Upgrading a firewall is something that should be compared to upgrading the operating system on your computer. It is not to be taken lightly. Make sure that everything is backed up and that you have options available if things go awry. Assuming it all seems to work, you also want a list of things to do in order to confirm that everything is working properly. Finally, you need enough time to do it. All really simple stuff, but what does this mean in relation to upgrading your FortiGate? It means, you follow these simple steps:
Backup and store old configuration (full configuration backup from CLI).
Digging into this a little, step 1 is easy to understand. Do a full backup of your old configuration. This is all part of your disaster recovery plan. If the upgrade fails in some way you need to make sure you can get the Firewall back up and running. The best way to do this is to get it back to a state where you know what the behavior was. For more information, refer to Performing a configuration backup.
Have copy of old firmware available.
Step 2, is also part of your disaster recovery. If the upgrade fails you might be able to switch the active partition. You need to be prepared for the worst case scenario where you cannot do that. This means that you will need your old firmware.
Have disaster recovery option on standby - especially if remote.
Step 3, is your plan for what to do in the event of a critical failure. As we are talking FortiGate this means that your firewall does not come back after the upgrade. What this means is that you need to be able to get to the console port in order to find out why. Maybe it is DHCP and the IP changed, maybe the OS is corrupt, who knows. Get to the console and find out.
There could be a simple fix. If not, then be prepared for a format and TFTP reload.
Read the release notes, including the upgrade path and bug information.
Step 4, READ THE RELEASE NOTES. They contain all kinds of information, known bugs, fixed bugs even upgrade issues like lost configuration settings. Not all upgrade information is ever contained in any products release notes. That does not mean they are devoid of good/useful information. Read them, digest them, then a few days later read them again.
Double check everything.
Step 5, do a double check of everything. Is your TFTP server working, does your console connection function, is there anything in the release notes that could impact your upgrade procedure, do you have your configuration backed up? Make sure that you have done everything.
Step 6, do the upgrade. Doing an upgrade does not take very long, a few minutes (less a lot of times) but make sure that you schedule enough time for it. At the end of the day an upgrade can succeed or fail. If it succeeds, you want some time to check/confirm that any important features you have are working (VPNs etc). If it fails, you will need time to sort things out.