Table of Contents
- 1 Supported upgrade paths
- 2 Upgrade methods
- 3 Special builds
- 4 Why read the Release Notes?
- 5 Supported models
- 6 Potential upgrade issues
- 6.1 Standalone vs. HA configuration upgrades
- 6.2 Max Value issues
- 6.3 Failure of secondary WAN IP for admin access
- 6.4 Changing of Category Numbers
- 6.5 Web filter category removal and FortiManager
- 6.6 HA virtual MAC address changes
- 6.7 Features removed or changed
- 6.8 Combination of variables that produce unexpected results
- 7 Downgrading issues
- 8 Upgrade issues specific to 5.6.x
- 9 Upgrade issues specific to 5.4.x
This page contains information, which will help you to prepare for the upgrade of FortiOS on your FortiGate unit. Before you begin an upgrade you need to:
- know where to find information about upgrade paths
- understand the different upgrade methods, and which one is right for your environment
- understand possible issues you could encounter
- understand possible downgrade issues
Supported upgrade paths
Supported upgrade path information is available on the Fortinet Customer Service & Support site. This requires credentials on the site.
To view supported upgrade path information:
- Go to https://support.fortinet.com
- From the Download menu, select Firmware Images.
- On the Upgrade Path tab, select:
- Current Product
- Current FortiOS Version
- Upgrade To FortiOS Version
- Click Go.
More than just FortiOS can be upgraded
During an upgrade, it is possible that more than just FortiOS has improved. UTM engines like the IPS engine or databases like the antivirus database may have been upgraded. These new engines or database overwrite the existing ones on your FortiGate. To be sure that you have the latest definitions and signatures in these new components, you should consider running the command
execute update-now as soon as any upgrades are completed and you have reestablished Internet connectivity.
Older firmware versions
Use the Supported Upgrade Path utility on the Fortinet Customer Service & Support site to determine your optimal upgrade path. However, if you have older firmware versions that are covered by the utility (before 5.2.9), we have some tables to help bring your FortiGate up to the levels of the utility on the support site.
The tables include:
Using the tables instead of the Supported Upgrade Path utility
We recommend using a supported version of the firmware. We realize that there are some outlier circumstances that require the use of an older firmware version. These tables are designed to go up to the latest build of a major firmware version. To keep the tables from becoming unwieldy, they do not all go back to the first version of the firmware.
If you are attempting to upgrade to the latest build of 5.0 or 5.2, the tables go back to 4.2.15. Most users run a more current than 4.2.15. If you upgrade from an even earlier version of the firmware, the 4.3 table has been set up to show how to get to 4.3.19 from any of the earlier versions, going all the way back to 2.50.10
Some older FortiGate hardware platforms do not have the resources to effectively use the most recent firmware versions and so do not support firmware updates past a certain version. To see if your device is affected by this check the Product Life Cycle page found at https://support.fortinet.com/Information/ProductLifeCycle.aspx
It is important to note that the upgrade path information for FortiOS does not include any references to release compatibility between Fortinet products. The compatibility between models is listed in the Release Notes for each product, which will help you plan out your environment as a whole. The administrator will need to weigh the pros and cons of all of the variables and decide what the most important requirements are for the environment.
For instance, a specific version of FortiManager may be compatible with a range of FortiGate versions. Before you upgrade, you must verify which FortiManager is compatible with them. Otherwise, a situation could arise where the FortiManager is not able to manage those newly upgraded FortiGates. It is also possible to upgrade a FortiManager beyond the compatibility range of some of the FortiGate models.
If you have older FortiGate models that you cannot upgrade to current firmware releases, and a brand new FortiGate model that cannot run older firmware, a single FortiManager will not be able to manage all of the different FortiGates in the environment.
Over the life of the firmware, the designation of the individual releases has changed. This article tries to make these designations as consistent and as easy to understand as possible.
Originally, the version designation was made up of a Version, possibly a major release within that version and possible a patch number within that major release. If one was trying to refer to one of the later patches in a later release of version 4 of the firmware it could be described as Version 4 MR 3 Patch 18.
To make the release name simpler, a ‘shorthand’ developed using the pattern x.x.x. The numbers shown below are an abbreviated form of the firmware version names.
|1st Number||Version Number|
|2nd Number||Release Number|
|3rd Number||Patch Number|
Example: 3.7.10 = Version 3.0 MR7 Patch 10
The longer version of describing the release was eventually dropped in favor of the simplified format. Within the described paths, the simplified version is always used when describing the path.
In cases where there is no indication in the Web-based Manager what the version or build number is, you can get the build number from the CLI by entering the command:
get system status
The value of the command output for “Branch point” is the build number.
Firmware development is usually occurring on two paths at the same time. Development takes place on the latest path, as well as the previous stable path. For example, if the latest path is 5.0.x, then the previous stable path that would still be in development would be 4.3.x. This has two significant ramifications as far as upgrades are concerned. The first is that patches are still built for each of these paths. The second is that because this development takes place in parallel, the number identifiers for the builds do not correspond directly with the sequence in which the builds come out.
Occasionally, it appears as if there are some odd jumps in the upgrade sequence. This has to do with the timing of releases of different firmware versions. Later builds of different versions can come out close together and therefore have a high likelihood of compatibility. This is why you can only upgrade 5.0.6 only to 5.0.9 but you can upgrade 4.3.18 all the way to 5.0.12.
There are two methods of upgrading the firmware using the GUI:
- from a local file that has been previously downloaded
- from the FortiGuard Network.
Upgrading from the local drive
When uploading the firmware from the local drive, you must already have downloaded it from the Fortinet Support Site at https://support.fortinet.com/. After you log in with the account ID and password that was created when registering the FortiGate, go to the Download section and select the icon for Firmware images. From there it is only a matter of selecting a product, such as a FortiGate and then selecting either HTTPS or FTP download. The layout of the firmware listing in both methods is a hierarchical tree. For instance, if you wanted firmware 5.0.7 you would select the v5.00 directory, then the 5.0 directory, then the 5.0.7 directory. Once in the directory scroll down until you find the correct firmware file name for your specific model. Then select the file you wish to download.
The file names are intended to be helpful in determining the correct firmware for the model you need. Here are some of the conventions found in the file names.
- FGT_ = FortiGate
- FWF_ = FortiWiFi
- POE = Power over Ethernet
- VM32/VM64 = Virtual Machine versions of the firmware. The 32 and 64 referring to the bit architecture of the OS.
Firmware going directly to a Fortinet Device will have the
Upgrading from the FortiGuard Network
The practice of strategically skipping some firmware versions to optimize the time and efficiency that it takes to get to the latest version is based on using the Upgrade from: Local Hard Drive option. If you try to use the Upgrade from: FortiGuard Network option you will notice that there is a limited number of firmware builds to which you may upgrade or downgrade. This is because only options that are always going to be safe are available. The logic being that because there are no intermediate options possible, the next consecutive build will always be a safe option.
Because of this limitation in options, you will not be able to use the Upgrade from: FortiGuard Network option to see all of the safe upgrade options. You will either have to use the included upgrade path table or study the Release Notes.
The builds that will be shown will most like be as follows:
- The next build in the current version track
- The previous build in the current version track.
- The latest build in the previous version track.
Every now and then a “Special Build” is created for some specific purpose and some companies will put these into production. These special builds are not part of the normal upgrade path QA process and therefore have a greater risk of variance from what is normally expected in an upgrade. The table of the upgrade path is based on the Release Notes of the regular builds and may not have included testing against every special build as well. If you are running a special build, be even more cautious in upgrading than you would normally be.
Why read the Release Notes?
Previously in this document, it was recommended that before upgrading from one version of the firmware to a more recent one that the Release Notes be read. To give an indication of how important it is to read the Release Notes, we have provided a sampling on the next page of some of the possible issues that may have to be dealt with upon upgrading.
To offer some clarification on the contents of this sampling, some of these issues were and are unavoidable because of the nature of the configurations of the FortiGate devices and the networks they were in. The reason for reading the Release Notes is to make sure that users are prepared for changes or potential outages that may occur so that the affected parties can be forewarned and the issues can be dealt with in a timely manner.
While it is not necessarily an upgrade issue, one very good reason for reading the Release Notes is to verify that your model of FortiGate is supported by the firmware. The reasons for a particular model not being supported can be:
- The hardware was out of development when the firmware was released
- The hardware was developed after the firmware was released
- The hardware doesn’t have enough resources to run effectively using the firmware
- Only some models were included in the development of the firmware.
There are some instances where a model may not be supported by only some builds of the firmware. But just because a model appears to go out of support does not mean that the situation will continue moving forward. It’s worth checking to make sure.
For example, the FortiGate/FortiWiFi 80C and 81CM were not supported by the 5.4.0 firmware. There is no version 5.4.0 firmware for these models. However, these models were brought back into the supported list for 5.4.1. This presents a slightly different problem than normal for the people using the upgrade path tables as some of those paths could refer to upgrading to 5.4.0 before upgrading to 5.4.1 or one of the later versions of 5.4.
The solution is relatively straightforward. Use the 5.2 table to upgrade to the latest version of 5.2. From there, it should be easy to then use the 5.4 table to upgrade to whatever is the latest version of 5.4, effectively skipping right over 5.4.0.
Potential upgrade issues
These are some examples of issues, in no particular order, that have been brought to the attention of the Technical Assistance Center or the Documentation Team that could impact the success of a firmware upgrade.
Standalone vs. HA configuration upgrades
In version 5 there is a difference in the steps between the patches depending on whether your FortiGate setup is in a standalone or an HA configuration. If you have a standalone setup, you can upgrade from Patch 3 (5.0.3) directly to Patch 5 (5.0.5). However, if you are using an HA setup, you need to add the intermediate step of going to Patch 4 (5.0.4). Otherwise, only the slave unit in the configuration will be upgraded to Patch 5.
In the table describing the steps in progressing through the upgrades the most cautious path is listed. This minimizes the possibility of confusion for somebody who has an HA cluster but reads the Release Notes, like everybody should, but was unaware of the known issue with the HA clusters.
Max Value issues
- There is a range of builds where the maximum number of some of the objects was lowered, but then a few builds later were raised back up. If the configuration on a device was to have a number of these objects in excess of the lower value when doing an upgrade, there could be issues and even data loss. The upgrade paths listed are designed to avoid upgrading into this lower max value range even though the Release Notes state that upgrading to these firmware builds is supported. When the release notes were written the act of increasing the values was not foreseen.
- Seemingly unrelated features can sometimes affect Max Value parameters after an upgrade. For instance, a feature introduced in 5.4 affected the max number of application control sensors. The feature added a “
sniffer-profile“, which could not be deleted, upon the creation of a VDOM. The normal max number of application sensors could be 32 but if you had 10 VDOMs, that number was effectively usable sensors (32 – 10 = 22).
Failure of secondary WAN IP for admin access
There is an issue with the 5.2.4 version of the firmware that affects a very specific configuration. In dual-wan setups, after upgrading to FortiOS 5.2.4, the secondary WAN IP cannot be used for administrative HTTPS access or SSL-VPN. PING and VIP using the second WAN as an external interface will work fine.
Packets are correctly sent to the second WAN IP address but the reply is sent through the other WAN interface.
Most instances will not be affected by this, but the upgrade path table has been modified to avoid 5.2.4 just to avoid any possible impact.
Loss of secondary IP address for everyone
Similar to the above issue with secondary IP addresses and admin access there is an even more significant example of losing the secondary IP address. At one point, a number of the upgrade paths to the 5.4 version of the firmware involved going to 5.4.0. This worked well enough until the system was upgraded to 5.4.1 at which point any secondary IP addresses were lost. This problem did not exist when going directly from a 5.2.x version to 5.4.1 so the tables were changed to bypass 5.4.0. This cannot be done if you are already on 5.4.0, so if you do upgrade from 5.4.0 to a more recent version, remember to record any instances of a secondary IP address on any of the interfaces so that they can be added manually after the upgrade.
Changing of Category Numbers
When looking at the FortiGuard Web filter categories or Application categories in the GUI, we see the names that indicate what they refer to. However, in the firmware code, these categories are referenced by an integer and not a text string. Periodically, the list of categories changes, whether by the number growing larger or smaller. If the list changes, then so do the object values in that list. If your policies are such that everything is wide open, you are not likely to see an issue. However, if there are carefully crafted restrictions in place.
Web filter category removal and FortiManager
Sometimes an issue in the upgrade process will not affect the FortiGate itself but will not affect one of the other devices connecting to the FortiGate. This issue similar to the changing Category numbers issue, but it differs in that it affects the FortiManager rather than the FortiGate itself.
Instead of changing the subject of a category, there is an instance where a category was completely removed from the list of categories. Firmware upgrades developed soon after the removal of the category sanitized the configuration file. Later firmware versions ignored the category if it was left in the configuration file. An upgrade from 4.3.18 to 5.0.12 may leave the category in place, but this does not affect the FortiGate. However, if FortiManager, running a current version of its firmware, tries to work with a configuration file with the removed category in it, an error message is triggered.
To determine if your FortiGate may affect the FortiGate later on, run this simple check.
- Save your configuration file to your hard drive
- Open it in your favorite text or code editor.
- Go to the “
config webfilter profile” section.
- Check to see if any of the web filter profiles are set to perform an action on category 32 or if you’re feeling lazy, do a search for “
set category 32“
If you find a reference to category 32 and you have already upgraded past FortiOS 4.3.18, go into your configuration using the CLI, and remove any references to category 32 and proceed as close as possible to the upgrade path below.
To completely remove the chance of this affecting the FortiManager, use the following path when upgrading the FortiGate:
4.3.18 > 5.0.2 > 5.0.4 > 5.0.6 > 5.0.10
After reaching 5.0.10, proceed as normal.
This path was not added to the main table as it is a somewhat isolated case.
HA virtual MAC address changes
HA virtual MAC addresses are created for each FortiGate interface based on that interface’s index number. Between FortiOS 4.3 and 5.0 interface indexing changed. After upgrading a cluster to FortiOS 5.0 the virtual MAC addresses assigned to individual FortiGate interfaces may be different. You can use the
get hardware nic command to view the virtual MAC address of each FortiGate interface.
The practical consequences of this could be seen in a situation where, in a very security conscious environment, there is some blocking or allowing of traffic based on mac addresses. When the firewall’s mac address is not on the list of allowed addresses any traffic going through the firewall is likely to be problematic.
Features removed or changed
While not an issue that will potentially stop the FortiGate from working, this issue will sometimes make it worthwhile to keep a close eye on the performance of your FortiGate after an upgrade to ensure everything is still doing what it was before the upgrade.
Example: Logtraffic function
For instance, when upgrading from 4.3 to version 5, the
logtraffic-start function is disabled by default.
In version 4.3, the
extended-traffic-logoption in config log [memory|disk|fortianalyzer|syslog] filter controlled the session start logging. In version 5.0, this is controlled by
logtraffic-start in the policy settings. If before the upgrade, the”extended-traffic-log” was enabled, the
logtraffic-start in policy settings will be disabled. More often than not this is the default setting of after an upgrade.
While for some users the loss of this function may be inconsequential, to other users this function might be useful. This is another reason to read the Release Notes; checking to verify that features commonly used in your environment will be there after the upgrade.
Example: Disk Logging
In version 4.3, logging to the local disk was possible only if Disk Logging was enabled and by default, it was disabled. Enabling the feature could be done either through the GUI or the CLI. In 5.0, not only was the feature disabled by default, but enabling it could only be done through the CLI, and even then, a message would appear stating that Logging to the local disk could seriously impact performance and that it should not be done. Despite the warning, it was possible to override the disabling of the feature and turn it on. In version 5.2, for devices that had only a single hard drive, it is not possible to override the disabling of the feature. The feature is still part of the firmware and available through the CLI, just not to all models.
Example: config system autoupdate override
When upgrading to 5.0.12 the
config systemautoupdate override function is removed. This feature was used to specify an alternate FDS server, usually a FortiManager, in the event that the FortiGuard Distribution Network(FDN) was unavailable.
Combination of variables that produce unexpected results
Every now and then a specific combination of variables will produce a side effect that is completely unexpected. Most of the time, these side effects may not even be noticed but occasionally there can be some loss of functionality.
Example: Link aggregation
One such example of this occurs when upgrading a FortiGate 600C from 4.3.18 to 5.0.11. If the FortiGate is configured to use Link Aggregation Control Protocol and an upgrade is done directly from 4.3.18 to 5.0.11, the VLANs under LACP will disappear and WiFi mesh devices show up below it.
In order to prevent this from happening an upgrade to 5.0.7 needs to occur before the upgrade to 5.0.11. The reason that this path is not part of the table, is that this situation refers to only 1 model and with a particular configuration.
Example: Application Control
When upgrading from 5.0 to 5.2, there is a curious time delay on a side effect involving Application Control profiles. If you have an Application Control profile that has some categories included, as well as some individual Application Control signatures, and you upgrade from 5.0 to 5.2 everything will work as it did before. There is the slight side effect that you will no longer see the individual signatures in the GUI, but the functionality will still be there. The problem arises when the profile is actually edited. Editing the profile removes the individual signatures. The only way to correct the error is to manually enter them in again.
While most potential issues occur during the upgrade process, there are occasional ones that can occur when downgrading firmware.
There are a few reasons why downgrading is looked at with some trepidation. Let’s use going from 5.2.3 to 5.0.12 as an example.
The number of potential pitfalls increases proportionally with the complexity of the configuration. More settings involved means more places for things to go wrong. The most important thing to take into account is that the configuration file is firmware version specific. It does not operate well with versions of the firmware that it was not written for. You cannot use a configuration file from 5.2.3 on a unit running 5.0.12.
If you are planning to downgrade and then upgrade to the current firmware version to fix an issue, chances are that somewhere along the upgrade process something was missed or broken. The more likely scenario is that the issue may not be with the firmware you are running, but with something in the configuration file.
A configuration file is essentially a number of CLI commands to the firmware that is run each time the unit is powered on. If there is a syntax error in those commands, the firmware may not behave as intended.
During an upgrade, there is a background process that takes the existing configuration file and changes any commands and settings to comply with the syntax of the new firmware. Skipping a firmware version that should have been part of the upgrade path means that the syntax of one or more commands didn’t get updated to work with the current firmware.
- You downgrade the firmware from 5.2.3 to 5.0.12
- You throw in a
factoryresetcommand to get a nice clean config file
- After you go through the supported upgrade path to 5.2.3
- You install the config file from the FortiGate when the firmware was 5.2.3.
- The result is that you end up with the same issue because of the syntax issues that are still present in the configuration file.
The bad news is that you may need to rebuild your configuration from the ground up. The good news is that you may not have to downgrade and then upgrade. You can start with the firmware already installed. Depending on the issue, you might be able to get away with a simple factory reset, which will give you a brand new configuration file, and then just start customizing your configuration.
If you are comfortable in the CLI, you could use some techniques found in the SysAdmin Note https://cookbook.fortinet.com/t… to cut and paste portions of the existing configuration file into the new one. At some point, you are likely to come across an error as the firmware determines that the syntax is somehow wrong and then you will have to set up that portion of the configuration from scratch.
Fortinet will sometimes produce different generations of the same model of a device. Ideally, the firmware should not be downgraded to a version earlier than what it came with from the factory.
The FortiGate 3600C generation 3 came with a new NPU DDR chip that the first and second generations of the model did not have. The Support site has a firmware version 5.0.2 for the FortiGate 3600C.This would have been for the first generation of the model but the third generation of the model will not properly run this version of the firmware.
Upgrade issues specific to 5.6.x
Use of Port 4433
This issue usually occurs when the Admin access port for HTTPS access is changed due to an SSL-VPN using 443.
The new FTM-push feature in 5.6.0 uses port 4433 by default. If a SysAdmin has changed the HTTP or HTTPS access port to 4433 before the upgrade and FTM is enabled on the interface, once the upgrade has been completed, FTM is now using this feature and the SysAdmin can be prevented from accessing the administrative features of the FortiGate through the GUI.
- The CLI doesn’t give any warnings regarding this issue.
- Removing FTM from the
allowaccesssetting does not get back the GUI access.
- If this issue is encountered, temporarily reset the admin ports back to their default settings to regain GUI access.
There is an issue with IPsec tunnels when upgrading from 5.4.5 to 5.6.0, but only between these two versions. Going from 5.4.4 to 5.6.0 doesn’t present an issue. If you do upgrade between these two versions any Phase 1 psksecrets will have to be reset.
Upgrade issues specific to 5.4.x
FortiOS 5.2 allowed configurations to use wildcard FQDN objects in the firewall policies. This functionality was removed starting in 5.4. If a user has a firewall running FOS 5.2 with firewall rules configured to use wildcard FQNDs, when the customer upgrades the firewall to FOS 5.4.x or later, the firewall rules using wildcard FQDNs will be deleted. This can cause unexpected traffic to pass or be blocked.