Upgrade Requirements
Ticket # |
Description |
---|---|
931408 |
Under Portal > Portal SSL the "Disabled" option is no longer available as of FortiNAC v9.4.5, vF7.2.5 and vF7.4.0. If using this option, install SSL certificates in the Portal target prior to upgrade. See Certificate management in the Administration Guide. |
Upgrade Path Requirements |
Systems on version 9.1.6 must upgrade to either:
- Higher version of 9.1 (e.g. 9.1.7)
- 9.2.4 or higher
Systems on versions 8.2 or lower must upgrade to 8.3 before upgrading to 8.4 or higher. |
Legacy SSH Ciphers |
Vulnerable Diffie-Hellman SSH ciphers were removed from versions 9.2.8, 9.4.4, F7.2.3 and greater. Removing these ciphers can cause SSH communication to fail between FortiNAC and network infrastructure devices that still use them. Depending on the device, the resulting behavior ranges from failed L2 and L3 polling to failed VLAN switching. The following events would be generated for the affected device:
The legacy ciphers must be re-added to FortiNAC via the CLI after upgrade. For details, see KB article https://community.fortinet.com/t5/FortiNAC-F/Troubleshooting-Tip-SSH-communication-fails-after-upgrade-due-to/ta-p/281029 |
FortiNAC License Key: Upgrading to this release requires the FortiNAC License. It is possible, though unlikely, that older appliances do not have this specific type of license key installed. In such cases, an error is displayed during the upgrade. For additional details, see KB article https://community.fortinet.com/t5/FortiNAC/Troubleshooting-Tip-Upgrade-fails-with-license-requirement-error/ta-p/246324 | |
892856 |
High Availability and FortiNAC Manager Environments: The following are required as of 9.4.3:
|
885056 | All devices managed by FortiNAC must have a unique IP address. This includes FortiSwitches in Link Mode: Managed FortiSwitch interface IP addresses must be unique. Otherwise, they will not be properly managed by FortiNAC and inconsistencies may occur. This is also noted in the FortiSwitch Integration reference manual. |
9.2 |
As of Persistent Agent version 5.3, there is no option to disable secure agent communications. Agents upgraded from previous versions to 5.3 or greater will communicate over TCP 4568 regardless of the "securityEnabled" Persistent Agent setting. Therefore, the following must be done prior to upgrading hosts to agent version 5.3:
- Ensure valid SSL certificates are installed in the Persistent Agent Certificate Target. For details see section Certificate Management in the Administration Guide.
- Packet Transport Configurations must have TCP 4568 listed. For instructions see section Transport configurations in the Administration Guide. |
9.2 |
The number of Operating System and Anti-Virus program options in the Scan Configuration has been reduced. Only those currently supported or commonly in use are now listed. For a list of available Operating Systems and Anti-Virus programs, see KB article 198098. |
834826 |
As of FortiNAC versions 9.4.2 & vF7.x, Persistent Agent communication using UDP 4567 is no longer supported. It is recommended the following be checked prior to upgrade to avoid agent communication disruptions:
- SSL certificates are installed for the Persistent Agent target
- Persistent Agents are running a minimum version of 5.3
For additional details see KB article 251359: https://community.fortinet.com/t5/FortiNAC/Technical-Note-Agent-communication-using-UDP-4567-no-longer/ta-p/251359 |
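
For the Legacy SSH Ciphers entry above, one way to find affected devices before upgrading is to read the key-exchange list each managed device advertises in its SSH KEXINIT packet and flag devices that offer nothing outside the legacy set. This is an added example, not Fortinet code. The algorithm names in `LEGACY_KEX`, the function names and the `kexaudit` client banner are assumptions; the authoritative list of removed algorithms is in the KB article linked in that entry.

```python
import socket
import struct

# ASSUMPTION: illustrative legacy Diffie-Hellman key-exchange names. The page does
# not list what was removed; replace this set with the list from the KB article.
LEGACY_KEX = {"diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1",
              "diffie-hellman-group-exchange-sha1"}

def kex_algorithms(packet: bytes) -> list:
    """Extract kex_algorithms from a raw SSH_MSG_KEXINIT packet (RFC 4253, 7.1)."""
    if len(packet) < 5:
        raise ValueError("truncated packet header")
    packet_len, pad_len = struct.unpack(">IB", packet[:5])
    if len(packet) < 4 + packet_len or packet_len < pad_len + 1:
        raise ValueError("truncated or malformed packet")
    payload = packet[5:4 + packet_len - pad_len]
    if len(payload) < 21 or payload[0] != 20:      # 20 = SSH_MSG_KEXINIT
        raise ValueError("not a KEXINIT payload")
    (n,) = struct.unpack(">I", payload[17:21])      # skip type byte + 16-byte cookie
    names = payload[21:21 + n]
    if len(names) != n:
        raise ValueError("truncated kex_algorithms name-list")
    return [a for a in names.decode("ascii").split(",") if a]

def classify(offered, legacy=LEGACY_KEX) -> str:
    """'legacy-only' when the device offers no key exchange outside the legacy set."""
    # Extension markers (RFC 8308 ext-info, OpenSSH strict-kex) are not real methods.
    real = [a for a in offered if not a.startswith(("ext-info-", "kex-strict-"))]
    return "legacy-only" if real and all(a in legacy for a in real) else "has-other"

def fetch_kexinit(host: str, port: int = 22, timeout: float = 5.0) -> bytes:
    """Read one device's KEXINIT; only banners are exchanged, no authentication."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        if not any(line.startswith(b"SSH-") for line in f):  # skip pre-banner text
            raise ConnectionError("no SSH banner received")
        s.sendall(b"SSH-2.0-kexaudit\r\n")
        head = f.read(4)
        return head + f.read(struct.unpack(">I", head)[0])

def build_kexinit(kex) -> bytes:
    """Constructed sample packet: only the first name-list is populated."""
    first = ",".join(kex).encode("ascii")
    payload = (bytes([20]) + bytes(16) + struct.pack(">I", len(first)) + first
               + struct.pack(">I", 0) * 9 + b"\x00" + struct.pack(">I", 0))
    pad = 4 + (-1 - len(payload)) % 8   # at least 4 bytes, total a multiple of 8
    return struct.pack(">IB", len(payload) + pad + 1, pad) + payload + bytes(pad)
```

Run `classify(kex_algorithms(fetch_kexinit(ip)))` against each managed device's SSH address; a `legacy-only` result marks a device to remediate or to plan the post-upgrade CLI change for.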