Description | This article describes the Firmware Signature Validation check on FortiGate 6000/7000 Chassis platforms when they are upgraded to 6.4.13 or 7.0.12. |
Scope | FortiGate-6000/7000 Chassis platforms. |
Solution |
Starting from 6.4.13 and 7.0.12, the security level is enabled for firmware validation.
Firmware upgrade for 7.0.12:
When upgrading the chassis to version 7.0.12, it is necessary to verify the certified or uncertified status of each FPC/FPM in the get system status output. This is due to the new firmware signature verification introduced in firmware version 7.0.12.
6300F [FPC01] $ get sys status
It will not impact the normal operation or performance of the device, but it is strongly recommended to fix this issue. This issue can be fixed by reuploading the same 7.0.12 build once more on 6k/7k platforms. However, before fixing this issue, first validate the device functionality on 7.0.12 to confirm the build is stable for the environment. This keeps a smooth rollback option available in case the 7.0.12 build proves unstable in the environment.
Note: this firmware signature validation varies by hardware platform and firmware version.
- Expected output for 7.0.12
Version: FortiGate-6301F v7.0.12,build0168,230612 (GA.M)
- Expected output for a firmware upgrade to 6.4.13
FortiGate-6000F / 7000E:
Version: FortiGate-6501F v6.4.13,build1930,230609 (GA.M)
FortiGate-7000F:
Version: FortiGate-7121F v6.4.13,build1930,230609 (GA.M)
Since 7000F is a newer platform, firmware signatures can show as certified in 6.4.13 while the security level is set to 0, because in this case the BIOS is preprogrammed to verify firmware signatures. |
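The per-slot check described above can be scripted over a saved CLI capture. This is an added example, not Fortinet tooling: the `Firmware Signature` and `Security Level` field labels, the constructed sample capture and the function names are assumptions to adjust to what the build actually prints.

```python
import re

# Constructed sample: a saved capture of `get sys status` from three slots.
# "Security Level" and "Firmware Signature" are assumed field labels.
SAMPLE = """\
6300F [FPC01] $ get sys status
Version: FortiGate-6301F v7.0.12,build0168,230612 (GA.M)
Security Level: 1
Firmware Signature: certified
6300F [FPC02] $ get sys status
Version: FortiGate-6301F v7.0.12,build0168,230612 (GA.M)
Security Level: 1
Firmware Signature: uncertified
6300F [FPC03] $ get sys status
Version: FortiGate-6301F v7.0.12,build0168,230612 (GA.M)
"""

# Prompt line such as "6300F [FPC01] $ get sys status" names the slot.
PROMPT = re.compile(r"^\S+\s+\[(?P<slot>[A-Z]+\d+)\]\s+\$\s+get sys(?:tem)? status\s*$")
FIELD = re.compile(r"^(Version|Security Level|Firmware Signature):\s*(.+?)\s*$")


def parse_status(capture):
    """Group status fields by the slot named in each CLI prompt."""
    slots, current = {}, None
    for line in capture.splitlines():
        m = PROMPT.match(line)
        if m:
            current = slots.setdefault(m["slot"], {})
            continue
        f = FIELD.match(line)
        if f and current is not None:
            current[f[1]] = f[2]
    return slots


def unverified_slots(slots):
    """Return slots that do not report a certified firmware signature.

    A missing field counts as unverified rather than assumed good.
    Security level is not used: the article notes that 7000F can show
    certified firmware while the security level is 0.
    """
    return sorted(s for s, f in slots.items()
                  if f.get("Firmware Signature", "").lower() != "certified")


if __name__ == "__main__":
    parsed = parse_status(SAMPLE)
    for slot in sorted(parsed):
        print(slot, parsed[slot].get("Firmware Signature", "missing"))
    print("Slots to review:", unverified_slots(parsed))
```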
Copyright 2024 Fortinet, Inc. All Rights Reserved.