Due to several known issues, we do not yet recommend FortiOS 6.2 in productive environments.
As with every software product, even the latest and greatest releases have some known glitches. That’s one of the reasons why you should review the release notes as part of the upgrade process.
But even after checking the know issues section, you might face a not-yet-documented issue. You’ll find some notable examples below.
FortiAPs won’t connect anymore (6.2.1, fixed in 6.2.2)
Some customers have reported, that their FortiAPs won’t connect anymore after upgrading to FortiOS 6.2.1. Fortinet has confirmed that this is a know issue only when using trusted hosts to restrict the administrative access to the FortiGate.
The official workaround is to add the FortiAP’s IP or subnet as an additional trusted host entry on one of the admin users:
config system admin edit "adminuser" set trusthostx 10.33.33.3 255.255.255.255 <-- IP Address of the FortiAP next end
RADIUS Server behind VPN-Tunnel not working (6.2.1, fixed in 6.2.2)
When using a RADIUS server behind an IPsec-tunnel, you most likely had to configure the source-ip in the radius configuration (normally to the internal address of the firewall). A bug in FortiOS 6.2.1 prevents this from working. As a workaround you’ll have to use an ip address owned by the outgoing interface.
config user radius edit "nps-server" set source-ip "192.168.101.99" <-- IP Address of the outgoing (IPsec)interface next end
Minimum Lenght of WPA2 PSKs (new since 6.2.1)
After upgrading to FortiOS 6.2 you might be unable to edit existing SSIDs because their PSK is too short. There’s a new command to overcome this restriction. After enabling, the minimum PSK length is eight characters again and you can edit the SSIDs using the CLI (6.2.1) or also the GUI (6.2.2).
config wireless-controller setting set wfa-compatibility enable end
Cannot change the account used for FortiCloud activation (since 6.2.3)
Starting with 6.2.3 you cannot change the account for the FortiCloud activation using the wizzard. This change is related to the FortinetOne SSO integration, but Fortinet has left a CLI options to change the account:
exec fortiguard-log login <email> <password>