FortiGate
vtsonev
Staff
Article Id 266146
Description

This article describes downgrade issues due to an enhanced BIOS-level signature and file integrity checking. A solution is offered.

Scope

FortiGate running BIOS version 5000100, 6000100, or newer.

Solution

If the FortiGate device is running BIOS version 5000100 or 6000100 (or newer), the user will not be able to downgrade to 6.0, 6.2, or any other FortiOS versions below the ones listed here:

6.4.13 new features
7.0.12 new features
7.2.5 new features
7.4.0 new features - enhance BIOS level signature and file integrity checking

If an older version is loaded anyway, the device will not boot and will display this error:

Booting OS...
Fatal error: Loading FOS fails!
Please power cycle. System halted.

We recommend upgrading FortiOS to a version that supports the BIOS security check, to maximize the security posture of the device. Only if upgrading FortiOS is not possible, follow the instructions below to change the BIOS security level.

To perform the downgrade in this case, the BIOS security level needs to be lowered to 0:

  1. Lower the security level to 0. (Instructions below).
  2. Downgrade to the desired FortiOS version.
  3. If only a temporary downgrade is required (for a configuration conversion or other similar purpose), load the configuration as required.
  4. Upgrade to one of the latest firmware versions (for example 6.4.14, 7.0.12, 7.2.5, 7.4.0).
  5. Change the security level back to 2 in the BIOS.

To change the BIOS security level, ensure a console cable is connected, which is required to access the necessary menus. Then, follow this sequence in the BIOS menu:

Reboot FortiGate.

FortiGate-60F
Ver:05000009
Serial number: FGT60XXXXXXXXXXXXXX
CPU: 1200MHz
Total RAM: 2 GB
Initializing boot device...
Initializing MAC... NP6XLITE#0
Please wait for OS to boot, or press any key to display configuration menu. <-- Press any key.

During the reboot, FortiGate prints "press any key to display configuration menu" on the console; press a key at that point to enter the BIOS menu.

[C]: Configure TFTP parameters.
[R]: Review TFTP parameters.
[T]: Initiate TFTP firmware transfer.
[F]: Format boot device.
[I]: System information. <-- Select this by pressing 'I'.
[B]: Boot with backup firmware and set as default.
[Q]: Quit menu and continue to boot.
[H]: Display this list of options.

Enter C,R,T,F,I,B,Q,or H:

[S]: Set serial port baudrate.
[R]: Set restricted mode.
[T]: Set menu timeout.
[U]: Set security level. <-- Select this by pressing 'U'.
[I]: Display system information.
[E]: Reset system configuration.
[P]: Normal POST test.
[Q]: Quit this menu.
[H]: Display this list of options.

Enter S,R,T,U,I,E,P,Q,or H:
[0]: Level 0 - Check image silently
[1]: Level 1 - Check image with result only
[2]: Level 2 - Check image and reinforce validity
Enter security level setting [2]: <-- Provide the digit for the intended security level [0, 1, or 2].

After this, follow the instructions to close the menu and boot the device (this will typically consist of pressing Q, then Q again).

Additional note:

It is possible to check the currently set security level, before rebooting the unit or after changing it, with the command 'get system status':

get system status
Version: FortiGate-60F v6.4.13,build2092,230606 (GA.M)


Security Level: 2
Virus-DB: 92.00663(2024-01-15 04:20)
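Because the procedure above leaves the BIOS at level 0 until step 5 is completed, it is worth verifying afterwards that every unit is back at level 2 and on a build that carries the BIOS check. The script below is an added example, not part of the Fortinet article or of FortiOS: it parses 'get system status' output captured from each device, reports any unit whose Security Level is below 2, and flags a running FortiOS version that is below the branch minimums listed in this article (6.4.13, 7.0.12, 7.2.5, 7.4.0). The sample outputs are constructed for illustration; the 6.2.9 build number is a placeholder, and the treatment of branches newer than 7.4 as carrying the check is an assumption.

```python
import re

# Minimum FortiOS version per release branch that carries the enhanced
# BIOS-level signature and file integrity check (values from the article).
# A FortiGate with BIOS 5000100/6000100 or newer will not boot anything below these.
MIN_SUPPORTED = {
    (6, 4): (6, 4, 13),
    (7, 0): (7, 0, 12),
    (7, 2): (7, 2, 5),
    (7, 4): (7, 4, 0),
}

# Level the article restores once the temporary downgrade is finished.
EXPECTED_SECURITY_LEVEL = 2

VERSION_RE = re.compile(
    r"Version:\s*(?P<model>\S+)\s+v(?P<ver>\d+\.\d+\.\d+),build(?P<build>\d+)"
)
LEVEL_RE = re.compile(r"^Security Level:\s*(?P<level>\d)\s*$", re.MULTILINE)


def parse_version(ver: str) -> tuple:
    """'6.4.13' -> (6, 4, 13), so versions compare correctly as tuples."""
    return tuple(int(part) for part in ver.split("."))


def parse_system_status(output: str) -> dict:
    """Extract model, FortiOS version, build and BIOS security level from
    'get system status' output. Fields that are absent come back as None."""
    result = {"model": None, "version": None, "build": None, "security_level": None}
    m = VERSION_RE.search(output)
    if m:
        result["model"] = m.group("model")
        result["version"] = parse_version(m.group("ver"))
        result["build"] = int(m.group("build"))
    m = LEVEL_RE.search(output)
    if m:
        result["security_level"] = int(m.group("level"))
    return result


def downgrade_blocked(target: tuple) -> bool:
    """True when a BIOS-checking FortiGate would halt with 'Loading FOS fails!'
    on this image: any branch older than 6.4 (6.0, 6.2, ...), or a build below
    its branch minimum. Branches newer than 7.4 are assumed to carry the check."""
    branch = target[:2]
    if branch not in MIN_SUPPORTED:
        return branch < (6, 4)
    return target < MIN_SUPPORTED[branch]


def review_status(output: str) -> list:
    """Compliance findings for one device. Empty list means the unit is back at
    security level 2 and running a build that the BIOS check accepts."""
    status = parse_system_status(output)
    findings = []
    level = status["security_level"]
    if level is None:
        findings.append("Security Level not reported; firmware may predate the BIOS check")
    elif level < EXPECTED_SECURITY_LEVEL:
        findings.append(f"BIOS security level is {level}, expected {EXPECTED_SECURITY_LEVEL}")
    version = status["version"]
    if version is not None and downgrade_blocked(version):
        findings.append(
            "running FortiOS %s, below the branch minimum; will not boot at level 2"
            % ".".join(map(str, version))
        )
    return findings


# Constructed sample outputs (the first reuses the lines shown in the article).
SAMPLE_COMPLIANT = """\
Version: FortiGate-60F v6.4.13,build2092,230606 (GA.M)
Security Level: 2
Virus-DB: 92.00663(2024-01-15 04:20)
"""

SAMPLE_LOWERED = """\
Version: FortiGate-60F v6.2.9,build0000,000000 (GA)
Security Level: 0
"""

if __name__ == "__main__":
    for name, sample in (("compliant", SAMPLE_COMPLIANT), ("lowered", SAMPLE_LOWERED)):
        for finding in review_status(sample) or ["OK"]:
            print(f"{name}: {finding}")
```

In practice the samples would be replaced by output collected from each appliance (for example over the console or an SSH session); a unit that still reports Security Level 0 after the new firmware is installed is one where step 5 of the procedure was skipped.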

Warning:

Be advised that modifying this parameter will impact the overall security posture of the device and/or network. It could potentially allow a local user with access to the appliance to install or run modified, malicious code in the system.