Sachin_Alex_Cherian_
Article Id 191729

Description

This article describes the best practices and the precautions to be taken while doing a firmware upgrade or downgrade on the FortiGate.

Scope

FortiOS.

Solution

Upgrading:
Upgrading the firmware on a firewall should not be taken lightly. An administrator should have a solid reason to upgrade the firmware. Although, from a security standpoint, the general recommendation is to run the latest patch release, the upgrade still needs to be planned and justified, and the reason should be stated in terms of business, technical, or operational improvement.

Upgrading can be justified with reasons such as:
  • The availability of a new feature in the new firmware, which helps the organization deploy new services or enhance current services;
  • The need to address a known problem that is resolved in the targeted version;
  • Ways in which the new update would help meet security compliance or patch existing vulnerabilities;
  • The current firmware version has reached EOES (End of Engineering Support);
  • The current firmware version has reached EOS (End of Support).

See Technical Tip: Recommended Release for FortiOS for the respective FortiGate hardware model before deciding on a FortiOS version.

It is critical to ensure that everything is backed up and that a way back is available in case something goes wrong. A checklist of steps should be completed before and after the upgrade to confirm that everything is functioning properly. Finally, sufficient time is required to complete the task.


Steps to upgrade the FortiGate:

  1. FortiOS, by default, downloads a configuration backup to the local machine when the upgrade is initiated from the GUI. If required, the backup can also be taken manually as shown below.

From GUI: [screenshot: Backup.jpg]

Alternatively, from the CLI, run the following command:

execute backup config tftp <filename> <tftp server IP>   <----- The TFTP server must be reachable from the FortiGate.

  2. Read the release notes of the firmware that is planned to be upgraded to. These are available in the Release Information section of the Fortinet Document Library. While checking the release notes, go through the Resolved Issues and Known Issues sections. Another important point is that, while upgrading the FortiGate, other devices integrated with it, such as FortiAnalyzer, FortiManager, or FortiAPs, must be supported by and compatible with the FortiOS version that is planned to upgrade to.

     This is explained in the release notes under the title Product Integration and Support. If a compatibility issue is found with any of the products integrated with the FortiGate, keep in mind that those devices will also need an upgrade. FortiManager and FortiAnalyzer compatibility can be checked with the Compatibility Tool for FortiManager and FortiAnalyzer.

  3. Another important thing to check while performing an upgrade is the upgrade path. Always follow the recommended upgrade path. These are documented in the Supported Upgrade Paths section of the Fortinet Cookbook; the same information is available from the Upgrade Path Tool.

  4. Once everything in the release notes has been checked, download the firmware from the Customer Service and Support web portal. Log in at support.fortinet.com and select Download -> Firmware Images. Make sure to download the firmware corresponding to the device model. At this point, also download the firmware version currently running on the device. This is a backup plan, so that it will be possible to revert to the old firmware if the upgrade is not successful.

  5. Upgrade the device remotely or locally. It is always recommended to have console access to the device while it is upgrading. If the device does not come back online or gets stuck, the status of the upgrade and any errors can be checked on the console, which is not possible if the upgrade is only being followed remotely over the network.

  6. When executing the upgrade, schedule downtime, as the device will reboot once the new firmware has loaded. The time taken for the entire process depends on the number of intermediate versions in the upgrade path that must be stepped through to reach the planned firmware version. It is also recommended to allow a longer period so that, if the upgrade does not proceed as smoothly as planned, there is time to sort out the issue or revert to the previous working state.

  7. HA cluster upgrade: An HA cluster upgrade is similar to that of a standalone unit. The cluster members get upgraded without manual intervention; how the members are taken through the upgrade depends on the uninterruptible-upgrade setting under config system ha. While uninterruptible-upgrade enables firmware upgrades with little downtime, it is still recommended to schedule a maintenance window for vital networks to cover unforeseen problems. Before upgrading, make sure that every device in the cluster is in sync, that memory and CPU usage are normal, and that all interfaces are connected and functioning.
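As an added example (not part of the original article), the following FortiOS CLI commands, run on the primary unit, cover the pre-upgrade checks from the steps above: current version and build, HA synchronisation state, resource usage, interface state, the flash partition layout, and an off-box backup. The TFTP server address 192.0.2.10 and the backup file name are placeholders chosen for the example.

```fortios
get system status                          <----- current version/build, serial number, HA mode
get system ha status                       <----- cluster members, their roles, and whether each is in-sync
diagnose sys ha checksum cluster           <----- configuration checksums must match on every member
get system performance status              <----- CPU and memory usage before starting
get system interface physical              <----- link state of every physical interface
diagnose sys flash list                    <----- which partition is active; the other one becomes the rollback image
execute backup config tftp pre-upgrade.conf 192.0.2.10   <----- off-box backup taken before the upgrade
```

Keep the output of these commands with the change record: after the reboot, the same commands show whether the cluster re-synchronised, whether the interfaces came back, and which image is now active.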

Downgrading:
Before starting, note that a downgrade is not recommended. However, in scenarios where critical services are affected after the upgrade, it is possible to revert to the previous firmware and configuration by booting the FortiGate from the alternate (secondary) partition, as explained in Technical Tip: Selecting an alternate firmware for the next reboot. Note that this rollback can only go back one step, because the alternate partition holds only the image that was booted immediately before the current one: if the upgrade was from v7.2.9 directly to v7.4.4, the alternate partition can be used to revert to v7.2.9; if the upgrade went from v7.2.9 to v7.4.0 to v7.4.4, the above method can only revert to v7.4.0.
In certain cases, a replacement device may arrive running a firmware version higher than the one the original device had, and a downgrade might then be required.
 
In these cases, follow the steps below:

  1. It is necessary to have the pre-upgrade configuration file, i.e. a backup taken while running the firmware version that is being downgraded to. Trying to load a configuration saved on the newer version will not work on the older firmware.

  2. While doing a downgrade, it is recommended (though not always necessary) to format the boot device. Once the format is done, the required firmware version can be uploaded: see Technical Tip: Formatting and loading FortiGate firmware image using TFTP.

  3. As for the upgrade operation, console access to the device is recommended in case something goes wrong. If the downgrade encounters a problem, the GUI will not be available, so no recovery action can be taken from it; recovery must be done from the console with the help of a TFTP server.

  4. Downtime should be planned, as the device will reboot once the firmware has been loaded (the same applies to HA).

  5. Downgrading a FortiGate in an HA cluster causes all cluster members to be downgraded simultaneously.

  6. If the downgrade is initiated from the GUI, most settings and parameters are lost or reset to their default values. After the downgrade, it is strongly recommended to restore the pre-upgrade configuration file.

 

At the end of every firmware upgrade or downgrade, always run the command 'execute update-now' so that the FortiGuard definition packages are refreshed, and then verify that the FortiGate's FortiGuard connectivity and services are (still) functioning properly.

 

Note: It is also possible to back up the configuration file to a USB drive connected to the FortiGate using the following command (the password is optional; if one is given, the backup is encrypted with it):

    execute backup config usb <backup_filename> [<backup_password>]

Enter the command below to verify that the configuration file is on the USB drive:

    execute usb-disk list


Another method to downgrade is with the following commands. First, list the flash partitions to see which image is active and which image is held in the alternate partition:

FGT # diagnose sys flash list
Partition    Image                              TotalSize(KB)   Used(KB)   Use%   Active
1            FGT61E-6.04-FW-build1778-201021    253920          87604      35%    Yes
2            FGT61E-6.04-FW-build1803-201209    253920          88660      35%    No
3            ETDB-84.00660                      3021708         200120     7%     No
Image build at Dec  9 2020 22:27:52 for b1803

Then select the partition to boot from on the next reboot:

FGT # execute set-next-reboot {primary | secondary}   <----- In this example, it will be secondary.
FGT # execute set-next-reboot secondary

Default image is changed to image# 2.

Primary and Secondary simply refer to partition number 1 and partition number 2, respectively. Partition number 3 holds a signature database (ETDB), not a bootable firmware image, and can be ignored here.

Once the partition to boot from has been selected, reboot the FortiGate. This can be done using the command:

FGT # execute reboot
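As an added example (not code from the article or from Fortinet), the following Python script parses the 'diagnose sys flash list' output above and the '#config-version=' line that FortiOS writes at the top of a configuration backup, then reports which partition 'execute set-next-reboot' would boot and whether the backup can be restored on that image. It ties together the one-step rollback caveat from the Downgrading section and step 1 of the downgrade procedure (the backup must come from the firmware being booted). The flash listing is the one from the page; the two backup header lines, the image-name layout MODEL-MAJOR.MINOR-FW-buildNNNN-YYMMDD, and the rule that a backup from a higher build number will not load on a lower-build image are assumptions made for the example.

```python
"""Added example (not the article's or Fortinet's code): pair a FortiGate
flash partition with a configuration backup before a set-next-reboot.

Assumptions: image names look like MODEL-MAJOR.MINOR-FW-buildNNNN-YYMMDD;
a backup starts with '#config-version=MODEL-VERSION-FW-buildNNNN-YYMMDD:...';
build numbers grow with release, so a backup from a higher build than the
target image is treated as 'newer config onto older firmware' (the case the
article says will not load). The build rule is a heuristic, not a Fortinet rule.
"""
import re
from dataclasses import dataclass

# Constructed sample: the 'diagnose sys flash list' output shown on the page.
FLASH_LIST = """\
Partition    Image                       TotalSize(KB)   Used(KB)  Use%    Active
1            FGT61E-6.04-FW-build1778-201021    253920      87604   35%    Yes
2            FGT61E-6.04-FW-build1803-201209    253920      88660   35%    No
3            ETDB-84.00660                     3021708     200120    7%    No
Image build at Dec  9 2020 22:27:52 for b1803
"""

# Constructed sample: the same unit after it has been booted from partition 2.
FLASH_LIST_AFTER_REBOOT = """\
Partition    Image                       TotalSize(KB)   Used(KB)  Use%    Active
1            FGT61E-6.04-FW-build1778-201021    253920      87604   35%    No
2            FGT61E-6.04-FW-build1803-201209    253920      88660   35%    Yes
3            ETDB-84.00660                     3021708     200120    7%    No
"""

# Constructed sample backup headers (first line of a FortiOS backup file).
CONFIG_ON_BUILD1778 = "#config-version=FGT61E-6.4.3-FW-build1778-201021:opmode=0:vdom=0:user=admin"
CONFIG_ON_BUILD1803 = "#config-version=FGT61E-6.4.4-FW-build1803-201209:opmode=0:vdom=0:user=admin"

IMAGE_RE = re.compile(r"^(?P<model>[A-Z0-9_]+)-(?P<ver>[\d.]+)-FW-build(?P<build>\d+)-(?P<date>\d{6})$")
ROW_RE = re.compile(r"^(?P<part>\d+)\s+(?P<image>\S+)\s+\d+\s+\d+\s+\d+%\s+(?P<active>Yes|No)$")
HEADER_RE = re.compile(r"^#config-version=(?P<model>[A-Z0-9_]+)-(?P<ver>[\d.]+)-FW-build(?P<build>\d+)-\d{6}:")


@dataclass(frozen=True)
class Image:
    partition: int
    model: str
    version: str
    build: int
    active: bool


def parse_flash_list(text):
    """Firmware images from 'diagnose sys flash list'. The column header, the
    'Image build at' trailer and the ETDB (signature database) partition are
    skipped because they are not bootable firmware images."""
    images = []
    for line in text.splitlines():
        row = ROW_RE.match(line.strip())
        if row is None:
            continue
        img = IMAGE_RE.match(row["image"])
        if img is None:
            continue
        images.append(Image(int(row["part"]), img["model"], img["ver"],
                            int(img["build"]), row["active"] == "Yes"))
    return images


def alternate_image(images):
    """The single non-active firmware image and the keyword 'execute set-next-reboot' needs for it."""
    active = [i for i in images if i.active]
    others = [i for i in images if not i.active]
    if len(active) != 1 or len(others) != 1:
        raise ValueError("expected exactly one active and one alternate firmware partition")
    target = others[0]
    return target, ("primary" if target.partition == 1 else "secondary")


def parse_config_header(first_line):
    """(model, version, build) the backup was taken on, from its '#config-version=' line."""
    m = HEADER_RE.match(first_line.strip())
    if m is None:
        raise ValueError("not a FortiOS configuration backup header")
    return m["model"], m["ver"], int(m["build"])


def check_rollback(flash_text, config_first_line):
    """Return (ok, reason, command) for booting the alternate partition and restoring the backup on it."""
    target, keyword = alternate_image(parse_flash_list(flash_text))
    model, version, build = parse_config_header(config_first_line)
    command = f"execute set-next-reboot {keyword}"
    if model != target.model:
        return False, f"backup is for model {model}, target image is {target.model}", command
    # Heuristic (assumption): a backup from a newer build will not load on an older image.
    if build > target.build:
        return (False, f"backup from build {build} is newer than target build {target.build}; "
                       f"restore the backup taken before the upgrade instead", command)
    return (True, f"backup from {version} build {build} can be restored on partition "
                  f"{target.partition} ({target.version} build {target.build})", command)


if __name__ == "__main__":
    for listing, header in ((FLASH_LIST, CONFIG_ON_BUILD1778),
                            (FLASH_LIST_AFTER_REBOOT, CONFIG_ON_BUILD1803)):
        ok, reason, command = check_rollback(listing, header)
        print("OK " if ok else "NO ", command, "-", reason)
```

With the page's listing the alternate partition is number 2, so the script prints the 'execute set-next-reboot secondary' command and accepts a backup taken on build 1778. After that reboot the roles are reversed: the alternate partition is build 1778, and a backup saved on build 1803 is rejected, which is exactly the case step 1 of the downgrade procedure warns about.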

 
