FortiGate
wdeloraine_FTNT
Article Id 268494
Description This article describes the steps needed to restore a chassis-based FortiGate appliance (firmware and configuration) after an RMA, covering a whole-chassis swap as well as backplane-only and single-module replacements.
Scope Any chassis-based FortiGate.
Solution

Restore the firmware on the chassis-based FortiGate

 

6000 series chassis

 

First, make sure the firmware image to be restored is at hand.

Secondly, set the laptop NIC to IP address 192.168.1.10, mask 255.255.255.0 (the FortiGate's mgmt1 interface answers on 192.168.1.99 at factory defaults).

Connect the laptop to the mgmt1 interface with an RJ45 cable.

 


 

Some checks need to be performed before pushing the firmware:

  • Connect to the console or SSH to 192.168.1.99. The default user is 'admin' and the default password is '' (blank). Newer FortiOS releases prompt for a new admin password at the first login of a factory-default unit; if the replacement unit does so, set one and keep it for the later steps.
  • Run the following commands:

config global
diagnose load-balance status | grep "Status Message"

 

Example output for a 6500f:

 

diagnose load-balance status | grep "Status Message"
Status Message:"Running"
Status Message:"Running"
Status Message:"Running"
Status Message:"Running"
Status Message:"Running"
Status Message:"Running"
Status Message:"Running"
Status Message:"Running"
Status Message:"Running"
Status Message:"Running"

  

Hardware   Number of 'Running' messages expected
6300f      6
6500f      10
 

If not all status messages show 'Running' after a few minutes, reboot the FortiGate to fix the issue:

 

config global
execute reboot

 

When all messages are in the 'Running' state, proceed to the upgrade.
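The health check above, and its repeats later in this article, boils down to counting the 'Running' lines and comparing the count with the table for the hardware. The following script is an added example, not part of the Fortinet article: it wraps that comparison so it can be run against a pasted or logged copy of the `diagnose load-balance status` output. The sample outputs inside it are constructed, the 6000-series counts come from the table above, and the 7000-series rule (FIMs × FPMs) is an assumption derived from the article's 7000-series table (1×2=2, 2×2=4, 2×3=6, 2×4=8).

```shell
#!/bin/sh
# Added example, not from the Fortinet article: turn the repeated
#   config global
#   diagnose load-balance status | grep "Status Message"
# health check into a pass/fail verdict. The sample outputs below are
# constructed to look like the article's examples; they were not captured
# from a real chassis.

# Expected number of 'Running' lines. 6000 series: fixed per model (article
# table). 7000 series: the article's table is consistent with FIMs x FPMs;
# treat that formula as an assumption for combinations the table omits.
expected_running() {
    case "$1" in
        6300f|6300F) echo 6 ;;
        6500f|6500F) echo 10 ;;
        7000)
            [ -n "$2" ] && [ -n "$3" ] || { echo "usage: expected_running 7000 <fims> <fpms>" >&2; return 1; }
            echo $(( $2 * $3 )) ;;
        *) echo "unknown hardware: $1" >&2; return 1 ;;
    esac
}

# Count lines of the form  Status Message:"Running"  read from stdin.
# grep -c exits 1 when the count is 0, so mask that for callers using set -e.
count_running() {
    grep -c 'Status Message:"Running"' || true
}

# check_ready <hardware> [<fims> <fpms>]   (load-balance output on stdin)
# Returns 0 when every expected blade reports Running, 1 otherwise.
check_ready() {
    want=$(expected_running "$1" "$2" "$3") || return 2
    got=$(count_running)
    if [ "$got" -eq "$want" ]; then
        echo "OK: $got/$want blades Running"
        return 0
    fi
    echo "NOT READY: $got/$want blades Running (wait, then 'execute reboot' from config global if it does not recover)"
    return 1
}

# Constructed sample: a healthy 6500F (10 lines, as in the article)
SAMPLE_6500F='Status Message:"Running"
Status Message:"Running"
Status Message:"Running"
Status Message:"Running"
Status Message:"Running"
Status Message:"Running"
Status Message:"Running"
Status Message:"Running"
Status Message:"Running"
Status Message:"Running"'

# Constructed sample: 7000 series with 2 FIMs and 2 FPMs (4 lines expected),
# but only 3 blades have reported so far
SAMPLE_7000_PARTIAL='Status Message:"Running"
Status Message:"Running"
Status Message:"Running"'

# Demo on the constructed samples
printf '%s\n' "$SAMPLE_6500F" | check_ready 6500f
printf '%s\n' "$SAMPLE_7000_PARTIAL" | check_ready 7000 2 2 || :
```

Feed the live output into `check_ready` through a pipe (for example from a saved PuTTY session log). Exit code 0 means all blades are Running and the procedure may continue; 1 means wait and, if the count does not recover, reboot as described above.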

To upgrade the firmware in the GUI:

  1. Log into the FortiGate GUI as the admin user.
  2. Go to System -> Firmware.
  3. Under Upload Firmware, select Browse and locate the firmware image file obtained earlier.
  4. Select Backup config and upgrade.
    The FortiGate unit will back up the current configuration to the management computer, upload the firmware image file, upgrade to the new firmware version, and restart. This process takes a few minutes.

To upgrade the firmware in the CLI:

  1. Make sure that the TFTP server is running.
  2. Copy the new firmware image file to the root directory of the TFTP server.
  3. Log in via the CLI or Console
  4. Ping the TFTP server to ensure that the FortiGate can connect to it:

config vdom
edit mgmt-vdom
execute ping <tftp_ipv4>

 

  5. Enter the following command to copy the firmware image from the TFTP server to the FortiGate unit:

config global
execute restore image tftp <filename> <tftp_ipv4>

 

The FortiGate unit will respond with the following message:

 

This operation will replace the current firmware version!
Do you want to continue? (y/n)

  6. Type y. The FortiGate unit will upload the firmware image file, upgrade to the new firmware version, and restart. This process takes a few minutes.
  7. Reconnect to the CLI.
  8. Update the antivirus and attack definitions:

execute update-now
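Steps 1 and 2 of the CLI procedure put the image on a TFTP server, a protocol with no authentication or encryption, and the FortiGate then flashes whatever it fetches. The script below is an added example, not part of the Fortinet article: it copies the image into the TFTP root only after the file's SHA-256 matches the checksum published for that image (the Fortinet support portal shows a checksum for each firmware download; this example assumes a SHA-256 value is available). The TFTP root path, file names and the checksum used in the demo are assumptions.

```shell
#!/bin/sh
# Added example, not from the Fortinet article: stage the firmware image into
# the TFTP root (step 2 of the CLI procedure) only after its SHA-256 matches
# the checksum published for that image. TFTP is neither authenticated nor
# encrypted, so this hash check is the only integrity control before
# 'execute restore image tftp ...' flashes the file. Paths and the checksum
# source are assumptions; copy the real value from the image's download page.

TFTP_ROOT=${TFTP_ROOT:-/srv/tftp}   # assumed TFTP root (tftpd-hpa on Debian uses this path)

# Lower-case SHA-256 of a file; works with sha256sum (Linux) or shasum (macOS/BSD)
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_image <image> <expected_sha256>: 0 on match, 1 on mismatch or unreadable file
verify_image() {
    actual=$(file_sha256 "$1") || return 1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# stage_image <image> <expected_sha256> [<tftp_root>]
# Copies the image into the TFTP root only if it verifies; refuses otherwise.
stage_image() {
    img=$1; sum=$2; root=${3:-$TFTP_ROOT}
    if ! verify_image "$img" "$sum"; then
        echo "REFUSING to stage $img: SHA-256 does not match the expected value" >&2
        return 1
    fi
    cp "$img" "$root/" && chmod 0644 "$root/$(basename "$img")" || return 1
    echo "staged $(basename "$img") in $root (SHA-256 verified)"
    echo "on the FortiGate:  config global / execute restore image tftp $(basename "$img") <tftp_ipv4>"
}

# Usage (assumed file name and checksum; substitute the real ones):
#   stage_image ./FGT_6500F-image.out <sha256 from the download page>
```

Run `stage_image` on the laptop that hosts the TFTP server, with the image and the checksum copied from the download page; a mismatch leaves nothing in the TFTP root, so the FortiGate has nothing to fetch until a good file is staged.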

 

After the upgrade, a health check must be performed again:

  • Connect to the console or SSH to 192.168.1.99.
  • The default user is 'admin' and the default password is '' (blank).
  • Run the following commands:

config global
get system status | grep build
diagnose load-balance status | grep "Status Message"

 

7000 series chassis

 

The whole chassis is replaced, FIMs and FPMs included:

 

First, make sure the firmware image to be restored is at hand.

Secondly, set the laptop NIC to IP address 192.168.1.10, mask 255.255.255.0 (the FortiGate's mgmt1 interface answers on 192.168.1.99 at factory defaults).

Connect the laptop to the mgmt1 interface with an RJ45 cable.

 


 

Some checks need to be performed before pushing the firmware.

 

  • Connect to the console or SSH to 192.168.1.99. The default user is 'admin' and the default password is '' (blank).
  • Run the following commands:

 

config global
get system status | grep build
diagnose load-balance status | grep "Status Message"

 

Example of output with 2 FIMs and 2 FPMs:

 

config global
diagnose load-balance status | grep "Status Message"
Status Message:"Running"
Status Message:"Running"
Status Message:"Running"
Status Message:"Running"

 

Number of FIMs   Number of FPMs   Number of 'Running' messages expected
1                2                2
2                2                4
2                3                6
2                4                8

 

If not all status messages show 'Running' after a few minutes, reboot the FortiGate to fix the issue:

 

config global
execute reboot

 

When all messages are in the 'Running' state, proceed to the upgrade.

To upgrade the firmware in the GUI:

  1. Log into the FortiGate GUI as the admin user.
  2. Go to System -> Firmware.
  3. Under Upload Firmware, select Browse and locate the firmware image file obtained earlier.
  4. Select Backup config and upgrade.
    The FortiGate unit will back up the current configuration to the management computer, upload the firmware image file, upgrade to the new firmware version, and restart. This process takes a few minutes.

To upgrade the firmware in the CLI:

 

  1. Make sure that the TFTP server is running.
  2. Copy the new firmware image file to the root directory of the TFTP server.
  3. Log in via the CLI or Console.
  4. Ping the TFTP server to ensure that the FortiGate can connect to it:

execute ping <tftp_ipv4>

 

  5. Enter the following command to copy the firmware image from the TFTP server to the FortiGate unit:

config global
execute restore image tftp <filename> <tftp_ipv4>

 

The FortiGate unit will respond with the following message:

 

This operation will replace the current firmware version!
Do you want to continue? (y/n)

 

  6. Type y. The FortiGate unit will upload the firmware image file, upgrade to the new firmware version, and restart. This process takes a few minutes.
  7. Reconnect to the CLI.
  8. Update the antivirus and attack definitions:

execute update-now

 

After the upgrade, perform a health check again:

  • Connect to the console or SSH to 192.168.1.99. The default user is 'admin' and the default password is '' (blank).
  • Run the following commands:

config global
get system status | grep build
diagnose load-balance status | grep "Status Message"

 

Chassis backplane replacement:

 

In this scenario, the RMA covers the chassis itself only. All FIMs and FPMs are kept and moved to the new chassis.

To perform the swap:

 

  • Switch off both chassis.
  • Remove FIMa from slot 1 of the faulty chassis and insert it into slot 1 of the new chassis.
  • Remove FIMb (if any) from slot 2 of the faulty chassis and insert it into slot 2 of the new chassis.
  • Do the same for FPM3, FPM4, FPM5 and FPM6 (if any).
  • Every module must go into the same slot number it occupied in the faulty chassis.
  • Once the hardware is swapped, power on the new chassis.

After the swap, a health check must be performed again:

  • Connect to the console, or SSH to the chassis' management IP (192.168.1.99 only at factory defaults). Because the modules keep their configuration, log in with the current admin credentials rather than the defaults.
  • Run the following commands:

config global
get system status | grep build
diagnose load-balance status | grep "Status Message"

 

Expected output:

 

diagnose load-balance status | grep "Status Message"
Status Message:"Running"
Status Message:"Running"
Status Message:"Running"
Status Message:"Running"

 

Number of FIMs Number of FPMs Number of 'Running' Messages expected
1 2 2
2 2 4
2 3 6
2 4 8

 

FIM or FPM replacement

 

In this scenario, only one module is replaced within the chassis. It can be either an FIM or an FPM.

To perform the swap:

  • Remove the faulty module from chassis slot X.
  • Insert the replacement (it must be the same module type) into the now empty slot X.
  • The module boots and automatically picks up the appropriate firmware from the primary module.
  • After a while, the new module should be back in service.
  • After the module swap, perform a health check again:
    • Connect to the console, or SSH to the chassis' management IP (192.168.1.99 only at factory defaults). The chassis keeps its configuration, so log in with the current admin credentials rather than the defaults.
    • Run the following commands:

config global
diagnose load-balance status | grep "Status Message"

 

Expected output:

 

diagnose load-balance status | grep "Status Message"
Status Message:"Running"
Status Message:"Running"
Status Message:"Running"
Status Message:"Running"

 

Number of FIMs   Number of FPMs   Number of 'Running' messages expected
1                2                2
2                2                4
2                3                6
2                4                8

 

Restore the configuration file on a chassis-based FortiGate

 

6000 series chassis

 

First, make sure the configuration file to be restored is at hand.
The device must run the firmware version the configuration file was saved on before it is restored.

In an HA cluster, restore each member's own configuration file. The two files look very similar, but they differ in member-specific settings such as the hostname and the HA priority.

Secondly, set the laptop NIC to IP address 192.168.1.10, mask 255.255.255.0 (the FortiGate's mgmt1 interface answers on 192.168.1.99 at factory defaults).

Connect the laptop to the mgmt1 interface with an RJ45 cable.

 


 

Some checks need to be performed before uploading the configuration.

  • Connect to the console or SSH to 192.168.1.99. The default user is 'admin' and the default password is '' (blank).
  • Run the following commands:

config global
diagnose load-balance status | grep "Status Message"


Example output for a 6500f:

 

diagnose load-balance status | grep "Status Message"
Status Message:"Running"
Status Message:"Running"
Status Message:"Running"
Status Message:"Running"
Status Message:"Running"
Status Message:"Running"
Status Message:"Running"
Status Message:"Running"
Status Message:"Running"
Status Message:"Running"

 

Hardware Number of 'Running' messages expected
6300f 6
6500f 10

 

If not all status messages show 'Running' after a few minutes, reboot the FortiGate to fix the issue:

 

config global
execute reboot

 

When all messages are in the 'Running' state, proceed to restore the configuration.

Go to https://192.168.1.99 and enter the username and password. If the admin password was not changed, use the default username, admin, and leave the password field blank.

To restore the FortiGate configuration using the GUI:

  1. Select the user name in the upper right-hand corner of the screen and select Configuration -> Restore.
  2. Identify the source of the configuration file to be restored: the Local PC or a USB Disk.
  3. Select Upload, locate the configuration file, and select Open.
  4. Enter the password if required.
  5. Select OK.
    The FortiGate will reboot.

To restore the FortiGate configuration using the CLI:

 

Copy the configuration file to the TFTP root directory first then run the following command in the CLI:

 

execute restore config tftp <backup_filename> <tftp_server> <password(if any)>
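Two conditions stated at the start of this section, that the backup was taken on the firmware the device now runs and that the right HA member's file is chosen, can be checked from the backup file itself before running the command above. The script below is an added example, not part of the Fortinet article. It relies on the `#config-version=` header that FortiOS writes on the first line of a backup and on the `Version:` line that `get system status | grep build` returns on the device; the two sample backup files, their platform token, hostnames and HA priorities, and the device version strings are all constructed for the example.

```shell
#!/bin/sh
# Added example, not from the Fortinet article: inspect FortiGate configuration
# backups before 'execute restore config', to confirm the file was saved on the
# firmware the device now runs and to tell the two HA members' files apart.
# A FortiOS backup starts with a header such as
#   #config-version=<platform>-<version>-FW-build<nnnn>-<yymmdd>:opmode=0:vdom=1:user=admin
# The sample files below are constructed; platform token, hostnames and
# priorities are made up for the example.

# Fields from the #config-version header line
cfg_platform() { sed -n 's/^#config-version=\([^-]*\)-.*/\1/p' "$1" | head -n 1; }
cfg_version()  { sed -n 's/^#config-version=[^-]*-\([0-9.]*\)-.*/\1/p' "$1" | head -n 1; }
cfg_build()    { sed -n 's/^#config-version=.*-build\([0-9]*\)-.*/\1/p' "$1" | head -n 1; }

# Member-specific settings that differ between the two files of an HA pair
cfg_hostname() { sed -n 's/^ *set hostname "\([^"]*\)".*/\1/p' "$1" | head -n 1; }
cfg_ha_priority() {
    awk '/^config system ha$/ {in_ha=1; next}
         in_ha && /^end$/ {exit}
         in_ha && $1 == "set" && $2 == "priority" {print $3; exit}' "$1"
}

# check_cfg_for_device <backup.conf> "<Version line from get system status>"
# The Version line looks like: Version: FortiGate-6500F v7.0.12,build0523,230425 (GA)
# Returns 0 when firmware version and build match the backup header, 1 otherwise.
check_cfg_for_device() {
    cfg=$1
    dev_ver=$(printf '%s\n' "$2" | sed -n 's/.* v\([0-9][0-9.]*\),build\([0-9]*\).*/\1/p')
    dev_build=$(printf '%s\n' "$2" | sed -n 's/.* v\([0-9][0-9.]*\),build\([0-9]*\).*/\2/p')
    if [ -n "$dev_ver" ] && [ "$(cfg_version "$cfg")" = "$dev_ver" ] && [ "$(cfg_build "$cfg")" = "$dev_build" ]; then
        echo "MATCH: $cfg was saved on v$dev_ver build$dev_build; hostname=$(cfg_hostname "$cfg") ha_priority=$(cfg_ha_priority "$cfg")"
        return 0
    fi
    echo "MISMATCH: $cfg is for v$(cfg_version "$cfg") build$(cfg_build "$cfg"), device runs v${dev_ver:-?} build${dev_build:-?}; restore the matching firmware first" >&2
    return 1
}

# Constructed backups of the two members of one HA pair (values are made up)
CFG_A='#config-version=FG6H0F-7.0.12-FW-build0523-230425:opmode=0:vdom=1:user=admin
config system global
    set hostname "FGT-6500F-A"
end
config system ha
    set group-name "rma-cluster"
    set mode a-p
    set priority 200
    set override enable
end'
CFG_B='#config-version=FG6H0F-7.0.12-FW-build0523-230425:opmode=0:vdom=1:user=admin
config system global
    set hostname "FGT-6500F-B"
end
config system ha
    set group-name "rma-cluster"
    set mode a-p
    set priority 100
    set override enable
end'

# Demo on the constructed files: list what distinguishes them, then check one
# against a constructed device Version line
demo_dir=$(mktemp -d)
printf '%s\n' "$CFG_A" > "$demo_dir/FGT-A.conf"
printf '%s\n' "$CFG_B" > "$demo_dir/FGT-B.conf"
for f in "$demo_dir"/*.conf; do
    echo "$(basename "$f"): hostname=$(cfg_hostname "$f") ha_priority=$(cfg_ha_priority "$f") platform=$(cfg_platform "$f") firmware=$(cfg_version "$f")/build$(cfg_build "$f")"
done
check_cfg_for_device "$demo_dir/FGT-A.conf" "Version: FortiGate-6500F v7.0.12,build0523,230425 (GA)"
rm -rf "$demo_dir"
```

Run it against the customer's backup files and the `Version:` line copied from the device: a MISMATCH means the firmware step of this article has to be redone first, and the hostname and priority printed for each file identify which member of the cluster it belongs to.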

 

After the configuration uploads and the reboot completes, perform another health check.

  • Connect to the console.
  • The admin credentials from the restored configuration now apply; ask the customer for them.
  • Run the following commands:

config global
get system status | grep build
diagnose load-balance status | grep “Status Message”

 

Hardware   Number of 'Running' messages expected
6300f      6
6500f      10

 

7000 series chassis

 

First, make sure the configuration file to be restored is at hand.
The device must run the firmware version the configuration file was saved on before it is restored.

In an HA cluster, restore each member's own configuration file. The two files look very similar, but they differ in member-specific settings such as the hostname and the HA priority.

Secondly, set the laptop NIC to IP address 192.168.1.10, mask 255.255.255.0 (the FortiGate's mgmt1 interface answers on 192.168.1.99 at factory defaults).

Connect the laptop to the mgmt1 interface with an RJ45 cable.

 

Some checks need to be performed before uploading the configuration.

  • Connect to the console or SSH to 192.168.1.99. The default user is 'admin' and the default password is '' (blank).
  • Run the following commands:

config global
get system status | grep build
diagnose load-balance status | grep "Status Message"

 

Example of output with 2 FIMs and 2 FPMs

 

config global
diagnose load-balance status | grep "Status Message"
Status Message:"Running"
Status Message:"Running"
Status Message:"Running"
Status Message:"Running"

 

Number of FIMs   Number of FPMs   Number of 'Running' messages expected
1                2                2
2                2                4
2                3                6
2                4                8

 

If not all status messages show 'Running' after a few minutes, reboot the FortiGate to fix the issue:

 

config global
execute reboot

 

When all messages are in the 'Running' state, proceed to restore the configuration.

Go to https://192.168.1.99 and enter the username and password. If the admin account’s password has not been changed, use the default username, admin, and leave the password field blank.


To restore the FortiGate configuration using the GUI:

  1. Select the user name in the upper right-hand corner of the screen and select Configuration -> Restore.
  2. Identify the source of the configuration file to be restored: the Local PC or a USB Disk.
  3. Select Upload, locate the configuration file, and select Open.
  4. Enter the password if required.
  5. Select OK.
    The FortiGate will reboot.

To restore the FortiGate configuration using the CLI:

 

Copy the configuration file to the TFTP root directory first, then run the following CLI command:

 

execute restore config tftp <backup_filename> <tftp_server> <password(if any)>

 

After the configuration uploads and the reboot completes, perform another health check:

  • Connect to the console.
  • The admin credentials from the restored configuration now apply; ask the customer for them.
  • Run the following commands:

config global
get system status | grep build
diagnose load-balance status | grep "Status Message"

 

Number of FIMs   Number of FPMs   Number of 'Running' messages expected
1                2                2
2                2                4
2                3                6
2                4                8