FortiGate
gakshay
Staff
Article Id 197938

Description

 

This article describes the procedure to configure the automatic installation of firmware and the system configuration from a USB disk when the FortiGate unit restarts.

 

Scope

 

Any supported version of FortiGate firmware on any FortiGate unit with a USB disk connection.


Solution

 

Use the steps in this article to configure automatic installation of firmware and system configuration from a USB disk when the FortiGate unit restarts and to prepare a USB disk to use in this process.

If the configuration is in place and the firmware image is updated, the installation and configuration both occur on the same reboot. The FortiGate unit will not reload a firmware or configuration file that has already been loaded. Third-party USB disks are supported.

 

For a FAT16 drive:


To format a USB disk connected to the FortiGate unit, enter the following command in the CLI:

 

# exe usb-disk format


To format the USB disk when it is connected to a Windows system, enter the following command at the Windows command prompt:

 

# format <drive_letter>: /FS:FAT /V:<drive_label>

 

Replace <drive_letter> with the letter of the connected USB drive to format (for example, 'E'), and replace <drive_label> with the name to give the USB disk volume for identification (for example, 'FortiGate update').

 

For a FAT32 drive:

 

Before proceeding, format the USB disk on a Windows machine with the following process:

 

1) Open the command line as an administrator.

2) Run 'diskpart'.

3) Enter 'list disk' in the DiskPart prompt that appears.

 

If the USB disk listing has '*' under the GPT column, it means the USB disk has a GPT partition table. Proceed as follows, entering the following commands in the DiskPart prompt:

 

# select disk <n> <-- where 'n' is the USB disk number from the prior listing
clean
convert mbr
create partition primary
format fs=fat32

 

Wait until the format operation finishes and enter the 'exit' command to exit DiskPart.

After converting the USB disk to MBR, it should be visible on both the Windows machine and FortiGate.

 

Use the following configuration commands to configure the automatic installation of firmware and system configuration from a USB disk when the FortiGate unit restarts.

 

# config system auto-install
    set auto-install-config {enable | disable}   Enable/disable automatic installation of the configuration file from the USB disk.
    set auto-install-image {enable | disable}   Enable/disable automatic installation of the firmware image from the USB disk.
    set default-config-file {string}   Default configuration file name on the USB disk. Size = 127.
    set default-image-file {string}   Default image file name on the USB disk. Size = 127.
end

 

Disable auto installation with USB:


An attacker with physical access to a FortiGate device could load a new configuration or new firmware on the FortiGate using the USB port and reboot the device through a power cut. This could allow them to compromise the FortiGate unit.

 

To avoid this, disable automatic update from USB entirely by executing the following CLI commands:

 

# config system auto-install
    set auto-install-config disable
    set auto-install-image disable
end
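
To confirm that this hardening is present in saved configuration files, the following added example (not part of the original article and not Fortinet code) reads the 'config system auto-install' block and reports any setting that is not explicitly disabled. It assumes the saved file uses the config / set / end layout shown above; the function names and the sample text are constructed for illustration.

```python
import re

# Settings named in the article's "config system auto-install" block.
USB_SETTINGS = ("auto-install-config", "auto-install-image")

def parse_auto_install(config_text):
    """Return {setting: value}; a setting absent from the text is 'unset'."""
    found = {name: "unset" for name in USB_SETTINGS}
    in_block = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not in_block:
            in_block = re.fullmatch(r"config\s+system\s+auto-install", line) is not None
            continue
        if line == "end":
            break
        m = re.fullmatch(r"set\s+(\S+)\s+(.+)", line)
        if m and m.group(1) in found:
            found[m.group(1)] = m.group(2).strip('"')
    return found

def audit(config_text):
    """Return a list of findings; an empty list means both are explicitly disabled."""
    findings = []
    for name, value in parse_auto_install(config_text).items():
        if value == "enable":
            findings.append(f"{name} is enabled: USB auto-install is possible at reboot")
        elif value != "disable":
            # The file alone does not show which value the unit is using.
            findings.append(f"{name} is {value}: confirm the effective value on the unit")
    return findings

# Constructed sample exports (not taken from a real device).
HARDENED = """config system auto-install
    set auto-install-config disable
    set auto-install-image disable
end
"""
PARTIAL = """config system global
    set hostname "fw-lab"
end
config system auto-install
    set auto-install-image enable
end
"""

if __name__ == "__main__":
    for label, text in (("HARDENED", HARDENED), ("PARTIAL", PARTIAL)):
        print(label, audit(text) or "OK")
```

A setting reported as unset is treated as a finding because the file does not record the value in effect; check it on the unit itself.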