Skip to main content
Marco_P
Marco_P
New Member
September 27, 2024
Question

upgrade batch of FGT 6.4.6 to be used in FMGR7.4

  • September 27, 2024
  • 2 replies
  • 1693 views

Hi,

 

having issues with this scenario.  I'm wondering what the best practice is...

 

FMGR release = 7.4.3 build 2487

ADOM is created for FGT release 7.2

 

In this ADOM we use a Device Blueprint to import a batch of Fortigates and push the config to them (using templates).  On the Fortigates we run a CLI script to register them in FortiManager, so minimal touch is required (we plan to use DHCP option for the FortiManager settings)

 

However, we have a batch of Fortigates - 60F model - (unpacked - so "new") which come in release 6.4.6.

When we run the CLI to register them in FortiManager, the device does not link to FMGR. I assume this is due to the fact that the ADOM is in R7.2 and the FGT is in R6.4.6 (incompatible).

 

Are there any best practices to get these Fortigates in FMG with minimal touch config?

 

I tried:

- booting the Fortigates with an USB stick with 7.2 firmware, but this results in a crash of the Fortigate (fails to boot. A TFTP file transfer is needed). If it would boot, I could perform a factory reset because the upgrade path was not followed.

 

I could try with a lower version first (R 7.0) and then continue to R7.2, but these are a lot of extra steps. 

 

Even if this works, if I unpack a FGT I'm not 100% sure which release is installed on it. 

So, it could be I'm doing these steps which are not needed if I pick a box with a recent firmware installed on it.

 

 

I also raised a ticket at Fortinet support, but untill now the reaction was "FMGR 7.2 = not compatible with FortiOS 6.4.6)

 

Also checked with Fortigate Cloud / ZTP deployment.  I can point to my own FMGR - but no option to do a firmware upgrade.

2 replies

sierragarcia
sierragarcia
New Member
September 27, 2024

You are using FortiManager version 7.4.3 and trying to connect FortiGate devices that have version 6.4.6, but they don’t work because the versions are not compatible. The best way to fix this is to create a new space in FortiManager for devices with version 6.4.6. Once they are connected, you can upgrade their firmware step by step, first to version 7.0 and then to 7.2. After upgrading, you can move them to the space for version 7.2. You can also use a script or settings to automatically connect the devices to FortiManager, and then do the upgrades with fewer steps.

Marco_P
Marco_PAuthor
New Member
September 30, 2024

I'm aware FortiOS 6.4.x is not compatible with FMGR 7.4.3.  

 

I was hoping the device could register into the 7.2 ADOM version and it could do it's firmware upgrade ("enforce firmware upgrade") first using the device blueprint.

 

Doing it in multiple steps with ADOMs in a lower release is not an option.  FMGR 7.4.3 cannot create an ADOM lower then 7.0.  But even with this ADOM, the FGT does not appear - also due to the uncompatible versions I guess.  

 

But even if it would work, then it's not "zero-touch" (or "few-touches") at all anymore.  In sales/commercial presentations they always pointed to this advantage.  Once your config is ready with templates, blueprints, ... no need to touch the device anymore.  Send it to your customer, make sure they plug it in, register it in FMGR (manual - or with dhcp option), done.  This only works if your new device in the box has a recent firmware release - but if you have a big stock - this chance is very low.

 

For now, I'm using this procedure (I need to prep xx devices for retail).  But I still need to test the last step

1) plug in the FGT in our prep room.  WAN1 connected to our prep network with internet access

2) console port connected to a device where I can connect multiple console ports (up to 16)

3) via CLI to all devices simultaneously, initiate firmware transfer via TFTP or FTP (execute upload image ....) >> still have to test this step.  If I do a upgrade in the GUI from 6.4.6 to 7.2.x the FGT crashes in the boot sequence.  TFTP firmware transfer via the boot menu is the only remediation then

4) CLI to all devices simultaneously: execute factory reset

5) FGT's are now in the 7.2.x release

Terms & ConditionsAccessibility statement