Potential FortiOS Upgrade Issues: Mac Address and Features Issues

HA virtual MAC address changes

HA virtual MAC addresses are created for each FortiGate interface based on that interface’s index number. Between FortiOS 4.3 and 5.0 interface indexing changed. After upgrading a cluster to FortiOS 5.0 the virtual MAC addresses assigned to individual FortiGate interfaces may be different. You can use the get hardware nic command to view the virtual MAC address of each FortiGate interface.

The practical consequences of this could be seen in a situation where, in a very security conscious environment, there is some blocking or allowing of traffic based on mac addresses. When the firewall’s mac address is not on the list of allowed addresses any traffic going through the firewall is likely to be problematic.

Features removed or changed

While not an issue that will potentially stop the FortiGate from working, this issue will sometimes make it worthwhile to keep a close eye on the performance of your FortiGate after an upgrade to ensure everything is still doing what it was before the upgrade.

Example: Logtraffic function
For instance, when upgrading from 4.3 to version 5, the logtraffic-start function is disabled by default.

In version 4.3, the extended-traffic-logoption in config log [memory|disk|fortianalyzer|syslog] filter controlled the session start logging. In version 5.0, this is controlled by logtraffic-start in the policy settings. If before the upgrade, the”extended-traffic-log” was enabled, the logtraffic-start in policy settings will be disabled. More often than not this is the default setting of after an upgrade.

While for some users the loss of this function may be inconsequential, to other users this function might be useful. This is another reason to read the Release Notes; checking to verify that features commonly used in your environment will be there after the upgrade.

Example: Disk Logging
In version 4.3, logging to the local disk was possible only if Disk Logging was enabled and by default, it was disabled. Enabling the feature could be done either through the GUI or the CLI. In 5.0, not only was the feature disabled by default, but enabling it could only be done through the CLI, and even then, a message would appear stating that Logging to the local disk could seriously impact performance and that it should not be done. Despite the warning, it was possible to override the disabling of the feature and turn it on. In version 5.2, for devices that had only a single hard drive, it is not possible to override the disabling of the feature. The feature is still part of the firmware and available through the CLI, just not to all models.

Example: config system autoupdate override
When upgrading to 5.0.12 the config systemautoupdate override function is removed. This feature was used to specify an alternate FDS server, usually a FortiManager, in the event that the FortiGuard Distribution Network(FDN) was unavailable.