Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
jiahoong112
Staff
Staff

Created on ‎11-10-2022 10:52 PM Edited on ‎01-12-2025 01:00 AM By Community Manager

Article Id 229557

Troubleshooting Tip: 'Image upgrade failed. Firmware image is not valid - FortiGate HA firmware upgrade failed due to firmware version mismatch'

Description

This article describes how to fix the error 'Image upgrade failed. Firmware image is not valid - FortiGate HA firmware upgrade failed'.

In this case, the Primary and Secondary FortiGates have mismatching firmware versions.

 

Using this method will result in total downtime for the entire network as both FortiGates will be rebooted.

This method also assumes that HA Management Interface is configured so that the GUI of the FortiGate with the lower firmware version can be accessed.

 

This method WILL cause Total Service Outage of both firewalls. Read all the steps first before proceeding to execute them.
Scope Fortigate HA - Applicable for Active-Passive and Active-Active.
Solution
  1. FortiGate HA will be Out of Sync when the firmware versions on the Primary and Secondary FortiGates do not match.
  2. Download the firmware version to be upgraded from the Fortinet Support Portal: support.fortinet.com.
  3. Perform an HA failover so that the FortiGate on the lower firmware version is the Primary. 
    See this article for steps on how to manually trigger an HA failover.
  4. In the meantime, access the FortiGate using the higher firmware version. 

Note: 

If there is no management IP configured for access, SSH into the FortiGate on the higher firmware version through the current Primary. 

 

  1. SSH into the current Primary.
  2. Run this command:

 

exec ha manage ?

 

  1. An ID will be seen here. 
  2. Run the following:

 

exec ha manage <id> <username>

 

Here Username is administrator name used to log into FortiGate. Press Enter, type the password in, and then press Enter again. See Technical Tip: Managing individual cluster units with the CLI command 'execute ha manage' .

 

  1. Access the GUI of the FortiGate with the lower firmware version.
  2. Perform the firmware upgrade by uploading the firmware version manually.

 

Below version 7.2.x:

Go to System -> Firmware -> Browse and Upload the firmware.

 

Version 7.2.x onwards:

Go to System -> Fabric Management -> Select the FortiGate and select Upgrade -> File Upload -> Browse and Upload the firmware.

 

  1. When the Upload progress of the firmware hits 50% or 70%, reboot the other FortiGate that is already on the higher firmware version via SSH.


To reboot the firewall via SSH CLI, run this command:

 

exec reboot

 

  1. Wait for both FortiGates to become active. Both FortiGates should now be on the same firmware version. Wait a few minutes for HA to sync.

An alternative option is to change the 'Security level' to '0' on the Primary and Secondary FortiGates and perform the upgrade again. However, this method requires console access.

 

To change the security level: BIOS-level signature and file integrity checking during downgrade

 

It is recommended to set the Security level back to '2' after the upgrade.
21149
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.