FortiGate-7000 Handbook

Installing firmware on an FIM or FPM from the BIOS using a TFTP server

Use the procedures in this section to install firmware on an FIM or FPM from a TFTP server after interrupting the boot sequence from the BIOS.

You might want to use this procedure if you need to reset the configuration of a module to factory defaults by installing firmware during a reboot. You can also use this procedure if you have formatted one or more FIMs or FPMs from the BIOS by interrupting the boot process.

This procedure involves creating a connection between a TFTP server and one of the MGMT interfaces of one of the FIMs, using a chassis console port to connect to the CLI of the module that you are upgrading the firmware for, rebooting this module, interrupting the boot from the console session, and installing the firmware.

This section includes two procedures, one for upgrading FIMs and one for upgrading FPMs. The two procedures are very similar, but a few details, most notably the local VLAN ID setting, are different. If you need to update both FIMs and FPMs, you should update the FIMs first because the FPMs can only communicate with the TFTP server through FIM interfaces.

Uploading firmware from a TFTP server to an FIM

Use the following steps to upload firmware from a TFTP server to an FIM. This procedure requires Ethernet connectivity between the TFTP server and one of the FIM's MGMT interfaces.

During this procedure, the FIM will not be able to process traffic so, if possible, perform this procedure when the network is not processing any traffic.

If you are operating an HA configuration, you should remove the FortiGate-7000 from the HA configuration before performing this procedure.

  1. Set up a TFTP server and copy the firmware file to be installed into the TFTP server default folder.
  2. Set up your network to allow traffic between the TFTP server and one of the MGMT interfaces of the FIM to be updated.

    If the MGMT interface you are using is one of the MGMT interfaces connected as a LAG to a switch, you must shut down or disconnect all of the other connections in the LAG from the switch. This includes the MGMT interfaces in the other FIM.

  3. Connect the console cable supplied with your chassis to the Console 1 port on your chassis front panel and to your management computer's RS-232 console port.
  4. Start a terminal emulation program on the management computer. Use these settings:
    Baud Rate (bps) 9600, Data bits 8, Parity None, Stop bits 1, and Flow Control None.
  5. Press Ctrl-T to enter console switch mode.
  6. Press Ctrl-T repeatedly until you have connected to the module to be updated. Example prompt:
    <Switching to Console: FIM02 (9600)>
  7. Optionally log into the FIM's CLI.
  8. Reboot the FIM to be updated.

    You can do this using the execute reboot command from the CLI or by pressing the power switch on the module front panel.

  9. When the FIM starts up, follow the boot process in the terminal session and press any key when prompted to interrupt the boot process.
  10. Press C to set up the TFTP configuration.
  11. Use the BIOS menu to set the following. Only change settings if required.

    [P]: Set image download port: MGMT1 (change if required)

    [D]: Set DHCP mode: Disabled

    [I]: Set local IP address: A temporary IP address to be used to connect to the TFTP server. This address must not be the same as the chassis management IP address and cannot conflict with other addresses on your network.

    [S]: Set local Subnet Mask: Set as required for your network.

    [G]: Set local gateway: Set as required for your network.

    [V]: Local VLAN ID: Use -1 to clear the Local VLAN ID.

    [T]: Set remote TFTP server IP address: The IP address of the TFTP server.

    [F]: Set firmware image file name: The name of the firmware file to be installed.

  12. Press Q to quit this menu.
  13. Press R to review the configuration.

    If you need to make any corrections, press C and make the changes as required. When the configuration is correct proceed to the next step.

  14. Press T to start the TFTP transfer.

    The firmware image is uploaded from the TFTP server and installed on the FIM which then reboots. When it starts up the module's configuration is reset to factory defaults. The module's configuration is synchronized to match the configuration of the primary module. The new module reboots again and can start processing traffic.

  15. Verify that the configuration has been synchronized.

    The following command output shows the sync status of the FIMs in a FortiGate-7000 chassis. The field in_sync=1 indicates that the configurations of the modules are synchronized.

    diagnose sys confsync status | grep in_sy
    FIM04E3E16000080, Slave, uptime=177426.45, priority=2, slot_id=1:2, idx=0, flag=0x0, in_sync=1
    FIM10E3E16000063, Master, uptime=177415.38, priority=1, slot_id=1:1, idx=1, flag=0x0, in_sync=1

    If in_sync is not equal to 1, or if a module is missing from the command output, you can try restarting the modules in the chassis by entering execute reboot from any module CLI. If this does not solve the problem, contact Fortinet support.

Uploading firmware from a TFTP server to an FPM

Use the following steps to upload firmware from a TFTP server to an FPM. This procedure requires Ethernet connectivity between the TFTP server and one of the MGMT interfaces of one of the FIMs in the same FortiGate-7000 as the FPM.

During this procedure, the FPM will not be able to process traffic so, if possible, perform this procedure when the network is not processing any traffic. However, the other FPMs and the FIMs in the chassis should continue to operate normally and the chassis can continue processing traffic.

If you are operating an HA configuration, you should remove the FortiGate-7000 from the HA configuration before performing this procedure.

  1. Set up a TFTP server and copy the firmware file to be installed into the TFTP server default folder.
  2. Set up your network to allow traffic between the TFTP server and a MGMT interface of one of the FIMs in the chassis that also includes the FPM.

    You can use any MGMT interface of either of the FIMs. If the MGMT interface you are using is one of the MGMT interfaces connected as a LAG to a switch, you must shut down or disconnect all of the other connections in the LAG from the switch. This includes the MGMT interfaces in the other FIM.

  3. Connect the console cable supplied with your chassis to the Console 1 port on your chassis front panel and to your management computer's RS-232 console port.
  4. Start a terminal emulation program on the management computer. Use these settings:
    Baud Rate (bps) 9600, Data bits 8, Parity None, Stop bits 1, and Flow Control None.
  5. Press Ctrl-T to enter console switch mode.
  6. Press Ctrl-T repeatedly until you have connected to the module to be updated. Example prompt:
    <Switching to Console: FPM03 (9600)>
  7. Optionally log into the FPM's CLI.
  8. Reboot the FPM to be updated.

    You can do this using the execute reboot command from the CLI or by pressing the power switch on the module front panel.

  9. When the FPM starts up, follow the boot process in the terminal session and press any key when prompted to interrupt the boot process.
  10. Press C to set up the TFTP configuration.
  11. Use the BIOS menu to set the following. Only change settings if required.

    [P]: Set image download port: The name of the FIM that can connect to the TFTP server (FIM01 is the FIM in slot 1 and FIM02 is the FIM in slot 2).

    [D]: Set DHCP mode: Disabled.

    [I]: Set local IP address: A temporary IP address to be used to connect to the TFTP server. This address must not be the same as the chassis management IP address and cannot conflict with other addresses on your network.

    [S]: Set local Subnet Mask: Set as required for your network.

    [G]: Set local gateway: Set as required for your network.

    [V]: Local VLAN ID: The VLAN ID of the FIM interface that can connect to the TFTP server:

    FIM01 local VLAN IDs

    Interface       MGMT1   MGMT2   MGMT3   MGMT4
    Local VLAN ID   11      12      13      14

    FIM02 local VLAN IDs

    Interface       MGMT1   MGMT2   MGMT3   MGMT4
    Local VLAN ID   21      22      23      24

    [T]: Set remote TFTP server IP address: The IP address of the TFTP server.

    [F]: Set firmware image file name: The name of the firmware file to be installed.

  12. Press Q to quit this menu.
  13. Press R to review the configuration.

    If you need to make any corrections, press C and make the changes as required. When the configuration is correct proceed to the next step.

  14. Press T to start the TFTP transfer.
    The firmware image is uploaded from the TFTP server and installed on the FPM which then reboots. When it starts up the module's configuration is reset to factory defaults. The module's configuration is synchronized to match the configuration of the primary module. The new module reboots again and can start processing traffic.
  15. Verify that the configuration has been synchronized.
    The following command output shows the sync status of the FIMs in a FortiGate-7000 chassis. The field in_sync=1 indicates that the configurations of the modules are synchronized.

    diagnose sys confsync status | grep in_sy
    FIM04E3E16000080, Slave, uptime=177426.45, priority=2, slot_id=1:2, idx=0, flag=0x0, in_sync=1
    FIM10E3E16000063, Master, uptime=177415.38, priority=1, slot_id=1:1, idx=1, flag=0x0, in_sync=1

    If in_sync is not equal to 1, or if a module is missing from the command output, you can try restarting the modules in the chassis by entering execute reboot from any module CLI. If this does not solve the problem, contact Fortinet support.
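The BIOS settings in step 11 of both procedures can be checked on the management computer before rebooting a module. The following is an added example, not part of the handbook or of any Fortinet tool: the function name, its parameters and the assumption that an FIM download port is one of MGMT1 to MGMT4 are illustrative; the VLAN IDs and the -1 setting are the handbook's.

```python
import ipaddress

# Local VLAN IDs from the handbook tables: FIM name -> MGMT interface -> VLAN ID.
FIM_VLAN_IDS = {
    "FIM01": {"MGMT1": 11, "MGMT2": 12, "MGMT3": 13, "MGMT4": 14},
    "FIM02": {"MGMT1": 21, "MGMT2": 22, "MGMT3": 23, "MGMT4": 24},
}
# Assumption: an FIM's [P] download port is one of the interfaces in those tables.
MGMT_PORTS = ("MGMT1", "MGMT2", "MGMT3", "MGMT4")


def check_tftp_plan(module, port, local_ip, netmask, gateway, vlan_id,
                    tftp_ip, in_use_ips, fim_interface=None):
    """Return a list of problems with planned BIOS TFTP settings (empty = OK).

    module is "FIM" or "FPM". in_use_ips lists addresses the temporary IP must
    not collide with (include the chassis management IP). fim_interface is used
    only for an FPM: the MGMT interface of the FIM that reaches the TFTP server.
    """
    problems = []
    local = ipaddress.ip_address(local_ip)
    tftp = ipaddress.ip_address(tftp_ip)
    net = ipaddress.ip_network(f"{local_ip}/{netmask}", strict=False)

    # [I] The temporary address must not collide with anything already in use.
    taken = {ipaddress.ip_address(ip) for ip in in_use_ips} | {tftp}
    if local in taken:
        problems.append(f"[I] {local_ip} is already in use")

    # [S]/[G] An off-subnet TFTP server is reachable only through a gateway
    # that sits on the local subnet.
    if tftp not in net and ipaddress.ip_address(gateway) not in net:
        problems.append("[G] TFTP server is off-subnet and the gateway "
                        "is not on the local subnet")

    if module == "FIM":
        if port not in MGMT_PORTS:
            problems.append(f"[P] {port} is not a MGMT interface")
        if vlan_id != -1:  # handbook FIM step: use -1 to clear the VLAN ID
            problems.append("[V] FIM procedure clears the local VLAN ID with -1")
    elif module == "FPM":
        expected = FIM_VLAN_IDS.get(port, {}).get(fim_interface)
        if port not in FIM_VLAN_IDS:
            problems.append(f"[P] {port} is not FIM01 or FIM02")
        elif expected is None:
            problems.append(f"[V] unknown FIM interface {fim_interface}")
        elif vlan_id != expected:
            problems.append(f"[V] {port} {fim_interface} needs local VLAN ID "
                            f"{expected}, not {vlan_id}")
    else:
        problems.append(f"unknown module type {module}")
    return problems
```
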
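The check in step 15 of both procedures (every module present and reporting in_sync=1) can be automated over a saved console capture. This is an added example, not part of the handbook: the function names are illustrative, the first sample is the output shown above, and the second sample and the extra expected serial number are constructed.

```python
import re

SERIAL = re.compile(r"\bF[IP]M[0-9A-Z]{6,}\b")  # a module serial starts an entry
FIELD = re.compile(r"(\w+)=([^\s,]+)")           # key=value pairs in an entry

# Output as shown in the handbook; the console wraps each entry over two lines.
HANDBOOK_SAMPLE = """\
FIM04E3E16000080, Slave, uptime=177426.45, priority=2,
slot_id=1:2, idx=0, flag=0x0, in_sync=1
FIM10E3E16000063, Master, uptime=177415.38, priority=1,
slot_id=1:1, idx=1, flag=0x0, in_sync=1
"""

# Constructed sample: the second module reports in_sync=0.
CONSTRUCTED_OUT_OF_SYNC = HANDBOOK_SAMPLE.replace(
    "idx=1, flag=0x0, in_sync=1", "idx=1, flag=0x0, in_sync=0")


def parse_confsync(output):
    """Map serial -> {role, slot_id, in_sync}, tolerating wrapped lines."""
    text = " ".join(output.split())          # undo console line wrapping
    starts = [m.start() for m in SERIAL.finditer(text)]
    modules = {}
    for begin, end in zip(starts, starts[1:] + [len(text)]):
        chunk = text[begin:end]              # one module's entry
        parts = [p.strip() for p in chunk.split(",")]
        fields = dict(FIELD.findall(chunk))
        modules[parts[0]] = {
            "role": parts[1] if len(parts) > 1 else None,
            "slot_id": fields.get("slot_id"),
            "in_sync": fields.get("in_sync"),
        }
    return modules


def sync_problems(output, expected_serials):
    """List modules that are missing from the output or not in_sync=1."""
    modules = parse_confsync(output)
    problems = [f"{s}: missing from output"
                for s in expected_serials if s not in modules]
    for serial, info in modules.items():
        if info["in_sync"] != "1":
            problems.append(f"{serial} (slot {info['slot_id']}): "
                            f"in_sync={info['in_sync']}")
    return problems


if __name__ == "__main__":
    expected = ["FIM04E3E16000080", "FIM10E3E16000063"]
    for line in sync_problems(CONSTRUCTED_OUT_OF_SYNC, expected) or ["all in sync"]:
        print(line)
```
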
