FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 195420
The purpose of this KB article is to demonstrate the results of upgrading from 5.4.0 to 5.4.1. It is essential to upgrade to 5.4.0 prior to upgrading to 5.4.1; no other upgrade path is supported.

All FortiGates currently managing a FortiSwitch in 5.4.0 upgrading to 5.4.1

In the following image the FortiSwitch 224D has an established FortiLink. In this case the switch is being managed by an HA cluster (possible only in 5.4). This is why two ports are seen on the switch connected to port2 on the FortiGate.


If we navigate to the interface list, we can see that port2 is configured as the dedicated extension device. There are 2 references to it on the far right.

When we click on the reference link we would see that it has a DHCP and NTP reference (the NTP is configured on the DHCP server).

When an interface is set to “Dedicated extension device” a DHCP server is automatically created and can be referenced in the CLI.  Typically the range for the dedicated extension device is a range in the 169.x.x.x

After the upgrade the “Dedicated extension device” interface will be changed to a “root-sw” hardware switch interface. We will look at this in a minute, after we upgrade.

It is important to be aware of the "VLAN Switch" interfaces as well, as they will be moved and changed as sub-interfaces to the dedicated interface, after the upgrade.


**NOTE: You should not have any policies referenced to the “Dedicated extension device”. If you do, remove them.

I will now backup the config and upgrade the FortiGate to 5.4.1 (build 1064).

After the upgrade we can navigate to the interface list.

We should see that a “root-sw” hardware switch interface is created. The “root” portion of the name will vary depending on the name of the VDOM.

The sub-interfaces for the root-sw interface are the VLANs configured on the switch. They will carry over from your previous configuration.


Right away we can look at the managed switch menu. If you have not enabled the automatic authorization then you will need to authorize the switch again.


After you authorize the FortiLink will establish again.

Please be aware, that in some cases the switch may need to reboot in order for the FortiLink to establish.

It is possible, that if you have references to the “Dedicated extension device”, before the upgrade such as policies (NOT REQUIRED) or other references other than the DHCP server; then the FortiLink may fail to connect after the upgrade.

Let’s see what this looks like after we upgrade to 5.4.1

In the image below, we can see that port2 is not part of the “root-sw” hardware switch.


We can also see that there are 2 references to port2. If we click on the reference link we also see that there are 2 policies and the IDs are listed.


Under the Managed Switch menu, the switch is also not showing up.  It will continue to scan and not provide any results.


To remedy all references to port2 must be deleted.

Port2 can then be added to the “root-sw” hardware switch.

The switch should now show up and it is available to be authorized.


It should be noted that in some cases the switch may need to reboot in order for the FortiLink to be established.