adGmail
New Member
February 11, 2020
Solved

Upgrades - any tips, tricks, comments?

  • February 11, 2020
  • 4 replies
  • 12874 views

It's time to start my first significant round of FortiGate upgrades and I'm looking for tips and tricks from those that have done many. I'm using the following as a starting point: https://kb.fortinet.com/k...=FD35329&sliceId=1


Assumption - Firmware upgrades via the FG GUI can generally be relied upon to be hitless. 


Environment - All firewalls are clusters and have serial consoles connected

- Clusters use 'session-pickup enable' and 'session-pickup-connectionless enable'
- I intend to use the FG GUI to perform the upgrades
- All firewalls are connected to FortiManager 6.0.8.
- First upgrades will be to get all 5.4 firewalls to 5.6


Procedure for first (Lab) cluster/ADOM:

1. Take FMG backup via GUI
2. Upgrade ADOM to 5.6 in GUI
3. Check Device Manager 'Config Status' is Auto-update/Synchronised in FMG
4. Take FG backup
5. Connect to serial consoles
6. Perform first step in Upgrade Path
7. Login to FG GUI and check Firmware version and cluster status
8. Login to FMG GUI and check Device Manager 'Config Status' is Auto-update/Synchronised
9. Repeat steps 6-8 for each step in Upgrade Path
10. Take backup via FG GUI.


Any issues with that? Does it contain a sensible level of paranoia in the checks as the firmwares are stepped through?

I was planning to do the following in a single change:

- 5.4.5 (current version)
- 5.6.2 build 1486
- 5.6.6 build 1630
- 5.6.8 build 1672
- 5.6.11 build 1700

Thanks.

    Best answer by sw2090

    umm Fortinet TAC once told me that best practice is to first upgrade all FortiGates and then upgrade the ADOM in FMG.

    James_G
    New Member
    February 11, 2020
    How many steps is it to max 5.4.x first, then jump to latest 5.6.x?
    rwpatterson
    New Member
    February 11, 2020

    Take backups between each level. Can't hurt and will avoid much pain in case you brick. Chances are slim, but free insurance is good!

    Dave_Hall
    New Member
    February 11, 2020

    Personally, after upgrading to a major firmware version, I do advise performing a diff compare between the new/old configs to see what has been changed. Sometimes, depending what features are used, the conversion scripts will change some settings - add something or configure some settings.


    E.g. convert old AP profiles to something similar under the new firmware, but give it a name like "tmp_ver50". Same with SSL/SSH profiles, where the defaults are now read-only in the newer firmwares - you have a new "custom_insert name".


    And I believe country codes (if not listed in the older config) are added to the AP profiles. And it seems if SSL/SSH proxy options are not used on a firewall policy a "deep SSL" proxy option is added automatically.


    If you want to go the extra mile, run the following on the CLI after each firmware upgrade: diagnose debug config-error-log read
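Dave_Hall's advice above is to diff the old and new configs after a major firmware upgrade to see what the conversion scripts added or changed (renamed "tmp_ver50" profiles, country codes on AP profiles, an SSL/SSH profile on policies that never had one). The script below is an added example and is not from this thread or from Fortinet: it flattens two FortiOS-style config backups into path/value maps and reports added, removed and changed settings, listing newly created objects first so converted profiles stand out. OLD_CONFIG and NEW_CONFIG are constructed samples, not real backups, and the function names (parse_fortios_config, diff_configs, report) are my own. The parser understands only the config/edit/set/unset/next/end keywords, which covers the structure of a backup file but not every CLI command.

```python
import shlex

OBJECT = "__object__"  # marker leaf recorded for every 'edit' entry

# Constructed sample backups (not real Fortinet files): before and after an upgrade.
OLD_CONFIG = """\
config system global
    set hostname "lab-fw"
    set admintimeout 5
end
config wireless-controller wtp-profile
    edit "office-ap"
        set comment "floor 1"
    next
end
config firewall policy
    edit 1
        set name "allow-out"
        set action accept
    next
end
"""

NEW_CONFIG = """\
config system global
    set hostname "lab-fw"
    set admintimeout 10
end
config wireless-controller wtp-profile
    edit "office-ap"
        set comment "floor 1"
        set ap-country GB
    next
    edit "tmp_ver50"
        set comment "converted by upgrade"
    next
end
config firewall policy
    edit 1
        set name "allow-out"
        set action accept
        set ssl-ssh-profile "deep-inspection"
    next
end
"""


def parse_fortios_config(text):
    """Flatten a FortiOS-style config into {path_tuple: value}.

    A path looks like ('firewall policy', '1', 'action'); the value is the
    argument string of the 'set' line. Objects created with 'edit' get an
    OBJECT leaf so that new or deleted objects show up even with no 'set' lines.
    """
    settings = {}
    stack = []  # current nesting: config sections and edit entries
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)  # handles quoted names such as "floor 1"
        keyword, args = tokens[0], tokens[1:]
        if keyword == "config":
            stack.append(" ".join(args))
        elif keyword == "edit":
            stack.append(args[0])
            settings[tuple(stack) + (OBJECT,)] = ""
        elif keyword == "set":
            settings[tuple(stack) + (args[0],)] = " ".join(args[1:])
        elif keyword == "unset":
            settings[tuple(stack) + (args[0],)] = "<unset>"
        elif keyword in ("next", "end") and stack:
            stack.pop()
        # other keywords (append, clear, ...) are not needed for a backup diff
    return settings


def diff_configs(old_text, new_text):
    """Return (added, removed, changed) between two config texts."""
    old = parse_fortios_config(old_text)
    new = parse_fortios_config(new_text)
    added = {k: v for k, v in new.items() if k not in old}
    removed = {k: v for k, v in old.items() if k not in new}
    changed = {k: (old[k], new[k]) for k in old.keys() & new.keys() if old[k] != new[k]}
    return added, removed, changed


def objects_in(settings):
    """Paths of objects (edit entries) present in a flattened map."""
    return sorted(" / ".join(k[:-1]) for k in settings if k[-1] == OBJECT)


def new_objects(added):
    return objects_in(added)


def fmt(path):
    return " / ".join(path)


def report(old_text, new_text):
    """Human-readable diff lines; new objects are listed first."""
    added, removed, changed = diff_configs(old_text, new_text)
    lines = [f"+ object {o}" for o in new_objects(added)]
    lines += [f"+ {fmt(k)} = {v}" for k, v in sorted(added.items()) if k[-1] != OBJECT]
    lines += [f"- object {o}" for o in objects_in(removed)]
    lines += [f"- {fmt(k)} = {v}" for k, v in sorted(removed.items()) if k[-1] != OBJECT]
    lines += [f"~ {fmt(k)}: {o} -> {n}" for k, (o, n) in sorted(changed.items())]
    return lines


if __name__ == "__main__":
    print("\n".join(report(OLD_CONFIG, NEW_CONFIG)))
```

Run it against the two backups taken in the procedure (the pre-upgrade backup and the one taken after the last step) and review every "+ object" and "+ ... ssl-ssh-profile" line by hand; a converted profile that the upgrade silently attached to a policy is exactly the kind of change that is easy to miss in the GUI.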


    maiconp340
    New Member
    June 1, 2020

    Hello, I will do a similar job, updating all my 60D devices from version 5.2 to version 6.0.9.

    Have you done that upgrade via the FGT GUI or FortiAnalyzer?


    In my case none of the 60D devices (120 FGT60D) are under FortiManager yet, so I think I'll do the upgrade step-by-step via the FGT GUI and afterwards put them all under FortiManager.


    Any tip is welcome.


    MattyG2787
    New Member
    June 2, 2020

    Hey there, we are in a similar situation and have done this on multiple occasions.


    Regarding the firewall updates, take backups as you step through and follow Fortinet's upgrade path.


    We have not had an issue in 80+ FortiGates using their paths.

    sw2090
    SuperUser
    June 2, 2020

    umm Fortinet TAC once told me that best practice is to first upgrade all FortiGates and then upgrade the ADOM in FMG.

    sw2090
    SuperUser
    June 2, 2020

    Just to add: the last time I did that was from 5.6 to 6.0 (ADOM and FMG); even going by best practice as above resulted in a load of issues after upgrading the ADOM.

    Even TAC suggested what I wrote above, but they said that's the way they'd do it and there is no "official" way except removing the FGTs from the ADOM, upgrading them and re-adding them to a new upgraded ADOM, which with over 200 policies and objects is no alternative for me here...

    Up to now I still cannot say if that was a failure of FMG/FGT/FortiOS or due to some database inconsistencies that were found in our FMG db too. However, those were fixed before upgrading.

    So it might always be helpful to perform a db scan (and fix if it finds errors) on the FMG db before you upgrade FMG or ADOM(s).


    What also happened too was that - after upgrading FMG itself to 6.2 - it kept trying to roll out commands that did not exist on the FGT. TAC gave me a tip that fixed that: do a retrieve config on all FGTs in the ADOM.


    hth

    Sebastian