FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Sachin_Alex_Cherian_
Article Id 191729

Description

 

This article explains the best practices and the precautions to be taken while doing a firmware upgrade or downgrade on the FortiGate.


Scope

 

FortiOS Upgrade.
FortiOS Downgrade.


Solution

Upgrading.

Upgrading a firewall is something that should be compared to upgrading the operating system on a Computer. 
It is not to be taken lightly! 
 
It is important to make sure everything is backed up and there are some options available if things go awry. 
Assuming it all seems to work, a list of things is necessary to do in order to confirm everything is working properly.
Finally, it need enough time to do it. 
 
All really simple stuff, but what does this mean in relation to upgrading the FortiGate?

1)  Take a backup of the current working configuration and save it locally.
 
From GUI:

emmanouilg_0-1655814155275.png

 


Alternatively, from the CLI run:
 
# execute backup config tftp <string> <tftp server IP> <----- The TFTP server must be reachable from the FortiGate.

2) Read the release notes of the firmware that are planned to upgrade to.
These are available in the Release Information section of the Fortinet Document Library.

While checking the release notes, go through the resolved issues and known issues category.  Another important thing to be noted is that while upgrading the FortiGate ensure that other devices like FortiAnalyzer or FortiAPs which are integrated with the FortiGate, are supported and compatible with the FortiOS version that are planned to upgrade to.
This is explained in the release note under the title Product Integration and Support.
If any compatibility is found issue with any of the product integrated with the FortiGate, just keep in mind that those devices will also need an upgrade.

3) Another important thing to be noted while doing an upgrade is the upgrade path. 
Always follow the recommended upgrade path.
These are documented in the Support Upgrade Paths section of the Fortinet Cookbook.

4) Once everything with regards to the release notes has been checked, the firmware can be downloaded from the Customer Service and Support web portal. 
Log in at support.fortinet.com and select the Download -> Firmware Images option.below link:

Make sure to download the firmware corresponding to the device model.

At this point, it is necessary to download the firmware version currently running on the device.
This is just a backup plan, so that it is possible to revert back to the old firmware if the upgrade is not successful.

5) Upgrading the device remotely or locally?

It is always recommended to have access to the console of the device when it is upgrading.
This is because in the case where the device does not come back online or gets stuck it is possible to check on the console the status of the upgrade or check for errors. 
This might not be possible if running the upgrade remotely.

6)  Finally doing the upgrade. 
A downtime should be taken as the device will go for a reboot once the new firmware has loaded. The question is how much time will it take for the entire process?
 
It depends on the number of patches there are to go through in order to reach the final firmware that is planned to upgrade to.
Also, it is advisable to get a longer time so if the upgrade does not work out for the user as smoothly as planned, there will have some time to sort out the issue if not revert back to the previous working condition.

Downgrading

Before to start with this, make a note that downgrade is not recommended.
But these situations will appear where have received a replacement device which has a higher version than which the old device was running and the configuration file that  is not compatible with the new firmware.
In such cases lets go through the steps to be followed:

1) It is necessary to have the pre-configuration file which is used with the firmware planned to downgrade to.
Trying to load the configuration which is used on the latest version might not work in older firmware.

2) While doing a downgrade, it will be necessary to format the device.
Once the format is done it is possible to directly downgrade to the firmware required.

3) Read the release notes of the firmware planned to downgrade to.
The same product integration and support of other devices connected to the FortiGate needs to be checked.

4) As like what we followed in an upgrade a console access to the device is recommended, in case if something goes wrong.
There will not be an option from the GUI like what visible for an upgrade.
This needs to be done from the CLI with the help of a TFTP server. The details of the same are explained in the related article 'Loading FortiGate firmware using TFTP'.

5) A downtime should be taken as the device will go for a reboot once the new firmware has been loaded.

 

Related Articles

Technical Tip: Formatting and loading FortiGate firmware image using TFTP