FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Sachin_Alex_Cherian_
Article Id 191729

Description

This article explains the best practices and precautions to be taken when performing a firmware upgrade or downgrade on a FortiGate.

Scope

FortiGate.

Solution

Upgrading:
 
Upgrading the firmware on a firewall should not be taken lightly. An administrator should have a solid reason to upgrade the firmware; wanting the most recent version is not, by itself, a sufficient reason. The cause must be stated in terms of business, technical, or operational improvement. Upgrading can be justified with reasons such as: a new feature in the new firmware that helps the organization deploy new services or enhance current services; the need to address a known problem that is resolved in the targeted version; ways in which the update would help meet security compliance requirements; or the current firmware version having reached EOS (End of Support).
 
It is critical to ensure that everything is backed up and that a fallback is available in case something goes wrong. Assuming everything is in working order, a checklist of steps must be completed to confirm that everything is functioning properly. Finally, sufficient time is required to complete the task.
 

What it means to upgrade the FortiGate:

  1. By default, FortiOS downloads a configuration backup to the local machine when the upgrade is initiated from the GUI. If required, the backup can also be downloaded manually as shown below.

From the GUI:

[Screenshot: Backup.jpg, the configuration backup dialog in the GUI]

Alternatively, from the CLI, run the following command:

execute backup config tftp <string> <tftp server IP> <- The first argument is the backup file name; the TFTP server must be reachable from the FortiGate.
 
  2. Read the release notes of the firmware version that is planned to be upgraded to. These are available in the Release Information section of the Fortinet Document Library. While checking the release notes, go through the Resolved Issues and Known Issues categories. Another important point is that other devices integrated with the FortiGate, such as FortiAnalyzer, FortiManager or FortiAPs, must be supported by and compatible with the FortiOS version being upgraded to. This is explained in the release notes under the title Product Integration and Support. If a compatibility issue is found with any product integrated with the FortiGate, keep in mind that those devices will also need an upgrade. FortiManager and FortiAnalyzer compatibility can be checked with the Compatibility Tool for FortiManager and FortiAnalyzer.

  3. Another important thing to note when performing an upgrade is the upgrade path. Always follow the recommended upgrade path. These are documented in the Supported Upgrade Paths section of the Fortinet Cookbook. An alternate way to check the same is the Upgrade Path Tool.

  4. Once everything in the release notes has been checked, download the firmware from the Customer Service and Support web portal: log in at support.fortinet.com and select Download -> Firmware Images. Make sure to download the firmware corresponding to the device model. At this point, also download the firmware version currently running on the device. This is a backup plan, so that it is possible to revert to the old firmware if the upgrade is not successful.

  5. Upgrade the device remotely or locally. It is always recommended to have access to the console of the device while it is upgrading: if the device does not come back online or gets stuck, the status of the upgrade and any errors can be checked on the console. This might not be possible if the upgrade is run remotely.

  6. When executing the upgrade, downtime should be scheduled, as the device will reboot once the new firmware has loaded. The time taken for the entire process depends on the number of intermediate versions on the upgrade path to the final firmware version. It is also recommended to allow a longer time period, so that if the upgrade does not proceed as smoothly as planned there is additional time to sort out the issue or revert to the previous working state.

  7. HA cluster upgrade: an HA cluster upgrade is similar to that of a standalone unit. Both devices are upgraded without manual intervention, depending on the uninterruptible-upgrade setting under HA. While uninterruptible-upgrade enables firmware upgrades with little downtime, it is still recommended to schedule a maintenance window for vital networks to cover unforeseen problems. Make sure that every device in the cluster is in sync, that its memory and CPU usage are normal, and that all of its interfaces are connected and functioning.

Downgrading:

Before starting, note that a downgrade is not recommended. However, in scenarios where critical services are affected after the upgrade, it is possible to revert to the previous firmware and configuration by booting the FortiGate from the secondary partition, as explained in Reverting to the FortiOS version from secondary partition. Note that a rollback can be performed only across a single version jump: if the upgrade was from 7.2.9 to 7.4.4, the secondary partition can be used to revert to 7.2.9. If the upgrade was 7.2.9 > 7.4.0 > 7.4.4, then it is only possible to revert to 7.4.0 using the above method.

In certain cases, a replacement device may arrive running a firmware version higher than the one the original device ran, and a downgrade might be required.
 
In these cases, follow the steps below:
 
  1. It is necessary to have the pre-upgrade configuration file that was used with the firmware version being downgraded to. Loading a configuration saved on the newer version will not work on older firmware.

  2. When performing a downgrade, it is recommended (though not always necessary) to format the boot device. Once the format is done, the required firmware version can be uploaded. See Technical Tip: Formatting and loading FortiGate firmware image using TFTP.

  3. As with the upgrade, console access to the device is recommended in case something goes wrong. If the downgrade encounters a problem, the GUI will not be available, so no control actions are visible; recovery then needs to be done from the CLI with the help of a TFTP server.

  4. Downtime should be planned, as the device will reboot once the firmware has been loaded (the same applies to HA).

  5. Downgrading a FortiGate in an HA cluster causes all cluster members to be downgraded simultaneously.

  6. If initiated from the GUI, most settings and parameters are lost or changed during the downgrade, especially the default values. After the downgrade, it is strongly recommended to upload the pre-upgrade configuration file.
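The configuration backup taken before the upgrade (step 1 of the upgrade checklist) is only useful if it is actually compared against what the device is running afterwards, and step 6 above warns that a downgrade silently loses or resets settings. The following Python script is an added example, not Fortinet code and not part of this article: it flattens two FortiOS-style backups (the config/edit/set/next/end block syntax) into setting paths, reads the firmware version from the #config-version header, and reports which settings went missing or changed. The two configurations embedded in it are constructed samples, not real device backups; one of the differences they show is a management interface whose allowaccess list has gained a protocol, which is exactly the kind of change worth catching before re-exposing the device to production traffic.

```python
"""Added example (not Fortinet code): diff two FortiOS-style configuration
backups to find settings that were lost or changed by a firmware upgrade
or downgrade. The sample configurations below are constructed."""
import shlex

# Constructed sample: backup taken before the firmware change.
PRE_CONFIG = """\
#config-version=FGT60F-7.2.9-FW-build1000-000000:opmode=0:vdom=0
config system global
    set hostname "edge-fw"
    set admintimeout 5
    set admin-https-redirect enable
end
config system interface
    edit "port1"
        set ip 192.0.2.1 255.255.255.0
        set allowaccess ping https ssh
    next
    edit "port2"
        set ip 198.51.100.1 255.255.255.0
        set allowaccess ping
    next
end
"""

# Constructed sample: backup taken after the firmware change. One setting
# is gone, one default was reset, and port1 now also allows http.
POST_CONFIG = """\
#config-version=FGT60F-7.0.12-FW-build0523-000000:opmode=0:vdom=0
config system global
    set hostname "edge-fw"
    set admintimeout 480
end
config system interface
    edit "port1"
        set ip 192.0.2.1 255.255.255.0
        set allowaccess ping https ssh http
    next
    edit "port2"
        set ip 198.51.100.1 255.255.255.0
        set allowaccess ping
    next
end
"""


def parse_fortios_config(text):
    """Flatten config/edit/set/next/end blocks into a dict such as
    {"system interface/port1/allowaccess": "ping https ssh"}.
    'unset' entries are recorded with value None."""
    settings = {}
    path = []  # stack of enclosing block names
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)  # handles quoted values like "edge-fw"
        keyword, args = tokens[0], tokens[1:]
        if keyword == "config":
            path.append(" ".join(args))
        elif keyword == "edit":
            path.append(args[0])
        elif keyword in ("next", "end"):
            path.pop()
        elif keyword in ("set", "unset"):
            key = "/".join(path + [args[0]])
            settings[key] = " ".join(args[1:]) if keyword == "set" else None
    return settings


def config_version(text):
    """Return the firmware version from the '#config-version=' header,
    e.g. 'FGT60F-7.2.9-FW-build1000-000000:...' -> '7.2.9'."""
    for line in text.splitlines():
        if line.startswith("#config-version="):
            return line.split("=", 1)[1].split("-")[1]
    return None


def diff_configs(before, after):
    """Return (missing, changed, added): keys present only before, keys
    whose value differs (as {key: (old, new)}), and keys present only after."""
    missing = sorted(k for k in before if k not in after)
    added = sorted(k for k in after if k not in before)
    changed = {k: (before[k], after[k])
               for k in before if k in after and before[k] != after[k]}
    return missing, changed, added


def report(before_text, after_text):
    """Human-readable summary lines, suitable for a post-upgrade review."""
    before = parse_fortios_config(before_text)
    after = parse_fortios_config(after_text)
    missing, changed, added = diff_configs(before, after)
    lines = [f"firmware: {config_version(before_text)} -> {config_version(after_text)}"]
    lines += [f"MISSING  {k} (was {before[k]!r})" for k in missing]
    lines += [f"CHANGED  {k}: {old!r} -> {new!r}" for k, (old, new) in changed.items()]
    lines += [f"ADDED    {k} = {after[k]!r}" for k in added]
    return lines


if __name__ == "__main__":
    print("\n".join(report(PRE_CONFIG, POST_CONFIG)))
```

Run it against the real pre-upgrade backup and a fresh backup taken after the reboot (replace the two constructed strings with the file contents); any MISSING or CHANGED line touching system global, system admin, or an interface's allowaccess deserves a look before the maintenance window is closed. The version header check also covers step 1 of the downgrade list: a backup whose header shows a newer version than the firmware now running is not the file to restore.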

 

Related article: