Chapter 5 – Best Practices

Performing a firmware upgrade

Upgrading a firewall is something that should be compared to upgrading the operating system on your computer. It’s not to be taken lightly! You want to make sure everything is backed up and you have some options available if things go awry. Assuming it all seems to work you also want a list of things to do in order to confirm everything is working properly. Finally, you need enough time to do it. All really simple stuff, but what does this mean in relation to upgrading your FortiGate? It means, you follow these simple steps:

1. Backup and store old configuration (full configuration backup from CLI).

Digging into this a little, step 1 is easy to understand. Do a full backup of your old configuration. This is all part of your disaster recovery plan. If the upgrade fails in some way you need to make sure you can get the Firewall back up and running. The best way to do this is to get it back to a state where you know what the behavior was. For more information, refer to “Performing a configuration backup” on page 634.

2. Have copy of old firmware available.

Step 2, is also part of your disaster recovery. If the upgrade fails you might be able to switch the active partition. But as a Professional, you need to be prepared for the worst case scenario where you can’t do that. Which means you’ll need your old firmware.

3. Have disaster recovery option on standby — especially if remote.

Step 3, is your plan for what to do in the event of a critical failure. As we’re talking FortiGate this means that your firewall doesn’t come back after the upgrade. What this means is that you need to be able to get to the console port in order to find out why. Maybe it’s DHCP and the IP changed, maybe the OS is corrupt, who knows? Get to the console and find out.

There could be a simple fix. If there’s not, then be prepared for a format and TFTP reload.

4. Read the release notes, including the upgrade path and bug information.

Step 4, READ THE RELEASE NOTES. They contain all kinds of information, known bugs, fixed bugs even upgrade issues like lost configuration settings. Not all upgrade information is ever contained in any products release notes. That does not mean they are devoid of good/useful information. Read them, digest them, then a few days later read them again.

5. Double check everything.

Step 5, do a double check of everything. Is your TFTP server working, does your console connection function, is there anything in the release notes that could impact your upgrade procedure, do you have your configuration backed up? Make sure you’ve done everything.

6. Upgrade.

Step 6, do the upgrade. Doing an upgrade doesn’t take very long, a few minutes (less a lot of times) but make sure you schedule enough time for it. At the end of the day an upgrade can succeed or fail. If it succeeds you want some time to check/confirm that any important features you have are working (VPNs etc). If it fails you’ll need time to sort things out.

Performing a firmware downgrade

Just like upgrading, you need to make sure it’s done properly. While similar, the steps are somewhat different since there are other pitfalls in this case.

1. Locate pre-upgrade configuration file.

Step 1 is very important. This is why, when you upgrade you make a backup of your old configuration and save it. If you don’t, then you’ll need to rebuild manually.

2. Have copy of old firmware available.

Step 2 is fairly obvious. Even with devices that have multiple partitions and your downgrade process is simply going to be to switch the active partition, this could go wrong. In which case, you may be without Internet access. A professional has a plan for when things go wrong.

3. Have disaster recovery option on standby — especially if remote.

Step 3 is no different from before. Hopefully you don’t need to format the unit, but be prepared for that, just in case.

4. Read the release notes — is a downgrade possible, or necessary?

Step 4, once again, is to READ THE RELEASE NOTES. In this case, you will need to do this for the version you are on, and the version you are downgrading too, and everything in between (if you are going back multiple major releases or patches). Maybe the OS switched from 32 to 64 bits somewhere between the two firmware releases. In order to make sure you don’t get nailed by something like that you need to check the upgrade and downgrade information in every major release and patch, as it may have a direct impact on your options.

5. Double check everything.

6. Downgrade — all settings, except those needed for access, are lost.

Step 5 and 6 are the same as before. Double check everything, then downgrade.

7. Restore pre-upgrade configuration.

Step 7 is new. Obviously most settings are lost when you downgrade so in order to get back up and running you will need to restore your old configuration file.


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.