Special notices

FortiController 5.2.10 supports FortiOS 5.6.6 or later or 6.0.3 or later

Before you upgrade your FortiController firmware to 5.2.10, you must upgrade the FortiOS firmware running on the FortiGates in the SLBC cluster to FortiOS 5.6.6 or later or FortiOS 6.0.3 or later. Running older versions of FortiOS may cause IPsec VPN issues. FortiController 5.2.10 is not compatible with FortiOS 6.0.0, 6.0.1, or 6.0.2.

FortiController 5.2.10 trusted host limitation

FortiController 5.2.10 supports a maximum of 140 trusted hosts. The CLI allows you to create more than 140, but doing so can block management access over the special management ports to the FortiController and to the FortiGates in the secondary chassis of an FGCP HA configuration.
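As an added pre-upgrade check (example code, not Fortinet's own), the following Python script counts the set trusthostN entries in a FortiController configuration backup against the 140-entry limit and also flags administrators whose trusted host is 0.0.0.0 0.0.0.0, which matches any source. The configuration sample is constructed, and counting every trusthost line under config system admin as one trusted host is an assumption about how the limit is applied.

```python
import re

MAX_TRUSTED_HOSTS = 140  # FortiController 5.2.10 limit quoted in the notice above
# Constructed sample in FortiOS/FortiController CLI config syntax (not a real export).
SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set trusthost1 10.0.0.0 255.255.255.0
        set trusthost2 192.168.1.10 255.255.255.255
        set trusthost3 0.0.0.0 0.0.0.0
    next
    edit "noc"
        set trusthost1 10.1.0.0 255.255.0.0
        set ip6-trusthost1 2001:db8::/64
    next
end
"""

TRUSTHOST_RE = re.compile(r"^set (?:ip6-)?trusthost\d+\s+(\S+)(?:\s+(\S+))?$")

def count_trusted_hosts(config_text):
    """Return ({admin: count}, [admins with an unrestricted 0.0.0.0/0.0.0.0 entry]); a block stack limits counting to 'config system admin'."""
    stack, counts, unrestricted, admin = [], {}, [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            stack.append(line[len("config "):])
        elif line == "end":
            if stack and stack.pop() == "system admin":
                admin = None
        elif stack and stack[-1] == "system admin":
            if line.startswith("edit "):
                admin = line[5:].strip().strip('"')
                counts.setdefault(admin, 0)
            elif line == "next":
                admin = None
            elif admin is not None:
                m = TRUSTHOST_RE.match(line)
                if m:
                    counts[admin] += 1
                    if m.group(1) == "0.0.0.0" and m.group(2) == "0.0.0.0":
                        unrestricted.append(admin)  # matches any source address
    return counts, unrestricted

def check_limit(config_text, limit=MAX_TRUSTED_HOSTS):
    # Summarise the total against the limit for a pre-upgrade review.
    counts, unrestricted = count_trusted_hosts(config_text)
    total = sum(counts.values())
    return {"total": total, "over_limit": total > limit, "unrestricted_admins": sorted(set(unrestricted))}
```

Run it against a full-configuration backup taken before the upgrade; a result with over_limit set to True means trusted hosts must be trimmed before the 5.2.10 firmware is installed.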

FortiGates in an SLBC cluster can go out of sync after a FortiGuard update

When operating normally, FortiOS uses a collection of CAs (called a CA bundle) for various certificate-related functions. FortiOS normally gets the latest CA bundle from FortiGuard.

FOS firmware images come with their own CA bundle. Immediately after a firmware upgrade, all of the FortiGates in a Session-aware Load Balancing Cluster (SLBC) will have the CA bundle that comes with the firmware image. When the first automatic or manual FortiGuard update occurs, the primary FortiGate in the SLBC downloads the latest CA bundle from FortiGuard and synchronizes it to the other FortiGates in the cluster. Due to a known issue with FortiOS 5.6.7 and earlier, this synchronization step may fail, resulting in a synchronization problem with the cluster.

You can avoid this issue by using the following steps to upgrade the firmware of the FortiGates in an SLBC cluster, perform a FortiGuard update, and manually re-synchronize the configuration:

  1. Log in to the primary FortiGate and enter the following commands to disable graceful-upgrade.

    config system elbc
    set graceful-upgrade disable
    end

  2. Use the normal firmware upgrade procedure to upgrade the SLBC firmware.
  3. After all of the FortiGates have restarted and joined the cluster, log in to the primary FortiGate and use the diagnose sys confsync status command to verify that the primary FortiGate can communicate with all of the FortiGates in the cluster.
  4. Enter diagnose autoupdate versions | grep -A2 'Bundle' to check the CA bundle version on the primary FortiGate (for example, for FOS v5.6.7, the version should be 1.00012).
  5. Start a FortiGuard update on the primary FortiGate. For example, use the execute update-now command.
  6. Wait a few minutes, then enter diagnose autoupdate versions | grep -A2 'Bundle' to verify that a new CA bundle has been installed.
  7. Back up the configuration of the primary FortiGate.
  8. Restore the configuration of the primary FortiGate.
    The primary FortiGate synchronizes its configuration to all of the FortiGates in the cluster. After a few minutes, all of the FortiGates should restart and the cluster configuration should be synchronized.
  9. Use the diagnose sys confsync status command to verify that the cluster is synchronized.
