The answer: the one which is most suitable for your use case.
Our answer could be summarized as simply as that. There is no version that we can always recommend. In addition, the FortiOS software is subject to constant further development. Therefore, we have gathered some facts that we consider important when selecting the appropriate FortiOS version. Whether it is a simple upgrade or a new installation, those decisions must be made.
Side note: Fortinet now maintains a list with the recommended release for each hardware platform. This list can be found in this KB article.
Decision 1: Which version do I want to use?
This question has to be answered individually, because many factors influence it. The following points are often decisive:
- Do I want to use a new version or an already established version?
  - Older versions usually have many bugs patched and therefore run very stable.
  - New versions usually have more improvements and features implemented, but these can sometimes bring new limitations.
- Does a new version have new features that were not available before?
- Which version do I already have in use on other systems?
- Which version can I manage confidently and handle my everyday tasks with the least effort?
Decision 2: What FortiGate hardware is in use? Is the desired version an NPI build?
For completely new hardware series, it is possible that not all FortiOS versions are available, or that certain versions are still offered only as NPI builds. NPI builds are “New Product Integration” releases that are built specifically for the new hardware. They are also called “special build” releases. These releases usually contain new drivers or other components for the new hardware that have not yet been integrated into the main branch. These builds are not equally stable and are not produced for every FortiOS version. NPI builds can be recognized by the build number, which differs from the standard build number of the respective release.
Decision 3: Is it a brand new software version?
The first four releases of a new FortiOS version are so-called “New Feature Releases”. New features are implemented in these releases, so they are less extensively tested than older versions, and the configuration may change during the upgrade. Examples of New Feature Releases: versions 7.0.0, 7.0.1, 7.0.2 and 7.0.3. For this reason, we recommend these only to a limited extent for production environments.
Depending on the state of development, caution is still required for later versions. To check this more precisely for your use case, we move on to decision number 4.
Starting with FortiOS 7.2, all releases are classified into Feature and Mature releases. A release that contains new features also brings with it a greater chance of new bugs. Therefore, these releases are less suitable for use on production systems. Mature releases, on the other hand, contain more bug fixes and rather fewer new features and are therefore also to be regarded as more stable. The classification of whether a release is a feature or a mature release is made by Fortinet.
When you download a FortiOS firmware image, the maturity level is marked in the firmware filename right after the FortiOS version. As example:
Decision 4: Do the release notes agree with me?
Once you have found a desired release, be sure to check the release notes and read them carefully. A feature that is mandatory for you may be affected by a bug, in which case this version is not recommended. The release notes also contain information about changes that may affect the behavior of the firewall (sections: Changes in CLI, Changes in GUI behavior, Changes in default behavior, and Changes in table size).
Decision 5: What are the support terms of the desired version?
Older software versions are no longer patched or supported after a certain period of time. The exact dates, such as the “End of Engineering” date (no further development) or the “End of Support” date (no more support), can be found in Fortinet’s product lifecycle information. This KB article describes how to query the product lifecycle information.
Decision 6: The upgrade path must be followed
If it is an update, the upgrade path from the old to the new version must support a direct update. Otherwise, one or more intermediate steps must be taken. The correct upgrade path can be queried on this page.