Installing firmware

You can use either the web UI or the CLI to upgrade or downgrade the firmware of the FortiMail unit.

Administrators whose Domain is System and whose access profile contains Read-Write access in the Others category, such as the admin administrator, can change the FortiMail firmware.

Firmware changes are either:

• an upgrade to a newer version
• a reversion to an earlier version

To determine if you are upgrading or reverting your firmware image, examine the firmware version number. For example, if your current firmware version is FortiMail-400 3.00,build288,080327, changing to FortiMail-400 3.00,build266,071209, an earlier build number and date, indicates that you are reverting.

Reverting to an earlier version may cause the FortiMail unit to remove parts of the configuration that are not valid for that earlier version. In some cases, you may lose all mail data and configurations. For details, see “Downgrading from version 4.0 to 3.0” on page 690.

When upgrading, there may also be additional considerations. For details, see “Upgrading” on page 694.

Therefore, no matter you are upgrading or downgrading, it is always a good practice to back up the configuration and mail data. For details, see “Backup and restore” on page 218.

If you are installing firmware to a high availability (HA) group, install firmware on the primary unit before installing firmware on the backup units.

Similar to upgrading the firmware of a standalone FortiMail unit, normal email processing is temporarily interrupted while firmware is being installed on the primary unit, but, if the HA group is active-passive, it is not interrupted while firmware is being installed on backup units.

Installing firmware on an active-passive HA group does not necessarily trigger a failover. Before a firmware installation, the primary unit signals the backup unit that a firmware upgrade is taking place. This causes the HA daemon operating on the backup unit to pause its monitoring of the primary unit for a short time. When the firmware installation is complete, the primary unit signals the backup unit to resume HA heartbeat monitoring. If the backup unit has not received this signal after a few minutes, the backup unit resumes HA heartbeat monitoring anyway, and, if the primary unit has failed during the firmware installation, the HA group fails over to the backup unit, which becomes the new primary unit.

To install firmware using the web UI

1. Log in to the Fortinet Technical Support web site, https://support.fortinet.com/.
2. Download the firmware image file to your management computer.
3. Log in to the web UI as the admin administrator, or an administrator account that has system configuration read and write privileges.
4. In the advanced mode of the web UI, install firmware in one of two ways:

• Go to Monitor > System Status > Status, and in the System Information area, in the Firmware version row, click Update. Click Browse to locate the firmware and then click Submit.
• Go to Maintenance > System > Configuration, under Restore Firmware, check Local PC, and click Browse to locate the firmware. Then click Restore.

Your web browser uploads the firmware file to the FortiMail unit. The FortiMail unit installs the firmware and restarts. Time required varies by the size of the file and the speed of your network connection.

If you are downgrading the firmware to a previous version, the FortiMail unit reverts the configuration to default values for that version of the firmware. You must either reconfigure the FortiMail unit or restore the configuration file.

5. Clear the cache of your web browser and restart it to ensure that it reloads the web UI and correctly displays all changes.
6. To verify that the firmware was successfully installed, log in to the web UI and go to Monitor > System Status > Status. Text appearing in the Firmware version row indicates the currently installed firmware version.

To install firmware using the CLI

1. Log in to the Fortinet Technical Support web site, https://support.fortinet.com/.
2. Download the firmware image file to your management computer.
3. Connect your management computer to the FortiMail console port using a RJ-45 to DB-9 serial cable or a null-modem cable.
4. Initiate a connection from your management computer to the CLI of the FortiMail unit, and log in as the admin administrator, or an administrator account that has system configuration read and write privileges.
5. Connect port1 of the FortiMail unit directly or to the same subnet as a TFTP server.
6. Copy the new firmware image file to the root directory of the TFTP server.
7. Verify that the TFTP server is currently running, and that the FortiMail unit can reach the TFTP server.

To use the FortiMail CLI to verify connectivity, enter the following command:

execute ping 192.168.1.168 where 192.168.1.168 is the IP address of the TFTP server.

8. Enter the following command to download the firmware image from the TFTP server to the FortiMail unit:

execute restore image tftp <name_str> <tftp_ipv4>

where <name_str> is the name of the firmware image file and <tftp_ipv4> is the IP address of the TFTP server. For example, if the firmware image file name is image.out and the IP address of the TFTP server is 192.168.1.168, enter:

execute restore image tftp image.out 192.168.1.168

One of the following message appears:

This operation will replace the current firmware version! Do you want to continue? (y/n)

or:

Get image from tftp server OK.

Check image OK.

This operation will downgrade the current firmware version!

Do you want to continue? (y/n)

9. Type y.

The FortiMail unit downloads the firmware image file from the TFTP server. The FortiMail unit installs the firmware and restarts. Time required varies by the size of the file and the speed of your network connection.

If you are downgrading the firmware to a previous version, the FortiMail unit reverts the configuration to default values for that version of the firmware. You must either reconfigure the FortiMail unit or restore the configuration file.

10.If you also use the web UI, clear the cache of your web browser and restart it to ensure that it reloads the web UI and correctly displays all tab, button, and other changes.

11.To verify that the firmware was successfully installed, log in to the CLI and type: get system status

12.If you have downgraded the firmware version, reconnect to the FortiMail unit using its default

IP address for port1, 192.168.1.99, and restore the configuration file. For details, see “Reconnecting to the FortiMail unit” on page 691 and “Restoring the configuration” on page 692.

If you have upgraded the firmware version, to verify the conversion of the configuration file, see “Verifying the configuration” on page 694. If the upgrade is unsuccessful, you can downgrade the firmware to a previous version.

13.Update the FortiGuard Antivirus definitions.

Installing firmware replaces the current antivirus definitions with those included with the firmware release that you are installing. After you install the new firmware, make sure that your FortiGuard Antivirus definitions are up-to-date. For more information, see “Manually requesting updates” on page 243.

14.After upgrading to FortiMail v3.0 from any older version, create new LDAP profiles. LDAP profiles cannot be automatically converted from the FortiMail v3.0 configuration format. For details, see “Configuring LDAP profiles” on page 548.

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!