FortiGate
saleha
Staff & Editor
Article Id 385701
Description This article describes a known issue where a FortiLink-enabled interface may be missing after an upgrade to v7.4.0 or later if its administrative access settings were changed from the default before the upgrade.
Scope

FortiOS v7.4.0 or later.

Solution

In FortiOS v7.4, a FortiLink-enabled interface is restricted to 'PING' and 'Security Fabric Connection' (CLI: ping and fabric) as administrative access.

 

This issue is triggered upon upgrade if a custom interface with 'set fortilink enable' also has SSH or any other administrative access configured beyond 'PING' and 'Security Fabric Connection'.

 

When a device with such a configuration is upgraded to v7.4, the interface configuration fails to apply, which is visible with 'diagnose debug config-error-log read', and the interface is lost. Other configuration elements that depend on this interface are also lost.

 

config system interface
    edit "FORTILINK"
        set vdom "root"
        set fortilink enable
        set allowaccess ping ssh fabric
        set type aggregate
        set member "port7" "port8"
    next
end

 

After the upgrade, there is no 'FORTILINK' interface, and there is an entry in the config-error-log:

 

FortiGate-101F # diagnose debug config-error-log read
>>> "next" @ global.system.interface.FORTILINK:failed command (error 1)

 

This issue does not affect the built-in interface named 'fortilink' (lowercase). The following interface is retained after the upgrade:

 

config system interface
    edit "fortilink"
        set vdom "root"
        set fortilink enable
        set ip 10.255.1.1 255.255.255.0
        set allowaccess ping ssh fabric
        set type aggregate
        set member "x1" "x2"
    next
end

 

Resolving the issue:
Reconfigure the missing interface and the other missing configuration.

In some deployments this requires extensive reconfiguration, since many other elements may refer to the FortiLink interface, such as VLAN sub-interfaces, DHCP pools, and firewall policies.

 

For these scenarios, it is recommended instead to revert to the previous firmware and configuration in a maintenance window, following the article 'Technical Tip: Selecting an alternate firmware for the next reboot'. Then remove the additional administrative access manually and upgrade to 7.4.x again. CLI example:

 

config system interface
    edit "FORTILINK"
        set fortilink disable   << allowaccess can only be changed while fortilink is disabled
        set allowaccess ping fabric
    next
    edit "FORTILINK"
        set fortilink enable
    next
end

 

A FortiLink interface can only be converted to a non-FortiLink interface when no managed device (FortiSwitch or FortiAP) is connected over it. Otherwise, the conversion fails:

 

FortiGate-101F (FORTILINK) # set fortilink disable
there are managed devices remaining on this interface FORTILINK
Command fail. Return code -7

FortiGate-101F (FORTILINK) #

 

If the FortiLink interface cannot be modified in the running configuration for this reason, take a configuration backup of the device as a super_admin user (without an encryption password, so that the file is plain text), edit the backup in a plain text editor to set the correct allowaccess options on the FortiLink interface, and restore the modified backup.
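The following Python script is an added example, not Fortinet tooling and not code from this article. It performs the pre-upgrade check described above (any interface with 'set fortilink enable' whose allowaccess includes anything beyond ping and fabric) against an unencrypted configuration backup, and writes the edited backup for the restore step. The function names and the sample configuration are constructed for illustration; the script assumes the backup was exported without an encryption password and only removes options, never adding ping or fabric where they were not configured.

```python
"""Pre-upgrade audit and fix for FortiLink interfaces in a plain-text FortiOS backup."""
import re
import sys

# Administrative access FortiOS 7.4 still accepts on a FortiLink-enabled interface.
ALLOWED_ON_FORTILINK = {"ping", "fabric"}

EDIT_RE = re.compile(r'^\s*edit\s+"([^"]+)"\s*$')
ALLOWACCESS_RE = re.compile(r"^(\s*)set allowaccess\s+(.+?)\s*$")
FORTILINK_RE = re.compile(r"^\s*set fortilink enable\s*$")

# Constructed sample of the relevant part of an unencrypted backup; the
# interface entries mirror the article's example, not a real device export.
SAMPLE_CONFIG = """\
config system interface
    edit "port1"
        set allowaccess ping https ssh
    next
    edit "FORTILINK"
        set vdom "root"
        set fortilink enable
        set allowaccess ping ssh fabric
        set type aggregate
        set member "port7" "port8"
    next
    edit "fortilink"
        set vdom "root"
        set fortilink enable
        set ip 10.255.1.1 255.255.255.0
        set allowaccess ping ssh fabric
    next
end
config system dhcp server
    edit 1
        set interface "FORTILINK"
    next
end
"""


def _fix_entry(lines):
    """Rewrite one 'edit ... next' interface entry; returns (lines, removed options)."""
    if not any(FORTILINK_RE.match(line) for line in lines):
        return lines, []  # not a FortiLink interface: leave it alone
    fixed, removed = [], []
    for line in lines:
        m = ALLOWACCESS_RE.match(line)
        if m:
            options = m.group(2).split()
            kept = [o for o in options if o in ALLOWED_ON_FORTILINK]
            removed = [o for o in options if o not in ALLOWED_ON_FORTILINK]
            if removed and not kept:
                continue  # nothing valid left: drop the line (FortiOS default is no access)
            if removed:   # only remove options; never add ping/fabric that was not configured
                line = f"{m.group(1)}set allowaccess {' '.join(kept)}"
        fixed.append(line)
    return fixed, removed


def fix_fortilink_allowaccess(text):
    """Return (new_text, findings): findings maps each FortiLink-enabled interface
    to the allowaccess options 7.4 rejects; {} means the pre-upgrade check passes."""
    out, findings = [], {}
    in_iface_block, name, entry, nested = False, None, [], 0
    for line in text.splitlines():
        stripped = line.strip()
        if not in_iface_block:
            in_iface_block = stripped == "config system interface"
            out.append(line)
        elif name is None:
            m = EDIT_RE.match(line)
            if m:
                name, entry = m.group(1), [line]
            else:
                out.append(line)
                in_iface_block = stripped != "end"  # 'end' closes the interface table
        else:
            entry.append(line)
            # Sub-tables ('config ipv6 ... end' etc.) inside an entry may contain their
            # own 'next'; only a 'next' at nesting depth 0 closes the interface entry.
            if stripped.startswith("config "):
                nested += 1
            elif stripped == "end":
                nested -= 1
            elif stripped == "next" and nested == 0:
                fixed, removed = _fix_entry(entry)
                if removed:
                    findings[name] = removed
                out.extend(fixed)
                name, entry = None, []
    return "\n".join(out) + ("\n" if text.endswith("\n") else ""), findings


if __name__ == "__main__":  # usage: fix_fortilink.py backup.conf fixed.conf (no args: sample)
    src = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    new_text, findings = fix_fortilink_allowaccess(src)
    for iface, removed in findings.items():
        print(f"{iface}: would be dropped on 7.4 upgrade, removing {' '.join(removed)}")
    if len(sys.argv) > 2:
        with open(sys.argv[2], "w", encoding="utf-8") as fh:
            fh.write(new_text)
```

Run it against the backup first with no output path: an empty findings list means the configuration will survive the upgrade as far as this check is concerned. Restore the edited file only after confirming that the reported interfaces are the ones you expect, and verify afterwards with 'diagnose debug config-error-log read'.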


The following screenshot shows the error when attempting to add options other than PING or Security Fabric Connection to the 'fortilink' interface:

 

[Screenshot: fortilink_ssh.PNG]

 

If reverting to the previous firmware and configuration is not possible, downgrading the firmware to a previous version can be done from the GUI or CLI, but this is not recommended and can cause issues. The following article provides details on this process: Technical Tip: FortiGate Firmware Downgrade for Minor Releases.