FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 229557

This article describes how to fix the error 'Image upgrade failed. Firmware image is not valid - FortiGate HA firmware upgrade failed'.

In this case, the Primary and Secondary FortiGates have mismatching firmware versions.


Using this method will result in total downtime for the entire network as both FortiGates will be rebooted.

This method also assumes that HA Management Interface is configured so that the GUI of the FortiGate with the lower firmware version can be accessed.


This method WILL cause Total Service Outage of both firewalls. Read all the steps first before proceeding to execute them.

Scope Fortigate HA - Applicable for Active-Passive and Active-Active.

1) FortiGate HA will be Out of Sync when the firmware versions on the Primary and Secondary FortiGates do not match.


2) Download the firmware version that is to be upgraded from the Fortinet Support Portal:


3) Perform a HA failover so that the FortiGate on the lower firmware version is the Primary. 

Manually trigger HA failover: 


4) In the meantime, access the FortiGate on the higher firmware version. 


Note: If there is no management IP configured for access, SSH into the FortiGate that is on the higher firmware version through the current Primary. 


a) SSH into the current Primary.

b) Run this command: # exec ha manage ?

c) An ID will be seen here. 

d) # exec ha manage <id> <username>

-> Hit Enter, type the password and then hit Enter again.



3) Access the GUI of the FortiGate with the lower firmware version.


4) Perform the firmware upgrade by uploading the firmware version manually.


Below version 7.2.x:

Go to System -> Firmware -> Browse and Upload the firmware.


Version 7.2.x onwards:

Go to System -> Fabric Management -> Selecy the FortiGate and select Upgrade -> File Upload -> Browse and Upload the firmware.


5) When the Upload progress of the firmware hits 50% or 70%, reboot the other FortiGate that is already on the higher firmware version via SSH.

To reboot the firewall via SSH CLI, run this command: # exec reboot.


6) Wait for both FortiGates to become active. Both FortiGates should now be on the same firmware version. Wait a few minutes for HA to sync.