akawade
Staff
December 26, 2019

Technical Tip: Failed to download firmware from FortiGuard


Description


This article describes the error that occurs when upgrading the firmware of a FortiGate via the GUI.

 

Scope

 

FortiGate.


Solution


To upgrade the firmware, go to System -> Firmware.

The firmware management shows the current version running on the unit and the next available version.

Before performing the upgrade, verify the upgrade path (if applicable) and refer to the release notes of the firmware version the unit suggests upgrading to.

Example:
If the current version shows as FortiOS v6.0.7 build0302 (GA), the unit shows the firmware version it can be upgraded to, as shown below:

 
The above is just an example; the information shown depends on the unit's current firmware and the firmware versions available for upgrade.

Select 'Backup config and upgrade'. A new window will open, as shown below:
 
 
Select 'Continue' to upgrade the firmware. This takes a few seconds. If the upgrade fails, the following error appears:
 
 
The above error implies that the FortiGate device is unable to contact the FortiGuard server to fetch the firmware image, and hence the upgrade failed.
Now, check FortiGuard reachability with the commands below:
 
execute ping service.fortiguard.net <----- It shows some packet loss.
get system fortiguard <----- To verify the FortiGuard port (53 or 8888).
 
To troubleshoot FortiGuard packet loss:
 
  1. Change the DNS: go to Network -> DNS and change primary to 8.8.8.8 and secondary to 4.2.2.2.
  2. Switch the port between 53 and 8888. If it is set to 8888, change it to 53 as below:
 
config system fortiguard
    set port 53
end
 
  3. Try disabling fortiguard-anycast:
 
config system fortiguard 
    set fortiguard-anycast disable 
end 
execute update-now
 
Now, check the FortiGuard accessibility again with the ping command as above.
If the issue is still present, check whether there is an issue on the upstream (L3) router and whether it is still blocking the packets.
 
Alternatively, ignore the 'upgrade failed' error and upgrade the firmware manually by downloading the firmware image for the FortiGate model from the support portal (refer to the related article for the manual upgrade).
 
Alternative solution:

In some cases, changing the FortiGuard Server's location will resolve this issue.

 

Navigate to System -> FortiGuard -> FortiGuard updates -> Update server location -> Restrict to -> US only.

 

Test it by changing to the EU as well.


 

Another workaround is to upgrade the firmware by manually uploading the file.

 

To do this, in the Support Portal go to Support -> Firmware download, select FortiGate as the product, and go to Download.
Select the firmware image that matches the FortiGate model and select HTTPS to download the image.

Make sure to follow the recommended upgrade path from the Upgrade Path Tool.
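
A check worth running on the downloaded file before uploading it to the unit, as an added example that is not part of the original article or of Fortinet's tooling: it confirms that the file name matches the unit's model and the intended build, and that the file's hash equals a checksum published for that image. The file name pattern, the model and build values passed in, and the source of the published checksum are assumptions.

```python
import hashlib
import hmac
import re
import sys
from pathlib import Path

# Algorithm is inferred from the length of the published hex digest.
ALGO_BY_HEX_LEN = {32: "md5", 64: "sha256", 128: "sha512"}
# Assumed naming pattern, e.g. FGT_60E-v6-build0000-FORTINET.out (constructed).
NAME_RE = re.compile(
    r"^(?P<model>[A-Za-z0-9_]+)-v[\w.]+-build(?P<build>\d+)-FORTINET\.out$")


def file_digest(path, algo, chunk=1 << 20):
    """Hash the file in chunks so large images are not read into memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def check_image(path, model, build, published_hex):
    """Return a list of problems; an empty list means all checks passed."""
    problems = []
    m = NAME_RE.match(Path(path).name)
    if m is None:
        problems.append("unrecognised image file name")
    else:
        if m["model"] != model:
            problems.append(f"image is for {m['model']}, expected {model}")
        if m["build"] != build:
            problems.append(f"image is build {m['build']}, expected {build}")
    published = published_hex.strip().lower()
    algo = ALGO_BY_HEX_LEN.get(len(published))
    if algo is None or not re.fullmatch(r"[0-9a-f]+", published):
        problems.append("published checksum is not an MD5/SHA-256/SHA-512 hex digest")
    elif not hmac.compare_digest(file_digest(path, algo), published):
        problems.append(f"{algo} mismatch: do not upload this file")
    return problems


if __name__ == "__main__":
    if len(sys.argv) != 5:
        sys.exit("usage: check_image.py <image.out> <model> <build> <published checksum>")
    issues = check_image(*sys.argv[1:5])
    print("\n".join(issues) or "OK: file name and checksum match")
    sys.exit(1 if issues else 0)
```

A non-zero exit status means the file should be downloaded again rather than uploaded.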

 

Additional note:
If the FortiGate is facing high memory issues and has been entering conserve mode, it will be necessary to address this problem first by bringing system memory usage down to optimal levels. Normally, a reboot of the firewall is the quick resolution, but to find the root cause, the guide below can be followed:
Troubleshooting Tip: How to do initial troubleshooting of high memory utilization issues (conserve mode)

Related article:

Technical Tip: Manual firmware upgrade by referring upgrade path