FortiGate
v_ceban
Staff
Article Id 389650
Description

 

This article describes how to quickly revert to the previous firmware and configuration when SSL VPN tunnel mode has been removed by an automatic upgrade to v7.6.3.

 

Scope

 

FortiGate.

 

Solution

 

Starting from v7.4.5 and v7.6.1, automatic firmware upgrades are enabled by default. In v7.6.3, SSL VPN tunnel mode is removed.

If automatic firmware upgrades were not disabled, this may result in FortiGate upgrading to v7.6.3 before completing the migration to IPsec, causing remote VPN access to be lost.

 

Downgrading the FortiGate by applying the previous firmware file will not resolve the issue and will result in lost configuration. Instead, the fastest way to recover is to boot from the alternate partition, where the previous firmware and configuration are preserved. Only physical devices support this recovery method. VM FortiGates should be recovered manually by applying a virtual machine backup or snapshot on the hosting platform.

 

This method also applies if remote SSL VPN access was lost after a planned upgrade to v7.6.3 or later, for example after an upgrade from v7.4.6 to v7.6.3.


A detailed guide can be found in this KB article: Technical Tip: Selecting an alternate firmware for the next reboot 

 

After booting to the previous version, it is recommended to disable the automatic firmware upgrade until the migration to IPsec VPN is completed.


More information can be found in this KB article: Technical Tip: How to disable automatic firmware upgrades on FortiGate.
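
The recovery sequence described above, as it would be typed at the FortiGate CLI over a console or management connection. This is an added example, not taken from the original article; `secondary` is an assumption and must be replaced with whichever partition `diagnose sys flash list` reports as holding the previous firmware.

```fortios
# Lines starting with # are annotations, not commands.

# 1. List the flash partitions: the output shows the image stored in each
#    partition and which one is currently active.
diagnose sys flash list

# 2. Select the inactive partition that holds the previous firmware
#    (primary or secondary, according to step 1), then reboot into it.
execute set-next-reboot secondary
execute reboot

# 3. After the unit comes back up, confirm it is running the previous version.
get system status

# 4. Disable automatic firmware upgrades until the migration to IPsec VPN
#    is completed, so the unit is not upgraded to v7.6.3 again.
config system fortiguard
    set auto-firmware-upgrade disable
end
```

Configuration changes made after the upgrade exist only on the v7.6.3 partition, so take a configuration backup before rebooting if any of them need to be kept.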

 

A detailed guide for SSL VPN to IPsec VPN migration can be found in this document: SSL VPN to IPsec VPN Migration.