Fortinet announced that with FortiOS version 7.4.4, FortiGates with 2GB RAM or less will no longer support proxy-related features, as part of changes to improve performance and optimize memory usage on FortiGate models. Beyond that, with version 7.6+ the SSL-VPN features will also be removed on FortiGates with 2GB RAM or less.

Important note: FortiGate VMs will not be affected by this change and will continue to support proxy-based features after upgrading to 7.4.4. However, it is recommended to have at least 4GB RAM available when using proxy-based features.


Proxy-based Features

What devices are affected by this? This change impacts the following FortiGate/FortiWiFi models:

  • 40F series of devices and their variants.
  • 60E series of devices and their variants.
  • 60F series of devices and their variants.
  • 80E series of devices and their variants.
  • 90E series of devices and their variants.
  • 60F and variants (2GB versions only)

After upgrading to FortiOS 7.4.4 or later, the following proxy features are no longer supported:

  • Zero Trust Network Access (ZTNA)
  • UTM profile with proxy-based inspection mode
  • Firewall policy with proxy-based inspection mode
  • Explicit and transparent proxies
  • Virtual server load balance
  • Proxy-only UTM profiles
    • Video Filter
    • Inline CASB
    • ICAP
    • Web application firewall (WAF)
    • SSH Filter
  • WAN optimization

To check whether your system is affected, open the CLI and enter the command diagnose hardware sysinfo conserve, then look at the total RAM value: if it is not greater than 2000 MB, the device is affected.
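As an added example (not from the original post and not Fortinet code), the following Python script reads the total RAM from that command's output and scans a configuration backup for what the 7.4.4 upgrade would convert or drop. The sample output and configuration excerpt are constructed, and the table names "firewall policy" / "firewall proxy-policy" and the "inspection-mode" key are assumptions about the backup format.

```python
import re

# Constructed sample output of "diagnose hardware sysinfo conserve" (not captured from a real unit).
SYSINFO = """\
total RAM:              1961 MB
"""

# Constructed excerpt of a FortiOS configuration backup; table and key names are assumptions.
CONFIG = """\
config firewall policy
    edit 1
        set name "LAN-to-WAN"
        set inspection-mode proxy
    next
end
config firewall proxy-policy
    edit 1
        set name "explicit-web"
    next
end
"""

def total_ram_mb(sysinfo):
    # Pull the "total RAM: <n> MB" line; None when the output lacks it.
    m = re.search(r"total RAM:\s*(\d+)\s*MB", sysinfo)
    return int(m.group(1)) if m else None

def settings(config):
    # Yield (table, entry_id, key, value) for every "set" line inside a config/edit block.
    table = entry = None
    for raw in config.splitlines():
        s = raw.strip()
        if s.startswith("config "):
            table = s[7:]
        elif s.startswith("edit "):
            entry = s[5:].strip('"')
        elif s.startswith("set ") and table and entry:
            key, _, val = s[4:].partition(" ")
            yield table, entry, key, val.strip('"')
        elif s == "end":
            table = entry = None

def upgrade_impact(sysinfo, config, limit_mb=2000):
    # Units with 2000 MB or less lose proxy features on 7.4.4: report what the upgrade would change.
    ram = total_ram_mb(sysinfo)
    rows = list(settings(config))
    to_flow = sorted({e for t, e, k, v in rows if t == "firewall policy" and (k, v) == ("inspection-mode", "proxy")})
    removed = sorted({e for t, e, k, v in rows if t == "firewall proxy-policy"})
    return {"ram_mb": ram, "affected": ram is not None and ram <= limit_mb,
            "policies_to_flow": to_flow, "proxy_policies_removed": removed}
```

Run it against a real backup and the real command output before scheduling the upgrade, so the policies that will silently change mode are known in advance.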


What should you do when you have a device with 2GB or less?

If you use proxy-based features and decide to update to FortiOS 7.4.4, all proxy-based settings are converted to flow-based mode: the proxy-based inspection mode changes to flow-based mode, and firewall policies that are in proxy-based inspection mode are converted to flow-based mode as well. Proxy-only features such as ZTNA, explicit proxy or WAN optimization are removed.

If you want to keep using proxy-based features, you will either need to stay on a version below 7.4.4 or consider trading in your current device for a bigger appliance, so that you continue to receive security updates and can keep using proxy-based features.


What is the difference between proxy-based and flow-based inspection mode?

Flow-based inspection uses single-pass direct filter approach (DFA) pattern matching to identify possible attacks or threats. Files are scanned on a flow basis as they pass through the FortiGate. It requires fewer resources and delivers faster scanning.

In proxy-based inspection the FortiGate acts as a proxy and places itself between the client and the server. There are two TCP connections, one from the client to the FortiGate and one from the FortiGate to the server; the communication is terminated at layer 4. This adds latency and is more resource intensive than flow-based inspection. However, it provides a higher level of threat protection, since the whole file is buffered on the FortiGate and checked for malware before it is transmitted to the client, rather than being forwarded while the check is still running.


SSL-VPN

With version 7.6+ the SSL-VPN web and tunnel-mode features will no longer be available. This affects the following devices:

  • FGT/FWF-40F and variants
  • FGT/FWF-60E and variants
  • FGT/FWF-61E and variants
  • FGT/FWF-60F
  • FGT/FWF-61F
  • FGT-80E and variants
  • FGT-81E and variants
  • FGT-90E
  • FGT-91E
  • FGR-60F and variants (2GB versions only)

To check whether your system is affected, open the CLI and enter the command diagnose hardware sysinfo conserve, then look at the total RAM value: if it is not greater than 2000 MB, the device is affected.


What should you do when you have a device with 2GB or less?

If you decide to keep your current appliance, you will need to migrate to IPsec VPN or stay on a version below 7.6.

If you want to continue using SSL VPN after version 7.6, you can consider trading in your current device for a bigger appliance, so that you continue to receive security updates and can keep using SSL VPN.


Conclusion

This removal of proxy-based and SSL-VPN features from devices with 2GB RAM or less will affect a lot of devices. There is no way to keep proxy-based features on 7.4.4 or SSL VPN on 7.6+ if your appliance has 2GB of RAM or less.

Either you stay on a lower version, which can lead to security weaknesses over time, or you upgrade to a bigger appliance. If you choose the latter, you could trade in your current appliance and get a bigger model at a lower price.


Links