FortiOS 7.6.5: What you should know about the new mature release

Fortinet has officially transitioned FortiOS 7.6 into the “Mature” phase with the release of FortiOS 7.6.5. For many administrators, this is the green light to begin upgrading production environments. However, this release isn’t just about bug fixes: it introduces several mandatory enforcement measures designed to harden security.

If you are planning an upgrade, there are some major changes you need to prepare for.

    Mandatory FortiCare Registration

    In previous versions, registering your device was highly recommended but could be bypassed or delayed during the initial setup. With FortiOS 7.2.11, 7.4.8, 7.6.5 and 8.0.0, FortiCare registration is now enforced on all FortiGate G series models.

    Impact: You will be prompted to register the device during the setup wizard or upon the first login after upgrading. If you log in via console access, you will see the following message: “The device is not registered with Forticare. Any configuration change is not allowed.”

    Workaround: FortiCare registration enforcement can be disabled from the BIOS using the following procedure:

    1. Connect to the device via console access.
    2. Reboot the device.
    3. When the message “Please wait for OS to boot, or press any key to display configuration menu.” appears, press any key.
    4. In the configuration menu, press “I” to access “System Information”.
    5. Press “C” to access “Set FortiCare registration”.
    6. Press “1” to select “Not Enforce”.
    7. Press “Q” to quit the current menu.
    8. Press “Q” again to quit and continue the boot process.

    Resources:
    Technical Tip: Enforcing FortiCare Registration
    Release Notes (Bug ID: 1112727)

    Deprecation of Diffie-Hellman (DH) Group 5

    Security standards are constantly evolving, and older cryptographic methods eventually become liabilities. In FortiOS 7.6.5, DH Group 5 is no longer supported. Additionally, the default DH groups for Phase 1 and Phase 2 have shifted from 5 and 14 to 20 and 21.

    Impact: VPNs configured with the default DH groups 5 and 14 before the upgrade will be automatically updated to DH groups 14, 20 and 21 after the upgrade.

    Action Required: Before upgrading, audit your IPsec VPN tunnels. If any of your Phase 1 or Phase 2 configurations still rely on DH Group 5, you must migrate them to more secure groups. Failing to do so will result in tunnel failures after the upgrade.
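
One way to run the audit described above against a saved configuration backup, as an added example that is not from Fortinet or the original post: it lists every Phase 1 and Phase 2 entry whose DH groups include 5. It assumes that an entry with no `set dhgrp` line is still on the old default groups (5 and 14), because backups normally omit settings left at their default; the function name and the sample configuration are constructed for illustration.

```python
TABLES = {f"config vpn ipsec {t}" for t in
          ("phase1-interface", "phase1", "phase2-interface", "phase2")}
OLD_DEFAULT = ["14", "5"]  # pre-upgrade default groups named in the article

def audit_dh_groups(config_text):
    """Return (table, entry, groups, explicit) for each entry using DH group 5."""
    findings, depth = [], 0      # depth = nesting of config ... end blocks
    table = table_depth = entry = groups = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            depth += 1
            if table is None and line in TABLES:
                table, table_depth = line.split()[-1], depth
        elif line == "end":
            table = None if depth == table_depth else table
            depth -= 1
        elif table and depth == table_depth:   # ignore nested sub-tables
            if line.startswith("edit "):
                entry, groups = line[5:].strip().strip('"'), None
            elif line.startswith("set dhgrp "):
                groups = line.split()[2:]
            elif line == "next" and entry:
                effective = groups or OLD_DEFAULT  # assumption: unset = old default
                if "5" in effective:   # list membership, so group 15 is no match
                    findings.append((table, entry, effective, groups is not None))
                entry = None
    return findings

SAMPLE = """\
config vpn ipsec phase1-interface
    edit "branch-a"
        set dhgrp 14 5
    next
    edit "branch-b"
        set dhgrp 20
    next
    edit "legacy"
        set remote-gw 192.0.2.30
    next
end
config vpn ipsec phase2-interface
    edit "branch-a-p2"
        set dhgrp 5
    next
end
"""  # constructed sample, not taken from a real device

if __name__ == "__main__":
    print(*audit_dh_groups(SAMPLE), sep="\n")
```

The last field of each finding is False when the entry relies on the implicit default, which is the case a plain text search for "dhgrp 5" would miss.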

    Resources:
    Release Notes (Bug ID: 1107163)

    Enforced Password Policy

    After upgrading to FortiOS 7.6.5 or later, a password policy will be enforced and you must meet these requirements before you can log in to FortiOS.

    The new requirements are:

    • 1 uppercase letter
    • 1 lowercase letter
    • 1 special character
    • 1 number (0-9)
    • Minimum length of 12 characters

    Impact: You must change your password before you can log in to the GUI or CLI if your current credentials do not meet the requirements.

    Resources:
    Password policy enforcement Release Notes
