Supported Upgrade Paths – FortiOS

The goal of this document is to make it easier for you to upgrade your FortiGate unit by guiding you to the most likely intermediate firmware upgrades between your current version and the latest version of the firmware. The latest version being the one with the highest patch number in your desired version branch.

Since multiple versions of firmware are often developed at the same time, there are different versions of the upgrade path document, too. There are PDF versions of this information and in those PDFs, the title of the document indicates which version of the firmware is the final destination of the recommended upgrade path options. In this web page we will be showing all of the information in one document the difference in terms of the final result will depend on the table you reference rather than the document. Be sure that you are looking at the correct table for your objective. For instance, if your goal is to upgrade to the latest build of Version 5.0 looking at the Upgrade Path table for 5.2 might give you some options that would appear confusing.

Every time you perform an upgrade to the firmware you should carefully read the release notes of the firmware you are upgrading to. Release notes may include warnings or notices of exceptions. The release notes can be found on the support site in the same directory as the firmware. The Fortinet Support Site can be found at: https://support.fortinet.com.

 

For most devices these steps will show the path in steps from your current version to the latest Version, MR, and patch. The steps shown by the Upgrade Steps Table are not the only possible path, but they are supported and have been optimized to achieve the latest version of the firmware in the fewest steps.

Some older FortiGate hardware platforms do not have the resources to effectively use the most recent firmware versions and so do not support firmware updates past a certain version. To see if your device is affected by this check the Product Life Cycle page found at: https://support.fortinet.com/Information/ProductLifeCycle.aspx

If the device you are looking up is not included in the Product Life Cycle page you can go to the Firmware section of the Support Portal and check the first build of each FortiOS version. For example, if there is a firmware build for 5.2.0, there should be one for 5.2.x. If there isn’t one for 5.4.0, you can be fairly sure that the latest build in the 5.2 version is as high as you can upgrade.

The Upgrade path tables

If you are already familiar with the contents and cautionary information found in the document and would like to go directly to the tables, they can be found here:

Scope of the Document

The scope of this document is limited to recommended upgrade practices for the firmware, FortiOS, which is used as the Operating System for the following products:

  • FortiGate
  • FortiWiFi
  • FortiOS-Carrier

This document does not include the upgrade paths for other Fortinet products such as:

  • FortiManager
  • FortiAnalyzer

These products have their own upgrade path documentation.

Location of Upgrade Path documents for other products

Links to upgrade path documents that can also be found on the Cookbook site are listed here:

Upgrade Path documents for the following products are available from the Fortinet Customer Service & Support Site, found at https://support.fortinet.com, in the same directory as the firmware images and Release Notes.

  • FortiAnalyzer
  • FortiManager

Example links to Upgrade Guides:

The above links are examples only, as each firmware release for these products has its own document.

Product compatibility

This document does not include any references to release compatibility between Fortinet products. This is an issue that administrators of environments where different Fortinet products are used should be aware of. For instance, a specific version of FortiManager has a range of versions of FortiGate that it will be compatible with. If the FortiGates are upgraded without verifying that the FortiManager will be compatible with them, a situation could arise where the FortiManager will not be able to manage those newly upgraded FortiGates. On the other side of the equation, it is also possible to upgrade a FortiManager beyond the compatibility range of some of the older models of FortiGate.

If you have some older models of FortiGate that cannot be upgraded to current releases of firmware, and some brand new models of FortiGate that cannot run older firmware, the situation can arise where a single FortiManager will not be able to manage all of the FortiGates in the environment. This is an issue that the administrator needs to be aware of when making decisions about which firmware to run.

The compatibility between models is listed in the Release Notes of the products. These should be read and the environment should be planned out as a whole. It is possible that there is no one best option. The administrator will have to weigh the pros and cons of all of the variables and keep in mind what the most important requirements are for the environment.

Source Information

The initial source material for the development of the of the upgrade path table is the upgrade information section found in the Release Notes that are written up for each new build of the FortiOS firmware.

Each time a firmware build comes out it is tested for compatibility with some of the previous builds in both the current version and the version that preceded it. It is not, however necessarily tested with every single build in these two versions. The two, sometimes 3, versions that are supported at the time of release are developed in parallel and not in coordinated schedules so it is possible that the latest build in version 5 was developed long after a lower numbered build in version 5.2. In short, the upgrade testing is done against build that are available at the time of release. The upgrade steps may at times seem like they should be able to make larger jumps, but we will only included upgrade steps that have been tested and proven to work in those tests.

Divergence from the Release Notes

The FortiOS Upgrade path document is initially based on the contents of the Release Notes documents for the firmware, however, periodically, bugs or unexpected combinations of configurations are found that reveal situations the regular compatibility testing did not account for. These updates are incorporated into the Upgrade path document sometimes without being included into rewrites of the Release Notes. Even if these occur in a relative small portion of the cases they are incorporated into the path to make it as close to a “one path fits all” product as possible. While the paths set forth in the Release Notes will work most of the time for most configurations, the relatively small extra effort of an additional upgrade or two is considered a small price to pay for making sure that the odds of a failed upgraded are as low as possible.

The other reason that the Supported Upgrade Paths document can appear different from the Release Notes is more in the form of a change in perspective. A Release Note’s perspective is centered around the firmware version it is describing, so it reaches back to see how many builds back can be successfully upgraded to that version. The Upgrade Path document’s perspective is taken from the device’s current firmware version and attempts to find an efficient path forward.

Using the Upgrade Steps Table

We have tried to make using the tables as simple as possible.

  1. Locate the table that corresponds to the firmware you wish to be running.
  2. Determine which release is currently running on your device.
  3. Find that release/build in the left hand column.
  4. Upgrade from one release to the next based on the releases listed in that row.
lightbulb-icon

All of the paths were developed with the idea in mind that most users would be updating to the latest build of a particular version. If you are looking to upgrade to a specific build that is not the latest for that version number, it is possible, but as you get closer to your target you may want to pay close attention to the Release Notes.

Example:

You want to upgrade from 5.0.9 to 5.2.6 but no further. The described path is 5.0.9 > 5.0.11 > 5.0.14 > 5.2.9

As you go from left to right along the upgrade path you will come to a transition that moves your FortiGate past the version you want. In this example, that would be 5.0.14 > 5.2.9. This would be your last transition in the upgrade process, but instead of going all the way to the suggested build, you can go to your target build. Logic would dictate that if you can go from 5.0.14 to 5.2.9 you could go to 5.2.6. You’d be right. I can be done. However, if you check the Release Notes you will find that you can go directly from 5.0.11 to 5.2.6; saving you a step. The step of going from 5.0.11 to 5.0.14 is designed to save steps later in the path when going to 5.2.9 or later builds.

Release numbers

Over the life of the firmware, the designation of the individual releases has changed but this document tries to make these designations as consistent and as easy to understand as possible.

Originally, the version designation was made up of a Version, possibly a major release within that version and possible a patch number within that major release. If one was trying to refer to one of the later patches in a later release of version 4 of the firmware it could be described as Version 4 MR 3 Patch 18.

To make writing the release name simpler a ‘shorthand’ developed using the pattern x.x.x. The numbers shown below are an abbreviated form of the firmware version names.

1st Number Version Number
2nd Number Release Number
3rd Number Patch Number

Example: 3.7.10 = Version 3.0 MR7 Patch 10

Recently, the longer version of describing the release was dropped in favor of the simplified format.So it is not FortiOS Version 5 MR 2 Patch 1. It is simply FortiOS 5.2.1. Within the table, the simplified version is always used when describing the path.

Build Numbers

In cases where there is no indication in the Web-based Manager what the version or build number is you can get the build number from the CLI by entering the command:

get system status

The value in the output of the command for “Branch point” will be the build number.

Max Value Issue

There is a range of builds where the maximum number of some of the objects was lowered, but then a few builds later was raised back up. If a configuration on a device was to have a number of these objects in excess of the lower value when doing an upgrade there could be issues and even data loss so the upgrade paths listed are designed to avoid upgrading into this lower max value range even though the Release Notes state that upgrading to these firmware builds is supported. When the release notes were written the act of increasing the values was not foreseen.

Standalone vs. HA configuration upgrades

If you read the Release Notes for the firmware upgrades you will notice a discrepancy between what the Release Notes say is possible for upgrades and what the Upgrade Steps Table shows.

In version 5 there is a difference in the steps between the patches depending on whether your FortiGate setup is in a standalone or an HA configuration. If you have a standalone setup you can upgrade from Patch 3 (5.0.3) directly to Patch 5 (5.0.5). However, if you are using an HA setup you need to add the intermediate step of going to Patch 4 (5.0.4), otherwise only the slave unit in the configuration will be upgraded to Patch 5.

In the table describing the steps in progressing through the upgrades the most cautious path is listed. This minimizes the possibility of confusion for somebody who has an HA cluster but reads the Release Notes, like everybody should, but was unaware of the known issue with the HA clusters.

Parallel Development

Development of the firmware is usually taking place on two paths at the same time.There is development taking place on the latest path, as well as the previous stable path. For instance if the latest path was 5.0.x then the previous stable path that would still be in development would be 4.3.x. This has 2 significant ramifications as far as upgrades are concerned. The first is that patches are still being built for each of these paths. The second is that because this development is taking place in parallel the number identifiers for the builds do not correspond directly with the sequence in which the builds come out.

Occasionally it will appear as if there are some odd jumps in the upgrade sequence. This has to do with the timing of releases of different versions of the firmware. Later builds of different versions can come out close together and so have a high likelihood of compatibility. This is why 5.0.6 can only upgrade up to 5.0.9 but 4.3.18 can upgrade to 5.0.12

Upgrade Methods

There are two methods of primary methods of upgrading the firmware through the GUI; either from a local file that has been previously downloaded or from the FortiGuard Network.

Upgrading from the Local Drive

When uploading the firmware from the local drive you must already have downloaded it from the Fortinet Support Site at https://support.fortinet.com/. Once you have logged in with the account ID and password that was created when registering the FortiGate, go to the Download section and select the icon for Firmware images. From there it is only a matter of selecting a product, such as a FortiGate and then selecting either HTTPS or FTP download. The layout of the firmware listing in both methods is a hierarchical tree. For instance if you wanted firmware 5.0.7 you would select the v5.00 directory, then the 5.0 directory, then the 5.0.7 directory. Once in the directory scroll down until find the correct firmware file name for your specific model. Then select the file you wish to download.

The file names are intended to be helpful in determining the correct firmware for the model you need. Here are some of the conventions found in the file names.

  • FGT_ = FortiGate
  • FWF_ = FortiWiFi
  • POE = Power over Ethernet
  • VM32/VM64 = Virtual Machine versions of the firmware. The 32 and 64 referring to the bit architecture of the OS.

Firmware going directly on a Fortinet Device will have the .out extension.

Upgrading from the FortiGuard Network

The practice of strategically skipping some firmware versions to optimize the time and efficiency that it takes to get to the latest version is based on using the Upgrade from: Local Hard Drive option. If you try to use the Upgrade from: FortiGuard Network option you will notice that there are a limited number of firmware builds to which you may upgrade, or downgrade. This is because only options that are always going to be safe are available. The logic being that because there are no intermediate options possible, the next consecutive build will always be a safe option.

Because of this limitation in options, it means that you will not be able to use the Upgrade from: FortiGuard Network option to see all of the safe upgrade options. You will either have to use the included upgrade path table or study the Release Notes.

The builds that will be shown will most like be as follows:

For Upgrades:

  • The next build in the current version track

For Downgrades:

  • The previous build in the current version track.
  • The latest build in the previous version track.

Special Builds

Every now and then a “Special Build” is created for some specific purpose and some companies will put these into production. These special builds are not part of the normal upgrade path QA process and therefore have a greater risk of  variance from what is normally expected in an upgrade. The table of the upgrade path is based on the Release Notes of the regular builds and may not have included testing against every special build as well. If you are running a special build, be even more cautious in upgrading than you would normally be.

Why read the Release Notes?

Previously in this document, it was recommended that before upgrading from one version of the firmware to a more recent one that the Release Notes be read. To give an indication of how important it is to read the Release Notes, we have provided a sampling on the next page of some of the possible issues that may have to be dealt with upon upgrading.

To offer some clarification on the contents of this sampling, some of these issues were and are unavoidable because of the nature of the configurations of the FortiGate devices and the networks they were in. The reason for reading the Release Notes is to make sure that users are prepared for changes or potential outages that may occur so that the affected parties can be forewarned and the issues can be dealt with in a timely manner.

Leave a comment:

Before commenting, please read the site's comment policy. Only questions related to documentation will be answered. For other concerns, please contact Fortinet support.

  • Shagma

    Where is the FORTIAP upgrade path document?

  • Aleksandr

    Hello,
    Need help with searching the correct path.
    My Firmware Version v4.0,build0313,110301 (MR2 Patch 4)
    What numbers should I refer to? (4.2.4 313 >> 4.3.6 >> 4.3.11 >> 4.3.18? does build0313 equals to bild 313 from this table?)

    • bdickie

      Yes MR2 Patch 4 can also be expressed as 4.2.4 and yes 0313 and 313 are the same build. We aren’t planning on researching the optimal upgrade paths from 4.2.4. But once you get to any 4.3 build then any of the upgrade paths in the document should get you to 4.3.18 and beyond.

      • Aleksandr

        ok, thx for quick reply

  • Jorge

    Hi!
    How can I find the supported upgrade from 5.0.12 to 5.2.7? I only see the option directly to 5.2.9

    Thanks!

    • Judith Haney

      Hi Jorge, Page 11 of the Release Notes for 5.2.7 says that “FortiOS version 5.2.7 officially supports upgrade from version 5.0.12 or later” and that document can be found at this link: http://docs.fortinet.com/d/fortios-5.2.7-release-notes — Hope that helps!

      • Jorge

        Hi Judith,
        Does it mean upgrade directly from 5.0.12 to 5.2.7 is supported? Thanks for your quick answer!

        • Judith Haney

          Yes Jorge.

  • Mahfud Dahyani

    Hi, we have firmware 4.0 MR1 build 209 Patch8 want to upgrade to ver5.0, what step upgrade paths to do.. thanks. from the document we have to start from :
    4.0 MR1
    patch8
    209 ► 4.2.15 ► 4.3.11 ► 4.3.18 ► 5.0.12 ► 5.2.5 ► 5.40, we can’t find ver 4.2 and 4.3. can we jump to 5.0 for the upgrade ? thanks

  • Biswarup Datta

    Hi, I have upgraded from 5.4.1 to 5.4.2. Received an error “Internet-service versioin(3) is not supported” in time of reboot. What should be the probable reason???

    • Bruce Davis

      I have not experienced or heard of that particular error before. The first thing I would do verify is what generated the error. Was it the FortiGate or were you viewing it through a browser when you saw the error.The second thing to do would be to see if your FortiGate is functioning properly. Was the FortiGate successfully upgraded? Is it properly processing traffic? Once you have this information you could contact the Technical Assistance Center for any troubleshooting or ask them to forward the question to Developement.

  • Luis Danilo Ruiz Tórrez

    Hi, I think this version should be 5.0.12

    Version: FortiGate-240D v5.0,build0318,150514 (GA Patch 12)
    Branch point: 318

    My question is, can i upgrade FG directly into 5.2.9??

    As the tables states,
    5.0.12 318 >> 5.2.9 >> 5.4.3

    After 5.2.9 then again I could upgrade into 5.4.3, is that right?

    • Bruce Davis

      As long as the firmware that you are upgrading to supports the model of FortiGate that you’re going to be running it on, you should be able to upgrade from 5.0.12 to 5.2.9 and then to 5.4.3. This does not mean that you shouldn’t bother reading the Release Notes for the versions that you are upgrading to. The table is a simplified version of what is supported. Depending on your configuration, there may be some changes that go along with the upgrade that you will want to be aware of. These can usually be found in the Release Notes.

  • أمين مواتسي

    Hi ,please we have downgrade fortigate from FGT_300C-v5-build0688-FORTINET to FGT_300C-v4 -build0632-FORTINET and we crashed the firmware so please can you help us to upgrade to the current version.

    • Judith Haney

      Hello, I recommend you contact Fortinet Support to walk you through the upgrade. Reading the document at http://cookbook.fortinet.com/how-to-work-with-fortinet-support/ will help you make your time with Fortinet Support more efficient. — kind regards,
      J.

      • أمين مواتسي

        hello , judith thanks a lot for answering me , i appreciate , God bless you

        • Judith Haney

          My pleasure. — best regards