FortiAP unit firmware upgrade
There are multiple ways you can upgrade the FortiAP unit firmware:
- You can enable newly discovered FortiAPs to be automatically upgraded to the latest compatible firmware. This happens once after the FortiAP is authorized by the WiFi controller.
- You can enable automatic firmware updates on your FortiGate which checks for patch upgrades for your FortiGates, FortiSwitches, and FortiAPs. If a compatible upgrade is available, FortiGate automatically downloads and installs them at a scheduled time.
- You can manually view and upgrade the FortiAP firmware from the FortiGate unit.
When upgrading multiple APs, you can enable Hitless Rolling upgrade where FortiAPs are upgraded in a staggered process so that they can continue to provide Wi-Fi service.
Checking the FortiAP unit firmware version
To view the list of FortiAP units that the FortiGate unit manages, go to WiFi and Switch Controller > Managed FortiAPs. The OS Version column shows the current firmware version running on each AP.
Enabling automatic FortiAP upgrade after authorization
You can enable the automatic federated upgrade of a FortiAP unit upon discovery and authorization by the WiFi controller. When you enable this feature, newly discovered FortiAPs are automatically upgraded to the latest compatible firmware from FortiGuard Distribution Service (FDS).
To enable automatic FortiAP upgrade - GUI:
- Go to WiFI & Switch Controller > WiFi Settings and enable FortiAP auto firmware provisioning.
- Click Apply.
-
Connect and authorize a FortiAP.
The FortiAP will be upgraded to the latest compatible firmware from FDS.
To enable automatic FortiAP upgrade - CLI:
-
Enable
firmware-provision-on-authorization
via the CLI:config wireless-controller setting set firmware-provision-on-authorization enable set darrp-optimize-schedules "default-darrp-optimize" end
-
Connect and authorize a FortiAP.
The FortiAP will be upgraded to the latest compatible firmware from FDS.
When |
Enabling automatic firmware updates
Automatic firmware updates will upgrade your FortiGates, FortiSwitches, and FortiAPs at a scheduled time.
When you enable automatic firmware updates, it upgrades the FortiAP directly to the target version and does not follow an upgrade path. Refer to the Supported Upgrade Path documentation to ensure you follow the proper upgrade path. |
To enable automatic firmware updates - GUI:
- Go to System > Firmware & Registration and click Automatic patch upgrades disabled.
- Select Enable automatic patch upgrades for vX.X.
-
Select a date and time for when you want to schedule your upgrade.
-
Click OK.
To enable automatic firmware updates - CLI:
Enable automatic firmware upgrade and schedule a day and time to upgrade.
config system fortiguard set auto-firmware-upgrade enable set auto-firmware-upgrade-day sunday monday tuesday wednesday thursday friday saturday set auto-firmware-upgrade-delay 0 set auto-firmware-upgrade-start-hour 17 set auto-firmware-upgrade-end-hour 19 end
The auto-upgrade time is scheduled daily, between 5:00 p.m. and 7:00 p.m.
Upgrading FortiAP firmware from the FortiGate unit
You can manually upgrade the FortiAP firmware using either the GUI or the CLI. Only the CLI method can update all FortiAP units at once.
To upgrade FortiAP unit firmware - GUI:
- Go to WiFi and Switch Controller > Managed FortiAPs.
- Right-click the FortiAP unit in the list and select Upgrade.
or
Click the row of the FortiAP that you want to upgrade, and click Edit. In Firmware, click Upgrade. - You can upgrade using FortiGuard, or select Browse and locate the firmware upgrade file.
- Click Upgrade.
- When the upgrade process completes, select OK.
The FortiAP unit restarts.
To upgrade FortiAP unit firmware - CLI:
- Upload the FortiAP image to the FortiGate unit.
For example, the Firmware file is FAP_22A_v4.3.0_b0212_fortinet.out and the server IP address is 192.168.0.100.
execute wireless-controller upload-wtp-image tftp FAP_22A_v4.3.0_b0212_fortinet.out 192.168.0.100
If your server is FTP, change
tftp
toftp
, and if necessary add your user name and password at the end of the command. - Verify that the image is uploaded:
execute wireless-controller list-wtp-image
- Upgrade the FortiAP units:
exec wireless-controller reset-wtp all
If you want to upgrade only one FortiAP unit, enter its serial number instead of
all
.
Upgrading FortiAP firmware from the FortiAP unit
You can connect to a FortiAP unit's internal CLI to update its firmware from a TFTP server on the same network. This method does not require access to the wireless controller.
- Place the FortiAP firmware image on a TFTP server on your computer.
- Connect the FortiAP unit to a separate private switch or hub or directly connect to your computer via a cross-over cable.
- Change your computer IP address to 192.168.1.3.
- Using SSH, connect to IP address 192.168.1.2.
This IP address is overwritten if the FortiAP is connected to a DHCP environment. Ensure that the FortiAP unit is in a private network with no DHCP server. - Login with the username "admin" and no password.
- Enter the following command.
For example, the FortiAP image file name is FAP_22A_v4.3.0_b0212_fortinet.out.restore FAP_22A_v4.3.0_b0212_fortinet.out 192.168.1.3
Enabling Hitless Rolling AP upgrade
When upgrading FortiAPs using the Hitless Rolling upgrade method, an algorithm considers the reach of neighboring APs and their locations. The APs are then upgraded in staggered process with some APs being immediately upgraded while others continue to provide Wi-Fi service to clients and are placed in a standby queue. Once the SSIDs on the initial upgraded APs are able to serve clients, the APs in the standby queue begin upgrading.
The following CLI commands for configuring Hitless Rolling AP upgrades are available at both global settings and per-VDOM settings:
Enabling Hitless Rolling Upgrade at the global level
config wireless-controller global set rolling-wtp-upgrade {Enable | disable} set rolling-wtp-upgrade-threshold <integer> end
rolling-wtp-upgrade |
Enable/disable rolling WTP upgrade (default = disable). Note: Enabling this at the global-level will enforce all managed FortiAPs in all VDOMs to implement the rolling upgrade, regardless of the VDOM-level settings. |
|
Minimum signal level/threshold in dBm required for the managed WTP to be included in rolling WTP upgrade (-95 to -20, default = -80). |
Enabling Hitless Rolling Upgrade at the per-VDOM level
config wireless-controller setting set rolling-wtp-upgrade {Enable | disable} end
rolling-wtp-upgrade |
Enable/disable rolling WTP upgrade (default = disable). Note: Enabling this at the VDOM-level will let managed FortiAPs in the current VDOM to implement the rolling upgrade, regardless of the global-level setting. |
Executing Hitless Rolling Upgrade
exec wireless-controller rolling-wtp-upgrade <all>|<SN>|<wtp-group>
rolling-wtp-upgrade |
Select which APs you want to upgrade with the Hitless Rolling upgrade. You can select all APs, by their WTP serial number, or WTP group. |
To configure Hitless Rolling AP upgrade - GUI
-
Before you can run Hitless Rolling AP upgrade from the GUI, you must first enable
rolling-wtp-upgrade
and configure therolling-wtp-upgrade-threshold
level in the CLI.config wireless-controller global set rolling-wtp-upgrade enable set rolling-wtp-upgrade-threshold -70 end
config wireless-controller setting set rolling-wtp-upgrade enable end
-
From the FortiGate GUI, go to WiFi & Switch Controller > Managed FortiAPs.
-
Select multiple FortiAPs of the same model, and then right-click and select Upgrade.
The Upgrade FortiAPs window loads.
-
Upload the FortiAP image file and click Upgrade.
The FortiAPs are automatically upgraded using the Hitless Rolling upgrade method.
-
Some FortiAPs immediately begin upgrading while others are marked with "ISSU queued". In-Service Software Upgrade (ISSU) indicates that these are the standby APs that continue to provide Wi-Fi service to clients and are queued to be upgraded later.
-
Once the first batch of FortiAPs are upgraded and can provide service, the ISSU queued FortiAPs will begin upgrading.
To configure Hitless Rolling AP upgrade - CLI
-
Enable
rolling-wtp-upgrade
at either the global or VDOM level and configure therolling-wtp-upgrade-threshold
level.config wireless-controller global set rolling-wtp-upgrade enable set rolling-wtp-upgrade-threshold -70 end
config wireless-controller setting set rolling-wtp-upgrade enable end
-
Upload FortiAP images to FortiGate and check the image list. In this example, FAP231F is uploaded:
execute wireless-controller upload-wtp-image tftp /FortiAP/v7.00/images/build0626/FAP_231F-v7-build0626-FORTINET.out 172.18.52.254
-
Verify the uploaded FortiAP images:
execute wireless-controller list-wtp-image WTP Images on AC: ImageName ImageSize(B) ImageInfo ImageMTime … FP231F-v7.4.2-build0626-IMG.wtp 37605058 FP231F-v7.4-build0626 Mon Nov 27 10:39:53 2023
-
Run the Rolling WTP Upgrade and prepare to check the FortiAP upgrade status.
exec wireless-controller rolling-wtp-upgrade all
-
The FortiAPs begin upgrading on a rolling basis. You can use
diagnose wireless-controller wlac -c ap-upd
to check the upgrade process.diagnose wireless-controller wlac -c ap-upd 1,50,66 0-FP231FTF23037012 FP231F-v7.4-build0591 ==> FP231F-v7.4-build0626 ws (0-10.233.10.7:5246) upd-download,3 5% <- The image download has started (may still be blocked by concurrent AP image downloading limit) 2,50,66 0-FP231FTF23037026 FP231F-v7.4-build0591 ==> FP231F-v7.4-build0626 ws (0-10.233.10.3:5246) upd-download,3 6% 3,50,66 0-FP231FTF23037047 FP231F-v7.4-build0591 ==> FP231F-v7.4-build0626 ws (0-10.233.10.24:5246) upd-download,3 6% … 15,50,66 0-FP431FTF23000559 FP431F-v7.4-build0591 ==> FP431F-v7.4-build0626 ws (0-10.233.30.40:5246) upd-enqueue-issu,4 0% <- In queue for rolling AP upgrade to avoid Wi-Fi service drop 16,50,66 0-FP431FTF23021146 FP431F-v7.4-build0591 ==> FP431F-v7.4-build0626 ws (0-10.233.30.42:5246) upd-enqueue-issu,4 0% … 19,50,66 0-FP433FTF21001215 FP433F-v7.4-build0591 ==> FP433F-v7.4-build0626 ws (0-10.233.30.41:5246) upd-enqueue-issu,4 0% …