Upgrade information
FortiGate-7000 v5.4.9 build 8110 supports upgrading from any FortiGate-7000 v5.4.5 release.
All of the modules in your FortiGate-7000 run the same firmware image. You upgrade the firmware from the primary FIM GUI or CLI just as you would any FortiGate product. During the upgrade process the firmware of all of the modules in the chassis upgrades in one step. Firmware upgrades should be done during a quiet time because traffic will briefly be interrupted during the upgrade process.
Before beginning a firmware upgrade, Fortinet recommends the following:
- Review the latest release notes for the firmware version that you are upgrading to.
- Verify the recommended upgrade path as documented in the release notes.
- Backup your FortiGate-7000 HA configuration.
- Review the services provided by your FortiGate-7000 before the upgrade and then again after the upgrade to make sure everything continues to operate normally. For example, you might want to verify that you can successfully access a key server used by your organization before the upgrade and make sure after the upgrade that you can still reach the server and that performance is comparable. You could also take a snapshot of key performance indicators (number of sessions, CPU usage, and memory usage) before the upgrade and verify that you see comparable performance after the upgrade .
Upgrading FortiGate-7000 HA cluster firmware
Fortinet recommends upgrading your FortiGate-7000 HA configuration firmware with uninterruptable-upgrade
enabled. With uninterruptable-upgrade
enabled, the FortiGate-7000 HA configuration goes through a multi-step process to upgrade the firmware of all components in the configuration. Since many components are involved, the entire upgrade process may take a few minutes. It all happens automatically and should cause only minor traffic disruptions. Because of the possible disruptions, you should upgrade HA cluster firmware when traffic is low or during a maintenance period.
Use the following command to enable uninterruptable-upgrade:
config system ha
set uninterruptable-upgrade enable
end
The following steps happen in the background when upgrading the firmware running on a FortiGate-7000 HA cluster with uninterruptable-upgrade
enabled.
- The firmware upgrade downloads to the primary (master) FortiGate-7000.
- The primary FortiGate-7000 sends a copy of the firmware upgrade file to the backup (slave) FortiGate-7000.
- The backup FortiGate-7000 upgrades its firmware, restarts, and rejoins the cluster.
- The primary FortiGate-7000 verifies that all members of the backup FortiGate-7000 can process traffic. The firmware upgrade will not proceed until all of the backup FortiGate-7000 components are operating.
- The primary FortiGate-7000 then sends a switchover command and the backup FortiGate-7000 becomes the primary FortiGate-7000.
- The new primary FortiGate-7000 sends gratuitous ARP packets to inform attached network devices to send packets to the new primary FortiGate-7000.
- Traffic switches over to the new primary FortiGate-7000.
- The original primary FortiGate-7000 upgrades its firmware, restarts, and rejoins the cluster as the backup FortiGate-7000.
The amount of time this process takes and the probability of minor traffic disruptions depends on the number of modules in your FortiGate-7000 and on traffic load conditions, the network configuration, and how quickly the gratuitous ARP packets update network devices.