FortiGate
Matt_B
Staff
Article Id 349628
Description

This article describes the FortiGate/FortiOS concepts of ‘Major’, ‘Minor’, and ‘Patch’ firmware versions, as well as other Fortinet-specific firmware terminology.

Scope

FortiOS.
Solution

At a high level, the version number for a given FortiOS release can be read as ‘vMajor.Minor.Patch’.

FortiGate version information is shown in the GUI under 'Dashboard -> Status', or in the CLI as the output of 'get system status'.

get system status
Version: FortiGate-61F v7.6.0,build3401,240724 (GA.F)

(other output omitted)

 

The version numbers in 'v7.6.0 build 3401 (Feature)' can be read as follows:

  • v7:   Major Version.
  • v7.6:   Minor Version.
  • v7.6.0:  Patch Version.
  • build 3401:  build number within the Major Version.
  • (Feature):  the Maturity Level of a GA build (Feature or Mature).

Differences between Major, Minor, and Patch:

 

  • Major Versions contain generational changes in the firmware. During a device’s operational life, it may or may not require an upgrade to a different Major Version, depending on operational and support requirements.


  • There are almost always significant changes between one Minor Version and the next, and it is strongly recommended to plan and test upgrades between different Minor Versions. Most physical FortiGate devices will require an upgrade to one or more new Minor Versions at some stage in their operational life to introduce new features or maintain required support levels. FortiGate virtual machines that are in place for some time may also require redeployment or upgrade to a new Minor Version, similar to physical FortiGates.

  • Patch Versions are the full GA version number, for example, v7.4.5. It is strongly recommended to regularly upgrade patch versions since new releases can include significant stability or vulnerability fixes. Upgrading the firewall can be done manually or scheduled to occur automatically.

    If ‘Automatic patch-level upgrades’ are performed, the unit upgrades to the latest available Patch Version within the current Minor Version.

    To verify if automatic patch-level upgrades from FortiGate Cloud or FortiGuard are enabled, see the articles 'How to control Automatic Upgrades/Firmware Profiles on FortiGate Cloud' and 'Automatic Patch Upgrades'.


Familiarity with the terms above is sufficient to understand most Fortinet documentation regarding FortiGate firmware management.

 

Other useful terminology:

 

  • The FortiOS firmware image is the file containing the FortiGate OS (FortiOS). Updating the running firmware image always requires a reboot. Image files can be downloaded from the support portal if the account contains a device with a current firmware license.

  • FortiOS build numbers identify a firmware image precisely within its Major Version. In some contexts, such as the configuration backup filename and output of ‘diagnose sys flash list’, the 'vMajor.Minor.Patch' version name does not appear. In this case the build number can be used to confirm the version of a given firmware image by verifying it against the firmware version’s release notes.

    diagnose sys flash list
    Partition  Image                                     TotalSize(KB)  Used(KB)  Use%  Active

    1          FGT61F-7.04-FW-build2702-240916                  253920    157344   62%  No   
    2          FGT61F-7.06-FW-build3401-240724                  253920    160880   63%  Yes 
    3          ETDB-1.00000                                    3021708    328572   11%  No   

    Image was built at Jul 24 2024 17:37:34 for b3401

  • GA is an abbreviation for ‘General Availability’ and refers to firmware releases available to customers with a valid contract through the support portal or from FortiGuard. GA firmware images are dual-signed by the Fortinet Certificate Authority and a Third-party Certificate Authority. See 'New Features: Enhance BIOS-level signature and file integrity checking'.

GA releases are the most common kind of firmware image a FortiGate administrator will interact with; however, other build classifications do exist.

  • NPI is an abbreviation for 'New Product Introduction' and refers to newly released FortiGate models. The GA release build numbers for NPI models may be different from the typical firmware. For an example, see 'Special branch supported models' in 'Release Notes: Introduction and supported models (v7.0.17)'.

  • Feature Maturity is a concept introduced in FortiOS 7.2 and is only relevant for GA releases. See 'New Features: Introduce maturity firmware levels'. For a GA release, the Feature Maturity level is either ‘Feature’ (GA.F) or ‘Mature’ (GA.M). It is sometimes necessary to upgrade from a ‘Mature’ release to a ‘Feature’ release on a new Minor Version to address specific issues or vulnerabilities.

Once a Minor Version has its first Mature release, future patches in that train are also expected to be marked as Mature.

  • Special builds are an example of a supported firmware release that is not GA. They have a Major and Minor Version, but may or may not have a corresponding Patch Version. Such builds can exist to ‘fill the gap’ for uncommon issues that are not reasonable to address in a GA release. Like GA releases, special builds have undergone QA testing. Fortinet TAC may provide customers with the appropriate firmware image under an existing support contract if an issue is identified as fixed in a particular special build.

    If TAC gives any special instructions for applying special builds, they should be followed closely. Special builds are signed by the Fortinet CA but not signed by a Third-party CA. Running a special build firmware image will show a warning depending on the BIOS security level. They can generally be treated as equivalent to their branch point for purposes of firmware upgrades and upgrade paths, see 'Verifying upgrade path for hardware running on special build'.

  • FIPS-CC images are specialized images for environments with a specific compliance requirement. They use a different versioning scheme from the one discussed in this article. See 'How to Verify if a FortiOS FIPS-CC Image is Certified or Patched' for more details.
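
The version and build fields described above can be cross-checked programmatically when auditing a fleet. The following is an added example, not Fortinet code: it parses the 'get system status' version line and the 'diagnose sys flash list' output in the formats shown in this article and reports when the active partition does not match the running build. The function names, the regular expressions and the YYMMDD reading of the date field are assumptions.

```python
import re

# Patterns follow the sample output quoted in this article. Reading the
# six-digit field as YYMMDD is an assumption ("built at Jul 24 2024" / 240724).
STATUS_RE = re.compile(
    r"Version:\s+(?P<model>\S+)\s+v(?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+),"
    r"build(?P<build>\d+),(?P<date>\d{6})(?:\s+\((?P<tag>[^)]+)\))?")
FLASH_RE = re.compile(
    r"^\s*(?P<part>\d+)\s+(?P<image>\S+-(?P<major>\d+)\.(?P<minor>\d+)-FW-"
    r"build(?P<build>\d+)-\d{6})\s+\d+\s+\d+\s+\d+%\s+(?P<active>Yes|No)\s*$", re.M)
MATURITY = {"GA.F": "Feature", "GA.M": "Mature"}

# Sample input constructed from the output shown in the article.
SAMPLE_STATUS = "Version: FortiGate-61F v7.6.0,build3401,240724 (GA.F)"
SAMPLE_FLASH = """\
1  FGT61F-7.04-FW-build2702-240916  253920  157344  62%  No
2  FGT61F-7.06-FW-build3401-240724  253920  160880  63%  Yes
3  ETDB-1.00000  3021708  328572  11%  No
"""

def parse_status(text):
    """Split the Version line into Major, Minor, Patch, build and maturity."""
    m = STATUS_RE.search(text)
    if not m:
        raise ValueError("no 'Version:' line found")
    out = {k: int(m[k]) for k in ("major", "minor", "patch", "build")}
    out["model"] = m["model"]
    out["maturity"] = MATURITY.get(m["tag"])  # None if tag is absent or not GA.F/GA.M
    return out

def parse_flash(text):
    """Return firmware partitions only; non-firmware rows (e.g. ETDB) are skipped."""
    return [{"partition": int(m["part"]), "image": m["image"],
             "major": int(m["major"]), "minor": int(m["minor"]),
             "build": int(m["build"]), "active": m["active"] == "Yes"}
            for m in FLASH_RE.finditer(text)]

def check_device(status_text, flash_text):
    """Cross-check the running version against the active flash partition."""
    st = parse_status(status_text)
    findings = []
    active = [p for p in parse_flash(flash_text) if p["active"]]
    if len(active) != 1:
        findings.append("expected exactly one active firmware partition")
    elif any(active[0][k] != st[k] for k in ("major", "minor", "build")):
        findings.append(f"active image {active[0]['image']} does not match "
                        f"running build {st['build']}")
    if st["maturity"] is None:
        findings.append("no GA.F/GA.M maturity tag: verify build in release notes")
    return st, findings
```

The flash image name carries only Major, Minor and build, so the Patch Version of an inactive partition still has to be confirmed against the release notes, as described above.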


Related Article:
Technical Tip: Security enforcement change for FortiGates provisioned to FortiGate Cloud without act...