apex
New Contributor

active-passive firmware upgrade

Hi All, I wonder if you can help me. I've got two Fortigate 110C boxes running in an active-passive cluster. They are on firmware 3.0 and I'd like to upgrade them to 4.0 MR3. I know that I can't jump directly from 3.0 to 4.0 MR3 and will have to do it step by step, but I was wondering what the best way to do it is. Do I upgrade the master first and the slave will automatically get upgraded? Or do I have to break the cluster and do it separately? What does the process look like? Thanks in advance! A
ede_pfau
SuperUser

Hi, and welcome to the forums. Apparently you're very new to the forums and haven't read a lot about current firmware versions. So I will help you: stay away from 4.3 for now! There have been a number of serious bugs and inconsistencies reported which have not been fixed yet; employing this release is asking for trouble. Just do a quick search on "4.3" or "MR 3".

The update process is easy: using the Web GUI, start the upgrade. The cluster itself will organize it in such a way that the least possible downtime will occur. Specifically,
- the passive slave will be upgraded first and reboot
- the cluster will fail over to the upgraded slave
- the passive slave (ex master) will be upgraded and reboot
- depending on your settings, one last failover will happen (or not)

So actually, you will sit and watch all the time. Please read the Release Notes carefully and follow the recommended path through the intermediate releases. It can't be bad to check if the config has been converted flawlessly in between upgrades:
 diag debug config-error-log read
Ede Kernel panic: Aiee, killing interrupt handler!
Zyndarius
New Contributor

Taking the chance. Approximately how much time does the process take in a cluster composed of 2 Fortigates? 1 hour maybe? Or more? Is the amount of time it is going to take dependent on the Fortigate's hardware? Thanks in advance for any feedback.
emnoc
Esteemed Contributor III

Time is not that long. In a pinch you could do this in 15-30 mins, or the time it takes to send the firmware and the reboots for the A/P members, assuming just 2 members. One thing that you will need to do is break the standby away from the cluster (assign it an ip_address) so that you can upload the firmware to the standby unit.

PCNSE NSE StrongSwan
Zyndarius
New Contributor

But shouldn't the master unit upload the new firmware to the stand-by unit?
emnoc
Esteemed Contributor III

Fortinet has a big document on the upgrade process for the hit-less upgrades. IIRC I don't think they made any changes in the latest code with the process, but review the documentation. It's very straightforward for hit-less upgrades between master/standby unit(s).

PCNSE NSE StrongSwan
ede_pfau
SuperUser

Whoa! Don't get confused by that last post: you don't have to break the cluster to upgrade, and IMHO you shouldn't by any means. Maybe in the days of v2.80 code it was wise to do so, but all steps that emnoc described (and as lined out in my first post) are nowadays taken by the upgrade logic automatically. The firmware image is shoved over via the HA link - watch the activity LED on that port.

Breaking a cluster involves assigning new IPs to all ports (or cutting all ports but one off), plus rebooting, the slave unit gets new MAC addresses etc. etc. Heavens, let the FGTs do that and don't interfere.

As with every major operation it's wise to watch the upgrade process - from the console port. The reason is that on the console port you can see certain messages which are not duplicated in syslog or in the SSH console. In very few cases the slave unit didn't come back on after the upgrade; that was due to corrupted configuration, mismatched upgrade path or such. Of course we had to resort to breaking up the cluster then to avoid downtime. But those were rare occasions, and certainly before v3.00MR3.
Ede Kernel panic: Aiee, killing interrupt handler!
apex
New Contributor

Thank you guys for your replies, it looks like the whole process is not that complex, of course - if everything goes as planned. Do you by any chance know if any other firmware can be used, as Fortinet doesn't host on their ftp server anything for 110C that is lower than 3.0 MR6 P4, and I have to start the upgrade from 3.0. Shall I use one for FGT_100? 100A? Thank you in advance, A
ede_pfau
SuperUser

No, you cannot use a firmware image for a different hardware. A 110C is not a 100A. You can find the images on Fortinet's ftp server down to v2.80. In the v3.00 folder, everything older than 3.0MR3 is in 'Archives'. The 110C was not included in the Product Matrix of May 2008 but I've got a datasheet of it from August 2008. The first FortiOS firmware available for the 110C is 3.00 MR6 patch4, build 673, from October 2008. You simply cannot have any version before that on your machine.
Ede Kernel panic: Aiee, killing interrupt handler!
ede_pfau
SuperUser

Upgrade path: 3.6.4 brings you directly to 4.0.4. 4.0.4 brings you either to 4.1.10 or 4.2.8, whichever you like better (green/white layout).
Ede Kernel panic: Aiee, killing interrupt handler!