ad
New Contributor

Upgrades - any tips, tricks, comments?

It's time to start my first significant round of FortiGate upgrades and I am looking for tips and tricks from those who have done many. I'm using the following as a starting point: https://kb.fortinet.com/k...=FD35329&sliceId=1

 

Assumption - Firmware upgrades via the FG GUI can generally be relied upon to be hitless. 

 

Environment
- All firewalls are clusters and have serial consoles connected
- Clusters use 'session-pickup enable' and 'session-pickup-connectionless enable'
- I intend to use the FG GUI to perform the upgrades
- All firewalls are connected to FortiManager 6.0.8
- First upgrades will be to get all 5.4 firewalls to 5.6

 

Procedure for first (Lab) cluster/ADOM
1. Take FMG backup via GUI
2. Upgrade ADOM to 5.6 in GUI
3. Check Device Manager 'Config Status' is Auto-update/Synchronised in FMG
4. Take FG backup
5. Connect to serial consoles
6. Perform first step in Upgrade Path
7. Login to FG GUI and check Firmware version and cluster status
8. Login to FMG GUI and check Device Manager 'Config Status' is Auto-update/Synchronised
9. Repeat steps 6-8 for each step in Upgrade Path
10. Take backup via FG GUI

 

Any issues with that? Does it contain a sensible level of paranoia in the checks as the firmwares are stepped through?

I was planning to do the following in a single change: 5.4.5 (current version) -> 5.6.2 (1486) -> 5.6.6 (1630) -> 5.6.8 (1672) -> 5.6.11 (1700)

Thanks.

3 Solutions

Marked as solutions: the replies below from Dave_Hall (diff the old and new configs, read the config-error log), emnoc (post-upgrade monitoring of ARP, DHCP, routes and VPNs) and sw2090 (upgrade the FortiGates first, then the ADOM).
James_G
Contributor III

How many steps is it to max 5.4.x first, then jump to latest 5.6.x?
rwpatterson
Valued Contributor III

Take backups between each level. Can't hurt and will avoid much pain in case you brick. Chances are slim, but free insurance is good!

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Dave_Hall

Personally, after upgrading to a major firmware version, I do advise performing a diff compare between the new/old configs to see what has been changed. Sometimes, depending on what features are used, the conversion scripts will change some settings: add something or configure some settings.

 

E.g. convert old AP profiles to something similar under the new firmware, but give it a name like "tmp_ver50". Same with SSL/SSH profiles, where the defaults are now read-only in the newer firmwares: you have a new "custom_insert name".

 

And I believe country codes (if not listed in the older config) are added to the AP profiles. And it seems if SSL/SSH proxy options are not used on a firewall policy, a "deep SSL" proxy option is added automatically.

 

If you want to go the extra mile, perform on the CLI after each firmware upgrade: diagnose debug config-error-log read

 

 

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

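A worked version of the config diff described above, added here as an example; it is not code from the thread or from Fortinet. It assumes backups in the plain FortiOS `config / edit / set / next / end` text format and flattens them into paths so that anything the conversion scripts added, removed or renamed stands out. The two backups in the script are constructed samples (a renamed SSL/SSH profile, a country code appearing on an AP profile, a policy picking up a profile reference) and do not claim to reproduce what any real FortiOS upgrade emits.

```python
"""Structured diff of two FortiOS-style configuration backups.

Added example, not code from the thread or from Fortinet. It parses the
config / edit / set / unset / next / end block syntax of a FortiGate
backup into flat paths and reports what an upgrade's conversion scripts
added, removed or changed. OLD_CONFIG and NEW_CONFIG are constructed
samples and do not reproduce the output of any real FortiOS upgrade.
"""
import shlex
from typing import Dict, List, Tuple

Path = Tuple[str, ...]

# Constructed pre-upgrade backup (the shape of a 5.4-era config).
OLD_CONFIG = """\
config wireless-controller wtp-profile
    edit "FAP221C-lab"
        set platform-type 221C
    next
end
config firewall ssl-ssh-profile
    edit "deep-inspection"
        set comment "Lab full inspection"
        config https
            set ports 443
        end
    next
end
config firewall policy
    edit 1
        set name "lan-to-wan"
        set srcintf "internal"
        set dstintf "wan1"
        set action accept
    next
end
"""

# Constructed post-upgrade backup: a country code appeared on the AP
# profile, the custom SSL profile was copied to a new name because the
# default became read-only, and the policy now references the new name.
NEW_CONFIG = """\
config wireless-controller wtp-profile
    edit "FAP221C-lab"
        set platform-type 221C
        set country US
    next
end
config firewall ssl-ssh-profile
    edit "deep-inspection"
        set comment "Read-only deep inspection profile."
        config https
            set ports 443
        end
    next
    edit "custom-deep-inspection"
        set comment "Lab full inspection"
        config https
            set ports 443
        end
    next
end
config firewall policy
    edit 1
        set name "lan-to-wan"
        set srcintf "internal"
        set dstintf "wan1"
        set action accept
        set ssl-ssh-profile "custom-deep-inspection"
    next
end
"""


def parse_fortios_config(text: str) -> Dict[Path, str]:
    """Flatten a backup into {(table, entry, ..., attribute): value}.

    'config X' opens a table and 'edit K' an entry (stored with an empty
    value so that added/removed entries show up even with no settings);
    'set A v...' assigns, 'unset A' is stored as "<unset>", and
    'next'/'end' close the current scope. Comments and blanks are skipped.
    """
    flat: Dict[Path, str] = {}
    stack: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, *args = shlex.split(line)
        if keyword == "config":
            stack.append(" ".join(args))
        elif keyword == "edit":
            stack.append(args[0])
            flat[tuple(stack)] = ""
        elif keyword == "set":
            flat[tuple(stack) + (args[0],)] = " ".join(args[1:])
        elif keyword == "unset":
            flat[tuple(stack) + (args[0],)] = "<unset>"
        elif keyword in ("next", "end") and stack:
            stack.pop()
    return flat


def diff_configs(old: Dict[Path, str], new: Dict[Path, str]):
    """Return (added, removed, changed) dicts keyed by flattened path."""
    added = {p: v for p, v in new.items() if p not in old}
    removed = {p: v for p, v in old.items() if p not in new}
    changed = {p: (old[p], new[p]) for p in old if p in new and old[p] != new[p]}
    return added, removed, changed


def upgrade_report(old_text: str, new_text: str) -> List[str]:
    """One line per difference, in the order: added, removed, changed."""
    added, removed, changed = diff_configs(parse_fortios_config(old_text),
                                           parse_fortios_config(new_text))
    out = []
    for p, v in sorted(added.items()):
        out.append(f"+ {' > '.join(p)}" + (f" = {v}" if v else " (new entry)"))
    for p, v in sorted(removed.items()):
        out.append(f"- {' > '.join(p)}" + (f" = {v}" if v else " (entry removed)"))
    for p, (a, b) in sorted(changed.items()):
        out.append(f"~ {' > '.join(p)}: {a} -> {b}")
    return out


if __name__ == "__main__":
    print("\n".join(upgrade_report(OLD_CONFIG, NEW_CONFIG)))
```

Run it against the backup taken before step 6 and the one taken after each firmware step; a clean step shows nothing but the changes the release notes warn about, and a surprise entry in the "+" list (a new profile referenced by a policy, an attribute that was silently set) is exactly the kind of thing to read up on before moving to the next step. Settings that were only renamed show up as one "-" and one "+" line with the same value.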
emnoc
Esteemed Contributor III

Upgrades, if you follow the pre-designed migration path, almost never lead to issues. I would add post-upgrade monitoring of:

 

ARP table

DHCP monitor

routes

VPNs if applicable

 

You should be close to what you had at the start of the upgrade, but DHCP lease counts might be low if the upgrade is late hours and machines are powered down; the same for dial-up VPNs.

 

YMMV

 

Ken Felix

PCNSE 

NSE 

StrongSwan  

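The before/after comparison suggested above, written out as an added example (not code from the thread or from Fortinet). It takes console captures saved before and after the upgrade and applies different acceptance rules per table: a route or a site-to-site tunnel that was there before and is gone afterwards is a failure, an ARP entry that simply has not been relearned yet or a lower DHCP lease count after an off-hours window is only a warning. The captures in the script are constructed and their shape only approximates the output of `get router info routing-table all`, `get system arp`, `execute dhcp lease-list` and `get ipsec tunnel summary`; the regexes are assumptions to be checked against real output from your own firmware.

```python
"""Pre/post upgrade health comparison for a FortiGate.

Added example, not code from the thread or from Fortinet. BEFORE_* and
AFTER_* are constructed console captures whose layout only approximates
the real 'get router info routing-table all', 'get system arp',
'execute dhcp lease-list' and 'get ipsec tunnel summary' output, so the
regexes are assumptions to verify on real firmware. Rules: routes, ARP
bindings and tunnels must match; DHCP lease counts may be lower.
"""
import re
from typing import Dict, List, Set, Tuple

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
MAC = r"[0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){5}"
ROUTE_RE = re.compile(rf"^[A-Z]\*?\s+({IP}/\d+)\s+(.*)$")
ARP_RE = re.compile(rf"^({IP})\s+\d+\s+({MAC})\s+(\S+)$")
LEASE_RE = re.compile(rf"^{IP}\s+{MAC}\b")
TUNNEL_RE = re.compile(r"^'([^']+)'\s+\S+\s+selectors\(total,up\):\s+(\d+)/(\d+)")

# Constructed captures: one static route, one ARP binding and one tunnel
# are deliberately different after the "upgrade", and two leases are gone.
BEFORE_ROUTES = """\
Routing table for VRF=0
S*      0.0.0.0/0 [10/0] via 203.0.113.1, wan1
C       192.168.1.0/24 is directly connected, internal
S       10.20.0.0/16 [10/0] via 192.168.1.254, internal
"""
AFTER_ROUTES = """\
Routing table for VRF=0
S*      0.0.0.0/0 [10/0] via 203.0.113.1, wan1
C       192.168.1.0/24 is directly connected, internal
"""
BEFORE_ARP = """\
Address           Age(min)   Hardware Addr      Interface
192.168.1.10      0          00:0c:29:aa:bb:01  internal
192.168.1.20      1          00:0c:29:aa:bb:02  internal
192.168.1.254     2          00:0c:29:aa:bb:03  internal
"""
AFTER_ARP = """\
Address           Age(min)   Hardware Addr      Interface
192.168.1.10      0          00:0c:29:aa:bb:01  internal
192.168.1.20      0          00:0c:29:aa:bb:02  dmz
"""
BEFORE_LEASES = """\
192.168.1.101  00:11:22:33:44:01  laptop1
192.168.1.102  00:11:22:33:44:02  laptop2
192.168.1.103  00:11:22:33:44:03  printer
"""
AFTER_LEASES = "192.168.1.103  00:11:22:33:44:03  printer\n"
BEFORE_TUNNELS = """\
'site-b' 198.51.100.7:0  selectors(total,up): 1/1  rx(pkt,err): 120/0  tx(pkt,err): 98/0
'site-c' 198.51.100.9:0  selectors(total,up): 1/1  rx(pkt,err): 40/0  tx(pkt,err): 37/0
"""
AFTER_TUNNELS = """\
'site-b' 198.51.100.7:0  selectors(total,up): 1/0  rx(pkt,err): 0/0  tx(pkt,err): 0/0
'site-c' 198.51.100.9:0  selectors(total,up): 1/1  rx(pkt,err): 3/0  tx(pkt,err): 2/0
"""


def parse_routes(text: str) -> Set[str]:
    """Set of 'prefix rest-of-line' strings (whitespace normalised)."""
    found = (ROUTE_RE.match(raw.strip()) for raw in text.splitlines())
    return {f"{m.group(1)} {' '.join(m.group(2).split())}" for m in found if m}


def parse_arp(text: str) -> Dict[str, Tuple[str, str]]:
    """Map IP -> (MAC, interface); the age column is ignored on purpose."""
    found = (ARP_RE.match(raw.strip()) for raw in text.splitlines())
    return {m.group(1): (m.group(2).lower(), m.group(3)) for m in found if m}


def count_leases(text: str) -> int:
    """Number of rows that look like an 'IP MAC ...' lease."""
    return sum(1 for raw in text.splitlines() if LEASE_RE.match(raw.strip()))


def parse_tunnels(text: str) -> Dict[str, bool]:
    """Map tunnel name -> True when at least one selector is up."""
    found = (TUNNEL_RE.match(raw.strip()) for raw in text.splitlines())
    return {m.group(1): int(m.group(3)) > 0 for m in found if m}


def snapshot(routes: str, arp: str, leases: str, tunnels: str) -> dict:
    return {"routes": parse_routes(routes), "arp": parse_arp(arp),
            "leases": count_leases(leases), "tunnels": parse_tunnels(tunnels)}


def compare_snapshots(before: dict, after: dict, lease_tolerance: float = 0.5):
    """Return (failures, warnings); an empty failures list means pass."""
    failures: List[str] = []
    warnings: List[str] = []
    for r in sorted(before["routes"] - after["routes"]):
        failures.append(f"route missing after upgrade: {r}")
    for r in sorted(after["routes"] - before["routes"]):
        warnings.append(f"route new after upgrade: {r}")
    for ip, (mac, iface) in sorted(before["arp"].items()):
        if ip not in after["arp"]:
            warnings.append(f"ARP entry not (yet) relearned: {ip} on {iface}")
        elif after["arp"][ip] != (mac, iface):
            new_mac, new_iface = after["arp"][ip]
            failures.append(f"ARP binding changed: {ip} {mac}/{iface} -> {new_mac}/{new_iface}")
    floor = before["leases"] * (1 - lease_tolerance)   # assumed tolerance
    if after["leases"] < floor:
        warnings.append(f"DHCP leases dropped from {before['leases']} to {after['leases']}")
    for name, was_up in sorted(before["tunnels"].items()):
        if was_up and not after["tunnels"].get(name, False):
            failures.append(f"IPsec tunnel down after upgrade: {name}")
    return failures, warnings


if __name__ == "__main__":
    pre = snapshot(BEFORE_ROUTES, BEFORE_ARP, BEFORE_LEASES, BEFORE_TUNNELS)
    post = snapshot(AFTER_ROUTES, AFTER_ARP, AFTER_LEASES, AFTER_TUNNELS)
    fails, warns = compare_snapshots(pre, post)
    print("\n".join(["FAIL " + f for f in fails] + ["WARN " + w for w in warns]))
```

Capture the four commands from the serial console before step 6 of the procedure and again after each firmware step (and after failover back to the original primary), then feed the saved text to `snapshot` and `compare_snapshots`. The point of separating failures from warnings is that the noisy tables (ARP, DHCP) do not hide the one route or tunnel that genuinely did not come back; adjust `lease_tolerance` to how empty the site is at change-window time.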
ad
New Contributor

James_G wrote:
How many steps is it to max 5.4.x first, then jump to latest 5.6.x
The versions I listed are from the upgrade path tool, so it says go from 5.4.5 to 5.6.2 and then step through the 5.6.x versions.

maiconp340
New Contributor

Hello, I will do a similar job: update all my 60D devices from version 5.2 to version 6.0.9.

Have you done that upgrade via the FGT GUI or FortiAnalyzer?

 

In my case none of the 60D devices (120 FGT60D) are under FortiManager yet, so I think I will do that upgrade step by step via the FGT GUI and afterwards put them all under FortiManager.

 

Any tip is welcome.

 

MattyG2787
New Contributor

Hey there, we are in a similar situation and have done this on multiple occasions.

 

Regarding the firewall updates, take backups as you step through and follow fortinet's upgrade path.

 

We have not had an issue in 80+ fortigates using their paths.

sw2090
Honored Contributor

Umm, Fortinet TAC once told me that best practice is to first upgrade all FortiGates and then upgrade the ADOM in FMG.

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

sw2090
Honored Contributor

Thus, to add: the last time I did that was from 5.6 to 6.0 (ADOM and FMG); even going by the best practice above resulted in a load of issues after upgrading the ADOM.

Even TAC suggested what I wrote above, but they said that's the way they'd do it and there is no "official" way except removing the FGTs from the ADOM, upgrading them and re-adding them to a new, upgraded ADOM, which with over 200 policies and objects is no alternative for me here...

I up to now still cannot say if that was a failure of FMG/FGT/FortiOS or due to some database inconsistencies that were found in our FMG DB too. However, those were fixed before upgrading.

So it might always be helpful to perform a DB scan (and fix, if it finds errors) on the FMG DB before you upgrade FMG or ADOM(s).

 

What also happened was that, after upgrading FMG itself to 6.2, it kept trying to roll out commands that did not exist on the FGT. TAC gave me a tip that fixed that: do a retrieve config on all FGTs in the ADOM.

 

hth

Sebastian

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
