Last Friday the first patch for FortiOS 7.4 was released.
No Security Fabric root for FG60E/F anymore
Interestingly, however, we found that this patch drops an existing feature: it seems that a device with only 2 GB RAM is no longer able to work as a Security Fabric root. This feature worked on such devices in 7.4.0, but after upgrading to 7.4.1 this configuration is lost – without further information! Please be aware of this – if your FG40F or FG60E/F is working as a Security Fabric root and you upgrade this device to 7.4.1, you will lose this configuration!
With 7.4.1 such a device can only be configured to work in standalone mode or as a Security Fabric leaf (“Join Existing Fabric”). If you try to configure a Security Fabric root in the CLI, you will get the following error:
2GB-RAM models cannot be a Security Fabric root. Please set the upstream. object set operator error, -39, roll back the setting. Command failed. Return code -39
Update Sept. 6, 2023 – The release notes have been updated and a special note has been added.
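A pre-upgrade check for the situation described above, as an added example (not from the original post or from Fortinet): it reads a configuration backup and reports whether an FG40F or FG60E/F is currently a Security Fabric root. It assumes the backup header names the model as FGT40F/FGT60E/FGT60F and that a root is a unit with the Fabric enabled and no upstream set in `config system csf`; the sample config is constructed.

```python
import re

# Assumption: backup headers spell the models the post names as FGT40F/FGT60E/FGT60F.
AFFECTED = ("FGT40F", "FGT60E", "FGT60F")

def model_of(config_text):
    """Model string from the '#config-version=' header of a config backup."""
    m = re.search(r"^#config-version=([A-Za-z0-9]+)-", config_text, re.M)
    return m.group(1) if m else None

def csf_settings(config_text):
    """Top-level 'set' values of the 'config system csf' block as a dict."""
    settings, depth, inside = {}, 0, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not inside:
            inside = line == "config system csf"
        elif line.startswith("config "):
            depth += 1              # nested table, e.g. trusted-list
        elif line == "end":
            if depth == 0:
                break               # end of the csf block itself
            depth -= 1
        elif depth == 0 and line.startswith("set "):
            _, key, *value = line.split(None, 2)
            settings[key] = value[0].strip('"') if value else ""
    return settings

def is_fabric_root(config_text):
    """Assumption: root = Fabric enabled and no upstream configured."""
    csf = csf_settings(config_text)
    upstream = csf.get("upstream") or csf.get("upstream-ip") or ""
    return csf.get("status") == "enable" and upstream in ("", "0.0.0.0")

def loses_root_on_upgrade(config_text):
    """True if this backup is a 2 GB model currently acting as Fabric root."""
    return model_of(config_text) in AFFECTED and is_fabric_root(config_text)

# Constructed sample backup (build number and names are placeholders).
SAMPLE_ROOT = """#config-version=FGT60F-7.4.0-FW-build0000-000000:opmode=0:vdom=0:user=admin
config system csf
    set status enable
    set group-name "fabric"
    config trusted-list
        edit "leaf-placeholder"
        next
    end
end
"""
SAMPLE_LEAF = SAMPLE_ROOT.replace('set group-name "fabric"', 'set upstream "192.0.2.1"')
```

Run `loses_root_on_upgrade()` over the text of each backup before scheduling the 7.4.1 upgrade; a `True` result means the root role has to be moved to another device first.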
New default settings
In the default settings of FOS 7.4.1, “Policy change summary” is enabled, and the “Policies expire by default” setting is enabled and configured to 30 days. You will find these settings in the WebUI under System > Settings.
With “Policy change summary” configured to “required”, the admin will be forced to add a summary when editing or creating a firewall policy. From a regulatory viewpoint this is a good idea.
Let’s have a look at the second default setting: by enabling the “Policies expire by default” setting, new firewall policies will expire automatically after the configured number of days. Fortunately this can be configured for every single firewall policy, but by default this is enabled!
Even though this sounds a bit dramatic – it is not! The workflow settings only become visible AND active when “Workflow Management” is enabled in “Feature Visibility” – and this setting is disabled by default.