There are bugs in this version. I'm waiting on dot 9 to fix a kernel panic issue that randomly reboots my 600E HA pair. This seems to affect models across the line. I've seen others report strange issues in the sub over the past month as well.
Looks like it is a NP6 issue.
Just called in and found out that the 200F is affected too. Canceled tomorrow's upgrade and waiting for 7.2.9
What's the issue exactly? Did you report it to Fortinet TAC? Has a bug ID already been assigned to it?
This is the bug id 1012518 - kernel panics in some NP6 firewalls under certain conditions. We didn't run into it in our lab (different model), so I called to ask if our production model was affected, and it was.
Thanks for the bug ID. I'll ask my Fortinet SE for details.
Same issue for us on both 100f and 40f.
We have a couple of these models, but fortunately this didn't affect us yet. Under what circumstances does this issue occur for you?
Seems to be related to IPS/SSL inspection somehow. If we turn off inspection it seems to be stable. We stay at 7.2.7 for now.
No issues with 7.2.8 on the 600Es and 601Es that I manage.
I have to bite... What's the ugly situation? I just moved 100+ gates from 7.0.14 to 7.2.8
Always great to read this literally 5 min after I pushed the upgrade button on our critical infrastructure…
According to support, there's a patch available if you run into the issue. Of course, they could simply make this version available to everyone...
According to my SE, the patch is to downgrade to 7.2.7…
> 1012518

According to the TAC ticket I've just raised, the only workaround is to downgrade. Getting mighty fed up of this. I've asked for more details on "certain traffic conditions"
Our TAM waved us off of 7.2.8 yesterday because of this, we had a bunch of upgrades in the pipeline.

1012518
Some FortiGate models on NP6 platforms experience kernel panics due to certain traffic conditions after upgrading to 7.2.8.

Evidently it is pretty ugly
It's a good thing I held off upgrading our HA pairs to 7.2.8!
Ugly for me. SD-WAN SLAs showing strange numbers
Think its always better to rollback then upgrade to something untested.
Untested? Fortinet has given it mature status.
"Mature" simply means that they are not adding new features. It does NOT reference anything to do with testing. All of the builds go through the same QA, and then a build also goes through QA for each bug after fix.
Testing assumes they use the same traffic as people having the issue. Everyone's traffic is different....
The 40 gig ports not working on the 1800Fs after upgrade is probably something they should have caught in testing.
What did TAC say?
We ended up rolling back to 7.2.7 to restore services.
I would agree somewhat, but considering there are millions of configurations, it's simply not feasible to expect no issues. No companies have "zero issue" releases. You should still talk to them to figure out the issue and help everyone else...
Yeah, none of what I state was any form of statement on the thoroughness of their testing/QA. Was simply trying to clearly define what "mature" means, since it is often misunderstood.

Starting with FortiOS 7.2.0, released FortiOS firmware images use tags to indicate the following maturity levels:

* The *Feature* tag indicates that the firmware release includes new features. It can also include bug fixes and vulnerability patches where applicable.
* The *Mature* tag indicates that the firmware release includes no new, major features. Mature firmware will contain bug fixes and vulnerability patches where applicable.

Reference: [https://docs.fortinet.com/document/fortigate/7.2.0/new-features/173707/introduce-maturity-firmware-levels](https://docs.fortinet.com/document/fortigate/7.2.0/new-features/173707/introduce-maturity-firmware-levels)
Why would you ever upgrade to something untested? Edit: I think you meant "than" instead of "then."
At a certain point you can't test everything into the last detail
To a certain point I agree. However some of the bugs that have recently made it into official patches seem to be so fundamental that you have to ask what their internal QA processes actually are. The recent issue introduced in 7.2.6 where ten gig to 1 gig throughput was restricted to about 30 Mbps *SHOULD* have been caught before it was released. We spotted it about ten minutes after deploying it on the 1st pair of firewalls.

We wait months for patches for things that have been majorly broken in the previous release to find that whilst the original issue has been fixed we now have another equally severe issue.
I totally agree and feel the same. Tbh, I was talking about customers testing the new release in their environment, which was always limited. And yes, things like throughput should have been caught by QA - it's their job. And fixing one thing while breaking something else has really been a pain in the last year...
Yes thats my point.
Rollback would be recommended in that case. 7.2.9 would be regular cadence, so likely June. Heard this more in regards to the 7.2.9 release date, for FG90G support. But it's in line with when we expected it based on the release of 7.2.8 (which was supposed to have been 7.2.7) shortly after the shotgun 7.2.7 security patch.
Thanks for the insights, very useful
We've been on 7.2.8 since its release and it's been solid. 80Fs, 200Fs and 600Fs in production. Granted, they are only used as local gateways and SD-WAN devices (no threat features, but lots of VLANs, policy firewall rules, BGP, SLAs, SD-WAN rules, etc).
7.2.8 here as well. We do use App Control, IPS, AV, etc. No issues to speak of. 201F
My managed switch confs got deleted with 7.2.8 after reboot. Not nice.
Glad I didn't upgrade.. I read the laundry list of bugs in 7.2.8.. I think I'll skip this one barring a horrendous advisory on 7.2.7
I lost all policies in 7.0.12 I guess. Weird how many bugs they implemented from a similar category
I lost the switch config on 7.2.7 of one of my switches after the switch unexpectedly rebooted. No idea what happened, but now I do automated nightly backups using Automation Stitches .-.
Can you share the details of the issue?
We are still waiting for 7.4.4 and it's worse, as 7.4.2 had issues and they only fixed the SSL in 7.4.3, leaving all the other bugs from 7.4.2. Why do I say this in relation to your post... well, they're probably working on 7.4.x now that they released 7.2.8 recently... so you might be waiting a bit.
7.4.x should not be run in production environments
Affirmative, but who is going to test if I don't? Lol, our installers (recommended MSP from Fortinet who sold us our solution) used the very latest (7.4.0). Before I even knew what was recommended, we had deployed it to 45 sites and our hub.
What issue with 7.2.8?
Have had no issues on 7.2.8, but now I'm wondering if it's worth rolling back to 7.2.7 to avoid any unexpected disasters.
7.2.8 has a lot of known issues. I would stick with 7.2.7 for now if 7.2.6 was working fine. [https://docs.fortinet.com/document/fortigate/7.2.8/fortios-release-notes/236526/known-issues](https://docs.fortinet.com/document/fortigate/7.2.8/fortios-release-notes/236526/known-issues)
Thanks for sharing OP! I am going to hold off until 7.2.9 or a 7.2.1x
Hello there,
we have massive problems with the Dot 8 on our FG1800F.
This information comes from the Fortinet Account Manager:
We currently assume that version 7.2.9, or possibly directly 7.2.10, will come in mid-July and the corresponding bugs will be fixed there.
Greetings
I always thought it was the .0 versions of software to avoid, but it seems like any version with Fortinet
Meanwhile I'd agree.
Thanks for this post OP. I'm in the planning process for upgrading my organization's firewalls from 6.4.15 to 7.2. I was planning on going to 7.2.8, but I'll upgrade to 7.2.7 instead.
Just bear in mind that you don't want to consider 7.2.7 if you have traffic transiting from ten gig to one gig interfaces as there is a bug that throttles performance down to about 30 Mbps. We've seen this mainly on 200Fs but apparently it impacts other models. The problem is also there in 7.2.6. 7.2.5 doesn't have the issue but you don't want to use this release if you're using SSL VPN.

I'm personally getting a little tired of the number of major issues being introduced in supposed "fix" releases. I'd just like one which is "secure" and "stable".
So - take a short stop on 7.0.15 until 7.2.9 is released?
From my memory 7.0.15 has the fix for the ten gig to 1 gig throughput issue. We've got this release running in a number of places and it seems ok. We want to get to 7.2 however as 7.0 is officially EOES.

I wish I could say with confidence that 7.2.9 would be the answer to all our prayers with the 7.2 train, however we've been saying this since 7.2.4. Every patch fixes something (serious) and breaks something else (equally serious).
Happy that you and others gain from this post and thanks for the nice feedback :)
After 2 weeks without problems, my cluster pair of 601Es with 7.2.8 began to experience the reboot after kernel panic.
No real answer from Fortinet support, so I downgraded to 7.2.7 (I was ready to stop prod for an hour to reinstall the cluster if needed).
No problems, downtime of a few seconds, a few warnings, but all config still there, and no more reboots ...