FortiGate
gmanea
Staff
Article Id 191425

Description

 

This article describes how to revert to the previous firmware image and how to roll back FortiOS after an upgrade.

This procedure only works on physical appliances. FortiOS virtual machines do not have the dual boot option.

The alternative for VMs is to create a snapshot on the hypervisor level before upgrades. It is recommended to stop the VM before taking a snapshot.

 

Scope

 

FortiGate.


Solution

 

The following CLI command lists the FortiOS image files installed in both partitions:

 

FortiGate# diagnose sys flash list
Partition    Image                       TotalSize(KB)   Used(KB)  Use%    Active
1            FGT61F-7.04-FW-build2867-260116    253920     162892   64%    No  
2            FGT61F-7.04-FW-build2878-260126    253920     162892   64%    Yes  
3            ETDB-1.00000                      3102320     186640    6%    No    
Image was built at Jan 26 2026 20:18:31 for b2878

 

For multi-VDOM, this command and the following ones are available under the 'global' context:

 

FortiGate# config global

FortiGate (global)# diagnose sys flash list

 

In the output above, partition 2 (secondary) is the Active partition (Active -> Yes) and holds the currently running firmware, v7.4.11; partition 1 (primary) holds v7.4.10. Use the build number to identify the firmware version: build numbers can be matched to firmware versions against the firmware images listed at support.fortinet.com in the Download section, or by checking the first line of a configuration backup.

Before reverting to the previous firmware, back up the configuration (for example, from the GUI). The following CLI command selects which firmware partition is used at the next reboot. In this example, the Active partition is 'secondary', so the next-reboot partition is changed to 'primary':

 

FortiGate# execute set-next-reboot {primary | secondary}
FortiGate# execute set-next-reboot primary

Default image is changed to image# 1.

 

Primary and secondary simply refer to partition 1 and partition 2, respectively. Partition 3 can be ignored. Once the partition that the device should boot from has been selected, reboot the FortiGate.

 

In an HA cluster, set the same non-active firmware partition as the next-reboot image on both the primary and secondary units.

 

To do this, run the following command:

 

FortiGate# execute set-next-reboot {primary | secondary}

 

Afterwards, reboot the slave and master units at the same time (slave first, then master).

 

The HA primary election will take place after the reboot.

 

FortiGate# execute reboot

 

After the reboot, the CLI command 'get system status' can be used to verify the running firmware. Alternatively, use the following command to verify the active partition:

 

FortiGate# diagnose sys flash list
Partition    Image                       TotalSize(KB)   Used(KB)  Use%    Active
1            FGT61F-7.04-FW-build2867-260116    253920     162892   64%    Yes  
2            FGT61F-7.04-FW-build2878-260126    253920     162892   64%    No  
3            ETDB-1.00000                      3102320     186640    6%    No    
Image was built at Jan 26 2026 20:18:31 for b2878
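The sequence above (list the partitions, pick the non-active one, set it for the next reboot, reboot, verify) can be checked mechanically before anything is typed on the device. The following Python script is an added example and is not part of this article, of FortiOS, or of any Fortinet tool: it parses the 'diagnose sys flash list' output format shown above, identifies the Active partition, maps the other firmware partition to the 'primary'/'secondary' keyword that 'execute set-next-reboot' expects, and refuses to produce a command unless the target partition holds an older build (a rollback rather than an unintended switch to a newer image). The two output samples embedded in it are constructed from the values in this article; the function names are the example's own.

```python
"""Work out the firmware revert command from 'diagnose sys flash list' output.

Added example (hypothetical script, not FortiOS or Fortinet code). The two
output samples are constructed from the partition table in this article.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, as before the revert: partition 2 is Active with build 2878.
FLASH_LIST_BEFORE = """\
Partition    Image                       TotalSize(KB)   Used(KB)  Use%    Active
1            FGT61F-7.04-FW-build2867-260116    253920     162892   64%    No
2            FGT61F-7.04-FW-build2878-260126    253920     162892   64%    Yes
3            ETDB-1.00000                      3102320     186640    6%    No
Image was built at Jan 26 2026 20:18:31 for b2878
"""

# Constructed sample, as after the revert: partition 1 is Active with build 2867.
FLASH_LIST_AFTER = """\
Partition    Image                       TotalSize(KB)   Used(KB)  Use%    Active
1            FGT61F-7.04-FW-build2867-260116    253920     162892   64%    Yes
2            FGT61F-7.04-FW-build2878-260126    253920     162892   64%    No
3            ETDB-1.00000                      3102320     186640    6%    No
"""

# 'execute set-next-reboot' names partition 1 'primary' and partition 2
# 'secondary'; partition 3 (ETDB) holds no firmware and is ignored.
PARTITION_NAMES = {1: "primary", 2: "secondary"}

ROW_RE = re.compile(
    r"^(?P<part>\d+)\s+(?P<image>\S+)\s+(?P<total>\d+)\s+(?P<used>\d+)\s+"
    r"(?P<pct>\d+)%\s+(?P<active>Yes|No)$"
)
BUILD_RE = re.compile(r"-build(?P<build>\d+)-")


@dataclass
class Partition:
    number: int
    image: str
    active: bool

    @property
    def build(self) -> Optional[int]:
        """Build number from the image name, or None for non-firmware images."""
        m = BUILD_RE.search(self.image)
        return int(m.group("build")) if m else None


def parse_flash_list(text: str) -> List[Partition]:
    """One Partition per table row; the header and 'Image was built' lines are skipped."""
    parts = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            parts.append(Partition(int(m["part"]), m["image"], m["active"] == "Yes"))
    return parts


def active_partition(parts: List[Partition]) -> Partition:
    """The single partition flagged Active; anything else means unparsable output."""
    active = [p for p in parts if p.active]
    if len(active) != 1:
        raise ValueError(f"expected exactly one Active partition, found {len(active)}")
    return active[0]


def revert_command(parts: List[Partition]) -> str:
    """Return the 'execute set-next-reboot' command that selects the other
    firmware partition, but only if that partition holds an older build."""
    current = active_partition(parts)
    others = [p for p in parts if p.number in PARTITION_NAMES and p.number != current.number]
    if len(others) != 1:
        raise ValueError("need exactly two firmware partitions (1 and 2)")
    target = others[0]
    if current.build is None or target.build is None:
        raise ValueError("could not read a build number from an image name")
    if target.build >= current.build:
        raise ValueError(
            f"partition {target.number} (build {target.build}) is not older than the "
            f"Active build {current.build}; this would not be a rollback"
        )
    return f"execute set-next-reboot {PARTITION_NAMES[target.number]}"


def verify_after_reboot(text: str, expected_partition: int) -> bool:
    """True if post-reboot 'diagnose sys flash list' output shows the expected partition Active."""
    return active_partition(parse_flash_list(text)).number == expected_partition


if __name__ == "__main__":
    print(revert_command(parse_flash_list(FLASH_LIST_BEFORE)))  # execute set-next-reboot primary
    print(verify_after_reboot(FLASH_LIST_AFTER, 1))  # True
```

Paste the real output into FLASH_LIST_BEFORE to get the command for a given unit, and feed the post-reboot output to verify_after_reboot() to confirm that the expected partition is Active. In an HA cluster the script, like the commands it wraps, has to be run against the output of each unit separately; nothing is synchronized between cluster members.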

 

VDOM administrators do not have permission to run this command; it must be executed by a super administrator. After an upgrade, the Active flag changes automatically in the same way (here, the revert from v7.4.11 to v7.4.10 looks the same as a regular firmware switch):

 

FortiGate# diagnose sys flash list
Partition    Image                       TotalSize(KB)   Used(KB)  Use%    Active
1            FGT61F-7.04-FW-build2867-260116    253920     162892   64%    Yes  
2            FGT61F-7.04-FW-build2878-260126    253920     162892   64%    No  
3            ETDB-1.00000                      3102320     186640    6%    No    
Image was built at Jan 26 2026 20:18:31 for b2878

 

Alternative method:

Selecting an alternate firmware from the boot menu:

 


 

  1. Reboot the FortiGate ('execute reboot' or power off/on).
  2. Before it starts to boot, press any key to display the configuration menu.
  3. From the presented options, choose option 'B' to boot with backup firmware.

Once this is done, FortiGate will boot up with the backup firmware image.

 

Note:

  1. Rebooting the FortiGate from the other partition will cause the loss of any configuration changes made since the upgrade. It is preferable to use Notepad++ with the Compare plugin to quickly highlight the differences between the earlier configuration backup and a backup of the currently running configuration. Reverting the configuration changes made in the recent firmware version on the primary partition can also be helpful in scenarios where device access is lost following a configuration update that disrupted communication between the FortiGate and the remote authentication server. This is particularly relevant if the device was accessed using a remotely authenticated administrator account and no local admin account is configured (or the local admin password has been lost).

  2. In HA environments, the command needs to be applied to each unit in the cluster individually. It is not synchronized and will not automatically take effect on the other units in the cluster. To switch to the passive unit's CLI, run the following:

 

execute ha manage 1 <username>   <- Use 0 if 1 is not a valid index. See Technical Tip: Managing individual cluster units with the CLI command 'execute ha manage'.

 

Both FortiGates in the HA setup should boot with backup firmware at the same time to avoid entering a split-brain scenario. If the HA setup is in Active-Passive mode, boot the Passive/Secondary device with backup firmware first, wait for it to fully boot with the previous firmware, and then proceed with the Active/Primary unit. Ensure HA election functionality is understood before this activity. See this article: Technical Tip: FortiGate HA Primary unit selection when override is disabled vs enabled.

  3. In the FortiGate-6000F, 7000E, and 7000F series, the partition has to be changed on each MBD/FPC or FIM/FPM. Alternatively, use the command described in Technical Tip: How to rollback firmware on FortiGate-6000 and 7000 series.

  4. FortiToken licenses, once added to any of the units, are kept and shared between the units of the cluster. Therefore, a reboot (or shutdown) of a unit in HA should not impact the operation or usage of FortiTokens through the remaining unit. When a downgrade is performed as above, the unit will load the previous configuration (with FortiTokens in the same state and assigned as they were before the last upgrade). This may be useful when the token licenses are not validated correctly following an upgrade.
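Note 1 above suggests comparing the two configuration backups by hand in Notepad++. The following Python script is an added example, not part of this article or of any Fortinet tool: it reads the '#config-version=' header that FortiOS writes as the first line of a backup to report the model, version and build of each file (the build-to-version correlation mentioned in the Solution section), then produces a unified diff of the remaining lines so that every '+' line is a change that booting the previous partition would discard and every '-' line is a setting that would come back. The two backups are constructed samples using the build numbers from this article; the function names are the example's own.

```python
"""Compare two FortiOS configuration backups before a firmware revert.

Added example (hypothetical script, not Fortinet code). The two backups are
constructed samples; the '#config-version=<model>-<version>-FW-build<n>-<date>:...'
header is the first line FortiOS writes into a configuration backup.
"""
import difflib
import re
from typing import Dict, List, Tuple

HEADER_RE = re.compile(
    r"^#config-version=(?P<model>[A-Z0-9_]+)-(?P<version>\d+\.\d+\.\d+)-FW-build(?P<build>\d+)-\d+"
)

# Constructed sample: backup taken before the upgrade (running v7.4.10).
BACKUP_BEFORE_UPGRADE = """\
#config-version=FGT61F-7.4.10-FW-build2867-260116:opmode=0:vdom=0:user=admin
config system global
    set hostname "FortiGate"
    set admintimeout 5
end
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
end
"""

# Constructed sample: backup of the running configuration after the upgrade
# (v7.4.11), with two changes made since the upgrade.
BACKUP_CURRENT = """\
#config-version=FGT61F-7.4.11-FW-build2878-260126:opmode=0:vdom=0:user=admin
config system global
    set hostname "FortiGate"
    set admintimeout 10
end
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
    edit "localadmin"
        set accprofile "super_admin"
    next
end
"""


def parse_header(backup: str) -> Dict[str, str]:
    """Model, firmware version and build number from the first line of a backup."""
    first = backup.splitlines()[0]
    m = HEADER_RE.match(first)
    if not m:
        raise ValueError(f"not a FortiOS configuration backup header: {first!r}")
    return m.groupdict()


def config_body(backup: str) -> List[str]:
    """Backup lines without the version header, so the diff shows only settings."""
    return backup.splitlines()[1:]


def changes_lost_on_revert(before: str, current: str) -> Tuple[List[str], int, int]:
    """Unified diff from the earlier backup to the current configuration, plus the
    number of '+' lines (changes lost on revert) and '-' lines (settings restored)."""
    diff = list(difflib.unified_diff(config_body(before), config_body(current),
                                     fromfile="before-upgrade", tofile="current",
                                     lineterm=""))
    added = sum(1 for line in diff if line.startswith("+") and not line.startswith("+++"))
    removed = sum(1 for line in diff if line.startswith("-") and not line.startswith("---"))
    return diff, added, removed


if __name__ == "__main__":
    for name, text in (("before", BACKUP_BEFORE_UPGRADE), ("current", BACKUP_CURRENT)):
        h = parse_header(text)
        print(f"{name}: {h['model']} v{h['version']} build {h['build']}")
    diff, added, removed = changes_lost_on_revert(BACKUP_BEFORE_UPGRADE, BACKUP_CURRENT)
    print("\n".join(diff))
    print(f"{added} line(s) changed since the upgrade would be lost, {removed} restored")
```

With the sample files, the diff shows the admin timeout change and the extra local administrator account; the second is exactly the kind of change that matters if the revert is being done to regain access, since the reverted partition will boot without it.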

 

Related documents: