Upgrades - any tips, tricks, comments?
It's time to start my first significant round of FortiGate upgrades and I am looking for tips and tricks from those that have done many. I'm using the following as a starting point: https://kb.fortinet.com/k...=FD35329&sliceId=1
Assumption - Firmware upgrades via the FG GUI can generally be relied upon to be hitless.
Environment
- All firewalls are clusters and have serial consoles connected
- Clusters use 'session-pickup enable' and 'session-pickup-connectionless enable'
- I intend to use the FG GUI to perform the upgrades
- All firewalls are connected to FortiManager 6.0.8
- First upgrades will be to get all 5.4 firewalls to 5.6
Procedure for first (Lab) cluster/ADOM
1. Take FMG backup via GUI
2. Upgrade ADOM to 5.6 in GUI
3. Check Device Manager 'Config Status' is Auto-update/Synchronised in FMG
4. Take FG backup
5. Connect to serial consoles
6. Perform first step in Upgrade Path
7. Login to FG GUI and check Firmware version and cluster status
8. Login to FMG GUI and check Device Manager 'Config Status' is Auto-update/Synchronised
9. Repeat steps 6-8 for each step in Upgrade Path
10. Take backup via FG GUI
Any issues with that? Does it contain a sensible level of paranoia in the checks as the firmwares are stepped through?
I was planning to do the following in a single change:
- 5.4.5 (current version)
- 5.6.2 (build 1486)
- 5.6.6 (build 1630)
- 5.6.8 (build 1672)
- 5.6.11 (build 1700)
Thanks.
Personally, after upgrading to a major firmware version, I do advise performing a diff compare between the new/old configs to see what has been changed. Sometimes, depending on what features are used, the conversion scripts will change some settings: add something or configure some settings.
E.g. convert old AP profiles to something similar under the new firmware, but give it a name like "tmp_ver50". Same with SSL/SSH profiles, where the defaults are now read-only in the newer firmwares: you have a new "custom_insert name".
And I believe country codes (if not listed in the older config) are added to the AP profiles. And it seems that if SSL/SSH proxy options are not used on a firewall policy, a "deep SSL" proxy option is added automatically.
If you want to go the extra mile, perform on the CLI after each firmware upgrade: diagnose debug config-error-log read
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
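One way to do that before/after compare structurally rather than by eye, as an added example that is not from the post above and not Fortinet's code: parse the backup taken before a firmware step and the one taken after it (steps 4 and 10 in the OP's procedure) into path/value pairs, diff them, and flag the kinds of silent addition described above. The two sample backups are constructed, the profile name "certificate-inspection" and the tmp_/ssl-ssh-profile heuristics are assumptions, and real runs should read the backup files the GUI produced.

```python
"""Structural diff of two FortiOS config backups (taken before and after a
firmware step) to surface what the upgrade conversion scripts changed.
Added example; the two sample backups below are constructed, not real."""
import shlex


def parse_fortios_config(text):
    """Flatten a FortiOS CLI config into {path: values}, e.g.
    ('firewall policy', '1', 'ssl-ssh-profile') -> ('certificate-inspection',).
    A path stack handles 'config' blocks nested inside an 'edit' entry."""
    flat, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):     # blank lines and comments
            continue
        tokens = shlex.split(line)               # honours "quoted values"
        kw, args = tokens[0], tokens[1:]
        if kw == "config":
            stack.append(" ".join(args))
        elif kw == "edit":
            stack.append(args[0] if args else "")
        elif kw in ("set", "unset") and args:
            flat[tuple(stack + [args[0]])] = tuple(args[1:]) if kw == "set" else ("<unset>",)
        elif kw in ("next", "end") and stack:
            stack.pop()
    return flat


def diff_configs(before, after):
    """Return (added, removed, changed), each a sorted list of (path, old, new)."""
    added = sorted((p, None, after[p]) for p in after.keys() - before.keys())
    removed = sorted((p, before[p], None) for p in before.keys() - after.keys())
    changed = sorted((p, before[p], after[p])
                     for p in before.keys() & after.keys() if before[p] != after[p])
    return added, removed, changed


def conversion_artifacts(added):
    """Flag the two kinds of silent change the post describes. Assumption:
    these are the patterns worth a second look; extend to taste."""
    flags = []
    for path, _old, new in added:
        if path[0] == "firewall policy" and path[-1] == "ssl-ssh-profile":
            flags.append(f"policy {path[1]}: ssl-ssh-profile {new[0]} attached by upgrade")
        if any(seg.startswith("tmp_") for seg in path):
            flags.append("converter-named object: " + "/".join(path))
    return flags


# Constructed pre-upgrade backup (5.4-style); not taken from a real device.
BEFORE = """\
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set action accept
    next
end
config wireless-controller wtp-profile
    edit "FAP220B-default"
        config platform
            set type 220B
        end
    next
end
"""

# Constructed post-upgrade backup: the converter attached an ssl-ssh-profile
# to the policy and filled in an AP country code (the changes named above).
AFTER = """\
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set action accept
        set ssl-ssh-profile "certificate-inspection"
    next
end
config wireless-controller wtp-profile
    edit "FAP220B-default"
        config platform
            set type 220B
        end
        set ap-country US
    next
end
"""


def upgrade_delta(before_text=BEFORE, after_text=AFTER):
    """Parse both backups and return (added, removed, changed, flags)."""
    added, removed, changed = diff_configs(parse_fortios_config(before_text),
                                           parse_fortios_config(after_text))
    return added, removed, changed, conversion_artifacts(added)


if __name__ == "__main__":
    added, removed, changed, flags = upgrade_delta()
    for label, items in (("added", added), ("removed", removed), ("changed", changed)):
        for path, old, new in items:
            print(f"{label:8} {'/'.join(path)}: {old} -> {new}")
    print("\n".join(flags))
```

Point it at the two backup files instead of the embedded strings. Because only set/unset lines are recorded, blocks the converter merely reordered do not show up, which keeps the report to changes that matter.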
Upgrades, if you follow the pre-designed migration path, almost never lead to issues. I would add post-upgrade monitoring of:
- ARP table
- DHCP monitor
- routes
- VPNs if applicable
You should be close to what you had at the start of the upgrade, but DHCP lease counts might be low if the upgrade is in late hours and machines are powered down; the same for dial-up VPNs.
YMMV
Ken Felix
PCNSE
NSE
StrongSwan
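An added example (not Ken's code and not Fortinet's) of turning that post-upgrade monitoring into a pre/post comparison with his caveat built in: capture the four outputs before the step and again after, then treat lost routes, changed ARP bindings and tunnels with no selectors up as failures, but a shrinking ARP table or lease count only as a warning. The captures are constructed samples, and the regexes assume the text layouts of 'get system arp', 'get router info routing-table all', 'get vpn ipsec tunnel summary' and 'execute dhcp lease-list' as shown; check them against your own boxes.

```python
"""Compare operational state captured before and after a FortiGate firmware
step: ARP table, routing table, IPsec tunnels and DHCP leases.
Added example; the CLI outputs below are constructed, not from a real device."""
import re

ARP_RE = re.compile(r"^(\S+)\s+\d+\s+([0-9a-f:]{17})\s+(\S+)$")   # ip age mac interface
ROUTE_RE = re.compile(r"^[A-Z]\*?\s+(\S+/\d+)")                        # code prefix ...
VPN_RE = re.compile(r"^'([^']+)'.*?selectors\(total,up\):\s*(\d+)/(\d+)")
LEASE_RE = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+[0-9a-f:]{17}")


def parse_snapshot(outputs):
    """outputs: {'arp', 'routes', 'vpn', 'dhcp'} -> raw CLI text; returns sets/dicts."""
    arp = {m[1]: (m[2], m[3]) for m in map(ARP_RE.match, outputs["arp"].splitlines()) if m}
    routes = {m[1] for m in map(ROUTE_RE.match, outputs["routes"].splitlines()) if m}
    vpn_up = {m[1] for m in map(VPN_RE.match, outputs["vpn"].splitlines()) if m and int(m[3]) > 0}
    leases = {m[1] for m in map(LEASE_RE.match, outputs["dhcp"].splitlines()) if m}
    return {"arp": arp, "routes": routes, "vpn_up": vpn_up, "leases": leases}


def compare_snapshots(pre, post):
    """Return [(severity, message)]. Missing routes, moved ARP bindings and
    tunnels that lost their selectors are failures; a smaller ARP table or
    lease count is only a warning, because idle hosts after hours look
    exactly like that."""
    findings = []
    for net in sorted(pre["routes"] - post["routes"]):
        findings.append(("FAIL", f"route {net} missing after upgrade"))
    for ip, entry in sorted(pre["arp"].items()):
        if ip not in post["arp"]:
            findings.append(("WARN", f"ARP entry {ip} gone (host idle or powered down?)"))
        elif post["arp"][ip] != entry:
            findings.append(("FAIL", f"ARP entry {ip} changed {entry} -> {post['arp'][ip]}"))
    for name in sorted(pre["vpn_up"] - post["vpn_up"]):
        findings.append(("FAIL", f"IPsec tunnel {name} no longer has selectors up"))
    if len(post["leases"]) < len(pre["leases"]):
        findings.append(("WARN", f"DHCP leases {len(pre['leases'])} -> {len(post['leases'])}"))
    return findings


# Constructed 'pre' capture; layouts mimic FortiOS 5.x/6.x CLI output.
PRE = {
    "arp": """\
Address           Age(min)   Hardware Addr      Interface
10.0.1.10         0          00:0c:29:11:22:33  internal
10.0.1.11         3          00:0c:29:44:55:66  internal
203.0.113.1       0          00:1b:21:aa:bb:cc  wan1
""",
    "routes": """\
Codes: K - kernel, C - connected, S - static, B - BGP

S*      0.0.0.0/0 [10/0] via 203.0.113.1, wan1
C       10.0.1.0/24 is directly connected, internal
S       10.9.0.0/16 [10/0] via 10.0.1.254, internal
""",
    "vpn": """\
'site-b' 198.51.100.7:0  selectors(total,up): 1/1  rx(pkt,err): 1000/0  tx(pkt,err): 900/0
'site-c' 198.51.100.9:0  selectors(total,up): 1/1  rx(pkt,err): 50/0  tx(pkt,err): 40/0
""",
    "dhcp": """\
internal
  IP                  MAC-Address             Hostname   Expiry
  10.0.1.50           00:0c:29:aa:bb:01       pc1        Thu Jan  2 08:00:00 2020
  10.0.1.51           00:0c:29:aa:bb:02       pc2        Thu Jan  2 08:05:00 2020
  10.0.1.52           00:0c:29:aa:bb:03       pc3        Thu Jan  2 08:10:00 2020
""",
}


def _drop(text, needle):
    """Remove lines containing needle; only used to build the constructed 'post' sample."""
    return "\n".join(l for l in text.splitlines() if needle not in l) + "\n"


# Constructed 'post' capture: one host idle, one static route lost, one tunnel down, one lease fewer.
POST = {
    "arp": _drop(PRE["arp"], "10.0.1.11"),
    "routes": _drop(PRE["routes"], "10.9.0.0/16"),
    "vpn": PRE["vpn"].replace("selectors(total,up): 1/1  rx(pkt,err): 50/0",
                              "selectors(total,up): 1/0  rx(pkt,err): 0/0"),
    "dhcp": _drop(PRE["dhcp"], "10.0.1.52"),
}


def post_upgrade_findings(pre=PRE, post=POST):
    """Parse both captures and return the list of (severity, message)."""
    return compare_snapshots(parse_snapshot(pre), parse_snapshot(post))


if __name__ == "__main__":
    for sev, msg in post_upgrade_findings():
        print(sev, msg)
```

Feed it the saved CLI output of each command from before and after the step; any FAIL is a reason to pause before the next step in the upgrade path, while the WARNs are the expected after-hours noise the post mentions.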
Umm, Fortinet TAC once told me that best practice is to first upgrade all FortiGates and then upgrade the ADOM in FMG.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Take backups between each level. Can't hurt and will avoid much pain in case you brick. Chances are slim, but free insurance is good!
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
James_G wrote: The versions I listed are from the upgrade path tool, so it says go from 5.4.5 to 5.6.2, then step through the 5.6.x versions.
How many steps is it to max 5.4.x first, then jump to latest 5.6.x?
Hello, I will do a similar job: update all my 60D devices from version 5.2 to version 6.0.9.
Have you done that upgrade via the FGT GUI or FortiAnalyzer?
In my case none of the 60D devices (120 FGT60D) are under FortiManager yet, so I think I will do that upgrade step-by-step via the FGT GUI and afterwards put them all under FortiManager.
Any tip is welcome.
Hey there, we are in a similar situation and have done this on multiple occasions.
Regarding the firewall updates, take backups as you step through and follow Fortinet's upgrade path.
We have not had an issue in 80+ fortigates using their paths.
Just to add: the last time I did that was from 5.6 to 6.0 (ADOM and FMG), and even following the best practice above resulted in a load of issues after upgrading the ADOM.
Even TAC suggested what I wrote above, but they said that's the way they'd do it and that there is no "official" way except removing the FGTs from the ADOM, upgrading them and re-adding them to a new, upgraded ADOM, which with over 200 policies and objects is no alternative for me here...
Up to now I still cannot say if that was a failure of FMG/FGT/FortiOS or due to some database inconsistencies that were found in our FMG DB too. However, those were fixed before upgrading.
So it might always be helpful to perform a DB scan (and fix if it finds errors) on the FMG DB before you upgrade FMG or ADOM(s).
What also happened was that, after upgrading FMG itself to 6.2, it kept trying to roll out commands that did not exist on the FGT. TAC gave me a tip that fixed that: do a retrieve config on all FGTs in the ADOM.
hth
Sebastian