Help
FortiManager
FortiManager supports network operations use cases for centralized management, best practices compliance, and workflow automation to provide better protection against breaches.
Anonymous
Not applicable

Created on ‎12-30-2022 04:02 AM Edited on ‎11-13-2025 09:57 AM By Moderator

Article Id 241458

Technical Tip: How to upgrade FortiGate using FortiManager

Description This article explains how to upgrade FortiGate through FortiManager.
Scope Any supported FortiGate, FortiManager version.
Solution

Prerequisite:

The FortiGate needs a valid upgrade license (FMWR license).

To check the FortiGate license on FortiManager, use the following FortiManager CLI command:

 

diagnose fmupdate fds-dump subs

 

Upgrade a FortiGate:

 

  1. Under Device Manager -> Managed FortiGate, double-click on the FortiGate to upgrade. Under the Firmware Version section, select Upgrade Firmware.

 

lingky88_0-1672367178273.png

 


  1. Select the appropriate version/image and select Upgrade.

 

lingky88_1-1672366134823.png

 

Note: The new layout as of version 7.4 is shown below:

 

2025-05-06_12-26-51.png

 

  1. A prompt will be shown before the Upgrade. Select OK to proceed.

 

lingky88_1-1672388381966.pnglingky88_2-1672388391465.png

 

  1. Track the progress of the upgrade. Wait for it to complete successfully.

     

lingky88_3-1672388495953.png

 

Alternatively, upgrade using a Firmware Template:

 

  1. Assign a firmware template under Device Manager -> Firmware Templates -> Create New.
  2. Create a new firmware template and select the platform and the firmware version under the Upgrade Details section.

 

lingky88_0-1672388078136.png
lingky88_2-1672366266092.png

 

  1. It is recommended to upgrade based on the recommended upgrade path under the Upgrade Path option.

 

lingky88_1-1672367291216.png

 

  1. After the firmware template has been created, assign the device to this template by right-clicking the template and selecting the Assign to Device/Group options. Next, move the FortiGate(s) into the Selected Entries section and select OK.

 

lingky88_4-1672390408701.png

 

  1. The selected devices assigned to the Firmware Templates will be shown.

 

lingky88_5-1672390485645.png

 

  1. Check under the Device Manager page that the firmware template has been assigned under the managed devices.

 

lingky88_6-1672390533662.png

 

  1. To upgrade, go back to the firmware templates, right-click on the correct template and select Upgrade Now to which will prompt an upgrade of the FortiGate(s).

 

lingky88_9-1672390662447.png
lingky88_8-1672390629329.png

 

  1. Select OK to upgrade the devices assigned to the template and wait for the upgrade to complete successfully.

 

lingky88_10-1672390820154.png

 

Solution for FortiGates in HA cluster, which are being managed by the FortiManager:

 

The FortiGate HA is upgraded the same way as the FortiManager as a standalone FortiGate. The Firmware template might seem a little confusing as the 'Assign Device' section only shows the primary FortiGate and not the secondary cluster member. However, that is by design as the FortiGate is a HA cluster and FortiManager always communicates with the primary member. The secondary member should get upgraded automatically if the HA is in good shape.

 

When performing an upgrade of FortiGate via FortiManager, it is important to run debug from the FortiManager and FortiGate sides.

 

Debug from FortiManager:

 

diagnose fwmanager fwm-log <----- Live debug when upgrading FortiGate.

 

Debug from FortiGate: (Possibly run through the console):

 

Lotus-kvm05 # diagnose debug cli 8

Lotus-kvm05 # diagnose debug en

 

The task Job will be displayed from the Task Monitor at FortiManager.

 

Complete task from FortiManager:

 

Nur_1-1742772847428.png

Note: Upgrading FortiGate HA clusters using FortiManager could cause a network outage if triggered while a disk check is required on the FortiGate. For more information on this issue, refer to the following KB article: Troubleshooting Tip: FortiManager reboots the firewall HA cluster twice during a firmware upgrade, c...

 

Troubleshooting:

 

The following CLI commands are used for troubleshooting firmware issues from FortiManager:

 

diagnose fwmanager fwm-log 
diagnose fwmanager service-restart

 

Note: When upgrading FortiGate HA from FortiManager, check if disk checking is enabled. If the disk check message appears on the Firewall, FortiManager will reboot the firewall first before sending the firmware image to the firewall. As per the proper process, reboot the primary firewall and then the secondary.

 

However, note that in FortiManager, there is no wait time for the primary firewall to come up before rebooting the secondary firewall. Therefore, if firewalls (3600, 4400 or other high end  units) take more than 5 minutes to reboot, FortiManager will send the reboot command to the secondary, causing both firewalls to reboot at same time and causing network outages. This will also cause the only primary firewall to upgrade and the secondary firewall to remain on the same firmware version.   

 

The workaround available is to disable the disk check on fmupdate before the upgrade using the following command:

config fmupdate fwm-setting
    set check-fgt-disk disable
end

 

Related articles:

Troubleshooting Tip: FortiGate failed to upgrade using the Firmware Template 

Technical Tip: How to check the FortiGate upgrade path on FortiManager 

Technical Tip: How to download and import firmware images into FortiManager 

Technical Tip: How to perform scheduled upgrade for FortiGates using FortiManager 
41539
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.