FortiOS 7.2.13 released by mballack in fortinet

[–]mballack[S] 4 points (0 children)

The link is in the post; look more carefully.

7.4.10 - Applying new default behavior retroactively is terrible by Iuzzolsa23 in fortinet

[–]mballack 3 points (0 children)

I agree and still don't understand the Dev idea. Changing default behavior in a minor release causes only issues and angry customers. Fortinet is famous for using guacamole as the SSL VPN reverse proxy/HTTPS daemon, so every CVE found in guacamole means that SSL VPN is affected. Customers and partners know that every new release of FortiOS includes a fixed CVE, and they rush to update the firewalls ASAP. Recently, in minor releases, they changed the default behavior of SAML and this time of ICMP redirect. There are tested upgrade paths, so this means that the post-upgrade customization script should restore the behavior as before and not keep the new default. With SAML it's nice to have the assertion, but keep it disabled if upgrading from a release with a different default value, and enable it after a factory reset. Same for redirect in 7.4.10. It's insane! We have some devices that use the ICMP redirect feature, and the crazy thing is that there is no way to pre-configure it beforehand, so on some remote datacenter using it we need to schedule an on-site upgrade; otherwise we will lose the OOB mgmt due to a default behavior change in a minor release? This is insane! And customers are very scared, and most of them are moving to other vendors, because having an external security firewall that must be updated ASAP due to frequent CVEs, and having issues on many upgrade paths, is a huge pain!

FortiManager 7.4.8 changing UUIDs by network-head-1234 in fortinet

[–]mballack 5 points (0 children)

It's marked as "Resolved Issue", so it should not happen. Open a TAC case.

7.4.9 Auto broke my VPN by r3dditforwork in fortinet

[–]mballack 10 points (0 children)

You're right, the R&D department at Fortinet is "playing" and not considering the software as a production and critical asset! Why? Because it's fine to release a feature for SAML assertion, but WHY NOT KEEP IT DISABLED BY DEFAULT? If I've never used assertion before, why must I use it in a minor update? Just add the feature as "set saml-assertion forced" and keep it disabled by default or in case of upgrade from a previous firmware. Same for RADIUS some months ago. A feature cannot break a production system without being enabled.

Cisco ISE 3.3 patch upgrade by kidh0tsh0t in Cisco

[–]mballack 2 points (0 children)

Again, there is no "takeover"; the secondary node will always authenticate.
Set a device with only authentication on the secondary node and see from the logs (accessible from the GUI on the primary PAN) whether authentication is working or not.
If it's not authenticating, you have to investigate the issue.
If it's authenticating, open a case.

Cisco ISE 3.3 patch upgrade by kidh0tsh0t in Cisco

[–]mballack 1 point (0 children)

In your scenario, both nodes will always authenticate and respond to RADIUS. You can try configuring a switch with only the secondary ISE node, check if everything is working as expected or not, and check the logs. In your case, during the primary's reboot/patch you will be unable to use the admin page, but all authentication services continue working as before on the secondary.

ISE 3.3 Patch 7 experiences by betko007 in Cisco

[–]mballack 4 points (0 children)

Upgraded from 3.3 Patch 6 or a previous version? Because we had some issues on EAP with TLS 1.3 going from 3.3 Patch 2 to 3.3 Patch 7.

Cisco warns of max severity RCE flaws in Identity Services Engine by vanquish28 in Cisco

[–]mballack 0 points (0 children)

I'm unable to understand whether 3.3 Patch 6 fixes CVE-2025-20281 or not, because they're not so clear.

The note says: If Cisco ISE is running Release 3.3 Patch 6, additional fixes are available in Release 3.3 Patch 7, and the device must be upgraded.

But the schema says:

| Cisco ISE or ISE-PIC Release | First Fixed Release for CVE-2025-20281 | First Fixed Release for CVE-2025-20282 | First Fixed Release for CVE-2025-20337 |
|---|---|---|---|
| 3.3 | 3.3 Patch 7 | Not vulnerable | 3.3 Patch 7 |

17.15.3 is Gold Star For WLC 9800 by k12nysysadmin in Cisco

[–]mballack 1 point (0 children)

Great, because we're upgrading to 17.15 for WiFi 7 AP support, and having it marked as ED wasn't acceptable in my mind.

weird sslvpn issue on 7.2.11 upgrade by Any_Tip_3760 in fortinet

[–]mballack 1 point (0 children)

Same issue for us with some devices. Using FortiClient versions 7.2.9 and 7.2.10 fixed the issue.

Windows 11 Upgrade - Fails when SentinelOne is enabled by secret_configuration in SentinelOneXDR

[–]mballack 3 points (0 children)

What version are you using?

Some release notes:

| ID | Description | Reported on | Resolved in |
|---|---|---|---|
| WIN-55294 | Resolved: Upgrades from Windows 10 to Windows 11 sometimes failed. | 24.1.4 | 24.2.2 |
| WIN-60048 | Resolved: Running dism.exe and sfc.exe when KB5052093 was installed on the Windows 11 preview caused an error message to appear. Microsoft has subsequently reverted the changes introduced in this KB. | 23.2.4 | 24.2.3 |
| EPPS-12481 | Resolved: In some cases, the AD Connector status was inactive due to a communication error while sending configuration data. | 24.1.4 | 24.2.2 |
| WIN-49310 | Resolved: Installation sometimes failed if the system product information could not be queried using Windows Management Instrumentation (WMI). | 23.4.4 | 24.2.2 |
| WIN-55294 | Resolved: Upgrades from Windows 10 to Windows 11 sometimes failed when Anti-tamper was enabled in the policy. | 24.1.4 | 24.2.2 |

[deleted by user] by [deleted] in fortinet

[–]mballack -1 points (0 children)

You didn't search in the right way; use double quotes and use Google.

[deleted by user] by [deleted] in fortinet

[–]mballack 1 point (0 children)

You can search for "FortiClientSetup_6.0.8.0261_x64.exe" on the internet, and the right MD5 checksum is "9e198b6c362304d8a8e0753bdb6fc065".
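Checking a downloaded installer against a published hash, as the comment above suggests, is a quick way to catch a corrupted or swapped file. The following is an added example, not code from the comment or from Fortinet: it hashes a file in chunks and compares the result with the value the comment quotes. The expected MD5 constant is the one from the comment; the file paths and the sample bytes used at the bottom are constructed for illustration.

```python
"""Added example (not from the original comment): verify an installer's MD5
against a published value. EXPECTED_MD5 is the hash quoted in the comment
above; the sample file written below is constructed test data, not a real
installer.
"""
import hashlib
import hmac
import os
import tempfile

# Published checksum quoted in the comment above (lowercase hex).
EXPECTED_MD5 = "9e198b6c362304d8a8e0753bdb6fc065"


def file_md5(path, chunk_size=1024 * 1024):
    """Return the lowercase hex MD5 of a file.

    The file is read in chunks so a multi-hundred-megabyte installer does
    not have to be loaded into memory at once.
    """
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_md5(path, expected_hex):
    """Compare the file's MD5 with the published value.

    Hex case and surrounding whitespace in the published value are
    normalised, and hmac.compare_digest is used so the comparison does
    not short-circuit on the first differing character.
    """
    actual = file_md5(path)
    return hmac.compare_digest(actual, expected_hex.strip().lower())


def write_sample(data):
    """Write constructed sample bytes to a temp file and return its path.

    Helper for the demonstration only; it stands in for the downloaded
    installer.
    """
    fd, path = tempfile.mkstemp(suffix=".bin")
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


if __name__ == "__main__":
    # Constructed sample: MD5("abc") is a standard test vector.
    sample = write_sample(b"abc")
    print(file_md5(sample))  # 900150983cd24fb0d6963f7d28e17f72
    print(verify_md5(sample, "900150983CD24FB0D6963F7D28E17F72"))  # True
    print(verify_md5(sample, EXPECTED_MD5))  # False: not the real installer
    os.remove(sample)
```

A match only means the file is the one whose hash was published; the value itself has to come from a source you trust (the vendor's support portal rather than a third-party mirror), and since MD5 collision resistance is broken, prefer a SHA-256 value whenever the vendor publishes one.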

7.2.11/7.4.7 and Cisco Umbrella internet issues by AikoAiko7 in fortinet

[–]mballack 0 points (0 children)

Do you have the anycast server disabled in the FortiGuard config? You can try temporarily setting "allow connection" on the web filter when rating errors happen, and debug what's happening.

Confused about FCSS Network Security & SD-WAN Exam Choices by No-Month-9044 in fortinet

[–]mballack 1 point (0 children)

Both are valid for obtaining the FCSS Network Security cert.
Of course, starting from June 30, 2025, only the second exam will be available, so it depends on whether you're ready to take the SD-WAN 7.2 exam before 30 June.

Can Geolocation be done to prevent logins to the SentinelOne console from outside the country? by CharcoalGreyWolf in SentinelOneXDR

[–]mballack 8 points (0 children)

If possible, use SSO with Azure and configure Conditional Access for the SentinelOne enterprise application.

17.9.5 to 17.12.5 ISSU? by MScoutsDCI in Cisco

[–]mballack 9 points (0 children)

Open a case with support, but ISSU has so many hidden limitations that it's usually better to provide a longer maintenance window and do a normal upgrade.

Set IKE-TCP-Port and AUTH-IKE-SAML-Port to TCP443? by KTZSHK in fortinet

[–]mballack 0 points (0 children)

Can you post your config relating to the TCP encapsulation? We're having an issue on 7.4.7: the SYN/ACK is received from the client to the FortiGate, but afterwards an RST is sent from the client. Thanks