Troubleshooting Tip: FortiGate upgrade fails - 'Image upgrade failed'

This article describes how to handle the error 'Image upgrade failed' that occurs while upgrading the FortiGate from GUI.

FortiGate.

Try one of the subsequent options:

1. Clear the browser cache and cookies.
2. Try another browser.
3. Use incognito mode.
4. Verify if FortiGuard is connected so the firmware can be downloaded.

If it fails, either fix the FortiGuard connectivity or try to download the image from Support: Support -> Firmware download -> Download.

Then upload the Firmware image to FortiGate by following the steps outlined in Technical Tip: How to manually download Firmware of FortiGate and how to upload it on FortiGate.

5. An error may also occur when upgrading to an interim or special build. In such cases, the BIOS security level must be adjusted.

Note:

The FortiGate BIOS security level cannot be modified using standard CLI commands such as:

config system global

    set bios-security-level low

end

config system global

    set bios-security-level high

end

To change the BIOS security level, the device must be rebooted and accessed through the console port.

The details are explained in the following document: BIOS-level signature and file integrity checking during downgrade.

To check the current security level, use the following command:

get system status

Note:
The default Security Level will be 2, and change to Security Level 1 for the Firmware Upgrade issue, once the upgrade is done without any issue, and revert to Security Level 2:

get system status 

Version: FortiGate-VM64-KVM v7.2.7,build1577,240131 (GA.M)
Security Level: 1
Firmware Signature: certified
Virus-DB: 1.00000(2018-04-09 18:07)

If there is no console access or the FortiGate is in a remote location, the issue can also be resolved by rebooting the FortiGate, especially if the FortiGate has been up for quite some time, and then proceeding with the Firmware upgrade. For FortiGate 30/31G running on FortiOS 7.2.11, reboot the FortiGate and then upgrade to interim Build: 6661. After upgrade to interim build: 6661, will be possible to upgrade to FortiOS 7.2.13 or higher. To receive the interim Build: 6661, open a ticket with TAC through the portal: Welcome to Fortinet Support.

Try upgrading the firmware using a different browser, such as Chrome, Firefox, or Edge, or use Incognito/Private Browsing mode. In some cases, browser-specific issues such as cached content, stale cookies, or incomplete script execution may interfere with the firmware upload process via the FortiGate GUI. Using an alternate browser or private session helps avoid these issues and ensures a clean firmware upgrade.

If the upgrade is still failing, console access is required to collect further diagnostics when attempting the upgrade. (Reference: Technical Tip: How to connect to the FortiGate and FortiAP console port) For upgrade failures, output messages via the GUI/System Event Logs only provide a generic overview of the issue. The console logs the entire upgrade process and provides real-time updates and details, which can help determine the reason for the failure.

Note:

In some cases, this error is observed in IOS operating systems. It is recommended to use Chrome instead of Safari to perform the upgrade.

Related documents:

• Troubleshooting Tip: Unable to boot the firewall or load firmware image
• BIOS-level signature and file integrity checking
  
• Technical Tip: How to connect to the FortiGate and FortiAP console port