FortiGate
pdudhatra
Staff
Article Id 191946
Description
This article describes how to download and install firmware from a local TFTP server via the BIOS, under CLI control.

Caution: Installing firmware from a local TFTP server under console control will reset the FortiGate to factory default settings.
If possible, consider backing up the configuration before starting the TFTP server firmware upgrade.

Components:
- A null modem, or RJ-45 to DB9 console cable, supplied with the FortiGate.
- An Ethernet RJ45 cable.
- A terminal client, such as a PC running HyperTerminal (Windows).
- A TFTP server (see the recommended software below).

Solution
Topology.




Machine Settings.
Configure the settings below on the Ethernet adapter connected to the MGMT / other port of the FortiGate.




TFTP Server configuration.
Recommended TFTP software:
tftpd64:
http://tftpd32.jounin.net/tftpd32_download.html

Select 'direct link' for the tftpd64 installer to download the tftpd64 server software.

TFTP (tftpd64) server configuration.
1) Open the tftpd64 program with 'Run as administrator' access from the Windows Start menu.





2) Open Settings -> Global in tftpd64.




3) Unselect everything except 'TFTP Server', then open the second tab, 'TFTP', and configure the settings below.





4) Select 'PXE Compatibility' and 'Bind TFTP to this address', select the Ethernet interface IP address, and select 'OK'. tftpd64 will ask to be restarted. Select 'OK'.




5) Re-open tftpd64 as described in step 1 and verify the changed settings.

Download the FortiGate firmware and verify MD5 checksum.

- Download the required firmware from the Download Firmware Images page.
- Make a note of the name of the downloaded file, for example FGT_100E-v6-build1723-FORTINET.
- On the support site, use the Download -> Firmware Image Checksums link and enter the filename with a .out extension, for example FGT_100E-v6-build1723-FORTINET.out.
- Select 'get checksum code'. The system generates an MD5 Checksum Code (for example: 9b1e345711a95d9fe05481e9f2b8bdb0) and a SHA-512 Checksum Code.
- Change the filename to image.out and copy to the TFTP directory.
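
TFTP has no authentication or integrity protection, so the checksum comparison is the only check on what gets served to the FortiGate. The script below is an added example, not part of the original article or Fortinet tooling: it compares the downloaded file against the checksum codes from the support site and copies it into the TFTP directory as image.out only when every code matches. The function names and command-line arguments are assumptions made for this example.

```python
import hashlib
import hmac
import shutil
import sys
from pathlib import Path


def file_digests(path, algorithms):
    """Read the file once, in chunks, and hash it with every algorithm."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for hasher in hashers.values():
                hasher.update(chunk)
    return {name: hasher.hexdigest() for name, hasher in hashers.items()}


def stage_firmware(download, tftp_root, expected, staged_name="image.out"):
    """Copy `download` into `tftp_root` as image.out only if it matches.

    `expected` maps an algorithm name ("md5", "sha512") to the hex code
    shown on the support site. Returns the path of the staged file."""
    if not expected:
        raise ValueError("no expected checksum supplied")
    actual = file_digests(download, tuple(expected))
    for name, want in expected.items():
        if not hmac.compare_digest(actual[name], want.strip().lower()):
            raise ValueError(f"{name} mismatch for {download}: got {actual[name]}")
    target = Path(tftp_root) / staged_name
    shutil.copyfile(download, target)
    # Re-hash the staged copy: this is the file the FortiGate will fetch.
    if file_digests(target, tuple(expected)) != actual:
        target.unlink()
        raise ValueError("staged copy differs from the verified download")
    return target


if __name__ == "__main__":
    # Assumed usage: stage.py <downloaded .out file> <TFTP directory> <SHA-512 code>
    print(stage_firmware(sys.argv[1], sys.argv[2], {"sha512": sys.argv[3]}))
```

Passing both codes, for example `{"md5": ..., "sha512": ...}`, checks both; the SHA-512 code is the stronger of the two.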

6) Select Show Dir -> Explorer and copy the 'image.out' firmware file.





Steps to load the firmware image and FortiGate TFTP configuration:

1) Connect the computer to the FortiGate using the null modem cable.
2) Restart the FortiGate.
3) When the console displays 'Press any key to display configuration menu...' press the space bar or any other key.
4) When the lettered list of options appears, press F to format the unit.
5) The confirmation message below appears.
Type 'yes' and press Enter:
It will erase data in boot device. Continue? [yes/no]:yes
6) After the unit is formatted, the lettered list of options appears again. Press G to continue to firmware installation.
7) Connect the computer running the TFTP server to the FortiGate. The console output names the port to use, as below: connect TFTP server to Ethernet port 'MGMT' / other port.
8) Type the IP address of the computer running the TFTP server and press Enter. The console displays:
Enter TFTP server address []: 192.168.1.1 (Press Enter)
9) Type the IP address of the FortiGate port that is on the same subnet as the TFTP server and press Enter. The console displays:
Enter Local Address []: 192.168.1.99 (Press Enter)
10) Type the firmware image file name and press Enter. The console displays:
Enter File Name []: image.out  <- The firmware file, renamed to 'image.out', that was copied into the tftpd64 directory

The console periodically displays a '#' (pound or hash symbol) to show the download progress.

11) When the download completes, the console displays a message similar to the one below. Press D.
Save as Default firmware/Backup firmware/Run image without saving:[D/B/R]?D
The FortiGate installs the new firmware image and restarts. The installation may take a few minutes to complete.

Troubleshooting.

After the firmware image name is entered and Enter is pressed, the FortiGate MAC address appears and the '#' symbols indicate the progress of the install.
If the MAC address does not show up, check the network cable and connector to ensure they are firmly attached to the FortiGate.

If the MAC address shows up and no '#' signs appear, check which port the network cable is in.
Use the table above in step 2 to ensure it is in the right port.

Sample Console Output:
The following is an example of what the output from the console can look like. It can vary slightly depending on the FortiGate model.
FortiGate-40C (12:29-05.08.2013)
Ver:04000009
Serial number: FGT40C123-----9
CPU(00): 525MHz
Total RAM: 512MB
Initializing boot device...
Initializing MAC... nplite#0
Press any key to display configuration menu...

[C]: Configure TFTP parameters.
[R]: Review TFTP parameters.
[T]: Initiate TFTP firmware transfer.
[F]: Format boot device.
[I]: System information.
[B]: Boot with backup firmware and set as default.
[Q]: Quit menu and continue to boot.
[H]: Display this list of options.


Enter C,R,T,F,I,B,Q,or H: F

It will erase data in boot device. Continue? [yes/no]:yes
Formatting......... Done.

[C]: Configure TFTP parameters.
[R]: Review TFTP parameters.
[T]: Initiate TFTP firmware transfer.
[F]: Format boot device.
[I]: System information.
[B]: Boot with backup firmware and set as default.
[Q]: Quit menu and continue to boot.
[H]: Display this list of options.

Enter C,R,T,F,I,B,Q,or H: C
[P]: Set firmware download port.
[D]: Set DHCP mode.
[I]: Set local IP address.
[S]: Set local subnet mask.
[G]: Set local gateway.
[V]: Set local VLAN ID.
[T]: Set remote TFTP server IP address.
[F]: Set firmware file name.
[E]: Reset TFTP parameters to factory defaults.
[R]: Review TFTP parameters.
[N]: Diagnose networking(ping).
[Q]: Quit this menu.
[H]: Display this list of options.

Enter TFTP server address []: 192.168.1.99
Enter local address []: 192.168.1.1
Enter firmware image file name []: image.out
Review the TFTP parameters; they should match the settings below.
Enter P,D,I,S,G,V,T,F,E,R,N,Q,or H: R
Image download port:    MGMT
DHCP status:            Disabled
Local VLAN ID:          <NULL>
Local IP address:       192.168.1.99
Local subnet mask:      255.255.255.0
Local gateway:          192.168.1.1
TFTP server IP address: 192.168.1.1
Firmware file name:     image.out
Quit this menu with 'Q' to go to the previous menu.
Enter P,D,I,S,G,V,T,F,E,R,N,Q,or H: Q
Press 'T' to initiate the TFTP transfer.
Enter C,R,T,F,I,B,Q,or H: T

MAC:085B0E14BB3E
###################################
Total 37651242 bytes data downloaded.
Verifying the integrity of the firmware image.

Total 262144kB unzipped.
Save as Default firmware/Backup firmware/Run image without saving:[D/B/R]?D
Programming the boot device now.
..............................................................................................................................................................................................................
Reading boot image 1393286 bytes.
Initializing firewall...
System is starting...
Starting system maintenance...
Scanning /dev/sda2... (100%)
FGT40C123-----9 login:
Troubleshooting.

If the settings above have been validated and the TFTP transfer still fails, turn off the Windows firewall and try again.
For any other issues, take a Wireshark capture on the machine's Ethernet interface for analysis.
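
When reading such a capture, the TFTP messages themselves show where the transfer stops. The decoder below is an added example, not part of the original article: it parses the UDP payloads of a transfer (message layout from RFC 1350) and reports whether the read request for image.out arrived and how the server answered. The sample payloads are constructed, and the function names are assumptions made for this example.

```python
import struct

# TFTP opcodes from RFC 1350, plus OACK from RFC 2347.
OPCODES = {1: "RRQ", 2: "WRQ", 3: "DATA", 4: "ACK", 5: "ERROR", 6: "OACK"}

# Constructed sample UDP payloads (not taken from a real capture).
SAMPLE_RRQ = b"\x00\x01image.out\x00octet\x00"
SAMPLE_DATA = b"\x00\x03\x00\x01" + b"\xaa" * 512
SAMPLE_ACK = b"\x00\x04\x00\x01"
SAMPLE_ERROR = b"\x00\x05\x00\x01File not found\x00"


def decode_tftp(payload):
    """Decode one TFTP message given the raw UDP payload."""
    if len(payload) < 4:
        raise ValueError("too short to be a TFTP message")
    opcode, arg = struct.unpack("!HH", payload[:4])
    kind = OPCODES.get(opcode)
    if kind in ("RRQ", "WRQ"):
        fields = payload[2:].split(b"\x00")
        if len(fields) < 3:
            raise ValueError("request lacks NUL-terminated filename and mode")
        name, mode = (f.decode("ascii", "replace") for f in fields[:2])
        return {"op": kind, "file": name, "mode": mode.lower()}
    if kind in ("DATA", "ACK"):
        return {"op": kind, "block": arg, "size": len(payload) - 4}
    if kind == "ERROR":
        text = payload[4:].split(b"\x00")[0].decode("ascii", "replace")
        return {"op": kind, "code": arg, "msg": text}
    if kind == "OACK":
        return {"op": kind}
    raise ValueError(f"unknown TFTP opcode {opcode}")


def diagnose(payloads, expected_file="image.out"):
    """Summarise one transfer from its UDP payloads in capture order."""
    msgs = [decode_tftp(p) for p in payloads]
    rrq = next((m for m in msgs if m["op"] == "RRQ"), None)
    if rrq is None:
        return "no read request captured: check cable, port and addresses"
    if rrq["file"] != expected_file:
        return f"FortiGate requested {rrq['file']!r}, not {expected_file!r}"
    err = next((m for m in msgs if m["op"] == "ERROR"), None)
    if err is not None:
        return f"server error {err['code']}: {err['msg']}"
    sent = [m["size"] for m in msgs if m["op"] == "DATA"]
    if not sent:
        return "read request arrived but no DATA followed: check server and firewall"
    return f"{len(sent)} DATA block(s), {sum(sent)} bytes sent"
```

Only the read request goes to UDP port 69; the server sends DATA from a different port, so filter the capture by the two hosts' addresses rather than by port.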

