srajeswaran
Staff
May 13, 2026

Technical Tip: How to upgrade FortiGate firmware using the REST API


Description

This article describes how to upgrade FortiGate firmware programmatically using the REST API, covering authentication options, firmware upload, and post-upgrade verification.

Scope

FortiGate.

Solution

The FortiGate REST API provides a monitor endpoint that accepts firmware uploads and triggers the upgrade and reboot sequence automatically.

The steps below describe the full process, from authentication through to post-upgrade cleanup.


Prerequisites:

Before starting, confirm the following:

  1. An administrator account exists with a profile that includes super_admin or equivalent privileges.

  2. The target firmware file is available in .out format and matches the FortiGate hardware model.

  3. HTTPS access to the FortiGate management interface is available.


Step 1:

Choose an authentication method.

The firmware upload endpoint requires token-based (Bearer) authentication.

Cookie-based sessions established via /logincheck do not have JSON API access enabled by default, so requests that use them receive HTTP 403 from the upload endpoint.


Two paths are available:

Option A: Use a pre-configured REST API admin account.

Go to System -> Administrators, create an administrator with type 'REST API Admin', assign the super_admin profile, and generate an API key.

Include the key in every request using the Authorization header: Authorization: Bearer <api-key>.


Option B: Generate a temporary API token via the SSH CLI.

If only a standard admin username and password are available, a temporary API user can be created via SSH before the upgrade and removed afterward.

Connect to the FortiGate via SSH and run the following:


config system api-user
    edit "temp-api-upgrade"
        set accprofile "super_admin"
        config vdom
            edit "root"
        end
    next
end

execute api-user generate-key temp-api-upgrade


The output contains a line in the format: New API key: <generated-key>.

Use this key as the Bearer token for the upload request.

Remove the user after the upgrade is complete (see Step 5).


Step 2:

Upload the firmware.

Send a multipart POST request to the firmware upgrade endpoint: POST https://<FortiGate IP>/api/v2/monitor/system/firmware/upgrade.

The request must include the following:

  1. Header: Authorization: Bearer <api-key>.

  2. Header: Content-Type: multipart/form-data.

  3. Form field 'file': the .out firmware file.

  4. Form field 'source': the value 'upload'.


The 'source' field is required. Omitting it returns HTTP 424.

A successful response returns HTTP 200 or 202. The FortiGate immediately begins writing the firmware to the inactive flash partition and reboots.

Step 3:

Wait for the device to come back online.

After the upload is accepted, the FortiGate reboots into the new firmware.

Reboot time is typically 3 to 8 minutes, depending on the hardware platform and configuration size.


For HA clusters, the secondary node upgrades and reboots first, followed by the primary node, adding 4 to 8 minutes.

Poll SSH or HTTPS at regular intervals (every 20 seconds is recommended) until a successful connection is established.


Step 4:

Verify the upgrade.

After the device comes back online, verify the running firmware version via the CLI:


get system status


The output contains a 'Version' line confirming the running build.

Alternatively, query the REST API: GET https://<FortiGate IP>/api/v2/monitor/system/status.

Confirm that the 'version' field in the response matches the expected firmware version.


Step 5:

Remove the temporary API user (Option B only).

If a temporary API user was created in Step 1, remove it via SSH:


config system api-user
    delete "temp-api-upgrade"
end
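
Steps 2 to 4 scripted with the Python standard library, as an added example that is not part of the original article and is not Fortinet code. The function names are hypothetical; it assumes the client trusts the management certificate and that 'version' is a top-level field of the status response.

```python
import json, os, ssl, time, uuid, urllib.request

BASE = "/api/v2/monitor/system"  # endpoint paths as given in Steps 2 and 4

def build_multipart(filename, firmware):
    """Step 2 body: form fields source=upload and file=<.out image bytes>."""
    boundary = uuid.uuid4().hex
    head = (f"--{boundary}\r\n"
            'Content-Disposition: form-data; name="source"\r\n\r\nupload\r\n'
            f"--{boundary}\r\n"
            f'Content-Disposition: form-data; name="file"; filename="{filename}"\r\n'
            "Content-Type: application/octet-stream\r\n\r\n").encode()
    body = head + firmware + f"\r\n--{boundary}--\r\n".encode()
    return body, f"multipart/form-data; boundary={boundary}"

def upload_request(host, api_key, filename, firmware):
    """Build the Bearer-authenticated POST without sending it."""
    body, ctype = build_multipart(filename, firmware)
    return urllib.request.Request(
        f"https://{host}{BASE}/firmware/upgrade", data=body, method="POST",
        headers={"Authorization": f"Bearer {api_key}", "Content-Type": ctype})

def version_matches(status_json, expected):
    """Step 4: True only if the 'version' field equals the expected version."""
    return json.loads(status_json).get("version") == expected

def wait_until(probe, interval=20, timeout=900, sleep=time.sleep):
    """Step 3: run probe() every `interval` seconds until it returns True."""
    waited = 0
    while waited <= timeout:
        try:
            if probe():
                return True
        except (OSError, ValueError):  # refused, timed out, TLS or JSON not ready
            pass
        sleep(interval)
        waited += interval
    return False

def upgrade(host, api_key, path, expected):
    ctx = ssl.create_default_context()  # certificate verification stays on
    with open(path, "rb") as fh:
        req = upload_request(host, api_key, os.path.basename(path), fh.read())
    # urlopen raises HTTPError on 403 (cookie session) or 424 (missing 'source')
    urllib.request.urlopen(req, context=ctx, timeout=300).close()
    def probe():  # stays False while the old build still answers before reboot
        r = urllib.request.Request(f"https://{host}{BASE}/status",
                                   headers={"Authorization": f"Bearer {api_key}"})
        with urllib.request.urlopen(r, context=ctx, timeout=10) as resp:
            return version_matches(resp.read(), expected)
    return wait_until(probe)
```

Pass the API key in from an environment variable or a secret store rather than a command-line argument, so it does not end up in shell history or process listings.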