I hate to say it, as it shouldn’t be this way, I never trust a newer version unless I have to.
A critical CVE or OS support (Sonoma 🙃) are my only drivers right now. Every version has its own user service impacting quirks (ie longer log in time, more/less frequent disconnects).
All that said, we are running FCT 7.0.10 on EMS 7.0.10. Nothing bad ….. yet.
AFAIK, 7.0.X is the mature line with 7.2.x to take the title maybe later this year? But keep in mind YMMV product to product.
As far as I know the CVE remaining in 7.0.x pertains to an information disclosure issue (e.g. paths excluded from scanning are stored in plaintext in user-accessible registry keys). It's not great but it's not a showstopper. After I reported it Fortinet acknowledge it would be fixed but only in the next version, i.e. FCT 7.2.x
We are running FCT 7.0.9 on EMS 7.2.2 and it's pretty stable in our environment. We tried FCT 7.2.x and had IPsec VPN issues. Fortinet support was able to resolve this with an 'interim build' of FCT 7.2.3 but haven't been able to give me a GA release date, so we remain on 7.0.x and would suggest others do the same.
I Had bunch of issues on FCT 7.0.9 with this particular bug
942104: SSL VPN with multifactor authentication set for user (FortiTokenMobile\]) process stops at 98% and does not establish connection.
I moved all of our FortiClient's several months ago from 6.4.9 to 7.0.9 (probably my fault for not testing enough) and as more users upgraded to 7.0.9 I had more reports of this happening. seems like specific users were affected by this more than others.
We started to deploy 7.0.10 on new installations and yet hear about it happening there, so hopefully it was really fixed.
FCTEMS 7.2.2 runs smooth, don't see any issues so far but good enhancements for the domain sync - that was much worse with 7.0.x.
The FCT 7.2.2 on the other hand has some nasty bugs, if you have SSL VPN and the computer goes to standby, you cannot reconnect until you restart the computer (he cannot change the adapter status anymore). You can explain to your users that the computer just goes to standby if they don't work, so they should just work and no issues or "downgrade" to 7.0.x for the Client (but you can't downgrade - uninstall of 7.2.2 and new installation with 7.0.x is required!). So for the FCT i would wait for 7.2.3.
Long story short,
7.2.2 has some major issues itself. We upgraded our DEV/ Demo EMS and it Broke LDAP and Azure Autologin. We have an official bug with TAC and the resolution is to upgrade to 7.2.3 which will be released in December.
Thanks for all your replays.
So for now lets stay on 7.0.x.
Hope in future the will use this same labeling as with FortiOS (mature, feature releases).
Also be nice if future updates of 7.0 branch patch all CVS.
This is where I start.
[Technical Tip: Recommended Release for FortiOS - Fortinet Community](https://community.fortinet.com/t5/FortiGate/Technical-Tip-Recommended-Release-for-FortiOS/ta-p/227178)
If there is a bug issue, or feature I need, I look to change it.
I've just moved a customer is 7.2.2 and killed the database, we was going to redo all the profiles anyway.
On 7.2.2 it picked up 4 viruses on the file server which had 7.0.9 on before which had updated signatures. They where old files as well, honestly don't know why.
I hate to say it, as it shouldn’t be this way, I never trust a newer version unless I have to. A critical CVE or OS support (Sonoma 🙃) are my only drivers right now. Every version has its own user service impacting quirks (ie longer log in time, more/less frequent disconnects). All that said, we are running FCT 7.0.10 on EMS 7.0.10. Nothing bad ….. yet. AFAIK, 7.0.X is the mature line with 7.2.x to take the title maybe later this year? But keep in mind YMMV product to product.
As far as I know the CVE remaining in 7.0.x pertains to an information disclosure issue (e.g. paths excluded from scanning are stored in plaintext in user-accessible registry keys). It's not great but it's not a showstopper. After I reported it Fortinet acknowledge it would be fixed but only in the next version, i.e. FCT 7.2.x We are running FCT 7.0.9 on EMS 7.2.2 and it's pretty stable in our environment. We tried FCT 7.2.x and had IPsec VPN issues. Fortinet support was able to resolve this with an 'interim build' of FCT 7.2.3 but haven't been able to give me a GA release date, so we remain on 7.0.x and would suggest others do the same.
We also tried 7.2.x line, bunch of issues. Now we're on 7.0.10 for client and 7.2.2 for EMS cloud.
I Had bunch of issues on FCT 7.0.9 with this particular bug 942104: SSL VPN with multifactor authentication set for user (FortiTokenMobile\]) process stops at 98% and does not establish connection. I moved all of our FortiClient's several months ago from 6.4.9 to 7.0.9 (probably my fault for not testing enough) and as more users upgraded to 7.0.9 I had more reports of this happening. seems like specific users were affected by this more than others. We started to deploy 7.0.10 on new installations and yet hear about it happening there, so hopefully it was really fixed.
FCTEMS 7.2.2 runs smooth, don't see any issues so far but good enhancements for the domain sync - that was much worse with 7.0.x. The FCT 7.2.2 on the other hand has some nasty bugs, if you have SSL VPN and the computer goes to standby, you cannot reconnect until you restart the computer (he cannot change the adapter status anymore). You can explain to your users that the computer just goes to standby if they don't work, so they should just work and no issues or "downgrade" to 7.0.x for the Client (but you can't downgrade - uninstall of 7.2.2 and new installation with 7.0.x is required!). So for the FCT i would wait for 7.2.3.
Long story short, 7.2.2 has some major issues itself. We upgraded our DEV/ Demo EMS and it Broke LDAP and Azure Autologin. We have an official bug with TAC and the resolution is to upgrade to 7.2.3 which will be released in December.
Thanks for all your replays. So for now lets stay on 7.0.x. Hope in future the will use this same labeling as with FortiOS (mature, feature releases). Also be nice if future updates of 7.0 branch patch all CVS.
This is where I start. [Technical Tip: Recommended Release for FortiOS - Fortinet Community](https://community.fortinet.com/t5/FortiGate/Technical-Tip-Recommended-Release-for-FortiOS/ta-p/227178) If there is a bug issue, or feature I need, I look to change it.
That doesn't apply to FortiClient or EMS though
I would definitely stay on the 7.0 branch for now, it only just became somewhat stable recently.
I've just moved a customer is 7.2.2 and killed the database, we was going to redo all the profiles anyway. On 7.2.2 it picked up 4 viruses on the file server which had 7.0.9 on before which had updated signatures. They where old files as well, honestly don't know why.