Its time to start my first significant round of Fortigate upgrades and am looking for tips and tricks from those that have done many. I'm using the following as a starting point; https://kb.fortinet.com/k...=FD35329&sliceId=1
Assumption - Firmware upgrades via the FG GUI can generally be relied upon to be hitless.
Environment - All firewalls are clusters and have serial consoles connected
- Clusters use 'session-pickup enable' and 'session-pickup-connectionless enable' - I intend to use the FG GUI to perform the upgrades - All firewalls are connected to FortiManager 6.0.8. - First upgrades will be to get all 5.4 firewalls to 5.6
Procedure for first (Lab) cluster/ADOM 1. Take FMG backup via GUI 2. Upgrade ADOM to 5.6 in GUI 3. Check Device Manager 'Config Status' is Auto-update/Synchronised in FMG 4. Take FG backup 5. Connect to serial consoles 6. Perform first step in Upgrade Path 7. Login to FG GUI and check Firmware version and cluster status 8. Login to FMG GUI an check Device Manager 'Config Status' is Auto-update/Synchronised 9. Repeat steps 6-8 for each step in Upgrade Path 10. Take backup via FG GUI.
Any issues with that? Does it contain a sensible level of paranoia in the checks as the firmwares are stepped through?
I was planning to do the following in a single change; 5.4.5 (current version) 5.6.2 1486 5.6.6 1630 5.6.8 1672 5.6.11 1700
Thanks.
Solved! Go to Solution.
Personally, at after upgrading to a major firmware version, I do advise performing a diff compare between the new/old configs to see what has been changed. Sometimes and depending what features are used, the conversions scripts will change some settings - add something or configure some settings.
Eg. convert old AP profiles to something similar under the new firmware, but give it a name like "tmp_ver50". Same with SSL/SSH profiles, where the defaults are now readonly in the newer firmwares - you have new "custom_insert name".
And I believe country codes (if not listed in the older config are added to the AP profiles. And it seems if SSL/SSH proxy option are not used on a firewall policy a "deep SSL" proxy option is added automatically.
If you want to go the extra mile, perform on the CLI after each firmware upgrade: diagnose debug config-error-log read
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
Upgrades if you follow the pre-design migration path almost never leads into issues. I would add post monitoring of
ARP table
DHCP monitor
routes
VPNs if applicable
You should be close to what you had at the start of upgrade but DHCP leases counts might be low if upgrade is late-hours and machines are power-down , the same for dialup vpns.
YMMV
Ken Felix
PCNSE
NSE
StrongSwan
umm Fortinet TAC once told me that best practie is to first upgrade all FortiGate and then upgrade the adom in FMG.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Take backups between each level. Can't hurt and will avoid much pain in case you brick. Chances are slim, but free insurance is good!
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Personally, at after upgrading to a major firmware version, I do advise performing a diff compare between the new/old configs to see what has been changed. Sometimes and depending what features are used, the conversions scripts will change some settings - add something or configure some settings.
Eg. convert old AP profiles to something similar under the new firmware, but give it a name like "tmp_ver50". Same with SSL/SSH profiles, where the defaults are now readonly in the newer firmwares - you have new "custom_insert name".
And I believe country codes (if not listed in the older config are added to the AP profiles. And it seems if SSL/SSH proxy option are not used on a firewall policy a "deep SSL" proxy option is added automatically.
If you want to go the extra mile, perform on the CLI after each firmware upgrade: diagnose debug config-error-log read
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
Upgrades if you follow the pre-design migration path almost never leads into issues. I would add post monitoring of
ARP table
DHCP monitor
routes
VPNs if applicable
You should be close to what you had at the start of upgrade but DHCP leases counts might be low if upgrade is late-hours and machines are power-down , the same for dialup vpns.
YMMV
Ken Felix
PCNSE
NSE
StrongSwan
James_G wrote:The versions i listed are from the upgrade path tool, so it says go from 5.4.5 to 5.6.2 then step through the 5.6.x versions.
How many steps is it to max 5.4.x first, then jump to latest 5.6.x
Hello, I will do similar job, update all my devices 60D from 5.2 version to 6.0.9 version.
have you done that upgrade by FGT GUI or FortiAnalizer ?
In my case neither devices 60D ( 120 FGT60D ) are under fortimanger yet so I think to do that upgrade step-by-step by FGT GUI and after put all under Fortimanger.
Any tip is welcome.
Hey there, we are in a similar situation and have done this on multiple occasions.
Regarding the firewall updates, take backups as you step through and follow fortinet's upgrade path.
We have not had an issue in 80+ fortigates using their paths.
umm Fortinet TAC once told me that best practie is to first upgrade all FortiGate and then upgrade the adom in FMG.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
thus to add: the last time I did that was from 5.6 to 6.0 (adom and FMG) even going best pratice as above resulted in a load of issues after upgrading the adom.
Even TAC suggested what I wrote above but they said that's the way they'd do it but there is no "official" way execpt from removing the FGTs from adom, upgrade them and re-add them to a new upgraded adom wich with over 200 Policies and objects is no alternative for me here...
I up to now still cannot say if that was a fail of FMG/FGT/FortiOS or due to some database inconsistencies that wer found in ou FMG db too. However those were fixed before upgrading.
So it might be always helpful to perform a db scan (and fix if it finds errors) on fmg db before you upgrade fmg or adom(s).
What also happened to was that - after upgrading FMG itself to 6.2 - it kept trying to roll out commands that did not exist on the FGT. Tac gave me a tip that fixed that: do a retrieve config on all FGT in the adom.
hth
Sebastian
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1737 | |
1107 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.