FortiGate
ssudhakar
Staff
Article Id 192497

Description

 

This article describes the two ways to load an image to an FPC. On the FortiGate-6000 Series, a TFTP server runs internally.

 

To upload a firmware image from an external TFTP server to the FortiGate internal TFTP server, run the following command:

From MBD, '# execute upload image tftp <image-file> <comment> <tftp-server-address>'.


Option 1: From the MBD, '# execute load-balance update image <slot number>'.
Option 2: From the FPC, download the image from the default TFTP server running on the MBD.

 

Fortigate-6301F (mgmt-vdom) # diagnose ip address list | grep tftp
IP=169.254.255.1->169.254.255.1/255.255.255.0 index=17 devname=base-tftp

 

- An IP address in the 169.254.255.X range is required in the boot process. Use any IP in that range and make sure that it is not in use anywhere on the network.

 

 

Fortigate-6000F (mgmt-vdom) # diagnose ip address list | grep "169.254.255\|SN"   <----- 169.254.255.X IP addresses usually used on the 6000 series.

Slot: 1  Module SN: FPC6KFT----------

IP=169.254.255.3->169.254.255.3/255.255.255.0 index=3 devname=x710-0

Slot: 2  Module SN: FPC6KFT----------

IP=169.254.255.4->169.254.255.4/255.255.255.0 index=3 devname=x710-0

Slot: 3  Module SN: FPC6KFT----------

IP=169.254.255.5->169.254.255.5/255.255.255.0 index=3 devname=x710-0

Slot: 4  Module SN: FPC6KFT----------

IP=169.254.255.6->169.254.255.6/255.255.255.0 index=3 devname=x710-0

Slot: 5  Module SN: FPC6KFT----------

IP=169.254.255.7->169.254.255.7/255.255.255.0 index=3 devname=x710-0

Slot: 6  Module SN: FPC6KFT----------

IP=169.254.255.8->169.254.255.8/255.255.255.0 index=3 devname=x710-0

MBD SN: FPC6KFT----------

IP=169.254.255.1->169.254.255.1/255.255.255.0 index=17 devname=base-tftp

 

If option 1 fails, use option 2 to download the image as described below.


Scope

 

FortiGate-6000 series.

Solution

 

Before applying the solution, make sure that the image exists in the FortiGate root directory.

The following command on the FortiGate CLI lists the directory:

 

# fnsysctl ls -l /data2/tftproot

 

The output should look like the following, and the image is a *.out file:

 

-rw-rw-rw- 1 0 0 Tue Oct 22 01:25:48 2024 81136 bootconf.gz
-rw-rw-rw- 1 0 0 Tue Oct 22 01:25:14 2024 8388678 chassis.rom
-rw-rw-rw- 1 0 0 Tue Oct 22 01:25:14 2024 0 fgtag_carrier
-rw-rw-rw- 1 0 0 Tue Oct 22 01:25:14 2024 0 fgtag_lic
-rw-r--r-- 1 0 0 Tue Sep 17 01:39:26 2024 106804109 image.out  <----- this is the file
-rw-rw-rw- 1 0 0 Tue Oct 22 01:25:14 2024 0 low_crypto.key
-rw-rw-rw- 1 0 0 Tue Oct 22 01:25:45 2024 1 miglogdisk_info
-rw-rw-rw- 1 0 0 Tue Oct 22 01:25:20 2024 1 vdlicense-v30.dat
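
A pre-flight check for the two conditions stated above (a 169.254.255.X address that is not in use, and an image.out present in the TFTP root), as an added example that is not part of the original article. It parses saved output of the two commands; the sample text and all function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample input, modelled on the CLI output shown in this article.
IP_LIST = """\
Slot: 1  Module SN: FPC6KFT----------
IP=169.254.255.3->169.254.255.3/255.255.255.0 index=3 devname=x710-0
Slot: 2  Module SN: FPC6KFT----------
IP=169.254.255.4->169.254.255.4/255.255.255.0 index=3 devname=x710-0
MBD SN: FPC6KFT----------
IP=169.254.255.1->169.254.255.1/255.255.255.0 index=17 devname=base-tftp
"""
TFTPROOT = """\
-rw-rw-rw- 1 0 0 Tue Oct 22 01:25:14 2024 8388678 chassis.rom
-rw-r--r-- 1 0 0 Tue Sep 17 01:39:26 2024 106804109 image.out
"""
BASE_NET = ipaddress.ip_network("169.254.255.0/24")

def used_addresses(ip_list_text):
    """Return every address inside 169.254.255.0/24 that the chassis reports."""
    found = re.findall(r"^IP=(\d+\.\d+\.\d+\.\d+)->", ip_list_text, re.M)
    return {ip for ip in map(ipaddress.ip_address, found) if ip in BASE_NET}

def tftp_server(ip_list_text):
    """Return the address bound to the base-tftp interface, or None."""
    m = re.search(r"^IP=(\S+?)->.*devname=base-tftp\s*$", ip_list_text, re.M)
    return ipaddress.ip_address(m.group(1)) if m else None

def image_size(listing_text, name="image.out"):
    """Size in bytes of `name`; fields are perms, links, uid, gid, date (5), size, name."""
    for line in listing_text.splitlines():
        fields = line.split()
        if len(fields) >= 11 and fields[10] == name and fields[9].isdigit():
            return int(fields[9])
    return None

def preflight(ip_list_text, listing_text, candidate):
    """Return a list of problems; an empty list means the values are usable."""
    problems = []
    ip = ipaddress.ip_address(candidate)
    if ip not in list(BASE_NET.hosts()):
        problems.append(f"{ip} is not a host address in {BASE_NET}")
    if ip in used_addresses(ip_list_text):
        problems.append(f"{ip} is already in use on the chassis")
    if tftp_server(ip_list_text) is None:
        problems.append("no base-tftp interface found")
    if not image_size(listing_text):
        problems.append("image.out is missing or empty in the TFTP root")
    return problems
```
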

 

Open two SSH connections to the MBD of the chassis.
In the first SSH session, execute:

 

execute system console-server connect 3

 

From the second SSH session on the MBD, reboot the failed FPC.

 

execute load-balance slot reboot 3

 

Fortigate-6301F (global) # execute system console-server connect 3
Trying 127.0.0.1...
<<<SKIPP>>>
Boot up, boot device capacity: 15272MB.
Press any key to display configuration menu...

[C]:  Configure TFTP parameters.
[R]:  Review TFTP parameters.
[T]:  Initiate TFTP firmware transfer.
[F]:  Format boot device.
[B]:  Boot with backup firmware and set as default.
[I]:  System configuration and information.
[Q]:  Quit menu and continue to boot.
[H]:  Display this list of options.

Enter C,R,T,F,B,I,Q,or H:                           <----- Type F.

All data will be erased, continue:[Y/N]? Y
Formatting boot device...
..............................
Format boot device completed.


Enter C,R,T,F,B,I,Q,or H:                           <----- Type C.

[P]:  Set image download port.
[D]:  Set DHCP mode.
[I]:  Set local IP address.
[S]:  Set local subnet mask.
[G]:  Set local gateway.
[V]:  Set local VLAN ID.
[T]:  Set remote TFTP server IP address.
[F]:  Set firmware image file name.
[E]:  Reset TFTP parameters to factory defaults.
[R]:  Review TFTP parameters.
[N]:  Diagnose networking (ping).
[H]:  Display this list of options.
[Q]:  Quit this menu.

Enter P,D,I,S,G,V,T,F,E,R,N,H or Q:                 <----- Type I.

Enter local IP address [192.168.1.3]:169.254.255.50 <----- Choose any IP in the 169.254.255.X subnet that is not in use. Here 169.254.255.50 is used.

Enter P,D,I,S,G,V,T,F,E,R,N,H or Q:                 <----- Type F.

Enter firmware file name [BurnGate/Fortigate-6301F/HQIP/FGT_6000F-HQIP.4.0.1.2353.out]:image.out <----- image.out is the correct name. Type it exactly as shown.

Enter P,D,I,S,G,V,T,F,E,R,N,H or Q:                 <----- Type T.

Enter remote TFTP server IP address [192.168.1.168]:169.254.255.1
Enter P,D,I,S,G,V,T,F,E,R,N,H or Q:                 <----- Type R to review the settings.

Image download port:     MGMT1
DHCP status:             disabled
Local VLAN ID:           none
Local IP address:        169.254.255.50             <----- Check
Local subnet mask:       255.255.255.0              <----- Check
Local gateway:           169.254.255.1    
TFTP server IP address:  169.254.255.1              <----- Check
Firmware file name:      image.out                  <----- Check.

Enter P,D,I,S,G,V,T,F,E,R,N,H or Q:                 <----- Type Q

Image download port:     MGMT1
DHCP status:             disabled
Local VLAN ID:           none
Local IP address:        169.254.255.50             <----- Check.
Local subnet mask:       255.255.255.0              <----- Check.
Local gateway:           169.254.255.1
TFTP server IP address:  169.254.255.1              <----- Check.
Firmware file name:      image.out                  <----- Check.


Enter P,D,I,S,G,V,T,F,E,R,N,H or Q:                 <----- Type T

[C]:  Configure TFTP parameters.
[R]:  Review TFTP parameters.
[T]:  Initiate TFTP firmware transfer.
[F]:  Format boot device.
[B]:  Boot with backup firmware and set as default.
[I]:  System configuration and information.
[Q]:  Quit menu and continue to boot.
[H]:  Display this list of options.

Enter C,R,T,F,B,I,Q,or H:

Please connect TFTP server to Ethernet port "MGMT1".
MAC:
MAC:         E8:1C:BA:54:9F:92
 ##########################################################################
Total 78275712 bytes data downloaded.
Verifying the integrity of the firmware image.

Total 262144kB unzipped.
Save as Default firmware/Backup firmware/Run image without saving:[D/B/R]? <----- Type D
Programming the boot device now.
................................................................................................................................................................................................................................................................
Reading boot image 3096759 bytes.
Initializing firewall...
System is starting...
Resizing shared data partition...done
Formatting shared data partition ... done!
Starting system maintenance...
Scanning /dev/sda1... (100%)   
Scanning /dev/sda3... (100%)   

F6KF31T019-----6 login: admin
Password:

Please wait until the FPC is completely up and running. Example:

Fortigate-6301F (global) # diagnose load-balance status
Slot 3: FPC6KFT018-----1
Status:Working   Function:Active
Link:      Base: Up          Fabric: Up
Heartbeat: Management: Good   Data: Good

Status Message:"Running"


Related document:
Installing firmware on an individual FPC