Upgrading the firmware on a standalone Fortigate unit or units in an HA cluster


Understanding upgrade paths:
Each firmware version has an upgrade path requirement from older versions.
Most of the time, when you are on a patch level within an MR (major release), you can upgrade straight to any other patch level within that MR.
ex:
1) Currently, a Fortigate unit is running 4.0 MR3 patch 3.
2) You wish to upgrade it to 4.0 MR3 patch 11.
3) You can simply upgrade it directly to 4.0 MR3 patch 11.

Most of the time, when you are upgrading from an MR to the next MR, you can upgrade straight to any patch level in the next MR as long as you are at the highest patch level of the lower/previous MR.
ex:
1) Currently, a Fortigate unit is running 4.0 MR2 patch 3.
2) You wish to upgrade it to 4.0 MR3 patch 11.
3) You must first upgrade it to 4.0 MR2 patch 13 (highest 4.0 MR2 patch).
4) Then you can upgrade to 4.0 MR3 patch 11.
You should ALWAYS refer to the release notes of the firmware release to which you wish to upgrade your unit.
For extra comfort, just open a ticket with Support to verify the upgrade path.
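The rule of thumb above, worked through in code. This is an added example, not part of the original post: it computes the intermediate steps for the two cases described and generalises them to targets several MRs away (hop through the highest patch of each intermediate MR). The HIGHEST_PATCH table is constructed; only the "4.0 MR2 -> patch 13" entry comes from the post, and the real path must still be confirmed against the release notes.

```python
import re

# Highest patch level per major release. Only "MR2": 13 is stated in the
# post; the other entries are constructed placeholders for illustration.
HIGHEST_PATCH = {"MR1": 10, "MR2": 13, "MR3": 18}


def parse_version(text):
    """'4.0 MR3 patch 11' -> ('4.0', 3, 11)."""
    m = re.fullmatch(r"\s*(\d+\.\d+)\s+MR(\d+)\s+patch\s+(\d+)\s*", text, re.I)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return m.group(1), int(m.group(2)), int(m.group(3))


def fmt(major, mr, patch):
    return f"{major} MR{mr} patch {patch}"


def upgrade_path(current, target, highest=HIGHEST_PATCH):
    """Return the firmware versions to install, in order, to go from
    `current` to `target` under the post's rule of thumb:
      - same MR: upgrade directly;
      - next MR: first climb to the highest patch of the current MR.
    Generalised: several MRs apart -> climb to the highest patch of every
    intermediate MR before stepping into the next one."""
    c_major, c_mr, c_patch = parse_version(current)
    t_major, t_mr, t_patch = parse_version(target)
    if c_major != t_major:
        raise ValueError("cross-major-version paths are not covered by this rule")
    if (t_mr, t_patch) < (c_mr, c_patch):
        raise ValueError("target is older than current; that is a downgrade")
    steps = []
    mr, patch = c_mr, c_patch
    while mr < t_mr:
        top = highest[f"MR{mr}"]
        if patch < top:                 # climb to the top of this MR first
            steps.append(fmt(c_major, mr, top))
        mr, patch = mr + 1, 0           # then move up one MR
    if (mr, patch) != (t_mr, t_patch):  # final hop inside the target MR
        steps.append(fmt(t_major, t_mr, t_patch))
    return steps
```

Remember to back up the configuration before each step the function returns, as the procedure below describes.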
FTP info:
Procedure to upgrade a standalone Fortigate:
1) Grab the existing firmware version .out file from the FTP and store it locally.
2) Grab the target firmware version(s) .out file(s) from the FTP and store it/them locally.
3) Backup the current config to the hg repo you know you keep of your firewall configs, and keep a copy locally in case of problems.
4) Check to see the booted/running partition:
    conf global
    diag sys flash list | grep Yes
5) On the System>Dashboard>Status screen, within the System Information Widget, click Firmware Version> Update. If the System Information Widget is unavailable, add it by clicking the + Widget icon near the top.
6) Keep Local Hard Disk selected and click Choose File, selecting the target firmware .out file. Keep boot to the new firmware checked. Click OK and allow the firmware to upload.
The firmware upgrade procedure will also affect the configuration, possibly rewriting some lines.
7) The system should reboot in under 15 minutes.
8) If you need to upgrade the firmware again (in the case of multiple steps in the upgrade path), remember to backup the config at each step, repeating the exact process detailed.
Procedure to upgrade all HA cluster members (with downtime, as recommended by Fortinet):
1) Grab the existing firmware version .out file from the FTP and store it locally.
2) Grab the target firmware version(s) .out file(s) from the FTP and store it/them locally.
3) Backup the current config to the hg repo you know you keep of your firewall configs, and keep a copy locally in case of problems.
4) Set uninterruptable-upgrade to disabled:
    config global
    config system ha
    set uninterruptable-upgrade disable
    end
Note that this is the recommended procedure from Fortinet. It is possible to upgrade without bringing the cluster down, letting it keep passing traffic, if you leave `uninterruptable-upgrade` set to `enable`. This roughly doubles the time the upgrade takes, since the master upgrades the subordinate(s) first, lets them reboot, promotes one of them to primary, and only then upgrades itself. Clearly, there is more room for error, so if you can afford it, schedule a maintenance window and use `uninterruptable-upgrade disable`.
5) Check to see the booted/running partition:
    conf global
    diag sys flash list | grep Yes
6) On the System>Dashboard>Status screen, within the System Information Widget, click Firmware Version> Update. If the System Information Widget is unavailable, add it by clicking the + Widget icon near the top.
7) Keep Local Hard Disk selected and click Choose File, selecting the target firmware .out file. Keep boot to the new firmware checked. Click OK and allow the firmware to upload.
The firmware upgrade procedure will also affect the configuration, possibly rewriting some lines.
8) The system should reboot in under 15 minutes.
Roll back procedure:
Things went mildly wrong:
1) Check the currently running firmware image/partition and the other partitions (FLDB* is not a firmware partition):
    diag sys flash list
2) Configure the next reboot to use the alternate partition, which should be the partition you were running from previously:
    conf global
    execute set-next-reboot secondary
    execute reboot
3) Reboot may take up to 10 minutes.
4) Be happy.
Things went horribly wrong:
You’ve installed, waited over 15 minutes and nothing.
1) Grab the console cable
2) Configure a terminal emulator (PuTTY, for instance) for 9600 baud, 8-n-1 (8 data bits, no parity, 1 stop bit), no flow control.
3) With PuTTY open, unplug and replug the power to the Fortigate unit.
4) During boot, you should see “Press any key to display configuration menu…” for three seconds. Press a key during that time.
5) You will see the configuration menu. Hit the B key to boot from the backup partition and set it as the primary partition.
6) Be happy.
Things went terribly horribly wrong:
You’ve installed, waited over 15 minutes, performed the procedure above and nothing on reboot.
1) Grab a TFTP server from the internet (there are several free ones, I prefer tftpd32). By default, TFTP uses UDP port 69, so make sure that's open on any firewalls between the TFTP server and the Fortigate.
2) Place a copy of the old firmware .out file in the home directory of the TFTP server (you should already have this file).
If you don’t, look at the first line of the saved config file you have for “config-version” to see the firmware version that the config will work with, then download it from the Fortigate FTP.
3) Start the TFTP server (probably after you’ve placed the file).
4) Grab the console cable
5) Configure a terminal emulator (PuTTY, for instance) for 9600 baud, 8-n-1 (8 data bits, no parity, 1 stop bit), no flow control.
6) With PuTTY open, unplug and replug the power to the Fortigate unit.
7) During boot, you should see “Press any key to display configuration menu…” for three seconds. Press a key during that time.
8) You will see the configuration menu. Hit the G key to grab a firmware image from the TFTP server.
9) Enter the TFTP server's IP address and the Fortigate's client IP. (Note that the Fortigate interface will not come up until you have entered all settings and FortiOS begins searching for the .out file on the TFTP server.)
10) Enter the firmware .out file name.
11) Hit D to load the firmware as the default firmware.
12) After rebooting, the following are the default configurations for the 60C. I am unsure if they vary by model:
internal 192.168.1.99
WAN1 10.0.0.1
DMZ 10.10.10.1
Default admin username   admin
Default admin password   <none>
13) You should be able to access the web UI from the internal interface and restore the backed up config.
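A helper for step 2 above, as an added example that is not part of the original post: it reads the "#config-version=" line at the top of a saved FortiOS config backup to identify the model, version and build the backup belongs to, and checks whether a given .out file is the matching image before it goes on the TFTP server. The header line is a constructed sample; the .out naming convention it checks against (FGT_60C-v400-build0632-FORTINET.out) is an assumption based on common Fortinet image names, not something the post states.

```python
import re

# Constructed sample: first line of a backup taken from a FortiGate 60C.
SAMPLE_HEADER = "#config-version=FGT60C-4.00-FW-build632-120705:opmode=0:vdom=0:user=admin\n"

HEADER_RE = re.compile(
    r"^#config-version=(?P<model>[A-Z0-9]+)-(?P<version>\d+\.\d+)-FW-"
    r"build(?P<build>\d+)-(?P<date>\d{6})(?::(?P<rest>.*))?$"
)


def parse_config_version(first_line):
    """Return model, version, build and date from the backup header, plus the
    trailing key=value fields (opmode, vdom, user) if present."""
    m = HEADER_RE.match(first_line.strip())
    if not m:
        raise ValueError("not a FortiOS config backup header: " + first_line.strip())
    info = {"model": m["model"], "version": m["version"],
            "build": int(m["build"]), "date": m["date"]}
    for field in (m["rest"] or "").split(":"):
        if "=" in field:
            key, _, value = field.partition("=")
            info[key] = value
    return info


def out_file_matches(filename, info):
    """True if `filename` looks like the image the backup was taken on: same
    model (FGT60C in the header vs FGT_60C in the file name), same version
    digits (4.00 vs v400) and same build number. Assumes the
    FGT_<model>-v<ver>-build<NNNN>-FORTINET.out naming; a False result means
    'do not send this image to the unit'."""
    model = info["model"].replace("FGT", "")        # "FGT60C" -> "60C"
    m = re.match(r"^FGT_?(?P<model>[A-Z0-9]+)-v(?P<ver>\d+)-build(?P<build>\d+)-", filename)
    if not m:
        return False
    return (m["model"] == model
            and m["ver"] == info["version"].replace(".", "")
            and int(m["build"]) == info["build"])
```

Run parse_config_version on the first line of your saved backup, then out_file_matches on each .out file you have lying around to pick the one to put in the TFTP home directory.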