
Upgrading the firmware on a standalone Fortigate unit or units in an HA cluster

Understanding upgrade paths:

Each firmware version has an upgrade-path requirement from older versions. A newly published document at docs.fortinet.com (under FortiOS) details the supported upgrade paths and will assist you.

Most of the time, when you are at a patch level within an MR (major release), you can upgrade straight to any patch level within that MR.
ex:
1) Currently, a Fortigate unit is running 4.0 MR3 patch 3.
2) You wish to upgrade it to 4.0 MR3 patch 11.
3) You can simply upgrade it directly to 4.0 MR3 patch 11.

Most of the time, when you are upgrading from one MR to the next, you can upgrade straight to any patch level in the next MR as long as you are at the highest patch level in the lower/previous MR.
ex:
1) Currently, a Fortigate unit is running 4.0 MR2 patch 3.
2) You wish to upgrade it to 4.0 MR3 patch 11.
3) You must first upgrade it to 4.0 MR2 patch 13 (the highest 4.0 MR2 patch).
4) Then you can upgrade to 4.0 MR3 patch 11.

You should ALWAYS refer to the release notes of the firmware release you wish to upgrade your unit to.
For extra comfort, open a ticket with Support to verify the upgrade path.
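To make the two examples above mechanical, here is an added Python helper (not from the original post) that computes an upgrade path from the rule just described. The highest-patch table in it is constructed sample data apart from the "MR2 patch 13" value the post gives, and chaining the rule through more than one MR is my assumption, so always confirm the result against the release notes.

```python
"""Plan a FortiOS 4.0 upgrade path by the rule described above.

Within one MR you jump straight to the target patch.  From one MR to the
next you first go to the highest patch of the current MR, then jump to the
target.  Spanning more than one MR is handled here by chaining that rule
through each intermediate MR, which is an assumption, not something the
post states.  Always confirm the result against the release notes.
"""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int]  # (MR, patch)

# Constructed sample table of the highest released patch per MR.  Only the
# MR2 -> patch 13 entry comes from the post; the MR3 value is made up.
HIGHEST_PATCH: Dict[int, int] = {2: 13, 3: 18}

_VER_RE = re.compile(r"^4\.0 MR(\d+) patch (\d+)$")


def parse_version(text: str) -> Version:
    """'4.0 MR3 patch 11' -> (3, 11); anything else raises ValueError."""
    m = _VER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return int(m.group(1)), int(m.group(2))


def fmt(v: Version) -> str:
    return f"4.0 MR{v[0]} patch {v[1]}"


def plan_upgrade(current: str, target: str) -> List[str]:
    """Ordered list of firmware versions to install, not including `current`."""
    cur, tgt = parse_version(current), parse_version(target)
    if tgt <= cur:  # tuple comparison: MR first, then patch
        raise ValueError("target is not newer than current; see the rollback procedure")
    path: List[Version] = []
    mr, patch = cur
    while mr < tgt[0]:
        top = HIGHEST_PATCH.get(mr)
        if top is None:
            raise ValueError(f"no highest-patch data for MR{mr}; check the release notes")
        if patch < top:          # not yet at the top of this MR: go there first
            path.append((mr, top))
        mr, patch = mr + 1, 0    # enter the next MR; any patch level is now reachable
    path.append(tgt)
    return [fmt(v) for v in path]
```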

FTP info:

ftp://pftpintl:sgn89IOngs@support.fortinet.com/FortiGate

Procedure to upgrade a standalone Fortigate:
1) Grab the existing firmware version .out file from the FTP and store it locally.

2) Grab the target firmware version(s) .out file(s) from the FTP and store it/them locally.

3) Back up the current config to the hg repo you know you keep of your firewall configs, and keep a copy locally in case of problems.

4) Check to see the booted/running partition:

conf global
diag sys flash list | grep Yes

5) On the System>Dashboard>Status screen, within the System Information Widget, click Firmware Version> Update. If the System Information Widget is unavailable, add it by clicking the + Widget icon near the top.

6) Keep Local Hard Disk selected and click Choose File, selecting the target firmware .out file. Keep "Boot to the new firmware" checked. Click OK and allow the firmware to upload.

The firmware upgrade procedure will also affect the configuration, possibly rewriting some lines.

7) The system should reboot in under 15 minutes.

8) If you need to upgrade the firmware again (in the case of multiple steps in the upgrade path), remember to backup the config at each step, repeating the exact process detailed.

Procedure to upgrade all HA cluster members (with downtime, as recommended by Fortigate):
1) Grab the existing firmware version .out file from the FTP and store it locally.

2) Grab the target firmware version(s) .out file(s) from the FTP and store it/them locally.

3) Back up the current config to the hg repo you know you keep of your firewall configs, and keep a copy locally in case of problems.

4) Set uninterruptable-upgrade to disabled:

config global
config system ha
set uninterruptable-upgrade disable
end

Note that this is the recommended procedure from Fortinet. It is possible to upgrade without bringing the cluster down, allowing it to keep passing traffic, if you leave `uninterruptable-upgrade` set to `enable`. This roughly doubles the time the upgrade takes (the master upgrades the subordinate(s) first, lets them reboot, promotes one to primary, then upgrades itself). Clearly there is more room for error, so if you can afford it, schedule a maintenance window and set `uninterruptable-upgrade disable`.

5) Check to see the booted/running partition:

conf global
diag sys flash list | grep Yes

6) On the System>Dashboard>Status screen, within the System Information Widget, click Firmware Version> Update. If the System Information Widget is unavailable, add it by clicking the + Widget icon near the top.

7) Keep Local Hard Disk selected and click Choose File, selecting the target firmware .out file. Keep "Boot to the new firmware" checked. Click OK and allow the firmware to upload.

The firmware upgrade procedure will also affect the configuration, possibly rewriting some lines.

8) The system should reboot in under 15 minutes.

Roll back procedure:

Things went mildly wrong:
1) Check the currently running firmware image/partition and the other partitions (FLDB* is not a firmware partition):

diag sys flash list

2) Configure the next reboot to use the alternate partition, which should be the partition you were running from previously:

conf global
execute set-next-reboot secondary
execute reboot

3) Reboot may take up to 10 minutes.

4) Be happy.

Things went horribly wrong:
You’ve installed, waited over 15 minutes, and nothing happens.
1) Grab the console cable

2) Configure something (putty for instance) to 9600 baud, 8-n-1 (8 data bits, no parity, 1 stop bit), no flow control.

3) With putty opened, unplug and replug the power to the Fortigate unit.

4) During boot, you should see “Press any key to display configuration menu…” for three seconds. Press a key during that time.

5) You will see the configuration menu. Hit the B key to boot from the backup partition and set as the primary partition.

6) Be happy.

Things went terribly horribly wrong:
You’ve installed, waited over 15 minutes, performed the procedure above, and nothing happens on reboot.

1) Grab a TFTP server from the internet (there are several free ones, I prefer tftpd32). By default, TFTP uses UDP port 69, so make sure that’s opened on any firewalls between the TFTP server and the fortigate.
2) Place a copy of the old firmware .out file in the home directory of the TFTP server (you should already have this file). If you don’t, look at the first line of the saved config file you have for “config-version” to see the firmware version that the config will work with, then download it from the Fortigate FTP.
3) Start the TFTP server (probably after you’ve placed the file).
4) Grab the console cable
5) Configure something (putty for instance) to 9600 baud, 8-n-1 (8 data bits, no parity, 1 stop bit), no flow control.
6) With putty opened, unplug and replug the power to the Fortigate unit.
7) During boot, you should see “Press any key to display configuration menu…” for three seconds. Press a key during that time.
8) You will see the configuration menu. Hit the G key to grab a firmware image from the TFTP server.
9) Enter the TFTP server’s IP address, and the Fortigate’s client IP. (note that the interface on the Fortigate will not be ‘up’ until you’ve configured all settings, and FortiOS begins searching for the .out file on the TFTP)
10) Enter the firmware .out file name.
11) Hit D to load the firmware as the default firmware
12) After rebooting, the following are the default configurations for the 60C. I am unsure if they vary by model:

internal                192.168.1.99
WAN1                    10.0.0.1
DMZ                     10.10.10.1
Default admin username  admin
Default admin password  <none>

13) You should be able to access the web UI from the internal interface and restore the backed up config.
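As an added example (not part of the original post), this Python snippet ties together two checks from the rollback sections above: reading the Active column of `diag sys flash list` (skipping FLDB* rows, which are not firmware) and reading the `config-version` header on the first line of a saved config, so you can confirm that the partition you are about to boot holds the firmware your backup was taken on. The sample output, the header line and the flash-list column layout are all constructed assumptions, not captured from a real unit.

```python
"""Match a saved config's firmware version against `diag sys flash list`.

The Active column marks the running image; FLDB* partitions are not
firmware and are never offered as a rollback target.  The sample output
and header line are constructed, and the column layout is an assumption
about the format rather than something the post shows.
"""
import re
from typing import Dict, List, Optional

# Constructed sample output, not captured from a real unit.
SAMPLE_FLASH_LIST = """\
Partition  Image                              TotalSize(KB)  Used(KB)  Use%  Active
1          FGT60C-4.00-FW-build513-120130          253871     26004   10%  No
2          FGT60C-4.00-FW-build521-120615          253871     26340   10%  Yes
3          FLDB-4.00-FW-build0078-120104           253871     21344    8%  No
"""
# Constructed first line of a backup taken before the upgrade.
SAMPLE_CONFIG_HEADER = "#config-version=FGT60C-4.00-FW-build513-120130:opmode=0:vdom=0:user=admin"


def parse_flash_list(text: str) -> List[Dict[str, object]]:
    """One dict per partition row; the header and any other lines are skipped."""
    rows: List[Dict[str, object]] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or not parts[0].isdigit() or parts[-1] not in ("Yes", "No"):
            continue
        rows.append({"partition": int(parts[0]), "image": parts[1],
                     "active": parts[-1] == "Yes",
                     "firmware": not parts[1].startswith("FLDB")})
    return rows


def config_firmware(header: str) -> Optional[str]:
    """Firmware image string the saved config was written by, or None."""
    m = re.match(r"#config-version=([^:]+)", header.strip())
    return m.group(1) if m else None


def rollback_partition(flash_text: str, config_header: str) -> Optional[int]:
    """Number of the inactive firmware partition holding the backup's firmware.

    None means no inactive firmware partition carries that image, so the
    backup config and the image you would boot into do not match.
    """
    wanted = config_firmware(config_header)
    for row in parse_flash_list(flash_text):
        if row["firmware"] and not row["active"] and row["image"] == wanted:
            return row["partition"]
    return None
```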

  1. Ronald Schmit
    August 15, 2013 at 4:01 pm

    Hello,

    In step #3 for upgrade, you said:

    3) Backup the current config to the hg repo you know you keep of your firewall configs, and keep a copy locally in case of problem.

    What does “hg repo” mean?

    • August 15, 2013 at 4:06 pm

      “hg” is a revision control tool, short for mercurial. It allows you to “commit” revisions to plain text files as they come.

      For instance, you can create a “repo” (short for repository) in a directory, save your fortigate config via the web UI to the directory, add the config file to the repo, then commit the current file to the repo. Then, when you save over the file in the same directory/repo and commit again, the commit will be accessible historically! That way you can roll back or pull out portions of older configs as you need. Search for “tortoise hg” for the GUI that I use.

      What are you doing now to manage older versions of your configs?

  2. Ronald Schmit
    August 16, 2013 at 9:55 am

    I just download the log file and save it on my PC.

    Our environment is small, just 2 FGT in HA at main office, and other FGT smaller in a branch office.

    Regards,

  3. October 1, 2013 at 12:56 pm

    I had an old Fortigate 100A, and thanks to you, I was able to upgrade it.
    Thanks a lot.
    The FTP access was a life saver.

  4. August 7, 2014 at 10:02 pm

    Nice guide. I dig your mildly, horrible, terribly levels :)

  5. KlasB
    May 28, 2015 at 11:18 am

    Hi
    I have 2 FGT600C in HA A-P configuration. No problem upgrading before.
    Now I tried to upgrade from 5.0.10 to 5.2.2. After the slave was upgraded, the master never did.
    Tried to upgrade master one more time. Lost internet connection and members did not sync.
    Downgraded master back to 5.0.10 and restored configuration.
    I ended up with master on 5.0.10 and slave on 5.2.2 but in sync. Did shutdown on slave.
    I will check “diag sys flash list” to see if I can change boot image and recover.
    Otherwise I don’t know how to get it back to previous version. Probably FTP.
    Have to wait to next maintenance window to try.

    • May 29, 2015 at 1:46 pm

      I’d highly suggest having both on the same firmware, for sure. I’m surprised that both members would create a cluster with different firmware versions.

      I’m assuming that you followed the upgrade path?

  6. Mohammad
    November 11, 2015 at 5:19 am

    Hi guys,

    I need to upgrade the firmware on my FortiGate 60C. Does anyone have the latest firmware and could you kindly upload it somewhere.

    Thanks in advance.

  7. Eduard
    March 10, 2016 at 4:59 pm

    Hey guys,
    Thanks for the info. If my upgrade path is marked as follows:

    5.0 128 ► 5.0.2 ► 5.0.3 ► 5.0.4 ► 5.0.7 ► 5.0.9 ► 5.0.11 ► 5.0.12

    What would happen if I jump from 5.02 to 5.0.7 for example? I know that it’s possible but perhaps some vulnerabilities are not fixed.

    Thanks!
