FortiGate
gmanea
Staff
Article Id 194743

Description

 

This article describes how to revert an HA cluster unit to the previous firmware image.

 

With the first firmware upgrade (or a fresh firmware installation), FortiOS creates a second boot partition. When the firmware is upgraded, the new image is written to the other partition while the previously running image remains on the existing partition as a backup. FortiOS calls these two partitions 'primary' (partition 1) and 'secondary' (partition 2). Note that 'primary' is not necessarily the partition currently running: the Active flag at the end of each line of 'diagnose sys flash list' is what shows which image is booted.

Firmware upgrades occasionally cause unexpected issues, and reverting to the previous image is a fast fix worth considering. This article covers that roll-back on an HA cluster, where some extra precautions are required because the cluster members must be reverted consistently.

 

Scope

 

FortiGate HA.


Solution

 

This only works on physical appliances: virtual machines do not have the dual-boot partition layout.

For VMs, take a hypervisor snapshot before the upgrade instead, and roll back by restoring the snapshot.

 

Back up the configuration first. Then, from the CLI, list the flash partitions to identify which one holds the previous firmware, and select the image that should be used at the next reboot:

 

diagnose sys flash list
Partition      Image                       TotalSize(KB)         Used(KB)          Use%      Active
1   FGT61E-7.02-FW-build1517-230606            253920             102716            40%          Yes
2   FGT61E-7.02-FW-build1262-221109            253920              98304            39%          No
3   ETDB-90.06786                             3021708             232936             8%          No
Image build at Jun 6 2023 16:47:58 for b1517


In the output above, the Active column shows that partition 1 is the running image and holds the current firmware, 7.2.5 (build 1517), while partition 2 holds the previous firmware, 7.2.3 (build 1262), which is the roll-back target.

 

execute set-next-reboot {primary | secondary}

 

'primary' and 'secondary' refer to partition 1 and partition 2 respectively, regardless of which one is currently active. Partition 3 holds a database image (ETDB in the output above), not firmware, and is never a reboot target.


execute set-next-reboot secondary   <----- In this example the target is 'secondary', because the previous firmware sits on partition 2. The command reports that the default image is changed to image #2.


Once the partition to boot from has been selected, reboot the FortiGate with the following command:

 

execute reboot

 
When it comes to HA operation, there are a few things to note:
  • These commands are not synchronized by HA and must be run on every member of the cluster.
  • After the reboot each unit boots the newly selected image, and the primary (active) unit is chosen by the normal FortiOS HA election process. Review the override flag, device priority and monitored interfaces beforehand so that the election produces the expected result.
  • Direct console access, a cable to a spare port, or a dedicated management interface is strongly recommended for every member of the cluster, and the serial console should remain available for the whole procedure.
  • If the units are not reverted and rebooted together, the members end up on different firmware images and the cluster may not form again after the reboot, which can produce a split-brain scenario with both units active. At that point the second unit may no longer be reachable through 'execute ha manage'. To avoid this, log in to the secondary unit from the primary's CLI with 'execute ha manage', set the next-reboot image and reboot the secondary first, then do the same on the primary.
  • Booting the previous partition also restores the configuration saved with that image, so any configuration changes made since the upgrade are lost. If administrative access (interfaces, addresses, admin accounts) was changed after the upgrade, it has to be reconfigured after the roll-back.
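The following Python script is an added example, not part of the original article and not a Fortinet tool. It parses the text of 'diagnose sys flash list' as captured from each cluster member, determines on each unit whether 'primary' or 'secondary' is the roll-back target (handling the case where partition 2 is the active one), and refuses to produce a plan when the members would boot different builds, which is the condition that stops the cluster from reforming. The sample output is constructed from the article's example and the hostnames are placeholders; in practice the text is captured from the console or through 'execute ha manage'.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: the 'diagnose sys flash list' output from the article
# (partition 1 active on 7.2.5 build 1517, partition 2 holding 7.2.3 build 1262).
SAMPLE_FLASH_LIST = """\
Partition      Image                       TotalSize(KB)         Used(KB)          Use%      Active
1   FGT61E-7.02-FW-build1517-230606            253920             102716            40%          Yes
2   FGT61E-7.02-FW-build1262-221109            253920              98304            39%          No
3   ETDB-90.06786                             3021708             232936             8%          No
Image build at Jun 6 2023 16:47:58 for b1517
"""

# One partition row: number, image name, total KB, used KB, use%, Active flag.
ROW_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)%\s+(Yes|No)\s*$")
BUILD_RE = re.compile(r"-FW-build(\d+)-")


@dataclass(frozen=True)
class Partition:
    number: int
    image: str
    active: bool

    @property
    def build(self) -> Optional[int]:
        """Firmware build number, or None for non-firmware images such as ETDB."""
        m = BUILD_RE.search(self.image)
        return int(m.group(1)) if m else None


def parse_flash_list(text: str) -> List[Partition]:
    """Parse the table rows; the header and the 'Image build at ...' trailer are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append(Partition(int(m.group(1)), m.group(2), m.group(6) == "Yes"))
    return rows


def rollback_target(parts: List[Partition]) -> Tuple[str, Partition]:
    """Return the 'execute set-next-reboot' keyword and the backup partition.

    Only partitions 1 and 2 are boot candidates; 'primary' means partition 1
    and 'secondary' means partition 2 regardless of which one is active.
    """
    boot = [p for p in parts if p.number in (1, 2) and p.build is not None]
    active = [p for p in boot if p.active]
    if len(active) != 1:
        raise ValueError("expected exactly one active firmware partition")
    backup = [p for p in boot if not p.active]
    if not backup:
        raise ValueError("no backup firmware image: single-partition unit or VM")
    if backup[0].build == active[0].build:
        raise ValueError("backup partition holds the same build; nothing to revert to")
    keyword = "primary" if backup[0].number == 1 else "secondary"
    return keyword, backup[0]


def plan_cluster_rollback(member_outputs: Dict[str, str]) -> Dict[str, str]:
    """Map each HA member (hostname -> flash list text) to its set-next-reboot keyword.

    Refuses when the members would boot different builds, since units on
    different firmware will not form a cluster after the reboot.
    """
    plan: Dict[str, str] = {}
    builds = set()
    for host, text in member_outputs.items():
        keyword, backup = rollback_target(parse_flash_list(text))
        plan[host] = keyword
        builds.add(backup.build)
    if len(builds) != 1:
        raise ValueError(f"members would revert to different builds {sorted(builds)}")
    return plan


if __name__ == "__main__":
    # Hypothetical hostnames; both members show the same partition layout here.
    cluster = {"fgt-a": SAMPLE_FLASH_LIST, "fgt-b": SAMPLE_FLASH_LIST}
    for host, keyword in plan_cluster_rollback(cluster).items():
        print(f"{host}: execute set-next-reboot {keyword}; execute reboot")
```

The check in plan_cluster_rollback is the one worth keeping in any roll-back runbook: it catches the case where one member was upgraded twice (or from a different starting version) and its backup partition holds a build the other member does not have.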
 