As a network administrator managing FortiGate firewalls, I’ve encountered several critical but unannounced issues with FortiOS 7.4.7 on the FortiGate 121G model. These bugs, which Fortinet has not publicly acknowledged at the time of writing, have caused significant operational challenges in our environment. After extensive troubleshooting with Fortinet’s support team yielded no resolution, we’ve decided to downgrade to a more stable firmware version. Below, I outline the issues we faced, the troubleshooting steps taken, and our rationale for downgrading, in hopes of helping others who may be experiencing similar problems.
Issue 1: Proxy Chain with Upstream Proxies – Monitor Failure and FQDN Limitations
When configuring a proxy chain with two upstream proxies on FortiGate 121G running FortiOS 7.4.7, we encountered two significant issues:
- Monitor Cannot Be Enabled: The option to enable monitoring for the upstream proxies in the proxy chain configuration is non-functional. This prevents the FortiGate from actively checking the health of the upstream proxies, potentially leading to traffic disruptions if a proxy becomes unavailable.
- FQDN Not Supported, IP Required: When defining upstream proxies, using Fully Qualified Domain Names (FQDNs) causes intermittent internet access failures for some users. The only workaround is to specify the upstream proxy addresses using static IP addresses. This limitation is problematic in environments where proxy servers use dynamic DNS or load-balanced FQDNs, as it forces reliance on less flexible IP-based configurations.
These issues disrupt reliable internet access for users and complicate proxy chain management, especially in complex network setups.
Issue 2: Config Restoration Causes Slow Download Speeds for Proxy Traffic
Another critical issue arose when restoring a configuration backup from one FortiGate 121G to another firewall (including different models). After restoration, we observed significantly reduced download speeds, but only for traffic routed to a proxy server. This issue affected both:
- Direct access to the proxy server.
- Traffic passing through the FortiGate’s explicit proxy.
Interestingly, non-proxy traffic remained unaffected, maintaining normal performance. Fortinet’s support team advised multiple troubleshooting sessions and requested configuration exports, but no root cause or resolution was identified. The inconsistent performance post-config restoration suggests a potential bug in how FortiOS 7.4.7 handles proxy-related configurations or session management.
Issue 3: Troubleshooting on Loan Unit Introduces Additional Problems
To further investigate the slow download speed issue, we restored the configuration to a loan unit of the same FortiGate 121G model. Unfortunately, this process introduced new issues:
- CLI Inaccessible via Web GUI: After restoring the configuration, we could no longer access the Command Line Interface (CLI) through the web-based GUI, severely limiting our ability to perform advanced diagnostics.
- Packet Capture Failure: Attempts to run packet capture for troubleshooting failed with an error message indicating “interface not detected.” This issue prevented us from collecting critical diagnostic data to analyze the slow download speed problem.
These additional failures on the loan unit further eroded our confidence in FortiOS 7.4.7’s stability, as they suggest deeper issues with configuration handling or firmware compatibility.
Fortinet’s Response and Lack of Resolution
Throughout our engagement with Fortinet’s support team, we conducted multiple troubleshooting sessions and provided detailed configuration files as requested. Despite these efforts, Fortinet was unable to identify the root cause of any of the issues or provide a fix. The lack of progress, combined with the severity of the problems, left us with no choice but to consider alternative solutions to restore network reliability.
Finding
While researching these issues, I found discussions in online forums (such as Reddit’s r/fortinet) that suggest FortiOS 7.4.7 may have broader stability problems, particularly on smaller hardware models like the FortiGate 60F and 121G. For example, users have reported memory leaks, conserve mode triggers, and session drops after upgrading to 7.4.x, with some recommending sticking to FortiOS 7.2.x until 7.4 matures further []. While Fortinet labels 7.4 as “mature,” community feedback emphasizes that “mature” does not equate to “stable,” and caution is advised before upgrading production environments [].
Our Decision: Downgrade to a Stable Version
Given the unresolved bugs, their impact on our network’s performance, and the lack of a clear resolution from Fortinet, we’ve decided to downgrade our FortiGate 121G firewalls to a more stable firmware version, likely FortiOS 7.2.10. This version has been reported as reliable in our environment and by other users in the community []. Downgrading is not a decision we take lightly, as it involves additional effort and potential risks, but the severity of these issues leaves us with no viable alternative.
Based on our experience, I offer the following advice to fellow network administrators:
- Exercise Caution with FortiOS 7.4.7: If you’re running FortiGate 121G or similar models, thoroughly test 7.4.7 in a non-production environment before deploying it. Be particularly vigilant if you use proxy chains or rely on configuration restoration.
- Monitor Community Feedback: Platforms like Reddit and Fortinet’s community forums can provide early warnings about firmware issues not yet acknowledged by Fortinet.
- Engage Fortinet Support Early: If you encounter similar issues, open a support ticket immediately and provide detailed logs and configurations to expedite troubleshooting.
- Consider Downgrading: If stability is critical, reverting to a proven firmware version like 7.2.10 may be the safest option until Fortinet addresses these bugs.
- Backup Configurations: Always maintain clean, tested configuration backups before upgrading or restoring, as configuration issues can exacerbate firmware bugs.
Conclusion
The unannounced bugs in FortiOS 7.4.7 on the FortiGate 121G have caused significant disruptions in our network, from proxy chain misconfigurations to slow download speeds and troubleshooting failures. While Fortinet’s support team has been responsive, the lack of resolution underscores the risks of deploying newer firmware versions without extensive testing. By sharing our experience, I hope to raise awareness and encourage others to approach FortiOS 7.4.7 with caution. For now, we’re downgrading to a stable version to restore reliability, and we’ll closely monitor Fortinet’s release notes for fixes in future updates.