Madhu_G
Staff
Article Id 260024
Description: This article describes the firmware signature validation check on FortiGate 6000/7000 chassis platforms when they are upgraded to 6.4.13 or 7.0.12.
Scope: FortiGate-6000/7000 chassis platforms.
Solution

Starting from 6.4.13 and 7.0.12, a security level is enabled for firmware signature validation.

Firmware upgrade for 7.0.12:

When upgrading the chassis to version 7.0.12, it is necessary to verify the certified/un-certified status of the FPC/FPM modules in the output of 'get system status'. This is due to the new firmware signature verification introduced in firmware version 7.0.12.

6300F [FPC01] $ get sys status
Firmware Version: v7.0.12,build0168,230612 (GA.M)
Security Level: 1
Firmware Signature: ****un-certified****

6300F(global) # get sys status
Version: FortiGate-6301F v7.0.12,build0168,230612 ****(Non-GA.M) *****
Security Level: 1
Firmware Signature: certified


If the firmware signature shows as un-certified, if the line 'Firmware Signature: certified' is not visible, or if the build is labeled Non-GA.M as shown above, there is no need to be alarmed.

It will not impact the normal operation or performance of the device, but it is strongly recommended to fix this issue.

This issue can be fixed by re-uploading the same 7.0.12 build once more on the 6K/7K platforms.

However, before going ahead with fixing this issue, it is necessary to validate the device functionality on 7.0.12 first, to ensure the build is stable for the environment. This keeps a smooth rollback option available in case the 7.0.12 build proves unstable in the environment.

Here is the output of the get sys status command with the Firmware Signature status highlighted:
Note that the firmware signature validation output varies by hardware platform and firmware version.

- Expected output for 7.0.12
Version: FortiGate-6301F v7.0.12,build0168,230612 (GA.M)
Security Level: 1
Firmware Signature: certified
- Expected output for a firmware upgrade to 6.4.13
FortiGate-6000F / 7000E:
Version: FortiGate-6501F v6.4.13,build1930,230609 (GA.M)
Security Level: 1   <-----
Virus-DB: 91.04143(2023-06-12 18:20)
FortiGate-7000F:
Version: FortiGate-7121F v6.4.13,build1930,230609 (GA.M)
Security Level: 0
Firmware Signature: certified

Since the 7000F is a newer platform, it is possible to see the firmware signature as certified in 6.4.13 while the security level is set to 0, because on this platform the BIOS is preprogrammed to verify firmware signatures.
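As an added example (not a Fortinet tool and not part of this article), the following Python parses saved 'get sys status' output and applies the decision described above: re-upload when the signature is un-certified, the build is tagged Non-GA.M, or, on 7.0.12, the certified line is absent, while tolerating the 6.4.13 6000F/7000E output that has no signature line at all. The sample outputs are constructed from the excerpts in this article, and the 7.0.12 version threshold is an assumption drawn from them.

```python
import re

# Constructed sample outputs, modelled on the 'get sys status' excerpts in the article.
FPC_UNCERTIFIED = """Firmware Version: v7.0.12,build0168,230612 (GA.M)
Security Level: 1
Firmware Signature: ****un-certified****"""
GLOBAL_NON_GA = """Version: FortiGate-6301F v7.0.12,build0168,230612 ****(Non-GA.M) *****
Security Level: 1
Firmware Signature: certified"""
GOOD_7012 = """Version: FortiGate-6301F v7.0.12,build0168,230612 (GA.M)
Security Level: 1
Firmware Signature: certified"""
GOOD_6413_6000F = """Version: FortiGate-6501F v6.4.13,build1930,230609 (GA.M)
Security Level: 1
Virus-DB: 91.04143(2023-06-12 18:20)"""
GOOD_6413_7000F = """Version: FortiGate-7121F v6.4.13,build1930,230609 (GA.M)
Security Level: 0
Firmware Signature: certified"""

def parse_status(text):
    """Extract the signature-validation fields from one 'get sys status'
    output (FPC/FPM or global context)."""
    ver = re.search(r"^(?:Firmware )?Version:\s*(.+)$", text, re.M)
    lvl = re.search(r"^Security Level:\s*(\d+)", text, re.M)
    sig = re.search(r"^Firmware Signature:\s*\**\s*([A-Za-z-]+)", text, re.M)
    version_line = ver.group(1) if ver else ""
    fw = re.search(r"\bv(\d+)\.(\d+)\.(\d+)", version_line)
    return {
        "version": tuple(int(x) for x in fw.groups()) if fw else None,
        "non_ga": "Non-GA.M" in version_line,            # build tagged Non-GA.M
        "security_level": int(lvl.group(1)) if lvl else None,
        "signature": sig.group(1).lower() if sig else None,  # None: line absent
    }

def needs_reupload(text):
    """True when the article's remedy applies (re-upload the same build):
    signature un-certified, build tagged Non-GA.M, or, on 7.0.12, the
    'Firmware Signature: certified' line absent. On 6.4.13 the 6000F/7000E
    output has no signature line at all, so its absence is not flagged there
    (assumed threshold: 7.0.12 and later require the line)."""
    s = parse_status(text)
    if s["non_ga"] or s["signature"] == "un-certified":
        return True
    return s["signature"] is None and s["version"] is not None and s["version"] >= (7, 0, 12)
```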