AWS Administration Guide

Upgrading the deployment


The following steps apply firmware updates to the FortiGate instances that the AWS Autoscaling deployment created.

Caution

Back up all FortiGate configurations prior to upgrading the FortiGate instances.

To upgrade the deployment:
  1. Edit the autoscaling group to suspend the health check, launch, and terminate processes:
    1. In the AWS management console, go to EC2 > Auto Scaling > Auto Scaling Groups.
    2. Edit the desired pay-as-you-go (PAYG) and/or bring your own license (BYOL) autoscaling group.
    3. On the Details tab, go to Advanced Configurations, then click Edit.
    4. From the Suspended Processes dropdown list, select Health Check, Launch, and Terminate.
    5. Click Update to save the changes.
    Caution

    Using the Instance Refresh option is not recommended, as this is designed for truly ephemeral instances, which the FortiGate instances may not be.

  2. Confirm the new AMI ID for PAYG or BYOL as desired for your region.
    Note

    You can find the specific FortiGate AMI ID by going to the marketplace listing for FortiGate PAYG or BYOL, selecting Subscribe, continuing to configuration and confirming the desired region, then copying the AMI ID.

  3. Edit the launch template or create a new one. You will need to create a new template version that references the new FortiGate version's AMI ID, so that autoscaling uses the new version for new instances:
    1. Go to EC2 > Instances > Launch Templates.
    2. Select the desired launch template for FortiGate BYOL and PAYG.
    3. From the Actions menu, select Modify Template (Create new version).
    4. Under Application and OS Images, paste the AMI ID that you confirmed in step 2 into the search bar.
    5. Select the desired FortiGate marketplace offering.
    6. Click Continue. EC2 may display a warning that your security group rules may be overridden if you proceed. Under Network settings > Firewall (security groups), click Select existing security group, and select the previously selected security group before saving or creating a new version of the launch template.

  4. Edit the BYOL or PAYG autoscaling group and update the launch template version to the new version:
    1. Go to EC2 > Auto Scaling > Auto Scaling Groups.
    2. Select the desired scaling group.
    3. In LAUNCH TEMPLATE, select Edit.
    4. From the Version dropdown list, select the new version.
    5. Click Update.
  5. Manually apply the update to existing instances. Starting the upgrade process on the secondary autoscale FortiGates, then the primary FortiGate, is recommended. The firmware upgrade option is only available when logged in with administrator read-write privileges. Do one of the following:
    1. In FortiOS, go to System > Firmware. Select FortiGuard Firmware, then Backup Config. Upgrade to the latest available firmware.
    2. Log in to FortiOS as the admin user. Go to System > Firmware. Under Upload Firmware, browse to and locate the previously downloaded firmware image file. Click Backup config and upgrade. The FortiGate backs up the current configuration to the management computer, uploads the firmware image file, upgrades to the new firmware version, and restarts. This process takes a few minutes.
  6. Resume health check, launch, and terminate processes:
    1. Go to EC2 > Auto Scaling Groups.
    2. Edit the desired autoscaling group.
    3. Go to Advanced Configuration > Edit.
    4. Deselect Health Check, Launch Instances, and Terminate Instances.
    5. Click Update.
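
The procedure depends on the three processes being suspended for the whole upgrade and resumed afterwards, with the group pointing at the new launch template version. The following check is an added example, not part of the Fortinet guide: it reads the JSON printed by `aws autoscaling describe-auto-scaling-groups` and reports any group that is in the wrong state for the given phase. The group names, template IDs and version numbers are constructed, and each group is assumed to reference a launch template directly rather than through a mixed instances policy.

```python
import json

# Process names as they appear in `aws autoscaling describe-auto-scaling-groups`.
REQUIRED = {"HealthCheck", "Launch", "Terminate"}


def check_group(group, phase, new_version=None):
    """phase "upgrade": steps 1-5 running, all three processes must be suspended.
    phase "done": step 6 finished, none suspended and the new version selected."""
    name = group["AutoScalingGroupName"]
    suspended = {p["ProcessName"] for p in group.get("SuspendedProcesses", [])}
    if phase == "upgrade":
        return [f"{name}: {p} is still active during the upgrade"
                for p in sorted(REQUIRED - suspended)]
    if phase != "done":
        raise ValueError(f"unknown phase: {phase}")
    findings = [f"{name}: {p} is still suspended after the upgrade"
                for p in sorted(REQUIRED & suspended)]
    version = group.get("LaunchTemplate", {}).get("Version")
    if new_version is not None and version != str(new_version):
        findings.append(
            f"{name}: launch template version is {version}, expected {new_version}")
    return findings


def check_output(raw_json, phase, new_version=None):
    """Check every group in a describe-auto-scaling-groups JSON document."""
    findings = []
    for group in json.loads(raw_json)["AutoScalingGroups"]:
        findings.extend(check_group(group, phase, new_version))
    return findings


# Constructed sample (not from a real account): the BYOL group is resumed and
# repointed; the PAYG group still has Terminate suspended and the old version.
SAMPLE = json.dumps({"AutoScalingGroups": [
    {"AutoScalingGroupName": "fgt-byol-asg", "SuspendedProcesses": [],
     "LaunchTemplate": {"LaunchTemplateId": "lt-EXAMPLE1", "Version": "4"}},
    {"AutoScalingGroupName": "fgt-payg-asg",
     "SuspendedProcesses": [{"ProcessName": "Terminate"}],
     "LaunchTemplate": {"LaunchTemplateId": "lt-EXAMPLE2", "Version": "3"}},
]})

if __name__ == "__main__":
    print("\n".join(check_output(SAMPLE, "done", new_version=4)))
```

A group left with Health Check or Terminate suspended after step 6 keeps unhealthy FortiGate instances in service, so an empty result for the `done` phase is the condition to confirm before closing the change.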
