FortiAuthenticator
FortiAuthenticator provides centralized authentication services for the Fortinet Security Fabric including multi-factor authentication, single sign-on services, certificate management, and guest management.
ocara
Staff
Article Id 352219
Description

This article describes the steps required to format/flash a FortiAuthenticator hardware device and install a desired firmware using a TFTP server.

 

This procedure is especially helpful for resolving issues such as database corruption, system or disk errors, SATA link failures, inability to boot up the node, or recovery from unexpected or abnormal shutdowns/reboots. The TFTP server will be a laptop connected to one of the FortiAuthenticator interfaces.

 

Prerequisites:

  • A laptop with TFTP server software installed.
  • A console cable connecting the laptop to the console interface of the FortiAuthenticator.
  • An Ethernet (RJ45) cable connecting the laptop to one of the FortiAuthenticator interfaces.
  • The appropriate firmware image downloaded from the Fortinet support portal.
Scope

FortiAuthenticator, all HW appliances.

Solution

In this article, the procedure is demonstrated on a FortiAuthenticator 300F. A laptop is connected to the FortiAuthenticator via the console interface, and an Ethernet cable is connected to Port2 of the device for TFTP transfer.

 

FortiAuthenticator Port2 IP: 10.10.10.1/24

TFTP Server IP (Laptop): 10.10.10.3/24
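Before touching the appliance, it is worth checking the laptop side of this setup: that the image is actually in the TFTP root, that its SHA-256 matches the checksum copied from the download page, and that the addresses about to be typed into the boot menu (local IP, subnet mask, gateway) are consistent with the laptop's own address. The following Python script is an added example, not part of the original article or a Fortinet tool; the image file name and content it creates are constructed placeholders, and the expected checksum is assumed to be supplied by the operator.

```python
import hashlib
import ipaddress
import tempfile
from pathlib import Path

# Addressing used in the article's lab setup.
FAC_PORT2 = "10.10.10.1/24"      # FortiAuthenticator Port2
LAPTOP_TFTP = "10.10.10.3/24"    # laptop running the TFTP server


def sha256_of(path: Path) -> str:
    """Hash the image in 1 MiB chunks so a large firmware file is not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_image(tftp_root: Path, filename: str, expected_sha256: str) -> list[str]:
    """Confirm the image sits in the TFTP root and matches the checksum the operator copied."""
    image = tftp_root / filename
    if not image.is_file():
        return [f"{filename} is not present in TFTP root {tftp_root}"]
    actual = sha256_of(image)
    if actual.lower() != expected_sha256.strip().lower():
        return [f"SHA-256 mismatch for {filename}: computed {actual}"]
    return []


def check_addressing(fac_iface: str, laptop_iface: str, gateway: str) -> list[str]:
    """Sanity-check the values that will be entered with the [I], [S] and [G] menu options."""
    problems = []
    fac = ipaddress.ip_interface(fac_iface)
    laptop = ipaddress.ip_interface(laptop_iface)
    gw = ipaddress.ip_address(gateway)
    if fac.network != laptop.network:
        problems.append(f"{fac} and {laptop} are not in the same subnet; TFTP will not reach the laptop")
    if gw != laptop.ip:
        problems.append(f"gateway {gw} should be the laptop/TFTP server address {laptop.ip}")
    if fac.ip == laptop.ip:
        problems.append(f"{fac.ip} is used on both ends; choose a different local IP")
    return problems


def demo() -> tuple[list[str], list[str]]:
    """Run the checks on a constructed image: one correct setup and one with three mistakes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        name = "constructed-firmware.out"  # placeholder name, not a real Fortinet image
        (root / name).write_bytes(b"constructed image bytes, not real firmware\n" * 4096)
        good = check_image(root, name, sha256_of(root / name)) + check_addressing(
            FAC_PORT2, LAPTOP_TFTP, "10.10.10.3")
        # wrong checksum, laptop on another subnet, gateway pointing at the appliance itself
        bad = check_image(root, name, "0" * 64) + check_addressing(
            FAC_PORT2, "10.10.20.3/24", "10.10.10.1")
    return good, bad


if __name__ == "__main__":
    ok, findings = demo()
    print("correct setup:", ok or "no problems found")
    for line in findings:
        print("problem:", line)
```

For a real run, call `check_image(Path("/path/to/tftp-root"), "<image filename>", "<sha256 from the portal>")` and `check_addressing` with the values you intend to enter; an empty list means the laptop side is ready.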

 

Note: This procedure wipes the data on the boot partition. It generally does not delete the configuration, but it is highly recommended to back up the configuration before proceeding whenever possible; in some cases the node is completely inaccessible from the GUI and SSH, or fails to boot, and a backup cannot be taken beforehand.

 


 

  1. Reboot FortiAuthenticator. When the console displays 'Press any key to display configuration menu...', press any key.

Serial number:FAC3HFT…

Total RAM: 8192MB

Boot up, boot device capacity: 1913MB.

Press any key to display configuration menu.....

 

  2. After pressing any key, the following menu will appear:

[C]:  Configure TFTP parameters.

[R]:  Review TFTP parameters.

[T]:  Initiate TFTP firmware transfer.

[F]:  Format boot device.

[B]:  Boot with backup firmware and set as default.

[Q]:  Quit menu and continue to boot.

[H]:  Display this list of options.

 

Enter C,R,T,F,B,Q,or H:

 

  3. Press [F] to begin formatting the boot device. This process will erase all data on the boot system. Press [Y] to confirm and continue.

 


 

  4. Once the format is complete, configure the IP address, subnet mask, and gateway for the interface the Ethernet cable is connected to. The menu displayed after the format appears as shown below; press [I] to set the local IP address, [S] for the subnet mask, and [G] for the gateway.


 

  5. Set Local IP address:


 

  6. Set Subnet-Mask:


 

  7. Set Gateway (this should be the TFTP server IP, i.e. the laptop IP).


 

It is possible to configure the Image Download Port by pressing [P]. This option is particularly useful when multiple cables are connected to the device. If only one laptop is connected, no additional configuration is necessary, as the FortiAuthenticator can automatically detect the active interface. In this case, since only Port 2 of the FortiAuthenticator is connected, defining an Image Download Port is not required.

 

  8. To configure the TFTP Server, press [T]. Ensure that the download image is located in the correct TFTP root directory on the connected laptop.


 

  9. Enter the filename by pressing [F].


 

  10. After completing these configurations, the settings can be reviewed by pressing [R].


 

 

  11. At this point, initiate the image transfer: press [Q] to exit this menu and return to the default menu, then press [T] to start the TFTP firmware transfer.


 

From the TFTP-Server, transfer details will be visible as below:

 


 

  12. After transferring the image, it needs to be saved as the default firmware, and the FortiAuthenticator will reboot with the new installation.


 


 

  13. After the reboot, FortiAuthenticator is running the new firmware and can be accessed with the existing admin username and password.


 

  14. At this stage, the FortiAuthenticator is running the new firmware. Check for any remaining system errors, database corruption, or disk errors; the FortiAuthenticator can be accessed through the GUI using the current admin credentials. If any errors are detected, it is recommended to perform a factory reset:

 

> execute factory-reset

This command will erase your current configuration.

Do you want to continue? (y/n)

 

Note: This reset will erase all configurations on the node, so it is important to download a configuration backup, if it was not possible to do so before the formatting.

 

  15. After the reset, it is necessary to reconfigure the admin username/password and set up an interface for GUI access. Ensure that SSH and HTTPS GUI access are permitted on the configured interface.

     

  16. Once access to the node is established, the previous configuration can be restored:

 

execute restore config tftp <filepath> <server fqdn:ipaddr> [password <encryption password>]

 

Note that these issues can occur if FortiAuthenticator is not properly rebooted or is shut down by 'pulling the plug'. The database processes or filesystem may be writing data at that moment and get interrupted. Usually this does not cause problems, but in some cases it does. Evidence of such cases can be found in the FortiAuthenticator logs by searching for this entry:

 

"FortiAuthenticator recovered from an unintended/unusual shutdown/reboot."

2024-05-22T11:38:22.352474+02:00 lab-fac kernel: [  332.818260] EXT4-fs (sdb2): error count since last fsck: 5

2024-05-22T11:38:22.352518+02:00 lab-fac kernel: [  332.818277] EXT4-fs (sdb2): initial error at time 1685892993: ext4_check_bdev_write_error:218

2024-05-22T11:38:22.352522+02:00 lab-fac kernel: [  332.818281] EXT4-fs (sdb2): last error at time 1685894675: ext4_truncate:4336: inode 2637896

 

System errors, database corruption, and SATA link failures can cause the node to take several hours to boot up. All of these issues can be resolved by reinstalling the firmware.
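The log entries quoted above are the kind of thing worth picking up automatically from exported FortiAuthenticator logs rather than finding by hand after a slow boot. The Python script below is an added example, not part of the article or of FortiAuthenticator itself: it scans syslog-style lines for the recovery message and for the EXT4-fs error-count lines, converts the epoch timestamps the kernel prints into UTC, and reports whether the node needs attention. The sample log is constructed from the article's three kernel lines plus a syslog-prefixed copy of the recovery message (the prefix is assumed) and one unrelated kernel line that must not trigger a finding.

```python
import re
from datetime import datetime, timezone

# Constructed sample log (see lead-in); timestamps and hostname follow the article's lines.
SAMPLE_LOG = """\
2024-05-22T11:38:22.352474+02:00 lab-fac kernel: [  332.818260] EXT4-fs (sdb2): error count since last fsck: 5
2024-05-22T11:38:22.352518+02:00 lab-fac kernel: [  332.818277] EXT4-fs (sdb2): initial error at time 1685892993: ext4_check_bdev_write_error:218
2024-05-22T11:38:22.352522+02:00 lab-fac kernel: [  332.818281] EXT4-fs (sdb2): last error at time 1685894675: ext4_truncate:4336: inode 2637896
2024-05-22T11:38:40.000000+02:00 lab-fac FortiAuthenticator recovered from an unintended/unusual shutdown/reboot.
2024-05-22T11:38:41.000000+02:00 lab-fac kernel: [  351.000000] EXT4-fs (sdb2): mounted filesystem with ordered data mode.
"""

# The message the article says to search for.
RECOVERED_MSG = "FortiAuthenticator recovered from an unintended/unusual shutdown/reboot."

# Kernel ext4 messages: device name in parentheses, epoch seconds after "at time".
RE_COUNT = re.compile(r"EXT4-fs \((?P<dev>\w+)\): error count since last fsck: (?P<n>\d+)")
RE_FIRST = re.compile(r"EXT4-fs \((?P<dev>\w+)\): initial error at time (?P<t>\d+): (?P<where>.+)$")
RE_LAST = re.compile(r"EXT4-fs \((?P<dev>\w+)\): last error at time (?P<t>\d+): (?P<where>.+)$")


def _epoch_to_iso(epoch: str) -> str:
    """The kernel prints the error times as Unix epoch seconds; render them as UTC ISO-8601."""
    return datetime.fromtimestamp(int(epoch), tz=timezone.utc).isoformat()


def scan(log_text: str) -> dict:
    """Collect the unclean-shutdown marker and per-device ext4 error details from log lines."""
    report = {"unclean_shutdown": False, "ext4": {}}
    for line in log_text.splitlines():
        if RECOVERED_MSG in line:
            report["unclean_shutdown"] = True
            continue
        for regex, key in ((RE_COUNT, "error_count"), (RE_FIRST, "first_error"), (RE_LAST, "last_error")):
            m = regex.search(line)
            if not m:
                continue
            entry = report["ext4"].setdefault(m["dev"], {})
            if key == "error_count":
                entry[key] = int(m["n"])
            else:
                entry[key] = m["where"]               # e.g. "ext4_truncate:4336: inode 2637896"
                entry[key + "_time"] = _epoch_to_iso(m["t"])
    return report


def needs_attention(report: dict) -> bool:
    """True when an unclean shutdown was recorded or any filesystem carries unfixed ext4 errors."""
    return report["unclean_shutdown"] or any(
        e.get("error_count", 0) > 0 for e in report["ext4"].values())


if __name__ == "__main__":
    result = scan(SAMPLE_LOG)
    for dev, details in result["ext4"].items():
        print(dev, details)
    print("unclean shutdown:", result["unclean_shutdown"])
    print("needs attention:", needs_attention(result))
```

Note what the converted timestamps show on the article's own lines: the first and last ext4 errors date from June 2023, almost a year before the May 2024 boot that logged them. The error count is kept in the superblock until the filesystem is checked, so the node has been booting on an unrepaired filesystem for that whole period, which is exactly the situation the reinstall described here resolves.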

 

Related articles:

Technical Tip: Downgrading FortiAuthenticator

Technical Tip: Formatting and loading FortiGate firmware image using TFTP