Q1 Is it possible to upgrade FW using "execute restore image usb" command because I want to use USB to upgrade my firewall instead of TFTP.
which brings me to the next question
Q2 Is USB or TFTP upgrade faster?
Q3 When I want to see fortigate lldp neighbors, I use the "diagnose lldprx neighbor summary". So what is the difference between a "get" and "diagnose" command?
Q4 Why isn't lldp under the "get" command? Like it is show cdp neighbor in Cisco.
regarding Q2 (upgrade via TFTP or USB):
For using TFTP upgrade, you will have to establish a working network connection first. On a notebook, you will have to set up a static IP, a TFTP server, connect FGT and NB via cable (find a free port on FGT), check connectivity from NB and from FGT side. All of this takes considerably more time than inserting a USB stick, checking the auto-install settings, and rebooting the FGT.
And preparing and inserting a USB stick can be done by nearly anybody, even without networking skills ('a helping hand'), which can be very convenient if the FGT is in a remote location.
So, I would not denounce the auto-install feature in general. It can be very efficient, for instance when new FGTs arrive and need to be upgraded to a target version at the very beginning. Auto-install with 'image.out' and 'fgt_system.conf' settings is enabled by default after factory reset, and thus at delivery from distribution.
Just my 2 cents...
I see you changed your mind (taken as solution) when you had a second thought on network setup necessity versus brisk deployment implications of auto-upgrade more described by @ede_pfau
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
Q10 When I input "diag lldprx neighbor summary" I get a blank output, so I assume that lldp is disabled. However, when I go to "Dashboard > Devices & Users > Device Inventory", I can see the neighbors. Why is this so?
Q11 Is there an equivalent of "show etherchannel summary" in Fortinet? "diag ip address list" only shows the IP address, but not the logical interfaces and their names.
Can anyone help to answer my 2 questions above?
Created on 04-23-2022 10:25 AM
For Q12, by combining the two commands below, you can get about the same information as Cisco's "sh etherchannel summary". You need to be in a vdom, not global, to run these commands if it's a multi-vdom env:
xxx-fg1 (root) # diag netlink aggregate list-active
List of 802.3ad link aggregation active interfaces:
1: AaaaPath: port25,port26
2: BbbbPath: port27,port28
xxx-fg1 (root) # diag netlink aggregate list
List of 802.3ad link aggregation interfaces:
1 name AaaaPath status up algorithm L3 lacp-mode active
2 name BbbbPath status up algorithm L3 lacp-mode active
Toshi
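The two outputs in the post above can be joined on the aggregate name to get one row per aggregate, similar to a single summary view. This is an added example, not part of the original post or any Fortinet tooling; it assumes the output format is exactly as shown in the post, and the function names are made up for illustration.

```python
import re

# Command output as posted above (aggregate names are the poster's placeholders).
LIST_ACTIVE = """\
List of 802.3ad link aggregation active interfaces:
1: AaaaPath: port25,port26
2: BbbbPath: port27,port28
"""
LIST_ALL = """\
List of 802.3ad link aggregation interfaces:
1 name AaaaPath status up algorithm L3 lacp-mode active
2 name BbbbPath status up algorithm L3 lacp-mode active
"""

MEMBER_RE = re.compile(r"^\s*\d+:\s*(\S+):\s*(\S*)\s*$")
ATTR_RE = re.compile(r"^\s*\d+\s+name\s+(\S+)\s+(.*)$")

def parse_members(text):
    """Map aggregate name -> member ports, from 'list-active' output."""
    members = {}
    for line in text.splitlines():
        m = MEMBER_RE.match(line)
        if m:
            members[m.group(1)] = [p for p in m.group(2).split(",") if p]
    return members

def parse_attrs(text):
    """Map aggregate name -> attribute dict, from 'list' output."""
    attrs = {}
    for line in text.splitlines():
        m = ATTR_RE.match(line)
        if m:
            words = m.group(2).split()
            # Remaining tokens are key/value pairs: status up algorithm L3 ...
            attrs[m.group(1)] = dict(zip(words[0::2], words[1::2]))
    return attrs

def summarize(active_text, list_text):
    """Join both outputs; an aggregate missing from list-active gets no members."""
    members = parse_members(active_text)
    return [{"name": name, "members": members.get(name, []), **a}
            for name, a in parse_attrs(list_text).items()]

if __name__ == "__main__":
    for r in summarize(LIST_ACTIVE, LIST_ALL):
        print(f"{r['name']:<10} {r.get('status', '?'):<5} "
              f"{r.get('lacp-mode', '?'):<8} {','.join(r['members']) or '-'}")
```

An aggregate that shows up in "list" but not in "list-active" comes back with an empty member list, which is the row to look at first when a link aggregation is not passing traffic.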