
Loopback interfaces

A loopback interface is a logical interface that is always up (no physical link dependency) and the attached subnet is always present in the routing table.

The FortiGate’s loopback IP address does not depend on one specific external port, so it is possible to access it through several physical or VLAN interfaces. Multiple loopback interfaces can be configured either in non-VDOM mode or in each VDOM.

Loopback interfaces still require appropriate firewall policies to allow traffic to and from this type of interface. A loopback interface can be used with:

  • Management access
  • BGP (TCP) peering
  • PIM RP

Loopback interfaces are a good practice for OSPF. Setting the OSPF router ID to the same value as the loopback IP address makes troubleshooting OSPF easier and makes the management IP addresses easier to remember (telnet to the “router ID”).

Dynamic routing protocols can be enabled on loopback interfaces.

For a black hole static route, use the black hole route type instead of a loopback interface.


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Virtual Switch

The virtual switch feature enables you to create virtual switches on top of the physical switch(es) with designated interfaces/ports, so that a virtual switch can build up its forwarding table through learning and forward traffic accordingly. When traffic is forwarded among interfaces belonging to the same virtual switch, the traffic does not need to go up to the software stack but is forwarded directly by the switch. When traffic has to be relayed to interfaces not on the virtual switch, the traffic goes through the normal data path and is offloaded to the NP4 when possible.

This feature is only available on mid to high end FortiGate units, including the 100D, 600C, 1000C, and 1240B.

To enable and configure the virtual switch, enter the CLI commands:

config system virtual-switch
    edit vs1
        set physical-switch sw0
        config port
            edit 1
                set port port1
                set speed xx
                set duplex xx
                set status [up|down]
            next
            edit 2
                set port port2
                set …
            next
        end
    next
end


Software switch

A software switch, or soft switch, is a virtual switch that is implemented at the software or firmware level rather than the hardware level. A software switch can be used to simplify communication between devices connected to different FortiGate interfaces. For example, using a software switch, you can place the FortiGate interface connected to an internal network on the same subnet as your wireless interfaces. Devices on the internal network can then communicate with devices on the wireless network without any additional configuration, such as additional security policies, on the FortiGate unit.

It can also be useful if you require more hardware ports for the switch on a FortiGate unit. For example, if your FortiGate unit has a 4-port switch, WAN1, WAN2 and DMZ interfaces, and you need one more port, you can create a soft switch that includes the 4-port switch and the DMZ interface all on the same subnet. These types of applications also apply to wireless interfaces, virtual wireless interfaces and physical interfaces such as those on FortiWiFi and FortiAP units.

Similar to a hardware switch, a software switch functions like a single interface. A software switch has one IP address; all of the interfaces in the software switch are on the same subnet. Traffic between devices connected to each interface is not regulated by security policies, and traffic passing in and out of the switch is affected by the same policy.

There are a few things to consider when setting up a software switch:

  • Ensure you create a back up of the configuration.
  • Ensure you have at least one port or connection such as the console port to connect to the FortiGate unit. If you accidentally combine too many ports, you will need a way to undo any errors.
  • The ports that you include must not have any link or relation to any other aspect of the FortiGate unit. For example, DHCP servers, security policies, and so on.
  • For increased security, you can create a captive portal for the switch, allowing only specific user groups access to the resources connected to the switch.

To create a software switch – web-based manager

1. Go to System > Network > Interface and select Create New.

2. For Type, select Software Switch.

3. In the Physical Interface Members option, select the interfaces to include.

4. Configure the remaining interface settings.

5. Select OK.

To create a software switch – CLI

config system switch-interface
    edit <switch_name>
        set type switch
        set member <interface_list>
    end

config system interface
    edit <switch_name>
        set ip <ip_address>
        set allowaccess https ssh ping
    end

Soft switch example

For this example, the wireless interface (WiFi) needs to be on the same subnet as the DMZ1 interface to facilitate wireless syncing between an iPhone and a local computer. Syncing between two subnets is problematic; by putting both interfaces on the same subnet, syncing will work. The software switch accomplishes this.

In this example, the soft switch includes a wireless interface. Remember to configure any wireless security before proceeding. If you leave this interface open without any password or other security, it leaves open access not only to the wireless interface but to any other interfaces and devices connected within the software switch.

Clear the interfaces and back up the configuration

First, ensure that the interfaces are not being used with any other security policy or other use on the FortiGate unit. Check the WiFi and DMZ1 ports to ensure DHCP is not enabled on the interface and there are no other dependencies with these interfaces.

Next, save the current configuration so that, if something doesn’t work, recovery can be quick.

Merge the interfaces

The plan is to merge the WiFi port and DMZ1 port. This will create a software switch with a name of “synchro” with an IP address of 10.10.21.12. The steps will create the switch, add the IP and then set the administrative access for HTTPS, SSH and Ping.

To merge the interfaces – CLI

config system switch-interface
    edit synchro
        set type switch
        set member dmz1 wifi
    end

config system interface
    edit synchro
        set ip 10.10.21.12
        set allowaccess https ssh ping
    end

Final steps

With the switch set up, you can now add security policies, DHCP servers and any other configuration that you would normally apply when configuring interfaces on the FortiGate unit.


Physical Interfaces FortiGate

Physical

FortiGate units have a number of physical ports where you connect ethernet or optical cables. Depending on the model, they can have anywhere from four to 40 physical ports. Some units have a grouping of ports labelled as internal, providing a built-in switch functionality.

In FortiOS, the port names, as labeled on the FortiGate unit, appear in the web-based manager in the Unit Operation widget, found on the Dashboard. They also appear when you are configuring the interfaces, by going to System > Network > Interface. As shown below, the FortiGate-100D (Generation 2) has 22 interfaces.

Two of the physical ports on the FortiGate-100D (Generation 2) are SFP ports. These ports share the numbers 15 and 16 with RJ-45 ports. Because of this, when SFP port 15 is used, RJ-45 port 15 cannot be used, and vice versa. These ports also share the same MAC address.

Configuring the FortiGate-100D ports

Normally the internal interface is configured as a single interface shared by all physical interface connections – a switch. The switch mode feature has two states – switch mode and interface mode. Switch mode is the default mode with only one interface and one address for the entire internal switch. Interface mode enables you to configure each of the internal switch physical interface connections separately. This enables you to assign different subnets and netmasks to each of the internal physical interface connections.

The larger FortiGate units can also include Advanced Mezzanine Cards (AMC), which can provide additional interfaces (Ethernet or optical), with throughput enhancements for more efficient handling of specialized traffic. These interfaces appear in FortiOS as port amc/sw1, amc/sw2 and so on. In the following illustration, the FortiGate-3810A has three AMC cards installed: two single-width (amc/sw1, amc/sw2) and one double-width (amc/dw).

Interface settings

In System > Network > Interface, you configure the interfaces, physical and virtual, for the FortiGate unit. There are different options for configuring interfaces when the FortiGate unit is in NAT mode or transparent mode. On FortiOS Carrier, you can also enable the Gi gatekeeper on each interface for anti-overbilling.

Interface page

Create New
    Select to add a new interface, zone or, in transparent mode, port pair. For more information on configuring zones, see Zones.
    Depending on the model you can add a VLAN interface, a loopback interface, an IEEE 802.3ad aggregated interface, or a redundant interface.
    When VDOMs are enabled, you can also add Inter-VDOM links.

Name
    The names of the physical interfaces on your FortiGate unit. This includes any alias names that have been configured.
    When you combine several interfaces into an aggregate or redundant interface, only the aggregate or redundant interface is listed, not the component interfaces.
    If you have added VLAN interfaces, they also appear in the name list, below the physical or aggregated interface to which they have been added.
    If you have added loopback interfaces, they also appear in the interface list, below the physical interface to which they have been added. If you have software switch interfaces configured, you will be able to view them. If your FortiGate unit supports AMC modules, the interfaces are named amc-sw1/1, amc-dw1/2, and so on.

Type
    The configuration type for the interface.

IP/Netmask
    The current IP address and netmask of the interface.
    In VDOM mode, when the VDOMs are not all in NAT or transparent mode, some values may not be available for display and are shown as “-”.

Access
    The administrative access configuration for the interface.

Administrative Status
    Indicates if the interface can be accessed for administrative purposes. If the administrative status is a green arrow, an administrator can connect to the interface using the configured access.
    If the administrative status is a red arrow, the interface is administratively down and cannot be accessed for administrative purposes.

Link Status
    The status of the interface physical connection. Link status can be either up (green arrow) or down (red arrow). If link status is up, the interface is connected to the network and accepting traffic. If link status is down, the interface is not connected to the network or there is a problem with the connection. You cannot change the link status from the web-based manager; it typically indicates whether an Ethernet cable is plugged into the interface.
    Link status is only displayed for physical interfaces.

MAC
    The MAC address of the interface.

Mode
    Shows the addressing mode of the interface. The addressing mode can be manual, DHCP, or PPPoE.

Secondary IP
    Displays the secondary IP addresses added to the interface.

MTU
    The maximum number of bytes per transmission unit (MTU) for the interface.

Virtual Domain
    The virtual domain to which the interface belongs. This column is visible when VDOM configuration is enabled.

VLAN ID
    The configured VLAN ID for VLAN subinterfaces.

Interface configuration and settings

To configure an interface, go to System > Network > Interface and select Create New.

Name
    Enter a name for the interface. Physical interface names cannot be changed.

Alias
    Enter an alternate name for a physical interface on the FortiGate unit. This field appears when editing an existing physical interface.
    The alias can be a maximum of 25 characters. The alias name does not appear in logs.

Link Status
    Indicates whether the interface is connected to a network (link status is Up) or not (link status is Down). This field appears when editing an existing physical interface.

Type
    Select the type of interface that you want to add.
    On some models you can set Type to 802.3ad Aggregate or Redundant Interface.

Interface
    Displayed when Type is set to VLAN.
    Select the name of the physical interface to which to add a VLAN interface. Once created, the VLAN interface is listed below its physical interface in the Interface list.
    You cannot change the physical interface of a VLAN interface except when adding a new VLAN interface.

VLAN ID
    Displayed when Type is set to VLAN.
    Enter the VLAN ID. You cannot change the VLAN ID except when adding a new VLAN interface.
    The VLAN ID can be any number between 1 and 4094 and must match the VLAN ID added by the IEEE 802.1Q-compliant router or switch connected to the VLAN subinterface.

Virtual Domain
    Select the virtual domain to add the interface to.
    Admin accounts with the super_admin profile can change the Virtual Domain.

Physical Interface Members
    This section has two different forms depending on the interface type:
      • Software switch interface – this section is a display-only field showing the interfaces that belong to the software switch virtual interface.
      • 802.3ad aggregate or Redundant interface – this section includes available interface and selected interface lists to enable adding or removing interfaces from the interface.
    Select interfaces from the Available Interfaces list and select the right arrow to add an interface to the Selected Interfaces list.

Addressing mode
    Select the addressing mode for the interface.
      • Select Manual and add an IP/Netmask for the interface. If IPv6 configuration is enabled you can add both an IPv4 and an IPv6 IP address.
      • Select DHCP to get the interface IP address and other network settings from a DHCP server.
      • Select PPPoE to get the interface IP address and other network settings from a PPPoE server.
      • Select One-Arm Sniffer to enable the interface as a means to detect possible traffic threats. This option is available on physical ports not configured for the primary Internet connection.
      • Select Dedicate to FortiAP/FortiSwitch to have a FortiAP unit or FortiSwitch unit connect exclusively to the interface. This option is only available when editing a physical interface, and it has a static IP address. When you enter the IP address, the FortiGate unit automatically creates a DHCP server using the subnet entered. This option is not available on the ADSL interface.
    The FortiSwitch option is currently only available on the FortiGate-100D.

IP/Netmask
    If Addressing Mode is set to Manual, enter an IPv4 address/subnet mask for the interface. FortiGate interfaces cannot have IP addresses on the same subnet.

IPv6 Address
    If Addressing Mode is set to Manual and IPv6 support is enabled, enter an IPv6 address/subnet mask for the interface. A single interface can have both an IPv4 and an IPv6 address, or just one or the other.

Administrative Access
    Select the types of administrative access permitted for IPv4 connections to this interface.

    HTTPS
        Allow secure HTTPS connections to the web-based manager through this interface. This option is enabled automatically when you select the HTTP option.

    PING
        Interface responds to pings. Use this setting to verify your installation and for testing.

    HTTP
        Allow HTTP connections to the web-based manager through this interface. If configured, this option will also enable the HTTPS option.

    SSH
        Allow SSH connections to the CLI through this interface.

    SNMP
        Allow a remote SNMP manager to request SNMP information by connecting to this interface.

    TELNET
        Allow Telnet connections to the CLI through this interface. Telnet connections are not secure and can be intercepted by a third party.

    FMGAccess
        Allow FortiManager authorization automatically during the communication exchange between the FortiManager and FortiGate units.

    FortiHeartBeat
        You can configure a FortiGate interface as an interface that will accept FortiClient connections. When configured, the FortiGate unit sends broadcast messages which the FortiClient software running on an end user PC is listening for.

    CAPWAP
        Allows the FortiGate unit’s wireless controller to manage a wireless access point, such as a FortiAP unit.

IPv6 Administrative Access
    Select the types of administrative access permitted for IPv6 connections to this interface. These types are the same as for Administrative Access.

Security Mode
    Select a captive portal for the interface. When selected, you can define the portal message and look that the user sees when logging into the interface. You can also define one or more user groups that have access to the interface.

DHCP Server
    Select to enable a DHCP server for the interface. For more information on configuring a DHCP server on the interface, see DHCP servers and relays.

Detect and Identify Devices
    Select to enable the interface to be used with BYOD hardware such as iPhones. Define the device definitions by going to User & Device > Device.

Add New Devices to Vulnerability Scan List
    This option appears when Detect and Identify Devices is enabled. When enabled, the FortiGate unit performs a network vulnerability scan of any devices detected or seen on the interface. The vulnerability scan occurs as configured, either on demand or as scheduled.

Enforce FortiHeartBeat for all FortiClients
    Available when FortiHeartBeat is enabled for Administrative Access. Select to enable sending broadcast messages that the FortiClient software running on an end user PC listens for.
    Once enabled, the FortiGate unit broadcasts a discovery message that includes the IP address of the interface and the listening port number to the local network. All PCs running FortiClient on that network listen for this discovery message.

Enable Explicit Web Proxy
    Available when explicit proxy is enabled on the System Information Dashboard (System > Dashboard > Status).
    This option is not available for a VLAN interface selection. Select to enable explicit web proxying on this interface. When enabled, this interface will be displayed on System > Network > Explicit Proxy under Listen on Interfaces, and web traffic on this interface will be proxied according to the Web Proxy settings.

Enable STP
    On FortiGate units with a switch interface in switch mode, this option is enabled by default. It enables the single-instance MSTP spanning tree protocol.

Listen for RADIUS Accounting Messages
    Select to use the interface as a listening port for RADIUS content.

Secondary IP Address
    Add additional IPv4 addresses to this interface. Select the Expand Arrow to expand or hide the section.

Comments
    Enter a description of up to 63 characters for the interface.

Administrative Status
    Select either Up (green arrow) or Down (red arrow) as the status of this interface.
    Up indicates the interface is active and can accept network traffic.
    Down indicates the interface is not active and cannot accept traffic.

Gi Gatekeeper (FortiOS Carrier only)
    For FortiOS Carrier, enable Gi Gatekeeper to enable the Gi firewall as part of the anti-overbilling configuration. You must also configure Gi Gatekeeper Settings by going to System > Admin > Settings.
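
As an added example that is not part of the FortiOS handbook or this site, the following Python script parses a constructed FortiOS configuration dump and runs three checks drawn from the text above: that the candidate members of a software switch have no remaining dependencies (DHCP servers, security policies), that no two interfaces share a subnet, and that Telnet and HTTP administrative access are not left enabled. The parser, the function names and the sample configuration are assumptions of the example.

```python
"""Offline checks on a FortiOS configuration dump. Added example, not code
from the FortiOS handbook: a small parser for the config/edit/set/next/end
text format plus three checks drawn from the text above. SAMPLE_CONFIG is
constructed: dmz1 and wifi are about to be merged into a software switch,
dmz1 still has a DHCP server and a policy, and wan1 allows cleartext access."""
import ipaddress
import shlex

INSECURE_ACCESS = {"telnet", "http"}  # cleartext management protocols

SAMPLE_CONFIG = """\
config system interface
    edit "wan1"
        set ip 203.0.113.2 255.255.255.0
        set allowaccess ping https ssh telnet http
    next
    edit "dmz1"
        set ip 10.10.21.1 255.255.255.0
    next
    edit "wifi"
        set ip 10.10.21.12 255.255.255.0
    next
end
config system dhcp server
    edit 1
        set interface "dmz1"
    next
end
config firewall policy
    edit 1
        set srcintf "dmz1"
        set dstintf "wan1"
    next
end
"""


def parse_fortios(text):
    """Return {table: {entry: {key: [values]}}} for top-level tables only."""
    tables, table, entry, depth = {}, None, None, 0
    for tok in filter(None, map(shlex.split, text.splitlines())):
        if tok[0] == "config":
            depth += 1
            if depth == 1:
                table = tables.setdefault(" ".join(tok[1:]), {})
        elif tok[0] == "end":
            depth -= 1
            if depth == 0:
                table = entry = None
        elif depth != 1:
            continue  # entries inside nested config blocks are not needed here
        elif tok[0] == "edit":
            entry = table.setdefault(tok[1], {})
        elif tok[0] == "next":
            entry = None
        elif tok[0] == "set" and entry is not None:
            entry[tok[1]] = tok[2:]
    return tables


def switch_member_conflicts(cfg, members):
    """Dependencies to clear before the ports can join a software switch."""
    found = []
    for name, dhcp in cfg.get("system dhcp server", {}).items():
        iface = dhcp.get("interface", [None])[0]
        if iface in members:
            found.append((iface, f"dhcp server {name}"))
    for pid, pol in cfg.get("firewall policy", {}).items():
        for key in ("srcintf", "dstintf"):
            for iface in pol.get(key, []):
                if iface in members:
                    found.append((iface, f"firewall policy {pid} {key}"))
    return found


def overlapping_subnets(cfg):
    """Interface pairs whose IPv4 subnets overlap; FortiOS rejects these."""
    nets = []
    for name, iface in cfg.get("system interface", {}).items():
        if "ip" in iface:  # ["a.b.c.d", "255.255.255.0"] -> "a.b.c.d/255.255.255.0"
            nets.append((name, ipaddress.ip_interface("/".join(iface["ip"])).network))
    return sorted((a, b) for i, (a, na) in enumerate(nets)
                  for b, nb in nets[i + 1:] if na.overlaps(nb))


def insecure_admin_access(cfg):
    """Interfaces whose allowaccess includes Telnet or HTTP, with the offenders."""
    ifaces = cfg.get("system interface", {}).items()
    return {name: sorted(INSECURE_ACCESS & set(i.get("allowaccess", [])))
            for name, i in ifaces if INSECURE_ACCESS & set(i.get("allowaccess", []))}


if __name__ == "__main__":
    cfg = parse_fortios(SAMPLE_CONFIG)
    print("switch member conflicts:", switch_member_conflicts(cfg, {"dmz1", "wifi"}))
    print("overlapping subnets:", overlapping_subnets(cfg))
    print("insecure admin access:", insecure_admin_access(cfg))
```

Run against a real dump (show full-configuration output saved to a file), the same three functions flag the dependencies to remove before set member will be accepted and the interfaces whose allowaccess should be reduced to HTTPS and SSH.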


Interfaces

Interfaces, both physical and virtual, enable traffic to flow between the internal network and the Internet, and between internal networks. The FortiGate unit has a number of options for setting up interfaces and groupings of subnetworks that can scale to a company’s growing requirements.

This chapter includes:

  • Physical
  • Interface settings
  • Software switch
  • Virtual Switch
  • Loopback interfaces
  • Redundant interfaces
  • One-armed sniffer
  • Aggregate Interfaces
  • DHCP addressing mode on an interface
  • Administrative access
  • Wireless
  • Interface MTU packet size
  • Secondary IP addresses to an interface
  • Virtual domains
  • Virtual LANs
  • Zones

Controlled upgrade

Using a controlled upgrade, you can upload a new version of the FortiOS firmware to a separate partition in the FortiGate memory for later upgrade. The FortiGate unit can also be configured so that when it is rebooted, it automatically loads the new firmware (CLI only). Using this option, you can stage a number of FortiGate units and then upgrade all of them simultaneously using FortiManager or a script.

To load the firmware for later installation – web-based manager

1. Go to System > Dashboard > Status.

2. Under System Information > Firmware Version, select Update.

3. Type the path and filename of the firmware image file, or select Browse and locate the file.

4. Deselect the Boot the New Firmware option.

5. Select OK.

To load the firmware for later installation – CLI

execute restore secondary-image {ftp | tftp | usb}

To set the FortiGate unit so that when it reboots, the new firmware is loaded, use the CLI command…

execute set-next-reboot {primary | secondary}

… where {primary | secondary} is the partition with the preloaded firmware.

To trigger the upgrade using the web-based manager

1. Go to System > Dashboard > Status.

2. Under System Information > Firmware Version, select Details.

3. Select the check box for the new firmware version.

The Comments column indicates which firmware version is the current active version.

4. Select the Upgrade icon.


Configuration revision

The Configuration Revisions menu enables you to manage multiple versions of configuration files on models that have 512 flash memory or higher. Revision control requires either a configured central management server or the local hard drive. The central management server can be either a FortiManager unit or FortiCloud.

If central management is not configured on your FortiGate unit, a message appears to tell you to do one of the following:

  • enable central management
  • obtain a valid license.

When revision control is enabled on your FortiGate unit and configuration backups have been made, a list of saved revisions of those backed-up configurations appears.

Configuration revisions are viewed in the System Information widget on the Dashboard.


Firmware

Fortinet periodically updates the FortiGate firmware to include new features and resolve important issues. After you have registered your FortiGate unit, you can download firmware updates from the support web site, https://support.fortinet.com.

Before you install any new firmware, be sure to follow the steps below:

  • Review the Release Notes for a new firmware release.
  • Review the Supported Upgrade Paths document to make sure the upgrade from your current image to the desired new image is supported.
  • Back up the current configuration, including local certificates. For more information, see Firmware.
  • Test the new firmware until you are satisfied that it applies to your configuration.

Installing new firmware without reviewing release notes or testing the firmware may result in changes to settings or unexpected issues.

Only FortiGate admin users and administrators whose access profiles contain system read and write privileges can change the FortiGate firmware.

Backing up the current configuration

In case you need to restore your FortiGate configuration, you should always back up the configuration before installing new firmware.

To create a local backup:

1. Go to System > Dashboard > Status and locate the System Information widget.

2. Select Backup beside System Configuration.

3. Choose either Local PC or USB Disk to save the configuration file.

4. If desired, select Encrypt configuration file.

5. Select Backup.

Restoring configuration

Rather than reconfigure the FortiGate manually, it is possible to upload a saved configuration file.

To restore your FortiGate configuration

1. Go to System > Dashboard > Status and locate the System Information widget.

2. Select [Restore] beside System Configuration.

3. Choose either Local PC or USB Disk depending on the location of the file.

4. Select Choose File and browse to the correct file in the file manager window.

5. If a password was associated with the configuration file, enter it in the Password field.

6. Select Restore.

Troubleshooting

During the installation there are some possible errors that you may come across, but the solutions are usually straightforward.

Error message: Configuration file error
Reason: This error occurs when attempting to upload a configuration file that is incompatible with the device. This may be because the configuration file is for a different model or was saved from a different version of firmware.
Solution: upload a configuration file that is for the correct model of FortiGate device and the correct version of the firmware.

Error message: Invalid password
Reason: When the configuration file is saved, it can be protected by a password. The password entered during the upload process does not match the one associated with the configuration file.
Solution: use the correct password if the file is password protected.

Downloading firmware

Firmware images for all FortiGate units are available on the Fortinet Customer Support website, https://support.fortinet.com.

To download firmware

1. Log into the site using your user name and password.

2. Go to Download > Firmware Images.

3. A list of Release Notes is shown. If you have not already done so, download and review the Release Notes for the firmware you wish to upgrade your FortiGate unit to.

4. Select HTTPS Download.

Firmware can also be downloaded using FTP; however, as FTP is not an encrypted file transferring protocol, HTTPS downloading is recommended.

5. Navigate to find the folder for the firmware version you wish to use.

6. Select your FortiGate model from the list. If your unit is a FortiWiFi, be sure to get the appropriate firmware, which will have a filename starting with FWF.

7. Save the firmware image to your computer.

Testing new firmware before installing

FortiOS enables you to test a new firmware image by installing the firmware image from a system reboot and saving it to system memory. After completing this procedure, the FortiGate unit operates using the new firmware image with the current configuration. This new firmware image is not permanently installed. The next time the FortiGate unit restarts, it operates with the originally installed firmware image using the current configuration. If the new firmware image operates successfully, you can install it permanently (see Upgrading the firmware).

To use this procedure, you must connect to the CLI using the FortiGate console port and an RJ-45 to DB-9 or null modem cable. This procedure temporarily installs a new firmware image using your current configuration.

For this procedure, you must install a TFTP server that you can connect to from the FortiGate internal interface. The TFTP server should be on the same subnet as the internal interface.

To test the new firmware image

1. Connect to the CLI using an RJ-45 to DB-9 or null modem cable.

2. Make sure the TFTP server is running.

3. Copy the new firmware image file to the root directory of the TFTP server.

4. Make sure the FortiGate unit can connect to the TFTP server using the execute ping command.

5. Enter the following command to restart the FortiGate unit:

execute reboot

6. As the FortiGate unit reboots, press any key to interrupt the system startup. As the FortiGate unit starts, a series of system startup messages appears.

When the following message appears:

Press any key to display configuration menu….

7. Immediately press any key to interrupt the system startup.

You have only 3 seconds to press any key. If you do not press a key soon enough, the FortiGate unit reboots and you must log in and repeat the execute reboot command.

If you successfully interrupt the startup process, the following menu appears:

[G]: Get firmware image from TFTP server.
[F]: Format boot device.
[B]: Boot with backup firmware and set as default
[C]: Configuration and information
[Q]: Quit menu and continue to boot with default firmware.
[H]: Display this list of options.

Enter G, F, Q, or H:

8. Type G to get the new firmware image from the TFTP server.

The following message appears:

Enter TFTP server address [192.168.1.168]:

9. Type the address of the TFTP server and press Enter.

The following message appears:

Enter Local Address [192.168.1.188]:

10. Type an IP address of the FortiGate unit to connect to the TFTP server.

The IP address must be on the same network as the TFTP server.

Make sure you do not enter the IP address of another device on this network. The following message appears:

Enter File Name [image.out]:

11. Enter the firmware image file name and press Enter.

The TFTP server uploads the firmware image file to the FortiGate unit and the following appears.

Save as Default firmware/Backup firmware/Run image without saving: [D/B/R]

12. Type R.

The FortiGate image is installed to system memory and the FortiGate unit starts running the new firmware image, but with its current configuration.

You can test the new firmware image as required. When done testing, you can reboot the FortiGate unit, and the FortiGate unit will resume using the firmware that was running before you installed the test firmware.

 

Upgrading the firmware – web-based manager

Installing firmware replaces your current antivirus and attack definitions, along with the definitions included with the firmware release you are installing. After you install new firmware, make sure that antivirus and attack definitions are up to date.

Always remember to back up your configuration before making any changes to the firmware.

 

To upgrade the firmware

1. Log into the web-based manager as the admin administrative user.

2. Go to System > Dashboard > Status and locate the System Information widget.

3. Beside Firmware Version, select Update.

4. Type the path and filename of the firmware image file, or select Browse and locate the file.

5. Select OK.

The FortiGate unit uploads the firmware image file, upgrades to the new firmware version, restarts, and displays the FortiGate login. This process takes a few minutes.

 

Upgrading the firmware – CLI

Installing firmware replaces your current antivirus and attack definitions, along with the definitions included with the firmware release you are installing. After you install new firmware, make sure that antivirus and attack definitions are up to date. You can also use the CLI command execute update-now to update the antivirus and attack definitions. For more information, see the System Administration handbook.

Before you begin, ensure you have a TFTP server running and accessible to the FortiGate unit.

Always remember to back up your configuration before making any changes to the firmware.

 

To upgrade the firmware using the CLI

1. Make sure the TFTP server is running.

2. Copy the new firmware image file to the root directory of the TFTP server.

3. Log into the CLI.

4. Make sure the FortiGate unit can connect to the TFTP server.

You can use the following command to ping the computer running the TFTP server. For example, if the IP address of the TFTP server is 192.168.1.168:

execute ping 192.168.1.168

5. Enter the following command to copy the firmware image from the TFTP server to the FortiGate unit:

execute restore image tftp <filename> <tftp_ipv4>

Where <filename> is the name of the firmware image file and <tftp_ipv4> is the IP address of the TFTP server. For example, if the firmware image file name is image.out and the IP address of the TFTP server is 192.168.1.168, enter:

execute restore image tftp image.out 192.168.1.168

The FortiGate unit responds with the message:

This operation will replace the current firmware version!

Do you want to continue? (y/n)

6. Type y.

7. The FortiGate unit uploads the firmware image file, upgrades to the new firmware version, and restarts. This process takes a few minutes.

8. Reconnect to the CLI.

9. Update antivirus and attack definitions, by entering:

execute update-now
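As an added example (not part of the handbook text), a POSIX shell pre-flight check for step 2 of the CLI upgrade above: TFTP carries no integrity protection, so the image is verified against an expected SHA-256 (assumed to be the value the operator obtained with the release download) before it is staged in the TFTP root. The paths, the sample image and the TFTP root used in the demo are constructed.

```shell
#!/bin/sh
# Added example, not FortiOS handbook code. Verifies a firmware image's SHA-256
# before placing it in the TFTP root that the FortiGate will fetch from.

# verify_and_stage IMAGE EXPECTED_SHA256 TFTP_ROOT
# Copies IMAGE into TFTP_ROOT only when its SHA-256 matches EXPECTED_SHA256.
# Returns 0 on success, 1 on a missing file or directory, 2 on a checksum mismatch.
verify_and_stage() {
  image=$1; expected=$2; tftp_root=$3
  [ -f "$image" ]     || { echo "image not found: $image" >&2; return 1; }
  [ -d "$tftp_root" ] || { echo "TFTP root not found: $tftp_root" >&2; return 1; }
  # sha256sum prints "<hash>  <file>"; keep only the hash.
  actual=$(sha256sum "$image" | cut -d' ' -f1)
  if [ "$actual" != "$expected" ]; then
    echo "checksum mismatch for $image, refusing to stage it" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 2
  fi
  cp "$image" "$tftp_root/" && echo "staged $(basename "$image") in $tftp_root"
}

# demo: builds a constructed sample image in a temporary directory (a placeholder,
# not a real firmware file) and exercises both the matching and mismatching cases.
demo() {
  work=$(mktemp -d)
  mkdir "$work/tftproot"
  printf 'constructed sample firmware bytes, not a real image\n' > "$work/image.out"
  good=$(sha256sum "$work/image.out" | cut -d' ' -f1)
  verify_and_stage "$work/image.out" "$good" "$work/tftproot" || return 1
  # A wrong expected hash must refuse to stage the file.
  if verify_and_stage "$work/image.out" "deadbeef" "$work/tftproot" 2>/dev/null; then
    return 1
  fi
  rm -rf "$work"
  echo "demo OK"
}
```

Run `demo` to see both outcomes; in practice call `verify_and_stage` with the downloaded image, the published hash and your TFTP root before typing the execute restore image command.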

 

Installing firmware from a system reboot using the CLI

There is a possibility that the firmware upgrade does not load properly and the FortiGate unit will not boot, or continuously reboots. If this occurs, it is best to perform a fresh install of the firmware from a reboot using the CLI.

This procedure installs a firmware image and resets the FortiGate unit to default settings. You can use this procedure to upgrade to a new firmware version, revert to an older firmware version, or re-install the current firmware.

To use this procedure, you must connect to the CLI using the FortiGate console port and an RJ-45 to DB-9 or null modem cable. This procedure reverts the FortiGate unit to its factory default configuration.

For this procedure you install a TFTP server that you can connect to from the FortiGate internal interface. The TFTP server should be on the same subnet as the internal interface.

Before beginning this procedure, ensure you back up the FortiGate unit configuration.

If you are reverting to a previous FortiOS version, you might not be able to restore the previous configuration from the backup configuration file.

Installing firmware replaces your current antivirus and attack definitions, along with the definitions included with the firmware release you are installing. After you install new firmware, make sure that antivirus and attack definitions are up to date.

 

To install firmware from a system reboot

1. Connect to the CLI using the RJ-45 to DB-9 or null modem cable.

2. Make sure the TFTP server is running.

3. Copy the new firmware image file to the root directory of the TFTP server.

4. Make sure the internal interface is connected to the same network as the TFTP server.

5. To confirm the FortiGate unit can connect to the TFTP server, use the following command to ping the computer running the TFTP server. For example, if the IP address of the TFTP server is 192.168.1.168:

execute ping 192.168.1.168

6. Enter the following command to restart the FortiGate unit.

execute reboot

The FortiGate unit responds with the following message:

This operation will reboot the system! Do you want to continue? (y/n)

7. Type y.

As the FortiGate unit starts, a series of system startup messages appears. When the following message appears:

Press any key to display configuration menu……….

Immediately press any key to interrupt the system startup.

You have only 3 seconds to press any key. If you do not press a key soon enough, the FortiGate unit reboots and you must log in and repeat the execute reboot command.

If you successfully interrupt the startup process, the following messages appear:

[G]: Get firmware image from TFTP server.

[F]: Format boot device.

[B]: Boot with backup firmware and set as default

[C]: Configuration and information

[Q]: Quit menu and continue to boot with default firmware.

[H]: Display this list of options.

Enter G, F, Q, or H:

8. Type G to get the new firmware image from the TFTP server.

 

The following message appears:

Enter TFTP server address [192.168.1.168]:

9. Type the address of the TFTP server and press Enter.

The following message appears:

Enter Local Address [192.168.1.188]:

10. Type an IP address the FortiGate unit can use to connect to the TFTP server. The IP address can be any IP address that is valid for the network the interface is connected to.

Make sure you do not enter the IP address of another device on this network. The following message appears:

Enter File Name [image.out]:

11. Enter the firmware image filename and press Enter.

The TFTP server uploads the firmware image file to the FortiGate unit and a message similar to the following appears:

Save as Default firmware/Backup firmware/Run image without saving: [D/B/R]

12. Type D.

The FortiGate unit installs the new firmware image and restarts. The installation might take a few minutes to complete.

 

Reverting to a previous firmware version – CLI

This procedure reverts the FortiGate unit to its factory default configuration and deletes IPS custom signatures, web content lists, email filtering lists, and changes to replacement messages.

Before beginning this procedure, it is recommended that you:

  • back up the FortiGate unit system configuration using the command execute backup config
  • back up the IPS custom signatures using the command  execute backup ipsuserdefsig
  • back up web content and email filtering lists

To use the following procedure, you must have a TFTP server the FortiGate unit can connect to.

 

To revert to a previous firmware version using the CLI

1. Make sure the TFTP server is running

2. Copy the firmware image file to the root directory of the TFTP server.

3. Log into the FortiGate CLI.

4. Make sure the FortiGate unit can connect to the TFTP server by using the execute ping command.

5. Enter the following command to copy the firmware image from the TFTP server to the FortiGate unit:

execute restore image tftp <name_str> <tftp_ipv4>

Where <name_str> is the name of the firmware image file and <tftp_ipv4> is the IP address of the TFTP server. For example, if the firmware image file name is image28.out and the IP address of the TFTP server is 192.168.1.168, enter:

execute restore image tftp image28.out 192.168.1.168

The FortiGate unit responds with this message:

This operation will replace the current firmware version!

Do you want to continue? (y/n)

6. Type y.

 

The FortiGate unit uploads the firmware image file. After the file uploads, a message similar to the following appears:

Get image from tftp server OK. Check image OK.

This operation will downgrade the current firmware version! Do you want to continue? (y/n)

7. Type y.

8. The FortiGate unit reverts to the old firmware version, resets the configuration to factory defaults, and restarts.

This process takes a few minutes.

9. Reconnect to the CLI.

10. To restore your previous configuration, if needed, use the command:

execute restore config <name_str> <tftp_ip4>

11. Update antivirus and attack definitions using the command:

execute update-now

 

Reverting to a previous firmware version – web-based manager

The following procedure reverts the FortiGate unit to its factory default configuration and deletes any configuration settings. If you are reverting to a previous FortiOS version, you might not be able to restore the previous configuration from the backup configuration file.

Always remember to back up your configuration before making any changes to the firmware.

 

To revert to a previous firmware version

1. Go to System > Dashboard > Status and locate the System Information widget.

2. Beside Firmware Version, select Update.

3. Type the path and filename of the firmware image file, or select Browse and locate the file.

4. Select OK.

The FortiGate unit uploads the firmware image file, reverts to the old firmware version, resets the configuration, restarts, and displays the FortiGate login. This process takes a few minutes.

