FortiGate
haljawhari
Staff
Article Id 197617

Description


This article describes how to download and install firmware from a local TFTP server via the BIOS, under CLI control.

 

It is also necessary to install firmware from a local TFTP server if the 'OPEN DEVICE BOOT FAILED' message appears on the console, as follows:

 

[Screenshot: console showing the 'OPEN DEVICE BOOT FAILED' message]


Caution: Installing firmware from a local TFTP server under console control will reset the FortiGate unit to factory default settings.
Consider backing up the configuration (using the GUI or CLI commands below) before starting the TFTP server firmware upgrade:

 

execute backup config

execute backup ipsuserdefsig

 

The first command backs up the configuration and the second one backs up the IPS custom signatures, if any.

 

Scope

 

FortiGate.

 

Solution


Components:

  • A null modem, or RJ-45 to DB9 console cable, supplied with the FortiGate unit.
  • An Ethernet RJ45 cable.
  • A terminal client, such as a PC running HyperTerminal (Windows).
  • A TFTP server.

Physical connection:

 

[Image: physical connection between the PC (console cable and Ethernet cable) and the FortiGate]

 

  • The Ethernet connection can be made on any Ethernet port of the FortiGate. In this case, WAN1.

Download the required firmware and verify the MD5 checksum:

 

  1. Download the required images from the support portal page at support.fortinet.com -> Support -> Firmware Download. Select and download the specific firmware version needed, as shown in the screenshots below, and verify its MD5 checksum against the value listed on the portal.

 

[Screenshots: support portal firmware download page and version selection]

 

  1. Download and install the TFTP server on the computer from the TFTPD64 download page.
  2. Disable the Windows firewall and any other third-party packet filtering application (for example, the Trend Micro LightWeight Filter Driver).

    [Screenshot: LAN interface properties showing the Trend Micro Filter Driver]
  3. Create a directory and name it something like 'TFTP'.

  4. Move the firewall image to that directory.
  5. Rename the image file to 'image.out'. This gives the image a much shorter file name than the default one it has when downloaded from 'support.fortinet.com'. If the file name is not changed, the TFTP file transfer can fail with the error below:

    "tftp error 1 (file not found.) try to recover..."


  6. Set the computer's Ethernet interface IP as follows (the IP can be from any subnet):
    IP address: 10.10.10.1
    Subnet mask: 255.255.255.0
    Default gateway: the IP address set on the FortiGate, in this example 10.10.10.115

 

[Screenshot: TFTPD64 server settings and the computer's Ethernet interface IP configuration]

 

Note 1:

Ensure that only the firmware file named 'image.out' is present in the TFTP server's 'Current Directory.' If other files are in the directory, FortiGate may fail to load the firmware, even if the filename matches 'image.out'.
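The following is an added helper, not part of the original article: it checks the downloaded image against the MD5 listed on the support portal, copies it into the TFTP root as 'image.out' (step 5) and reports anything else left in that directory (Note 1). The paths, the expected checksum and the sample image bytes in demo() are constructed for illustration.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

IMAGE_NAME = "image.out"  # short name the BIOS TFTP loader is pointed at (step 5)


def md5_of(path: Path) -> str:
    """MD5 of a file, read in 1 MiB chunks so a large firmware image is not held in memory."""
    digest = hashlib.md5()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def stage_image(downloaded: Path, expected_md5: str, tftp_dir: Path) -> Path:
    """Verify the download against the portal checksum, then copy it as image.out.

    Raises ValueError on a checksum mismatch so a corrupt or tampered file is never staged.
    """
    actual = md5_of(downloaded)
    if actual.lower() != expected_md5.lower():
        raise ValueError(f"MD5 mismatch: got {actual}, expected {expected_md5}")
    tftp_dir.mkdir(parents=True, exist_ok=True)
    target = tftp_dir / IMAGE_NAME
    shutil.copyfile(downloaded, target)
    return target


def extra_files(tftp_dir: Path) -> list:
    """Names of anything in the TFTP root other than image.out; Note 1 requires this to be empty."""
    return sorted(p.name for p in tftp_dir.iterdir() if p.name != IMAGE_NAME)


def demo() -> dict:
    """Constructed run: a fake image in a temp dir, staged, then polluted with a stray file."""
    work = Path(tempfile.mkdtemp())
    src = work / "FGT_100F-v7.0.0-build0066-FORTINET.out"  # default download name from the article
    src.write_bytes(b"constructed firmware bytes, not a real image")
    tftp = work / "TFTP"
    staged = stage_image(src, md5_of(src), tftp)
    clean = extra_files(tftp)
    (tftp / "notes.txt").write_text("stray file")
    try:
        stage_image(src, "0" * 32, tftp)  # wrong checksum must be rejected
        rejected = False
    except ValueError:
        rejected = True
    return {"staged": staged.name, "extras_before": clean, "extras_after": extra_files(tftp), "bad_md5_rejected": rejected}
```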

 

[Screenshots illustrating Note 1: the TFTP server's current directory containing only image.out]

Note 2:

The connected network adapter will not show as 'connected,' and the NIC port on the PC will not light up until the file transfer begins.

 

[Screenshot illustrating Note 2: network adapter status before the transfer begins]

  1. Connect the computer to the FortiGate unit using the null modem cable. For detailed steps for this connection, see Technical Tip: How to connect to the FortiGate console port.

Terminal client communication parameters:
                8 bits
                no parity
                1 stop bit
                9600 baud (the FortiGate-300 uses 115,000 baud)
                Flow Control = None

 

  1. Restart the FortiGate.
  2. When the console displays 'Press any key to display configuration menu...', press any key.

FortiGate-81E (12:47-03.03.2017)
               Ver:05000007
               Serial number: FGT81E*********1
               CPU: 1000MHz
               Total RAM: 2 GB
               Initializing boot device...
               Initializing MAC... nplite#0
               Please wait for OS to boot, or press any key to display the configuration menu.

 

  1. When a list of choices with individual letters of the alphabet appears, press 'F' to format the device.

 

[C]: Configure TFTP parameters.

[R]: Review TFTP parameters.

[T]: Initiate TFTP firmware transfer.
[F]: Format boot device.

[I]: System information.

[B]: Boot with backup firmware and set as default.

[Q]: Quit menu and continue to boot.

[H]: Display this list of options.

Enter C,R,T,F,I,B,Q,or H:

It will erase data in boot device. Continue? [yes/no]:yes

Formatting..........done

Done.

 

  1. After formatting, the device will boot again.
  2. Again, a list of choices with letters will appear. Press 'R' to review the TFTP parameters.

 

Enter C,R,T,F,I,B,Q,or H:R

Image download port: WAN1  <----- This port of the FortiGate should be connected to the computer ethernet port.
                   DHCP status: Disabled
                   Local VLAN ID: <NULL>
                   Local IP address: 10.10.10.115
                   Local subnet mask: 255.255.255.0
                   Local gateway: 10.10.10.1
                   TFTP server IP address: 10.10.10.1
                   Firmware file name: FGT_100F-v7.0.0-build0066-FORTINET.out
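As an added example (not part of the original article), the following parses the '[R] Review TFTP parameters' output shown above and checks it against the computer's settings from step 6: the TFTP server address must be the PC's address, the FortiGate's local IP must sit in the PC's subnet, DHCP must be disabled and the file name must be 'image.out'. The sample output is copied from the article with the arrow annotation removed; the PC addresses are the article's example values.

```python
import ipaddress

# Constructed from the review output above (annotation arrow removed).
REVIEW_OUTPUT = """\
Image download port: WAN1
DHCP status: Disabled
Local VLAN ID: <NULL>
Local IP address: 10.10.10.115
Local subnet mask: 255.255.255.0
Local gateway: 10.10.10.1
TFTP server IP address: 10.10.10.1
Firmware file name: FGT_100F-v7.0.0-build0066-FORTINET.out
"""


def parse_review(text: str) -> dict:
    """Split each 'Key: value' line of the BIOS review screen into a dict."""
    params = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            params[key.strip()] = value.strip()
    return params


def check_params(params: dict, pc_ip: str, pc_mask: str, expected_file: str = "image.out") -> list:
    """Return a list of human-readable problems; an empty list means the transfer can be started."""
    problems = []
    local = ipaddress.ip_interface(f"{params['Local IP address']}/{params['Local subnet mask']}")
    gateway = ipaddress.ip_address(params["Local gateway"])
    tftp = ipaddress.ip_address(params["TFTP server IP address"])
    pc = ipaddress.ip_interface(f"{pc_ip}/{pc_mask}")
    if params.get("DHCP status") != "Disabled":
        problems.append("DHCP must be disabled; the PC runs no DHCP server")
    if tftp != pc.ip:
        problems.append(f"TFTP server IP {tftp} is not the PC address {pc.ip}")
    if local.network != pc.network:
        problems.append(f"FortiGate {local} and PC {pc} are not on the same subnet")
    if gateway not in local.network:
        problems.append(f"Local gateway {gateway} is outside {local.network}")
    if params.get("Firmware file name") != expected_file:
        problems.append(f"Firmware file name is '{params.get('Firmware file name')}', expected '{expected_file}'")
    return problems
```

Run against the article's values, the only finding is the long default file name, which is exactly what step 'C' / '[F]' changes to 'image.out'.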

 

  1. Once again, a list of choices with letters will appear. Press 'C' to configure TFTP parameters.

 

[C]: Configure TFTP parameters.

[R]: Review TFTP parameters.

[T]: Initiate TFTP firmware transfer.

[F]: Format boot device.

[I]: System information.

[B]: Boot with backup firmware and set as default.

[Q]: Quit menu and continue to boot.

[H]: Display this list of options.

Enter C,R,T,F,I,B,Q,or H:C

 

  1. Change the parameters so that they match the TFTP server configuration.

 

[P]: Set firmware download port.
[D]: Set DHCP mode.
[I]: Set local IP address.
[S]: Set local subnet mask.
[G]: Set local gateway.
[V]: Set local VLAN ID.
[T]: Set remote TFTP server IP address.
[F]: Set firmware file name.
[E]: Reset TFTP parameters to factory defaults.
[R]: Review TFTP parameters.
[N]: Diagnose networking(ping).
[Q]: Quit this menu.
[H]: Display this list of options.

Enter P,D,I,S,G,V,T,F,E,R,N,Q,or H:    <-- [I]: Set local IP address.

Enter local IP address [10.1.1.115]: 10.10.10.115

.done

Enter P,D,I,S,G,V,T,F,E,R,N,Q,or H:        <-- [S]: Set local subnet mask.

Enter local subnet mask [255.255.255.0]: 255.255.255.0

.done

Enter P,D,I,S,G,V,T,F,E,R,N,Q,or H:     <-- [G]: Set local gateway.

Enter local gateway [10.1.1.1]: 10.10.10.1

.done

Enter P,D,I,S,G,V,T,F,E,R,N,Q,or H:      <-- [T]: Set remote TFTP server IP address.

Enter remote TFTP server IP address [10.1.1.1]: 10.10.10.1
.done

Enter P,D,I,S,G,V,T,F,E,R,N,Q,or H:           <-- [F]: Set firmware file name.

Enter firmware file name [FGT_100F-v7.0.0-build0066-FORTINET.out]: image.out

.done

Enter P,D,I,S,G,V,T,F,E,R,N,Q,or H:           <-- [Q]: Quit this menu.

 

  1. Now press 'T' to initiate TFTP firmware transfer.

 

Please connect TFTP server to Ethernet port 'WAN1'.

MAC: 94:ff:3c:6e:e9:66

Connect to tftp server 10.10.10.1 ...

 

Once the link comes up and the transfer begins, the screen fills with '#' symbols as shown below. This means that the TFTP transfer has started successfully.

 

#######################################################################################################################################################################################
Image Received.
Checking image... OK
This firmware image is certified!
Save as Default firmware/Backup firmware/Run image without saving:[D/B/R]?D

Programming the boot device now. The system must re-layout the boot device to install this firmware.
The default and backup firmware will be lost.
Continue:[Y/N]?Y
.. OK
Verifying... OK
.done


Booting OS...
Initializing firewall...

System is starting...
Resizing shared data partition...done
Formatting shared data partition ... done!
Starting system maintenance...
Scanning /dev/mmcblk0p1... (100%)
Scanning /dev/mmcblk0p3... (100%)


FortiGate-81E login: admin
Password:
You are forced to change your password. Please input a new password.
New Password:
Confirm Password:
Welcome!

 

After formatting, the device is reachable again on the default IP 192.168.1.99/24. The laptop connected to the management interface must therefore have an IP address in this subnet; the backed-up configuration file can then be restored via the GUI or CLI.

 

If an error occurs while loading the firmware, it looks like one of the messages below; the solution can be found in the related articles listed at the end of this page.

Fatal error: Loading FOS fails!
  Please power cycle. System halted.

 

Or:

 

Fatal error: AV engine file authentication failed!
  Please power cycle. System halted.


Note:

  1. Make sure the TFTP server build matches the computer's architecture, for example tftpd64 for a 64-bit computer.
  2. While transferring the image through the TFTP server, make sure the Windows firewall and antivirus are disabled. If Wi-Fi is connected, disconnect it while the firmware image is being transferred.

Related articles:

Troubleshooting Tip: Unable to boot the firewall or load firmware image

Troubleshooting Tip: Boot secondary/stand by firmware from console

Technical Tip: FortiGate TFTP Upgrade 

Comments
H_aristizabal

This document can also be used to boot with the backup/secondary firmware (step 11) in case the main one is bad or corrupted.