Supported Upgrade Paths – FortiOS

Supported Models

While it is not necessarily an upgrade issue, one very good reason for reading the Release Notes is to verify that your model of FortiGate is supported by the firmware. The reasons for a particular model not being supported can be:

  • The hardware was out of development when the firmware was released
  • The hardware was developed after the firmware was released
  • The hardware doesn’t have enough resources to run effectively using the firmware
  • Only some models were included in the development of the firmware.

There are some instances where a model may not be supported by only some builds of the firmware. But just because a model appears to go out of support does not mean that the situation will continue moving forward. It’s worth checking to make sure.

For example, the FortiGate/FortiWiFi 80C and 81CM were not supported by the 5.4.0 firmware. There is no version 5.4.0 firmware for these models. However, these models were brought back into the supported list for 5.4.1. This presents a slightly different problem than normal for the people using the upgrade path tables as some of those paths could refer to upgrading to 5.4.0 before upgrading to 5.4.1 or one of the later versions of 5.4.

The solution is relatively straightforward. Use the 5.2 table to upgrade to the latest version of 5.2. From there, it should be easy to then use the 5.4 table to upgrade to whatever is the latest version of 5.4, effectively skipping right over 5.4.0.

Potential upgrade issues

These are some issues, in no particular order, that have been brought to the attention of the Technical Assistance Center or the Documentation Team that could result during the course of a firmware upgrade.

Failure of secondary WAN IP for admin access

There is an issue with the 5.2.4 version of the firmware that affects a very specific configuration. In dual-wan setups, after upgrading to FortiOS 5.2.4, the secondary WAN IP cannot be used for administrative HTTPS access or SSL-VPN. PING and VIP using the second WAN as an external interface will work fine.

Packets are correctly sent to the second WAN IP address but the reply is sent through the other WAN interface.

Most instances will not be affected by this, but the upgrade path table has been modified to avoid 5.2.4 just to avoid any possible impact.

Loss of secondary IP address for everyone

Similar to the above issue with secondary IP addresses and admin access there is an even more significant example of losing the secondary IP address. At one point, a number of the upgrade paths to the 5.4 version of the firmware involved going to 5.4.0. This worked well enough until the system was upgraded to 5.4.1 at which point any secondary IP addresses were lost. This problem did not exist when going directly from a 5.2.x version to 5.4.1 so the tables were changed to bypass 5.4.0. This cannot be done if you are already on 5.4.0, so if you do upgrade from 5.4.0 to a more recent version, remember to record any instances of a secondary IP address on any of the interfaces so that they can be added manually after the upgrade.

Changing of Category Numbers

When looking at the FortiGuard Web filter categories or Application categories in the GUI, we see easily understood names that indicate what they refer to, but in the firmware code these categories are referenced by an integer and not a text string. Periodically the list of categories changes; whether the number grows larger or smaller doesn’t matter. If the list changes, then so do the values of objects in that list. If your policies leave everything wide open you are not likely to see an issue, but if there are carefully crafted restrictions in place.

Web filter category removal and FortiManager

Sometimes an issue in the upgrade process will not affect the FortiGate itself but one of the other devices connecting to the FortiGate. This issue has the same flavor as the changing of Category numbers issue, but it differs in that it affects the FortiManager rather than the FortiGate itself.

Instead of changing the subject of a category, there is an instance where a category was completely removed from the list of categories. Firmware upgrades developed soon after the removal of the category sanitized the configuration file. Later firmware versions ignored the category if it was left in the configuration file. An upgrade from 4.3.18 to 5.0.12 may leave the category in place, but this does not affect the FortiGate. However, if FortiManager, running a current version of its firmware, tries to work with a configuration file with the removed category in it, an error message is triggered.

To determine if your FortiGate may affect the FortiManager later on, run this simple check.

  1. Save your configuration file to your hard drive
  2. Open it in your favorite text or code editor.
  3. Go to the “config webfilter profile” section.
  4. Check to see if any of the webfilter profiles are set to perform an action on category 32 or, if you’re feeling lazy, do a search for “set category 32”.

If you find a reference to category 32 and you have already upgraded past FortiOS 4.3.18, go into your configuration using the CLI, and remove any references to category 32 and proceed as close as possible to the upgrade path below.

To completely remove the chance of this affecting the FortiManager, use the following path when upgrading the FortiGate:

4.3.18 > 5.0.2 > 5.0.4 > 5.0.6 > 5.0.10

There appears to be a large number of intermediate steps where the sanitizing of the configuration file should be taking place. This is because references to the category were not removed all at once. It first disappeared from the GUI and then from various points within the CLI and the firmware code.

After reaching 5.0.10 proceed as normal.

This path was not added to the main table as it is a somewhat isolated case.
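
The category 32 check described above, together with the secondary-IP inventory recommended earlier before upgrading from 5.4.0, can be run against a saved configuration backup. The following is an added example, not Fortinet code: the sample backup is constructed, the function names are hypothetical, and the config secondaryip block name comes from FortiOS interface syntax rather than from this page.

```python
import re

# Constructed sample backup (not from a real device). The last section reuses
# the keyword "set category 32" outside the web filter profiles as a decoy.
SAMPLE_CONFIG = """\
config system interface
    edit "wan1"
        set ip 198.51.100.2 255.255.255.0
        set secondary-IP enable
        config secondaryip
            edit 1
                set ip 198.51.100.10 255.255.255.0
            next
        end
    next
end
config webfilter profile
    edit "default"
        config ftgd-wf
            config filters
                edit 1
                    set category 32
                    set action block
                next
            end
        end
    next
end
config application list
    edit "default"
        config entries
            edit 1
                set category 32
            next
        end
    next
end
"""


def iter_settings(text):
    """Yield (path, lineno, key, value) for each 'set' line; path is the
    stack of enclosing ('config', name) / ('edit', name) blocks."""
    stack, in_string = [], False
    for lineno, raw in enumerate(text.splitlines(), 1):
        odd_quotes = len(re.findall(r'(?<!\\)"', raw)) % 2 == 1
        if in_string:
            # Inside a quoted value that spans lines: not CLI syntax.
            in_string = not odd_quotes
            continue
        word, _, rest = raw.strip().partition(" ")
        if word == "config":
            stack.append(("config", rest.strip()))
        elif word == "edit":
            stack.append(("edit", rest.strip().strip('"')))
        elif word == "next":
            if stack and stack[-1][0] == "edit":
                stack.pop()
        elif word == "end":
            # Close the innermost config block and any edit left open in it.
            while stack and stack.pop()[0] != "config":
                pass
        elif word == "set":
            in_string = odd_quotes  # value continues on the following lines
            key, _, value = rest.strip().partition(" ")
            yield tuple(stack), lineno, key, value.strip()


def find_webfilter_category(text, category=32):
    """Return (profile, lineno) for 'set category N' in web filter profiles."""
    hits = []
    for path, lineno, key, value in iter_settings(text):
        if path[:1] != (("config", "webfilter profile"),):
            continue
        if key == "category" and str(category) in value.split():
            hits.append((path[1][1] if len(path) > 1 else "?", lineno))
    return hits


def secondary_ips(text):
    """Return {interface: [ip and mask, ...]} from config secondaryip blocks."""
    found = {}
    for path, _, key, value in iter_settings(text):
        if (len(path) >= 3 and path[0] == ("config", "system interface")
                and path[2] == ("config", "secondaryip") and key == "ip"):
            found.setdefault(path[1][1], []).append(value)
    return found


if __name__ == "__main__":
    for profile, lineno in find_webfilter_category(SAMPLE_CONFIG):
        print(f"webfilter profile {profile!r} references category 32 (line {lineno})")
    for iface, addrs in secondary_ips(SAMPLE_CONFIG).items():
        print(f"{iface}: record secondary IPs before upgrading: {addrs}")
```

Unlike a plain text search, the walk limits matches to the config webfilter profile section, so the same keyword in another section or inside a multi-line quoted value is not reported.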

HA Virtual MAC Address Changes

HA virtual MAC addresses are created for each FortiGate interface based on that interface’s index number. Between FortiOS 4.3 and 5.0 interface indexing changed. After upgrading a cluster to FortiOS 5.0 the virtual MAC addresses assigned to individual FortiGate interfaces may be different. You can use the get hardware nic command to view the virtual MAC address of each FortiGate interface.

The practical consequences of this could be seen in a situation where, in a very security conscious environment, traffic is blocked or allowed based on MAC addresses. When the firewall’s MAC address is not on the list of allowed addresses, any traffic going through the firewall is likely to be problematic.

Changing of Logging Settings

There was a case where upgrading a few builds too far, in a very specific scenario, changed a logging setting. When going from one of the 4.3 builds to one of the earlier 5.0 builds, VDOM policies that also had IPS profiles had one of the log settings change from logging all traffic to logging only UTM events. The upgrade path works in all other respects; it is just a case of having to go through the affected policies and change the setting.

Oddly enough, if the upgrade had gone all the way to 5.0.8, the issue would not have occurred.

Familiar features removed or changed

While not an issue that will potentially stop the FortiGate from working, this issue will sometimes make it worthwhile to keep a close eye on the performance of your FortiGate after an upgrade to make sure everything is still doing what it was before the upgrade.

Example: Logtraffic function

For instance, when upgrading from 4.3 to version 5, the logtraffic-start function is disabled by default.

In version 4.3, the extended-traffic-log option in config log [memory|disk|fortianalyzer|syslog] filter controlled the session start logging. In version 5.0, this is controlled by logtraffic-start in the policy settings. If the “extended-traffic-log” was enabled before the upgrade, the logtraffic-start in policy settings will be disabled. More often than not this is the default setting after an upgrade.

While for some users the loss of this function may be inconsequential, to other users this function might be useful. This is another reason to read the Release Notes; checking to verify that features commonly used in your environment will be there after the upgrade.

Example: Disk Logging

In version 4.3, logging to the local disk was only possible if Disk Logging was enabled and by default, it was disabled. Enabling the feature could be done either through the GUI or the CLI. In 5.0, not only was the feature disabled by default, but enabling it could only be done through the CLI, and even then, a message would appear stating that Logging to the local disk could seriously impact performance and that it should not be done. Despite the warning, it was possible to override the disabling of the feature and turn it on. In version 5.2, for devices that had only a single hard drive, it is not possible to override the disabling of the feature. The feature is still part of the firmware and available through the CLI, just not to all models.

This brings up an interesting situation regarding the Release Notes. The fact that this feature was disabled by default in 5.0 is mentioned in the Release Notes for 5.0. Because the feature was still disabled between 5.0 and 5.2, although more strictly, it was not referred to in the Release Notes for 5.2. If one is steadily upgrading the firmware on devices as they come out and reading the Release Notes, the evolution can be seen and this is not an issue. But making the jump from 4.3 to 5.2, and not reading the Release Notes of the intermediate firmware builds, can lead to finding a feature missing that was expected to be there if you happen to have one of the specific models affected.

Example: config system autoupdate override

When upgrading to 5.0.12 the config system autoupdate override function is removed. This feature was used to specify an alternate FDS server, usually a FortiManager, in the event that the FortiGuard Distribution Network (FDN) was unavailable.

Combination of variables that produce unexpected results

Every single possibility of variables cannot be tested, so every now and then a specific combination of variables will produce a side effect that is completely unexpected. Most of the time these side effects may not even be noticed but occasionally there can be some loss of functionality.

Example: Link Aggregation

One such example of this occurs when upgrading a FortiGate 600C from 4.3.18 to 5.0.11. If the FortiGate is configured to use Link Aggregation Control Protocol and an upgrade is done directly from 4.3.18 to 5.0.11, the VLANs under LACP will disappear and WiFi mesh devices show up below it.

In order to prevent this from happening an upgrade to 5.0.7 needs to occur before the upgrade to 5.0.11. The reason that this path is not part of the table, is that this situation refers to only 1 model and with a particular configuration.

Example: Application Control

When upgrading from 5.0 to 5.2, there is a curious time delay on a side effect involving Application Control profiles. If you have an Application Control profile that has some categories included, as well as some individual Application Control signatures, and you upgrade from 5.0 to 5.2 everything will work as it did before. There is the slight side effect that you will no longer see the individual signatures in the GUI, but the functionality will still be there. The problem arises when the profile is actually edited. Editing the profile removes the individual signatures. The only way to correct the error is to manually enter them in again.

Downgrading issues

While most potential issues occur during the upgrade process there are occasional ones that can occur when downgrading firmware.

Configuration Files

There are a few reasons why downgrading is looked at with some trepidation. For the sake of clarity, we’ll use going from 5.2.3 to 5.0.12 as an example case.

The number of potential pitfalls increases proportionally with the complexity of the configuration. More settings involved means more places for things to go wrong. The most important thing to take into account is that the configuration file is firmware version specific. It does not play well with versions of the firmware that it was not written for. You cannot use a configuration file from 5.2.3 on a unit running 5.0.12.

If you are planning to downgrade and then upgrade to the current firmware version to fix an issue, chances are that somewhere along the upgrade process something was missed or broken. The more likely scenario is that the issue may not be with the firmware you are running, but with something in the configuration file.

The configuration file is essentially a number of CLI commands to the firmware that are run each time the unit is powered on. If there is a syntax error in those commands, the firmware may not behave as intended.

During an upgrade, there is a background process that takes the existing configuration file and changes any commands and settings to comply with the syntax of the new firmware. Skipping a firmware version that should have been part of the upgrade path means that the syntax of one or more commands didn’t get updated to work with the current firmware. This means that even if you downgrade to 5.0.12 and throw in a factory reset to get a nice clean config file, after you go through the supported upgrade path to 5.2.3, which the current config file is from, it may not be advisable to install that configuration file. You could end up with the same issue.

The bad news is that you may need to rebuild your configuration from the ground up. The good news is that you may not have to downgrade and then upgrade. You can start with the firmware already installed. Depending on the issue, you might be able to get away with a simple factory reset, which will give you a brand new configuration file, and then just start customizing your configuration.

If you are comfortable in the CLI, you could use some techniques found in the SysAdmin Note… to cut and paste portions of the existing configuration file into the new one. At some point, you are likely to come across an error as the firmware determines that the syntax is somehow wrong and then you will have to set up that portion of the configuration from scratch.

Generational incompatibility

Fortinet will sometimes produce different generations of the same model of a device. Ideally, the firmware should not be downgraded to a version earlier than what it came with from the factory.


The FortiGate 3600C generation 3 came with a new NPU DDR chip that the first and second generations of the model did not have. The Support site has a firmware version 5.0.2 for the FortiGate 3600C. This would have been for the first generation of the model but the third generation of the model will not properly run this version of the firmware.

Supported upgrade path tables

Currently, these are the supported FortiOS firmware versions:

* Note: The end of support date for FortiOS v4.3 was March 19th, 2014, unless the device does not support FortiOS 5.0 or higher. In those cases, the end of support date is March 19th, 2017.

To keep the tables from becoming unwieldy, they do not all go back to the first version of the firmware. While there may be some instances where an upgrade is needed from an unsupported version of the firmware to one of the supported versions, the assumption has been made that the bulk of our readers/users are relatively current.

The 3 main tables, which show the supported upgrade paths to the most recent publicly available instance of the supported versions will have as its earliest starting point, the last version and patch of the latest of the unsupported versions of the firmware.

Example: if the oldest version of the supported firmware is 5.0 the earliest starting point for each of the tables will be from that last patch in version 4.3, which is 4.3.18.

If by some chain of events you are tasked with upgrading a device that has an even earlier version of the firmware, a table has been set up to show how to get from any of the earlier and unsupported versions to the latest patch in the latest version of the unsupported software, and then you can switch to the table intended for the supported version of your choice.

  • Carlos

    I would like to know how much time it takes to upgrade from version 5.2.9 to 5.2.11

    • Bruce Davis

      It will depend on the model of the device, but from clicking the upgrade button to being able to login again, the range usually falls between 5 and 10 minutes to go through the install of the firmware and the reboot process. This is based on installing the firmware file from a USB or a computer on the same LAN as the device. If you are downloading the firmware file over the Internet, it will depend on the bandwidth of your connection, for the downloading of the file. Then it’s just a matter of multiplying that time by the number of builds you need to go through to get to the intended level.

  • Mbaye Lo

    I have FG-200B running 5.2.1. From upgrade path, it should be upgraded from 5.2.1 to 5.6.2, following the steps :

    5.2.1 >> 5.2.3 >> 5.2.5 >> 5.2.7 >> 5.2.9 >> 5.4.4 >> 5.6.2

    I found and downloaded all firmware files except for 5.4.4 and 5.6.2. Does that mean that my FG-200B is not compatible with these firmware versions?

    On the download list I also found two file types: FGT_200B_POE-v5-build… and FGT_200B-v5-build…, which one should I download?

    Thank you very much for your help ?


  • Ervan Gaptekmania

    Hi to All,
    I have FG-100D running 5.4.2 at my client. From upgrade path, it should be upgraded to 5.4.4 and then 5.4.6. But when I checked into Firmware Management page, I didn’t see firmware 5.4.4 available. There were 5.4.5 and 5.4.6 available. Is it OK to upgrade from 5.4.2 to 5.4.6 directly or I should upgrade to 5.4.5 first?

    • Bruce Davis

      If you look at the Release Notes for 5.4.6, it says that “FortiOS version 5.4.6 officially supports upgrading from version 5.4.4 and later”.
      You could try to upgrade directly and it may work, but it has not been tested and is not officially supported. It may take an extra 10 minutes to do the additional step. I consider that a fair trade off for the higher probability that everything will work smoothly and the lower chance of having to go to my backup config and redo the process after a reinstall of the original firmware. There is also the peace of mind that some issue won’t turn up a few months down the road.
      While the 5.4.4 firmware may not appear in the Firmware Management page, it should be available for direct download from the Fortinet Support site.

  • Vassilis Koulouris

    Hi to All,
    Is it possible (in order to avoid the various steps in upgrading) to reset the fortigate unit to factory defaults, simply install the latest image (5.6.2) and perform a new configuration on the unit?
    The unit is a 100D with current fw: v4.0,build0665,130514 (MR3 Patch 14)

    Thanks in advance for your help.

    • bdickie

      Yes, you can definitely upgrade to the current (or latest supported) firmware version and re-configure your FortiGate. Following the upgrade path just allows you to keep your configuration after you have upgraded the firmware.

      • Vassilis Koulouris

        Great! Thanks for your prompt response!

      • Er Anupam Roy

        Hi Sir,

        just take the back up and we can upgrade right , nothing else

  • jordi dominion


    We have to upgrade 2x Fortigate 100D with HA (Active-Active) from 5.0.0 to 5.6. The upgrade path will be:
    5.0.0 292 >> 5.0.2 >> 5.0.3 >> 5.0.4 >> 5.0.7 >> 5.0.9 >> 5.0.11 >> 5.0.14 323 >> 5.2.11 754 => Latest Build

    They are a lot of upgrades…..

    My question is about the best steps for upgrade two fortigates Master-Slave with HA (Active-Active).. I have not experience in fortigate.

    Thanks so much,

    • bdickie

      You can follow this upgrade path with your HA cluster just as if you are upgrading a single FortiGate. Download the firmware, log into the GUI and perform the upgrade. Both FortiGates will upgrade to the new firmware. Repeat until you are up to date. This is a lot of upgrades but most of them should happen without major disruptions to your cluster’s operation.

      Following this upgrade path allows you the best chance to keep your configuration as you upgrade. If this isn’t a priority, you can just reset your FortiGates to factory defaults, install the latest firmware and re-configure them.

      • jordi dominion

        Thanks a lot for your comment bdickie.

        I have read that for upgrade cluster with HA:

        – Configure ha mgmt interface for access GUI Slave
        – Disable HA Sync (set sync-config disable)
        – Upgrade Slave from GUI
        – Upgrade Master from GUI
        – Enable HA Sync

        Is it correct too?

        These fortigates cluster is locate in a Hospital….

        • jordi dominion

          Given that cluster is configurated in HA Active-Active

          • bdickie

            Hello, the option to turn off sync-config is not available for FGCP HA.
            FGCP HA supports upgrading the firmware of the cluster in one step without disabling configuration synchronization. So there is no reason that I am aware of to do anything other than update the firmware from the GUI just as you would for a standalone FortiGate.

            Also active-active or active-passive HA does not affect how to upgrade the firmware.

            The sync-config option is only available if you are running FGSP HA
            (It doesn’t sound to me like you are running FGSP though, since FGSP does not have an active-active mode.)

  • Martin Hahmann

    I upgraded my HA cluster FortiGate 100D from 5.2.8 straight to 5.4.5 and it seems my cluster is now constantly failing between the 2 units. I checked the upgrade path below and it says I should have gone to 5.2.10 first. Can I fix this?

    • bdickie

      The main reason for following the upgrade path is to make sure your configuration is updated correctly. So, if you have saved your 5.2.8 configuration you can revert your FortiGates back to 5.2.8 and restore their configuration, re-establish the cluster and then follow the upgrade path.

      If you have not saved your 5.2.8 configuration you can update your FortiGates to 5.4.5, then reset them to factory defaults, re-create the cluster and re-configure it. Other solutions may be possible with the help of Fortinet Support.

  • Drew

    Hi there,
    Trying to update a 100D that is now in my possession. Current build is FG100D-FW-4.00-535. Do I start at 4.0.0 (build 92) or at build 535 (4.3.7)?

  • Rahul Yadav

    We are planning to upgrade fortigate firewall from version 5.2.7 to 5.4.4, whereas in upgrade path it is written as 5.2.7 > 5.2.9 >5.4.5. So is it possible to upgrade firewall as follows, 5.27. >5.2.9 >5.4.4?
    Thanks in advance.

    • Bruce Davis

      The tables are set up so that the final destination is the latest available build of the various versions of the firmware so I would normally recommend checking the Release Notes of the builds involved but in this case, I remember the situation well enough to say that going from 5.2.9 to 5.4.4 is within the parameters of recommended upgrades.

  • Rajasekar kumanan

    I like to upgrade my firewall OS from version 5.4.4 to latest. Please let me know the stable version of 5.4.x series.

    • Bruce Davis

      The latest version of 5.4.x is listed in the 5.4 table mentioned in the links to “The Upgrade path tables” that is at the bottom of each sub page in this document.

  • Victoria Martin

    Thank you for the information. Luckily, it appears as this issue only affects FortiOS 5.4.1, so unless you need to use that particular build, it should be avoidable.

  • Joel Rennie

    Hi Good day. I would like to upgrade from 5.2.4 to 5.2.11. I am seeing the recommended download path is 5.2.4>>5.2.6>>5.2.11. Where can I get 5.2.6 to download?

  • Patrick Fields

    Our 60D has been constantly going down, or has been increasingly slow. I tried to update from 5.4.0 to 5.4.2 and it fails every time and I have to go back to default and reboot.
    I tried to even downgrade to 5.2.11 to take a different path. I am unable to make any changes to the firmware without.
    I had to use my old Cisco router to keep us up and running, which by the way is running perfect and speed and ping have been perfect. What can i try next?

    • David Keates

      60D has a stupid bug with the firmware upgrade you will need to backup your device and run the upgrade from console using a tftp server. once completed you can upload your configuration again.

      • Victoria Martin

        Hello David,

        Do you have any more information about this bug?

  • AY

    Hi. I’m searching for similar. Currently on 5.00-build292. Looking at the path, does it mean I have to download each version from 5.0.11 >> 5.0.14 first, then to 5.2.11, and then 5.4.5, before finally 5.6.1?

    • Victoria Martin

      Yes, that is the recommended path to take in order to avoid any configuration errors. As always, please remember to back-up your configuration before upgrading.

      • AY

        Thanks Victoria. I am seeing the model we are using, 60D being mentioned above having upgrade issue. As one user has replied (David K), one need to be in front of the unit (console) before attempting to do so? Guess I would need to fly down to each site to complete the update.

        • Victoria Martin

          I have not heard about the bug David mentioned but I have asked him for more information about it.

  • afiq

    hi, my fgt30d current firmware is 5.0, i want to upgrade to 5.4.5,anyone got experience on this?

  • Puneet Tambi

    Post upgrade FG60D with 5.4.4 to 5.6.0, Unable to view the Industrial category Signatures.

    Further we are unable to execute the following command from the CLI:

    config ips global
    set exclude-signatures none

    Following error is being received on CLI on:

    FG60D_FW1# config ips global
    FG60D_FW1 (global) # set exclude-signatures none
    command parse error before ‘exclude-signatures’
    Command fail. Return code -61

    Can anyone help to get the Industrial Category Signatures available.

    • Tim.Sang

      After 5.4 Industrial Signatures are their own license. You will need to purchase the enable license separately.

      • Puneet Tambi

        Why the same is not available in licensing policy then ?

        • Tim.Sang

          I don’t work for Fortinet I cannot answer why. I have worked on beta versions from 5.4, 5.6, 5.8… specifically working on Fortinet in Industrial Controls and between 5.4 and 5.6 there was a decision to make industrial sigs a separate license. I think it is $300 USD per year.
          If you log into your Fortinet Support account you go to Register/Renew, find your firewall, and there should be an option to purchase:

          “FortiGuard Industrial Security Service”.


  • clay conn

    Hey, I have two 200d in an HA cluster. I am trying to go from version 5.2.3 to 5.4.5. If I am reading the chart correctly, I should use the path 5.2.3>5.2.5>5.2.7>5.2.9>5.4.5. Can anyone verify this for me?

    Thank you!

    • Kerrie Newton

      Hello Clay,

      The upgrade path you mentioned is correct. Please remember to create a backup of your configuration before you begin..


  • Me Myself

    Hello, we have a fortigate 200b on v5.2.11. Is it correct to assume, based on the upgrade paths, that we have to upgrade to 5.4.4 and then to 5.6.0?

  • Blair

    Does Fortinet publish the recommended/stable/production versions? This will change with time but it sounds like I should be avoiding 5.6.0 for now. I was wondering what the highest stable recommended version would be. I have a handful of 60D’s and 300D’s at 5.2.11 right now. I am eyeing the new features in 5.4 and 5.6 with envy. 🙂

    • Victoria Martin

      Hello Blair,

      I would rely on the Release Notes to determine if a new build is appropriate for your environment.

    • ASB

      Version 5.6.0 is much more stable than 5.4.x was (5.4.3 was okay). I went through the pain of 5.4.0, 5.4.1 and 5.4.2. Then I went to 5.6.0 and 5.6.2. All on the 60D and 60E devices. The v5.6 family is better laid out than 5.4, and has been more stable throughout for me.

      Unless there are specific known issues with 5.6 and your device model, I am much happier with it than 5.4

  • Alexandre Baptista

    We just upgraded a FG-500D from 5.4.4 to 5.6.0 version. After that we lose the connection with the GBIC 1GB.
    Someone can help us?

    • Michael Bazy

      If not done already, you can revert to the previous version by using the following CLIs:
      #exec set-next-reboot primary|secondary
      #exec reboot

      As an addition, I wouldn’t recommend 5.6.0 on a 500D in a production environment: there are some known issues that can be quite the hassle. Best shot is to work with Fortinet Support Team here.

      • Matt

        Hi Michael,

        Yes, those are the correct commands. However, before you run them, run the following command to see in which partition (primary or secondary) your target revert firmware is located…

        diag sys flash list

        • Michael Bazy

          Hi Matt,

          I used to do that too, but not anymore (starting 5.2) : if you just type the command, it will tell you if a change has been made (or not).

          FortiGate # execute set-next-reboot primary
          Image# 1 is already the default image.
          FortiGate # execute set-next-reboot secondary
          Default image is changed to image# 2.

  • Nica

    Hi. I have fortigate 30D running in firmware version 5.2.2 build 642, May i ask if what latest firmware i can upgrade to this? thank you.

    • HyperBoy

      FGT-30D supports all the latest builds. I’d suggest working with 5.4.5 if this is in production.

    • afiq

      hi nica..have you done upgrade your 30D?my current firmware is 5.0.wanted to upgrade to 5.4,not sure can or not..if you done..need your feedback

  • Lot Tae Za

    Hi, Can I upgrade firmware from 5.2.3 version to 5.2.11 or I need to upgrade version by step in each version before go to latest version

    • KarlE

      That’s what the tables here are for, they show you that you have to perform 4 upgrades in succession, 5.2.3 -> 5.2.5 -> 5.2.7 -> 5.2.9 -> 5.2.11. I know it looks tedious, but you have to follow the upgrade steps, unless you would rather do a factory reset afterwards, then it does not matter. The thing is, FortiOS rewrites some lines of the configuration from one version to the other due to change of syntax, options or defaults, and if you skip a step, you end up with a configuration that is inconsistent or erroneous. Sometimes it may work if your config does not contain any of the affected bits, but it is not worth the risk, as some issues may not be immediately apparent but only show up in the course of operation.

    • Yash Singone

      Hi team,
      i have fg800c in HA running ios 5.2.8, i want to update 5.4. plz suggest better path to update ios

  • Muhammed

    Hi all , I have Fortigate 300C running Firmware 5.2.7 build 718 ,Please advice me which is the latest one for upgrading firmware

  • Brian

    Hi good day to all. I have fortigate 30D running in firmware version 5.2.2 build 642, May i ask if what latest firmware i can upgrade to this? thank you.

  • Todoenlaweb Rommel Malave

    Hello please i need help with fortinet 60c version 4.0 image firewall

  • Daniel Simon Ballester

    Hello, I have a fortigate 200B v5.2.7,build718 (GA). Which is the last version I can upgrade this fortigate to?

    • Bruce Davis

      It’s a bit of a manual process because trying to keep track of all of the different firmware versions and models would make for a very large table. But the strategy is simple. At the support site, go to the latest build of your current version and see if there is firmware for your model. In your case, you are currently at 5.2.7. The latest version of 5.2 is 5.2.11. There is a 200B listed in the firmware builds for that version. Next, go to the first build of the next version, 5.4.0 and make the same check. There is no firmware for the FortiGate 200B in 5.4.0. In your case the latest build you can use would be 5.2.11, unless a version 5.2.12 comes out, but you would have to check when that happens.

  • TruthisRequired

    Unfortunately the Upgrade button has disappeared on version 5.4.4. How does firmware get upgraded now?

    • Bruce Davis

      I just looked at a FortiGate running 5.4.4. From the Dashboard, I looked in the “System Information” widget and in the “Firmware” row there was an “[Update]” link. This linked to the “Firmware Management” page. While the style of the “Upload Firmware” button has changed, it was still there in the interface that I looked at.
      One aspect of the learning curve for all software is the changes to the interfaces that occur as the software goes through upgrades. I know I go through it all the time. However, if these links and buttons are not showing up on your interface, you should contact TAC to troubleshoot your device.

  • Arne Krossbakken

    The Supported Upgrade Path says that you can go directly from 5.2.9/10/11 to 5.4.4, but we now have 2 100Ds and one 80C at remote locations that are not coming back online after that (last) jump. We did several upgrades prior ( 5.0.X >>… >> 5.0.14 >> 5.2.11 ). Is there something we have missed?

    • Bruce Davis

      All other factors being normal, the upgrade path you specified should have worked without issue. The irony of the question is that if it was something that you missed, there is a very low likelihood that you would have put it in the comment post for a reader to see. This is the sort of issue where it is best to contact TAC because while documentation can describe how things are supposed to work, TAC members are better qualified to troubleshoot specific problems.

    • Andy

      I am somewhat new to Fortinet and the first thing I was told by TAC when it comes to upgrades is not to bother, unless there is an issue, which totally makes sense. I am really familiar with Check Point and I can tell you that I saw lots of cases where people upgrade because they think it’s better and then major issues come up that are really not easy to fix, even if you downgrade to the original version. This is why they always recommend reading the release notes, but as Bruce said, not the same issue will happen to everyone; it really depends on the environment and the amount of traffic.

      • ASB

        My personal recommendation is to look at what the new features or fixes are, and determine if they apply to your environment. Then, wait about 1-2 months after a release to see how the new code shakes out. While there is some merit in not moving if things aren’t (obviously) broken, it is also true that you will miss many security fixes this way, and when you finally go to upgrade, you will likely have to take 5 or 6 steps to get there.

        So, based on the criticality of your environment and the level of resources, pick a comfortable spot between “never upgrading” and “instantly upgrading” that works for you.

  • Phill Coleman

    I have two HA pairs of 90D’s and 60D’s located at different sites. I can see from the upgrade path that getting to the latest version will take two steps. Can these be done back to back or would you recommend doing the first step upgrade and leaving a week before doing the next?

    • bdickie

      Yes you can do the upgrades back to back. There is no reason to wait, except for maybe a few minutes between upgrades to make sure the cluster is stable before doing the next upgrade.

      • Phill Coleman

        Thank you for the prompt reply 🙂

  • ji

    Hi, after upgrading an FG200D with 5.4.4 to 5.6.0,
    I cannot see any “log view” and “fortiview” from forti analyzer, and I rechecked the FG200D: it sends logs to forti analyzer.
    The forti analyzer “device manager page” looks good; it has logs received. I tried to remove the device and add it again. It did not work.

    After downgrading to 5.4.4 and restoring the configuration, everything works fine.

    • Victoria Martin


      This may be an issue of compatibility, as FortiOS 5.6.0 is only supported for use with FortiAnalyzer 5.6.0, which has not yet been released. I would recommend waiting for the new FortiAnalyzer release, which should be available soon (and remember to upgrade the FortiAnalyzer before upgrading your FortiGate).

      For more information about compatibility, there is a chart available at

      If the problem still persists when both units are running 5.6.0, then I would suggest contacting Fortinet Support.

      • ji

        This is a big issue. I always read the release notes, but I missed it. 🙂

  • Zico

    Hello, after upgrading my 60D from 544 to 560, a few devices don’t get access to the internet (particularly chromecast). Downgrading to 5.4.4 restores the connection. Any reason why?

  • Guruprasath

    Hi Guys,

    I updated my fortigate 60d to fortiOS 5.6. After the upgrade the GUI is not accessible.
    Please help to solve this issue.

  • Viru Rajapur

    Hi, as per the below mentioned, can I do this or am I missing something in between? Please help me. Thank you.

    Fortigate Model 620B Current version -v5.2.7, upgrading to >> 5.2.9>>5.2.10>>

    Fortigate Model 1000C Current version -v5.2.7, upgrading to >> 5.2.9>>5.4.4>>

  • Fima Vaisman

    I have a new FortiGate 60E with FortiOS 5.4.1 build #5577. I want to upgrade it to FortiOS 5.6. Most other routers you download the image from the support site and install. Fortinet has made a simple process difficult to understand – can you point to the location where the image files are and to a step by step process to update. When I click update on the router, it says “System Software is Up to Date” which is clearly not true.

  • Ismael Rivera

    I’m trying to get the proper supported upgrade path for a FortiAnalyzer 100c. The link provided in this doc asked for my support login, yet when I put in my credentials it does not work. Upgrade paths for firmware older than 5.0.5 are poorly documented, and not as easily found as the upgrade paths for Fortigate FortiOS. How can I obtain the upgrade path, starting from v4.0mr3patch 8 build 719?

    • Bruce Davis

      Currently, the upgrade information for FortiAnalyzer not in the FAZ upgrade path can be found in the Release Notes, so if you’re trying to find the most efficient sequence for upgrading from all the version variations to the current version it can take a little bit of researching. I can get you started though.

      I did some research and here’s what I found, in the order that I found it starting at 4.3.8 and working my way forward:
      – 5.0.1 can be upgraded to from 4.3.5 or later
      – FortiAnalyzer v5.0 Patch Release 2 build 0151 officially supports upgrade from FortiAnalyzer v5.0 Patch Release 1.
      – Upon upgrading to FortiAnalyzer v5.0 Patch Release 1, your v4.0 MR3 logs are automatically converted and inserted into the SQL database. An icon appears at the top right corner after login to the Web-based Manager next to the logout and help buttons. This pops-up a small window displaying the progress.
      – Upon upgrading from FortiAnalyzer v4.0 MR3 the Web-based Manager incorrectly reports that the device is downgrading the firmware version. If you upgrade the firmware version from the CLI using the execute restore all-settings CLI command, the message is correct.

      So it looks like from 4.3.8, your next version is 5.0.1.
      5.0.3 is upgradable from 5.0.1
      5.0.4 is upgradable only from 5.0.3

      Then seemingly paradoxically,
      5.0.6 is upgradable from 4.3.7 or later. This probably has to do with the dates of release and parallel development as opposed to just straight version number sequences.
      This should put you in the realm of versions where you were able to find some documentation already prepared. I do recommend reading the Release Notes for 5.0.6 carefully as it pertains to your specific situation as there appear to be a few warnings about the upgrade process.

      I hope this helps.

  • Harry

    Please, my version is 4.0 MR3. I didn’t find it in the list. What should be my upgrade path?

    • bdickie

      You can contact support or use the release notes (available from the support site) to determine the optimal upgrade path.

    • Tom Mathew

      Hi, I’m also having the same release.
      What is the upgrade path that you followed?

  • 廖威誌

    Hi, we have an old device, an 80C, that needs to be upgraded.
    Right now it is using version 4.3.11.
    So if I want to upgrade to 5.2.9,
    my path would be 4.3.11 >> 4.3.19 >> 5.0.0 >> 5.0.2 >> 5.0.3 >> 5.0.4 >> 5.0.7 >> 5.0.9 >> 5.0.11 >> 5.0.14 >> 5.2.10 ???

    If I don’t want to keep my old config,
    can I use TFTP to install 5.2.10 with format boot device?


    • bdickie

      Yes, you can use TFTP to install 5.2.10. The only reason to follow the upgrade path is to keep your configuration.

  • Ismael Rivera

    Hope someone can clear something up for me.

    So according to the supported upgrade path that I have for my Fortigate 300C, I have to use the following:
    5.0.3 208 >> 5.0.4 >> 5.0.7 >> 5.0.9 >> 5.0.11 >> 5.0.14

    Does that mean, I have to upgrade to each step one at a time? Meaning If I’m on 5.0.3, and want 5.0.14, I can’t just perform one firmware upgrade (5.0.3 to 5.0.14)?

    Thanks in advance,

    • Victoria Martin

      Hello Ismael,

      You are correct, that is the supported upgrade path to go from 5.0.3 to 5.0.14. This path is recommended in order to make sure your existing configuration isn’t lost during the upgrade process, which could occur if you went directly from 5.0.3 to 5.0.14.

      • Ismael Rivera


        That was a quick response, thank you so much Victoria!


  • Matheus Mumbala

    I’ve a fortinet 60c with firmware v5.0 build292.
    I’ve just recently started @ this firm and they did not have an IT person for like 2.5 years.
    Now I want to upgrade this device’s firmware and it’s not giving me any option to upgrade.
    If I do click on update it takes me to a page where I can only update from my hard disk..

    Please assist.. been going a lil nuts all day…

  • JimmyJ

    These aren’t entirely valid? Upgrade for example for 5.2.4 to 5.4.4 above shows 3 step upgrade, whereas this PDF, page 10, shows direct upgrade is supported:

    • Altare

      That document is for 5.4.0, not 5.4.4. Also this resource shows the safest path to take, taking into account HA clusters, which the release notes do not.

  • Victoria Martin

    We have a 5.0 recipe about site-to-site IPsec that you may find helpful, if you want to keep using that version of the firmware:

    • olo

      OK, I’ll try.
      Thank you, Victoria.

  • Olo

    Hello, I have an FG 60D with 5.00-build228 (GA Patch 4).
    Which table should I use?

    This is my first time and I am the only IT support man; I worry that it may fail, or that some config may not be compatible, or that everything may not work well.
    How do I prevent that?

    Is it possible to downgrade the firmware after the FG is upgraded?
    Thanks, sorry for bad English.

    • Victoria Martin

      Hello Olo,

      Since you are currently using 5.0.4, you need to use the table for 5.0. Also, while it is possible to downgrade the firmware, doing this is not supported by Fortinet.

  • Huerta

    Can someone tell me what version has the build 4234? I need to upgrade a fortigate 100D v5.0.X that has that build

    • Victoria Martin

      Hi Huerta,

      That number is not one of the standard build numbers for FortiOS 5.0, so I would suggest contacting Support to find out more information about which build you should be using.

  • ARL67

    I have several 60CM on 5.2.10 build742. I don’t see a specific 5.4.4 firmware image in the download section for the 60CM. I see only images for 60D & 60E. Can I use any of these ?

  • Monica

    I am using Fortigate 60D – Firmware 5.2.7 (build 718)…should I download the firmware outlined in my upgrade path 5.27 >> 5.2.9 >> 5.2.10 manually then upgrade to 5.2.9 and the 5.2.10?

    • Victoria Martin

      Yes, it is recommended to follow that upgrade path.

  • ScottS

    I have several 30D firewalls still in the box that I need to configure. These have never been configured. They are at firmware 5.0.9. since there is not a configuration on it can I put the latest 5.4.4 firmware on it? Since there is no configuration issues to worry about is that allowable or do I still need to do all of the steps outlined by the upgrade path?

    • bdickie

      Yes you can go ahead and install the latest firmware without following the upgrade path. The upgrade path is only meant to make sure you don’t lose your own configuration changes during an upgrade.

      • ScottS

        Perfect. That will save me a ton of time.

        • premar

          I would recommend to factory reset the firewalls after the update. Sometimes you migrate faulty default settings.

  • Maicon Pereira

    Hello, regarding my environment, I need to downgrade my current version v5.2.3,build670 to 5.0.12; after that I will follow the upgrade step by step as you advise. So I wonder whether it’s possible to use the same configuration file through those steps?

    • Bruce Davis

      There are a few reasons why downgrading is looked at with some trepidation. The number of pitfalls increases proportionally with the complexity of the configuration. The most important thing to take into account is that the configuration file is firmware version specific. It does not play well with versions of the firmware that it was not written for. Right off the bat, you cannot use a configuration file from 5.2.3 on a unit running 5.0.12.
      I might be going out on a limb here but if you are downgrading and then upgrading to the same firmware version, I have to make an educated guess that something is not working properly, possibly because somewhere along the upgrade process something was missed or broken. Chances are the issue may not be with the firmware you are running, but with something in the configuration file.
      The configuration file is essentially a number of CLI commands to the firmware that are run each time the unit is powered on. If there is a syntax error in those commands, the firmware may not behave as intended.
      During an upgrade there is a background process that takes the existing configuration file and changes any commands and settings to comply with the syntax of the new firmware. Skipping a firmware version that should have been part of the upgrade path means that the syntax of one or more commands didn’t get updated to work with the current firmware. This means that even if you downgrade to 5.0.12 with a factory reset, when you go through the supported upgrade path to 5.2.3, which the current config file is from, it may not be advisable to install that configuration file. You could end up with the same issue.
      The bad news is that you may need to rebuild your configuration from the ground up. The good news is that you may not have to downgrade and upgrade. You can start with the firmware you have installed now. Depending on the issue, you might be able to get away with a simple factory reset, which will give you a brand new configuration file, and then just start customizing your configuration.
      If you are comfortable in the CLI, you could use some techniques found in the SysAdmin Note to cut and paste portions of the existing configuration file into the new one. At some point you are likely to come across an error as it determines that the syntax is somehow wrong and then you will have to set up that portion of the configuration from scratch.
      Sorry I couldn’t give you happier news.

      • Maicon Pereira

        Thank you for your explanation!

  • Fidel

    Hi I want to upgrade my FortiAP 5.0 and I have a v5.0,build0271 (GA Patch 6) 80C, I just want to know up until which version of FortiAP is supported by v5.0,build0271 (GA Patch 6) of the 80C

  • أمين مواتسي

    Hi, please, we have downgraded a fortigate from FGT_300C-v5-build0688-FORTINET to FGT_300C-v4 -build0632-FORTINET and we crashed the firmware, so please can you help us to upgrade to the current version.

    • Judith Haney

      Hello, I recommend you contact Fortinet Support to walk you through the upgrade. Reading the document at will help you make your time with Fortinet Support more efficient. — kind regards,

      • أمين مواتسي

        Hello, Judith, thanks a lot for answering me, I appreciate it, God bless you

        • Judith Haney

          My pleasure. — best regards

  • Luis Danilo Ruiz Tórrez

    Hi, I think this version should be 5.0.12

    Version: FortiGate-240D v5.0,build0318,150514 (GA Patch 12)
    Branch point: 318

    My question is, can I upgrade the FG directly to 5.2.9?

    As the table states,
    5.0.12 318 >> 5.2.9 >> 5.4.3

    After 5.2.9, then again I could upgrade to 5.4.3, is that right?

    • Bruce Davis

      As long as the firmware that you are upgrading to supports the model of FortiGate that you’re going to be running it on, you should be able to upgrade from 5.0.12 to 5.2.9 and then to 5.4.3. This does not mean that you shouldn’t bother reading the Release Notes for the versions that you are upgrading to. The table is a simplified version of what is supported. Depending on your configuration, there may be some changes that go along with the upgrade that you will want to be aware of. These can usually be found in the Release Notes.

  • Biswarup Datta

    Hi, I have upgraded from 5.4.1 to 5.4.2. I received an error “Internet-service versioin(3) is not supported” at the time of reboot. What would be the probable reason?

    • Bruce Davis

      I have not experienced or heard of that particular error before. The first thing I would verify is what generated the error. Was it the FortiGate or were you viewing it through a browser when you saw the error? The second thing to do would be to see if your FortiGate is functioning properly. Was the FortiGate successfully upgraded? Is it properly processing traffic? Once you have this information you could contact the Technical Assistance Center for any troubleshooting or ask them to forward the question to Development.

  • Mahfud Dahyani

    Hi, we have firmware 4.0 MR1 build 209 Patch8 and want to upgrade to ver5.0. What upgrade path steps should we do? Thanks. From the document we have to start from:
    4.0 MR1
    209 ► 4.2.15 ► 4.3.11 ► 4.3.18 ► 5.0.12 ► 5.2.5 ► 5.40. We can’t find ver 4.2 and 4.3. Can we jump to 5.0 for the upgrade? Thanks.

  • Jorge

    How can I find the supported upgrade from 5.0.12 to 5.2.7? I only see the option directly to 5.2.9


    • Judith Haney

      Hi Jorge, Page 11 of the Release Notes for 5.2.7 says that “FortiOS version 5.2.7 officially supports upgrade from version 5.0.12 or later” and that document can be found at this link: — Hope that helps!

      • Jorge

        Hi Judith,
        Does it mean upgrade directly from 5.0.12 to 5.2.7 is supported? Thanks for your quick answer!

        • Judith Haney

          Yes Jorge.

  • Aleksandr

    Need help with searching the correct path.
    My Firmware Version v4.0,build0313,110301 (MR2 Patch 4)
    What numbers should I refer to? (4.2.4 313 >> 4.3.6 >> 4.3.11 >> 4.3.18? Does build0313 equal build 313 from this table?)

    • bdickie

      Yes MR2 Patch 4 can also be expressed as 4.2.4 and yes 0313 and 313 are the same build. We aren’t planning on researching the optimal upgrade paths from 4.2.4. But once you get to any 4.3 build then any of the upgrade paths in the document should get you to 4.3.18 and beyond.

      • Aleksandr

        ok, thx for quick reply
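
The mapping confirmed in the reply above (MR2 Patch 4 is 4.2.4, build0313 is build 313) can be checked mechanically before choosing a row in the upgrade table. The Python below is an added example, not part of the original comments or of any Fortinet tool; the function names are hypothetical, and the banners and paths it is meant for are the ones quoted in this thread.

```python
import re

# Banner shapes quoted in this thread:
#   v4.0,build0313,110301 (MR2 Patch 4) | v5.2.7,build718 (GA) | 5.00-build228 (GA Patch 4)
BANNER = re.compile(
    r"v?(\d+)\.(\d+)(?:\.(\d+))?\s*[,-]\s*build\s*(\d+)(?:,\d+)?(?:\s*\(([^)]*)\))?",
    re.IGNORECASE,
)
LABEL = re.compile(r"(?:MR(\d+)|GA)?\s*(?:Patch\s*(\d+))?", re.IGNORECASE)
SEPARATOR = re.compile(r">>|->|►")                  # separators used in the comments
HOP = re.compile(r"(\d+\.\d+\.\d+)(?:\s+(\d+))?")   # version, optional build number


def parse_banner(banner):
    """Return ("X.Y.Z", build) for a firmware banner string."""
    m = BANNER.search(banner)
    if not m:
        raise ValueError(f"unrecognised banner: {banner!r}")
    major, minor = int(m.group(1)), int(m.group(2))
    patch = int(m.group(3) or 0)
    build = int(m.group(4))          # int() makes build0313 equal to build 313
    mr, label_patch = LABEL.match((m.group(5) or "").strip()).groups()
    if mr is not None:               # "MR2" names the minor release: 4.0 MR2 -> 4.2
        minor = int(mr)
    if label_patch is not None:      # "Patch 4" is the third component
        patch = int(label_patch)
    return f"{major}.{minor}.{patch}", build


def parse_path(path):
    """Split a path such as '5.0.12 318 >> 5.2.9 >> 5.4.3' into (version, build) hops."""
    hops = []
    for segment in SEPARATOR.split(path):
        m = HOP.search(segment)
        if not m:                    # e.g. a mistyped hop; refuse rather than guess
            raise ValueError(f"no X.Y.Z version in path segment {segment!r}")
        hops.append((m.group(1), int(m.group(2)) if m.group(2) else None))
    return hops


def remaining_hops(path, banner):
    """List the upgrades still to perform, in order, for the unit showing `banner`."""
    version, build = parse_banner(banner)
    hops = parse_path(path)
    for i, (hop_version, hop_build) in enumerate(hops):
        if hop_version == version:
            if hop_build is not None and hop_build != build:
                # A non-standard build is a question for Support, not for the table.
                raise ValueError(f"{version} is listed as build {hop_build}, unit reports {build}")
            return [v for v, _ in hops[i + 1:]]
    raise ValueError(f"{version} is not on this path; use the table row for the running version")


if __name__ == "__main__":
    print(remaining_hops("5.0.12 318 >> 5.2.9 >> 5.4.3",
                         "FortiGate-240D v5.0,build0318,150514 (GA Patch 12)"))
```

A version that does not appear on the supplied path, or a build number that disagrees with the table, raises an error instead of returning a guessed route.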

  • Shagma

    Where is the FORTIAP upgrade path document?