AlexFerenX
Visitor III
December 17, 2024
Question

Clarification on upgrades with manipulate partition - image OK, configuration not OK?

  • December 17, 2024
  • 2 replies
  • 4353 views

Hi!

KB "Keep the flash partition without it being overwritten (For rollback purposes)" seems useful, except I think it's problematic. It basically says we can manipulate into which partition the new firmware image will be stored, to keep (the original firmware image in) the other partition from being overwritten during upgrade.

However, upgrade is not only about images, it's also about FortiOS configuration migration!!

As per the KB, the partition into which the new firmware is stored is the one where "Active" is "No", but... (as I understand) the configuration used for FortiOS configuration migration will be sourced from the partition where "Active" is "Yes".

So, in KB's step "Upgrade the firmware from 7.0.13 B0566 to 7.2.6 B1575:", the FortiOS configuration will be sourced from partition with the original "6.4.6" configuration, not the upgraded "7.0.13" configuration. And since that original FortiOS configuration was not migrated as per approved "Upgrade Path", we would end up with supposedly incorrect FortiOS configuration after the upgrade.

Is the above conclusion correct?

Thanks!
2 replies

Renante_Era
Staff
December 17, 2024

When you upgrade the firmware, it's based on the currently running partition and config.

If it's a physical appliance, then chances are it has multiple partitions, which you can check using # di sys flash list.

In general, you want to follow the upgrade path to avoid a corrupt config. If you back up the full config (admin>Configuration>Backup configuration), then all you need to do is reload the firmware version used in the backup config, then restore the backup configuration.

However, if you only moved one firmware then you can boot into the previous partition.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Selecting-an-alternate-firmware-for-the-next/ta-p/191425

Toshi_Esumi
SuperUser
December 17, 2024

When you upgrade A->B->C in two steps in the process the KB is describing, the A-config is saved in the same partition as the A-image. Then when you upgrade B->C after manipulating the boot partition as in the KB, the second A partition won't change, but the C-image and C-config are stored in the first C partition.
Therefore, when you downgrade/swap the active partitions back to the second A partition, it boots up with A-image + A-config.

Toshi

AlexFerenX
Visitor III
December 17, 2024

Hi Toshi,

My question does not relate to which partition's config is used to boot, but which is used to migrate - the problem "... since that original FortiOS configuration was not migrated as per approved "Upgrade Path", we would end up with supposedly incorrect FortiOS configuration after the upgrade." My context is the upgraded partition "C", not the partition for rollback, "A".

The crux: "(as I understand) the configuration used for FortiOS configuration migration will be sourced from partition with "Active" is "Yes"." Since we manually changed the "Active" partition, the upgraded "C" partition's configuration will be migrated from the "A" partition's configuration, not "B", which is what we want due to the "Upgrade Path".

Based on my understanding, the procedure in that KB is flawed - it will only work if the configuration in "A" can be migrated to "C", but Fortinet only guarantees configuration migration based on the "Upgrade Path" (i.e. A->B, then B->C, not A->C).

R's, Alex

Toshi_Esumi
SuperUser
December 17, 2024

When the FGT boots up (regardless of whether it is after an upgrade or not), it pulls the config into memory. So when B->C happens, the upgrade is based on the config (after the conversion) in memory, not on the partition in the flash.

Toshi