Supported Upgrade Paths – FortiOS

The goal of this document is to make it easier for you to upgrade your FortiGate unit by guiding you to the most likely intermediate firmware upgrades between your current version and the latest version of the firmware. The latest version being the one with the highest patch number in your desired version branch.

Since multiple versions of firmware are often developed at the same time, there are different versions of the upgrade path document, too. There are PDF versions of this information and in those PDFs, the title of the document indicates which version of the firmware is the final destination of the recommended upgrade path options. In this web page we will be showing all of the information in one document the difference in terms of the final result will depend on the table you reference rather than the document. Be sure that you are looking at the correct table for your objective. For instance, if your goal is to upgrade to the latest build of Version 5.0 looking at the Upgrade Path table for 5.2 might give you some options that would appear confusing.

Every time you perform an upgrade to the firmware you should carefully read the release notes of the firmware you are upgrading to. Release notes may include warnings or notices of exceptions. The release notes can be found on the support site in the same directory as the firmware. The Fortinet Support Site can be found at:


For most devices these steps will show the path in steps from your current version to the latest Version, MR, and patch. The steps shown by the Upgrade Steps Table are not the only possible path, but they are supported and have been optimized to achieve the latest version of the firmware in the fewest steps.

Some older FortiGate hardware platforms do not have the resources to effectively use the most recent firmware versions and so do not support firmware updates past a certain version. To see if your device is affected by this check the Product Life Cycle page found at:

If the device you are looking up is not included in the Product Life Cycle page you can go to the Firmware section of the Support Portal and check the first build of each FortiOS version. For example, if there is a firmware build for 5.2.0, there should be one for 5.2.x. If there isn’t one for 5.4.0, you can be fairly sure that the latest build in the 5.2 version is as high as you can upgrade.

The Upgrade path tables

If you are already familiar with the contents and cautionary information found in the document and would like to go directly to the tables, they can be found here:

Scope of the Document

The scope of this document is limited to recommended upgrade practices for the firmware, FortiOS, which is used as the Operating System for the following products:

  • FortiGate
  • FortiWiFi
  • FortiOS-Carrier

This document does not include the upgrade paths for other Fortinet products such as:

  • FortiManager
  • FortiAnalyzer

These products have their own upgrade path documentation.

Location of Upgrade Path documents for other products

Links to upgrade path documents that can also be found on the Cookbook site are listed here:

Upgrade Path documents for the following products are available from the Fortinet Customer Service & Support Site, found at, in the same directory as the firmware images and Release Notes.

  • FortiAnalyzer
  • FortiManager

Example links to Upgrade Guides:

The above links are examples only, as each firmware release for these products has its own document.

Product compatibility

This document does not include any references to release compatibility between Fortinet products. This is an issue that administrators of environments where different Fortinet products are used should be aware of. For instance, a specific version of FortiManager has a range of versions of FortiGate that it will be compatible with. If the FortiGates are upgraded without verifying that the FortiManager will be compatible with them, a situation could arise where the FortiManager will not be able to manage those newly upgraded FortiGates. On the other side of the equation, it is also possible to upgrade a FortiManager beyond the compatibility range of some of the older models of FortiGate.

If you have some older models of FortiGate that cannot be upgraded to current releases of firmware, and some brand new models of FortiGate that cannot run older firmware, the situation can arise where a single FortiManager will not be able to manage all of the FortiGates in the environment. This is an issue that the administrator needs to be aware of when making decisions about which firmware to run.

The compatibility between models is listed in the Release Notes of the products. These should be read and the environment should be planned out as a whole. It is possible that there is no one best option. The administrator will have to weigh the pros and cons of all of the variables and keep in mind what the most important requirements are for the environment.

Source Information

The initial source material for the development of the of the upgrade path table is the upgrade information section found in the Release Notes that are written up for each new build of the FortiOS firmware.

Each time a firmware build comes out it is tested for compatibility with some of the previous builds in both the current version and the version that preceded it. It is not, however necessarily tested with every single build in these two versions. The two, sometimes 3, versions that are supported at the time of release are developed in parallel and not in coordinated schedules so it is possible that the latest build in version 5 was developed long after a lower numbered build in version 5.2. In short, the upgrade testing is done against build that are available at the time of release. The upgrade steps may at times seem like they should be able to make larger jumps, but we will only included upgrade steps that have been tested and proven to work in those tests.

Divergence from the Release Notes

The FortiOS Upgrade path document is initially based on the contents of the Release Notes documents for the firmware, however, periodically, bugs or unexpected combinations of configurations are found that reveal situations the regular compatibility testing did not account for. These updates are incorporated into the Upgrade path document sometimes without being included into rewrites of the Release Notes. Even if these occur in a relative small portion of the cases they are incorporated into the path to make it as close to a “one path fits all” product as possible. While the paths set forth in the Release Notes will work most of the time for most configurations, the relatively small extra effort of an additional upgrade or two is considered a small price to pay for making sure that the odds of a failed upgraded are as low as possible.

The other reason that the Supported Upgrade Paths document can appear different from the Release Notes is more in the form of a change in perspective. A Release Note’s perspective is centered around the firmware version it is describing, so it reaches back to see how many builds back can be successfully upgraded to that version. The Upgrade Path document’s perspective is taken from the device’s current firmware version and attempts to find an efficient path forward.

Using the Upgrade Steps Table

We have tried to make using the tables as simple as possible.

  1. Locate the table that corresponds to the firmware you wish to be running.
  2. Determine which release is currently running on your device.
  3. Find that release/build in the left hand column.
  4. Upgrade from one release to the next based on the releases listed in that row.

All of the paths were developed with the idea in mind that most users would be updating to the latest build of a particular version. If you are looking to upgrade to a specific build that is not the latest for that version number, it is possible, but as you get closer to your target you may want to pay close attention to the Release Notes.


You want to upgrade from 5.0.9 to 5.2.6 but no further. The described path is 5.0.9 > 5.0.11 > 5.0.14 > 5.2.9

As you go from left to right along the upgrade path you will come to a transition that moves your FortiGate past the version you want. In this example, that would be 5.0.14 > 5.2.9. This would be your last transition in the upgrade process, but instead of going all the way to the suggested build, you can go to your target build. Logic would dictate that if you can go from 5.0.14 to 5.2.9 you could go to 5.2.6. You’d be right. It can be done. However, if you check the Release Notes you will find that you can go directly from 5.0.11 to 5.2.6; saving you a step. The step of going from 5.0.11 to 5.0.14 is designed to save steps later in the path when going to 5.2.9 or later builds.

Release numbers

Over the life of the firmware, the designation of the individual releases has changed but this document tries to make these designations as consistent and as easy to understand as possible.

Originally, the version designation was made up of a Version, possibly a major release within that version and possible a patch number within that major release. If one was trying to refer to one of the later patches in a later release of version 4 of the firmware it could be described as Version 4 MR 3 Patch 18.

To make writing the release name simpler a ‘shorthand’ developed using the pattern x.x.x. The numbers shown below are an abbreviated form of the firmware version names.

1st Number Version Number
2nd Number Release Number
3rd Number Patch Number

Example: 3.7.10 = Version 3.0 MR7 Patch 10

Recently, the longer version of describing the release was dropped in favor of the simplified format.So it is not FortiOS Version 5 MR 2 Patch 1. It is simply FortiOS 5.2.1. Within the table, the simplified version is always used when describing the path.

Build Numbers

In cases where there is no indication in the Web-based Manager what the version or build number is you can get the build number from the CLI by entering the command:

get system status

The value in the output of the command for “Branch point” will be the build number.

Max Value Issue

There is a range of builds where the maximum number of some of the objects was lowered, but then a few builds later was raised back up. If a configuration on a device was to have a number of these objects in excess of the lower value when doing an upgrade there could be issues and even data loss so the upgrade paths listed are designed to avoid upgrading into this lower max value range even though the Release Notes state that upgrading to these firmware builds is supported. When the release notes were written the act of increasing the values was not foreseen.

Standalone vs. HA configuration upgrades

If you read the Release Notes for the firmware upgrades you will notice a discrepancy between what the Release Notes say is possible for upgrades and what the Upgrade Steps Table shows.

In version 5 there is a difference in the steps between the patches depending on whether your FortiGate setup is in a standalone or an HA configuration. If you have a standalone setup you can upgrade from Patch 3 (5.0.3) directly to Patch 5 (5.0.5). However, if you are using an HA setup you need to add the intermediate step of going to Patch 4 (5.0.4), otherwise only the slave unit in the configuration will be upgraded to Patch 5.

In the table describing the steps in progressing through the upgrades the most cautious path is listed. This minimizes the possibility of confusion for somebody who has an HA cluster but reads the Release Notes, like everybody should, but was unaware of the known issue with the HA clusters.

Parallel Development

Development of the firmware is usually taking place on two paths at the same time.There is development taking place on the latest path, as well as the previous stable path. For instance if the latest path was 5.0.x then the previous stable path that would still be in development would be 4.3.x. This has 2 significant ramifications as far as upgrades are concerned. The first is that patches are still being built for each of these paths. The second is that because this development is taking place in parallel the number identifiers for the builds do not correspond directly with the sequence in which the builds come out.

Occasionally it will appear as if there are some odd jumps in the upgrade sequence. This has to do with the timing of releases of different versions of the firmware. Later builds of different versions can come out close together and so have a high likelihood of compatibility. This is why 5.0.6 can only upgrade up to 5.0.9 but 4.3.18 can upgrade to 5.0.12

Upgrade Methods

There are two methods of primary methods of upgrading the firmware through the GUI; either from a local file that has been previously downloaded or from the FortiGuard Network.

Upgrading from the Local Drive

When uploading the firmware from the local drive you must already have downloaded it from the Fortinet Support Site at Once you have logged in with the account ID and password that was created when registering the FortiGate, go to the Download section and select the icon for Firmware images. From there it is only a matter of selecting a product, such as a FortiGate and then selecting either HTTPS or FTP download. The layout of the firmware listing in both methods is a hierarchical tree. For instance if you wanted firmware 5.0.7 you would select the v5.00 directory, then the 5.0 directory, then the 5.0.7 directory. Once in the directory scroll down until find the correct firmware file name for your specific model. Then select the file you wish to download.

The file names are intended to be helpful in determining the correct firmware for the model you need. Here are some of the conventions found in the file names.

  • FGT_ = FortiGate
  • FWF_ = FortiWiFi
  • POE = Power over Ethernet
  • VM32/VM64 = Virtual Machine versions of the firmware. The 32 and 64 referring to the bit architecture of the OS.

Firmware going directly on a Fortinet Device will have the .out extension.

Upgrading from the FortiGuard Network

The practice of strategically skipping some firmware versions to optimize the time and efficiency that it takes to get to the latest version is based on using the Upgrade from: Local Hard Drive option. If you try to use the Upgrade from: FortiGuard Network option you will notice that there are a limited number of firmware builds to which you may upgrade, or downgrade. This is because only options that are always going to be safe are available. The logic being that because there are no intermediate options possible, the next consecutive build will always be a safe option.

Because of this limitation in options, it means that you will not be able to use the Upgrade from: FortiGuard Network option to see all of the safe upgrade options. You will either have to use the included upgrade path table or study the Release Notes.

The builds that will be shown will most like be as follows:

For Upgrades:

  • The next build in the current version track

For Downgrades:

  • The previous build in the current version track.
  • The latest build in the previous version track.

Special Builds

Every now and then a “Special Build” is created for some specific purpose and some companies will put these into production. These special builds are not part of the normal upgrade path QA process and therefore have a greater risk of  variance from what is normally expected in an upgrade. The table of the upgrade path is based on the Release Notes of the regular builds and may not have included testing against every special build as well. If you are running a special build, be even more cautious in upgrading than you would normally be.

Why read the Release Notes?

Previously in this document, it was recommended that before upgrading from one version of the firmware to a more recent one that the Release Notes be read. To give an indication of how important it is to read the Release Notes, we have provided a sampling on the next page of some of the possible issues that may have to be dealt with upon upgrading.

To offer some clarification on the contents of this sampling, some of these issues were and are unavoidable because of the nature of the configurations of the FortiGate devices and the networks they were in. The reason for reading the Release Notes is to make sure that users are prepared for changes or potential outages that may occur so that the affected parties can be forewarned and the issues can be dealt with in a timely manner.

  • Ervan Gaptekmania

    Hi to All,
    I have FG-100D running 5.4.2 at my client. From upgrade path, it should be upgraded to 5.4.4 and then 5.4.6. But when I checked into Firmware Management page, I didn’t see firmware 5.4.4 available. There were 5.4.5 and 5.4.6 available. Is it OK to upgrade from 5.4.2 to 5.4.6 directly or I should upgrade to 5.4.5 first?

    • Bruce Davis

      If you look at the Release Notes for 5.4.6, it says that “FortiOS version 5.4.6 officially supports upgrading from version 5.4.4 and later”.
      You could try to upgrade directly and it may work, but it has not been tested and is not officially supported. It may take an extra 10 minutes to do the additional step. I consider that a fair trade off for the higher probability that everything will work smoothly and the lower chance of having to go to my backup config and redo the process after a reinstall of the original firmware. There is also the peace of mind that some issue wont turn up a few month down the road.
      While the 5.4.4 firmware may not appear in the Firmware Management page, it should be available for direct download from the Fortinet Support site.

  • Vassilis Koulouris

    Hi to All,
    Is it possible (in order to avoid the various steps in upgrading) to reset the fortigate unit to factory defaults, simply install the latest image (5.6.2) and perform a new configuration on the unit?
    The unit is a 100D with current fw: v4.0,build0665,130514 (MR3 Patch 14)

    Thank in advance for your help.

    • bdickie

      Yes, you can definitely upgrade to the current (or latest supported) firmware version and re-configure your FortiGate. Following the upgrade path just allows you to keep your configuration after you have upgraded the firmware.

      • Vassilis Koulouris

        Great! Thanks for your prompt response!

  • jordi dominion


    We have to upgrade 2x Fortigate 100D with HA (Active-Active) from 5.0.0 to 5.6. The upgrade path will be:
    5.0.0 292 >> 5.0.2 >> 5.0.3 >> 5.0.4 >> 5.0.7 >> 5.0.9 >> 5.0.11 >> 5.0.14 323 >> 5.2.11 754 => Latest Build

    They are a lot of upgrades…..

    My question is about the best steps for upgrade two fortigates Master-Slave with HA (Active-Active).. I have not experience in fortigate.

    Thanks so much,

    • bdickie

      You can follow this upgrade path with your HA cluster just as if you are upgrading a single FortiGate. Download the firmware, log into the GUI and perform the upgrade. Both FortiGates will upgrade to the new firmware. Repeat until you are up to date. This is a lot of upgrades but most of them should happen without major disruptions to your cluster’s operation.

      Following this upgrade path allows you the best chance to keep your configuration as you upgrade. If this isn’t a priority, you can just reset your FortiGates to factory defaults, install the latest firmware and re-configure them.

      • jordi dominion

        Thanks a lot for your comment bdickie.

        I have read that for upgrade cluster with HA:

        – Configure ha mgmt interface for access GUI Slave
        – Disable HA Sync (set sync-config disable)
        – Upgrade Slave from GUI
        – Upgrade Master from GUI
        – Enable HA Sync

        Is it correct too?

        These fortigates cluster is locate in a Hospital….

        • jordi dominion

          Given that cluster is configurated in HA Active-Active

          • bdickie

            Hello, the option to turn off sync-config is not available for FGCP HA.
            FGCP HA supports upgrading the firmware of the cluster in one step without disabling configuration synchronization. So there is no reason that I am aware of to do anything then update the firmware from the GUI just as you would for a standalone FortiGate.

            Also active-active or active-passive HA does not affect how to upgrade the firmware.

            The sync-config option is only available if you are running FGSP HA
            ( It doesn’t sound to me like you are running FGSP though; since FGSP does not have an active-active mode.

  • Martin Hahmann

    I upgraded my HA cluster FortiGate 100D from 5.2.8 straight to 5.4.5 and it seems my cluster is now constantly failing between the 2 units. I checked the upgrade path below and it says I should have gone to 5.2.10 first. Can I fix this?

    • bdickie

      The main reason for following the upgrade path is to make sure your configuration is updated correctly. So, if you have saved your 5.2.8 configuration you can revert your FortiGates to back to 5.2.8 and restore their configuration, re-establish the cluster and then follow the upgrade path.

      If you have not saved your 5.2.8 configuration you can update your FortiGates to 5.4.5, then reset them to factory defaults, re-create the cluster and re-configure it. Other solutions may be possible with the help of Fortinet Support.

  • Drew

    Hi there,
    Trying to update a 100D that is now in my possession. Current build is FG100D-FW-4.00-535. Do I start at 4.0.0 (build 92) or at build 535 (4.3.7)?

  • Rahul Yadav

    We are planning to upgrade fortigate firewall from version 5.2.7 to 5.4.4, whereas in upgrade path it is written as 5.2.7 > 5.2.9 >5.4.5. So is it possible to upgrade firewall as follows, 5.27. >5.2.9 >5.4.4?
    Thanks in advance.

    • Bruce Davis

      The tables are set up so that the final destination is the latest available build of the various versions of the firmware so I would normally recommend checking the Release Notes of the builds involved but in this case, I remember the situation well enough to say that going from 5.2.9 to 5.4.4 is within the parameters of recommended upgrades.

  • Rajasekar kumanan

    I like to upgrade my firewall OS from version 5.4.4 to latest. Please let me know the stable version of 5.4.x series.

    • Bruce Davis

      The latest version of 5.4.x is listed in the 5.4 table mentioned in the links to “The Upgrade path tables” that is at the bottom of each sub page in this document.

  • Victoria Martin

    Thank you for the information. Luckily, it appears as this issue only affects FortiOS 5.4.1, so unless you need to use that particular build, it should be avoidable.

  • Joel Rennie

    Hi Good day. I would like to upgrade from 5.2.4 to 5.2.11. I am seeing the recommended download path is 5.2.4>>5.2.6>>5.2.11. Where can I get 5.2.6 to download?

  • Patrick Fields

    Our 60D has been constantly going down, or has been increasingly slow. I tried to update from 5.4.0 to 5.4.2 and it fails every time and I have to go back to default and reboot.
    I tried to even downgrade to 5.2.11 to take a different path. I am unable to make any changes to the firmware without.
    I had to use my old Cisco router to keep us up and running, which by the way is running perfect and speed and ping have been perfect. What can i try next?

    • David Keates

      60D has a stupid bug with the firmware upgrade you will need to backup your device and run the upgrade from console using a tftp server. once completed you can upload your configuration again.

      • Victoria Martin

        Hello David,

        Do you have any more information about this bug?

  • AY

    Hi. I’m searching for similar. Currently on 5.00-build292. Looking at the path, does it mean I have to download each version from 5.0.11 >> 5.0.14 first, then to 5.2.11, and then 5.4.5, before finally 5.6.1?

    • Victoria Martin

      Yes, that is the recommended path to take in order to avoid any configuration errors. As always, please remember to back-up your configuration before upgrading.

      • AY

        Thanks Victoria. I am seeing the model we are using, 60D being mentioned above having upgrade issue. As one user has replied (David K), one need to be in front of the unit (console) before attempting to do so? Guess I would need to fly down to each site to complete the update.

        • Victoria Martin

          I have not heard about the bug David mentioned but I have asked him for more information about it.

  • afiq

    hi, my fgt30d current firmware is 5.0, i want to upgrade to 5.4.5,anyone got experience on this?

  • Puneet Tambi

    Post upgrade FG60D with 5.4.4 to 5.6.0, Unable to view the Industrial category Signatures.

    Further we are unable to execute the following command from the CLI:

    config ips global
    set exclude-signatures none

    Following error is being received on CLI on:

    FG60D_FW1# config ips global
    FG60D_FW1 (global) # set exclude-signatures none
    command parse error before ‘exclude-signatures’
    Command fail. Return code -61

    Can anyone help to get the Industrial Category Signatures available.

    • Tim.Sang

      After 5.4 Industrial Signatures are their own license. You will need to purchase the enable license separately.

      • Puneet Tambi

        Why the same is not available in licensing policy then ?

        • Tim.Sang

          I don’t work for Fortinet I cannot answer why. I have worked on beta versions from 5.4, 5.6, 5.8… specifically working on Fortinet in Industrial Controls and between 5.4 and 5.6 there was a decision to make industrial sigs a separate license. I think it is $300 USD per year.
          If you log into your Fortinet Support account you go to Register/Renew, find your firewall, and there should be an option to purchase:

          “FortiGuard Industrial Security Service”.


  • clay conn

    Hey, I have two 200d in an HA cluster. I am trying to go from version 5.2.3 to 5.4.5. If I am reading the chart correctly, I should use the path 5.2.3>5.2.5>5.2.7>5.2.9>5.4.5. Can anyone verify this for me?

    Thank you!

    • Kerrie Newton

      Hello Clay,

      The upgrade path you mentioned is correct. Please remember to create a backup of your configuration before you begin..


  • Me Myself

    Hello , we have a fortigate 200b on v5.2.11 is it corect to asume based upgrade paths that we have to upgrade to 5.4.4 and then to 5.6.0 ?

  • Blair

    Does Fortinet publish the recommended/stable/production versions? This will change with time but it sounds like I should be avoiding 5.6.0 for now. I was wondering what the highest stable recommended version would be. I have a handlful of 60D’s and 300D’s at 5.2.11 right now. I am eyeing the new features in 5.4 and 5.6 with envy. 🙂

    • Victoria Martin

      Hello Blair,

      I would rely on the Release Notes to determine if a new build is appropriate for your environment.

    • ASB

      Version 5.6.0 is much more stable than 5.4.x was (5.4.3 was okay). I went through the pain of 5.4.0, 5.4.1 and 5.4.2. Then I went to 5.6.0 and 5.6.2. All on the 60D and 60E devices. The v5.6 family is better laid out than 5.4, and has been more stable throughout for me.

      Unless there are specific known issues with 5.6 and your device model, I am much happier with it than 5.4

  • Alexandre Baptista

    We just upgrade a FG-500D, from 5.4.4 to 5.6.0 version, After that we loose the connection with the GBIC 1GB.
    Someone can help us?

    • Michael Bazy

      If not done already, you can revert to the previous version by using the following CLIs:
      #exec set-next-reboot primary|secondary
      #exec reboot

      As an addition, I wouldn’t recomment 5.6.0 on a 500D in a production environnment : there are some known issues that can be quite the hassle. Best shot is to work with Fortinet Support Team here.

      • Matt

        Hi Michael,

        Yes, those are the correct commands. However, before you run them, run the following command to see in which partition (primary or secondary) your target revert firmware is located…

        diag sys flash list

        • Michael Bazy

          Hi Matt,

          I used to do that too, but not anymore (starting 5.2) : if you just type the command, it will tell you if a change has been made (or not).

          FortiGate # execute set-next-reboot primary
          Image# 1 is already the default image.
          FortiGate # execute set-next-reboot secondary
          Default image is changed to image# 2.

  • Nica

    Hi. I have fortigate 30D running in firmware version 5.2.2 build 642, May i ask if what latest firmware i can upgrade to this? thank you.

    • HyperBoy

      FGT-30D supports all the latest builds. I’d suggest working with 5.4.5 if this is in production.

    • afiq

      hi nica..have you done upgrade your 30D?my current firmware is 5.0.wanted to upgrade to 5.4,not sure can or not..if you done..need your feedback

  • Lot Tae Za

    Hi, Can I upgrade firmware from 5.2.3 version to 5.2.11 or I need to upgrade version by step in each version before go to latest version

    • KarlE

      That’s what the tables here are for, they show you that you have to perform 4 upgrades in succession, 5.2.3 -> 5.2.5 -> 5.2.7 -> 5.2.9 -> 5.2.11. I know it looks tedious, but you have to follow the upgrade steps, unless you would rather do a factory reset afterwards, then it does not matter. The thing is, FortiOS rewrites some lines of the configuration from one version to the other due to change of syntax, options or defaults, and if you skip a step, you end up with a configuration that is inconsistent or erroneous. Sometimes it may work if your config does not contain any of the affected bits, but it is not worth the risk, as some issues may not be immediately apparent but only show up in the course of operation.

  • Muhammed

    Hi all , I have Fortigate 300C running Firmware 5.2.7 build 718 ,Please advice me which is the latest one for upgrading firmware

  • Brian

    Hi good day to all. I have fortigate 30D running in firmware version 5.2.2 build 642, May i ask if what latest firmware i can upgrade to this? thank you.

  • Todoenlaweb Rommel Malave

    Hello please i need help with fortinet 60c version 4.0 image firewall

  • Daniel Simon Ballester

    Hello, i have a fortigate 200B v5.2.7,build718 (GA) Witch is the last version i can upgrade this fortigate?

    • Bruce Davis

      It’s a bit of a manual process because trying to keep track of all of the difference firmware versions and models would make for a very large table. But the strategy is simple. At the support site, go to the latest build of your current version and see it there is firmware for your model. In your case, you are currently at 5.2.7. The latest version of 5.2 is 5.2.11. There is a 200B listed in the firmware builds for that version. Next, go to the first build of the next version, 5.4.0 and make the same check. There is no firmware for the FortiGate 200B in 5.4.0. In your case the lastest build you can use would be 5.2.11, unless a version 5.2.12 comes out, but you would have to check when that happens.

  • TruthisRequired

    Unfortunately the Upgrade button has disappeared on version 5.4.4. How does firmware get upgraded now?

    • Bruce Davis

      I just looked at a FortiGate running 5.4.4. From the Dashboard, I looked in the “System Information” widget and and in the “Firmware” row there was an “[Update]” link. This linked to the “Firmware Management” page. While the style of the “Upload Firmware” button has changed, it was still there in the interface that I looked at.
      One aspect of the learning curve for all software is the changes to the interfaces that occur as the software goes through upgrades. I know I go through it all the time. However, If these links and buttons are not showing up on your interface, you should contact TAC to troubleshoot your device.

  • Arne Krossbakken

    The Supported Upgrade Path says that you can go directly from 5.2.9/10/11 to 5.4.4, but we now have 2 100Ds and one 80C on remote locations that is not coming back online after that (last) jump. We did several upgrades prior ( 5.0.X >>… >> 5.0.14 >> 5.2.11 ). Is there something we have missed?

    • Bruce Davis

      All other factors being normal, the upgrade path you specified should have worked without issue. The irony of the question is that if it was something that you missed, there is a very low likelihood that you would have put it in the comment post for a reader to see. This is the sort of issue where it is best to contact TAC because while documentation can describe how things are supposed to work, TAC members are better qualified to troubleshoot specific problems.

    • Andy

      I am somewhat new to Fortinet and first thing I was told by TAC when it comes to upgrade is not to bother, unless there is an issue, which totally makes sense. I am really familiar with Check Point and I can tell you that I saw lots of cases where people upgrade because they think its better and then major issues comes up thats really not easy to fix, even if you downgrade to the original version. This is why they always recommend reading the release notes, but as Bruce said, not same issue will happen to everyone, it really depends on the environment and the amount of traffic.

      • ASB

        My personal recommendation is to look at what the new features or fixes are, and determine if they apply to your environment. Then, wait about 1-2 months after a release to see how the new code shakes out. While there is some merit in not moving if things aren’t (obviously) broken, it is also true that you will miss many security fixes this way, and when you finally go to upgrade, you will likely have to take 5 or 6 steps to get there.

        So, based on the criticality of your environment and the level of resources, pick a comfortable spot between “never upgrading” and “instantly upgrading” that works for you.

  • Phill Coleman

    I have two HA pairs of 90D’s and 60D’s located at different sites. I can see from the upgrade path to get to the latest version will take two steps. Can these been done back to back or would you recommend doing the first step upgrade and leaving a week before doing the next?

    • bdickie

      Yes you can do the upgrades back to back. There is no reason to wait, except for maybe a few minutes between upgrades to make sure the cluster is stable before doing the next upgrade.

      • Phill Coleman

        Thank you for the prompt reply 🙂

  • ji

    Hi, after upgrade FG200D with 5.4.4 to 5.6.0,
    Cannot see any “log view” and “fortiview” from forti analyzer. and i recheck FG200D it send log to forti analyzer.
    and forti analyzer “devicer manager page” look good they have log receive. i try to remove device and add again. not work.

    after downgrade to 5.4.4 and restore configuration everything work fine.

    • Victoria Martin


      This may be an issue of compatibility, as FortiOS 5.6.0 is only supported for use with FortiAnalyzer 5.6.0, which has not yet been released. I would recommend waiting for the new FortiAnalyzer release, which should be available soon (and remember to upgrade the FortiAnalyzer before upgrading your FortiGate).

      For more information about compatibility, there is a chart available at

      If the problem still persists when both units are running 5.6.0, then I would suggest contacting Fortinet Support.

      • ji

        this is a big issue. i always read release-notes but i miss. 🙂

  • Zico

    Hello, after upgrading my 60D from 544 to 560, few devices doen’t get acces to internet ( particulary chromecast ). Downgrading to 5.4.4 restores the connection. Any reason why ?

  • Guruprasath

    Hi Guys,

    I update my fortigate 60d to fortiOS5.6. After upgrade GUI is not accessible.
    please help to solve this issue.

  • Viru Rajapur

    Hi as per the below mentioned can i do this or am i missing something in between ?? Please help me.Thank you.

    Fortigate Model 620B Current version -v5.2.7, upgrading to >> 5.2.9>>5.2.10>>

    Fortigate Model 1000C Current version -v5.2.7, upgrading to >> 5.2.9>>5.4.4>>

  • Fima Vaisman

    I have a new FortiGate 60E with FortiOS 5.4.1 build #5577. I want to upgrade it to FortiOS 5.6. Most other routers you download the image from the support site and install. Fortinet has made a simple process difficult to understand – can you point to the location where the image files are and to a step by step process to update. When I click update on the router, it says “System Software is Up to Date” which is clearly not true.

  • Ismael Rivera

    I’m trying to get the proper supported upgrade path for a FortiAnalyzer 100c. The link provided in this doc asked for my support login, yet when I put my credentials it does not work. Upgrade paths for firmware older than 5.0.5 is poorly documented, and not as easily found as the upgrade paths for Fortigate FortiOS. How can I obtain the upgrade path, starting from v4.0mr3patch 8 build 719?

    • Bruce Davis

      Currently, the upgrade information for FortiAnalyzer not in the FAZ upgrade path can be found in the Release Notes, so if you’re trying to find the most efficient sequence to for upgrading from all the version variations to the current version it can take a little bit if researching. I can get you started though.

      I did some research and here’s what I found, in the order that I found it starting at 4.3.8 and working my way forward:
      – 5.0.1 can be upgraded to from 4.3.5 or later
      – FortiAnalyzer v5.0 Patch Release 2 build 0151 officially supports upgrade from FortiAnalyzer
      v5.0 Patch Release 1.
      – Upon upgrading to FortiAnalyzer v5.0 Patch Release 1, your v4.0 MR3 logs are automatically
      converted and inserted into the SQL database. An icon appears at the top right corner after
      login to the Web-based Manager next to the logout and help buttons. This pops-up a small
      window displaying the progress.
      – Upon upgrading from FortiAnalyzer v4.0 MR3 the Web-based Manager incorrectly reports that
      the device is downgrading the firmware version. If you upgrade the firmware version from the
      CLI using the execute restore all-settings CLI command, the message is correct.

      So it looks like from 4.3.8, your next version is 5.0.1.
      5.0.3 is upgradable from 5.0.1
      5.0.4 is upgradable only from 5.0.3

      Then seemingly paradoxically,
      5.0.6 is upgradable from 4.3.7 or later. This probably has to do with the dates of release and parallel development as oppose to just straight version number sequences.
      This should put you in the realm of version where you were able to find so documentation already prepared. I do recommend reading the Release Notes for 5.0.6 carefully as it pertains to your specific situation as there appear to be a few warnings about the upgrade process.

      I hope this helps.

  • Harry

    please my version is 4.0 MR3 I didnt find it in the list, what should be my upgrade path

    • bdickie

      You can contact support or use the release notes (available from the support site) to determine the optimal upgrade path.

    • Tom Mathew

      hi Im also having the same release.
      What is the upgrade path tat you followed

  • 廖威誌

    Hi We have an old device 80C need to upgrade
    now, it using version was 4.3.11
    so if i want to upgrade to 5.2.9
    my path was 4.3.11 >> 4.3.19 >> 5.0.0 >> 5.0.2 >> 5.0.3 >> 5.0.4 >> 5.0.7 >> 5.0.9 >> 5.0.11 >> 5.0.14 >> 5.2.10 ???

    if i don’t want to keep my old config.
    can I using TFTP to install 5.2.10 with format boot device ?


    • bdickie

      Yes, you can use TFTP to install 5.2.10. The only reason to follow the upgrade path is to keep your configuration.

  • Ismael Rivera

    Hope someone can clear something up for me.

    So according to the supported upgrade path that I have for my Fortigate 300C, I have to use the following:
    5.0.3 208 >> 5.0.4 >> 5.0.7 >> 5.0.9 >> 5.0.11 >> 5.0.14

    Does that mean, I have to upgrade to each step one at a time? Meaning If I’m on 5.0.3, and want 5.0.14, I can’t just perform one firmware upgrade (5.0.3 to 5.0.14)?

    Thanks in advance,

    • Victoria Martin

      Hello Ismael,

      You are correct, that is the supported upgrade path to go from 5.0.3 to 5.0.14. This path is recommended in order to make sure your existing configuration isn’t lost during the upgrade process, which could occur if you went directly from 5.0.3 to 5.0.14.

      • Ismael Rivera


        That was a quick response, thank you so much Victoria!


  • Matheus Mumbala

    Ive fortinet 60c with firmware v5.0 build292.
    I’ve just recently started @ this firm and they did not have an IT personel for like 2.5 years.
    Now i want to upgrade this device firmware and its not giving me any option to upgrade.
    If i do click on update it takes me to a page where i can only update from my hard disk..

    Please assist.. been going a lil nuts all day…

  • JimmyJ

    These aren’t entirely valid? Upgrade for example for 5.2.4 to 5.4.4 above shows 3 step upgrade, whereas this PDF, page 10, shows direct upgrade is supported:

    • Altare

      That document is for 5.4.0, not 5.4.4. Also this resource shows the safest path to take, taking in to account HA clusters, which the release notes do not.

  • Victoria Martin

    We have a 5.0 recipe about site-to-site IPsec that you may find helpful, if you want to keep using that version of the firmware:

    • olo

      ok i’ll try.
      Thank u victoria.

  • Olo

    Hello, i have FG 60D with 5.00-build228 (GA Patch 4).
    Which table should i use?

    This is my first time and the only IT support man,i worry if fail or any config not compatible or everything not work well.
    how to prevent that?

    Is it possible to downgrade firmware after FG upgraded?
    Thanks,sorry for bad english.

    • Victoria Martin

      Hello Olo,

      Since you are currently using 5.0.4, you need to use the table for 5.0. Also, while it is possible to downgrade the firmware, doing this is not supported by Fortinet.

  • Huerta

    someone can tell me what version has the build 4234?? I need to upgrade a fortigate 100D v5.0.X that has that build

    • Victoria Martin

      Hi Huerta,

      That number is not one of the standard build numbers for FortiOS 5.0, so I would suggest contacting Support to find out more information about which build you should be using.

  • ARL67

    I have several 60CM on 5.2.10 build742. I don’t see a specific 5.4.4 firmware image in the download section for the 60CM. I see only images for 60D & 60E. Can I use any of these ?

  • Monica

    I am using Fortigate 60D – Firmware 5.2.7 (build 718)…should I download the firmware outlined in my upgrade path 5.27 >> 5.2.9 >> 5.2.10 manually then upgrade to 5.2.9 and the 5.2.10?

    • Victoria Martin

      Yes, it is recommended to follow that upgrade path.

  • ScottS

    I have several 30D firewalls still in the box that I need to configure. These have never been configured. They are at firmware 5.0.9. since there is not a configuration on it can I put the latest 5.4.4 firmware on it? Since there is no configuration issues to worry about is that allowable or do I still need to do all of the steps outlined by the upgrade path?

    • bdickie

      Yes you can go ahead and install the latest firmware without following the upgrade path. The upgrade path is only meant to make sure you don’t loose your own configuration changes during an upgrade.

      • ScottS

        Perfect. That will save me a tone of time.

        • premar

          I would recommend to factory reset the firewalls after the update. Sometimes you migrate faulty default settings.

  • Maicon Pereira

    Hello, regard my environment I need downgrade my currently version v5.2.3,build670 to 5.0.12 after that I will go follow upgrade step by step as you tip. so I wonder it’s possible use the same file configuration through that steps ?

    • Bruce Davis

      There are a few reasons why down grading is looked at with some trepidation. The amount of pitfalls increases proportionally with the complexity of the configuration. The most important thing to take into account is that the configuration file is firmware version specific. It does not play well with versions of the firmware that it was not written for. Right off the bat, you cannot use a configuration file from 5.2.3 on a unit running 5.0.12.
      I might be going out on a limb here but if you are downgrading and then upgrading to the same firmware version, I have to make an educated guess that something is not working properly, possibly because somewhere along the upgrade process something was missed or broken. Chances are the issue may not be with the firmware you are running, but with something in the configuration file.
      The configuration file is essentially a number of CLI commands to the firmware that are run each time the unit is powered on. If there is a syntax error in those commands, the firmware may not behave as intended.
      During an upgrade there is a background process that takes the existing configuration file and changes any commands and settings to comply with the syntax of the new firmware. Skipping an firmware version that should have been part of the upgrade path means that the syntax of one or more commands didn’t get updated to work with the current firmware. This means that even if you downgrade to 5.0.12 with a factory reset, when you go through the supported upgrade path to 5.2.3, which the current config file is from, it may not be advisable to install that configuration file. You could end up with the same issue.
      The bad news is that you may need to rebuild your configuration from the ground up. The good news is that you may not have to down grade and upgrade. You can start with the firmware you have installed now. Depending on the issue, you might be able to get away with a simple factory reset, which will give you a brand new configuration file, and then just start customizing your configuration.
      If you are comfortable in the CLI, you could use some techniques found in the SysAdmin Note to cut and paste portions of the existing configuration file into the new one. At some point you are likely to come across an error as the it determines that the syntax is somehow wrong and then you will have to set up that portion of the configuration from scratch.
      Sorry I couldn’t give you happier news.

      • Maicon Pereira

        Thank you for your explanation!

  • Fidel

    Hi I want to upgrade my FortiAP 5.0 and I have a v5.0,build0271 (GA Patch 6) 80C, I just want to know up until which version of FortiAP is supported by v5.0,build0271 (GA Patch 6) of the 80C

  • أمين مواتسي

    Hi ,please we have downgrade fortigate from FGT_300C-v5-build0688-FORTINET to FGT_300C-v4 -build0632-FORTINET and we crashed the firmware so please can you help us to upgrade to the current version.

    • Judith Haney

      Hello, I recommend you contact Fortinet Support to walk you through the upgrade. Reading the document at will help you make your time with Fortinet Support more efficient. — kind regards,

      • أمين مواتسي

        hello , judith thanks a lot for answering me , i appreciate , God bless you

        • Judith Haney

          My pleasure. — best regards

  • Luis Danilo Ruiz Tórrez

    Hi, I think this version should be 5.0.12

    Version: FortiGate-240D v5.0,build0318,150514 (GA Patch 12)
    Branch point: 318

    My question is, can i upgrade FG directly into 5.2.9??

    As the tables states,
    5.0.12 318 >> 5.2.9 >> 5.4.3

    After 5.2.9 then again I could upgrade into 5.4.3, is that right?

    • Bruce Davis

      As long as the firmware that you are upgrading to supports the model of FortiGate that you’re going to be running it on, you should be able to upgrade from 5.0.12 to 5.2.9 and then to 5.4.3. This does not mean that you shouldn’t bother reading the Release Notes for the versions that you are upgrading to. The table is a simplified version of what is supported. Depending on your configuration, there may be some changes that go along with the upgrade that you will want to be aware of. These can usually be found in the Release Notes.

  • Biswarup Datta

    Hi, I have upgraded from 5.4.1 to 5.4.2. Received an error “Internet-service versioin(3) is not supported” in time of reboot. What should be the probable reason???

    • Bruce Davis

      I have not experienced or heard of that particular error before. The first thing I would do verify is what generated the error. Was it the FortiGate or were you viewing it through a browser when you saw the error.The second thing to do would be to see if your FortiGate is functioning properly. Was the FortiGate successfully upgraded? Is it properly processing traffic? Once you have this information you could contact the Technical Assistance Center for any troubleshooting or ask them to forward the question to Developement.

  • Mahfud Dahyani

    Hi, we have firmware 4.0 MR1 build 209 Patch8 want to upgrade to ver5.0, what step upgrade paths to do.. thanks. from the document we have to start from :
    4.0 MR1
    209 ► 4.2.15 ► 4.3.11 ► 4.3.18 ► 5.0.12 ► 5.2.5 ► 5.40, we can’t find ver 4.2 and 4.3. can we jump to 5.0 for the upgrade ? thanks

  • Jorge

    How can I find the supported upgrade from 5.0.12 to 5.2.7? I only see the option directly to 5.2.9


    • Judith Haney

      Hi Jorge, Page 11 of the Release Notes for 5.2.7 says that “FortiOS version 5.2.7 officially supports upgrade from version 5.0.12 or later” and that document can be found at this link: — Hope that helps!

      • Jorge

        Hi Judith,
        Does it mean upgrade directly from 5.0.12 to 5.2.7 is supported? Thanks for your quick answer!

        • Judith Haney

          Yes Jorge.

  • Aleksandr

    Need help with searching the correct path.
    My Firmware Version v4.0,build0313,110301 (MR2 Patch 4)
    What numbers should I refer to? (4.2.4 313 >> 4.3.6 >> 4.3.11 >> 4.3.18? does build0313 equals to bild 313 from this table?)

    • bdickie

      Yes MR2 Patch 4 can also be expressed as 4.2.4 and yes 0313 and 313 are the same build. We aren’t planning on researching the optimal upgrade paths from 4.2.4. But once you get to any 4.3 build then any of the upgrade paths in the document should get you to 4.3.18 and beyond.

      • Aleksandr

        ok, thx for quick reply

  • Shagma

    Where is the FORTIAP upgrade path document?