Upgrade instructions

Caution

Back up your configuration before beginning this procedure. No data loss should occur if the procedures below are followed correctly, but it is recommended that you make a full backup before proceeding. You will also be prompted to do so as part of the upgrade process.

For information on how to back up the FortiAuthenticator configuration, see the FortiAuthenticator Administration Guide.

Hardware and VM support

FortiAuthenticator 6.4.7 supports:

  • FortiAuthenticator 200D
  • FortiAuthenticator 200E
  • FortiAuthenticator 300F
  • FortiAuthenticator 400C
  • FortiAuthenticator 400E
  • FortiAuthenticator 800F
  • FortiAuthenticator 1000D
  • FortiAuthenticator 2000E
  • FortiAuthenticator 3000D
  • FortiAuthenticator 3000E
  • FortiAuthenticator 3000F
  • FortiAuthenticator VM (VMWare, Hyper-V, KVM, Xen, Azure, AWS, Oracle OCI, and Alibaba Cloud)

Image checksums

To verify the integrity of the firmware file, use a checksum tool to compute the firmware file’s MD5 checksum. Compare it with the checksum indicated by Fortinet. If the checksums match, the file is intact.

MD5 checksums for software releases are available from the Fortinet Support website.

Customer service and support image checksum tool

After logging in to the web site, in the menus at the top of the page, click Download, then click Firmware Image Checksums.

In the Image File Name field, enter the firmware image file name including its extension, then click Get Checksum Code.

Upgrading from FortiAuthenticator 4.x/5.x/6.x

FortiAuthenticator 6.4.7 build 1054 officially supports upgrades from previous versions by following these supported FortiAuthenticator upgrade paths:

  • If currently running FortiAuthenticator 6.0.5 or older, first upgrade to 6.0.7, then upgrade to 6.4.7. Otherwise, the following message is displayed: Image validation failed: The firmware image model number is different from the appliance's.

  • If currently running FortiAuthenticator 6.0.7, then upgrade to 6.4.7 directly.

  • If currently running FortiAuthenticator between 6.1.0 and 6.2.0, first upgrade to 6.3.3, then upgrade to 6.4.7.

  • If currently running FortiAuthenticator 6.2.1 or later, then upgrade to 6.4.7 directly.

Note

When upgrading existing KVM and Xen virtual machines to FortiAuthenticator 6.4.7 from FortiAuthenticator 6.0.7, you must first increase the size of the virtual hard disk drive containing the operating system image (not applicable for AWS & OCI Cloud Marketplace upgrades). See Upgrading KVM / Xen virtual machines.

Upgrade to and from FortiAuthenticator 6.0.6 is not recommended.
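
The upgrade paths above expressed as a shell function, as an added example that is not part of the Fortinet documentation. The names `ver_num` and `upgrade_path` are hypothetical; versions the page gives no path for (6.0.6, and anything between 6.0.7 and 6.1.0) are rejected rather than guessed.

```shell
#!/bin/sh
# Added example (not Fortinet code): print the firmware hops needed to reach
# FortiAuthenticator 6.4.7 from a given running version, one hop per line.
TARGET=6.4.7

# "6.0.7" -> 60007 so versions can be compared as integers.
ver_num() (
    case $1 in
        ""|*[!0-9.]*|.*|*.|*..*) exit 2 ;;   # reject anything but dotted digits
    esac
    IFS=.
    set -- $1
    echo $(( ${1:-0} * 10000 + ${2:-0} * 100 + ${3:-0} ))
)

upgrade_path() {
    cur=$(ver_num "$1") || { echo "invalid version: $1" >&2; return 2; }
    if [ "$cur" -ge 60407 ]; then
        return 0                               # already at 6.4.7 or newer: no hops
    elif [ "$cur" -eq 60006 ]; then
        echo "6.0.6: upgrading to and from this release is not recommended" >&2
        return 3
    elif [ "$cur" -le 60005 ]; then
        printf '%s\n' 6.0.7 "$TARGET"          # 6.0.5 or older: via 6.0.7
    elif [ "$cur" -eq 60007 ]; then
        printf '%s\n' "$TARGET"                # 6.0.7: direct
    elif [ "$cur" -ge 60100 ] && [ "$cur" -le 60200 ]; then
        printf '%s\n' 6.3.3 "$TARGET"          # 6.1.0 to 6.2.0: via 6.3.3
    elif [ "$cur" -ge 60201 ]; then
        printf '%s\n' "$TARGET"                # 6.2.1 or later: direct
    else
        echo "$1: no upgrade path is listed for this version" >&2
        return 3
    fi
}
```

For example, `upgrade_path 6.1.2` prints 6.3.3 and then 6.4.7, each on its own line.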

Firmware upgrade process

First, back up your configuration, then follow the procedure below to upgrade the firmware.

Before you can install FortiAuthenticator firmware, you must download the firmware image from the Fortinet Support website, then upload it from your computer to the FortiAuthenticator unit.

  1. Log in to the Fortinet Support website. In the Download section of the page, select the Firmware Images link to download the firmware.
  2. To verify the integrity of the download, go back to the Download section of the login page and click the Firmware Image Checksums link.
  3. Log in to the FortiAuthenticator unit’s web-based manager using the admin administrator account.
  4. Upload the firmware and begin the upgrade.
    When upgrading from FortiAuthenticator 6.0.4 and earlier:
    1. Go to System > Dashboard > Status.
    2. In the System Information widget, in the Firmware Version row, select Upgrade. The Firmware Upgrade or Downgrade dialog box opens.
    3. In the Firmware section, select Choose File, and locate the upgrade package that you downloaded.
    When upgrading from FortiAuthenticator 6.1.0 or later:
    1. Click on the administrator name in the upper-right corner of the GUI to display the dropdown menu, and click Upgrade.
    2. In the Firmware Upgrade or Downgrade section, select Upload a file, and locate the upgrade package that you downloaded.
  5. Select OK to upload the file to the FortiAuthenticator.

    Your browser uploads the firmware file. The time required varies by the size of the file and the speed of your network connection. When the file transfer is complete, the following message is shown:

    It is recommended that a system backup is taken at this point. Once complete, click Start Upgrade.

    Wait until the unpacking, upgrade, and reboot process completes (usually 3-5 minutes), then refresh the page.
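
Step 2 above and the Image checksums section leave the comparison itself to a checksum tool. The function below is an added example (not Fortinet tooling) that does it with `md5sum`, taking the value returned by Get Checksum Code as its second argument. The name `verify_md5` is hypothetical.

```shell
#!/bin/sh
# Added example (not Fortinet code): compare a firmware image's MD5 with the
# value shown by the Firmware Image Checksums tool.
# Returns 0 on match, 1 on mismatch, 2 on unusable input.
verify_md5() {
    image=$1
    # Normalise the pasted value: drop whitespace, lower-case the hex digits.
    want=$(printf '%s' "$2" | tr -d '[:space:]' | tr 'A-F' 'a-f')
    case $want in
        *[!0-9a-f]*) echo "expected checksum contains non-hex characters" >&2; return 2 ;;
    esac
    if [ "${#want}" -ne 32 ]; then
        echo "expected checksum must be 32 hex digits, got ${#want}" >&2
        return 2
    fi
    if [ ! -f "$image" ] || [ ! -r "$image" ]; then
        echo "$image: not a readable file" >&2
        return 2
    fi
    # Read via stdin so md5sum never has to escape or print the file name.
    got=$(md5sum < "$image" | cut -d' ' -f1)
    if [ "$got" = "$want" ]; then
        echo "OK: $image matches $want"
        return 0
    fi
    echo "MISMATCH: $image is $got, expected $want; do not upload this file" >&2
    return 1
}
```

A partially pasted checksum is rejected with status 2 rather than reported as a mismatch, so a copy error is not mistaken for a bad download.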

Tooltip

Due to a known issue in 6.0.x and earlier releases, the port5 and port6 fiber ports are inverted in the GUI for FAC-3000E models (i.e. port5 in the GUI corresponds to the physical port6 and vice-versa).

This is resolved in 6.1.0 and later; however, the upgrade process does not swap these configurations automatically. If these ports are used in your configuration during the upgrade from 6.0.x to 6.1.0 and later, you will need to physically swap the port5 and port6 fibers to avoid inverting your connections following the upgrade.

Upgrading KVM / Xen virtual machines

When upgrading existing KVM and Xen virtual machines from FortiAuthenticator 6.0.7 to 6.4.7, it is necessary to manually increase the size of the virtual hard disk drive which contains the operating system image before starting the upgrade. This requires file system write-access to the virtual machine disk drives, and must be performed while the virtual machines are in an offline state, fully powered down.

Note

If your virtual machine has snapshots, the resize commands detailed below will exit with an error. You must delete the snapshots in order to perform this resize operation. Please make a separate copy of the virtual disk drives before deleting snapshots to ensure you have the ability to roll back.

Use the following command to run the resize on KVM:

qemu-img resize /path/to/fackvm.qcow2 1G

Use the following command to run the resize on Xen:

qemu-img resize /path/to/facxen.qcow2 1G

After this command has been completed, you may proceed with the upgrade from 6.0.7 to 6.4.7.
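
The snapshot check, rollback copy and resize described above combined into one function, as an added example that is not from the Fortinet documentation. It assumes the virtual machine is already fully powered down; `resize_fac_disk`, the `QEMU_IMG` override and the `.pre-resize` copy name are hypothetical.

```shell
#!/bin/sh
# Added example (not Fortinet code): guarded version of the qemu-img resize
# step. Assumes the VM that owns the disk is fully powered down.
QEMU_IMG=${QEMU_IMG:-qemu-img}    # overridable path to the qemu-img binary

resize_fac_disk() {
    disk=$1                        # e.g. /path/to/fackvm.qcow2 or facxen.qcow2
    backup=$disk.pre-resize        # hypothetical name for the rollback copy
    if [ ! -f "$disk" ] || [ ! -w "$disk" ]; then
        echo "$disk: not a writable file" >&2
        return 2
    fi
    # The resize exits with an error when snapshots exist, so check first.
    # "snapshot -l" prints nothing for an image without snapshots.
    snaps=$("$QEMU_IMG" snapshot -l "$disk") || return 2
    if [ -n "$snaps" ]; then
        echo "$disk has snapshots: copy the disk, delete them, then rerun" >&2
        return 3
    fi
    if [ -e "$backup" ]; then
        echo "$backup already exists; refusing to overwrite it" >&2
        return 4
    fi
    # Keep a copy to roll back to if the upgrade goes wrong.
    cp -p "$disk" "$backup" || return 2
    "$QEMU_IMG" resize "$disk" 1G
}
```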

Recovering improperly upgraded KVM / Xen virtual machines

If the upgrade was performed without completing the resize operation above, the virtual machine will fail to properly boot, instead displaying many initd error messages. If no snapshots are available, manual recovery is necessary.

To recover your virtual machine, you will need to replace the operating system disk with a good copy, which also requires write-access to the virtual hard disks in the file system while the virtual machines are in an offline state, fully powered down.

To recover an improperly upgraded KVM virtual machine:
  1. Download the 6.0.7 GA ZIP archive for KVM, FAC_VM_KVM-v6-build0059-FORTINET.out.kvm.zip.
  2. Extract the archive, then replace your virtual machine's fackvm.qcow2 with the one from the archive.
  3. Execute the following command:
    qemu-img resize /path/to/fackvm.qcow2 1G
To recover an improperly upgraded Xen virtual machine:
  1. Download the 6.0.7 GA ZIP archive for Xen, FAC_VM_XEN-v6-build0059-FORTINET.out.xen.zip.
  2. Extract the archive, then replace your virtual machine's facxen.qcow2 with the one from the archive.
  3. Execute the following command:
    qemu-img resize /path/to/facxen.qcow2 1G
