FortiGate
Sachin_Alex_Cherian_
Article Id 191729

Description

 

This article explains the best practices and the precautions to be taken while doing a firmware upgrade or downgrade on the FortiGate.


Scope

 

FortiGate.
 

Solution

 
Upgrading:
Upgrading a firewall should be treated like upgrading the operating system on a computer.
It is not to be taken lightly!

It is important to ensure everything is backed up and that some options are available if things go awry. Assuming the upgrade appears to work, a list of checks is needed to confirm everything is working properly. Finally, enough time must be set aside to do it.

All really simple stuff, but what does this mean for upgrading the FortiGate?

 

  1. Take a backup of the current working configuration and save it locally.
 
From the GUI:

[Screenshot: configuration backup from the FortiGate GUI]

 


Alternatively, from the CLI run:
 
execute backup config tftp <filename> <tftp server IP>   <----- The TFTP server must be reachable from the FortiGate.
 
  2. Read the release notes of the firmware planned to be upgraded to. These are available in the Release Information section of the Fortinet Document Library. While checking the release notes, go through the resolved issues and known issues categories. Another important point: while upgrading the FortiGate, ensure that other devices integrated with the FortiGate, such as FortiAnalyzer or FortiAPs, are supported by and compatible with the FortiOS version being upgraded to. This is explained in the release notes under the title Product Integration and Support. If a compatibility issue is found with any product integrated with the FortiGate, keep in mind that those devices will also need an upgrade.
  3. Another important thing to be considered while doing an upgrade is the upgrade path. Always follow the recommended upgrade path. These are documented in the Supported Upgrade Paths section of the Fortinet Cookbook.
  4. Once everything in the release notes has been checked, the firmware can be downloaded from the Customer Service and Support web portal. Log in at support.fortinet.com and select the Download -> Firmware Images option.

Make sure to download the firmware corresponding to the device model.
At this point, also download the firmware version currently running on the device.

This is a backup plan, so that it is possible to revert to the old firmware if the upgrade is not successful.
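The two checks above (the image must be built for the device model, and the download must be intact) can be scripted on the admin workstation before the image is ever pushed to the firewall. The following is an added example and not code from the article or from Fortinet; it assumes the usual FortiGate image naming pattern (e.g. FGT_60F-v7.0.12-build0523-FORTINET.out), takes the expected SHA-256 from the checksum shown on the support portal download page, and uses constructed bytes as the sample image. The function names (parse_image_name, verify_image) are the example's own.

```python
import hashlib
import re

# Assumed naming convention for FortiGate firmware images, e.g.
# FGT_60F-v7.0.12-build0523-FORTINET.out (an assumption of this example,
# not something stated in the article).
IMAGE_NAME_RE = re.compile(
    r"^FGT_(?P<model>[A-Za-z0-9]+)-v(?P<version>\d+\.\d+\.\d+)"
    r"-build(?P<build>\d+)-FORTINET\.out$"
)


def parse_image_name(filename: str) -> dict:
    """Extract model, version and build from a firmware image filename.

    Raises ValueError when the name does not follow the assumed convention,
    so a renamed or unrelated file is never accepted silently.
    """
    m = IMAGE_NAME_RE.match(filename)
    if not m:
        raise ValueError(f"unrecognised firmware image name: {filename}")
    return m.groupdict()


def sha256_of(data: bytes) -> str:
    """Hex SHA-256 of the image bytes (compare with the portal's checksum)."""
    return hashlib.sha256(data).hexdigest()


def verify_image(filename: str, image_bytes: bytes,
                 device_model: str, expected_sha256: str) -> list:
    """Return the list of problems found; an empty list means both checks pass.

    - model check: the image was built for the model of the device being upgraded
    - integrity check: the SHA-256 of the downloaded file matches the checksum
      published on the support portal for that image
    """
    problems = []
    try:
        meta = parse_image_name(filename)
    except ValueError as exc:
        return [str(exc)]
    if meta["model"].upper() != device_model.upper():
        problems.append(
            f"image is for model {meta['model']}, device is {device_model}")
    actual = sha256_of(image_bytes)
    if actual != expected_sha256.lower():
        problems.append(
            f"checksum mismatch: expected {expected_sha256}, got {actual}")
    return problems


def verify_image_file(path: str, device_model: str, expected_sha256: str) -> list:
    """Same check against a file on disk (used from the command line)."""
    import os
    with open(path, "rb") as fh:
        return verify_image(os.path.basename(path), fh.read(),
                            device_model, expected_sha256)


if __name__ == "__main__":
    # Constructed sample: stand-in bytes for a downloaded image and a
    # checksum computed from them, so the script runs offline.
    sample = b"constructed firmware payload, not a real FortiOS image"
    good = sha256_of(sample)
    print(verify_image("FGT_60F-v7.0.12-build0523-FORTINET.out", sample, "60F", good))
    print(verify_image("FGT_100F-v7.0.12-build0523-FORTINET.out", sample, "60F", good))
```

Running the script with the wrong model or a tampered download returns a non-empty list; an empty list is the go-ahead to copy the image to the TFTP server. Because the currently running version is downloaded as the fallback image, run the same check against that file too, so the rollback image is known-good before the maintenance window starts.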

 

  5. Upgrading the device remotely or locally. It is always recommended to have access to the console of the device while it is upgrading. If the device does not come back online or gets stuck, the console shows the status of the upgrade and any errors. This might not be possible if running the upgrade remotely.
  6. Doing the upgrade. Downtime should be scheduled, as the device will reboot once the new firmware has loaded. The question is how much time the entire process will take.

It depends on the number of intermediate patches that must be passed through in order to reach the final firmware being upgraded to.
Also, it is advisable to reserve a longer window, so that if the upgrade does not go as smoothly as planned there is time to sort out the issue or revert to the previous working condition.
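The number of intermediate builds is what sets the length of the window, so it helps to compute the path before booking downtime. The following added example (not from the article or Fortinet) walks a table of supported upgrade steps with a breadth-first search and sizes the maintenance window from the number of reboots plus a rollback buffer. The version table, the 15 minutes per step and the 60-minute buffer are constructed assumptions for illustration; the real edges must be taken from the Supported Upgrade Paths documentation for the platform.

```python
from collections import deque

# Constructed table of supported upgrade steps: from_version -> set of
# to_versions. Illustrative only; the real supported steps come from the
# Supported Upgrade Paths section of the Fortinet documentation.
SUPPORTED_STEPS = {
    "6.4.10": {"6.4.15", "7.0.9"},
    "6.4.15": {"7.0.12"},
    "7.0.9": {"7.0.12"},
    "7.0.12": {"7.2.5"},
    "7.2.5": {"7.4.1"},
}


def plan_upgrade_path(current: str, target: str, steps=SUPPORTED_STEPS):
    """Shortest supported path from current to target (inclusive), or None.

    Breadth-first search over the step table, so the first time the target is
    reached it is with the fewest intermediate builds. Steps are only followed
    in the documented direction, so a downgrade request returns None.
    """
    if current == target:
        return [current]
    prev = {current: None}
    queue = deque([current])
    while queue:
        version = queue.popleft()
        for nxt in sorted(steps.get(version, ())):
            if nxt in prev:
                continue
            prev[nxt] = version
            if nxt == target:
                path = [target]
                while prev[path[-1]] is not None:
                    path.append(prev[path[-1]])
                return path[::-1]
            queue.append(nxt)
    return None


def estimate_window(path, minutes_per_step=15, rollback_buffer=60):
    """(reboots, minutes): one reboot per step, plus a buffer for rollback.

    The per-step time and buffer are assumed values for this example; measure
    them on the actual platform before relying on them.
    """
    reboots = len(path) - 1
    return reboots, reboots * minutes_per_step + rollback_buffer


if __name__ == "__main__":
    route = plan_upgrade_path("6.4.10", "7.2.5")
    print("path:", " -> ".join(route))
    print("reboots, minutes:", estimate_window(route))
    print("downgrade via upgrade table:", plan_upgrade_path("7.4.1", "6.4.10"))
```

The search deliberately refuses to find a path "backwards", which matches the article's point that a rollback is a separate, single-step operation rather than a reverse upgrade path; if a target is not reachable at all, the returned None is the signal to re-read the upgrade path documentation before touching the device.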

Downgrading:
Before starting, note that a downgrade is not recommended.
A rollback can be performed only with a single version jump: Technical Tip: Selecting an alternate firmware for the next reboot
There are situations where a replacement device is received with a higher firmware version than the old device was running, and the configuration file in this case is not compatible with the new firmware. Another reason for a downgrade would be a multi-step upgrade that does not provide the required functionality.
 
For such cases, here are the steps to be followed:
 
  1. It is necessary to have the configuration file that was in use on the firmware version being downgraded to. Trying to load a configuration taken from the newer version might not work on older firmware.
  2. While doing a downgrade, it is recommended to format the boot device (not always necessary). Once the format is done, the required firmware version can be uploaded: Technical Tip: Formatting and loading FortiGate firmware image using TFTP
  3. As for the upgrade operation, console access to the device is recommended in case something goes wrong. If the operation encounters a problem, the GUI will not be available, so no control actions are visible there; recovery must be done from the CLI with the help of a TFTP server.
  4. Downtime should be considered, as the device will reboot once the firmware has been loaded (the same applies to HA).
  5. Most settings and parameters are lost or changed during the downgrade, especially the default values. After the downgrade, it is strongly recommended to upload the pre-upgrade configuration file.

 

Related article:

Technical Tip: Formatting and loading FortiGate firmware image using TFTP