FortiEDR
kwernecke
Staff
Article Id 211983
Description: This article describes how to troubleshoot a FortiEDR Collector that fails to upgrade.
Scope: FortiEDR Collector (Windows, macOS, Linux).
Solution

Overview

A device (Collector) does not upgrade to the latest Collector version, even though an upgrade has been set for its Collector Group.

 

Procedure

 

Note:

In a multi-tenant environment, upgrade devices from the Hoster View.

 

1) In the Console, go to the Inventory tab. Search for the device name in the search bar and confirm which Collector Group the device belongs to.

The Inventory screen also shows the Collector version currently running on the device, so the running version can be confirmed on this screen as well.


 

2) After confirming the Collector Group and verifying that the device is not showing the latest version, go to the Administration tab. Under Licensing, select the Update Collectors button at the bottom of the screen.

 


 

3) The Update Collectors screen lists the Collector Groups and the version each one has been set to upgrade to. Confirm that the device's Collector Group is set to the expected upgrade version.

 


 

4) Once it is confirmed that the correct Collector Group is set to upgrade to the correct version, a simple restart may resolve the upgrade issue. Restart the device.

After the device has completed the restart, wait a few minutes to let the device retrieve the upgrade package from the Central Manager and perform the upgrade, then confirm whether the new version is running.

If it is not, proceed to step 5 to continue troubleshooting and obtain logs.

 

5) Return to the Inventory tab and locate the device again. Select the checkbox next to the device and then select Export -> Collector Logs to collect the logs. If this succeeds, skip step 6 and go to step 7.

Note:

This will not work if the device is Disconnected. See step 6 in that case.

 


 

6) If the device is Disconnected, obtain the FortiEDR logs from the device itself:

  • Windows: \ProgramData\fortiedr
    - Also export the Windows Application log and Windows System log in .evtx format, along with the Windows Task Scheduler files at C:\Windows\Tasks.
    - Note: on Windows XP the logs are at \Documents and Settings\All Users\Application Data
  • macOS: /Library/fortiedr/Logs/Driver or /Library/fortiedr/Logs/Collector
  • Linux 2.6.x: /opt/fortiedr/logs
  • Linux 2.7.x: /opt/fortiedrCollector/logs

 

7) In the logs exported from the system, locate installer_<version>.log.

For a local analysis, search the log (Ctrl+F) for "value 3". Windows Installer writes "Return value 3" for an installer action that failed, so each hit marks a failed action.

Look a few lines above the hit to see which action the upgrade failed on. Open a support ticket in FortiCare for assistance.
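The collection and analysis in steps 6 and 7 can be scripted on a Windows host that the Central Manager cannot reach. The following PowerShell script is an added example, not part of the Fortinet article: it copies the \ProgramData\fortiedr directory, exports the Application and System event logs as .evtx, copies C:\Windows\Tasks, pulls the lines preceding each "value 3" hit out of every installer_*.log, and zips the result for a FortiCare ticket. The output folder name and the size of the context window are this script's own assumptions; run it from an elevated shell, since wevtutil needs it to export the System log.

```powershell
# Added example (not from the Fortinet article): collect FortiEDR Collector
# logs from a Disconnected Windows host and extract installer failure context.
# Assumptions: log paths are the ones named in the article; $OutDir naming and
# $ContextLines are choices made here, not FortiEDR conventions.

param(
    [string]$FortiEdrDir  = (Join-Path $env:ProgramData 'fortiedr'),
    [string]$OutDir       = (Join-Path $env:TEMP ("fortiedr-logs-{0}" -f (Get-Date -Format 'yyyyMMdd-HHmmss'))),
    [int]   $ContextLines = 15
)

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Copy the FortiEDR log directory (\ProgramData\fortiedr per the article).
if (Test-Path $FortiEdrDir) {
    Copy-Item -Path $FortiEdrDir -Destination (Join-Path $OutDir 'fortiedr') -Recurse -Force
} else {
    Write-Warning "FortiEDR directory not found: $FortiEdrDir"
}

# 2. Export the Windows Application and System logs in .evtx format.
#    'wevtutil epl' exports a published log; it requires elevation.
foreach ($logName in 'Application', 'System') {
    & wevtutil.exe epl $logName (Join-Path $OutDir "$logName.evtx")
}

# 3. Copy the Task Scheduler files requested in step 6.
$tasks = Join-Path $env:SystemRoot 'Tasks'
if (Test-Path $tasks) {
    Copy-Item -Path $tasks -Destination (Join-Path $OutDir 'Tasks') -Recurse -Force -ErrorAction SilentlyContinue
}

# 4. Local analysis: Windows Installer logs "Return value 3" for a failed
#    action, so the lines just above each hit show which action broke.
$installerLogs = Get-ChildItem -Path (Join-Path $OutDir 'fortiedr') -Recurse -Filter 'installer_*.log' -ErrorAction SilentlyContinue
$report = foreach ($log in $installerLogs) {
    Select-String -Path $log.FullName -Pattern 'value 3' -Context $ContextLines, 0 |
        ForEach-Object {
            "==== $($log.Name): line $($_.LineNumber) ===="
            $_.Context.PreContext   # the $ContextLines lines before the hit
            $_.Line
            ''
        }
}
if ($report) {
    $report | Set-Content -Path (Join-Path $OutDir 'installer-failures.txt')
    Write-Host "Installer failure context written to $(Join-Path $OutDir 'installer-failures.txt')"
} else {
    Write-Host 'No "value 3" hits found in installer_*.log'
}

# 5. Zip everything for the FortiCare ticket.
$zip = "$OutDir.zip"
Compress-Archive -Path (Join-Path $OutDir '*') -DestinationPath $zip -Force
Write-Host "Collected logs written to $zip"
```

Run it as `.\Collect-FortiEdrLogs.ps1` (any file name works) and attach the resulting .zip to the ticket; installer-failures.txt inside it is the same "value 3" context the manual Ctrl+F search would show.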

 

For more advanced local troubleshooting, try upgrading the device locally by running the new installer on it. If that does not work, uninstall the current version on the device and do a clean install of the new version. If that also fails, create a support ticket.

When prompted, enter the Uninstall/Registration password. Run the uninstaller (the build matching the machine's 32- or 64-bit architecture) at least twice, rebooting after each run, and then install the new Collector.

If the Collector still fails to install at this point, run Procmon alongside the installer to troubleshoot further, and capture the Windows Installer log with the msiexec /l*vx log.txt parameter.

Save the Procmon trace as a PML file and attach it, together with the installer log, to a FortiCare support ticket.
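The clean-install trace described above can be driven from one script so that the Procmon capture and the Windows Installer log cover exactly the same run. The following PowerShell script is an added example, not part of the Fortinet article or a Fortinet tool: it starts Procmon writing straight to a backing PML file, runs msiexec with /l*vx verbose logging, terminates the capture once the installer returns, and prints the "Return value 3" context if the install failed. The installer file name passed in, the Procmon location and the working directory are assumptions; the page does not name them.

```powershell
# Added example (not from the Fortinet article): run the Collector installer
# under Process Monitor with full Windows Installer logging (/l*vx), then
# stop the trace and save the PML for a FortiCare ticket.
# Assumptions: the installer is an .msi (the article's /l*vx switch is an
# msiexec switch), Procmon.exe is at $Procmon, and the shell is elevated.

param(
    [Parameter(Mandatory)] [string]$InstallerMsi,   # e.g. .\Collector.msi (hypothetical name)
    [string]$Procmon = '.\Procmon.exe',
    [string]$WorkDir = (Join-Path $env:TEMP 'fortiedr-install-trace')
)

New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
$pml    = Join-Path $WorkDir 'collector-install.pml'
$msiLog = Join-Path $WorkDir 'collector-install-msi.txt'

# Start Procmon writing directly to a backing file. /Quiet suppresses the
# filter dialog, /AcceptEula avoids the first-run prompt, /Minimized keeps it
# out of the way while the installer runs.
Start-Process -FilePath $Procmon -ArgumentList @('/AcceptEula', '/Quiet', '/Minimized', "/BackingFile `"$pml`"")
Start-Sleep -Seconds 3   # give the Procmon driver time to start capturing

# Run the installer: /i installs, /l*vx writes a verbose log with extra
# debugging output to $msiLog. The install is left interactive so the
# Uninstall/Registration password prompt can be answered.
$msi = Start-Process -FilePath 'msiexec.exe' `
    -ArgumentList @('/i', "`"$InstallerMsi`"", '/l*vx', "`"$msiLog`"") -Wait -PassThru
Write-Host "msiexec exit code: $($msi.ExitCode)"   # 0 success, 1603 fatal error, 3010 reboot required

# Tell the running Procmon instance to stop capturing and flush the PML.
Start-Process -FilePath $Procmon -ArgumentList '/Terminate' -Wait

# A failed installer action logs "Return value 3"; show what preceded it.
if ($msi.ExitCode -ne 0 -and (Test-Path $msiLog)) {
    Select-String -Path $msiLog -Pattern 'value 3' -Context 10, 0 |
        ForEach-Object { $_.Context.PreContext; $_.Line; '' }
}
Write-Host "Attach $pml and $msiLog to the FortiCare ticket."
```

Run it as `.\Trace-CollectorInstall.ps1 -InstallerMsi <path to the Collector .msi>` from an elevated prompt; the PML and the msiexec log it leaves in the working directory are the two files the ticket needs.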

 

 

 

 
