FortiOS 6.2: Upgrade Notes

Due to several known issues, we did not recommend the use of FortiOS 6.2 in production environments for the first couple of months.

As of FortiOS 6.2.5, we noticed that most of the issues have been resolved. Please have a look at our FortiOS upgrade guide for the upgrade procedure.

As with every software product, even the latest and greatest releases have some known glitches. That’s one of the reasons why you should review the release notes as part of the upgrade process.

But even after checking the known issues section, you might face a not-yet-documented issue. You’ll find some notable examples below.

Hardware Support

Not all models are compatible with FortiOS 6.2. Please consult the Product Life Cycle for more information.

FortiAPs won’t connect anymore (6.2.1, fixed in 6.2.2)

Some customers have reported that their FortiAPs won’t connect anymore after upgrading to FortiOS 6.2.1. Fortinet has confirmed that this is a known issue that occurs only when trusted hosts are used to restrict administrative access to the FortiGate.

The official workaround is to add the FortiAP’s IP or subnet as an additional trusted host entry on one of the admin users:

config system admin
  edit "adminuser"
    set trusthostx 10.33.33.3 255.255.255.255 <-- IP Address of the FortiAP
  next
end
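
To find out before the upgrade which FortiAPs would need such an entry, the admin section of a configuration backup can be checked offline. The following is an added example, not part of the original post and not Fortinet code. The sample configuration, the function names and the rule that an admin without trusthost lines counts as unrestricted are assumptions:

```python
import ipaddress
import re

TRUSTHOST = re.compile(r"set trusthost\d+ (\S+) (\S+)")

# Constructed sample of a "config system admin" section (not from a real device).
SAMPLE_CONFIG = """\
config system admin
    edit "adminuser"
        set trusthost1 10.10.10.0 255.255.255.0
        set trusthost2 10.33.33.3 255.255.255.255
    next
    edit "backup"
        set trusthost1 192.168.1.50 255.255.255.255
    next
end
"""

def admin_trusted_hosts(config_text):
    """Map each admin name to the IPv4 networks in its trusthostN entries."""
    admins, current, depth = {}, None, 0
    for raw in config_text.splitlines():
        line = raw.strip()
        if depth == 0:
            if line == "config system admin":
                depth = 1
        elif line.startswith("config "):
            depth += 1          # nested table inside an admin entry
        elif line == "end":
            depth -= 1
        elif depth == 1 and line.startswith("edit "):
            current = line[5:].strip('"')
            admins[current] = []
        elif depth == 1 and current and (m := TRUSTHOST.match(line)):
            admins[current].append(
                ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False))
    return admins

def uncovered_aps(config_text, ap_ips):
    """Return the FortiAP IPs that no admin's trusted hosts cover."""
    admins = admin_trusted_hosts(config_text)
    # Assumption: an admin without trusthost lines is unrestricted, so
    # trusted hosts are not restricting access and the issue does not apply.
    if not admins or any(not nets for nets in admins.values()):
        return []
    allowed = [n for nets in admins.values() for n in nets]
    return [ip for ip in ap_ips
            if not any(ipaddress.ip_address(ip) in n for n in allowed)]

if __name__ == "__main__":
    print(uncovered_aps(SAMPLE_CONFIG, ["10.33.33.3", "10.33.33.4", "10.10.10.20"]))
```

Only IPv4 trusthost entries are evaluated. Every address the function returns needs its own trusted host entry, or a subnet entry that contains it.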

RADIUS Server behind VPN-Tunnel not working (6.2.1, fixed in 6.2.2)

When using a RADIUS server behind an IPsec tunnel, you most likely had to configure the source-ip in the RADIUS configuration (normally to the internal address of the firewall). A bug in FortiOS 6.2.1 prevents this from working. As a workaround, you’ll have to use an IP address owned by the outgoing interface.

config user radius
  edit "nps-server"
    set source-ip "192.168.101.99" <-- IP Address of the outgoing (IPsec) interface
  next
end

Minimum Length of WPA2 PSKs (new since 6.2.1)

After upgrading to FortiOS 6.2 you might be unable to edit existing SSIDs because their PSK is too short. There’s a new command to overcome this restriction. After enabling it, the minimum PSK length is eight characters again and you can edit the SSIDs using the CLI (6.2.1) or also the GUI (6.2.2).

config wireless-controller setting
  set wfa-compatibility enable
end

Cannot change the account used for FortiCloud activation (since 6.2.3)

Starting with 6.2.3, you cannot change the account for the FortiCloud activation using the wizard. This change is related to the FortinetOne SSO integration, but Fortinet has left a CLI option to change the account:

exec fortiguard-log login <email> <password>

Unexpected termination of RDP sessions (since 6.2.3)

You might experience RDP session interruptions after upgrading to FortiOS 6.2.3. In a flow trace you will find some “no session match” messages. For more information about this bug, consult the release notes (page 12).
