FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
cmaheu
Staff
Article Id 196282

Description

When upgrading from a pre-8.8 version to 8.8 or higher, the upgrade may hang if the appliance does not have external FTP access.
 
The upgrade introduces a new local RADIUS server feature that requires additional CentOS patches. The patches are downloaded and installed during the upgrade process. To download them, the upgrade writes a new .repo file that specifies FTP as the transfer protocol.
 
Scope
Version:  8.8.x

Solution
Solution:  Addressed in versions 8.8.3 and 9.1.0.
 
Workaround:
Option 1:  Customers that currently do not have a README and want to upgrade themselves should do the following:

a. Modify the firewall to allow FTP access for the eth0 IP address of each appliance until the upgrade is completed.

b. Once completed, modify the repo files to the desired protocol for future OS updates. For instructions, refer to the Appendix in the CentOS Updates document in the Fortinet Document Library.
 
Note:  These changes are persistent through upgrades.
 
Option 2:  If the Local RADIUS feature will not be used, bypass winbind and radiusd installation so system startup will complete. 
 
Perform the following steps prior to upgrade:
1. Log in to each appliance CLI as root.
2. Create the following two files, each containing "exit 0" (without the quotes):
/bsc/campusMgr/bin/internal/install-winbind
/bsc/campusMgr/bin/internal/install-radiusd

 
 
Option 3: If Proxy is required for OS update, configure each appliance with the appropriate proxy.
 
Perform the following steps prior to upgrade:
1. Log in to each appliance CLI as root.
2. Edit /etc/yum.conf
3. Set environment variable
proxy=http://<Proxy-Server-IP-Address>:<Proxy-Port>
4. If a user name and password are required for the proxy, add the following:
proxy_username=<Proxy-User-Name>
proxy_password=<Proxy-Password>

 
Customers should contact Support to schedule the upgrade if any of the following apply:
  • System currently has a README file in place (custom configurations that don't persist through an upgrade)
  • Do not want to upgrade themselves
  • Cannot make the temporary firewall change
  • Require assistance with Options 2 or 3
 
ID 676065


Upgrade instructions when FTP access cannot be allowed

1.  Download the install script via Administration UI.  Follow steps 1-8 in the section Upgrade Using the Administration UI of the Upgrade Instructions and Considerations document.  
https://docs.fortinet.com/document/fortinac/8.6.0/upgrade-instructions-and-considerations/699092/upg...

2.  Once the download is complete, log out of the UI.

3.  Open two SSH sessions to the appliance (login as root): One to initiate the upgrade (window 1) and the other for modifying the repo files (window 2).

4.  In Window 1 type
cd /bsc/campusMgrUpdates

5.  In Window 2 type
cd /etc/yum.repos.d/

6.  In window 1 start the upgrade by typing the downloaded script filename

Examples:
FNAC_install_8.8.0_build1704.bin
FNAC_install_8.8.1_build1710.bin

7.  Watch the upgrade progress in window 1 for the repo files networkradius.repo and bradford.repo.rpmnew to be written.

8.  In Window 2, modify /etc/yum.repos.d/networkradius.repo
Change all instances of the baseurl to reflect the correct protocol and save

Example:
Change
ftp://fortinacftp

To
http://fortinacftp


9.  In Window 2, modify /etc/yum.repos.d/bradford.repo.rpmnew
Change all instances of the baseurl to reflect the correct protocol and save

Once these files are modified, the appliance should be able to complete the OS updates and software upgrade. 
If the repo files are modified after the first attempt to download the OS files, the appliance will try again.

 
Note:  The .repo file changes are persistent through upgrades.
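
Steps 8 and 9 as a shell function, added here as an example and not part of Fortinet's instructions: it rewrites only the scheme on baseurl lines that still use ftp://, keeps a backup of the original file, and can be re-run safely. The name switch_repo_scheme and the .ftp.bak backup suffix are assumptions.

```shell
#!/bin/sh
# Added example, not Fortinet code. switch_repo_scheme is a hypothetical helper.
# Rewrites only the scheme of ftp:// baseurl lines in one yum repo file and
# keeps the first original as <file>.ftp.bak.
# usage: switch_repo_scheme <repo-file> [http|https]   (default: http)
switch_repo_scheme() {
    srs_repo=$1
    srs_scheme=${2:-http}
    srs_match='^[[:space:]]*baseurl[[:space:]]*=[[:space:]]*ftp://'

    # Step 7: the upgrade has to write the file before it can be edited.
    [ -f "$srs_repo" ] || { echo "not written yet: $srs_repo" >&2; return 2; }
    case $srs_scheme in
        http|https) ;;
        *) echo "unsupported scheme: $srs_scheme" >&2; return 3 ;;
    esac

    # Safe to re-run: do nothing when no baseurl still uses ftp://.
    if ! grep -Eq "$srs_match" "$srs_repo"; then
        echo "no ftp baseurl left in $srs_repo"
        return 0
    fi

    # Keep the first original; never overwrite it on a later run.
    [ -e "$srs_repo.ftp.bak" ] || cp -p "$srs_repo" "$srs_repo.ftp.bak" || return 1

    # Write through a temp file, then copy the content back so the repo file
    # keeps its owner and mode.
    srs_tmp=$(mktemp) || return 1
    if sed "s#^\([[:space:]]*baseurl[[:space:]]*=[[:space:]]*\)ftp://#\1${srs_scheme}://#" \
        "$srs_repo" > "$srs_tmp" && cat "$srs_tmp" > "$srs_repo"
    then srs_rc=0; else srs_rc=1; fi
    rm -f "$srs_tmp"
    [ "$srs_rc" -eq 0 ] || return 1

    # Show the resulting baseurl lines for review.
    grep -n '^[[:space:]]*baseurl' "$srs_repo"
}

# In window 2, once window 1 shows both files written (steps 8 and 9):
#   switch_repo_scheme /etc/yum.repos.d/networkradius.repo
#   switch_repo_scheme /etc/yum.repos.d/bradford.repo.rpmnew
```

A return code of 2 means the upgrade has not written the file yet; run the function again once it appears.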


