Recommendation for Fortinet Devices: Upgrade to FortiOS 7.4.11

As part of UpKeep, our new feature to keep our NWG Manage customers' devices on the latest stable version, we reviewed the latest Fortinet releases and recommend an upgrade to FortiOS 7.4.11 for all supported devices. More details below.

Why Are You Sharing This Information?

Even if we're not managing Fortinet devices for you, we want you to have the latest information to help keep your devices secure.

What should I do if I have a Fortinet device that NWG manages?
If you have a Fortinet device(s) that we manage for you, we already know what hardware you have and what version you need to be on. We’ll handle the upgrade during an upcoming maintenance window. Zendesk notifications will be sent out once maintenance has been scheduled, including details about when implementation will take place. If your devices/locations require different days/times for maintenance to take place, you’ll receive separate tickets.
What if I have a Fortinet device that NWG does not manage?
If you have a Fortinet device(s) in your environment, we suggest you upgrade to the version listed below.
What if I don't have any Fortinet devices?
No action is needed if you don’t have any Fortinet devices or if your Fortinet devices are already running the recommended versions

Which Fortinet Release Do You Recommend?

NWG recommends an upgrade to FortiOS 7.4.11:

7.4.11, the newest release of FortiOS, has corrected the SAML signature verification with a new configuration option, giving users flexibility to enable or disable the feature. 7.4.11 does not show any severe, potentially service-impacting issues
NWG does not recommend any of the 7.6.X code train for use. Fortinet has begun recommending 7.6.6 for certain hardware models (E, F, and G) as of 2/13/2026. This new version was just released at the end of January and has not been real-world tested enough to be considered stable.

If you have devices that are not capable of running 7.4, we recommend 7.2.13.
If your devices are not capable of running 7.2 or 7.4, we recommend 6.2.17. Note that devices that cannot run firmware higher than 6.2 are in the end-of-life lifecycle and should be replaced.

Review Details

FortiOS 7.6

FortiOS 7.6 Review

Fortinet has not historically recommended any of the 7.6.X code train for use. Fortinet has begun recommending 7.6.6 for certain hardware models (E, F, and G) as of 2/13/2026. This new version was just released at the end of January and has not been real-world tested enough to be considered stable. While there are new features, the bugs identified create a much larger risk to production environments.

Bug ID: 965217
Description: In an HA configuration, FortiGate may experience intermittent heartbeat loss causing unexpected failover to the secondary unit.

Bug ID: 995912
Description: After a firmware upgrade, some VPN tunnels experience intermittent signal disruptions causing traffic to be re-routed.

FortiOS 7.6 Conclusion

NWG does not recommend using FortiOS 7.6.X on any Fortinet devices.

FortiOS 7.4

FortiOS 7.4.11 Review

This is the newest release of FortiOS. FortiOS 7.4.11 has corrected the SAML signature verification with a new configuration option, giving users flexibility to enable or disable the feature.

Lower-end models (50G, 70G, 90G, and their variants) have the same SSL VPN tunnel restrictions as 7.4.9 and will continue with all newer versions going forward due to limited resources on these models.

7.4.11 does not show any severe, potentially service-impacting issues.

NWG recommends 7.4.11 for all supported devices.

FortiOS 7.4.9 Review

FortiOS 7.4.9 has a new feature that has caused authentication outages with SAML configurations. This change in default behavior verifies the signature for SAML response messages. This means that configurations must be made to the SAML IdP to sign SAML responses and assertions. While providers such as Azure can be reconfigured to work properly, the only workaround for other IdPs (such as Google) is to downgrade to FortiOS 7.4.8.

On lower-end models (50G, 70G, 90G, and their variants), SSL VPN web and tunnel modes are no longer available, and any previous configuration will not be migrated during an upgrade. The workaround for this is to transition to IPSec for Remote Access VPN, but this requires planning due to changes required on the Firewall and to FortiClients.

In addition to the above SAML concerns, there are many new Hyperscale issues and limitations that have been identified.

NWG does not recommend 7.4.9 at this time.

FortiOS 7.4.8 Review

Release notes for 7.4.8 previously showed some potentially severe issues. The new known issues in 7.4.8 are listed below. Version 7.4.8 resolves 2 medium and one low severity vulnerabilities (CVE-2025-25250, CVE-2024-52963, and CVE-2025-24471). NWG has not experienced the known issues listed below. The known issues were noticed under extreme load in lab testing and do not correlate to real-world environments.

Bug ID: 1033083

Description: HA sessions are not properly synchronized, causing a high number of sessions on the primary unit, and the standby unit enters conserve mode.

Bug ID: 1101897

Description: VPN traffic sent bytes spike to anomalous levels within 10 minutes.

Bug ID: 1125487

Description: Autoconnect to IPsec VPN using Entra ID logon fails when there are multiple IPsec tunnels.

Bug ID: 1164811

Description: SSL VPN web mode showing Access Denied error after upgrade on 2GB models.

FortiOS 7.4.7 Review

FortiOS 7.4.7 does not show any severe, potentially service-impacting issues. It also resolves 1 critical and 1 medium vulnerability (CVE-2025-22252 and CVE-2025-22254).

FortiOS 7.4 Conclusion

NWG recommends FortiOS 7.4.11 for all supported devices.

FortiOS 7.2

FortiOS 7.2.13 Review

FortiOS 7.2.13 is the newest release of FortiOS 7.2.X. There are no severe new issues identified in the 7.2.13 release over previous releases. FortiOS 7.2.13 also resolves 1 critical vulnerability (CVE-2026-24858).

FortiOS 7.2.12 Review

FortiOS 7.2.12 has a new feature that has caused authentication outages with SAML configurations. This change in default behavior verifies the signature for SAML response messages. This means that configurations must be made to the SAML IdP to sign SAML responses and assertions. While providers such as Azure can be reconfigured to work properly, the only workaround for other IdPs (such as Google) is to downgrade to FortiOS 7.2.11.

FortiOS 7.2.11 Review

Fortinet recommends version 7.2.11 for FortiGate models 100E and 101E. There are no severe new issues identified in the 7.2.11 release over previous releases. Most new issues are either GUI issues or model-specific bugs that have workarounds. The only new features are more secure administrator password hashing and improved CPU performance when updating the IPS database. FortiOS 7.2.11 also resolves 1 high, 1 medium, and 1 low severity vulnerabilities (CVE-2024-52965, CVE-2025-22254, and CVE-2024-52963).

FortiOS 7.2 Conclusion

NWG recommends FortiOS 7.2.13 for all compatible devices that are not capable of running FortiOS 7.4.

FortiOS 6.2

FortiOS 6.2 Review

Fortinet recommends FortiOS 6.2.17. There are no new known issues with 6.2.17. There are also no new features. There are 2 high vulnerabilities resolved in 6.2.17 (CVE-2024-45324 and CVE-2024-26009).

FortiOS 6.2 Conclusion

NWG recommends FortiOS 6.2.17 for devices that are not capable of running 7.2 or 7.4. Note that devices that cannot run firmware higher than 6.2 are in the end-of-life lifecycle and should be replaced.

‍

Review Process

Model Evaluation
- Determines major code revision compatibility
Vendor Recommended
- https://community.fortinet.com/t5/FortiGate/Technical-Tip-Recommended-Release-for-FortiOS/ta-p/227178
Newest Version (Mature/GA)
- Evaluate known issues
- Evaluate resolved issues
- Evaluate features as needed
Evaluate known vulnerabilities
- https://www.fortiguard.com/psirt

Code Versions

‍