Description

This article describes the officially supported upgrade path for FortiAuthenticator.

Be aware that downgrading will reset the FortiAuthenticator settings to FACTORY-DEFAULT.
FortiAuthenticator can only be reverted to a previous working version by restoring an existing config backup.
It is recommended to create a config backup before performing each upgrade.

Scope

FortiAuthenticator.

Solution

Table of Contents:

• Upgrade path to latest version
• Supported Models and Firmware
• Upgrading to firmware version 6.6.x
• Upgrading to firmware version 6.5.x
• Upgrading to firmware version 6.4.x
• Upgrading to firmware version 6.3.x
• Upgrading to firmware version 6.2.x or earlier
• Related documents

Upgrade path to latest version.

The following are the supported upgrade paths for the latest available firmware version of FortiAuthenticator:

Direct upgrade path to v.6.6.6:

• 6.2.1 →  6.6.5.

• 6.1.0 → 6.2.0 → 6.3.3 → 6.6.6.

• 6.0.7 →  6.6.6.

• 6.0.5 →  6.0.7 →  6.6.6.

Upgrade path to v.6.6.6 via v6.4.x:

• 6.2.1 → 6.3.x → 6.4.X → 6.5.6 → 6.6.6.

• 6.1.0 → 6.2.0 → 6.3.3 → 6.4.X → 6.5.6 → 6.6.6.

• 6.0.7 → 6.4.X → 6.5.6 → 6.6.6.

Note: Upgrading from 6.4.x to 6.6.6 may require an interim step 6.5.6

From older versions:

• 3.2.1 → 3.3.0 → 4.0.0 → 6.0.4 → 6.0.5 → 6.0.7 → 6.4.X → 6.5.6 → 6.6.6.

• 3.2.1 → 3.3.0 → 4.0.0 → 6.0.4 → 6.3.3 → 6.4.X → 6.5.6 → 6.6.6.

• 3.2.1 → 3.3.0 → 4.0.0 → 6.0.4 → 6.2.1 → 6.4.X → 6.5.6 → 6.6.6.

Supported Models and Firmware.

Note: VM includes the following Hypervisors: VMware, Hyper-V, KVM, Xen, Azure, AWS, Oracle OCI, and Alibaba Cloud.

Note: When upgrading KVM/Xen virtual machines from firmware version 6.0.7 to a higher version, the size of the virtual disk drive containing the operating system needs to be increased manually before upgrading. Further details may be found in the release notes for the targeted firmware version.

Upgrading to firmware version 6.6.x.

Firmware version 6.6.x includes the following releases:
6.6.0, build 1617
6.6.1, build 1660
6.6.2, build 1669
6.6.3, build 1740

6.6.4, build 1767
6.6.5, build 1802

6.6.6, build 1824

FortiAuthenticator v6.6.x requires at least 4GB of RAM.

FortiAuthenticator v6.6.x officially supports upgrades from previous versions by following these supported upgrade paths:

• If currently running FortiAuthenticator v6.0.5 or older, first upgrade to v6.0.7, then upgrade to v6.6.x.
  Otherwise, the following message will be displayed: "Image validation failed: The firmware image model number is different from the appliance's."
• If currently running FortiAuthenticator v6.0.7, then upgrade to 6.6.x directly.
• If currently running FortiAuthenticator between v6.1.0 and v6.2.0, first upgrade to v6.3.3, then upgrade to v6.6.x.
• If currently running FortiAuthenticator v6.2.1 or later, then upgrade to 6.6.x directly.

Note: 6.6.x disables support for SHA1 signing algorithms in certificates. Certificates may be used in LDAP, SAML, Syslog, SCEP/CMP, SSO Mobility Agent and admin UI. Any server certificates using SHA1 as a signing algorithm should be replaced before upgrading to 6.6.x

Upgrading to firmware version 6.5.x.

Firmware version 6.5.x includes the following releases:

6.5.0, build 1286

6.5.1, build 1295

6.5.2, build 1329

6.5.3, build 1355

6.5.4, build 1377

6.5.5, build 1385

6.5.6, build 1391

FortiAuthenticator v6.5.x requires at least 4GB of RAM.

FortiAuthenticator v6.5.x officially supports upgrades from previous versions by following these supported FortiAuthenticator upgrade paths:

• If currently running FortiAuthenticator v6.0.5 or older, first upgrade to v6.0.7, then upgrade to v6.5.x, otherwise, the following message will be displayed: Image validation failed: The firmware image model number is different from the appliance's.

• If currently running FortiAuthenticator v6.0.7, then upgrade to v6.5.x directly.

• If currently running FortiAuthenticator between v6.1.0 and 6.2.0, first upgrade to v6.3.3, then upgrade to v6.5.x.

• If currently running FortiAuthenticator v6.2.1 or later, then upgrade to v6.5.x directly.

Note: Firmware version 6.5 is out of engineering support, and will be out of support completely in August 2026.

Upgrading to firmware version 6.4.x.

Firmware version version 6.4.x includes the following releases:

6.4.0, build 0888

6.4.1, build 0958

6.4.2, build 0991

6.4.3, build 0993

6.4.4, build 1028

6.4.5, build 1040

6.4.6, build 1043

6.4.7, build 1054

6.4.8, build 1060

6.4.9, build 1067

6.4.10, build 1070

FortiAuthenticator v6.4.x officially supports upgrades from previous versions by following these supported FortiAuthenticator upgrade paths:

• If currently running FortiAuthenticator v6.0.5 or older, first upgrade to v6.0.7, then upgrade to v6.4.X. Otherwise, the following message will display: 'Image validation failed: The firmware image model number is different from the appliances.'
• If currently running FortiAuthenticator v6.0.7, then upgrade to v6.4.x directly.
• If currently running FortiAuthenticator between v6.1.0 and v6.2.0, first upgrade to v6.3.3, then upgrade to v6.4.x.
• If currently running FortiAuthenticator between v6.2.1 and v6.3.x, then upgrade to v6.4.x directly.

Note: Firmware version 6.4 is out of engineering support, and will be out of support completely in February 2026.

Upgrading to firmware version 6.3.x.

Firmware version 6.3.x includes the following releases:

6.3.0, build

6.3.1, build

6.3.2, build

6.3.3, build

6.3.4, build

FortiAuthenticator v6.4.x officially supports upgrades from previous versions by following these supported FortiAuthenticator upgrade paths:

• If currently running FortiAuthenticator v6.0.5 or older, first upgrade to v6.0.7, then upgrade to v6.3.X. Otherwise, the following message will display: 'Image validation failed: The firmware image model number is different from the appliances.'
• If currently running FortiAuthenticator v6.0.7, then upgrade to v6.3.x directly.

Note: Firmware version 6.3 is out of engineering support, and will be out of support completely in October 2025.

Upgrading to firmware version 6.2.x or earlier.

Firmware version 6.2.x and below are out of support completely. Release notes are still available at docs.fortinet.com and contain upgrade instructions.

To note:

• FortiAuthenticator v6.0.4 build 0059 officially supports upgrades from all versions of FortiAuthenticator v4.x, v5.x, and v6.0.x.
  All prior versions have to be upgraded to FortiAuthenticator v6.0.4 before they can upgrade to later releases of FortiAuthenticator.
• Upgrading the FortiAuthenticator 3000D from v4.0.x to v4.1.x is not supported.
• The workaround for this model is to upgrade from any v4.0.x version directly to v4.2.0 or higher (skipping all v4.1.x versions). If firmware version 4.1.x is installed on a FortiAuthenticator 3000D, it stops responding. The system can run again by restoring valid firmware using the TFTP boot process.

Related documents:

• Technical Tip: How to upgrade a FortiAuthenticator HA cluster
• Upgrading from 4.x/5.x/6.x
• Technical Tip: Downgrading FortiAuthenticator 
• Technical Tip: How to manually download and upgrade FortiAuthenticator firmware image on FortiAuthen...