jiahoong112
Staff
Article Id 229557
Description

This article describes how to fix the error 'Image upgrade failed. Firmware image is not valid - FortiGate HA firmware upgrade failed'.

This error occurs when the Primary and Secondary FortiGates have mismatching firmware versions.

Using this method will result in total downtime for the entire network as both FortiGates will be rebooted.

This method also assumes that HA Management Interface is configured so that the GUI of the FortiGate with the lower firmware version can be accessed.

This method WILL cause a Total Service Outage of both firewalls. Read all the steps first before proceeding to execute them.

Scope

FortiGate HA: applicable to Active-Passive and Active-Active.
Solution

  1. FortiGate HA will be Out of Sync when the firmware versions on the Primary and Secondary FortiGates do not match.

  2. Download the firmware version to which the FortiGates are to be upgraded from the Fortinet Support Portal: support.fortinet.com.

  3. Perform an HA failover so that the FortiGate on the lower firmware version is the Primary.
     See this article for steps on how to manually trigger an HA failover.

  4. In the meantime, access the FortiGate on the higher firmware version.
     Note: If there is no management IP configured for access, SSH into the FortiGate that is on the higher firmware version through the current Primary:

       1. SSH into the current Primary.
       2. Run this command:

          exec ha manage ?

       3. An ID will be seen here.
       4. Run the following:

          exec ha manage <id> <username>

     Press Enter, type the password in, and then press Enter again.
     See this document.

  5. Access the GUI of the FortiGate with the lower firmware version.

  6. Perform the firmware upgrade by uploading the firmware version manually.

     Below version 7.2.x:
     Go to System -> Firmware -> Browse and Upload the firmware.

     Version 7.2.x onwards:
     Go to System -> Fabric Management -> Select the FortiGate and select Upgrade -> File Upload -> Browse and Upload the firmware.

  7. When the upload progress of the firmware hits 50% or 70%, reboot the other FortiGate that is already on the higher firmware version via SSH.
     To reboot the firewall via the SSH CLI, run this command:

          exec reboot

  8. Wait for both FortiGates to become active. Both FortiGates should now be on the same firmware version. Wait a few minutes for HA to sync.
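As an added pre-flight check for steps 1 and 3 (example code, not from this article or from Fortinet), the following Python helper parses the 'Version:' line of `get system status` from both cluster members and reports which unit is on the lower firmware (the one that must become Primary and receive the upload) and which is on the higher firmware (the one rebooted mid-upload). It assumes the usual 'vX.Y.Z,buildNNNN' layout of that line; the hostnames, serial numbers and status text in the sample are constructed.

```python
import re
from dataclasses import dataclass

# Matches the "Version:" line printed by `get system status`, e.g.
# "Version: FortiGate-100F v7.0.12,build0523,230426 (GA.M)".
# This layout is an assumption based on typical FortiOS output, not taken
# from the article; adjust the pattern if your units print it differently.
VERSION_RE = re.compile(r"\bv(\d+)\.(\d+)\.(\d+),build(\d+)\b")


@dataclass(frozen=True, order=True)
class FirmwareVersion:
    """Numeric view of a FortiOS version; order=True compares field by field."""
    major: int
    minor: int
    patch: int
    build: int

    def __str__(self) -> str:
        return f"v{self.major}.{self.minor}.{self.patch},build{self.build:04d}"


def parse_version(status_output: str) -> FirmwareVersion:
    """Extract the firmware version from the text of `get system status`."""
    match = VERSION_RE.search(status_output)
    if match is None:
        raise ValueError("no FortiOS version string found in status output")
    major, minor, patch, build = (int(g) for g in match.groups())
    return FirmwareVersion(major, minor, patch, build)


def plan_ha_upgrade(members: dict[str, str]) -> dict:
    """Decide which member of a two-unit cluster must be made Primary.

    `members` maps a label of your choosing (hostname or serial) to that
    unit's `get system status` output. The lower unit is the one whose GUI
    receives the firmware upload (and which must be Primary first); the
    higher unit is the one rebooted during the upload.
    """
    if len(members) != 2:
        raise ValueError("expected exactly two HA members")
    versions = {name: parse_version(text) for name, text in members.items()}
    (name_a, ver_a), (name_b, ver_b) = versions.items()
    shown = {name_a: str(ver_a), name_b: str(ver_b)}
    if ver_a == ver_b:
        return {"in_sync": True, "lower": None, "higher": None, "versions": shown}
    lower, higher = (name_a, name_b) if ver_a < ver_b else (name_b, name_a)
    return {"in_sync": False, "lower": lower, "higher": higher, "versions": shown}


# Constructed sample output for two cluster members; not captured from real devices.
SAMPLE_STATUS = {
    "fgt-a": (
        "Version: FortiGate-100F v7.0.12,build0523,230426 (GA.M)\n"
        "Serial-Number: FG100FTK00000001\n"
        "Hostname: fgt-a\n"
    ),
    "fgt-b": (
        "Version: FortiGate-100F v7.2.5,build1517,230725 (GA.F)\n"
        "Serial-Number: FG100FTK00000002\n"
        "Hostname: fgt-b\n"
    ),
}


if __name__ == "__main__":
    plan = plan_ha_upgrade(SAMPLE_STATUS)
    if plan["in_sync"]:
        print("Cluster already on one version:", plan["versions"])
    else:
        print("Out of sync:", plan["versions"])
        print(f"Make {plan['lower']} Primary, upload the firmware to its GUI, "
              f"then reboot {plan['higher']} once the upload passes 50%.")
```

Paste each unit's `get system status` output into the dictionary (or read it from a file) before running; comparing the numeric tuple rather than the raw string avoids mis-ordering versions such as 7.0.12 against 7.2.5.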

An alternative option is to change the 'Security level' to '0' on both the Primary and Secondary FortiGates and perform the upgrade again. However, this method requires console access.

To change the security level, see the documentation.

It is recommended to set the Security level back to '2' after the upgrade.