Restoring firmware ('clean install')

Restoring (also called re-imaging) the firmware can be useful in the following cases:

  • You are unable to connect to the FortiDDoS-F appliance using the web UI or the CLI
  • You want to install firmware without preserving any existing configuration (that is, perform a “clean install”)

Unlike updating firmware, restoring firmware re-images the boot device. Also, restoring firmware can only be done during a boot interrupt, before network connectivity is available, and therefore requires a local console connection to the CLI. It cannot be done through an SSH or Telnet connection.

Note: This procedure applies only to hardware models, not to VMs. If a VM is unresponsive and all troubleshooting steps fail, deploy a new VM and load the license file.

Alternatively, if you cannot physically access the appliance’s local console connection, connect the appliance’s local console port to a terminal server to which you have network access. Once you have used a client to connect to the terminal server over the network, you will be able to use the appliance’s local console through it. However, be aware that from a remote location, you may not be able to power cycle the appliance if abnormalities occur.

Important: Back up the configuration before completing a clean install.

To restore the firmware
  1. Download the firmware file from the Fortinet Technical Support website.
  2. Connect your management computer to the FortiDDoS-F console port using an RJ-45-to-DB-9 serial cable or a null-modem cable.
  3. Initiate a local console connection from your management computer to the CLI of the FortiDDoS-F appliance, and log in as the admin administrator.
  4. Connect the MGMT1 port of the FortiDDoS-F appliance directly or to the same subnet as a TFTP server.
  5. Copy the new firmware image file to the root directory of the TFTP server.
  6. If necessary, start your TFTP server. (If you do not have one, you can temporarily install and run one such as tftpd on your management computer.)

    TFTP is not secure, and it does not support authentication. You should run it only on trusted administrator-only networks, and never on computers directly connected to the Internet. Turn off tftpd immediately after completing this procedure.
  7. Verify that the TFTP server is currently running, and that the FortiDDoS-F appliance can reach the TFTP server.
    To use the FortiDDoS-F CLI to verify connectivity, enter the following command:
    execute ping 192.168.1.168
    where 192.168.1.168 is the IP address of the TFTP server.
  8. Enter the following command to restart the FortiDDoS-F appliance: execute reboot
    As the FortiDDoS-F appliance starts, a series of system startup messages appear.
    Press any key to display configuration menu........
  9. Immediately press a key to interrupt the system startup.
    You have only 3 seconds to press a key. If you do not press a key soon enough, the FortiDDoS-F appliance reboots and you must log in and repeat the execute reboot command.

    If you successfully interrupt the start-up process, the following messages appear:
    [G]: Get firmware image from TFTP server.
    [F]: Format boot device.
    [B]: Boot with backup firmware and set as default.
    [Q]: Quit menu and continue to boot with default firmware.
    [H]: Display this list of options.

    Enter G,F,B,Q,or H:


    Please connect TFTP server to Ethernet port "1".
  10. If the firmware version requires that you first format the boot device before installing firmware, type F. Format the boot disk before continuing.
  11. Type G to get the firmware image from the TFTP server. The following message appears:
    Enter TFTP server address [192.168.1.168]:
  12. Type the IP address of the TFTP server and press Enter. The following message appears:
    Enter local address [192.168.1.188]:
  13. Type a temporary IP address that can be used by the FortiDDoS-F appliance to connect to the TFTP server. The following message appears:
    Enter firmware image file name [image.out]:
  14. Type the file name of the firmware image and press Enter. The FortiDDoS-F appliance downloads the firmware image file from the TFTP server and displays a message similar to the following:
    MAC:00219B8F0D94
    ###########################
    Total 28385179 bytes data downloaded.
    Verifying the integrity of the firmware image..
    Save as Default firmware/Backup firmware/Run image without saving:[D/B/R]?
  15. Type D.
    The FortiDDoS-F appliance downloads the firmware image file from the TFTP server. The FortiDDoS-F appliance installs the firmware and restarts. The time required varies by the size of the file and the speed of your network connection.
    The FortiDDoS-F appliance reverts the configuration to default values for that version of the firmware.
  16. To verify that the firmware was successfully installed, log in to the CLI and type: get system status
    The firmware version number is displayed.
  17. Either reconfigure the FortiDDoS-F appliance or restore the configuration file.

    • If you are downgrading the firmware to a previous version, and the settings are not fully backwards compatible, the FortiDDoS-F appliance either removes incompatible settings, or uses the feature’s default values for that version of the firmware. You might need to reconfigure some settings.
    • Installing firmware overwrites any FortiGuard IP Reputation Service definitions and disables the service. After any firmware update, re-enable the IP Reputation feature. FortiDDoS downloads current definitions as part of the enabling process.
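
Because steps 5 and 6 expose the image over unauthenticated TFTP, it is worth checking the image before staging it and confirming the server is off afterwards. The following is an added example, not part of the Fortinet procedure: `stage_firmware` and `tftp_listening` are hypothetical helper names, and it assumes a Linux management computer with `sha256sum` and `ss`, plus a SHA-256 checksum for the image obtained from the vendor.

```shell
#!/bin/sh
# Added example (not Fortinet tooling). Helper names are hypothetical.

# stage_firmware IMAGE EXPECTED_SHA256 TFTP_ROOT
# Copies IMAGE into TFTP_ROOT only when its SHA-256 matches EXPECTED_SHA256,
# then prints the image size in bytes.
stage_firmware() {
    image=$1; expected=$2; root=$3
    [ -f "$image" ] || { echo "no such file: $image" >&2; return 2; }
    actual=$(sha256sum "$image" | awk '{print $1}')
    # Published checksums are sometimes upper-case; compare in lower-case.
    exp_lc=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    if [ "$actual" != "$exp_lc" ]; then
        echo "checksum mismatch: got $actual" >&2
        return 1
    fi
    cp -f "$image" "$root/" || return 3
    # TFTP has no authentication; at least keep the staged file read-only.
    chmod 0444 "$root/$(basename "$image")"
    # Compare this number with "Total N bytes data downloaded." on the console.
    wc -c < "$image" | tr -d ' '
}

# tftp_listening: reads `ss -H -uln` output on stdin and returns 0 when any
# socket is bound to UDP port 69 (tftpd still running), 1 otherwise.
# Fields 4 and 5 are both checked because ss adds a Netid column in some modes.
tftp_listening() {
    awk '{
        for (i = 4; i <= 5; i++) {
            n = split($i, part, ":")
            if (part[n] == "69") found = 1
        }
    } END { exit !found }'
}

# Usage on the management computer (paths and checksum are placeholders):
#   stage_firmware ./image.out "<published-sha256>" /srv/tftp
#   ... complete the restore, stop tftpd, then:
#   ss -H -uln | tftp_listening && echo "tftpd is still listening on UDP 69"
```

If the byte count printed by `stage_firmware` differs from the total the appliance reports in step 14, stop at the `[D/B/R]` prompt and re-check the file on the TFTP server before saving it as the default firmware.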
