> FortiAP-W2 will randomly go offline (221Es in our case). This hasn't been a huge issue for us since we only have three. They do go offline almost every night though. We check them first thing in the morning and reset the PoE if they are offline. This is fixed in 7.4.4.
>
> IPsec VPN... I have had to turn off replay detection. We have some firewalls that have the NP6xlite chip... those cause errors in the replay detection. The only way to keep the tunnels up was to turn it off. This is fixed in 7.4.4.
>
> If you are running 7.4.3 on your gates and 7.4.x on your switches... don't :) Revert your switches back to 7.2.x. The switches will stop receiving the config downloads from the gates. Change a port through the GUI on the gate and it won't get synced down to the switch. You can get on the switch and restart the HTTP daemon and the configs will start syncing... but they will eventually stop again. This doesn't happen with every switch on 7.4.x, but enough of them that we started to revert our switches back.
>
> I have had no issues with any of my SD-WAN interfaces and I make heavy use of those, both for Internet traffic (dual ISP connections) and as failover IPsec connections.
>
> We have a mix of firmwares for all of our devices. All of the gates are at 7.4.3 but the switches range anywhere from 7.0 to 7.4.2. Same for the APs... most are at 7.4 but there are some at 7.2.x and a couple I just saw that are still on 7.0.
>
> I would say 7.4 hasn't been that bad for me. We started on 7.4.1 and haven't had any significant impact on our day to day use. I will be installing 7.4.4 on all my devices in the next couple of weeks.
Wow, thank you so much for this feedback. I stopped reading about halfway through to post this... no 7.4 for me until it goes mature. Thanks!
 