sjoshi
Staff
Article Id 418097
Description

 

This article describes how to load or reimage firmware on an individual FortiProcessor Card (FPC) in a FortiGate 6000 series chassis.

 

Scope

 

FortiGate 6k Chassis.

 

Solution

 

Firmware installation on a specific FPC may be required to correct software anomalies or when the FPC is running a different firmware version than the management module. Follow the steps below.

 

 

  1. Download the firmware from the Support Portal: How to manually download Firmware of FortiGate.
  2. Upload the firmware image file onto the FortiGate 6k internal TFTP server.

 

FTP, TFTP, or USB options can be used. In this example, the TFTP method is used.

 

execute upload image tftp <image-file> <comment> <tftp-server-address>
execute upload image tftp FGT_6000F-v7.2.10.M-build1706-FORTINET.out comment 10.56.1.155

Here, 10.56.1.155 is the external TFTP server IP. Make sure the FortiGate can communicate with the external TFTP server.

 

After executing the command above, the image gets loaded into the FortiGate 6k internal TFTP server:

 

Primary (global) # execute upload image tftp FGT_6000F-v7.2.10.M-build1706-FORTINET.out comment 10.56.1.155
Please wait...

Connect to tftp server 10.56.1.155 ...
#####################################################################################################
Get image from tftp server OK.

 

  3. Log in to the console of the specific FPC that needs to be upgraded.

 

execute system console-server connect 2

 

Once the admin credentials have been entered, reboot the FPC. 

Note: Only the specific FPC is rebooted, not the whole chassis.

 

Primary (global) # execute system console-server connect 2
Trying 127.0.0.1...
Connected to 127.0.0.1.


Primary login: admin
Password:
Welcome!

Primary [FPC02] # c g

Primary [FPC02] (global) # execute reboot
This operation will reboot the system !
Do you want to continue? (y/n)y


System is rebooting...

 

When the FPC starts, monitor the boot process in the console session and press any key when prompted to interrupt it.

 

  4. Set up the TFTP parameters as required.

 

Press C and configure the TFTP parameters, such as the local IP address, local gateway, and remote TFTP server IP address.

 

[C]: Configure TFTP parameters.
[R]: Review TFTP parameters.
[T]: Initiate TFTP firmware transfer.
[F]: Format boot device.
[B]: Boot with backup firmware and set as default.
[I]: System configuration and information.
[Q]: Quit menu and continue to boot.
[H]: Display this list of options.

 

Enter C,R,T,F,B,I,Q,or H:

[P]: Set image download port.
[D]: Set DHCP mode.
[I]: Set local IP address.
[S]: Set local subnet mask.
[G]: Set local gateway.
[V]: Set local VLAN ID.
[T]: Set remote TFTP server IP address.
[F]: Set firmware image file name.
[E]: Reset TFTP parameters to factory defaults.
[R]: Review TFTP parameters.
[N]: Diagnose networking (ping).
[Q]: Quit this menu.
[H]: Display this list of options.

 

The IP address of the internal TFTP server can also be checked using the following command:

 

Primary (global) # fnsysctl ifconfig base-tftp
base-tftp Link encap:Ethernet HWaddr 02:4C:A5:94:40:C1
inet addr:169.254.255.1 Bcast:169.254.255.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1492 Metric:1
RX packets:306113 errors:0 dropped:0 overruns:0 frame:0
TX packets:306001 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:15306490 (14.6 MB) TX bytes:240536007 (229.4 MB)

 

Once everything is in place, the TFTP parameters should look like this:

 

Image download port: MGMT1
DHCP status: disabled
Local VLAN ID: none
Local IP address: 169.254.255.2
Local subnet mask: 255.255.255.0
Local gateway: 169.254.255.1
TFTP server IP address: 169.254.255.1
Firmware file name: image.out

 

  5. Press T and initiate the TFTP transfer.


Please connect TFTP server to Ethernet port "MGMT1".
MAC: 70:4C:A5:94:54:00
#####################################################################################################
Total 106808443 bytes data downloaded.
Verifying the integrity of the firmware image.
This firmware image is certified.

 

Total 262144kB unzipped.
Save as Default firmware/Backup firmware/Run image without saving:[D/B/R]? D <----- Make sure to select D here to make it the default image.
Programming the boot device now.

 

  6. Once the FPC is up, it will be synced with the MBD.

 

Primary login: admin
Password:
Welcome!

Primary [FPC02] # get sys statue

 

Primary [FPC02] # c g

Primary [FPC02] (global) # get sys status
Version: FortiGate-6301F v7.2.10,build1706,240918 (GA.M) 

 

Primary (global) # diagnose load-balance status
==========================================================================
MBD SN: F6KF31T018900015
Primary FPC Blade: slot-1

Slot 1: FPC6KFT018900168
Status:Working Function:Active
Link: Base: Up Fabric: Up
Heartbeat: Management: Good Data: Good
Status Message:"Running"
Slot 2: FPC6KFT018900176
Status:Working Function:Active
Link: Base: Up Fabric: Up
Heartbeat: Management: Good Data: Good
Status Message:"Running"
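
As a post-reimage check for the procedure above, the following added Python example (not part of the original article and not Fortinet code) parses the `get sys status` and `diagnose load-balance status` output shown here and confirms that the FPC runs the build encoded in the staged image file name and that every slot reports the values shown for a working slot. The function names and the `HEALTHY` table are assumptions of this example.

```python
import re

# Sample inputs excerpted from the console output in this article.
IMAGE_FILE = "FGT_6000F-v7.2.10.M-build1706-FORTINET.out"
SYS_STATUS = "Version: FortiGate-6301F v7.2.10,build1706,240918 (GA.M)"
LB_STATUS = """Primary FPC Blade: slot-1
Slot 1: FPC6KFT018900168
Status:Working Function:Active
Link: Base: Up Fabric: Up
Heartbeat: Management: Good Data: Good
Status Message:"Running"
Slot 2: FPC6KFT018900176
Status:Working Function:Active
Link: Base: Up Fabric: Up
Heartbeat: Management: Good Data: Good
Status Message:"Running"
"""
# Assumption: the values this article shows for a working slot are the healthy state.
HEALTHY = {"Status": "Working", "Function": "Active", "Base": "Up",
           "Fabric": "Up", "Management": "Good", "Data": "Good"}
FIELD = re.compile(r"\b(%s):\s*(\w+)" % "|".join(HEALTHY))

def image_build(filename):
    """(version, build) encoded in the firmware image file name."""
    m = re.search(r"-v(\d+\.\d+\.\d+)[^-]*-build(\d+)-", filename)
    return (m.group(1), m.group(2)) if m else None

def running_build(sys_status):
    """(version, build) from the 'Version:' line of 'get sys status'."""
    m = re.search(r"^Version:\s+\S+\s+v(\d+\.\d+\.\d+),build(\d+)", sys_status, re.M)
    return (m.group(1), m.group(2)) if m else None

def unhealthy_slots(lb_status):
    """Map slot number -> sorted fields that are missing or not healthy."""
    slots, current = {}, None
    for line in lb_status.splitlines():
        m = re.match(r"\s*Slot\s+(\d+):", line)
        if m:
            current = slots.setdefault(int(m.group(1)), {})
        elif current is not None:
            current.update(FIELD.findall(line))
    bad = {n: sorted(k for k in HEALTHY if f.get(k) != HEALTHY[k]) for n, f in slots.items()}
    return {n: ks for n, ks in bad.items() if ks}

def reimage_ok(image_file, sys_status, lb_status):
    """True only if the FPC runs the staged build and every slot is healthy."""
    staged = image_build(image_file)
    return (staged is not None and staged == running_build(sys_status)
            and not unhealthy_slots(lb_status))
```

A field that is absent from a slot's block is reported the same way as a field with an unexpected value, so truncated console captures do not pass the check.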
