Andy_G
Staff
Article Id 195910

Description
Firmware Upgrade Help Document

Scope

FortiOS Upgrade - using TFTP and GUI.
FortiOS Downgrade.
Discussion of error messages.
Supported Firmware versions.


Solution

FIRMWARE UPGRADE

For information on firmware and firmware upgrades, refer to the “Basic Setup” and “Firmware” sections of the FortiOS 4.0 and 5.0 FortiGate Administration Guide.

Fortinet recommends reviewing this section before upgrading because it contains important information about how to properly back up your current configuration settings and what to do if the upgrade is unsuccessful.

In addition to firmware images, Fortinet releases patch releases—maintenance release builds that resolve important issues. Fortinet strongly recommends reviewing the release notes for the patch release before upgrading the firmware.

Follow the steps below:

  • Download and review the release notes for the patch release.
  • Download the patch release.
  • Back up the current configuration.
  • Install the patch release using the procedure “Testing firmware before upgrading”.
  • Test the patch release until you are satisfied that it applies to your configuration.

Caution: Installing a patch release without reviewing release notes or testing the firmware may result in changes to settings or unexpected issues.

Note: After upgrading firmware, perform an “Update Now” (System → Config → FortiGuard → AV and IPS options) to retrieve the latest AV/NIDS signatures from the FortiGuard Distribution Network (FDN), as the signatures included in the firmware may be older than those currently available on the FDN.

UPGRADE PATH

Please refer to the release notes of the release you want to install for the correct upgrade path. The release notes are found in the same file folder as the firmware image, as a PDF document. It is important to upgrade your firmware as per the supported path. The release notes also advise of any re-configuration that you may need to make after completing the upgrade.

 

BOOT ALTERNATE FIRMWARE OPTION

This feature is available for FortiGate 100 units or higher. The Boot Alternate Firmware option is located in System → Dashboard → Status → System Information → Firmware Version → [Details]. This option enables you to have two firmware images, such as FortiOS 4.0 MR3 Patch Release 7 and FortiOS 4.0 MR3 Patch Release 12, available on separate partitions, and is useful for downgrading/upgrading purposes.

FGT_CSR # diag sys flash list

Partition  Image                           TotalSize(KB)  Used(KB)  Use%  Active
1          FG200B-4.00-FW-build632-120705  64485          27499     43%   No
2          FG200B-4.00-FW-build646-121119  64485          27440     43%   Yes
3          FLDB-10.00974                   3715588        313224    8%    No
Image build at Nov 20 2012 02:14:41 for b0646

 

FIRMWARE DOWNGRADE

When downgrading firmware through the GUI, your full configuration will NOT remain intact. It is important to refer to the firmware release notes for further information before downgrading your firmware. The best practice for a successful downgrade is to reformat the device, reload the original firmware and restore the configuration backup that you made prior to upgrading your firmware.

For more information please refer to the FortiGate Administration Guide – Managing Firmware Versions.

Formatting a FortiGate hard disk - see related article

Loading FortiGate firmware using TFTP - see related article

Back up and Restore

  • FortiGate Administration Guide

  • System Maintenance

  • Back Up and Restore

FIRMWARE BEST PRACTICE

  • Plan a maintenance window to perform the firmware upgrade. The device will reboot during the upgrade process

  • Remote firmware upgrades are not recommended unless upgraded via a FortiManager

  • Back up the current configuration prior to each upgrade

  • Upgrade as per the specified upgrade path, found in the release notes

  • It is best practice to stay up to date with patch releases within your current MR (Major Release). Please consult Technical Support or your Fortinet Partner/Reseller prior to upgrading to a new MR or new FortiOS release to ensure that this new MR or OS is considered stable for your production environment.

Note: In addition to major releases that contain new features, Fortinet releases patch releases that resolve specific issues without containing new features and/or changes to existing features. It is recommended to download and install patch releases as soon as they are available.

 

FIRMWARE IMAGES

Fortinet Technical Support web site: http://support.fortinet.com

  • Firmware images are available on our support site under “Firmware Images”

  • To find out your current build, refer to the GUI under System → Dashboard → Status → System Information, or run get system status from the CLI. As there were two naming conventions for firmware in FortiOS, the “Branch Point” is the correct three-digit build number as reflected on the support site for firmware downloads. For example, in the output below, the branch point is 646, which is MR3 Patch Release 11.

 

FG200B3909600135 # get system status
Version: Fortigate-200B v4.0,build0646,121119 (MR3 Patch 11)
Virus-DB: 14.00000(2011-08-24 17:17)
Extended DB: 14.00000(2011-08-24 17:09)
IPS-DB: 3.00150(2012-02-15 23:15)
FortiClient application signature package: 4.322(2013-03-27 14:40)
Serial-Number: FG200B3909600135
BIOS version: 04000006
Log hard disk: Need format
Internal Switch mode: switch
Hostname: FG200B3909600135
Operation Mode: NAT
Current virtual domain: root
Max number of virtual domains: 10
Virtual domains status: 1 in NAT mode, 0 in TP mode
Virtual domain configuration: disable
FIPS-CC mode: disable
Current HA mode: standalone
Distribution: International
Branch point: 646
Release Version Information: MR3 Patch 11
System time: Wed Mar 27 17:45:44 2013

 

  • Images are specific to the device that you are using and follow the same naming convention

  • FWF → FortiWiFi, FGT → FortiGate

  • Characters following the device ID such as “A” “B” “LENC” are important identifiers as well. Attempting to update a FWF60A with a FWF60B image will result in a failure error

  • LENC are for Low Encryption Devices

FWF_60B-v300-build0740-FORTINET.out is the correct image for a FortiWiFi 60B

FGT_310B-v300-build0740-FORTINET.out is the correct image for a FortiGate 310B
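As an added example (not part of the original article and not Fortinet code), the following Python pre-upgrade check parses the get system status output shown above and an image file name in the convention just described, then flags a platform mismatch, a same-build install, or a downgrade. The function names are hypothetical; reading "v300" as version 3.00, the "FortiWiFi" spelling in status output, and the two FGT_200B file names are assumptions or constructed samples.

```python
import re

# Product names from the "Version:" line mapped to the image prefixes the
# article lists. The "FortiWiFi" spelling in status output is an assumption.
PREFIX = {"fortigate": "FGT", "fortiwifi": "FWF"}
STATUS_RE = re.compile(r"^Version:\s*([A-Za-z]+)-(\S+)\s+v(\d+)\.(\d+),build(\d+)", re.M)
BRANCH_RE = re.compile(r"^Branch point:\s*(\d+)", re.M)
IMAGE_RE = re.compile(r"^([A-Z]+)_(.+?)-v(\d+)-build(\d+)-FORTINET\.out$")

def parse_status(text):
    """Extract platform, FortiOS version and branch point from CLI output."""
    ver, bp = STATUS_RE.search(text), BRANCH_RE.search(text)
    if not ver or not bp:
        raise ValueError("input is not 'get system status' output")
    product, model, major, minor, _build = ver.groups()
    return {"platform": (PREFIX.get(product.lower()), model.upper()),
            "version": (int(major), int(minor)), "build": int(bp.group(1))}

def parse_image(name):
    """Split an image file name; 'v300' is read as 3.00 (assumed encoding)."""
    m = IMAGE_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised image name: {name}")
    prefix, model, ver, build = m.groups()
    return {"platform": (prefix, model.upper()),
            "version": (int(ver[0]), int(ver[1:] or 0)), "build": int(build)}

def check_image(status_text, image_name):
    """Return a list of findings; an empty list means no objection."""
    dev, img = parse_status(status_text), parse_image(image_name)
    findings = []
    if dev["platform"] != img["platform"]:
        findings.append("platform mismatch")
    dev_rel, img_rel = (dev["version"], dev["build"]), (img["version"], img["build"])
    if img_rel == dev_rel:
        findings.append("same build as running firmware")
    elif img_rel < dev_rel:
        # Older release, or a lower build within the same release.
        findings.append("downgrade")
    return findings

# Trimmed from the article's 'get system status' output.
SAMPLE_STATUS = """\
Version: Fortigate-200B v4.0,build0646,121119 (MR3 Patch 11)
Serial-Number: FG200B3909600135
Branch point: 646
"""

if __name__ == "__main__":
    for name in ("FGT_310B-v300-build0740-FORTINET.out",   # from the article
                 "FGT_200B-v400-build0632-FORTINET.out",   # constructed name
                 "FGT_200B-v400-build0700-FORTINET.out"):  # constructed name
        print(name, check_image(SAMPLE_STATUS, name) or "ok")
```

A "downgrade" finding corresponds to the case described under FIRMWARE DOWNGRADE, where the configuration does not remain intact and a backup is needed first.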

 

Verifying the MD5 checksum - see related article on verification steps

 

HIGH AVAILABILITY (HA) UPGRADES

Please refer to the HA Overview and HA Guide for information on the upgrade procedures for HA configurations.

HA Guide 4.0 MR3: http://docs.fortinet.com/fgt/handbook/40mr3/fortigate-ha-40-mr3.pdf

HA Guide 5.0: http://docs.fortinet.com/fgt/handbook/50/fortigate-ha-50.pdf


ERROR MESSAGES

See the related articles: False alarm during upgrade (configuration will return to "Factory Default"), Upload file is too big or invalid message, and Explanation of the “File is not an update file” message

 
 
SUPPORTED FIRMWARE


Please refer to the Fortinet Product Life Cycle Policy available on the Fortinet Support site.

 

Related Articles

Technical Tip: Formatting and loading FortiGate firmware image using TFTP

False alarm message "Factory Default"

Upload file is too big or invalid

Technical Tip: Resolve the "File is not an update file" error message
