Hi!
KB "Keep the flash partition without it being overwritten (For rollback purposes)" seems useful, except I think it's problematic. It basically says we can manipulate into which partition the new firmware image will be stored, to keep the other partition (with the original firmware image) from being overwritten during the upgrade.
However, an upgrade is not only about images, it's also about FortiOS configuration migration!!
As per the KB, the partition into which the new firmware goes is the one with "Active" = "No", but... (as I understand) the configuration used for FortiOS configuration migration will be sourced from the partition with "Active" = "Yes".
So, in KB's step "Upgrade the firmware from 7.0.13 B0566 to 7.2.6 B1575:", the FortiOS configuration will be sourced from partition with the original "6.4.6" configuration, not the upgraded "7.0.13" configuration. And since that original FortiOS configuration was not migrated as per approved "Upgrade Path", we would end up with supposedly incorrect FortiOS configuration after the upgrade.
Is the above conclusion correct?
Thanks!
When you upgrade the firmware, it's based on the currently running partition and config.
If it's a physical appliance, then chances are it has multiple partitions, which you can check using # di sys flash list.
In general, you want to follow the upgrade path to avoid corrupt config. If you back up the full config (admin>Configuration>Backup configuration) then all you need to do is reload the firmware version used in the backup config then restore the backup configuration.
However, if you only moved one firmware then you can boot into the previous partition.
When you upgrade A->B->C in two steps in the process the KB is describing, the A-config is saved in the same partition as the A-image. Then when you upgrade B->C after manipulating the boot partition as in the KB, the second A partition won't change, but the C-image and C-config are stored in the first C partition.
Therefore, when you downgrade/swap the active partitions back to the second A partition, it boots up with A-image + A-config.
Toshi
Created on 12-17-2024 02:29 PM Edited on 12-17-2024 02:40 PM
Hi Toshi,
my question does not relate to which partition's config is used to boot, but which is used to migrate - the problem "... since that original FortiOS configuration was not migrated as per approved "Upgrade Path", we would end up with supposedly incorrect FortiOS configuration after the upgrade." My context is the upgraded partition "C", not the rollback partition "A".
The crux: "(as I understand) the configuration used for FortiOS configuration migration will be sourced from partition with "Active" is "Yes". Since we manually changed the "Active" partition, the upgraded "C" partition's configuration will be migrated from "A" partition's configuration, not "B" which is what we want due to "Upgrade path".
Based on my understanding, the procedure in that KB is flawed - it will only work if the configuration in "A" can be migrated to "C", but Fortinet only guarantees configuration migration based on the "Upgrade Path" (ie. A->B, then B->C, not A->C).
R's, Alex
When the FGT boots up (regardless of whether after an upgrade or not), it pulls the config into memory. So when B->C happens, the upgrade is based on the config (after the conversion) in memory, not on the partition in the flash.
Toshi
Created on 12-17-2024 03:57 PM Edited on 12-17-2024 06:41 PM
> When FGT boots up (regardless after upgrade or not), it pulls the config into the memory. So when B->C happens, the upgrade is based on the config (after the conversion) in the memory. Not from the partition in the flash.
This contradicts "When the FortiGate goes through its upgrade procedure via the WebGUI, it applies the firmware upgrade to the non-active partition and takes the existing configuration on the active partition, upgrades it and assigns it to the non-active partition firmware." (FortiGate Recovery Partition), but, since that's not official Fortinet canon, let's assume he's wrong, and you're right....
How can I see the configuration "in the memory", I'm assuming you're referring to Flash/NVRAM (aka. "startup-configuration", in IOS/NX-OS), different to in RAM (ala. "running-configuration", in IOS/NX-OS) - so I can confirm which configuration is being migrated during the upgrade?
It doesn't completely contradict it. The author of the article is just saying the active/upgraded config (originally from the active partition when it booted up, but now in memory) would be saved in the non-active partition when the upgrade happens. Then the active and non-active partition roles would be swapped.
If you have Cisco experience, their router or switch has "running-config" and "startup-config". The running-config is in memory while the startup-config is in the flash. "show run" shows the running-config and when you change something, it changes only in the running config, until you save it ("write mem" or "copy run start").
It's kind of similar for most routers and switches, whoever the vendor is, because that's similar to how most computers operate, like a PC.
If you still have some doubt, just test it yourself to confirm.
Toshi
Created on 12-17-2024 11:22 PM Edited on 12-17-2024 11:38 PM
> Not completely contradict. The author of the article is just saying, the active/upgraded config (originally from the active partition when it booted up but now in the memory) ...
No, not "originally ....". He's literally saying it "takes the existing configuration on the active partition, upgrades it ...", ie. during the upgrade. There is no mention of "memory" in the whole article.
By the way, FortiOS literally calls these two partitions,... "flash" - ala. "diagnose sys flash list".
Are you able to answer: "How can I see the configuration ..." equivalent of "startup-configuration", not "running-configuration", if system global's "cfg-save" is set to 'manual'?
Unlike Cisco, FGTs always "write mem" into the active partition/flash every time you make changes and exit from the particular config section in the CLI or GUI. So the "running-config" is the same as the "startup-config" in the active partition.
But it would never change the config in the non-active partition. That's why "swap-back" to the previous partition works with the old config.
I don't know if any command exists to see the non-active partition's config.
Toshi
On the other hand, during an upgrade, the FGT converts the config only in memory and stores/sets it in the non-active partition, where the new image is already loaded, instead of saving it in the active partition, so that when the partitions are swapped and it boots up, it comes up with the new image with the new config, while the previous active image & config are still there in the new non-active partition.
Toshi
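To make the two readings in this thread concrete, here is an added toy model (not FortiOS code, and not from the KB): it simulates two flash partitions through the KB's A->B, flag change, B->C procedure, once with the migration source being the config in memory (Toshi's description) and once with it being the stored config of the "Active" partition (Alex's reading). The approved path {A->B, B->C} and the partition layout are constructed assumptions.

```python
# Toy model of a two-partition FortiGate flash during the A->B->C procedure.
# Assumption, not FortiOS behaviour: migration source is either the config in
# memory ("memory") or the stored config of the "Active" partition ("active-flash").
from dataclasses import dataclass
from typing import Optional

APPROVED_PATH = {("A", "B"), ("B", "C")}  # constructed upgrade path, as in the thread

@dataclass
class Partition:
    image: Optional[str] = None
    config: Optional[str] = None  # config already converted for this image
    active: bool = False

class FortiGate:
    def __init__(self, source: str):
        self.source = source  # "memory" or "active-flash"
        self.flash = [Partition("A", "A", True), Partition()]  # partition 1 runs A
        self.running = "A"  # config pulled into memory at boot

    def active_index(self) -> int:
        return next(i for i, p in enumerate(self.flash) if p.active)

    def set_active(self, idx: int) -> None:
        # the KB's manual "Active" flag change: no reboot, memory untouched
        for i, p in enumerate(self.flash):
            p.active = i == idx

    def reboot(self) -> None:
        self.running = self.flash[self.active_index()].config

    def upgrade(self, image: str) -> str:
        src = self.running if self.source == "memory" else self.flash[self.active_index()].config
        migrated = image if (src, image) in APPROVED_PATH else f"UNSUPPORTED({src}->{image})"
        target = 1 - self.active_index()  # new image only ever lands in the non-active partition
        self.flash[target] = Partition(image, migrated, False)
        self.set_active(target)
        self.reboot()
        return self.running

def kb_procedure(source: str) -> dict:
    fgt = FortiGate(source)
    fgt.upgrade("B")             # A->B, lands in partition 2
    fgt.set_active(0)            # KB step: flag the A partition active so C does not overwrite it
    after_c = fgt.upgrade("C")   # B->C, lands in partition 2 again
    kept = (fgt.flash[0].image, fgt.flash[0].config)
    fgt.set_active(0); fgt.reboot()  # rollback to the untouched A partition
    return {"config_after_C": after_c, "kept_partition": kept, "rollback_running": fgt.running}

if __name__ == "__main__":
    for s in ("memory", "active-flash"):
        print(s, kb_procedure(s))
```

Under the "memory" reading the C partition ends up with a path-compliant config and rollback still boots A-image + A-config; under the "active-flash" reading the model flags the A->C migration as outside the approved path, which is exactly the concern raised earlier in the thread.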