I have been running 7.0 on one of my lab units since the beta, but was strictly focused on the FortiOS feature set. With GA happening last Tuesday, I decided to expand what I had, though I didn't go full 7.0 - my main FortiGate is still on 6.4.5.
I noticed that my WiFi didn't come back after the upgrade, and when I logged into the FortiGate I noticed my APs were down. Then I remembered something in the release notes.
FortiOS 7.0.0 has reinforced strong cryptographic ciphers. As a result, legacy FortiAP models using weak ciphers are blocked from connecting with FortiGates running FortiOS 7.0.0.
To work around this issue, enter the following in FortiOS:
config system global
    set ssl-static-key-ciphers enable
    set strong-crypto disable
end
One more thing I'd like to add is that the minimum FortiAP code version for "strong-crypto enable" will be FortiAP version 7.0; I found this out after contacting my Fortinet Switch and Wireless Team SE. So you probably want to do this right after upgrade and then reboot your APs.
While easily referenced, I have seen a lot of other folks asking about this lately, so I wanted to include this on the site. Also, please follow these simple rules when upgrading:
Look up the upgrade path
Read the release notes for each step of the upgrade path
Make backups of your configuration during each step of the upgrade path. If you have FortiManager you can skip this step if you have a proper revision for each step
Read the release notes for each step in the upgrade path
You'll notice I put "Read the release notes for each step in the upgrade path" twice; this is important, as device behavior changes from version to version (see 6.2.2 -> 6.2.3 with CAPWAP vs Security Fabric Connection). If you don't read the release notes, you're upgrading blindly, and that could be a can of worms you really don't want to deal with.
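Since each upgrade step should leave a configuration backup, those backups can be checked for the workaround above so it is not forgotten once the APs are on FortiAP 7.0. The following is an added example, not code from the original post or from Fortinet; the sample backup, hostname and function names are constructed, and the parser assumes the usual config/set/end layout of a FortiGate backup file.

```python
# Settings changed by the workaround, both under "config system global".
WATCHED = ("strong-crypto", "ssl-static-key-ciphers")

# Constructed sample backup (not taken from a real device).
SAMPLE_BACKUP = '''\
#config-version=CONSTRUCTED-SAMPLE
config system global
    set hostname "lab-fgt"
    set ssl-static-key-ciphers enable
    set strong-crypto disable
end
config system interface
    edit "port1"
        set alias "strong-crypto disable"
    next
end
'''

def global_settings(config_text):
    """Return {name: value} for set lines directly inside 'config system global'."""
    stack, found = [], {}
    for raw in config_text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue
        if words[0] == "config":
            stack.append(" ".join(words[1:]))   # enter a config block
        elif words[0] == "end":
            if stack:
                stack.pop()                     # leave the innermost block
        elif words[0] == "set" and stack == ["system global"] and len(words) >= 3:
            found[words[1]] = " ".join(words[2:]).strip('"')
    return found

def audit_workaround(config_text):
    """Report the watched settings and whether strong-crypto is explicitly disabled."""
    settings = global_settings(config_text)
    report = {name: settings.get(name, "not set in backup") for name in WATCHED}
    report["workaround_active"] = settings.get("strong-crypto") == "disable"
    return report

if __name__ == "__main__":
    for name, value in audit_workaround(SAMPLE_BACKUP).items():
        print(f"{name}: {value}")
```

The interface alias in the sample is a decoy: only set lines directly inside the global block are counted, so text that merely mentions the setting elsewhere does not trigger a match.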
Thank you for reading, I hope this has been helpful.