Created on 11-02-2023 10:49 PM Edited on 10-15-2024 10:19 AM By Stephen_G
Description
This article describes how to downgrade firmware between Minor Releases on FortiGate. Examples of Minor Release downgrades are from v7.4.x to v7.2.x, whereas a Patch Release downgrade would be from v7.2.5 to v7.2.3. The v7 Major Release includes both v7.4.x and v7.2.x.
Scope
FortiGate.
Solution
Note: Firmware downgrade is not supported and has a high likelihood of causing unexpected issues. Fortinet TAC does NOT recommend performing firmware downgrade. Fortinet's QA and development teams do not test nor fix firmware downgrade issues.
Administrators are strongly recommended to consider the following alternative methods available for taking a FortiGate from a newer version of firmware back to an older version:
The remainder of this community article should only be utilized if a step-by-step firmware downgrade is the only option available (for example, when working with a remote FortiGate that has no option for on-site technicians and no config backups exist for the target older version). Even then, any maintenance windows for performing downgrades must account for possible outages/unexpected behaviors during the process.
Furthermore, take note that when downgrading FortiGates in a High Availability (HA) cluster, all members of the cluster will be downgraded simultaneously (i.e. there is no equivalent option to uninterruptible-upgrade/upgrade-mode when performing downgrades), so plan for brief network disruption when downgrading HA clusters. See also: Administration Guide: Downgrading individual device firmware. For example:
To check the upgrade path from a given start and end firmware version, refer to the Upgrade Path Tool Table. Note that the Upgrade Path Tool will only show information about ascending upgrades (minor version to major version).
To determine a downgrade path (upgrade path in reverse), set the 'Current Version' drop-down list to the target older firmware version, and set the 'Target Upgrade Version' drop-down list to the FortiGate's current FortiOS version. The list that is produced can be followed in reverse (i.e. downgrading from newer firmware to older) to reach the older firmware destination.
Note: When upgrading between Major Releases of FortiOS, there can often be significant changes in CLI syntax (e.g. new CLI options added, or adjustments/renames of existing syntax). Newer FortiOS versions will contain logic to handle upgrade scenarios gracefully, but such logic is not included for downgrade scenarios. As such, the new syntax will not revert to the old syntax, and so weird or unexpected issues may occur.
To avoid this problem, the recommendation is to restore, on the newly downgraded FortiGate, the configuration backup that was automatically taken when the FortiGate was first being upgraded.
For example, if an upgrade from v7.2.5 to v7.4.0 was done, a config backup for v7.2.5 would already have been taken at that time. If issues are faced after the downgrade from v7.4.0 to v7.2.5, simply restore the config that was previously taken on v7.2.5.
Note that this assumes that the downgrade is occurring relatively recently after a firmware upgrade occurred. If the upgrade occurred some time ago then it's possible that the config backup is out-of-date (e.g. changes may have been made after the upgrade that are not reflected in the older, pre-upgrade backup). Keep this in mind when restoring older config backups.
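As an added example (not from the original article or from Fortinet), the Python script below checks that a config backup's header matches the downgrade target before the backup is restored, and labels the move as a Minor or Patch downgrade in this article's terms. It assumes the backup starts with the `#config-version=<model>-<version>-FW-build...` header line; the sample headers, build numbers and function names are constructed for illustration.

```python
import re

# Assumed first line of a FortiOS config backup, for example:
#   #config-version=FGT60F-7.2.5-FW-build0000-000000:opmode=0:vdom=0:user=admin
HEADER_RE = re.compile(
    r"^#config-version=(?P<model>[A-Za-z0-9]+)-(?P<ver>\d+\.\d+\.\d+)-FW-build\d+-"
)

def parse_version(text):
    """'v7.2.5' or '7.2.5' -> (7, 2, 5)."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"not a FortiOS version: {text!r}")
    return tuple(int(p) for p in m.groups())

def downgrade_kind(current, target):
    """Classify the move: 'major', 'minor', 'patch' or 'not a downgrade'."""
    cur, tgt = parse_version(current), parse_version(target)
    if tgt >= cur:
        return "not a downgrade"
    if tgt[0] != cur[0]:
        return "major"
    return "minor" if tgt[1] != cur[1] else "patch"

def check_backup(config_text, target, model):
    """Return reasons the backup should not be restored on a unit downgraded
    to `target`; an empty list means model and version both match."""
    first = config_text.splitlines()[0] if config_text.strip() else ""
    m = HEADER_RE.match(first)
    if not m:
        return ["no #config-version header; cannot tell which firmware wrote it"]
    problems = []
    if m["model"] != model:
        problems.append(f"backup is for model {m['model']}, unit is {model}")
    if parse_version(m["ver"]) != parse_version(target):
        problems.append(f"backup was taken on v{m['ver']}, target is {target}")
    return problems

# Constructed sample backups (placeholder build numbers, not real builds).
TAIL = "-FW-build0000-000000:opmode=0:vdom=0:user=admin\nconfig system global\nend\n"
PRE_UPGRADE = "#config-version=FGT60F-7.2.5" + TAIL   # taken before the upgrade
POST_UPGRADE = "#config-version=FGT60F-7.4.0" + TAIL  # taken on the newer firmware

if __name__ == "__main__":
    print(downgrade_kind("v7.4.0", "v7.2.5"))
    for name, text in (("pre-upgrade", PRE_UPGRADE), ("post-upgrade", POST_UPGRADE)):
        print(name, check_backup(text, "v7.2.5", "FGT60F") or "OK to restore")
```

A matching header only confirms which firmware wrote the file; it does not show whether changes were made after the backup was taken.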
For the firmware downgrade/upgrade procedure, follow this related KB article: Technical Tip: How to upgrade FortiGate firmware.
Disclaimer: Fortinet TAC does NOT provide stand-by support for firmware upgrades/downgrades. Call the Fortinet Support Hotline only when an issue is encountered during the upgrade/downgrade process. Furthermore, if an issue occurs as a result of a downgrade, be prepared to perform a TFTP format and reinstall operation in order to restore service. See: Technical Tip: Formatting and loading FortiGate firmware image using TFTP.