FortiGate
sbaikadi
Staff
Article Id 189727
Description
This article describes how to downgrade the firmware image on a FortiGate-6000 or 7000 series firewall.

There will be downtime during the downgrade because a graceful (non-disruptive) downgrade is not supported.
To minimize downtime on an HA cluster, follow Method 2.


Scope
For FortiGate-6000 and 7000 series.

Solution
Prerequisites:
- A configuration backup taken while the firewall was running the target firmware version is required. For example, to downgrade from v6.2.4 to v5.6.7, a configuration file saved on v5.6.7 is needed. The backup the GUI takes just before downgrading is a v6.2.4 file and is not suitable for restoring on v5.6.7.
- For an HA cluster downgraded with Method 2, the target-version configuration files of both the Master and the Slave chassis are required. Two separate IP addresses are also required so that each chassis can be reached individually over the GUI while it is disconnected from the cluster during the downgrade.
- Have console connections to both the Master and the Slave chassis; the GUI and SSH are unavailable while a chassis reboots.
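Restoring a backup from the wrong version or the wrong chassis is the easiest mistake to make in this procedure, so it is worth checking the files before uploading them. The Python script below is an added example, not part of the original article or a Fortinet tool. It reads the two backups you intend to restore, extracts the firmware version from the '#config-version=' header line that every FortiOS backup starts with, and confirms that both files are from the target version and carry different chassis-id values under 'config system ha' (the article later reminds you that the Chassis-ID must be correct after the restore). The backup texts are constructed samples; the model prefix 'FG74E8', hostnames and build numbers are assumptions, and only the header layout follows the standard FortiOS backup header.

```python
import re

# Constructed sample backups for the example (not taken from a real device).
# A FortiOS backup starts with a "#config-version=" header of the form
#   #config-version=<model>-<major.minor.patch>-FW-build<nnnn>-<yymmdd>:opmode=..:vdom=..:user=..
MASTER_BACKUP_567 = """#config-version=FG74E8-5.6.7-FW-build1653-190214:opmode=0:vdom=1:user=admin
#conf_file_ver=1234567890
config system global
    set hostname "fw1"
end
config system ha
    set group-name "chassis-cluster"
    set mode a-p
    set chassis-id 1
    set override disable
end
"""

SLAVE_BACKUP_567 = """#config-version=FG74E8-5.6.7-FW-build1653-190214:opmode=0:vdom=1:user=admin
#conf_file_ver=1234567891
config system global
    set hostname "fw2"
end
config system ha
    set group-name "chassis-cluster"
    set mode a-p
    set chassis-id 2
    set override disable
end
"""

# The backup the GUI takes right before downgrading is of the *running* (6.2.4)
# configuration; restoring it on 5.6.7 is the mistake this check is meant to catch.
MASTER_BACKUP_624 = MASTER_BACKUP_567.replace(
    "5.6.7-FW-build1653-190214", "6.2.4-FW-build1112-200210")

HEADER_RE = re.compile(
    r"^#config-version=(?P<model>[A-Za-z0-9]+)-(?P<version>\d+\.\d+\.\d+)"
    r"-FW-build(?P<build>\d+)-(?P<date>\d{6}):"
)


def parse_backup(text):
    """Return model, version, build, hostname and chassis-id of a FortiOS backup."""
    first_line = text.splitlines()[0] if text else ""
    match = HEADER_RE.match(first_line)
    if not match:
        raise ValueError("not a FortiOS backup: missing #config-version header")
    info = {k: match.group(k) for k in ("model", "version", "build")}
    host = re.search(r'^\s*set hostname "([^"]*)"', text, re.MULTILINE)
    chassis = re.search(r"^\s*set chassis-id (\d+)\s*$", text, re.MULTILINE)
    info["hostname"] = host.group(1) if host else None
    info["chassis_id"] = int(chassis.group(1)) if chassis else None
    return info


def preflight(target_version, master_text, slave_text):
    """Return a list of problems; an empty list means the files are safe to restore."""
    problems = []
    master = parse_backup(master_text)
    slave = parse_backup(slave_text)
    for role, info in (("Master", master), ("Slave", slave)):
        if info["version"] != target_version:
            problems.append(
                f"{role} backup ({info['hostname']}) is from v{info['version']}, "
                f"not the target v{target_version}")
        if info["chassis_id"] is None:
            problems.append(f"{role} backup has no 'set chassis-id' under config system ha")
    if master["model"] != slave["model"]:
        problems.append("backups are from different hardware models")
    if master["chassis_id"] is not None and master["chassis_id"] == slave["chassis_id"]:
        problems.append(
            f"both backups use chassis-id {master['chassis_id']}; "
            "each chassis needs its own backup")
    return problems


if __name__ == "__main__":
    for name, m, s in (("correct files", MASTER_BACKUP_567, SLAVE_BACKUP_567),
                       ("wrong master file", MASTER_BACKUP_624, SLAVE_BACKUP_567),
                       ("same file twice", MASTER_BACKUP_567, MASTER_BACKUP_567)):
        issues = preflight("5.6.7", m, s)
        print(f"{name}: {'OK' if not issues else '; '.join(issues)}")
```

Run it against the real files by reading them with open(...).read() in place of the sample strings. The version check is the one that matters most: FortiOS will attempt to convert a backup from another version on restore, and the config-error-log check in the steps below exists to catch what that conversion gets wrong.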

Downgrade Process:
Standalone chassis: see the related article 'Technical Tip: How to rollback firmware on FortiGate-6000 and 7000 series' listed below.

Firewalls in HA Cluster:

Method 1.

1) With this method the downtime is around 30-40 minutes, because both chassis reboot twice: once for the firmware and once for the restored configuration.
2) Upload the FortiOS image to the Master chassis from the GUI: Global Dashboard -> System -> Firmware, upload the FortiOS file, confirm the version downgrade, back up the configuration and downgrade.
3) Both chassis reboot with the uploaded firmware image.
4) Wait for both chassis to come up. Use '# diagnose load-balance status' and check that every slot shows Status Message:"Running" and Status:Working.
5) Verify the firmware version on both chassis with '# get system status'.
6) Connect to the GUI of the Master and restore the previously saved Master configuration file of the same (target) version.
7) Both chassis reboot again with the restored configuration.
8) Once both firewalls are completely up, check for configuration errors with '# diagnose debug config-error-log read' and make the necessary changes if any errors are reported.

Method 2.

The downtime is much shorter with this method because the chassis are downgraded one by one; only the failover in step 8 interrupts traffic.

Steps to follow for the rollback:

Note.
In the steps below, fw1 is referred to as the Master and fw2 as the Slave, and override is disabled under the HA settings.

1) If 10.1.1.1/24 is the IP address to be assigned to the Slave, execute the command from the Slave using the Slave's serial number (FG74E83E17-----3):
# execute ha disconnect FG74E83E17-----3 mgmt 10.1.1.1 255.255.255.0
This command disconnects the Slave from the HA cluster and removes the IP addresses from all of its interfaces.
It then assigns the given IP address to the mgmt interface and sets the HA mode to Standalone under the HA settings. From this point the Slave is reachable only through that mgmt address or the console.

2) Access the Slave over the GUI (https://10.1.1.1) and downgrade its firmware from the GUI: Global Dashboard -> System -> Firmware, upload the FortiOS file, confirm the version downgrade, back up the configuration and downgrade.
3) Wait for the whole chassis to come up. Use '# diagnose load-balance status' and check that every slot shows Status Message:"Running" and Status:Working.
4) Restore the previous-version configuration file of the Slave on the Slave. Make sure the Chassis-ID is set correctly under the HA settings. The chassis reboots with the restored configuration.
5) Wait for the whole chassis to come up again, checking '# diagnose load-balance status' as in step 3.
6) Once fw2 is completely up, check for configuration errors with '# diagnose debug config-error-log read' and make the necessary changes if any errors are reported.
7) Run '# get system ha status' on both the Slave and the Master and confirm that both chassis are visible in the cluster. They will not be in sync at this point because they run different FortiOS versions; this is expected.
8) If 10.1.1.5/24 is the IP address to be assigned to the Master, execute the command from the Master using the Master's serial number (FG74E83E17-----1):
# execute ha disconnect FG74E83E17-----1 mgmt 10.1.1.5 255.255.255.0
When this command is executed, fw2 becomes Master and traffic flows through fw2. Because the two units were not in sync, existing sessions are not carried over and need to be re-established on fw2; this is the only traffic interruption in Method 2.
9) Repeat steps 2 to 6 on fw1 (its GUI can be reached at https://10.1.1.5).
10) Once fw1 is completely up, check '# get system ha status' and confirm that the configuration is synchronized between both firewalls.
11) If required, fail back to fw1 by running '# diagnose sys ha reset-uptime' on fw2 (the original Slave, now acting as Master). Resetting fw2's uptime leaves fw1 as the unit with the longer uptime, so with override disabled fw1 is elected Master again.
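Both methods repeat the same readiness gate after every reboot: no step may be taken until every slot in '# diagnose load-balance status' shows Status:Working and Status Message:"Running". The Python function below is an added example, not part of the original article or a Fortinet tool, that parses a captured copy of that output and lists the slots that are not yet ready, so the gate can be checked by a script (for example, fed from the console log) instead of read by eye. The sample output is constructed for the example and reproduces only the fields the article names (slot number, Status, Status Message); it is an assumption that the real output groups those fields under a per-slot 'Slot:' line in this way, so adjust the regular expressions to a capture from your own chassis before relying on it.

```python
import re

# Constructed sample of "diagnose load-balance status" output (not a capture
# from a real chassis; the serial numbers are made up): slot 1 is ready, slot 2
# is still booting, slot 3 has not reached the Working state.
SAMPLE_STATUS_BOOTING = """==========================================================================
Slot: 1  Module SN: FPM20FTB19000001
  Status:Working   Function:Active
  Link:   Base: Up   Fabric: Up
  Heartbeat: Management: Good   Data: Good
  Status Message:"Running"
==========================================================================
Slot: 2  Module SN: FPM20FTB19000002
  Status:Working   Function:Active
  Link:   Base: Up   Fabric: Up
  Heartbeat: Management: Good   Data: Good
  Status Message:"Booting"
==========================================================================
Slot: 3  Module SN: FPM20FTB19000003
  Status:Dead   Function:Active
  Link:   Base: Down   Fabric: Down
  Heartbeat: Management: Failed   Data: Failed
  Status Message:"Waiting for management heartbeat"
"""

# The same chassis once every slot has finished booting.
SAMPLE_STATUS_READY = (SAMPLE_STATUS_BOOTING
                       .replace('"Booting"', '"Running"')
                       .replace("Status:Dead", "Status:Working")
                       .replace('"Waiting for management heartbeat"', '"Running"'))

SLOT_RE = re.compile(r"^Slot:\s*(\d+)", re.MULTILINE)
STATUS_RE = re.compile(r"^\s*Status:(\S+)", re.MULTILINE)
MESSAGE_RE = re.compile(r'^\s*Status Message:"([^"]*)"', re.MULTILINE)


def parse_slots(text):
    """Map slot number -> (Status, Status Message) from load-balance status output."""
    slots = {}
    # Split on the per-slot "Slot:" header; chunk 0 is the leading separator line,
    # then the captured slot numbers and slot bodies alternate.
    chunks = SLOT_RE.split(text)
    for number, body in zip(chunks[1::2], chunks[2::2]):
        status = STATUS_RE.search(body)
        message = MESSAGE_RE.search(body)
        slots[int(number)] = (status.group(1) if status else None,
                              message.group(1) if message else None)
    return slots


def slots_not_ready(text):
    """Return [(slot, status, message)] for every slot not at Working/Running."""
    return sorted((n, s, m) for n, (s, m) in parse_slots(text).items()
                  if s != "Working" or m != "Running")


def chassis_ready(text):
    """True only when at least one slot was parsed and all of them are Working/Running."""
    slots = parse_slots(text)
    return bool(slots) and not slots_not_ready(text)


if __name__ == "__main__":
    for label, sample in (("booting", SAMPLE_STATUS_BOOTING),
                          ("ready", SAMPLE_STATUS_READY)):
        print(label, "ready" if chassis_ready(sample) else slots_not_ready(sample))
```

chassis_ready deliberately returns False for empty or unparsed output: a chassis that is still rebooting produces no slot list at all, and a check that treated "nothing found" as "nothing wrong" would pass at exactly the moment it should fail.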


Related Articles

Technical Tip: How to rollback firmware on FortiGate-6000 and 7000 series

Technical Tip: FortiGate-6000/7000 Chassis health check commands
