Fortinet black logo

FortiGate-6000 Handbook

Home FortiGate-6000 5.6.11 FortiGate-6000 Handbook

Firmware upgrades

5.6.11
7.0.15
7.0.14
7.0.13
7.0.12
7.0.10
7.0.5
6.4.15
6.4.14
6.4.13
6.4.12
6.4.10
6.4.8
6.4.6
6.4.2
6.2.16
6.2.16
6.2.15
6.2.13
6.2.12
6.2.11
6.2.10
6.2.9
6.2.7
6.2.6
6.2.4
6.2.3
6.0.18
6.0.17
6.0.16
6.0.15
6.0.14
6.0.13
6.0.12
6.0.10
6.0.9
6.0.8
6.0.6
6.0.4
5.6.14
5.6.12
5.6.11
5.6.7
5.4.10
Copy Link
Copy Doc ID 246cb95f-e60f-11e9-8977-00505692583a:530315
Download PDF

Firmware upgrades

Both management boards and all of the FPCs in a FortiGate-6000 HA cluster run the same firmware image. You upgrade the firmware from the GUI or CLI by logging into the primary FortiGate-6000 and installing the firmware image.

If uninterruptable-upgrade and session-pickup are enabled, firmware upgrades should only cause a minimal traffic interruption. Use the following command to enable these settings (they should be enabled by default). These settings are synchronized.

config system ha

set uninterruptable-upgrade enable

set session-pickup enable

end

When these settings are enabled, the primary FortiGate-6000 management board uploads firmware to the secondary FortiGate-6000 management board. The secondary management board uploads the firmware to all of the FPCs in the secondary FortiGate-6000. Then the management board and all of the FPCs in the secondary ForiGate-6000 upgrade their firmware, reboot, and resynchronize.

Then all traffic fails over to the secondary FortiGate-6000 which becomes the new primary FortiGate-6000. Then the management board and the FPCs in the new secondary FortiGate-6000 upgrade their firmware and rejoin the cluster. Unless override is enabled, the new primary FortiGate-6000 continues to operate as the primary FortiGate-6000.

Normally you would want to enable uninterruptable-upgrade to minimize traffic interruptions. But uninterruptable-upgrade does not have to be enabled. In fact, if a traffic interruption is not going to cause any problems, you can disable uninterruptable-upgrade so that the firmware upgrade process takes less time.

As well some firmware upgrades may not support uninterruptable-upgrade. For example, uninterruptable-upgrade may not be supported if the firmware upgrade also includes a DP3 processor firmware upgrade. Make sure to review the release notes before running a firmware upgrade to verify whether or not enabling uninterruptable-upgrade is supported to upgrade to that version.

Previous
Next

Firmware upgrades

Both management boards and all of the FPCs in a FortiGate-6000 HA cluster run the same firmware image. You upgrade the firmware from the GUI or CLI by logging into the primary FortiGate-6000 and installing the firmware image.

If uninterruptable-upgrade and session-pickup are enabled, firmware upgrades should only cause a minimal traffic interruption. Use the following command to enable these settings (they should be enabled by default). These settings are synchronized.

config system ha

set uninterruptable-upgrade enable

set session-pickup enable

end

When these settings are enabled, the primary FortiGate-6000 management board uploads firmware to the secondary FortiGate-6000 management board. The secondary management board uploads the firmware to all of the FPCs in the secondary FortiGate-6000. Then the management board and all of the FPCs in the secondary ForiGate-6000 upgrade their firmware, reboot, and resynchronize.

Then all traffic fails over to the secondary FortiGate-6000 which becomes the new primary FortiGate-6000. Then the management board and the FPCs in the new secondary FortiGate-6000 upgrade their firmware and rejoin the cluster. Unless override is enabled, the new primary FortiGate-6000 continues to operate as the primary FortiGate-6000.

Normally you would want to enable uninterruptable-upgrade to minimize traffic interruptions. But uninterruptable-upgrade does not have to be enabled. In fact, if a traffic interruption is not going to cause any problems, you can disable uninterruptable-upgrade so that the firmware upgrade process takes less time.

As well some firmware upgrades may not support uninterruptable-upgrade. For example, uninterruptable-upgrade may not be supported if the firmware upgrade also includes a DP3 processor firmware upgrade. Make sure to review the release notes before running a firmware upgrade to verify whether or not enabling uninterruptable-upgrade is supported to upgrade to that version.

Previous
Next