FortiGate
sbaikadi
Staff
Article Id 189727

Description

This article describes how to downgrade the firmware image on FortiGate-6000 and 7000 series chassis.

There will be downtime during the downgrade, since a graceful downgrade is not supported.
To minimize the downtime in an HA cluster, follow Method 2.


Scope


For FortiGate-6000 and 7000 series.

Solution


Prerequisites:

  • A configuration file saved from the target (older) firmware version is required. For example, to downgrade from v6.2.4 to v5.6.7, a configuration file saved while the chassis was running v5.6.7 is required.
  • In the case of HA, where Method 2 is followed, the configuration files of both the Primary and the Secondary are required. Two separate IP addresses are also required so that the Primary and Secondary chassis can be reached individually through the GUI during the downgrade.
  • Have console connections to both the Primary and the Secondary chassis.


Downgrade Process:
Standalone Chassis: Check the related article.

Firewalls in HA Cluster:

Method 1.

  1. In this method, the downtime will be around 30-40 minutes.
  2. Upload the FortiOS image to the Primary chassis from the GUI: Global Dashboard -> System -> Firmware, upload the FortiOS file, confirm the version downgrade, back up the configuration, and downgrade.
  3. Both chassis reboot with the uploaded firmware image.
  4. Wait for both chassis to come up. Use 'diagnose load-balance status' and check that Status Message:'Running' and Status:Working are reported on all slots.
  5. Check and verify the firmware version on both chassis using the command 'get system status'.
  6. Connect to the GUI of the Primary and upload the previously saved Primary configuration file of the same version.
  7. Both chassis reboot again with the uploaded configuration file.
  8. Once the firewalls are completely up, check for configuration errors using the command 'diagnose debug config-error-log read' and make the necessary changes if any errors are observed.


Method 2.
Downtime is minimal in this method because the chassis are downgraded one at a time.

Steps to follow for rollback:
Note.
In the steps below, fw1 is the Primary and fw2 is the Secondary, and the override setting is disabled under the HA settings, so the primary role is decided by uptime (the fail-back in the last step relies on this).

  1. If 10.1.1.1/24 is the IP address to be assigned to the Secondary, execute the following command on the Secondary, using the Secondary's serial number (FG74E83E17-----3):

execute ha disconnect FG74E83E17-----3 mgmt 10.1.1.1 255.255.255.0

This command disconnects the unit from the HA cluster and removes all IP addresses from all interfaces of the Secondary.
It also assigns the specified IP address to the MGMT interface and sets the mode to Standalone under the HA settings, so the Secondary is reachable only through the MGMT port and the console from this point on.

  2. Then access the Secondary through the GUI (https://10.1.1.1) and downgrade the firmware from the GUI: Global Dashboard -> System -> Firmware, upload the FortiOS file, confirm the version downgrade, back up the configuration, and downgrade.
  3. Wait for the whole chassis to come up. Use 'diagnose load-balance status' and check that Status Message:'Running' and Status:Working are reported on all slots.
  4. Upload the configuration file of the previous version to the Secondary. Make sure the Chassis-ID is set correctly under the HA settings. The chassis reboots with the uploaded configuration file.
  5. Wait for the whole chassis to come up. Use 'diagnose load-balance status' and check that Status Message:'Running' and Status:Working are reported on all slots.
  6. Once fw2 is completely up, check for configuration errors using the command 'diagnose debug config-error-log read' and make the necessary changes if any errors are observed.
  7. Check 'get system ha status' on both the Secondary and the Primary to see whether both chassis in the cluster are visible. They will not be in sync, since they are on different FortiOS versions.
  8. If 10.1.1.5/24 is the IP address to be assigned to the Primary, execute the following command on the Primary, using the Primary's serial number (FG74E83E17-----1):

execute ha disconnect FG74E83E17-----1 mgmt 10.1.1.5 255.255.255.0 <-- When this command is executed, fw2 becomes the primary and traffic flows through fw2. During this time, existing sessions need to be re-established on fw2.

  9. Repeat steps 2 to 6 on fw1 (the fw1 GUI can be accessed at https://10.1.1.5).
  10. Once fw1 is completely up, check 'get system ha status' and confirm that the configuration is in sync between both firewalls.
  11. If required, fail back to fw1 by running the command 'diagnose sys ha reset-uptime' on fw2 (the current primary). Resetting fw2's HA uptime leaves fw1 as the longer-running unit, so with override disabled fw1 takes the primary role back.
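The CLI checks that surround the Method 2 procedure, collected here as an added example; this is not part of the original article and does not replace the GUI firmware and configuration upload steps. It assumes the same placeholder serial numbers and management IP addresses as the steps above, that each command is entered on the console of the chassis named in the comment, and that the HA settings are read from the global context.

```fortios
# Pre-flight, on fw1 (Primary) and again on fw2 (Secondary): confirm the HA
# assumptions the procedure relies on before disconnecting anything.
config global
    config system ha
        get | grep -i override     # must show: override : disable
        get | grep -i chassis-id   # record it; it must be correct again after the config restore in step 4
    end
end
get system ha status               # lists both chassis with serial numbers and roles; note which serial is fw2
get system status                  # record the running version before the downgrade

# Step 1, on fw2: leave the cluster and take a dedicated management IP.
# All other interface IPs are removed, so only the MGMT port (and the console) reach fw2 afterwards.
execute ha disconnect FG74E83E17-----3 mgmt 10.1.1.1 255.255.255.0

# Steps 3 to 7, on fw2, after the GUI firmware downgrade and configuration restore:
diagnose load-balance status           # every slot must show Status Message:"Running" and Status:Working
get system status                      # version must now be the target (older) release
diagnose debug config-error-log read   # fix anything reported here before proceeding
get system ha status                   # both chassis visible; out of sync is expected until fw1 is downgraded

# Step 8, on fw1: fw2 takes over traffic, fw1 leaves the cluster for its own downgrade.
execute ha disconnect FG74E83E17-----1 mgmt 10.1.1.5 255.255.255.0

# Step 10, on either chassis, after steps 2 to 6 have been repeated on fw1:
get system ha status                   # both chassis visible and the configuration in sync

# Step 11 (optional), on fw2 while it is the current primary: clear fw2's HA uptime so that
# fw1 becomes the longer-running unit and, with override disabled, takes the primary role back.
diagnose sys ha reset-uptime
```

The two `execute ha disconnect` commands are the only ones here that change state; everything else is read-only and can be run as often as needed while waiting for a chassis to come up.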