FortiOS Upgrading Issues Specific to 5.6.x and 5.4.x

Upgrade issues specific to 5.6.x

Use of Port 4433

This issue usually occurs when the Admin access port for HTTPS access is changed due to an SSL-VPN using 443.

The new FTM-push feature in 5.6.0 uses port 4433 by default. If a SysAdmin has changed the HTTP or HTTPS access port to 4433 before the upgrade and FTM is enabled on the interface, once the upgrade has been completed, FTM is now using this feature and the SysAdmin can be prevented from accessing the administrative features of the FortiGate through the GUI.

1. The CLI doesn’t give any warnings regarding this issue.
2. Removing FTM from the allowaccess setting does not get back the GUI access.
3. If this issue is encountered, temporarily reset the admin ports back to their default settings to regain GUI access.

IPsec

There is an issue with IPsec tunnels when upgrading from 5.4.5 to 5.6.0, but only between these two versions. Going from 5.4.4 to 5.6.0 doesn’t present an issue. If you do upgrade between these two versions any Phase 1 psksecrets will have to be reset.

Upgrade issues specific to 5.4.x

Wildcard FQDNs

FortiOS 5.2 allowed configurations to use wildcard FQDN objects in the firewall policies.  This functionality was removed starting in 5.4. If a user has a firewall running FOS 5.2 with firewall rules configured to use wildcard FQNDs, when the customer upgrades the firewall to FOS 5.4.x or later, the firewall rules using wildcard FQDNs will be deleted.  This can cause unexpected traffic to pass or be blocked.