Description

This article describes how to upgrade FortiDDoS B.E-Series firmware. Look for another article if using F-Series firmware.

Upgrade considerations (Upgrade Considerations) :
The following considerations help determine whether to follow a standard or non-standard upgrade procedure:

• HA — Updating firmware on an HA cluster requires some additions to the usual steps for a standalone appliance. See Updating firmware on an HA cluster
  
• Downgrades — Special guidelines apply when downgrading firmware to an earlier version. See Downgrading firmware. In some cases, the downgrade path requires reimaging. Take care to study the release notes for each version in the downgrade path.
  
• Re-imaging — If installing a firmware version that requires a different size of system partition, it might be required to re-image the boot device.
  Important: Read the Release notes for release-specific upgrade considerations.
  

Scope

FortiDDoS.

Solution

Updating firmware using GUI.

The following figure shows the user interface for managing firmware. Firmware can be loaded on two disk partitions. You can use the web UI to boot the firmware version stored on the alternate partition or to upload and boot firmware updates (either upgrades or downgrades).

                                                

Before beginning:

• Download the firmware file from the Fortinet Technical Support website.
  
• Read the release notes for the version planned to install.
  
• Important: Downgrading returns the unit to factory default with no user config. If stored backup config of the earlier release is not available and its a must to downgrade, it will be necessary to backup the current config, edit the first line to the correct destination (downgraded) firmware version release, build number and date, and restore that config file.
• Downgrading below 4.1.12 is not recommended for bug and security reasons. If it is necessary to downgrade to below 4.1.2, remove all NTP config and remove multiple remote syslog servers if configured.
• It is necessary to have super user permission (user admin) to upgrade firmware.

To install firmware:

1. Go to System -> Maintenance -> Backup & Restore tab.
   
2. Under Firmware Upgrade/Downgrade, use the controls to select the firmware file desired to install and select the Update and Reboot icon.
     Note: Clear the cache of the web browser and restart it to ensure that it reloads the web UI.
   
3. Use the upload file to select the firmware image file.
4. Select OK to upload the file, and install the firmware.

Updating firmware using the CLI.

This procedure is provided for CLI users.
Before beginning:

• Read the release notes for the version planned to install. If information in the release notes is different from this documentation, follow the instructions in the release notes.
  
• It is necessary to be able to use TFTP to transfer the firmware file to the FortiDDoS system. If not having a TFTP server, download and install one, like tftpd, on a server located on the same subnet as the FortiDDoS system.
  
• Download the firmware file from the Fortinet Technical Support website.
  
• Copy the firmware image file to the root directory of the TFTP server.
  
• Back up the configuration before beginning this procedure. Reverting to an earlier firmware version could reset settings that are not compatible with the new firmware.
  
• Make a note of configurations that are disabled in the active configuration. Configurations that are not enabled are not preserved in the upgrade. For example, if a custom HTTP service port, log remote port, or event log port has been configured and then disabled in 4.1.11, the port information is not preserved in the upgrade to 4.2.1.
  
• It is necessary to have super user permission (user admin) to upgrade firmware.
  
  

To install firmware via the CLI:

1. Connect the management computer to the FortiDDoS console port using an RJ-45-to-DB-9 serial cable or a null-modem cable.
   
2. Initiate a connection to the CLI and log in as the user admin.
   
3. Use an Ethernet cable to connect FortiDDoS port1 to the TFTP server directly, or connect it to the same subnet as the TFTP server.
   
4. If necessary, start the TFTP server.
   
5. Enter the following command to transfer the firmware image to the FortiDDoS system:
   
   execute restore image tftp <filename_str> <tftp_ipv4>

Where <filename_str> is the name of the firmware image file and <tftp_ipv4> is the IP address of the TFTP server. For example, if the firmware image file name is image.out and the IP address of the TFTP server is 192.168.1.168, enter:

execute restore image tftp image.out 192.168.1.168

One of the following message appears:

This operation will replace the current firmware version!
Do you want to continue? (y/n)

Or:

Get image from tftp server OK.
Check image OK.
This operation will downgrade the current firmware version!
Do you want to continue? (y/n)

6. Type y. The system installs the firmware and restarts:

    

   MAC:00219B8F0D94
   ###########################
   Total 28385179 bytes data downloaded.
   Verifying the integrity of the firmware image.
   Save as Default firmware/Backup firmware/Run image without saving:[D/B/R]?

    

7. To verify that the firmware was successfully installed, use the following command:

    

get system status

The firmware version number is displayed.

 
If the download fails after the integrity check with the error message invalid compressed format (err=1,but the firmware matches the integrity checksum on the Fortinet Technical Support website, try a different TFTP server.
 
TFTP is not secure, and it does not support authentication. It should be run only on trusted administrator-only networks, and never on computers directly connected to the Internet. Turn off tftpd off immediately after completing this procedure.