Matt_B
Staff
Article Id 349628
Description

This article describes the FortiGate/FortiOS concepts of ‘Major’, ‘Minor’, and ‘Patch’ firmware versions, as well as other Fortinet-specific firmware terminology.

Scope

FortiOS.
Solution

At a high level, the version number for a given FortiOS release can be read as ‘vMajor.Minor.Patch’.

FortiGate version information is available in the GUI under 'Dashboard -> Status', or in the CLI as the output of 'get system status'.



 

get system status
Version: FortiGate-61F v7.6.0,build3401,240724 (GA.F)

(other output omitted)

 

The version numbers in 'v7.6.0 build 3401 (Feature)' can be read as follows:

  • v7:   Major Version.
  • v7.6:   Minor Version.
  • v7.6.0:  Patch Version.
  • build 3401:  build number within the Major Version.
  • (Feature):  the Maturity Level of a GA build (Feature or Mature).

Differences between Major, Minor, and Patch:

  • Major Versions contain generational changes in the firmware. During a device’s operational life, it may or may not require an upgrade to a different Major Version, depending on operational and support requirements.

 

  • Minor Versions are branches within a Major Version and are the ‘Software Version’ referred to in Product Life Cycle information. See 'Product Life Cycle Information on Fortinet products' for how to verify the Life Cycle for a particular product. There are almost always significant changes between one Minor Version and the next, and it is strongly recommended to plan and test upgrades between different Minor Versions. Most physical FortiGate devices will require an upgrade to one or more new Minor Versions at some stage in their operational life to introduce new features or maintain required support levels. FortiGate virtual machines that are in place for some time also require upgrades, similar to physical FortiGates.

  • Patch Versions are the full GA version number, for example, v7.4.5. It is strongly recommended to regularly upgrade patch versions since new releases can include significant stability or vulnerability fixes. Upgrading the firewall can be done manually or scheduled to occur automatically.
    If ‘Automatic patch-level upgrades’ are performed, the unit upgrades to the latest available Patch Version within the current Minor Version.
    To verify if automatic patch-level upgrades from FortiGate Cloud or FortiGuard are enabled, see the articles 'How to control Automatic Upgrades/Firmware Profiles on FortiGate Cloud' and 'Automatic Patch Upgrades'.


Familiarity with the terms above is sufficient to understand most Fortinet documentation regarding FortiGate firmware management.

Other useful terminology:

The firmware image, in this context, is the file containing the FortiGate OS (FortiOS). Updating the firmware image running on the device always requires a reboot. For devices with a firmware license, image files can be downloaded from the support portal.

FortiOS build numbers identify a firmware image within its Major Version. In some contexts, such as the configuration backup filename and output of ‘diagnose sys flash list’, the full patch version does not appear. In such cases, the build number can be used to confirm the patch version of a given firmware image by verifying it against the firmware version’s release notes.

 

diagnose sys flash list
Partition  Image                                     TotalSize(KB)  Used(KB)  Use%  Active
1          FGT61F-7.04-FW-build2702-240916                  253920    157344   62%  No   
2          FGT61F-7.06-FW-build3401-240724                  253920    160880   63%  Yes 
3          ETDB-1.00000                                    3021708    328572   11%  No   
Image was built at Jul 24 2024 17:37:34 for b3401
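
The following Python sketch is an added example, not Fortinet code: it splits the 'get system status' Version line into the terms defined above and reads 'diagnose sys flash list' rows, leaving the patch version empty for any build that has not been confirmed against release notes. The function names and the CONFIRMED_BUILDS table are assumptions, and the mapping of '7.06' in an image name to v7.6 is read from the sample output in this article.

```python
import re

# Constructed sample input: the CLI output lines shown in this article.
STATUS_LINE = "Version: FortiGate-61F v7.6.0,build3401,240724 (GA.F)"
FLASH_LIST = """\
Partition  Image                                     TotalSize(KB)  Used(KB)  Use%  Active
1          FGT61F-7.04-FW-build2702-240916                  253920    157344   62%  No
2          FGT61F-7.06-FW-build3401-240724                  253920    160880   63%  Yes
3          ETDB-1.00000                                    3021708    328572   11%  No
"""
# (major, build) -> patch version, as confirmed against release notes. Only the
# pair visible in this article is listed; builds are unique per Major Version.
CONFIRMED_BUILDS = {(7, 3401): "v7.6.0"}
MATURITY = {"GA.F": "Feature", "GA.M": "Mature"}

STATUS_RE = re.compile(
    r"Version:\s+\S+\s+v(?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+),"
    r"build(?P<build>\d+),\d{6}(?:\s+\((?P<cls>[^)]+)\))?")
IMAGE_RE = re.compile(
    r"^(?P<part>\d+)\s+\S+-(?P<major>\d+)\.(?P<minor>\d+)-FW-build(?P<build>\d+)"
    r"-\d{6}\s+\d+\s+\d+\s+\d+%\s+(?P<active>Yes|No)$")

def parse_status(line):
    """Split a 'get system status' Version line into the article's terms."""
    m = STATUS_RE.search(line)
    if not m:
        raise ValueError("unrecognised Version line")
    major, minor, patch = (int(m[k]) for k in ("major", "minor", "patch"))
    return {"major": f"v{major}", "minor": f"v{major}.{minor}",
            "patch": f"v{major}.{minor}.{patch}", "build": int(m["build"]),
            "maturity": MATURITY.get(m["cls"])}  # None if not a GA.F/GA.M tag

def parse_flash_list(text):
    """Return firmware partitions; patch is None until a build is confirmed."""
    images = []
    for line in text.splitlines():
        m = IMAGE_RE.match(line.strip())
        if not m:
            continue  # header row, non-firmware partitions (ETDB), trailer text
        major, build = int(m["major"]), int(m["build"])
        images.append({
            "partition": int(m["part"]),
            "minor": f"v{major}.{int(m['minor'])}",  # "7.06" in the name -> v7.6
            "build": build,
            "active": m["active"] == "Yes",
            "patch": CONFIRMED_BUILDS.get((major, build)),
        })
    return images
```

A row whose patch value is None is the case described above: the image name carries only the Minor Version and build, so the build must be looked up in the release notes before the patch level is recorded.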

 

 

GA is an abbreviation for ‘General Availability’ and refers to firmware releases available to customers with a valid contract through the support portal or from FortiGuard. GA firmware images are dual-signed by the Fortinet Certificate Authority and a Third-party Certificate Authority. See 'New Features: Enhance BIOS-level signature and file integrity checking'.


GA releases are the most common kind of firmware image a FortiGate administrator will interact with; however, other build classifications do exist.

Feature Maturity is a concept introduced in FortiOS 7.2 and is only relevant for GA releases. See 'New Features: Introduce maturity firmware levels'.

For a GA release, the Feature Maturity level is either ‘Feature’ (GA.F) or ‘Mature’ (GA.M). The Maturity level can provide some insight into the rationale for the patch release. However, it is sometimes necessary to upgrade from a ‘Mature’ to a ‘Feature’ release to address specific issues or vulnerabilities. 


Special builds are an example of a supported firmware release that is not GA. They have a Major and Minor Version, but may or may not have a corresponding Patch Version. Such builds can exist to ‘fill the gap’ for uncommon issues that are not reasonable to address in a GA release. Like GA releases, special builds have undergone QA testing. If an issue is identified as fixed in a particular special build, Fortinet TAC may provide a customer with the matching firmware image under an existing support contract.


Special builds are signed by the Fortinet CA but not by a Third-party CA. Running a special build firmware image will show a warning depending on the BIOS security level. For purposes of firmware upgrades and upgrade paths, special builds can generally be treated as equivalent to their branch point; see 'Verifying upgrade path for hardware running on special build'.

FIPS-CC images are specialized images for environments with specific compliance requirements. They use a different versioning scheme from the one discussed in this article. See 'How to Verify if a FortiOS FIPS-CC Image is Certified or Patched' for more details.