| Solution |
If a FortiGate device is running BIOS version 5000100 or 6000100 (or newer), the user will not be able to downgrade to 6.0, 6.2, or any other FortiOS versions below the ones listed here:
The device will not pass traffic and will display this error when booting up:
Booting OS...
Fatal error: Loading FOS fails!
Please power cycle. System halted.
It is recommend to upgrade FortiOS to a version that supports the BIOS security check to maximize the security posture of the device.
If earlier firmware is required, follow the instructions below to change the BIOS security level and allow the device to load.
Warning:
Changing BIOS security level affects the overall security posture of the device and network. A lower BIOS security level could allow a user with administrative access to the FortiGate appliance to install and run modified, malicious firmware builds.
- To change the BIOS security level, ensure a serial console cable is connected and power on the device.
- When the console displays 'press any key to display configuration menu', press any key.
FortiGate-60F
Ver:05000009
Serial number: FGT60XXXXXXXXXXXXXX
CPU: 1200MHz
Total RAM: 2 GB
Initializing boot device...
Initializing MAC... NP6XLITE#0
Please wait for OS to boot, or press any key to display configuration menu. <-- Press any key.
- The BIOS configuration menu displays. Press 'I'.
[C]: Configure TFTP parameters.
[R]: Review TFTP parameters.
[T]: Initiate TFTP firmware transfer.
[F]: Format boot device.
[I]: System information. <-- Select this by pressing 'I'.
[B]: Boot with backup firmware and set as default.
[Q]: Quit menu and continue to boot.
[H]: Display this list of options.
Enter C,R,T,F,I,B,Q,or H:
- The system information menu displays. Press 'U'.
[S]: Set serial port baudrate.
[R]: Set restricted mode.
[T]: Set menu timeout.
[U]: Set security level. <- Select this by pressing 'U'.
[I]: Display system information.
[E]: Reset system configuration.
[P]: Normal POST test.
[Q]: Quit this menu.
[H]: Display this list of options.
Enter S,R,T,U,I,E,P,Q,or H:
- The available security levels display. Enter the desired security level '0'.
[0]: Level 0 - Check image silently
[1]: Level 1 - Check image with result only
[2]: Level 2 - Check image and reinforce validity
Enter security level setting [2]: <-- Provide the digit for the intended security level [0, 1, or 2].
- After this, follow the menu options to quit the configurations menus and boot the device. Typically the key sequence is 'Q', then 'Q'.
- The device boots with the updated security level. Earlier firmware versions may now be loaded to the device.
- If upgrading to later firmware versions in the future, it is recommended to set the security level back to 2 after upgrade.
Note:
It is possible to check the security level currently set before rebooting the unit or after changing it with the command 'get system status'.
get system status
Version: FortiGate-60F v6.4.13,build2092,230606 (GA.M)
Security Level: 2
Virus-DB: 92.00663(2024-01-15 04:20)
Starting with v7.0.16, v7.2.11, v7.4.6, and v7.6.1, the naming convention for Security Levels has been updated. The previous numerical levels 0, 1, and 2 are now represented as low, low, and high, respectively. More information about this change can be seen in this document: BIOS security Low and High level classification 7.0.16.
FortiGate VM models no longer support changing BIOS security level after upgrade to FortiOS GA builds v7.0.16, 7.2.9, 7.4.4, 7.6.0 or later. The VM BIOS security level is hard coded to 2 and cannot be changed.
Some units such as FortiGate 50G, 70G, 90G, 120G and 200G and their variants have a 'Signed Firmware Hardware Switch' that requires physical access to change the BIOS security level. If BIOS security level does not appear as an option for a physical device, see the product's datasheet to verify if a device includes this feature.
|
