Firmware Management – FortiOS 6.2

Firmware

Fortinet periodically updates the FortiGate firmware to include new features and resolve important issues. After you have registered your FortiGate unit, you can download firmware updates from the Fortinet Support web site. Before you install any new firmware, be sure to follow the steps below:

  • Review the Release Notes for the new firmware release.
  • Review the Supported Upgrade Paths SysAdmin note on the Fortinet Cookbook site to prepare for the upgrade of FortiOS on your FortiGate.
  • Back up the current configuration, including local certificates.
  • Test the new firmware until you are satisfied that it works with your configuration.

Installing new firmware without reviewing release notes or testing the firmware may result in changes to settings or unexpected issues.

Backing up the current configuration

You should always back up the configuration before installing new firmware, in case you need to restore your FortiGate configuration.

Downloading

Firmware images for all FortiGate units are available on the Fortinet Support website.

To download firmware:

  1. Log into the site using your user name and password.
  2. Go to Download > Firmware Images.
  3. A list of Release Notes is shown. If you have not already done so, download and review the Release Notes for the firmware you wish to upgrade your FortiGate unit to.
  4. Select Download.
  5. Navigate to the folder for the firmware version you wish to use.
  6. Select your FortiGate model from the list. If your unit is a FortiWiFi, the firmware will have a filename starting with ‘FWF’.
  7. Save the firmware image to your computer.

Testing

The integrity of firmware images downloaded from Fortinet’s support portal can be verified using a file checksum. A checksum that does not match the expected value indicates a corrupt file; the corruption could be caused by errors in transfer or by deliberate modification of the file. A list of expected checksum values for each build of released code is available on Fortinet’s support portal. Verify the checksum on the workstation before the image is copied to the TFTP server or uploaded through the GUI, so that a bad file is never offered to the unit.

Image integrity is also verified when the FortiGate is booting up. This check is a cyclic redundancy check (CRC), which detects accidental corruption of the stored image but is not a defence against deliberate modification; that is what the signature check below is for. If the CRC fails, the FortiGate unit encounters an error during the boot process.

Lastly, firmware images are signed and the signature is attached to the image when it is built. When upgrading, the running OS verifies the signature attached to the new image; if verification fails, the new OS will not load.
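The checksum step above, as an added example that is not part of the original page: a small Python checker that streams a downloaded image through the hash the portal publishes and compares it with the expected digest in constant time. Assumptions: the portal's digest is taken to be SHA-256 (pass algorithm="md5" if that is what is listed for the build), and the image bytes built in demo() are a constructed stand-in, not a real firmware file.

```python
"""Verify a downloaded FortiOS image against the checksum published on the
support portal. Added example, not Fortinet code; see assumptions in comments."""
import hashlib
import hmac
import os
import tempfile
from typing import Tuple


def file_digest(path: str, algorithm: str = "sha256", chunk_size: int = 1 << 20) -> str:
    """Stream the file through the hash so a large image is never read into memory at once."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_image(path: str, expected_hex: str, algorithm: str = "sha256") -> bool:
    """Compare case-insensitively and in constant time. A mismatch means the image
    is corrupt or was modified in transit and must not be copied to the TFTP server."""
    actual = file_digest(path, algorithm)
    return hmac.compare_digest(actual.lower(), expected_hex.strip().lower())


def demo() -> Tuple[bool, bool]:
    """Returns (intact image verifies, modified image verifies)."""
    # Constructed sample standing in for the downloaded image.out; not real firmware.
    image = b"FortiOS image bytes (constructed sample, not a real firmware image)\n" * 1000
    expected = hashlib.sha256(image).hexdigest()  # stands in for the portal's listed value
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "image.out")
        with open(path, "wb") as f:
            f.write(image)
        good = verify_image(path, expected.upper())  # portal listings vary in case
        # Flip one byte to simulate a transfer error or tampering.
        with open(path, "r+b") as f:
            f.seek(10)
            f.write(b"X")
        bad = verify_image(path, expected)
    return good, bad


if __name__ == "__main__":
    ok, corrupt = demo()
    print("intact image verifies:", ok)
    print("modified image verifies:", corrupt)
```

Run it against a real download as `verify_image("FGT_xxx.out", "<digest from the portal>")`; only an image that returns True should go on to the TFTP server or the GUI upload.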

Testing before installation

FortiOS lets you test a new firmware image by installing the firmware image from a system reboot and saving it to system memory. After completing this procedure, the FortiGate unit operates using the new firmware image with the current configuration. This new firmware image is not permanently installed. The next time the FortiGate unit restarts, it operates with the originally installed firmware image using the current configuration. If the new firmware image operates successfully, you can install it permanently using the procedure explained in Upgrading firmware.

To use this procedure, you must connect to the CLI using the FortiGate console port and an RJ-45 to DB-9 or null modem cable. This procedure temporarily installs a new firmware image using your current configuration.

For this procedure, you must install a TFTP server that you can connect to from the FortiGate internal interface. The TFTP server should be on the same subnet as the internal interface.

To test the new firmware image:

  1. Connect to the CLI using an RJ-45 to DB-9 or null modem cable.
  2. Make sure the TFTP server is running.
  3. Copy the new firmware image file to the root directory of the TFTP server.
  4. Make sure the FortiGate unit can connect to the TFTP server using the execute ping command.
  5. Enter the following command to restart the FortiGate unit: execute reboot
  6. As the FortiGate unit restarts, a series of system startup messages appears, ending with: Press any key to display configuration menu….
  7. Immediately press any key to interrupt the system startup.
  8. If you successfully interrupt the startup process, the following menu appears:

[G]: Get firmware image from TFTP server.

[F]: Format boot device.

[B]: Boot with backup firmware and set as default

[C]: Configuration and information

[Q]: Quit menu and continue to boot with default firmware.

[H]: Display this list of options. Enter G, F, Q, or H:

  9. Type G to get the new firmware image from the TFTP server. The following message appears: Enter TFTP server address [192.168.1.168]:
  10. Type the address of the TFTP server and press Enter. The following message appears: Enter Local Address [192.168.1.188]:
  11. Type an IP address of the FortiGate unit to connect to the TFTP server. The IP address must be on the same network as the TFTP server.
  12. The following message appears: Enter File Name [image.out]:
  13. Enter the firmware image file name and press Enter. The TFTP server uploads the firmware image file to the FortiGate unit and the following appears: Save as Default firmware/Backup firmware/Run image without saving: [D/B/R]
  14. Type R. The FortiGate image is installed to system memory and the FortiGate unit starts running the new firmware image, but with its current configuration.

You can test the new firmware image as required. When done testing, you can reboot the FortiGate unit, and the FortiGate unit will resume using the firmware that was running before you installed the test firmware.

Upgrading firmware

Installing firmware replaces your current antivirus and attack definitions with the definitions included in the firmware release you are installing. After you install new firmware, make sure that antivirus and attack definitions are up to date. You can use the CLI command execute update-now to update the antivirus and attack definitions.

To upgrade the firmware – GUI:

  1. Log into the GUI as the admin administrative user.
  2. Go to System > Firmware.
  3. Under Upload Firmware, select Browse and locate the firmware image file.
  4. Select OK.

The FortiGate unit uploads the firmware image file, upgrades to the new firmware version, restarts, and displays the FortiGate login. This process takes a few minutes.

To upgrade the firmware – CLI:

Before you begin, ensure you have a TFTP server running and accessible to the FortiGate unit.

  1. Make sure the TFTP server is running.
  2. Copy the new firmware image file to the root directory of the TFTP server.
  3. Log into the CLI.
  4. Make sure the FortiGate unit can connect to the TFTP server. You can use the following command to ping the computer running the TFTP server. For example, if the IP address of the TFTP server is 192.168.1.168: execute ping 192.168.1.168
  5. Enter the following command to copy the firmware image from the TFTP server to the FortiGate unit:

execute restore image tftp <filename> <tftp_ipv4>

  6. The FortiGate unit responds with the message:

This operation will replace the current firmware version! Do you want to continue? (y/n)

  7. Type y. The FortiGate unit uploads the firmware image file, upgrades to the new firmware version, and restarts. This process takes a few minutes.
  8. Reconnect to the CLI.
  9. Update antivirus and attack definitions:

execute update-now

Reverting

The following procedure reverts the FortiGate unit to its factory default configuration and deletes any configuration settings. If you are reverting to a previous FortiOS version, you might not be able to restore the previous configuration from the backup configuration file.

To revert to a previous firmware version – GUI:

  1. Log into the GUI as the admin user.
  2. Go to System > Firmware.
  3. Under Upload Firmware, select Browse and locate the firmware image file.
  4. Select OK.

The FortiGate unit uploads the firmware image file, reverts to the old firmware version, resets the configuration, restarts, and displays the FortiGate login. This process takes a few minutes.

To revert to a previous firmware version – CLI:

Before beginning this procedure, it is recommended that you:

  • Back up the FortiGate unit system configuration using the command execute backup config
  • Back up the IPS custom signatures using the command execute backup ipsuserdefsig
  • Back up web content and email filtering lists.

To use the following procedure, you must have a TFTP server the FortiGate unit can connect to.

  1. Make sure that the TFTP server is running.
  2. Copy the firmware image file to the root directory of the TFTP server.
  3. Log in to the FortiGate CLI.
  4. Make sure the FortiGate unit can connect to the TFTP server by using the execute ping command.
  5. Enter the following command to copy the firmware image from the TFTP server to the FortiGate unit:

execute restore image tftp <name_str> <tftp_ipv4>

  6. The FortiGate unit responds with this message:

This operation will replace the current firmware version! Do you want to continue? (y/n)

  7. Type y. The FortiGate unit uploads the firmware image file. After the file uploads, a message similar to the following appears:

Get image from tftp server OK.

Check image OK.

This operation will downgrade the current firmware version! Do you want to continue? (y/n)

  8. Type y. The FortiGate unit reverts to the old firmware version, resets the configuration to factory defaults, and restarts. This process takes a few minutes.
  9. Reconnect to the CLI.
  10. To restore your previous configuration, if needed, use the command:

execute restore config <name_str> <tftp_ipv4>

  11. Update antivirus and attack definitions using the command:

execute update-now

Installation from system reboot

In the event that the firmware upgrade does not load properly and the FortiGate unit will not boot, or continuously reboots, it is best to perform a fresh install of the firmware from a reboot using the CLI.

This procedure installs a firmware image and resets the FortiGate unit to default settings. You can use this procedure to upgrade to a new firmware version, revert to an older firmware version, or re-install the current firmware.

To use this procedure, you must connect to the CLI using the FortiGate console port and an RJ-45 to DB-9 or null modem cable. This procedure reverts the FortiGate unit to its factory default configuration.

For this procedure, you must install a TFTP server that you can connect to from the FortiGate internal interface. The TFTP server should be on the same subnet as the internal interface.

Before beginning this procedure, ensure you backup the FortiGate unit configuration.

If you are reverting to a previous FortiOS version, you might not be able to restore the previous configuration from the backup configuration file.

Installing firmware replaces your current antivirus and attack definitions with the definitions included in the firmware release you are installing. After you install new firmware, make sure that antivirus and attack definitions are up to date.

To install firmware from a system reboot:

  1. Connect to the CLI using the RJ-45 to DB-9 or null modem cable.
  2. Make sure the TFTP server is running.
  3. Copy the new firmware image file to the root directory of the TFTP server.
  4. Make sure the internal interface is connected to the same network as the TFTP server.
  5. To confirm the FortiGate unit can connect to the TFTP server, use the following command to ping the computer running the TFTP server. For example, if the IP address of the TFTP server is 192.168.1.168: execute ping 192.168.1.168
  6. Enter the following command to restart the FortiGate unit: execute reboot
  7. The FortiGate unit responds with the following message:

This operation will reboot the system!

Do you want to continue? (y/n)

  8. Type y. As the FortiGate unit starts, a series of system startup messages appears. When the following message appears, immediately press any key to interrupt the startup:

Press any key to display configuration menu……….

  9. If you successfully interrupt the startup process, the following menu appears:

[G]: Get firmware image from TFTP server.

[F]: Format boot device.

[B]: Boot with backup firmware and set as default

[C]: Configuration and information

[Q]: Quit menu and continue to boot with default firmware.

[H]: Display this list of options. Enter G, F, Q, or H

  10. Type G to get the new firmware image from the TFTP server. The following message appears: Enter TFTP server address [192.168.1.168]:
  11. Type the address of the TFTP server and press Enter. The following message appears: Enter Local Address [192.168.1.188]:
  12. Type an IP address the FortiGate unit can use to connect to the TFTP server. The IP address can be any IP address that is valid for the network to which the interface is connected.
  13. The following message appears: Enter File Name [image.out]:
  14. Enter the firmware image filename and press Enter. The TFTP server uploads the firmware image file to the FortiGate unit and a message similar to the following appears: Save as Default firmware/Backup firmware/Run image without saving: [D/B/R]
  15. Type D. The FortiGate unit installs the new firmware image and restarts. The installation might take a few minutes to complete.

Restoring from a USB key

  1. Log into the CLI.
  2. Enter the following command to install a firmware image from a USB disk, where <filename_str> is the image file name on the USB disk:

execute restore image usb <filename_str>

  3. The FortiGate unit responds with the following message:

This operation will replace the current firmware version! Do you want to continue? (y/n)

  4. Type y. The FortiGate unit installs the firmware image and restarts.

Controlled upgrade

Using a controlled upgrade, you can upload a new version of the FortiOS firmware to a separate firmware partition on the FortiGate for a later upgrade. The FortiGate unit can also be configured so that when it is next rebooted, it automatically boots the new firmware (CLI only). Using this option, you can stage the image on a number of FortiGate units ahead of time and then upgrade all of them simultaneously using FortiManager or a script.

To load the firmware for later installation:

execute restore secondary-image {ftp | tftp | usb} <filename_str>

To set the FortiGate unit so that when it reboots, the new firmware is loaded:

execute set-next-reboot {primary | secondary}

where {primary | secondary} is the partition with the preloaded firmware.
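The CLI upgrade (execute restore image tftp, answering the y/n prompt) and the controlled upgrade just described are the same sequence of commands driven from a workstation. The following is an added example, not Fortinet's or this site's code: a small Python driver that backs up the configuration, then either replaces the firmware immediately or stages it on the secondary partition and arms it for the next reboot, for a list of units. Assumptions: the commands are sent over an interactive SSH shell (paramiko, which the page does not mention); execute backup config and execute restore secondary-image are given a TFTP file name and server address in the same form as execute restore image tftp; the failure pattern matched in the output, the host names and the pre-upgrade.conf file name are ours. FakeSession replays the prompts quoted on this page so the driver can be exercised with no device attached.

```python
"""Stage or apply a FortiOS image on several FortiGates from a workstation.
Added example (not Fortinet or site code); assumptions are marked below."""
import re
import time
from dataclasses import dataclass
from typing import List, Protocol

# Exact prompt text quoted on this page for execute restore image.
CONFIRM = "Do you want to continue? (y/n)"
# Assumption: a line containing one of these words means the step failed.
FAILURE = re.compile(r"\b(error|fail|failed|invalid)\b", re.I)


class Session(Protocol):
    def run(self, line: str) -> str: ...


@dataclass
class Plan:
    host: str
    image: str            # image file name in the TFTP server's root directory
    tftp: str             # TFTP server IPv4 reachable from the unit
    staged: bool = True   # True: controlled upgrade; False: replace firmware now
    backup: str = "pre-upgrade.conf"  # assumed backup file name on the TFTP server


def commands(plan: Plan) -> List[str]:
    """Order of operations from the page: back up the configuration first, then
    load the image. Immediate mode replaces the running firmware and reboots;
    staged mode writes the secondary partition and arms it so that the next
    reboot, triggered later for all units at once, boots the new image."""
    cmds = [f"execute backup config tftp {plan.backup} {plan.tftp}"]  # assumed argument form
    if plan.staged:
        cmds += [f"execute restore secondary-image tftp {plan.image} {plan.tftp}",
                 "execute set-next-reboot secondary"]
    else:
        cmds.append(f"execute restore image tftp {plan.image} {plan.tftp}")
    return cmds


def apply(plan: Plan, session: Session) -> List[str]:
    """Send each command, answer the y/n prompt only when the unit asks, and
    stop at the first failure so a failed backup never leads into a firmware write."""
    transcript: List[str] = []
    for cmd in commands(plan):
        out = session.run(cmd)
        if CONFIRM in out:
            out += session.run("y")
        transcript.append(out)
        if FAILURE.search(out):
            raise RuntimeError(f"{plan.host}: '{cmd}' failed:\n{out}")
    return transcript


class FakeSession:
    """Constructed stand-in that replays the prompts quoted on this page."""
    def __init__(self) -> None:
        self.sent: List[str] = []

    def run(self, line: str) -> str:
        self.sent.append(line)
        if line.startswith("execute restore image "):
            return f"This operation will replace the current firmware version! {CONFIRM}"
        if line == "y":
            return "\nGet image from tftp server OK.\nCheck image OK.\n"
        return "OK\n"


class SSHSession:
    """Assumed real transport: a paramiko interactive shell, because the CLI asks
    y/n questions that a one-shot exec_command would block on."""
    def __init__(self, host: str, user: str, password: str) -> None:
        import paramiko  # assumption: pip install paramiko
        self.client = paramiko.SSHClient()
        self.client.load_system_host_keys()   # known_hosts only; unknown host keys are rejected
        self.client.connect(host, username=user, password=password, timeout=10)
        self.chan = self.client.invoke_shell()
        self.prompt = re.compile(r"[#$] $")    # FortiOS CLI prompt ends in '# ' or '$ '
        self.run("")                           # swallow the login banner

    def run(self, line: str, timeout: float = 600) -> str:
        self.chan.send(line + "\n")
        buf, deadline = "", time.time() + timeout
        while time.time() < deadline:
            if self.chan.recv_ready():
                buf += self.chan.recv(65536).decode(errors="replace")
                if CONFIRM in buf or self.prompt.search(buf):
                    return buf
            else:
                time.sleep(0.2)
        raise TimeoutError(f"no prompt after {timeout}s for {line!r}")


if __name__ == "__main__":
    # Dry run against the fake: one staged unit, one immediate. Swap FakeSession()
    # for SSHSession(host, user, password) only after the image checksum has been
    # verified and the build tested as described earlier on this page.
    for plan in (Plan("fgt-branch-1", "image.out", "192.168.1.168"),
                 Plan("fgt-branch-2", "image.out", "192.168.1.168", staged=False)):
        for cmd, out in zip(commands(plan), apply(plan, FakeSession())):
            print(f"{plan.host}> {cmd}\n{out.strip()}")
```

Staged units are left running the old firmware with the new image armed; the actual switch happens on the reboot you schedule afterwards, which is what lets a whole site move together. Immediate mode drops the SSH connection when the unit restarts, so treat a timeout after the final y as expected rather than as an error.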

This entry was posted in Administration Guides, FortiGate, FortiOS 6.2.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
