FortiGate
Wallerson
Staff
Article Id 347586
Description This article describes how to erase and add a new FortiOS image to the Non-Active partition.
Scope FortiGate.
Solution

The following output shows two different images on each partition:

 

FortiGate # diagnose sys flash list
Partition  Image                                     TotalSize(KB)  Used(KB)  Use%  Active
1          FG6H1F-7.02-FW-build1639-240313                  253871    121450   48%  No ---> 7.2.8
2          FG6H1F-7.04-FW-build2463-230830                  253871    126857   50%  Yes --> 7.4.1
3          EXDB-1.00000                                   28327040    173048    1%  No

 

The FortiGate has FortiOS v7.2.8 in Partition 1 and FortiOS v7.4.1 in Partition 2. The currently active partition is Partition 2.

 

To erase and install a different FortiOS image in the Non-Active partition (Partition 1 in this example), there are two options.

Either upload the firmware directly to the secondary (Non-Active) partition via TFTP, or keep Partition 2 as the active partition and perform a normal firmware upgrade. A firmware upgrade always overwrites the Non-Active partition.
See more details here: Technical Tip: Keep the flash partition without it being overwritten (For rollback purposes)

If TFTP is preferred, the command 'execute restore secondary-image' must be used. FortiGate will connect to the TFTP server and download the image:

 

execute restore secondary-image tftp <filename> <ip>

 

Where 'filename' is the name of the firmware image file, and 'ip' is the IP address of the FTP/TFTP server. 

 

FortiGate # execute restore secondary-image tftp Image.out 192.168.158.10
This operation will store the firmware to backup partition.
Do you want to continue? (y/n)y

Please wait...

Connect to tftp server 192.168.158.10 ...
####################################################################################################

Get image from tftp server OK.
Verifying the signature of the firmware image.
Warning: Upgrading to an image with Mature maturity notation.

Restore to backup partition.

FortiGate #

Firmware upgrade in progress ...
Mount point is not allowed: dev: /dev/sda1, path: /data_secondary, type: ext2, flags: 32782, proc: smit (3661)
Mount point is not allowed: dev: /dev/sda1, path: /data_secondary, type: reiserfs, flags: 14, proc: smit (3661)
Done.

 

The 'Mount point is not allowed' errors are displayed because the Active boot partition is Partition 2. The previous image is erased. The FortiGate does not reboot, and the active FortiOS version remains v7.4.1:

 

FortiGate # diagnose sys flash list
Partition  Image                                     TotalSize(KB)  Used(KB)  Use%  Active
1          FG6H1F-7.04-FW-build2702-240916                  253871    104100   41%  No --> 7.4.5
2          FG6H1F-7.04-FW-build2463-230830                  253871    127778   50%  Yes --> 7.4.1
3          EXDB-1.00000                                   28327040    209924    1%  No
Image was built at Aug 30 2023 22:16:28 for b2463

 

FortiGate # get system status
Version: FortiGate-601F v7.4.1,build2463,230830 (GA.F)
Security Level: 0
Firmware Signature: certified
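
One way to check this result from a management host, as an added example that is not part of the original article or any Fortinet tooling: the Python script below parses two 'diagnose sys flash list' captures (copied from the output above) and confirms that only the Non-Active partition was replaced. The function names and the '-FW-build' image-name filter are assumptions made for this example.

```python
import re

# Output copied from the article above (the "--> x.y.z" notes are the author's).
BEFORE = """\
FortiGate # diagnose sys flash list
Partition  Image                                     TotalSize(KB)  Used(KB)  Use%  Active
1          FG6H1F-7.02-FW-build1639-240313                  253871    121450   48%  No ---> 7.2.8
2          FG6H1F-7.04-FW-build2463-230830                  253871    126857   50%  Yes --> 7.4.1
3          EXDB-1.00000                                   28327040    173048    1%  No
"""
AFTER = """\
FortiGate # diagnose sys flash list
Partition  Image                                     TotalSize(KB)  Used(KB)  Use%  Active
1          FG6H1F-7.04-FW-build2702-240916                  253871    104100   41%  No --> 7.4.5
2          FG6H1F-7.04-FW-build2463-230830                  253871    127778   50%  Yes --> 7.4.1
3          EXDB-1.00000                                   28327040    209924    1%  No
Image was built at Aug 30 2023 22:16:28 for b2463
"""

# number, image name, total KB, used KB, use %, active flag; trailing notes ignored
ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+\d+\s+\d+\s+\d+%\s+(Yes|No)\b")

def parse_flash_list(text):
    """Return {partition: (image, is_active)} for firmware partitions only."""
    parts = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # prompt, header, "Image was built at ..." line
        num, image, active = m.groups()
        # Assumption: FortiOS images carry "-FW-build" in their name, as in the
        # sample output; other rows (EXDB) are data partitions and are skipped.
        if "-FW-build" in image:
            parts[int(num)] = (image, active == "Yes")
    return parts

def check_secondary_restore(before, after):
    """Confirm the Active partition is untouched and report what was replaced."""
    b, a = parse_flash_list(before), parse_flash_list(after)
    active = [n for n, (_, is_active) in b.items() if is_active]
    if len(active) != 1:
        raise ValueError("expected exactly one active firmware partition")
    act = active[0]
    replaced = {n: (b[n][0], a[n][0]) for n in b
                if n != act and n in a and a[n][0] != b[n][0]}
    return {"active": act, "active_unchanged": a.get(act) == b[act],
            "replaced": replaced}

if __name__ == "__main__":
    print(check_secondary_restore(BEFORE, AFTER))
```
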

 

Related article:

Selecting an alternate firmware for the next reboot