Next Generation Firewall (NGFW)

Hello All,

We have been told upgrade our 100F running 6.2.3 to 6.2.10 to fix a SSLVPN DHCP issue. I have been reading and a lot of the suggestions are to go with the 6.4.x train. I was wondering if anyone had any issues with moving from 6.2 to 6.4 and if moving to 6.4 is the correct thing to do.

We are running 2 100F's in an HA pair and I would break the HA pair, upgrade one of the 100F's to the latest firmware version (either 6.2.10 or 6.4.8), schedule some downtime and put the upgraded 100F in service to give me a fall-back plan in case there is some issue with the firmware upgraded version.

Thanks for your time,
Matt

The 6.4 train has been very good.  One of my customers has been running 6.4.8 on a pair of 1800F's for a few months and it's been solid.

I also have a 100F that has been stable since 7.0.5.  I had severe issues with 7.0.2 and 7.0.3 and had to stay on 7.0.1 for a while but everything has been stable in the three weeks since going to 7.0.5.

Regarding your fallback plan another option would be to leave the HA pair intact but download the 6.2.3 image from the Fortinet support site and keep it on hand and proceed with upgrading to 6.4.8 (there will be multiple upgrades required from 6.2.3), taking a backup of the config at each upgrade along the way.  Then, if you have any trouble with 6.4.8, simply load 6.2.3 and restore the config you saved from 6.2.3.
Original Message:
Sent: Mar 03, 2022 07:47 AM
From: Matt Mackey
Subject: Upgrading 100F running 6.2.3 to either 6.2.10 or 6.4.8

Hello All,

We have been told upgrade our 100F running 6.2.3 to 6.2.10 to fix a SSLVPN DHCP issue. I have been reading and a lot of the suggestions are to go with the 6.4.x train. I was wondering if anyone had any issues with moving from 6.2 to 6.4 and if moving to 6.4 is the correct thing to do.

We are running 2 100F's in an HA pair and I would break the HA pair, upgrade one of the 100F's to the latest firmware version (either 6.2.10 or 6.4.8), schedule some downtime and put the upgraded 100F in service to give me a fall-back plan in case there is some issue with the firmware upgraded version.

Thanks for your time,
Matt

Thanks Mark. How easy is it to load an older version of firmware? It looks like as long as I have the 6.2.3 firmware file I can downgrade through the GUI.
Original Message:
Sent: Mar 04, 2022 12:45 PM
From: Mark Bell
Subject: Upgrading 100F running 6.2.3 to either 6.2.10 or 6.4.8

The 6.4 train has been very good.  One of my customers has been running 6.4.8 on a pair of 1800F's for a few months and it's been solid.

I also have a 100F that has been stable since 7.0.5.  I had severe issues with 7.0.2 and 7.0.3 and had to stay on 7.0.1 for a while but everything has been stable in the three weeks since going to 7.0.5.

Regarding your fallback plan another option would be to leave the HA pair intact but download the 6.2.3 image from the Fortinet support site and keep it on hand and proceed with upgrading to 6.4.8 (there will be multiple upgrades required from 6.2.3), taking a backup of the config at each upgrade along the way.  Then, if you have any trouble with 6.4.8, simply load 6.2.3 and restore the config you saved from 6.2.3.
Original Message:
Sent: Mar 03, 2022 07:47 AM
From: Matt Mackey
Subject: Upgrading 100F running 6.2.3 to either 6.2.10 or 6.4.8

Hello All,

We have been told upgrade our 100F running 6.2.3 to 6.2.10 to fix a SSLVPN DHCP issue. I have been reading and a lot of the suggestions are to go with the 6.4.x train. I was wondering if anyone had any issues with moving from 6.2 to 6.4 and if moving to 6.4 is the correct thing to do.

We are running 2 100F's in an HA pair and I would break the HA pair, upgrade one of the 100F's to the latest firmware version (either 6.2.10 or 6.4.8), schedule some downtime and put the upgraded 100F in service to give me a fall-back plan in case there is some issue with the firmware upgraded version.

Thanks for your time,
Matt

Correct, it's very easy to downgrade.  Go to System -> Firmware and upload the 6.2.3 image, which will trigger a reboot.  After the unit comes back up, restore your 6.2.3, which will trigger another reboot and that's it.
Original Message:
Sent: Mar 07, 2022 08:03 AM
From: Matt Mackey
Subject: Upgrading 100F running 6.2.3 to either 6.2.10 or 6.4.8

Thanks Mark. How easy is it to load an older version of firmware? It looks like as long as I have the 6.2.3 firmware file I can downgrade through the GUI.
Original Message:
Sent: Mar 04, 2022 12:45 PM
From: Mark Bell
Subject: Upgrading 100F running 6.2.3 to either 6.2.10 or 6.4.8

The 6.4 train has been very good.  One of my customers has been running 6.4.8 on a pair of 1800F's for a few months and it's been solid.

I also have a 100F that has been stable since 7.0.5.  I had severe issues with 7.0.2 and 7.0.3 and had to stay on 7.0.1 for a while but everything has been stable in the three weeks since going to 7.0.5.

Regarding your fallback plan another option would be to leave the HA pair intact but download the 6.2.3 image from the Fortinet support site and keep it on hand and proceed with upgrading to 6.4.8 (there will be multiple upgrades required from 6.2.3), taking a backup of the config at each upgrade along the way.  Then, if you have any trouble with 6.4.8, simply load 6.2.3 and restore the config you saved from 6.2.3.
Original Message:
Sent: Mar 03, 2022 07:47 AM
From: Matt Mackey
Subject: Upgrading 100F running 6.2.3 to either 6.2.10 or 6.4.8

Hello All,

We have been told upgrade our 100F running 6.2.3 to 6.2.10 to fix a SSLVPN DHCP issue. I have been reading and a lot of the suggestions are to go with the 6.4.x train. I was wondering if anyone had any issues with moving from 6.2 to 6.4 and if moving to 6.4 is the correct thing to do.

We are running 2 100F's in an HA pair and I would break the HA pair, upgrade one of the 100F's to the latest firmware version (either 6.2.10 or 6.4.8), schedule some downtime and put the upgraded 100F in service to give me a fall-back plan in case there is some issue with the firmware upgraded version.

Thanks for your time,
Matt

I concur on 6.4.8 being very stable. The lowest risk will be going to 6.2.10. There are also a few security reasons to push up from 6.2.3 to 6.210. You can address your bug issue then plan out the move to 6.4.8 or as Mark said just keep the backups at each point. I like to push up from one code line such as 6.2 to 6.4 only when all starts off running fine and I need a feature, or I deem it is time. I am moving a final group of firewalls this weekend from 6.2.10 to 6.4.8. I have another group on 7.0.5 and all are fine so far but won't move the 6.4.8 ones to 7.0 till more like 7.0.8 unless I need a feature in 7.0.
Original Message:
Sent: Mar 03, 2022 07:47 AM
From: Matt Mackey
Subject: Upgrading 100F running 6.2.3 to either 6.2.10 or 6.4.8

Hello All,

We have been told upgrade our 100F running 6.2.3 to 6.2.10 to fix a SSLVPN DHCP issue. I have been reading and a lot of the suggestions are to go with the 6.4.x train. I was wondering if anyone had any issues with moving from 6.2 to 6.4 and if moving to 6.4 is the correct thing to do.

We are running 2 100F's in an HA pair and I would break the HA pair, upgrade one of the 100F's to the latest firmware version (either 6.2.10 or 6.4.8), schedule some downtime and put the upgraded 100F in service to give me a fall-back plan in case there is some issue with the firmware upgraded version.

Thanks for your time,
Matt

Thanks Peter. I was thinking of taking this time to get on the 6.4.x since the upgrade path seems to be the same amount of firmware upgrades for 6.2.10 and 6.4.8. 
Hope your upgrades went well this weekend
Original Message:
Sent: Mar 04, 2022 12:58 PM
From: Peter Cook
Subject: Upgrading 100F running 6.2.3 to either 6.2.10 or 6.4.8

I concur on 6.4.8 being very stable. The lowest risk will be going to 6.2.10. There are also a few security reasons to push up from 6.2.3 to 6.210. You can address your bug issue then plan out the move to 6.4.8 or as Mark said just keep the backups at each point. I like to push up from one code line such as 6.2 to 6.4 only when all starts off running fine and I need a feature, or I deem it is time. I am moving a final group of firewalls this weekend from 6.2.10 to 6.4.8. I have another group on 7.0.5 and all are fine so far but won't move the 6.4.8 ones to 7.0 till more like 7.0.8 unless I need a feature in 7.0.
Original Message:
Sent: Mar 03, 2022 07:47 AM
From: Matt Mackey
Subject: Upgrading 100F running 6.2.3 to either 6.2.10 or 6.4.8

Hello All,

We have been told upgrade our 100F running 6.2.3 to 6.2.10 to fix a SSLVPN DHCP issue. I have been reading and a lot of the suggestions are to go with the 6.4.x train. I was wondering if anyone had any issues with moving from 6.2 to 6.4 and if moving to 6.4 is the correct thing to do.

We are running 2 100F's in an HA pair and I would break the HA pair, upgrade one of the 100F's to the latest firmware version (either 6.2.10 or 6.4.8), schedule some downtime and put the upgraded 100F in service to give me a fall-back plan in case there is some issue with the firmware upgraded version.

Thanks for your time,
Matt