Matt_B
Staff
Article Id 349392
Description This article describes the FortiGate/FortiOS concept of an ‘upgrade path’ and some commonly encountered scenarios.
Scope All FortiOS versions.
Solution

Definition of an upgrade path.

 

A FortiGate 'upgrade path' is a platform-specific sequence of supported firmware images starting from an initial firmware version and ending at a target firmware version. The upgrade path may include multiple ‘intermediate steps’. Depending on the firmware version and platform, there may be multiple supported upgrade paths.

 

Upgrading from one step in the upgrade path to the next step is supported.


Is it always necessary to follow a recommended upgrade path, even for a device with a factory default configuration?

 

Following a recommended upgrade path is always required for the best results. Possible effects of upgrading without following an upgrade path include the following:

  • Configuration loss.
  • Network disruption.
  • Loss of remote management.
  • High Availability synchronization issues.
  • High Availability split-brain issues.
  • Failure to boot (for example, 'Boot failure after upgrading to v7.0.15').

 

If an upgrade path contains many steps and the device is not in production, an administrator may consider 'Formatting and loading FortiGate firmware image using TFTP' as a method of loading firmware directly without upgrading the device.

 

There are no supported 'Downgrade Paths'.

 

Downgrading FortiGate firmware is not supported and could cause any of the issues indicated for not following a recommended upgrade path. There are no recommended downgrade paths for any firmware.

 

See 'FortiGate Firmware Downgrade for Minor Releases' for alternatives to downgrading, as well as considerations to be aware of when loading earlier firmware.


Determining an upgrade path.


A recommended upgrade path is most commonly retrieved using the Upgrade Path Tool or from the FortiGate GUI 'System > Fabric Management > Select Upgrade page'. If using FortiGate GUI to determine the upgrade path, be aware of the Known Issue with the 'Follow Upgrade Path' button described later in this article.**

 

If FortiGate TAC recommends an upgrade to address an identified issue in the context of an existing support case, TAC may also specify an upgrade path.

 

Information required for the Upgrade Path Tool to determine a recommended upgrade path.

 

  • FortiGate model.
  • Current firmware version.
  • Target firmware version.

Upgrade paths can change, though rarely, so accessing the tool at a different time may give an updated result.

 

For example, a recommended upgrade path for FortiGate 121G from v7.0.14 to v7.4.5 is v7.0.14 -> v7.2.10 -> v7.4.5.




The Upgrade Path Tool ‘Target Upgrade Version’ does not include a certain target firmware version.


If the tool does not show a target firmware version in the dropdown, there is no supported Upgrade Path from the initial firmware to that firmware.

The two most common causes for this are:

  • The target firmware version does not exist for the selected FortiGate platform. For example, the latest firmware releases for FortiGate 30E are in the v6.2 branch. There are no v7.0 releases for this hardware platform.
  • The target firmware version does exist for this model, but there is no recommended upgrade path from the Current Version. For example, v7.4.3 was released on 2024-02-07, before the v7.2.9 release on 2024-08-15. There are no supported upgrade paths from v7.2.9 to v7.4.3.

 

The screenshot below indicates that, for FortiGate 100F, the earliest supported upgrade path from v7.2.9 to a v7.4 release goes from v7.2.9 to v7.4.4.

 

no available.png

Method to apply an upgrade path.


The upgrade path is applied by a FortiGate administrator using whichever upgrade method is preferred. Each step in an upgrade path is a separate firmware upgrade and the device will reboot automatically as part of each upgrade.

It is recommended to take a configuration backup before the upgrade and create a VM snapshot if the appliance is a virtual machine.

Example firmware upgrade methods include:

 

**Known Issue: GUI standalone upgrades with ‘Follow upgrade path’ from earlier v7.0, v7.2, and v7.4 firmware versions are affected by known issue 925567:


See ‘GUI Firmware Upgrade tool not following Upgrade Path on the FortiGate’ for more affected versions and available workarounds for the GUI firmware upgrade issue.


On affected firmware, the intermediate steps are incorrectly skipped when using the GUI firmware upgrade. For example, upgrading from 7.0.14 to 7.4.5 with ‘Follow upgrade path’ selected will skip 7.2.10, even though 7.2.10 is displayed as the next step.
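
One way to catch a skipped intermediate step is to compare the version running before and after each reboot against the path obtained from the Upgrade Path Tool. The following is an added example, not Fortinet code: the function names are hypothetical, and the version strings are assumed to be entered by the administrator.

```python
import re

# Path from the article's FortiGate 121G example; always take it from the Upgrade Path Tool.
PATH = "v7.0.14 -> v7.2.10 -> v7.4.5"

def parse_version(text):
    """Turn 'v7.2.10' or '7.2.10' into a comparable tuple such as (7, 2, 10)."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"not a firmware version string: {text!r}")
    return tuple(int(part) for part in m.groups())

def fmt(version):
    return "v" + ".".join(str(part) for part in version)

def parse_path(path_text):
    """Parse a path string and reject any step that is not a strict upgrade.

    Increasing numbers are necessary, not sufficient: only the tool says
    whether a step is supported (the article's v7.2.9 to v7.4.3 case).
    """
    steps = [parse_version(s) for s in path_text.split("->")]
    if len(steps) < 2:
        raise ValueError("a path needs at least a current and a target version")
    for prev, nxt in zip(steps, steps[1:]):
        if nxt <= prev:
            raise ValueError(f"{fmt(prev)} -> {fmt(nxt)} is not an upgrade")
    return steps

def next_step(path_text, running):
    """Return the image to load next, or None once the target is running."""
    steps = parse_path(path_text)
    current = parse_version(running)
    if current not in steps:
        raise ValueError(f"{running} is not on this path; look the path up again")
    idx = steps.index(current)
    return fmt(steps[idx + 1]) if idx + 1 < len(steps) else None

def check_upgrade(path_text, before, after):
    """Classify one reboot as ok, skipped, unchanged, reverted or off-path."""
    steps = parse_path(path_text)
    b, a = parse_version(before), parse_version(after)
    if b not in steps or a not in steps:
        return ("off-path", [])
    i, j = steps.index(b), steps.index(a)
    if j > i + 1:  # intermediate images were bypassed, as in known issue 925567
        return ("skipped", [fmt(s) for s in steps[i + 1:j]])
    return ({i + 1: "ok", i: "unchanged"}.get(j, "reverted"), [])
```

Running `check_upgrade` after every reboot, rather than only at the target version, flags the skip while the backup partition still holds the previous step.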

 

Upgrade path behavior for automatic upgrade methods.

 

Automatic upgrade methods follow a recommended upgrade path by default.

 

If specified in their configuration, device management products such as FortiGate Cloud and FortiManager can skip the upgrade path and upgrade a FortiGate directly. This is not the default behavior for these products and is not recommended.


Read the FortiOS Release Notes for intermediate upgrade steps.


Best Practices apply for each step in the upgrade path, including the requirement to read the Release Notes for each interim upgrade version. See 'Best Practices: Performing a firmware upgrade' as well as the Preparation Checklist in How to upgrade FortiGate firmware.

 

A recommended Upgrade Path changed.


Fortinet sometimes updates the recommended upgrade paths or Release Notes if a new issue is identified, and different FortiGate models may have different recommended upgrade paths.

 

For these reasons, it is always recommended to verify the current upgrade path before the upgrade, even if a similar upgrade was performed on a different device without incident.

 

Testing after the firmware upgrade revealed an unanticipated issue. 


Physical platforms include the option to revert to the previous configuration and firmware by booting from the backup partition. This is supported and not considered a downgrade. See ‘Selecting an alternate firmware for the next reboot’.

 

Booting from the backup partition reverts a maximum of one upgrade path step. For this reason, it is strongly recommended to test after each upgrade, not just on the target firmware version.

 

Most hypervisors or cloud platforms capable of running FortiGate virtual machines have built-in snapshot or VM backup functions. For available backup and reversion options for FortiGate virtual machines, reference any third-party documentation provided by the VM hosting solution.


Related documents:

Upgrade Path Tool Table

How to upgrade FortiGate firmware

Best Practices: Performing a firmware upgrade

Release Notes: GUI firmware upgrade does not follow the recommended upgrade path (v7.2.8)

Recommended Release for FortiOS

How to control Automatic Upgrades/Firmware Profiles on FortiGate Cloud

Formatting and loading FortiGate firmware image using TFTP