Renante_Era
Staff
Article Id 335732
Description This article describes the process to upgrade the FortiGate CPLD version. Keep in mind that a CPLD upgrade must be done only if advised by TAC or the device might fail to boot.
Scope FortiGate 4400F Gen 2.5 only, and FortiGate 4401F Gen 2.5 only.
Solution

In some cases, once it is confirmed that the CPLD needs an update, TAC might request an upgrade of the FortiGate CPLD version.

 

  1. Confirm with TAC that the device is Gen 2.5 using Serial-Number and System Part-Number. 

    get system status

  2. Once confirmed, TAC should provide the HQIP image, which needs to be loaded using a TFTP server.

 

The following shows an example of how to upgrade CPLD2 and CPLD3 of FortiGate 4401F Gen 2.5. The steps are similar for FortiGate 4400F.

 

Note:

  • Install a TFTP server on a workstation or server if needed before starting the process.
  • Move the required HQIP special image to the TFTP server's file directory. 
  • Once the TFTP server is prepared, create a 'FG4401F' or 'FG4400F' subfolder on the TFTP folder and move cpld2 and cpld3 rpd files inside the 'FG4401F' or 'FG4400F' directory.
  • Physical access to the device is needed to complete the steps. Prepare all the tools required to connect via the console port and the management port.
  • Use the following article as a reference: Technical Tip: Required tools to restore firmware and configuration after an RMA
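
The image is loaded with the BIOS security level set to 0, so it is worth confirming the files are exactly what TAC sent before they reach the TFTP directory. The following is an added example, not Fortinet tooling: it assumes a SHA-256 manifest (in `sha256sum` format) is available for the files, and all file names are supplied by the operator.

```shell
#!/bin/sh
# Added example (not Fortinet tooling). Assumption: the checksum manifest and
# all file names are placeholders supplied by the operator.

# Usage: stage_cpld_files SRC_DIR TFTP_ROOT MODEL MANIFEST
# MANIFEST uses sha256sum format: "<sha256>  <filename>", names relative to SRC_DIR.
stage_cpld_files() {
    src=$1 root=$2 model=$3 manifest=$4

    # Only the two subfolder names the procedure uses are accepted.
    case $model in
        FG4401F|FG4400F) ;;
        *) echo "unsupported model folder: $model" >&2; return 2 ;;
    esac
    if [ ! -d "$src" ] || [ ! -d "$root" ] || [ ! -f "$manifest" ]; then
        echo "source dir, TFTP root or manifest missing" >&2; return 2
    fi

    # Refuse manifest entries that could write outside the TFTP root.
    while read -r _hash name; do
        name=${name#\*}
        case $name in
            ''|*/*|.*) echo "unsafe file name in manifest: $name" >&2; return 3 ;;
        esac
    done < "$manifest"

    # Verify every hash before anything is copied; any mismatch aborts.
    if ! (cd "$src" && sha256sum -c >/dev/null 2>&1) < "$manifest"; then
        echo "checksum verification failed; nothing staged" >&2; return 1
    fi

    mkdir -p "$root/$model" || return 2
    while read -r _hash name; do
        name=${name#\*}
        case $name in
            *.rpd) dest=$root/$model/$name ;;  # CPLD files go in the model subfolder
            *)     dest=$root/$name ;;         # HQIP image goes in the TFTP root
        esac
        # Read-only copies: the TFTP server only needs to serve them.
        cp -f "$src/$name" "$dest" && chmod 0444 "$dest" || return 2
    done < "$manifest"
}
```
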

 

Boot the device and enter the BIOS menu by pressing a key on the keyboard as shown below, then set the BIOS security level to 0.

CPU(f7:00050657 bfebfbff): MP initialization

CPU(f8:00050657 bfebfbff): MP initialization

CPU(f9:00050657 bfebfbff): MP initialization

Total RAM: 393200MB

Enabling cache...Done.

Scanning PCI bus...Done.

Allocating PCI resources...Done.

Enabling PCI resources...Done.

Zeroing IRQ settings...Done.

Verifying PIRQ tables...Done.

Boot up, boot device capacity: 28626MB.

Press any key to display configuration menu...

 

When prompted to press any key, press the Space Bar, Enter, or any other key to display the configuration menu.

 

[C]:  Configure TFTP parameters.

[R]:  Review TFTP parameters.

[T]:  Initiate TFTP firmware transfer.

[F]:  Format boot device.

[B]:  Boot with backup firmware and set as default.

[I]:  System configuration and information.

[Q]:  Quit menu and continue to boot.

[H]:  Display this list of options.

 

Enter C,R,T,F,B,I,Q,or H:

 

 Press I to enter the system configuration and information menu.

 

[S]:  Set serial port baudrate (will take effect on next boot).

[R]:  Set restricted mode.

[T]:  Set menu timeout.

[U]:  Set security level.

[I]:  Display system information.

[E]:  Reset system configuration.

[M]:  Enter memory test menu.

[Q]:  Quit this menu.

[H]:  Display this list of options.

 

Enter S,R,T,U,I,E,M,Q,or H:

 

Press U to enter the security level menu.

 

Please select security level: [1]

 [0]: Level 0

 [1]: Level 1

 [2]: Level 2

Enter selection:

 

Set the security level by pressing 0, then press Q to return to the previous menu and configure the TFTP parameters if needed.

 

[C]:  Configure TFTP parameters.

[R]:  Review TFTP parameters.

[T]:  Initiate TFTP firmware transfer.

[F]:  Format boot device.

[B]:  Boot with backup firmware and set as default.

[I]:  System configuration and information.

[Q]:  Quit menu and continue to boot.

[H]:  Display this list of options.

 

Enter C,R,T,F,B,I,Q,or H:

 

Press C to configure TFTP parameters.

 

[P]:  Set image download port.

[D]:  Set DHCP mode.

[I]:  Set local IP address.

[S]:  Set local subnet mask.

[G]:  Set local gateway.

[V]:  Set local VLAN ID.

[T]:  Set remote TFTP server IP address.

[F]:  Set firmware image file name.

[E]:  Reset TFTP parameters to factory defaults.

[R]:  Review TFTP parameters.

[N]:  Diagnose networking (ping).

[Q]:  Quit this menu.

[H]:  Display this list of options.

Enter P,D,I,S,G,V,T,F,E,R,N,Q or H:

 

Press P to configure the download port, I for the local IP address, S for the local subnet mask, G for the local gateway, T for the remote TFTP server IP address, and F for the firmware image file name.

 

Press R to review the TFTP parameters, then press Q to return to the main menu and start the HQIP image download.

 

[C]:  Configure TFTP parameters.

[R]:  Review TFTP parameters.

[T]:  Initiate TFTP firmware transfer.

[F]:  Format boot device.

[B]:  Boot with backup firmware and set as default.

[I]:  System configuration and information.

[Q]:  Quit menu and continue to boot.

[H]:  Display this list of options.

 

Enter C,R,T,F,B,I,Q,or H:

 

Press T to initiate the download process.

 

Please connect TFTP server to Ethernet port "MGMT2".

MAC:         <device MAC address>

#########################################################################

Total 76868323 bytes data downloaded.

Verifying the integrity of the firmware image.

 

Total 131072kB unzipped.

Save as Default firmware/Backup firmware/Run image without saving:[D/B/R]?

 

Press R to run the image without saving.

 

................................................................................................................................

Reading boot image 5868829 bytes.

Initializing firewall...

Loading BCM (about 120 seconds)...

BCM is in user mode, PID:868

 

System is started.

 

Please press Enter to activate this console.

 

Press the Enter key to start the CPLD upgrade.

 

Note: If the CPLD upgrade fails (which happens very rarely), retry it.

 

Start the CPLD2 update by running diagnose hardware test cpld before using diagnose cpldupdate start and entering 02 for CPLD2 ID# as shown below.

 

CPLD2.jpg

 

Start the CPLD3 update using diagnose cpldupdate start and entering 03 for CPLD3 ID# as shown below.

 

CPLD3.jpg

 

Power cycle the FortiGate and enter the BIOS menu. This must be a hard reboot: AC or DC power needs to be turned off for at least 10 seconds before being turned back on.

 

Next, change the security level to the highest level. If the highest level is 2, then enter 2 when prompted for the security level. Refer to the instructions discussed previously if needed.

 

Finally, reboot the system and verify the CPLD Version by running diagnose hardwaretest cpld.