Article Id 241339
Description This article describes how to upgrade a FortiGate High Availability (HA) cluster through a TFTP server.
Scope FortiGate.

Users can upgrade the FortiOS firmware running on an HA cluster with a TFTP server with the same methods used to upgrade the firmware through the GUI.


The following sequence describes in detail the steps necessary to upgrade an HA cluster through the CLI via a TFTP server:


1) Start the TFTP server.

2) Copy the new firmware image file to the TFTP server.

3) Log into the FGT primary unit CLI.

4) Verify that the FGT primary unit can connect to the TFTP server. For example, if the IP address of the TFTP server is, enter the CLI command:


# execute ping


5) Enter the following command to copy the firmware image from the TFTP server to the primary FortiGate unit:


# execute restore image tftp <filename> <tftp_ip>


Replace <filename> with the name and location of the firmware image file and <tftp_ip> with the IP address of the TFTP server. For example, if the firmware image file name is FGT_300D.out and the IP address of the TFTP server is, enter:


# execute restore image tftp FGT_300D.out


FortiGate will respond with the following message:


This operation will replace the current firmware version!

Do you want to continue? (y/n)


Press Y on the keyboard to continue the process. 


FortiGate will download the firmware image file, upgrade both units to the new firmware version, and restart. This process typically takes a few minutes.





6) Reconnect to the CLI.

7) To confirm the new firmware image was successfully installed, enter the following command and check the results:


# get system status
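
One way to automate the check in step 7 for both cluster members, as an added example that is not part of the original article or any Fortinet tooling: it parses saved `get system status` output from each unit and reports any unit that is not on the expected version and build. The line layout in the comments, the sample output, and the names `parse_status` and `check_cluster` are assumptions made for this example.

```python
import re

# Assumed layout of the relevant `get system status` lines:
#   Version: <model> v<major.minor.patch>,build<NNNN>,<date> (<tag>)
#   Serial-Number: <serial>
VERSION_RE = re.compile(
    r"^Version:\s*(?P<model>\S+)\s+v(?P<version>\d+\.\d+\.\d+),build(?P<build>\d+)",
    re.MULTILINE,
)
SERIAL_RE = re.compile(r"^Serial-Number:\s*(?P<serial>\S+)", re.MULTILINE)


def parse_status(text):
    """Return model, version, build and serial from one unit's output."""
    m = VERSION_RE.search(text)
    if m is None:
        raise ValueError("no Version line found in status output")
    info = m.groupdict()
    info["build"] = int(info["build"])  # "0456" -> 456
    s = SERIAL_RE.search(text)
    info["serial"] = s.group("serial") if s else "unknown"
    return info


def check_cluster(outputs, expected_version, expected_build):
    """Return a list of problems; an empty list means every unit matches."""
    problems = []
    for name, text in outputs.items():
        try:
            info = parse_status(text)
        except ValueError as exc:
            # Truncated or wrong capture: report it instead of passing silently.
            problems.append(f"{name}: {exc}")
            continue
        if (info["version"], info["build"]) != (expected_version, expected_build):
            problems.append(f"{name} ({info['serial']}): running v{info['version']} "
                            f"build {info['build']}, expected v{expected_version} "
                            f"build {expected_build}")
    return problems


# Constructed sample output (not captured from a real device).
PRIMARY = """Version: FortiGate-300D v1.2.3,build0456,200101 (GA)
Serial-Number: FGTEXAMPLE000001
"""
SECONDARY_STALE = """Version: FortiGate-300D v1.2.2,build0400,191001 (GA)
Serial-Number: FGTEXAMPLE000002
"""
```

A unit that still reports the old build after the restart shows up as one entry in the returned list, so the upgrade can be treated as complete only when the list is empty.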