Use the following procedure to upload firmware from a TFTP server to an FPM. To perform the upgrade, you must first upload the firmware file to the TFTP server on one of the FIMs.
This procedure also involves connecting to the FPM CLI using a FortiGate-7000F front panel SMM console port, rebooting the FPM, interrupting the boot from the console session, and following FPM BIOS prompts to install the firmware from the FIM TFTP server.
During this procedure, the FPM will not be able to process traffic. However, the other FPMs and the FIMs should continue to operate normally.
Set up a TFTP server and copy the firmware file into the TFTP server default folder.
Set up your network to allow traffic between the TFTP server and the MGMT1 or MGMT2 interface of one of the FIMs.
Log into the CLI of the FIM.
Enter the following command to upload the firmware file from the TFTP server to the FIM:
execute upload image tftp <firmware-filename> comment <tftp-server-ip-address>
Enter the following command to verify that the firmware file has been uploaded to the FIM:
fnsysctl ls /data2/tftproot/
Confirm the internal address of FIM, which is also the address of the FIM's TFTP server:
fnsysctl ifconfig base-tftp
base-tftp Link encap:Ethernet HWaddr 06:76:A0:75:E8:F1
inet addr:169.254.254.1 Bcast:169.254.254.255 Mask:255.255.255.0
The internal IP addresses of each FIM and FPM is
Using the console cable supplied with your FortiGate-7000F, connect the SMM Console 1 port on the FortiGate-7000F to the USB port on your management computer.
Start a terminal emulation program on the management computer. Use these settings:
Baud Rate (bps) 9600, Data bits 8, Parity None, Stop bits 1, and Flow Control None.
Press Ctrl-T to enter console switch mode.
Repeat pressing Ctrl-T until you have connected to the module to be updated. Example prompt:
<Switching to Console: FPM03 (9600)>
Optionally log into the FPM's CLI.
Reboot the FPM.
You can do this using the
execute rebootcommand from the FPM's CLI or by pressing the power switch on the FPM front panel.
When the FPM starts up, follow the boot process in the terminal session and press any key when prompted to interrupt the boot process.
To set up the TFTP configuration, press C.
Use the BIOS menu to set the following. Change settings only if required.
[P]: Set image download port:FIM01 TFTP Server (the FIM that you uploaded the firmware file to).
[D]: Set DHCP mode:Disabled.
[I]: Set local IP address:The internal IP address of the FPM. For example, if you are installing firmware on the FPM in slot 5, the local IP address of the FPM in slot 5 is 169.254.254.5.
[S]: Set local Subnet Mask: 255.255.255.0.
[G]: Set local gateway: 169.254.254.1.
[V]: Local VLAN ID: Should be set to
<none>. (use -1 to set the Local VLAN ID to
[T]: Set remote TFTP server IP address: The internal IP address of the FIM that you uploaded to the firmware file to. For example: 169.254.254.1 for the FIM in slot 1.
[F]: Set firmware image file name: The name of the firmware file that you want to install.
To quit this menu, press Q.
To review the configuration, press R.
To make corrections, press C and make the changes as required. When the configuration is correct proceed to the next step.
To start the TFTP transfer, press T.
The firmware image is uploaded from the TFTP server of the FIM and installed on the FPM. The FPM then restarts with its configuration reset to factory defaults. After restarting, the FPM configuration is synchronized to match the configuration of the primary FPM. The FPM restarts again and can start processing traffic.
Once the FPM restarts, verify that the correct firmware is installed.
You can do this from the FPM GUI dashboard or from the FPM CLI using the
get system statuscommand.
Verify that the configuration has been synchronized.
The following command output shows the sync status of a FortiGate-7121F. The field
in_sync=1indicates that the configurations of the FIMs and FPMs are synchronized.
diagnose sys confsync status | grep in_sy FIM21FTB21000068, Secondary, uptime=210445.62, priority=2, slot_id=1:1, idx=1, flag=0x0, in_sync=1 FIM21FTB21000063, Primary, uptime=351403.75, priority=1, slot_id=1:2, idx=0, flag=0x0, in_sync=1 FPM20FTB20990039, Secondary, uptime=351253.83, priority=18, slot_id=1:5, idx=2, flag=0x64, in_sync=1 FPM20FTB20990047, Secondary, uptime=352.27, priority=16, slot_id=1:3, idx=3, flag=0x64, in_sync=1 FPM20FTB20990078, Secondary, uptime=227839.73, priority=17, slot_id=1:4, idx=4, flag=0x64, in_sync=1 FPM20FTB20990091, Secondary, uptime=351248.85, priority=22, slot_id=1:9, idx=5, flag=0x64, in_sync=1 FPM20FTB20990095, Secondary, uptime=351240.13, priority=20, slot_id=1:7, idx=6, flag=0x64, in_sync=1 FPM20FTB21900096, Secondary, uptime=351272.50, priority=24, slot_id=1:11, idx=7, flag=0x64, in_sync=1 FPM20FTB21900179, Secondary, uptime=351247.07, priority=19, slot_id=1:6, idx=8, flag=0x64, in_sync=1 FPM20FTB21900182, Secondary, uptime=351242.02, priority=25, slot_id=1:12, idx=9, flag=0x64, in_sync=1 FPM20FTB21900203, Secondary, uptime=351228.51, priority=21, slot_id=1:8, idx=10, flag=0x64, in_sync=1 FPM20FTB21900211, Secondary, uptime=351252.93, priority=23, slot_id=1:10, idx=11, flag=0x64, in_sync=1 FPM20FTB20990047, Secondary, uptime=351252.27, priority=16, slot_id=1:3, idx=2, flag=0x4, in_sync=1 FIM21FTB21000063, Primary, uptime=351403.75, priority=1, slot_id=1:2, idx=0, flag=0x0, in_sync=1 FIM21FTB21000068, Secondary, uptime=210445.62, priority=2, slot_id=1:1, idx=1, flag=0x0, in_sync=1 FPM20FTB20990078, Secondary, uptime=227839.73, priority=17, slot_id=1:4, idx=2, flag=0x4, in_sync=1
FIMs and FPMs that are missing or that show
in_sync=0are not synchronized. To synchronize an FIM or FPM that is not synchronized, log into the CLI of the FIM or FPM and restart it using the
execute rebootcommand . If this does not solve the problem, contact Fortinet Support at https://support.fortinet.com.
The command output also shows that the uptime of the FPM in slot 3 is lower than the uptime of the other modules, indicating that the FPM in slot 3 has recently restarted.
If you enter the
diagnose sys confsync status | grep in_sycommand before the FPM has restarted, it will not appear in the command output. As well, the Configuration Sync Monitor will temporarily show that it is not synchronized.