Description
This article describes the two ways to load an image to an FPC. On the FortiGate-6000 Series, a TFTP server runs internally.
To upload a firmware image from an external TFTP server to the FortiGate internal TFTP server, run the following command from the MBD:
execute upload image tftp <image-file> <comment> <tftp-server-address>
Option 1: From the MBD, run 'execute load-balance update image <slot number>'.
Option 2: From the FPC, download the image from the default TFTP server running on the MBD.
Fortigate-6301F (mgmt-vdom) # diagnose ip address list | grep tftp
IP=169.254.255.1->169.254.255.1/255.255.255.0 index=17 devname=base-tftp
A 169.254.255.X IP address is required during the boot process. Use any IP address in the 169.254.255.X range and make sure that it is not in use anywhere on the network.
Fortigate-6000F (mgmt-vdom) # diagnose ip address list | grep "169.254.255\|SN" <----- 169.254.255 IP addresses usually used on the 6000 series.
Slot: 1 Module SN: FPC6KFT----------
IP=169.254.255.3->169.254.255.3/255.255.255.0 index=3 devname=x710-0
Slot: 2 Module SN: FPC6KFT----------
IP=169.254.255.4->169.254.255.4/255.255.255.0 index=3 devname=x710-0
Slot: 3 Module SN: FPC6KFT----------
IP=169.254.255.5->169.254.255.5/255.255.255.0 index=3 devname=x710-0
Slot: 4 Module SN: FPC6KFT----------
IP=169.254.255.6->169.254.255.6/255.255.255.0 index=3 devname=x710-0
Slot: 5 Module SN: FPC6KFT----------
IP=169.254.255.7->169.254.255.7/255.255.255.0 index=3 devname=x710-0
Slot: 6 Module SN: FPC6KFT----------
IP=169.254.255.8->169.254.255.8/255.255.255.0 index=3 devname=x710-0
MBD SN: FPC6KFT----------
IP=169.254.255.1->169.254.255.1/255.255.255.0 index=17 devname=base-tftp
If option 1 fails, use option 2 to download the image as described below.
Scope
FortiGate-6000 series.
Solution
Before applying the solution, make sure that the image exists in the FortiGate TFTP root directory.
The following command on the FortiGate CLI lists its contents:
fnsysctl ls -l /data2/tftproot
The output should look like the following, and the image is a *.out file:
-rw-rw-rw- 1 0 0 Tue Oct 22 01:25:48 2024 81136 bootconf.gz
-rw-rw-rw- 1 0 0 Tue Oct 22 01:25:14 2024 8388678 chassis.rom
-rw-rw-rw- 1 0 0 Tue Oct 22 01:25:14 2024 0 fgtag_carrier
-rw-rw-rw- 1 0 0 Tue Oct 22 01:25:14 2024 0 fgtag_lic
-rw-r--r-- 1 0 0 Tue Sep 17 01:39:26 2024 106804109 image.out <----- This is the file.
-rw-rw-rw- 1 0 0 Tue Oct 22 01:25:14 2024 0 low_crypto.key
-rw-rw-rw- 1 0 0 Tue Oct 22 01:25:45 2024 1 miglogdisk_info
-rw-rw-rw- 1 0 0 Tue Oct 22 01:25:20 2024 1 vdlicense-v30.dat
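The two checks described so far (the image is present in /data2/tftproot, and the local IP chosen for the FPC is free in 169.254.255.X) can be run over saved CLI output before the boot device is formatted. This is an added example, not Fortinet code; the function names and the shortened sample outputs are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample inputs, shortened from the outputs shown in this article.
IP_LIST = """\
Slot: 1 Module SN: FPC6KFT----------
IP=169.254.255.3->169.254.255.3/255.255.255.0 index=3 devname=x710-0
Slot: 2 Module SN: FPC6KFT----------
IP=169.254.255.4->169.254.255.4/255.255.255.0 index=3 devname=x710-0
MBD SN: FPC6KFT----------
IP=169.254.255.1->169.254.255.1/255.255.255.0 index=17 devname=base-tftp
"""
TFTPROOT = """\
-rw-rw-rw- 1 0 0 Tue Oct 22 01:25:48 2024 81136 bootconf.gz
-rw-r--r-- 1 0 0 Tue Sep 17 01:39:26 2024 106804109 image.out
"""
BASE_NET = ipaddress.ip_network("169.254.255.0/24")

def used_addresses(ip_list_output):
    """Addresses in 169.254.255.0/24 reported by 'diagnose ip address list'."""
    found = re.findall(r"^IP=(\d+\.\d+\.\d+\.\d+)->", ip_list_output, re.M)
    addrs = {ipaddress.ip_address(a) for a in found}
    return {a for a in addrs if a in BASE_NET}

def image_size(listing, name="image.out"):
    """Size in bytes of `name` in an 'fnsysctl ls -l' listing, or None."""
    for line in listing.splitlines():
        fields = line.split()
        # The size is the field just before the file name; notes may follow it.
        if name in fields[1:] and fields[fields.index(name, 1) - 1].isdigit():
            return int(fields[fields.index(name, 1) - 1])
    return None

def preflight(candidate, ip_list_output, listing):
    """Return a list of problems; an empty list means both checks passed."""
    problems = []
    addr = ipaddress.ip_address(candidate)
    if addr not in BASE_NET or addr in (BASE_NET.network_address, BASE_NET.broadcast_address):
        problems.append(f"{addr} is not a usable host address in {BASE_NET}")
    elif addr in used_addresses(ip_list_output):
        problems.append(f"{addr} is already in use")
    if not image_size(listing):
        problems.append("image.out is missing or empty in /data2/tftproot")
    return problems

if __name__ == "__main__":
    print(preflight("169.254.255.50", IP_LIST, TFTPROOT) or "checks passed")
```

The address check only covers addresses that the MBD reports; an address used elsewhere on the network still has to be ruled out separately.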
One option is to connect to the chassis via the console, use Ctrl+T to navigate between the FPCs of the chassis, and perform the tasks directly on the FPC.
An alternative is to connect via SSH:
Open two SSH connections to the MBD of the chassis.
In the first SSH session, execute:
execute system console-server connect 3
From the second SSH session on the MBD, reboot the failed FPC:
execute load-balance slot reboot 3
Fortigate-6301F (global) # execute system console-server connect 3
Trying 127.0.0.1...
<<<SKIPP>>>
Boot up, boot device capacity: 15272MB.
Press any key to display configuration menu...
[C]: Configure TFTP parameters.
[R]: Review TFTP parameters.
[T]: Initiate TFTP firmware transfer.
[F]: Format boot device.
[B]: Boot with backup firmware and set as default.
[I]: System configuration and information.
[Q]: Quit menu and continue to boot.
[H]: Display this list of options.
Enter C,R,T,F,B,I,Q,or H: <----- Type F.
All data will be erased, continue:[Y/N]? Y
Formatting boot device...
..............................
Format boot device completed.
Enter C,R,T,F,B,I,Q,or H: <----- Type C.
[P]: Set image download port.
[D]: Set DHCP mode.
[I]: Set local IP address.
[S]: Set local subnet mask.
[G]: Set local gateway.
[V]: Set local VLAN ID.
[T]: Set remote TFTP server IP address.
[F]: Set firmware image file name.
[E]: Reset TFTP parameters to factory defaults.
[R]: Review TFTP parameters.
[N]: Diagnose networking (ping).
[H]: Display this list of options.
[Q]: Quit this menu.
Enter P,D,I,S,G,V,T,F,E,R,N,H or Q: <----- Type I.
Enter local IP address [192.168.1.3]:169.254.255.50 <----- Choose any IP that is not in use in the 169.254.255.X subnet. Here 169.254.255.50 is used.
Enter P,D,I,S,G,V,T,F,E,R,N,H or Q: <----- Type F.
Enter firmware file name [BurnGate/Fortigate-6301F/HQIP/FGT_6000F-HQIP.4.0.1.2353.out]:image.out <----- image.out is the correct name. Type it exactly as shown.
Enter P,D,I,S,G,V,T,F,E,R,N,H or Q: <----- Type T.
Enter remote TFTP server IP address [192.168.1.168]:169.254.255.1
Enter P,D,I,S,G,V,T,F,E,R,N,H or Q: <----- Type R to review the settings.
Image download port: MGMT1
DHCP status: disabled
Local VLAN ID: none
Local IP address: 169.254.255.50 <----- Check.
Local subnet mask: 255.255.255.0 <----- Check.
Local gateway: 169.254.255.1
TFTP server IP address: 169.254.255.1 <----- Check.
Firmware file name: image.out <----- Check.
Enter P,D,I,S,G,V,T,F,E,R,N,H or Q: <----- Type Q.
Image download port: MGMT1
DHCP status: disabled
Local VLAN ID: none
Local IP address: 169.254.255.50 <----- Check.
Local subnet mask: 255.255.255.0 <----- Check.
Local gateway: 169.254.255.1
TFTP server IP address: 169.254.255.1 <----- Check.
Firmware file name: image.out <----- Check.
Enter P,D,I,S,G,V,T,F,E,R,N,H or Q: <----- Type T.
[C]: Configure TFTP parameters.
[R]: Review TFTP parameters.
[T]: Initiate TFTP firmware transfer.
[F]: Format boot device.
[B]: Boot with backup firmware and set as default.
[I]: System configuration and information.
[Q]: Quit menu and continue to boot.
[H]: Display this list of options.
Enter C,R,T,F,B,I,Q,or H:
Please connect TFTP server to Ethernet port "MGMT1".
MAC:
MAC: E8:1C:BA:54:9F:92
##########################################################################
Total 78275712 bytes data downloaded.
Verifying the integrity of the firmware image.
Total 262144kB unzipped.
Save as Default firmware/Backup firmware/Run image without saving:[D/B/R]? <----- Type D
Programming the boot device now.
................................................................................................................................................................................................................................................................
Reading boot image 3096759 bytes.
Initializing firewall...
System is starting...
Resizing shared data partition...done
Formatting shared data partition ... done!
Starting system maintenance...
Scanning /dev/sda1... (100%)
Scanning /dev/sda3... (100%)
F6KF31T019-----6 login: admin
Password:
Wait until the FPC is completely up and running. Example:
Fortigate-6301F (global) # diagnose load-balance status
Slot 3: FPC6KFT018-----1
Status:Working Function:Active
Link: Base: Up Fabric: Up
Heartbeat: Management: Good Data: Good
Status Message:"Running"
Note:
After an MBD factory reset, the FortiOS image file 'image.out' is deleted from /data2/tftproot:
fnsysctl ls -l /data2/tftproot
-rw-rw-rw- 1 0 0 Tue Oct 22 01:25:48 2024 81136 bootconf.gz
-rw-rw-rw- 1 0 0 Tue Oct 22 01:25:14 2024 8388678 chassis.rom
-rw-rw-rw- 1 0 0 Tue Oct 22 01:25:14 2024 0 fgtag_carrier
-rw-rw-rw- 1 0 0 Tue Oct 22 01:25:14 2024 0 fgtag_lic
-rw-r--r-- 1 0 0 Tue Sep 17 01:39:26 2024 106804109 image.out <----- This file is deleted after MBD "factory reset".
-rw-rw-rw- 1 0 0 Tue Oct 22 01:25:14 2024 0 low_crypto.key
-rw-rw-rw- 1 0 0 Tue Oct 22 01:25:45 2024 1 miglogdisk_info
-rw-rw-rw- 1 0 0 Tue Oct 22 01:25:20 2024 1 vdlicense-v30.dat
Installing the FortiOS image on the MBD from the GUI is a quick way to recover this file.
Follow this KB article: Technical Tip: How to manually perform a firmware upgrade from the GUI / Upgrading the firmware usin...
This procedure will upgrade all FPCs with the FortiOS image installed.
To connect to and review each FPC, follow this KB article: Technical Tip: Use the console server to access an individual FPC if no physical console connection ...