Technical Tip: Upgrading FortiManager/FortiAnalyzer

Description

This article describes how to upgrade FortiManager/FortiAnalyzer firmware and choose the right firmware image.

Scope

FortiManager and FortiAnalyzer, all versions.

Solution

Before Upgrading:

Check the upgrade path to follow for FortiManager or FortiAnalyzer. If the source image cannot be found, check the Upgrade Guide. For example, upgrading from v6.2.9 to v7.4.6 may require an upgrade first to 6.2.13 as per the Firmware Upgrade Paths in the documentation Firmware Upgrade Paths, after which it will be possible to use the upgrade tool from v6.4.15 to v7.4.6.

Check the recommended Technical Tip: Recommended release for FortiOS, Technical Tip: Recommended Release for FortiManager and FortiAnalyzer versions, and if possible, based on the Compatibility Tool, use the recommended one.

It is important to read the release notes and upgrade guides, which are also available from the Fortinet Customer Service & Support site (Support) in the same section as the firmware image download.

Once downloaded, review the special notices, upgrade information, product integration, and support, and resolve issues, known issues, and limitations. Also, always review the Compatibility Tool FortiManager, Compatibility Tool FortiAnalyzer, and Product life cycle (software part).

Release notes can also be found in the following location:

• Release notes FortiManager
• Release notes FortiAnalyzer

Select the proper version using the drop-down arrow:

To upgrade the firmware:

In System Settings -> Advanced -> Advanced Settings, enable Offline Mode.

Offline mode stops automatic firmware updates during the upgrade.

• Go to System Settings -> Dashboard.
• In the System Information widget, go to the Firmware Version field, and select the Upgrade Firmware icon. 
• Connect to Fortinet Firmware Images And Software Releases and select the proper version of the file for the VM (KVM for KVM or Nutanix, VM without any other letter for ESXi, HV for Microsoft HyperV, AWS for Amazon, Xen for Citrix...) or select the proper hardware.
• Firmware images ending .out are for upload directly to the FortiManager/FortiAnalyzer GUI.
• Complete packages for first-time deployment are also available, such as .ovf.zip and .hyperv.zip.
• For more information on First-time deployment, see the Private Cloud documentation (links for FortiManager Private Cloud and FortiAnalyzer Private Cloud here).
• Select the HTTPS hyperlink to download.

• In the Firmware Upload dialog box, select Browse to locate the firmware package (.out file) downloaded from the Customer Service & Support portal, and select Open.
• Select OK.

The firmware image is uploaded. When the upgrade completes, a message confirms a successful upgrade.

It is recommended to view the console log output during the upgrade. See the Checking FortiManager log output. When the login window displays, log in to FortiManager.

Upgrades done on the device can be checked using the cli command : 

diagnose cdb upgrade summary

When the upgrade completes, it may be necessary to refresh the web browser to see the login window.

In System Settings -> Advanced -> Advanced Settings, disable Offline Mode.

Review the System Settings -> Event Log for any additional errors. See Checking FortiManager events.

Optionally, it is possible to upgrade firmware stored on an FTP, SFTP, SCP or TFTP server using the following CLI command:

execute restore image {ftp | scp | sftp} <file path to server> <IP of server> <username on server> <password>

execute restore image tftp <string> <ip>

Note:

When upgrading firmware, all ADOMs (and Policy Package Versions, if ADOMs are disabled) remain at the same version after the upgrade. For information about upgrading ADOMs, see the FortiManager Administration Guide.  

The username and password to log on to the server. This option is not available for restore operations from TFTP servers. 

Upgrading the device firmware can trigger an SQL database rebuild. New logs are not available until the rebuild is complete. The time required to rebuild the database depends on the size of the database. It is possible to use the command below to display the SQL log database rebuild status.

diagnose sql status rebuild-db

The following features are not available until the SQL database rebuild is complete: FortiView, Log View, Event Management, and Reports.

Example:

The output is taken from the serial console.

FortiAnalyzer:

execute restore image ftp /FAZ_VM64_KVM-v7.0.8-build0452-FORTINET.out 10.44.1.2 test1 test1
Start getting file from FTP Server...
Transferred 331.974M of 331.974M in 0:00:01s (180.323M/s)

Upgrade image from v7.0.3-build0254-220202(GA) to v7.0.8-build0452-230606

This operation will replace the current firmware version and reboot the system!
Do you want to continue? (y/n)y

The system is going down NOW !!

database server is shutting down.... OK
Upgrade image from v7.0.3-build0254-220202(GA) to v7.0.8-build0452-230606
Done

Please stand by while rebooting the system.
[3656122.286573] reboot: Restarting system

Initialize file systems...
Old version: v7.0.3-build0254 branchpt0254 220202 (GA)
New version: v7.0.8-build0452 branchpt0452 230606 (GA)

Upgrade database ... adom[18] dev[1] global[1]

Upgrading: Upgrade rtm db
Total 19 databases...
...upgrading progress is 1%, estimated remain time is 0s. (1/54 step1/2)

Upgrading: Upgrade user nsx
start to upgrade user nsx...

Upgrading: Update FortiAI platform name
Database upgrade finished, using 0m5s
Upgrading report config from version:7, patch:3, branch point:254
Exporting existing config... (step 1/4)
Exporting existing config took 1.121 seconds.
Initializing default config... (step 2/4)
Initializing default config took 9.481 seconds.
Upgrading existing config... (step 3/4)
Upgrading V7.0.3->V7.0.4...
Upgrading V7.0.4->V7.0.5...
Upgrading V7.0.5->V7.0.6...
Upgrading V7.0.6->V7.0.7...
Upgrading V7.0.7->V7.0.8...
Upgrading existing config took 1.929 seconds.
Importing upgraded config... (step 4/4)
Importing upgraded config took 4.965 seconds.
Upgrading report config completed, took 18.527 seconds.

FAZ: admin
Password:
get system status
Platform Type : FAZVM64-KVM
Platform Full Name : FortiAnalyzer-VM64-KVM
Version : v7.0.8-build0452 230606 (GA)

Additionally, consider using the GUI (FortiManager is used in this example):

In the upper-right corner, select the currently logged-in user and select Upgrade Firmware:

Or:

In System Settings -> Dashboard -> System Information widget -> Use the upgrade firmware button.

Drag and drop the file in the grey area and select OK.

Note:

Although this activity does not delete any logs from the device running as a FortiAnalyzer, keeping a regular backup of the logs/reports/configuration is always recommended before proceeding with any such activities.

Related articles:

• Technical Tip: How to upgrade an ADOM on FortiManager.
• Technical Tip: How to check FortiManager database prior to upgrade.
• Technical Tip: How to check upgrade path and upgrade details of FortiManager, FortiAnalyzer
• Technical Tip: Backup and restore of FortiAnalyzer settings, logs, and reports
• Technical Tip: How to locate a FortiAnalyzer device image for upgrade/reinstallation in a support site