Fortinet PLEASE Stop Doing This!

  • Published: Jul 8, 2024
  • Fortinet used to have a tried and true method to their madness. Release new GA code (.0 versions) for major releases and then spend the rest of the time patching the flaws and stability issues as the code matures. They have gotten away from this and it is causing shenanigans.

Comments • 107

  • @FortinetGuru 4 years ago +2

    What are some things that Fortinet is doing that you wish they would change? Post below and let's discuss!

    • @crsqt 4 years ago

      I would like them to finally and forever fix the update feature. It seemed to get better, but I've just set up a 30E and it just refuses to download and install newer versions. Had to upload along 3 versions manually following the update path.
      This is plaguing me on many devices since v5 when I first came in touch with FortiGates.

  • @davidwyman8833 4 years ago +13

    Could not agree more. The most important thing is stability, without that you have nothing.

  • @jasonseecharan7792 3 years ago +1

    I 100% agree with what you are saying; I can't tell you how much time I spend reading release notes to make sure I get customers on a stable release.
    What is even worse, when the customer contacts support they don't admit the software is broken, and do an entire workaround.
    This has happened for filters and SIP traffic mostly; now I am having issues with DNS resolutions where the customer would have to restart the firewall for it to work.

  • @mkolus 4 years ago +4

    I am working with Fortinet products at a partner for over 4 years, and I could not agree more. I also may add this:
    - Fix the goddamn documentation. Not just fill in the blanks, but the fact that there is some stuff in the docs and some other in KBs when it should be in one place.
    - Tech support: well, the intro of your other videos says it all. The usual stuff is “hello tac, I have a problem with VXLANs, here’s a wireshark capture that shows at offset xxx…”, and the reply is: “diagnose sys top”.
    - Pre-upgrade test: yeah, I know that there are release notes, but we can’t calculate mentally from such notes how the configuration will be converted, it’d be nice to just “preview” it before the upgrade.
    - Unlicensed VMs: the ones that we use at labs. Without a license they are very crippled (cannot add them to FortiManager, no VDOMS, five policies, etc.) to the point that they can’t be used with advanced stuff. Sure, I can request an evaluation license, but even when working at a gold partner this now seems to require a blood sample and a covid test.

  • @frankvanschijndel9080 4 years ago +2

    Every video makes me a better professional, all thanks to you Mike, keep doing what you love most. Thank you.

  • @FlorianZevedei 4 years ago +1

    Keep on doing what you love! Thanks for that huge input every video.

  • @gaz1978 4 years ago +1

    Couldn't agree more and it's not just Fortinet. From what I've seen this is a knock-on of more vendors moving to an agile process where developers rule the roost.
    When it comes to a Firewall that's the last thing we want. Like you said major releases for new features then smaller releases should just be bug fixes.
    Hopefully if this gains traction Fortinet can do something to fix this. Have you thought of linking to this video on LinkedIn? Much more likely to gain traction when account reps see people in their news feed sharing issues with Fortinet.

  • @RichardDePas 3 years ago

    Thank you for verbalizing this! I've been going nuts with upgrading sub-versions to fix a bug only to find more bugs.

  • @claudioi.villagra9163 3 years ago

    I'm new with Fortinet products... thanks for taking your time to explain concepts and solutions, I truly appreciate it!

  • @boris5059 4 years ago +4

    and answering your question: Exactly that's what they should change. Never knowing if a device is still doing what it's intended to, after every single update is a huge pain in the ass...(and makes the cost-efficient devices not so cost-efficient from an administrative point of view).

    • @Bill.Moller 4 years ago +1

      Yepp, Fortinet has trained me well to test EVERY network feature we rely on after EVERY firmware upgrade... Many times I've upgraded firmware, thought everything was fine, but then days later, I'll learn that the upgrade broke this or that... then I have to spend too much time fighting those fires.

  • @Q80Warlock 4 years ago +1

    I don't mind change but I hate sudden changes where I end up going back to the new version documentation and search for new CLI commands that replaced the older ones that basically served the same purpose. Also stability is very important I hate upgrading the firmware and finding out something got broken and I have to redo it again.

    • @FortinetGuru 4 years ago +1

      I love change, when it is expected. If they keep the changes in the .0 version of major releases then we should be safe. .1-.15 etc should be for stability and vulnerability resolutions.

  • @doowtnehpets 3 years ago

    I think what you're suggesting is great. The bugs in all the different versions of 6.2 have been awful. 6.2.3 TCP MSS issue when using PPPoE, broke all my streaming devices. 6.2.4, dumpster fire. 6.2.5, web filtering with flow mode policies basically stopped working. 6.2.6, got lots of IPSec tunnels? Yeah, those are gonna have issues. I'm not even sure what new features I received between all those updates that weren't on 6.2.0, all I know is the bugs caused major issues.

  • @DannyMaas 4 years ago +1

    Totally agree with you. One thing I also hate, is them changing FortiClient licensing every year. #StopThat

    • @FortinetGuru 4 years ago +1

      I think they haven't found the right flow for forticlient yet. I remember you used to be required to have a license for the EMS AND the FortiGate in order to have telemetry. They probably need to let some things bake a little longer before making them public.

    • @DannyMaas 4 years ago

      @@FortinetGuru Yes, definitely. Also had a lot of angry customers when they suddenly changed the telemetry license to only the maximum the appliance could hold. Not that bad when you have a 30D, but a 500E was not a joke to customers with 30 clients.

  • @sillonbono3196 4 years ago +1

    Most agreed! Fortinet is Fortinet's worst enemy.

    • @FortinetGuru 4 years ago

      They have the power to fix it though and I have faith that they will!

  • @jefflambert7513 3 years ago

    I can certainly understand the frustration and I'd be peeved too. I've noticed with all the bugs they fix there seems to be just as many if not more new bugs...I often wondered how that can be and why. I'm at 6.10 now, mainly because if I upgrade beyond this I lose my free 10 user FortiClient license. Had I known they were going to do this I would not have upgraded from the 60D to the 60F, but it is what it is. The 60F is for home and work, gets pretty expensive for all these licenses. Anyway as always, enjoyed the video.
    I don't know what the problem is with people regarding your hair, I thought it looks good.

  • @michaelkienast5914 3 years ago

    where did you get this t-shirt, I really need it :D

  • @laurentespert1205 2 years ago

    Hi Forti Guru
    I'm new in Forti stuff, intending to deploy Fortinet in my company.
    What would be according to you the recommended Version 7 release for a maximum of stability?
    Thanks :)

  • @lasersailing2k8 4 years ago

    I agree with you 100%. Only just this week I upgraded a customer from 6.0.6 to 6.2.4 and it broke SSL VPN group matching, Fortinet then advised to downgrade to 6.2.3. Also IPS seems broken on 6.2.3 on a LB VIP which was working perfectly fine on 6.0.6

  • @ggonzalez2689 4 years ago

    Hello; Been working with Fortinet's product for over 6 years now. I agree with you 100%. I had a major headache last week because a 100E (6.2.3) wouldn't assign the correct DNS servers (doing split DNS) whenever the user connected using the FortiClient.

    • @FortinetGuru 4 years ago +1

      Sorry you are experiencing that. Hopefully it gets resolved.

  • @vulcan6036 4 years ago +1

    Hi Mike, I agree with what you're saying. And I would expect that most of the engineers that work at Fortinet do too. These early releases should always be betas and come with an installation warning. I suspect even the Devs are screaming at the marketing teams... don't release it ... Give us more time..!!

  • @prestonvantreese6702 4 years ago

    Hi Mike, really enjoying your videos. I work for a service provider that has FortiGates out in the wild but managing them all centrally has been a challenge. Would you suggest using FortiCloud management? A video covering this topic would be very helpful. Thanks!

    • @FortinetGuru 4 years ago +1

      Forticloud is getting better and better every week. I still prefer FortiManager for wide deployments though.

  • @chriseddisford1834 4 years ago

    Could not agree more. This is why the ISP I work for currently operates 6.0.10 across the board.

  • @boris5059 4 years ago +1

    Word! :) I couldn't agree more!

  • @oleksandrlytvyn532 3 years ago +1

    What I really hate about new Firmware - they have "known issues", and when I read for example "Known issues" section of 6.4.4 - I have a huge question, why it's not getting fixed? They fix something here and there, but in the same time they add something here and there. But why you add something new, when there is huge "known issues" list?

  • @brylleflores8855 4 years ago +1

    I can relate to this.
    We are in a running environment then suddenly there was an issue for stability,
    which give us too many negative feedback from the customer and the management.
    I totally agree Guitarguru / FortinetGuru

  • @edodonnell9057 3 years ago +1

    All software vendors need to stop doing this.

  • @baaluramachandran3557 4 years ago +3

    Hello Sir. I'm watching all your videos. Thank you very much. Sir could you please upload Failover IPsec VPN Configuration. Means if Head Office One link (ISP) is down that time automatically up second link (ISP)

  • @maurixswaasaa 4 years ago +1

    i love ur videos, keep ur work

  • @jogervais 4 years ago

    I couldn't agree more, I back FTNT everyday in my professional life and we never had issues, but since 6.2 it's a joke, we are stuck at 6.0.10. It's not the only silly thing Fortinet have done lately but it's the most frustrating.

    • @FortinetGuru 4 years ago

      Very frustrating. I have faith they will right the ship but Lawd does it make me shake my head.

  • @Alk3fan22 4 years ago

    I agree! They should only release new features in the major release and the remaining sub revisions should be to stabilize the major release.

  • @felipecsp 4 years ago

    Totally agree! I have a FortiGate 200E completely unmanageable running FortiOS 6.2.3 (6.4.0 already available at the time) at 4:30AM with near to nobody consuming resources. No DoS, no high CPU, less than 20% of RAM usage. It simply stopped, 100 miles away from me, on a weekend, with my backup person on vacation. Since this, I'm simply afraid of being happy with all really interesting new features.

  • @AlainSylvestre 4 years ago +1

    That's funny. I laughed at the part about your hair. LOL. I agree with stability.

    • @FortinetGuru 4 years ago +2

      Absolutely. I get ragged about it but I’m alright with it 😂😂

  • @CarsAndGadgetsAu 4 years ago

    Spot on! Recently we've been dealing with some very wacky issues with AOVPN (Microsoft's Always On VPN - don't judge too harshly, it's a fit for the environment ATM and it's something we'll review going forward). Long story short, our MSP has kept on pushing us to go the latest version to fix the problem but have each time asked for the evidence that backs up their claims that it fixed our issues (slow SMB traffic over the VPN) but they kept coming back with "it should fix it" without any real evidence to which I said a big NO. Since we've gone down the Fortinet path (very recently I might add) we've made a strong point to read the release notes and honestly it's been horrifying when you read the known bugs section! We're on 6.2.3 code and are probably going to wait for 6.2.5 and re-evaluate then. Still working on the issue but I'm not upgrading unless it's for a very good reason.

  • @RowanKaag 4 years ago +1

    100% agree, stick to the old life cycle management / patch management method.

  • @hasselnutz 4 years ago

    Totally agree with this.
    Also it does not even stop with new features. I don't understand why they have to mess with functionality inside a major branch.
    For example jumping from 6.2.1 to 6.2.2 in interface admin access you previously had CAPWAP + FortiTelemetry which was substituted by single "Fabric". Not a big deal if you always configure equipment by hand but if it's done via automation, these small changes will bug the hell out of you. Also the same patch introduced forced cam. voi. etc. interfaces creation when you enable your switch controller. Again have to rewrite all ZTP-templates. 6.2.3 is introduced, ZTP breaks again because of interface admin access changes not applied to an interface what is operational during auto-link.
    Oh yes, did anyone notice that in 6.2.3 the "allow intra-zone traffic" button worked the wrong way around? In early 6.0.x -patches you could not change VLAN-tagging of multiple ports at the same time and initially they told that the fix would not be even in 6.0 -branch but luckily they came to their senses. These are just few examples which I remember (the details might not be right) but lately I've been a bit paranoid about applying software updates to any FortiProducts.

    • @FortinetGuru 4 years ago

      My complaint is moving from interface mapping to "normalized interfaces" on 6.4.1 Fortimanager. My zone "per device mappings" worked perfectly.

    • @hasselnutz 4 years ago

      I still haven't opened that can of worms. I'm already afraid what's ahead :(

  • @lucianocortes-alvarado6415 4 years ago +2

    I demand stability!!! It's a simple concept Fortinet

    • @FortinetGuru 4 years ago +1

      They will get there. Sometimes folks just need to vent and be heard for them to get folks informed on the perspective of others.

  • @andrewcullen3709 4 years ago +1

    As somebody that's NSE 1-7 certified I highly agree.... we only approve up to 6.0.9 currently as we can't afford the pain of bugs

    • @FortinetGuru 4 years ago +2

      I have just recently pushed some clients to 6.0.10. That was after some extensive testing on branches that were less of a concern. Hopefully, they return to their former glory (still buggy, but more manageable!)

    • @andrewcullen3709 4 years ago

      @@FortinetGuru at the same time I run 6.2.3 at home.... no sign of 6.4.x being pushed to my E series model yet.

    • @mkolus 4 years ago

      And the same day I wrote the other comment, I found myself doing "execute router restart" to have FortiGate take some static routes. I think I will soon get back to 6.0.x. :(

  • @Bill.Moller 4 years ago

    Got another one... 6.4.1 was released for FortiGates weeks before 6.4.1 was released for FortiManager, and 6.4.1 is a REQUIREMENT on FortiManagers for FortiGates managed by the FortiGate. It's almost as if two different companies shoot for the same release date, but then don't communicate with each other.

  • @nicolaasl 4 years ago

    I am sure I sat in a Fortinet product pitch where they promised that this is how they will do it from now on but yes we can only dream

  • @JoeyGarcia 4 years ago

    Hah! That's funny you mentioned your hair. I guess that means I don't need to start the GoFundMe page for Mike's haircut. Kidding! (kind of) Seriously though, yeah stability is very important. I usually upgrade when either 1) the current version has some serious security issues, or 2) the new version has some compelling features that might be beneficial to implement.

  • @qcnsllcqcnsupport7616 2 years ago

    I totally agree 👍🏼

  • @darkhsu 4 years ago +1

    Totally agree.

  • @harsha1908 4 years ago +2

    You be you Mike!

  • @dgilvani 4 years ago +2

    You have great hair. They are just jealous!! 😂🤣

  • @markinholiveira 4 years ago

    Could you make a video (or reply below) what do you think about and expect from 6.4 branch? I follow reddit and Fortinet forums and compared to 6.2 it seems much more stable. I'm thinking about skipping 6.2 and upgrade directly to 6.4 (I want the consolidated IPv6 policies).

    • @FortinetGuru 4 years ago

      6.4.x has been a win in my opinion with regards to the plethora of new features added and the relative stability. They did some things I'm not fond of, but I don't run the company and they certainly don't have to bend the knee to my every (or any for that matter) request. Overall, I'm happy with it. SD-WAN takes some giant leaps forward and some of the newer features are very interesting and fun. I did a video about the 10 features I am most excited about. The more I play with it the more I feel I could do a part 2 of that video. In good time, if they make it more stable, it will be the next platform I jump to. I am, for the most part, skipping 6.2.x code for my clients and recommending people that I do time and material consulting for (I don't directly manage full time) to skip it as well.

  • @loganbat1310 4 years ago +1

    Too new to know the issues of features you speak of, however it sounds like Forti OS is the router OS as to Windows 10 lately.
    I agree, test your product, do not push until stability is there. And for the love of anything, stop letting your end users be the testers of your product. If we are your testing team then we need to be compensated for it.

  • @srvmotoman 4 years ago

    Since losing my hair in 2005, I have refrained from ridiculing anyone's hair.

  • @willimmos2774 4 years ago

    I agree.

  • @hawkdad 3 years ago

    Features are great...when you expect them. We used to wait to upgrade to a new code version until .3-.4 or whenever they stabilized. Now it's a total crapshoot.
    We shouldn't have to pick between fixing 1 bug while introducing 2 more or just living with it as-is. Slow down your feature releases Fortinet and just fix what's out there.

  • @Mintydamo 4 years ago

    Fed up with being Beta testers each time we update and (even with limited skillset) having to second guess Fortinet support when they advise crazy stuff...after updating to 6.4.0 from 6.0.7 a bunch of rules "broke" as they changed from "Proxy" mode to "Flow" mode - Forti support suggested that uploading the 6.0.7 conf file would resolve the issue :-(
    Fortigate support saying that certain tasks are not supported (such as FW downgrade) and yet they provide detailed instructions on how to do it!
    Would really appreciate a video on the easiest way to 'move' a port (and corresponding ruleset) - we are about to update to a 10G internet pipe which means that the current port/connection will need to be moved (we don't use zones).

    • @FortinetGuru 4 years ago

      Sounds good Damian. Will get a video about that made ASAP.

  • @bearb319 4 years ago

    That's a bad idea if they did that. We have to stay within a code level and not add features mid-stream.

  • @profetaII 4 years ago

    u rock men! crazy fucking hair!

  • @utvsteve 4 years ago

    I understand and appreciate your views. However, if you look at PAN's .0 known issues, it far exceeds the .0 known issues that Fortinet offers. PAN introduces new features in .1 for example. I think companies have to address market demands and sometimes every vendor must release code that is not optimal. Look at Cisco iWAN on the ISR routers. I appreciate all views from all sides. That's all.

    • @FortinetGuru 4 years ago

      Valuable insight. This video isn’t specific to disliking .0 stability. I expect .0 to be flakey and desire the flakiness to stay there.

  • @Bill.Moller 4 years ago

    6.4.1 has been madness... FortiManager and FortiGates... SSL inspection broken?! Can't diff policies in FortiManager?! AKKK!!! Does Fortinet test anything? "don't upgrade until ?.?.4+ is available" is something I've heard from MANY different sources (I only updated to 6.4.1 because 6.2.3/6.2.4 was also a mess).
    So, to answer your question... I wish they would change from seemingly not testing... to TESTING!

  • @hennessy6996 4 years ago

    Fortinet took away free labs for the partners and I really hate that.

    • @FortinetGuru 4 years ago

      Yeah, I buy my lab licenses so I can keep on making videos and continue my education.

  • @oleksandrlytvyn532 3 years ago

    Agree

  • @boris5059 4 years ago

    great haircut btw...😁

  • @ichigoslayer84 2 years ago

    This was a funny intro :)

    • @FortinetGuru 2 years ago +1

      Stuff happens when I drink Tequila

  • @carloscaltman5614 4 years ago

    Agree, I don't understand the need to release untested software

    • @FortinetGuru 4 years ago

      I am sure they test it. Their labs just don't have the same level of config as production environments.

  • @RobbyPedrica 4 years ago

    I have to agree that 6.2 has been of unusually poor quality. I'm hearing that 6.2.5 should fix a lot of the major issues. Also, 6.4 is effectively a new platform/design and this is why it seems much better than 6.2 even from the outset.

  • @ebrlima 3 years ago

    Everyone that works with fortinet agrees.

  • @itsmatthijs 4 years ago

    And they have promised to do so many times. 5.2 had the same issues. 5.6 and 6.0 were better but 6.2 and 6.4 are bad. They have a history like this because 4.2 was also not good. Maybe 6.6 will be better again?

    • @FortinetGuru 4 years ago +1

      Maybe they will eventually get there.

    • @itsmatthijs 4 years ago

      @@FortinetGuru true but will they stay there? ;-)

  • @frankvanschijndel9080 4 years ago +1

    I think Trump and Fortinet have something in common, stability in the next level...please!

  • @noobahoi 1 year ago

    So, you don't care what your customers think? Interesting philosophy ...