Fortinet black logo

FortiGate-6000 and FortiGate-7000 Release Notes

HA graceful upgrade to FortiOS 6.0.6

HA graceful upgrade to FortiOS 6.0.6

Use the following steps to upgrade a FortiGate-6000 or 7000 HA cluster with uninterruptible-upgrade enabled from FortiOS 5.6.7, 5.6.11, or 6.0.4 to FortiOS 6.0.6 Build 6392.

Enabling uninterruptible-upgrade allows you to upgrade the firmware of an operating FortGate-6000 or 7000 HA cluster with only minimal traffic interruption. During the upgrade, the secondary FortiGate upgrades first. Then a failover occurs and the newly upgraded FortiGate becomes the primary FortiGate and the firmware of the new secondary FortiGate upgrades.

This procedure supports upgrading from the following firmware versions:

  • FortiOS 5.6.7 build 4214 or 4261.
  • FortiOS 5.6.11 build 4279.
  • FortiOS 6.0.4 build 6145 or 8405.

Performing this upgrade requires installing an interim upgrade support image before installing the final FortiOS 6.0.6 firmware image.

Starting image Upgrade support image Final image
5.6.7 build 4214 or 4261 6.0.4 build 8428 6.0.6 Build 6392

5.6.11 build 4279

6.0.4 build 8428

6.0.6 Build 6392

6.0.4 build 6145 or 8405 6.0.4 build 8428 6.0.6 Build 6392

You can download the upgrade support image from the https://support.fortinet.com FortiOS 6.0.6 firmware image download folder. The upgrade support images have the following file names:

  • FortiGate 6000F: FGT_6000F-v6-build8428-Upgrade-Support-FORTINET.out
  • FortiGate 7000E: FGT_7000E-v6-build8428-Upgrade-Support-FORTINET.out

To verify that you have installed the correct upgrade support image, after installing it you can use the get system status command or the System Information dashboard widget to verify that the firmware version is FortiOS 6.0.4 B8428.

To perform a graceful upgrade of your FortiGate-6000 or 7000 to FortiOS 6.0.6 Build 6392:

  1. Use the following command to enable uninterruptible-upgrade to support HA graceful upgrade:

    config system ha

    set session-pickup enable

    set uninterruptible-upgrade enable

    end

  2. Download the FortiGate-6000 or 7000 upgrade support image file from the https://support.fortinet.com FortiOS 6.0.6 firmware image folder.

  3. Perform a normal upgrade of your HA cluster using the upgrade support image.

  4. Verify that you have installed the correct interim firmware version. For example, for the FortiGate-7040E:

    get system status
    Version: FortiGate-7040E v6.0.4,build8428,190813 (GA)
    ...
  5. Download the FortiGate-6000 or 7000 FortiOS 6.0.6 build 6392 firmware image file from the https://support.fortinet.com FortiOS 6.0.6 firmware image folder.

  6. Perform a normal upgrade of your HA cluster to FortiOS 6.0.6 Build 6392.

  7. Wait a few minutes, and when the upgrade is complete, verify that you have installed the correct firmware version. For example, for the FortiGate-7040E:

    get system status
    Version: FortiGate-7040E v6.0.6,build6392,190822 (GA)
    ...
  8. After the firmware upgrade, you should manually delete IPsec VPN load balancing flow rules, see Manually deleting IPsec VPN load balancing flow rules.

HA graceful upgrade to FortiOS 6.0.6

Use the following steps to upgrade a FortiGate-6000 or 7000 HA cluster with uninterruptible-upgrade enabled from FortiOS 5.6.7, 5.6.11, or 6.0.4 to FortiOS 6.0.6 Build 6392.

Enabling uninterruptible-upgrade allows you to upgrade the firmware of an operating FortGate-6000 or 7000 HA cluster with only minimal traffic interruption. During the upgrade, the secondary FortiGate upgrades first. Then a failover occurs and the newly upgraded FortiGate becomes the primary FortiGate and the firmware of the new secondary FortiGate upgrades.

This procedure supports upgrading from the following firmware versions:

  • FortiOS 5.6.7 build 4214 or 4261.
  • FortiOS 5.6.11 build 4279.
  • FortiOS 6.0.4 build 6145 or 8405.

Performing this upgrade requires installing an interim upgrade support image before installing the final FortiOS 6.0.6 firmware image.

Starting image Upgrade support image Final image
5.6.7 build 4214 or 4261 6.0.4 build 8428 6.0.6 Build 6392

5.6.11 build 4279

6.0.4 build 8428

6.0.6 Build 6392

6.0.4 build 6145 or 8405 6.0.4 build 8428 6.0.6 Build 6392

You can download the upgrade support image from the https://support.fortinet.com FortiOS 6.0.6 firmware image download folder. The upgrade support images have the following file names:

  • FortiGate 6000F: FGT_6000F-v6-build8428-Upgrade-Support-FORTINET.out
  • FortiGate 7000E: FGT_7000E-v6-build8428-Upgrade-Support-FORTINET.out

To verify that you have installed the correct upgrade support image, after installing it you can use the get system status command or the System Information dashboard widget to verify that the firmware version is FortiOS 6.0.4 B8428.

To perform a graceful upgrade of your FortiGate-6000 or 7000 to FortiOS 6.0.6 Build 6392:

  1. Use the following command to enable uninterruptible-upgrade to support HA graceful upgrade:

    config system ha

    set session-pickup enable

    set uninterruptible-upgrade enable

    end

  2. Download the FortiGate-6000 or 7000 upgrade support image file from the https://support.fortinet.com FortiOS 6.0.6 firmware image folder.

  3. Perform a normal upgrade of your HA cluster using the upgrade support image.

  4. Verify that you have installed the correct interim firmware version. For example, for the FortiGate-7040E:

    get system status
    Version: FortiGate-7040E v6.0.4,build8428,190813 (GA)
    ...
  5. Download the FortiGate-6000 or 7000 FortiOS 6.0.6 build 6392 firmware image file from the https://support.fortinet.com FortiOS 6.0.6 firmware image folder.

  6. Perform a normal upgrade of your HA cluster to FortiOS 6.0.6 Build 6392.

  7. Wait a few minutes, and when the upgrade is complete, verify that you have installed the correct firmware version. For example, for the FortiGate-7040E:

    get system status
    Version: FortiGate-7040E v6.0.6,build6392,190822 (GA)
    ...
  8. After the firmware upgrade, you should manually delete IPsec VPN load balancing flow rules, see Manually deleting IPsec VPN load balancing flow rules.