Description
When FortiGate firmware is upgraded, the new firmware image is stored on one partition (which becomes the primary unit) while the previous firmware image will still be stored on another partition as a backup image (the secondary unit). In some cases, firmware upgrades cause unexpected issues and reverting to the previous image is a fast fix worth considering. This article describes how to revert FortiGate to the previous firmware image when using an HA cluster. Some precautions are required in a High Availability setup.
Scope
FortiGate HA.
Solution
FortiGate has two boot partitions on its flash drive to store firmware images and configuration files.
This only works on physical appliances: Virtual Machines do not have the dual boot option. An alternative for VMs is to create snapshots before the upgrade.
Backup the configuration first before reverting to the previous firmware by using the following commands through the CLI and select which firmware should be used at the next reboot:
FGT # diag sys flash list
Partition Image TotalSize(KB) Used(KB) Use% Active
1 FGT61E-7.02-FW-build1517-230606 253920 102716 40% Yes
2 FGT61E-7.02-FW-build1262-221109 253920 98304 39% No
3 ETDB-90.06786 3021708 232936 8% No
Image build at Jun 6 2023 16:47:58 for b1517
As per the above output, partition 1 can be seen to be active and holds the current firmware 7.2.5, while the partition 2 is on 7.2.3 hold the last firmware.
FGT # execute set-next-reboot {primary | secondary} Primary and Secondary simply refer to partition number 1 or partition number 2 respectively. Partition number 3 can be ignored.
FGT # execute set-next-reboot secondary <-----In this example it will be secondary, as we want to roll back to partition 2.
Default image is changed to image# 2.
Once the secondary partition that is to be used to boot the device has been selected, reboot the FortiGate.
This can be done using the command:
FGT # execute reboot
When it comes to HA operation, there are a few things to note:
- These commands are not synchronized and must be used on every FortiGate unit member of the cluster.
- The units will boot with the newly selected firmware image and the HA master will be selected according to FortiOS HA master election process.
- Note the override flag/priority/monitored interfaces.
- Direct console access, cable access to a port, or dedicated management interface is strongly recommended for each of the units in the cluster.
- If the units are not rebooted at the same time, the cluster may no longer form after the reboot and will create a split-brain scenario. The second unit may not be reachable through 'exec ha manage'.
- Since all of the configuration changes performed since the upgrade will be lost, it is necessary to reconfigure access to the FortiGate (only if changes are performed after the upgrade).
Related articles:
