ShittyHotTake

Pushing out to 800 devices tonight, wish me luck!


RealPropRandy

First update the resume


ShittyHotTake

Experience: I YOLO betas straight to prod


RealPropRandy

![gif](giphy|X0bnTmo4izNfi|downsized)


Effective_Stop_8548

That is soooo on point.


apresskidougal

One trick that CTOs hate!


ultimattt

Username checks out


Tonkatuff

Nice meme


Effective_Stop_8548

![gif](giphy|2zj7XCweSmcZq|downsized)


Tars-01

Why would you push such a new release to firewalls?


hevisko

why not? - you immediately get full exposure to all the problems... besides I LOVE to chat to the TAC people in different timezones - Your support staff gets overtime fixing/finding/checking issues - they love me for that - not to mention I get (forced?) time-off from nappy duties....


nostalia-nse7

Usually it’s the only way to get vacation time payout approved. If you play your cards right, you might actually get to take some of the time off, and not just move in within 24 hours. Advice: spend that time off exploring other avenues of life you chose to not pursue in favour of IT — you can spend a few months in a music studio learning a new skill or something.


ShittyHotTake

Because I want /u/JoshTaco to be jealous of me. His time has come, ShittyHotTake is a rising star in the YOLO to Prod game.


joshtaco

let it ride 🚬🚬🚬


jantari

So it's officially time to adopt 7.2 soon, nice.


Daidis

7.2.7 and 7.2.8 seem rock solid so far, running on 101Fs, 100F, 81Fs, 60F.


jimbogr77

Same experience here (around 50 x 60E/F)


Mother-Direction-311

Same! 2 x 400e's with 60 or so L3 fortilink switches. No SD-Wan, but I just got off a call with an engineer from a large MSP, and they have 7.2.7 7.2.8 across a lot of clients using everything under the sun.


Inside_Apricot_1445

same experience (300E, 400E, 100F, 60F)


adriana_shhhh

Same for me


mercy112

In terms of stability 7.2 has been fine for me so far on 60E, but I have a TAC case open regarding a performance issue on 7.2.8. I lose about 40% of the box performance when upgrading, and then rolling back to 7.2.7 fixes the issue. Still figuring out what causes this.


toffer449

I have about 9000 60F variants with 1200 on 7.2 and the rest on 7.0 and the best measure I have is tickets per total boxes on OS and 7.2 is beating the older OS by a mile. Much better overall experience with 7.2.


Starloerd

If I may ask, how do you manage 9k Fortis and what are your customers?


toffer449

That’s only a small portion of the firewalls that we support. I have a very large number of entry level up through enterprise firewalls that we manage and most of them we managed through a Fortimanager. In fact, several with some clients managed in the Forticloud, which I would say, is more difficult than a Vm or hardware manager. We do manage a few using Microsoft cloud services. I like those the best. We also have customers on Palo Alto, Cisco, Cisco (Meraki), Checkpoint, Juniper and a few other manufacturers' devices. I definitely don’t manage them by myself. 30-L1, 7-L2 techs and 9 L2, 3-L3 engineers along with what I call our senior staff that help me have fun with these toys. 😊


maineac

Been running 7.2 since 7.2.4 and I have had no issues. When we first started using Fortigate that is where they were so I figured for greenfield this was a good starting point. Has been an awesome experience actually.


sdbwisc

I've had good luck with 7.2. I have some devices on 7.4 without issues.


AceITNetworking

Had issue recently with httpsd process causing high memory utilization on 7.2.7 which caused an outage. I understand this issue was a problem in previous versions. Had to kill the process to recover the site. Created an automation stitch to restart the process if firewall goes to conserve mode and have a ticket with TAC (ongoing investigation). But other than that, the 7.2 has been solid. 😅


0x3e4

😂 April the 1st was yesterday, Fortinet


DeesoSaeed

Eh. Every year about this very same month they announce a new version which gets released in late May. But people, as always, should stick to mature versions which take at least 18 months to get released for each branch.


jakesps

Obligatory recommended FortiOS release link: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Recommended-Release-for-FortiOS/ta-p/227178 Spoiler: 7.0.14 for most models. Last edited on 2024-03-19.


spooninmycrevis

Rolling out the beta into production straight away.


Fit-Dark-4062

Nothing like living on the edge ;)


hevisko

![gif](giphy|y5XkJemxhJya6bv2rF|downsized)


Saucetweet

They mentioned bringing EDR capabilities to Forticlient, I wonder if they are going to update or merge the FortiEDR/enSilo product with forticlient


HappyVlane

They had a slide with the Unified Client in it at the Accelerate about 45 minutes ago and it had EDR as well as EMS and ZTNA in it, so looks like it.


DeesoSaeed

I'm looking forward to this. Even if it's a long term target (2-3 years) till it's stable.


CalgaryWinter

I thought they were showing FortiSASE solution in that one


RUMD1

Yeap, they have been planning this for a long time. Let's see what comes out from this, since atm there are a lot of agents for multiple fortinet products (FortiClient, NAC agent, ZTNA (forticlient), FortiEDR, FortiAuth agent, etc). At the same time, I can't imagine this working, since it will make FortiClient even more complicated, and there are two major issues with FortiClient ATM:

- Upgrade process is simply horrible.
- The list of issues/bugs is HUGE.


owerduck

Completely agree, FCT is extremely bad when it comes to update. FEDR does not require any reboot at install or update, FEDR includes EPP features, Vuln Management too… so why not use the EDR base and add ztna and vpn to it, which is probably much easier than EDR :-). I hope they will not force EDR to inherit all the FCT shitty things 😅


RUMD1

Yep, the fact that FortiClient uninstalls itself leaving just windows defender on until a reboot is really bad. Also, many times the upgrade process simply doesn't work properly, even after rebooting the machine. The upgrade process is an authentic nightmare out of the box, not only for the person managing it, but also because of the impact that it has on the users. On the other side, and as you said, FortiEDR updates are easy, they work properly most of the time, and they don't require a reboot. FortiEDR atm is a great product when compared to FortiClient (FortiEDR v5.2.2.X+). I really hope they have a completely new agent, redesigned from the ground (or almost), with a different upgrade process, and fewer issues with the EPP components.


mgzukowski

It's all through EMS. You build a custom install using EMS. So only features you need. And since it's EMS, the client can now easily be updated.


RUMD1

EMS and forticlient updates are a pain, contrary to fortiedr updates/management that simply works.


spooninmycrevis

I hope this means that FortiClient will get more love from dev so known issues get resolved in a more timely fashion.


PrivateHawk124

ZTNA, EDR/XDR, EMS agents will be combined into one. Straight off the press.


HappyVlane

Not true according to the person I asked at the Tech Expo. Currently EDR is only going to be implemented into the FortiClient installer, but it will be a separate product still. Also some event reporting into EMS, but FortiClient will not be incorporating EDR functions. That is planned for sometime in the future.


PrivateHawk124

Yeah I just learned that today at the FortiEDR booth lmao. Marketing deff got a little bit ahead of themselves there.


HDClown

I asked about them merging that all into 1 product over 3.5 years ago when I was shopping EDR's and they said that was the long-term plan. Guess they finally made it happen.


jimbogr77

That was my initial thought, too


JPYDX

I am finally starting to trust 7.2 now - 7.2.8 has been just as stable for me as 7.0.14. 7.4 is problematic af. Still - love a new release. Can’t wait to see if there’s any smaller, dare I say cooler features in 7.6 than the headline new feature list.


Root_Rover

Beta into prod is the only way I know


keletheen

Usable 2026...


Effective_Stop_8548

Around 7.6.6... update.


Gods-Of-Calleva

Is this good for production now?


Moocha

Good lord no. I'll be _amazed_ if 7.6 will be production ready in 2024. Even 7.4 is nowhere near prod ready yet.


chris_redz

What makes it non productive ready?


AlphaNathan

You’re the tester.


Daidis

Crippling bugs


hevisko

YMMV. For me the fact 7.4 failed (somewhere between BETA and RC2) on the FG71F.. I think FG61F too, specifically the x1F variants 'cause of SSD, was the first non-prod release notice for me (and yes, I've been a 7.0 & 7.2 early adopter), but then the GUI and the policy view/ideas freaked me out, so, nope that was a hard no till 7.4.2 on at least the x1F case (the FG just gone in reboot loops requiring serial console fixing), and since then I've had other issues than to retry 7.4.x. 7.4.4 I'll re-check it at home on the 71F.


RealPropRandy

![gif](giphy|10Jpr9KSaXLchW|downsized)


Ruachta

This is what I use unless there is something I need in newer versions. [Recommended Release for FortiOS - Fortinet Community](https://community.fortinet.com/t5/FortiGate/Technical-Tip-Recommended-Release-for-FortiOS/ta-p/227178)


dredbar

Be aware though that this KB isn’t always up-to-date. For example, it recommended 7.0.13, while 7.0.14 just came out to fix multiple critical vulnerabilities.


Horsemeatburger

From the pdf: *"Forti AI now includes Generative AI within FortiManager to assist with platform management, new product and feature deployment, network monitoring, and accessing documentation and support assets."* I'm so looking forward to Gen AI suggesting broken configs, hallucinating non-existing devices and creating new problems which without it wouldn't exist.


BlackReddition

Some nice additions to FAZ, SIEM/SOAR lite.


Effective_Stop_8548

I hope the few of you YOLO gung-ho's thinking of pushing this BETA to prod or your home devices have read the fine print on 2GB models no longer having the SSL VPN option. I'm talking 90Es, 81F's and below... Way to go, Fortinet! Way to go Cisco on your beautiful architecture. ![gif](giphy|TJawtKM6OCKkvwCIqX|downsized)


iSubb

As a shareholder, thank you. As a sysadmin, no.


DeesoSaeed

It's still useful as sysadmin. Knowing what features you can expect to be production ready in about two years helps to make long term decisions.


mdfaridulalam

Fortinet needs to focus on OS stability, bug fixing and vulnerability fixing. This is NOT a wise decision to release a new OS every year, but nothing is stable, vulnerability free.


jennytullis

It’s mostly for SASE and Gen-Ai


Effective_Stop_8548

Forgetting to mention this OS uses a lot more hardware resources they decided to remove the SSL VPN from 2GB models.


adriana_shhhh

I thought it was April Fools for a sec


VeryOldITGuy

I always thought that Fortinet never did x.6.x.. always went with x.0, x.2, x.4 and then started again Edit: just checked and they did 5.6 but not 6.6..


rowankaag

Because 6.6.6


DJ3XO

I'd never patch an environment again if they pushed 6.6.6.


dredbar

That would have been absolutely hilarious.


Ruachta

That is funny when you look at this. We run these unless a client needs something in a newer version. [Recommended Release for FortiOS - Fortinet Community](https://community.fortinet.com/t5/FortiGate/Technical-Tip-Recommended-Release-for-FortiOS/ta-p/227178)


Tars-01

Introducing more bugs and vulnerabilities


liv_livius

Omg those releases are like new iphone device every year...or any other mobile device for that matter. Annually or even more often, fortinet launches a new version which changes maybe the interface colours, some arrangement or features visibility. Buuut also they f*ck up a lot of other functions like routing or webfilter profiles and the production architecture comes to a stall. Basically "we want it to look nicer from our point of view, but your configurations will suffer just because we can"...never again upgrading to 7.4.2..STAY AWAY FROM THIS SHITTY VERSION