Firmware

Fortinet periodically updates the FortiGate firmware to include new features and resolve important issues. After you have registered your FortiGate unit, you can download firmware updates from the support web site, https://support.fortinet.com.

 

Before you install any new firmware, be sure to follow the steps below:

  • Review the Release Notes for a new firmware release.
  • Review the Supported Upgrade Paths document to make sure the upgrade from your current image to the desired new image is supported.
  • Back up the current configuration, including local certificates. For more information, see Firmware on page 2321.
  • Test the new firmware until you are satisfied that it applies to your configuration.

Installing new firmware without reviewing release notes or testing the firmware may result in changes to settings or unexpected issues.

Only FortiGate admin users and administrators whose access profiles contain system read and write privileges can change the FortiGate firmware.

 

Backing up the current configuration

In case you need to restore your FortiGate configuration, you should always back up the configuration before installing new firmware.

 

To create a local backup:

1. Go to System > Dashboard > Status and locate the System Information widget.

2. Select Backup beside System Configuration.

3. Choose either Local PC or USB Disk to save the configuration file.

4. If desired, select Encrypt configuration file.

5. Select Backup.

 

Restoring configuration

Rather than reconfigure the FortiGate manually, it is possible to upload a saved configuration file.

 

To restore your FortiGate configuration

1. Go to System > Dashboard > Status and locate the System Information widget.

2. Select [Restore] beside System Configuration.

3. Choose either Local PC or USB Disk, depending on the location of the file.

4. Select Choose File and browse to the correct file in the file manager window.

5. If a password was associated with the configuration file, enter it in the Password field.

6. Select Restore.

 

Troubleshooting

You may come across some errors during the installation, but the solutions are usually straightforward.

 

Error message: Configuration file error

Reason: This error occurs when attempting to upload a configuration file that is incompatible with the device. This may be due to the configuration file being for a different model or being saved from a different version of firmware.

Solution: Upload a configuration file that is for the correct model of FortiGate device and the correct version of the firmware.

Error message: Invalid password

Reason: When the configuration file is saved, it can be protected by a password. The password entered during the upload process does not match the one associated with the configuration file.

Solution: Use the correct password if the file is password protected.
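The two causes of "Configuration file error" can be checked on the workstation before the file is uploaded. The following is an added example, not part of the handbook; it assumes an unencrypted backup begins with a #config-version= line in the form shown in the first comment, and the function names and the sample header are constructed for illustration.

```python
import re

# Assumed first line of an unencrypted backup (constructed sample):
#   #config-version=FGT60D-5.04-FW-build1011-160128:opmode=0:vdom=0:user=admin
HEADER_RE = re.compile(
    r"^#config-version=(?P<model>[A-Z0-9]+)-(?P<major>\d+)\.(?P<minor>\d+)"
    r"-FW-build(?P<build>\d+)-"
)


def parse_header(first_line):
    """Return (model, (major, minor), build), or None if no header is found."""
    m = HEADER_RE.match(first_line.strip())
    if m is None:
        return None
    return m["model"], (int(m["major"]), int(m["minor"])), int(m["build"])


def restore_problems(first_line, unit_model, unit_version):
    """List reasons the target unit may reject this backup (empty = none found).

    unit_model and unit_version, e.g. "FGT60D" and (5, 4), describe the target.
    Only major.minor is compared; the build number is parsed but not enforced.
    """
    parsed = parse_header(first_line)
    if parsed is None:
        # Without the header the file is either encrypted (the restore then
        # needs the password set at backup time) or not a FortiOS config.
        return ["no #config-version header: encrypted backup or not a config file"]
    model, version, _build = parsed
    problems = []
    if model != unit_model:
        problems.append(f"saved on model {model}, target is {unit_model}")
    if version != unit_version:
        problems.append(
            f"saved on firmware {version[0]}.{version[1]}, "
            f"target runs {unit_version[0]}.{unit_version[1]}"
        )
    return problems


def first_line_of(path):
    """Read only the first line; tolerate non-text bytes in encrypted files."""
    with open(path, "r", encoding="utf-8", errors="replace") as f:
        return f.readline()


if __name__ == "__main__":
    sample = "#config-version=FGT60D-5.04-FW-build1011-160128:opmode=0:vdom=0:user=admin"
    print(restore_problems(sample, "FGT60D", (5, 4)))  # matching unit
    print(restore_problems(sample, "FWF60D", (5, 2)))  # different model and version
```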

Downloading firmware

Firmware images for all FortiGate units are available on the Fortinet Customer Support website, https://support.fortinet.com.

 

To download firmware

1. Log into the site using your user name and password.

2. Go to Download > Firmware Images.

3. A list of Release Notes is shown. If you have not already done so, download and review the Release Notes for the firmware you wish to upgrade your FortiGate unit to.

4. Select HTTPS Download.

Firmware can also be downloaded using FTP; however, as FTP is not an encrypted file transfer protocol, HTTPS downloading is recommended.

5. Navigate to find the folder for the firmware version you wish to use.

6. Select your FortiGate model from the list. If your unit is a FortiWiFi, be sure to get the appropriate firmware, which will have a filename starting with FWF.

7. Save the firmware image to your computer.
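The CLI procedures on this page pull the image from a TFTP server, which does not authenticate the files it serves, so it is worth verifying the download before it is copied into the TFTP root directory. The following is an added example, not part of the handbook; it assumes you hold a reference digest for the image obtained from the vendor over HTTPS, and the function names, the file name and the default algorithm are illustrative.

```python
import hashlib
import hmac
import shutil
import tempfile
from pathlib import Path


def file_digest(path, algorithm="sha256", chunk=1 << 20):
    """Hash a file in chunks so large images are not read into memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def stage_firmware(image, expected_hex, tftp_root, fortiwifi=False,
                   algorithm="sha256"):
    """Copy image into tftp_root only if its name and digest check out.

    expected_hex is the reference digest (assumed to come from the vendor
    over HTTPS, never from the TFTP host itself).
    """
    image = Path(image)
    # Download step 6: FortiWiFi images have a filename starting with FWF.
    # Rejecting FWF images for other units is this example's assumption.
    if image.name.upper().startswith("FWF") != fortiwifi:
        raise ValueError(f"{image.name}: filename prefix does not match unit type")
    actual = file_digest(image, algorithm)
    if not hmac.compare_digest(actual, expected_hex.strip().lower()):
        raise ValueError(f"{image.name}: digest mismatch, image not staged")
    dest = Path(tftp_root) / image.name
    shutil.copyfile(image, dest)
    # Confirm the copy in the TFTP root is the file that was just verified.
    if file_digest(dest, algorithm) != actual:
        dest.unlink()
        raise ValueError(f"{image.name}: staged copy differs from source")
    return dest


if __name__ == "__main__":
    # Constructed stand-in for a downloaded image; the name is hypothetical.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp, "tftproot")
        root.mkdir()
        img = Path(tmp, "FWF_60D-example.out")
        img.write_bytes(b"constructed firmware bytes")
        good = file_digest(img)
        print("staged:", stage_firmware(img, good, root, fortiwifi=True))
```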

 

Testing new firmware before installing

FortiOS enables you to test a new firmware image by installing the firmware image from a system reboot and saving it to system memory. After completing this procedure, the FortiGate unit operates using the new firmware image with the current configuration. This new firmware image is not permanently installed. The next time the FortiGate unit restarts, it operates with the originally installed firmware image using the current configuration. If the new firmware image operates successfully, you can install it permanently using the procedure Testing new firmware before installing on page 2322.

To use this procedure, you must connect to the CLI using the FortiGate console port and an RJ-45 to DB-9 or null modem cable. This procedure temporarily installs a new firmware image using your current configuration.

For this procedure, you must install a TFTP server that you can connect to from the FortiGate internal interface. The TFTP server should be on the same subnet as the internal interface.

To test the new firmware image

1. Connect to the CLI using an RJ-45 to DB-9 or null modem cable.

2. Make sure the TFTP server is running.

3. Copy the new firmware image file to the root directory of the TFTP server.

4. Make sure the FortiGate unit can connect to the TFTP server using the execute ping command.

5. Enter the following command to restart the FortiGate unit:

execute reboot

6. As the FortiGate unit reboots, press any key to interrupt the system startup. As the FortiGate unit starts, a series of system startup messages appears.

When the following message appears:

Press any key to display configuration menu….

7. Immediately press any key to interrupt the system startup.

 

You have only 3 seconds to press any key. If you do not press a key soon enough, the FortiGate unit reboots and you must login and repeat the execute reboot command.

 

If you successfully interrupt the startup process, the following messages appear:

[G]: Get firmware image from TFTP server.
[F]: Format boot device.
[B]: Boot with backup firmware and set as default
[C]: Configuration and information
[Q]: Quit menu and continue to boot with default firmware.
[H]: Display this list of options.

Enter G, F, Q, or H:

8. Type G to get the new firmware image from the TFTP server.

The following message appears:

Enter TFTP server address [192.168.1.168]:

9. Type the address of the TFTP server and press Enter.

The following message appears:

Enter Local Address [192.168.1.188]:

10. Type an IP address of the FortiGate unit to connect to the TFTP server.

The IP address must be on the same network as the TFTP server. Make sure you do not enter the IP address of another device on this network.

The following message appears:

Enter File Name [image.out]:

11. Enter the firmware image file name and press Enter.

The TFTP server uploads the firmware image file to the FortiGate unit and the following appears:

Save as Default firmware/Backup firmware/Run image without saving: [D/B/R]

12. Type R.

 

The FortiGate image is installed to system memory and the FortiGate unit starts running the new firmware image, but with its current configuration.

You can test the new firmware image as required. When done testing, you can reboot the FortiGate unit, and the FortiGate unit will resume using the firmware that was running before you installed the test firmware.

 

Upgrading the firmware – web-based manager

Installing firmware replaces your current antivirus and attack definitions with the definitions included with the firmware release you are installing. After you install new firmware, make sure that antivirus and attack definitions are up to date.

Always remember to back up your configuration before making any changes to the firmware.

 

To upgrade the firmware

1. Log into the web-based manager as the admin administrative user.

2. Go to System > Dashboard > Status and locate the System Information widget.

3. Beside Firmware Version, select Update.

4. Type the path and filename of the firmware image file, or select Browse and locate the file.

5. Select OK.

The FortiGate unit uploads the firmware image file, upgrades to the new firmware version, restarts, and displays the FortiGate login. This process takes a few minutes.

 

Upgrading the firmware – CLI

Installing firmware replaces your current antivirus and attack definitions with the definitions included with the firmware release you are installing. After you install new firmware, make sure that antivirus and attack definitions are up to date. You can also use the CLI command execute update-now to update the antivirus and attack definitions. For more information, see the System Administration handbook.

Before you begin, ensure you have a TFTP server running and accessible to the FortiGate unit.

Always remember to back up your configuration before making any changes to the firmware.

 

To upgrade the firmware using the CLI

1. Make sure the TFTP server is running.

2. Copy the new firmware image file to the root directory of the TFTP server.

3. Log into the CLI.

4. Make sure the FortiGate unit can connect to the TFTP server.

You can use the following command to ping the computer running the TFTP server. For example, if the IP address of the TFTP server is 192.168.1.168:

execute ping 192.168.1.168

5. Enter the following command to copy the firmware image from the TFTP server to the FortiGate unit:

execute restore image tftp <filename> <tftp_ipv4>

Where <filename> is the name of the firmware image file and <tftp_ipv4> is the IP address of the TFTP server. For example, if the firmware image file name is image.out and the IP address of the TFTP server is 192.168.1.168, enter:

execute restore image tftp image.out 192.168.1.168

The FortiGate unit responds with the message:

This operation will replace the current firmware version!

Do you want to continue? (y/n)

6. Type y.

7. The FortiGate unit uploads the firmware image file, upgrades to the new firmware version, and restarts. This process takes a few minutes.

8. Reconnect to the CLI.

9. Update antivirus and attack definitions by entering:

execute update-now

 

Installing firmware from a system reboot using the CLI

There is a possibility that the firmware upgrade does not load properly and the FortiGate unit will not boot, or continuously reboots. If this occurs, it is best to perform a fresh install of the firmware from a reboot using the CLI.

This procedure installs a firmware image and resets the FortiGate unit to default settings. You can use this procedure to upgrade to a new firmware version, revert to an older firmware version, or re-install the current firmware.

To use this procedure, you must connect to the CLI using the FortiGate console port and an RJ-45 to DB-9 or null modem cable. This procedure reverts the FortiGate unit to its factory default configuration.

For this procedure, you must install a TFTP server that you can connect to from the FortiGate internal interface. The TFTP server should be on the same subnet as the internal interface.

Before beginning this procedure, ensure you back up the FortiGate unit configuration.

If you are reverting to a previous FortiOS version, you might not be able to restore the previous configuration from the backup configuration file.

Installing firmware replaces your current antivirus and attack definitions with the definitions included with the firmware release you are installing. After you install new firmware, make sure that antivirus and attack definitions are up to date.

 

To install firmware from a system reboot

1. Connect to the CLI using the RJ-45 to DB-9 or null modem cable.

2. Make sure the TFTP server is running.

3. Copy the new firmware image file to the root directory of the TFTP server.

4. Make sure the internal interface is connected to the same network as the TFTP server.

5. To confirm the FortiGate unit can connect to the TFTP server, use the following command to ping the computer running the TFTP server. For example, if the IP address of the TFTP server is 192.168.1.168:

execute ping 192.168.1.168

6. Enter the following command to restart the FortiGate unit.

execute reboot

The FortiGate unit responds with the following message:

This operation will reboot the system! Do you want to continue? (y/n)

7. Type y.

As the FortiGate unit starts, a series of system startup messages appears. When the following message appears:

Press any key to display configuration menu……….

Immediately press any key to interrupt the system startup.

You have only 3 seconds to press any key. If you do not press a key soon enough, the FortiGate unit reboots and you must log in and repeat the execute reboot command.

If you successfully interrupt the startup process, the following messages appear:

[G]: Get firmware image from TFTP server.
[F]: Format boot device.
[B]: Boot with backup firmware and set as default
[C]: Configuration and information
[Q]: Quit menu and continue to boot with default firmware.
[H]: Display this list of options.

Enter G, F, Q, or H:

8. Type G to get the new firmware image from the TFTP server.

 

The following message appears:

Enter TFTP server address [192.168.1.168]:

9. Type the address of the TFTP server and press Enter.

The following message appears:

Enter Local Address [192.168.1.188]:

10. Type an IP address the FortiGate unit can use to connect to the TFTP server. The IP address can be any IP address that is valid for the network the interface is connected to.

Make sure you do not enter the IP address of another device on this network.

The following message appears:

Enter File Name [image.out]:

11. Enter the firmware image filename and press Enter.

The TFTP server uploads the firmware image file to the FortiGate unit and a message similar to the following appears:

Save as Default firmware/Backup firmware/Run image without saving: [D/B/R]

12. Type D.

The FortiGate unit installs the new firmware image and restarts. The installation might take a few minutes to complete.

 

Reverting to a previous firmware version – CLI

This procedure reverts the FortiGate unit to its factory default configuration and deletes IPS custom signatures, web content lists, email filtering lists, and changes to replacement messages.

Before beginning this procedure, it is recommended that you:

  • back up the FortiGate unit system configuration using the command execute backup config
  • back up the IPS custom signatures using the command execute backup ipsuserdefsig
  • back up web content and email filtering lists

To use the following procedure, you must have a TFTP server the FortiGate unit can connect to.

 

To revert to a previous firmware version using the CLI

1. Make sure the TFTP server is running.

2. Copy the firmware image file to the root directory of the TFTP server.

3. Log into the FortiGate CLI.

4. Make sure the FortiGate unit can connect to the TFTP server by using the execute ping command.

5. Enter the following command to copy the firmware image from the TFTP server to the FortiGate unit:

execute restore image tftp <name_str> <tftp_ipv4>

Where <name_str> is the name of the firmware image file and <tftp_ipv4> is the IP address of the TFTP server. For example, if the firmware image file name is imagev28.out and the IP address of the TFTP server is 192.168.1.168, enter:

execute restore image tftp imagev28.out 192.168.1.168

The FortiGate unit responds with this message:

This operation will replace the current firmware version!

Do you want to continue? (y/n)

6. Type y.

 

The FortiGate unit uploads the firmware image file. After the file uploads, a message similar to the following appears:

Get image from tftp server OK. Check image OK.

This operation will downgrade the current firmware version! Do you want to continue? (y/n)

7. Type y.

8. The FortiGate unit reverts to the old firmware version, resets the configuration to factory defaults, and restarts.

This process takes a few minutes.

9. Reconnect to the CLI.

10. To restore your previous configuration, if needed, use the command:

execute restore config tftp <name_str> <tftp_ipv4>

11. Update antivirus and attack definitions using the command:

execute update-now

 

Reverting to a previous firmware version – web-based manager

The following procedure reverts the FortiGate unit to its factory default configuration and deletes any configuration settings. If you are reverting to a previous FortiOS version, you might not be able to restore the previous configuration from the backup configuration file.

Always remember to back up your configuration before making any changes to the firmware.

 

To revert to a previous firmware version

1. Go to System > Dashboard > Status and locate the System Information widget.

2. Beside Firmware Version, select Update.

3. Type the path and filename of the firmware image file, or select Browse and locate the file.

4. Select OK.

The FortiGate unit uploads the firmware image file, reverts to the old firmware version, resets the configuration, restarts, and displays the FortiGate login. This process takes a few minutes.

This entry was posted in FortiGate, FortiOS, FortiOS 5.4 Handbook.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
