FortiGate
sgursimran
Staff
Article Id 364824
Description

This article describes the issue users run into when upgrading an HA cluster of FortiGate-90G/91G or 120G/121G units from firmware 7.0.16/7.0.17 to 7.2.10, 7.4.5 or later.

Scope

FortiGate v7.0.16/v7.0.17

Solution

On the FortiGate-90G/91G and 120G/121G models, HA cluster upgrades from v7.0.16/v7.0.17 fail when the BIOS security level is set to High: the image that the primary pushes to the secondary over HA sync is rejected by the secondary's firmware signature validation, and the installation is aborted.
This is known issue 1102588.

 

The current BIOS security level is reported by 'get system status' (note the 'Security Level: High' line):

get system status
Version: FortiGate-120G v7.0.16,build7536,241003 (GA.M)
Security Level: High
Firmware Signature: certified
Virus-DB: 92.19222(2024-12-03 21:26)
Extended DB: 92.19222(2024-12-03 21:25)
AV AI/ML Model: 3.12007(2024-12-03 20:45)
IPS-DB: 29.00916(2024-12-05 02:16)
IPS-ETDB: 0.00000(2001-01-01 00:00)
APP-DB: 29.00916(2024-12-05 02:16)
INDUSTRIAL-DB: 6.00741(2015-12-01 02:30)
IPS Malicious URL Database: 5.00254(2024-12-06 15:16)
Serial-Number: FG120GTK24007657
BIOS version: 06000104
System Part-Number: P28808-04
Log hard disk: Not available
Hostname: DRHS-Main-120G-TOP
Private Encryption: Disable
Operation Mode: NAT
Current virtual domain: root
Max number of virtual domains: 10
Virtual domains status: 1 in NAT mode, 0 in TP mode
Virtual domain configuration: disable
FIPS-CC mode: disable
Current HA mode: a-p, primary
Cluster uptime: 2 days, 21 hours, 13 minutes, 16 seconds
Cluster state change time: 2024-12-06 14:54:20
Branch point: 0667
Release Version Information: GA
System time: Sat Dec 7 15:09:28 2024
Last reboot reason: warm reboot
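As an added pre-upgrade check (example code written for this article, not a Fortinet tool), the script below parses a captured 'get system status' output and reports whether a unit matches the conditions described above: affected model, source firmware v7.0.16/v7.0.17, BIOS Security Level High, HA enabled, and a target build of 7.2.10 / 7.4.5 or later. The sample status text is an abbreviated copy of the output shown above. The 'standalone' value of 'Current HA mode' and the branch-based reading of "or later" (7.2.x from 7.2.10, 7.4.x from 7.4.5, and every newer branch) are assumptions.

```python
import re
from typing import Optional, Tuple

# Models and source builds named in the article as affected by known issue 1102588.
AFFECTED_MODELS = {"FortiGate-90G", "FortiGate-91G", "FortiGate-120G", "FortiGate-121G"}
AFFECTED_SOURCE_VERSIONS = {"v7.0.16", "v7.0.17"}
# Earliest affected target per branch (article: "7.2.10 or 7.4.5 or later");
# branches newer than 7.4 are assumed to be in scope.
MIN_AFFECTED_TARGET = {(7, 2): (7, 2, 10), (7, 4): (7, 4, 5)}

# Constructed sample: abbreviated copy of the 'get system status' output above.
SAMPLE_STATUS = """\
Version: FortiGate-120G v7.0.16,build7536,241003 (GA.M)
Security Level: High
Firmware Signature: certified
Serial-Number: FG120GTK24007657
BIOS version: 06000104
Current HA mode: a-p, primary
"""


def version_tuple(version: str) -> Tuple[int, ...]:
    """'v7.4.5' -> (7, 4, 5); a leading 'v' is optional."""
    return tuple(int(p) for p in version.lstrip("v").split("."))


def parse_status(text: str) -> dict:
    """Turn the 'key: value' lines of 'get system status' into a dict and
    split the Version line into model / version / build."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")   # split on the first colon only
        fields[key.strip()] = value.strip()
    m = re.match(r"(?P<model>FortiGate-\S+)\s+(?P<version>v[\d.]+),build(?P<build>\d+)",
                 fields.get("Version", ""))
    if m:
        fields.update(m.groupdict())
    return fields


def target_in_scope(target: str) -> bool:
    """True if the target build is one the article says triggers the failure."""
    t = version_tuple(target)
    branch = t[:2]
    if branch in MIN_AFFECTED_TARGET:
        return t >= MIN_AFFECTED_TARGET[branch]
    return branch > (7, 4)        # assumption: later branches behave like 7.4.5+


def upgrade_blocked_by_bios(fields: dict, target: str) -> Optional[str]:
    """Return a reason string if an HA upgrade of this unit to 'target' would
    hit known issue 1102588, or None if the conditions do not all match."""
    if fields.get("model") not in AFFECTED_MODELS:
        return None
    if fields.get("version") not in AFFECTED_SOURCE_VERSIONS:
        return None
    if fields.get("Security Level", "").lower() != "high":
        return None
    ha_mode = fields.get("Current HA mode", "")
    if ha_mode.lower().startswith("standalone"):   # assumed wording for a non-HA unit
        return None
    if not target_in_scope(target):
        return None
    return (f"{fields['model']} {fields['version']} (SN {fields.get('Serial-Number', '?')}) "
            f"is at BIOS Security Level High in HA mode '{ha_mode}': upgrading to {target} "
            "hits known issue 1102588 (image fails signature validation on the secondary). "
            "Lower the BIOS security level first, or break the cluster and upgrade each unit standalone.")


if __name__ == "__main__":
    status = parse_status(SAMPLE_STATUS)
    print(upgrade_blocked_by_bios(status, "v7.4.5") or "no known BIOS-level blocker for this upgrade")
```

Run it against the output of 'get system status' from each cluster member before scheduling the upgrade; the check is intentionally conservative and only flags the exact combination the article describes.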

 

During the upgrade, the secondary unit reports 'firmware failed signature validation' for the image received from the primary, and the installation is aborted.

 

With hatalk and hasync debugging enabled on the secondary unit, the failure is visible when the image is pushed from the primary:

diagnose debug application hatalk 255
Debug messages will be on for 30 minutes.
diagnose debug application hasync 255
Debug messages will be on for 30 minutes.
diagnose debug enable

<hasync> reap child: pid=25485, status=0
<hatalk> vcluster_0: ha_prio=1(secondary), state/chg_time/now=3(standby)/1733453659/1733879631
<hasync> reap child: pid=25486, status=0
<hatalk> vcluster_0: ha_prio=1(secondary), state/chg_time/now=3(standby)/1733453659/1733879641
<hasync:WARN> conn=0x36f2af50, peer closed the connection: dst=169.254.0.1, sync_type=18(byod)
<hatalk> vcluster_0: ha_prio=1(secondary), state/chg_time/now=3(standby)/1733453659/1733879651
<hatalk> vcluster_0: ha_prio=1(secondary), state/chg_time/now=3(standby)/1733453659/1733879661
<hatalk> parse options for 'FG120GTK24007657', packet_version=58
<hatalk> cfg_changed is set to 1: intf-changed
<hatalk> vcluster_0: vmember 'FG120GTK24007657' updated, override=0, usr_priority=200, mondev/pingsvr=0/0, uptime/reset_count=1950/0, flag=0x00000009
<hatalk> vcluster_0: reelect=1, vmember updated
<hatalk> vcluster_0: ha_prio's are not changed after HA election
<hatalk> cfg_changed is set to 0: hatalk_packet_setup_heartbeat
<hatalk> setup new heartbeat packet: hbdev='port1', packet_version=39
<hatalk> options buf is small: opt_type=41(DEVINFO), opt_sz=13806, buf_sz=1231
<hatalk> pack compressed dev_info: dev_nr=33, orig_sz=13800, z_len=253
<hatalk> heartbeat packet is set on hbdev 'port1'
<hatalk> setup new heartbeat packet: hbdev='port2', packet_version=39
<hatalk> options buf is small: opt_type=41(DEVINFO), opt_sz=13806, buf_sz=1231
<hatalk> pack compressed dev_info: dev_nr=33, orig_sz=13800, z_len=253
<hatalk> heartbeat packet is set on hbdev 'port2'
<hasync> reap child: pid=25491, status=0
<hasync:WARN> conn=0x36f2af50, peer closed the connection: dst=169.254.0.1, sync_type=5(conf)
<hasync:WARN> conn=0x36f2af50, peer closed the connection: dst=169.254.0.1, sync_type=10(cli-command)
Get image from ha primary OK.
Verifying the integrity of the firmware image...
******WARNING: This firmware failed signature validation.******
Fortinet cannot verify the authenticity of this firmware and therefore
there may be a risk that the firmware contains code unknown to Fortinet.
In short, Fortinet cannot validate the firmware and makes no warranties
or representations concerning the firmware.

Installation Aborted.

 

Workaround:
Lower the BIOS security level on the cluster members, perform the upgrade, and then set the BIOS security level back to High. While the level is lowered, the BIOS no longer rejects an image that fails signature validation, so make the change from the console only, keep it in place just for the duration of the upgrade, and confirm with 'get system status' that 'Security Level: High' is reported again afterwards.

To change the security level:

  1. Connect to the console port of the FortiGate.
  2. Reboot the FortiGate ('execute reboot') and enter the BIOS menu.
  3. Press [I] to enter the System Information menu.
  4. Press [U] to enter the Set security level menu.
  5. Enter the required security level.
  6. Continue to boot the device.

Alternatively, break the HA cluster and upgrade each device individually, as described in: How to break a HA cluster and use one of the members as standalone

Related article:
Troubleshooting Tip: Unable to boot the firewall or load firmware image