Handbook

Testing

6.0.0
Testing

The integrity of firmware images downloaded from Fortinet's support portal can be verified using a file checksum. A file checksum that does not match the expected value indicates a corrupt file. The corruption could be caused by errors in transfer or by file modification. A list of expected checksum values for each build of released code is available on Fortinet’s support portal.

Image integrity is also verified when the FortiGate is booting up. This integrity check is done through a cyclic redundancy check (CRC). If the CRC fails, the FortiGate unit will encounter an error during the boot process.

Lastly, firmware images are signed and the signature is attached to the code as it is built. When upgrading an image, the running OS will generate a signature and compare it with the signature attached to the image. If the signatures do not match, the new OS will not load.

Testing before installation

FortiOS lets you test a new firmware image by installing the firmware image from a system reboot and saving it to system memory. After completing this procedure, the FortiGate unit operates using the new firmware image with the current configuration. This new firmware image is not permanently installed. The next time the FortiGate unit restarts, it operates with the originally installed firmware image using the current configuration. If the new firmware image operates successfully, you can install it permanently using the procedure explained in Upgrading.

To use this procedure, you must connect to the CLI using the FortiGate console port and an RJ-45 to DB-9 or null modem cable. This procedure temporarily installs a new firmware image using your current configuration.

For this procedure, you must install a TFTP server that you can connect to from the FortiGate internal interface. The TFTP server should be on the same subnet as the internal interface.

To test the new firmware image:
  1. Connect to the CLI using an RJ-45 to DB-9 or null modem cable.
  2. Make sure the TFTP server is running.
  3. Copy the new firmware image file to the root directory of the TFTP server.
  4. Make sure the FortiGate unit can connect to the TFTP server using the execute ping command.
  5. Enter the following command to restart the FortiGate unit: execute reboot
  6. As the FortiGate unit reboots, press any key to interrupt the system startup. As the FortiGate unit starts, a series of system startup messages appears: Press any key to display configuration menu....
  7. Immediately press any key to interrupt the system startup.

    Note: You have only three (3) seconds to press any key. If you do not press a key quickly enough, the FortiGate unit reboots and you must log in and repeat the execute reboot command.

  8. If you successfully interrupt the startup process, the following messages appear:

    [G]: Get firmware image from TFTP server.

    [F]: Format boot device.

    [B]: Boot with backup firmware and set as default

    [C]: Configuration and information

    [Q]: Quit menu and continue to boot with default firmware.

    [H]: Display this list of options.

    Enter G, F, Q, or H:

  9. Type G to get the new firmware image from the TFTP server. The following message appears: Enter TFTP server address [192.168.1.168]:
  10. Type the address of the TFTP server and press Enter. The following message appears: Enter Local Address [192.168.1.188]:
  11. Type an IP address of the FortiGate unit to connect to the TFTP server. The IP address must be on the same network as the TFTP server.

    Note: Make sure you do not enter the IP address of another device on this network.

  12. The following message appears: Enter File Name [image.out]:
  13. Enter the firmware image file name and press Enter. The TFTP server uploads the firmware image file to the FortiGate unit and the following appears: Save as Default firmware/Backup firmware/Run image without saving: [D/B/R]
  14. Type R. The FortiGate image is installed to system memory and the FortiGate unit starts running the new firmware image, but with its current configuration.

You can test the new firmware image as required. When done testing, you can reboot the FortiGate unit, and the FortiGate unit will resume using the firmware that was running before you installed the test firmware.
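The checksum check described at the top of this page can be enforced at step 3, before the image is placed in the TFTP root; TFTP itself provides no authentication or integrity protection. The following is an added example, not Fortinet code: the function names and the inference of the hash algorithm from the digest length are assumptions, and the expected value is whatever you copied from the support portal for that build.

```python
import hashlib
import hmac
import shutil
import sys
from pathlib import Path

# Hex digest length -> algorithm (assumption: the portal value is hex-encoded).
# MD5 and SHA-1 are collision-broken; prefer the longest digest the portal offers.
ALGO_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}


def file_digest(path, algo, chunk_size=1 << 20):
    """Hash the file in chunks so a large image is never held in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_image(path, expected_hex):
    """Return (ok, algo, actual) for an image against its expected checksum."""
    expected = expected_hex.strip().lower()
    algo = ALGO_BY_HEX_LEN.get(len(expected))
    if algo is None or any(c not in "0123456789abcdef" for c in expected):
        raise ValueError("expected checksum is not a recognised hex digest")
    actual = file_digest(path, algo)
    return hmac.compare_digest(actual, expected), algo, actual


def stage_for_tftp(image, expected_hex, tftp_root):
    """Copy the image into the TFTP root only if its checksum matches."""
    ok, algo, actual = verify_image(image, expected_hex)
    if not ok:
        raise RuntimeError(f"{algo} mismatch for {image}: got {actual}")
    dest = Path(tftp_root) / Path(image).name
    shutil.copyfile(image, dest)
    # Re-check the staged copy so a truncated copy is never served to the unit.
    if not verify_image(dest, expected_hex)[0]:
        dest.unlink()
        raise RuntimeError(f"staged copy {dest} failed verification")
    return dest


if __name__ == "__main__":
    # usage: stage_image.py <image file> <expected checksum> <tftp root dir>
    print("staged", stage_for_tftp(sys.argv[1], sys.argv[2], sys.argv[3]))
```

A mismatch raises before anything is written to the TFTP root, so an unverified image is never available for the boot menu's G option to fetch.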
