Chapter 5 – Best Practices

Grounding

  • Ensure the FortiGate unit is connected and properly grounded to a lightning and surge protector. WAN or LAN connections that enter the premises from outside the building should be connected to an Ethernet CAT5 (10/100 Mb/s) surge protector.
  • Shielded Twisted Pair (STP) Ethernet cables should be used whenever possible rather than Unshielded Twisted Pair (UTP).
  • Do not connect or disconnect cables during lightning activity to avoid damage to the FortiGate unit or personal injury.


Rack mounting

  • Elevated Operating Ambient – If installed in a closed or multi-unit rack assembly, the operating ambient temperature of the rack environment may be greater than room ambient. Therefore, consideration should be given to installing the equipment in an environment compatible with the maximum ambient temperature (Tmax) specified by the manufacturer.

  • Reduced Air Flow – Installation of the equipment in a rack should be such that the amount of air flow required for safe operation of the equipment is not compromised.
  • Mechanical Loading – Mounting of the equipment in the rack should be such that a hazardous condition is not achieved due to uneven mechanical loading.
  • Circuit Overloading – Consideration should be given to the connection of the equipment to the supply circuit and the effect that overloading of the circuits might have on overcurrent protection and supply wiring. Appropriate consideration of equipment nameplate ratings should be used when addressing this concern.
  • Reliable Earthing – Reliable earthing of rack-mounted equipment should be maintained. Particular attention should be given to supply connections other than direct connections to the branch circuit (e.g. use of power strips).


Firmware

Firmware upgrading and downgrading sound simple enough that anyone can do it, right? The mark of a professional is not that they can do something correctly, or even do it correctly over and over again. A professional works in such a way that, if anything goes wrong, they are prepared and able to quickly get things back to normal. Firmware updates can go wrong just like anything else, so a real professional does things in a way that minimizes risk and follows some best practices, as listed below.

Firmware change management

Consider the following five points when performing firmware upgrades, not only in FortiOS but in general. This applies to pretty much any change you have to do in a production environment.


Understanding the new version first

Before attempting any changes in production, first make sure you set up a laboratory where you can freely play with the new features, and understand them with enough time and no pressure. Read the Release Notes, Manuals, and other documentation like presentations, videos, or podcasts about the new version.


You are ready to explain the need for an upgrade once you understand:

  • The differences and the enhancements between the new version and the previous version(s).
  • The impact of the upgrade on customers and the users of the operating platform.
  • The known limitations that might affect your environment.
  • The potential risks when performing the upgrade.
  • The licensing changes that may apply.


Never attempt to upgrade to a version you don’t fully understand (both on features and known limitations), and on which you have no operational experience.


Have a valid reason to upgrade

The reason can NOT be “Because I want to have the latest version”. The reason has to be explained in terms of business, technical, and/or operational improvement.

Affirmative answers to the following questions are valid reasons to upgrade:

  • Does the new version have a feature that helps to ensure compliance?
  • Does the new version have an enhancement that allows a 40% decrease (40% improvement) in the time needed to perform a certain operation?
  • Does the new feature correct a known defect/bug found on a previous version that affects the company business/operations?
  • Will the new version allow your organization to deploy new services that will help to gain new customers or increase loyalty of existing ones?
  • Is the vendor cutting support for the version your organization is currently using?


If the best reason to upgrade is “Because the new features seem to be cool” or “Because I want to have the latest version”, a little more understanding and planning may be necessary.


Prepare an upgrade plan

If you choose to upgrade because you found a valid reason to do so, make sure you create a plan that covers business, technical, and operational aspects of the upgrade:
