FortiGate
ESCHAN_FTNT
Staff
Article Id 191753

Description

This article describes how to roll back firmware on the FortiGate-6000 and 7000 series.

FortiGate has two boot partitions on the flash memory to store the firmware images and configuration files.
During a firmware upgrade, the new FortiOS image is uploaded and saved to the secondary boot partition, which is set as the active partition on reboot. The previous firmware, saved in the primary boot partition, is set as the non-active partition.

Scope

For FortiGate-6000 and FortiGate-7000 series.

Solution

On the FortiGate-6000 and 7000 series, selecting the alternate partition to boot from is not straightforward.
The administrator has to log in to each individual FPC (Fortinet Processor Card) and the MBD (Management Board) on the 6000 series, or each individual FPM (Fortinet Processing Module) and FIM (Fortinet Interface Module) on the 7000 series, and set it manually.
The situation becomes tricky when some FPM/FPC modules have a different active partition from the rest.

See the output below:

diagnose sys flash list
==========================================================================
Slot: 1  Module SN: FPC6KFTXXXXXXXXX
Partition  Image                                     TotalSize(KB)  Used(KB)  Use%  Active
1          FG-6KF-6.00-FW-build0372-201013                  253871    121098   48%  No
2          FG-6KF-6.00-FW-build0335-200331                  253871    121438   48%  Yes
3          EXDB-1.00000                                   14866900   1068832    7%  No
Image build at Mar 31 2020 19:11:43 for b0335

==========================================================================
Slot: 2  Module SN: FPC6KFTXXXXXXXXX
Partition  Image                                     TotalSize(KB)  Used(KB)  Use%  Active
1          FG-6KF-6.00-FW-build0372-201013                  253871    121094   48%  No
2          FG-6KF-6.00-FW-build0335-200331                  253871    121434   48%  Yes
3          EXDB-1.00000                                   14866900   1068832    7%  No
Image build at Mar 31 2020 19:11:43 for b0335

==========================================================================
Slot: 3  Module SN: FPC6KFTXXXXXXXXX
Partition  Image                                     TotalSize(KB)  Used(KB)  Use%  Active
1          FG-6KF-6.00-FW-build0372-201013                  253871    121150   48%  No
2          FG-6KF-6.00-FW-build0335-200331                  253871    121490   48%  Yes
3          EXDB-1.00000                                   14866900    985156    7%  No
Image build at Mar 31 2020 19:11:43 for b0335

==========================================================================
Slot: 4  Module SN: FPC6KFTXXXXXXXXX
Partition  Image                                     TotalSize(KB)  Used(KB)  Use%  Active
1          FG-6KF-6.00-FW-build0335-200331                  253871    121438   48%  Yes
2          FG-6KF-6.00-FW-build0372-201013                  253871    121098   48%  No
3          EXDB-1.00000                                   14866900   1068832    7%  No
Image build at Mar 31 2020 19:11:43 for b0335

==========================================================================
Slot: 5  Module SN: FPC6KFTXXXXXXXXX
Partition  Image                                     TotalSize(KB)  Used(KB)  Use%  Active
1          FG-6KF-6.00-FW-build0372-201013                  253871    121096   48%  No
2          FG-6KF-6.00-FW-build0335-200331                  253871    121436   48%  Yes
3          EXDB-1.00000                                   14866900   1068828    7%  No
Image build at Mar 31 2020 19:11:43 for b0335

==========================================================================
Slot: 6  Module SN: FPC6KFTXXXXXXXXX
Partition  Image                                     TotalSize(KB)  Used(KB)  Use%  Active
1          FG-6KF-6.00-FW-build0372-201013                  253871    121098   48%  No
2          FG-6KF-6.00-FW-build0335-200331                  253871    121438   48%  Yes
3          EXDB-1.00000                                   14866900   1068832    7%  No
Image build at Mar 31 2020 19:11:43 for b0335

==========================================================================
MBD SN: F6KF31TXXXXXXXXX
Partition  Image                                     TotalSize(KB)  Used(KB)  Use%  Active
1          FG-6KF-6.00-FW-build0372-201013                  253871    112666   44%  No
2          FG-6KF-6.00-FW-build0335-200331                  253871    113022   45%  Yes
3          EXDB-1.00000                                   14866900   1154260    8%  No
Image build at Mar 31 2020 19:11:43 for b0335

The majority of the active partitions are secondary partitions, except on Slot #4.
As a result, the user has to enter the command 'execute set-next-reboot primary' on all the blades (including the MBD) and the command 'execute set-next-reboot secondary' on Slot #4, which can be confusing for some users, especially when dealing with 6500F series FortiGates that have 10 FPCs and one MBD.

There is one quick method to do this:

execute set-next-reboot rollback
==========================================================================
Slot: 1  Module SN: FPC6KFTXXXXXXXXX
Default image is changed to image# 1.

==========================================================================
Slot: 2  Module SN: FPC6KFTXXXXXXXXX
Default image is changed to image# 1.

==========================================================================
Slot: 3  Module SN: FPC6KFTXXXXXXXXX
Default image is changed to image# 1.

==========================================================================
Slot: 4  Module SN: FPC6KFTXXXXXXXXX
Default image is changed to image# 2.

==========================================================================
Slot: 5  Module SN: FPC6KFTXXXXXXXXX
Default image is changed to image# 1.

==========================================================================
Slot: 6  Module SN: FPC6KFTXXXXXXXXX
Default image is changed to image# 1.

==========================================================================
MBD SN: F6KF31TXXXXXXXXX
Default image is changed to image# 1.

The command automatically sets the default image to the current non-active partition, which saves the administrator from doing it manually on every blade and eliminates the human error of booting the wrong partition.
After a reboot, all slots in the chassis are rolled back to the previous firmware and configuration.