Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • New Features

    7.4.0
    7.6.0
    7.4.0
    7.2.0
    7.0.0
    6.4.0
    6.2.0

    Support Hitless Rolling AP upgrade 7.4.2

    Support Hitless Rolling AP upgrade 7.4.2

    Note

    This information is also available in the FortiWiFi and FortiAP 7.4 Configuration Guide:

    This release introduces Hitless Rolling upgrades for FortiAPs. When upgrading FortiAPs, an algorithm considers the reach of neighboring APs and their locations. The APs are then upgraded in staggered process with some APs being immediately upgraded while others continue to provide Wi-Fi service to clients and are placed in a standby queue. Once the SSIDs on the initial upgraded APs are able to serve clients, the APs in the standby queue begin upgrading.

    CLI changes

    The following CLI commands for configuring Hitless Rolling AP upgrades have been added to both global settings and per-VDOM settings:

    Enabling Hitless Rolling Upgrade at the global level
    config wireless-controller global
  set rolling-wtp-upgrade {Enable | disable}
  set rolling-wtp-upgrade-threshold <integer>
end
    rolling-wtp-upgrade

    Enable/disable rolling WTP upgrade (default = disable).

    Note: Enabling this at the global-level will enforce all managed FortiAPs in all VDOMs to implement the rolling upgrade, regardless of the VDOM-level settings.

    rolling-wtp-upgrade-threshold

    Minimum signal level/threshold in dBm required for the managed WTP to be included in rolling WTP upgrade (-95 to -20, default = -80).
    Enabling Hitless Rolling Upgrade at the per-VDOM level
    config wireless-controller setting
  set rolling-wtp-upgrade {Enable | disable}
end
    rolling-wtp-upgrade

    Enable/disable rolling WTP upgrade (default = disable).

    Note: Enabling this at the VDOM-level will let managed FortiAPs in the current VDOM to implement the rolling upgrade, regardless of the global-level setting.
    Executing Hitless Rolling Upgrade
    exec wireless-controller rolling-wtp-upgrade <all>|<SN>|<wtp-group>
    rolling-wtp-upgrade

    Select which APs you want to upgrade with the Hitless Rolling upgrade. You can select all APs, by their WTP serial number, or WTP group.
    To configure Hitless Rolling AP upgrade - GUI

    1. Before you can run Hitless Rolling AP upgrade from the GUI, you must first enable rolling-wtp-upgrade and configure the rolling-wtp-upgrade-threshold level in the CLI.

      config wireless-controller global
  set rolling-wtp-upgrade enable
  set rolling-wtp-upgrade-threshold -70
end
      config wireless-controller setting
  set rolling-wtp-upgrade enable
end

    2. From the FortiGate GUI, go to WiFi & Switch Controller > Managed FortiAPs.

    3. Select multiple FortiAPs of the same model, and then right-click and select Upgrade.

      The Upgrade FortiAPs window loads.

    4. Upload the FortiAP image file and click Upgrade.

      The FortiAPs are automatically upgraded using the Hitless Rolling upgrade method.

    5. Some FortiAPs immediately begin upgrading while others are marked with "ISSU queued". In-Service Software Upgrade (ISSU) indicates that these are the standby APs that continue to provide Wi-Fi service to clients and are queued to be upgraded later.

    6. Once the first batch of FortiAPs are upgraded and can provide service, the ISSU queued FortiAPs will begin upgrading.

    To configure Hitless Rolling AP upgrade - CLI

    1. Enable rolling-wtp-upgrade at either the global or VDOM level and configure the rolling-wtp-upgrade-threshold level.

      config wireless-controller global
  set rolling-wtp-upgrade enable
  set rolling-wtp-upgrade-threshold -70
end
      config wireless-controller setting
  set rolling-wtp-upgrade enable
end

    2. Upload FortiAP images to FortiGate and check the image list. In this example, FAP231F is uploaded:

      execute wireless-controller upload-wtp-image tftp /FortiAP/v7.00/images/build0626/FAP_231F-v7-build0626-FORTINET.out 172.18.52.254

    3. Verify the uploaded FortiAP images:

      execute wireless-controller list-wtp-image
WTP Images on AC:
ImageName                              ImageSize(B)   ImageInfo             ImageMTime
…
FP231F-v7.4.2-build0626-IMG.wtp        37605058       FP231F-v7.4-build0626  Mon Nov 27 10:39:53 2023

    4. Run the Rolling WTP Upgrade and prepare to check the FortiAP upgrade status.

      exec wireless-controller rolling-wtp-upgrade all

    5. Promptly check the FortiAP upgrade status to verify that the APs are upgrading:

      diagnose wireless-controller wlac -c ap-upd

1,50,66 0-FP231FTF23037012 FP231F-v7.4-build0591 ==> FP231F-v7.4-build0626 ws (0-10.233.10.7:5246) upd-download,3 5%           <- The image download has started (may still be blocked by concurrent AP image downloading limit)
2,50,66 0-FP231FTF23037026 FP231F-v7.4-build0591 ==> FP231F-v7.4-build0626 ws (0-10.233.10.3:5246) upd-download,3 6%
3,50,66 0-FP231FTF23037047 FP231F-v7.4-build0591 ==> FP231F-v7.4-build0626 ws (0-10.233.10.24:5246) upd-download,3 6%
…
15,50,66 0-FP431FTF23000559 FP431F-v7.4-build0591 ==> FP431F-v7.4-build0626 ws (0-10.233.30.40:5246) upd-enqueue-issu,4 0%      <- In queue for rolling AP upgrade to avoid Wi-Fi service drop
16,50,66 0-FP431FTF23021146 FP431F-v7.4-build0591 ==> FP431F-v7.4-build0626 ws (0-10.233.30.42:5246) upd-enqueue-issu,4 0%
…
19,50,66 0-FP433FTF21001215 FP433F-v7.4-build0591 ==> FP433F-v7.4-build0626 ws (0-10.233.30.41:5246) upd-enqueue-issu,4 0%
…

    6. After a few minutes, check the FortiAP upgrade status again to see any changes:

      diagnose wireless-controller wlac -c ap-upd

1,44,66 0-FP231FTF23037012 FP231F-v7.4-build0626 ws (0-10.233.10.7:5246) upd-ap-up,58      <- The AP has reconnected after image upgrade
…
7,44,66 0-FP231FTF23037232 FP231F-v7.4-build0626 ws (0-10.233.10.36:5246) upd-ssid-up,5    <- The AP's SSIDs are UP after image upgrade
…
15,44,66 0-FP431FTF23000559 FP431F-v7.4-build0591 ==> FP431F-v7.4-build0626 ws (0-10.233.30.40:5246) upd-enqueue-issu,404 0%      <- Still in queue for rolling AP upgrade to avoid Wi-Fi service drop
16,44,66 0-FP431FTF23021146 FP431F-v7.4-build0591 ==> FP431F-v7.4-build0626 ws (0-10.233.30.42:5246) upd-enqueue-issu,404 0%
…
19,44,66 0-FP433FTF21001215 FP433F-v7.4-build0591 ==> FP433F-v7.4-build0626 ws (0-10.233.30.41:5246) upd-enqueue-issu,404 0%
…

    7. After a few more minutes, check the FortiAP upgrade status again to see APs in the queue begin upgrading:

      diagnose wireless-controller wlac -c ap-upd

1,48,66 0-FP231FTF23037012 FP231F-v7.4-build0626 ws (0-10.233.10.7:5246) upd-ssid-up,6
…
15,48,66 0-FP431FTF23000559 FP431F-v7.4-build0591 ==> FP431F-v7.4-build0626 ws (0-10.233.30.40:5246) upd-download,12 48%      <- Previously queued APs have begun the upgrade process since enough SSIDs from other APs are up to provide service
16,48,66 0-FP431FTF23021146 FP431F-v7.4-build0591 ==> FP431F-v7.4-build0626 ws (0-10.233.30.42:5246) upd-download,12 49%
…
19,48,66 0-FP433FTF21001215 FP433F-v7.4-build0591 ==> FP433F-v7.4-build0626 ws (0-10.233.30.41:5246) upd-download,12 47%
…
    Previous
    Next

    Support Hitless Rolling AP upgrade 7.4.2

    Support Hitless Rolling AP upgrade 7.4.2

    Note

    This information is also available in the FortiWiFi and FortiAP 7.4 Configuration Guide:

    This release introduces Hitless Rolling upgrades for FortiAPs. When upgrading FortiAPs, an algorithm considers the reach of neighboring APs and their locations. The APs are then upgraded in staggered process with some APs being immediately upgraded while others continue to provide Wi-Fi service to clients and are placed in a standby queue. Once the SSIDs on the initial upgraded APs are able to serve clients, the APs in the standby queue begin upgrading.

    CLI changes

    The following CLI commands for configuring Hitless Rolling AP upgrades have been added to both global settings and per-VDOM settings:

    Enabling Hitless Rolling Upgrade at the global level
    config wireless-controller global
  set rolling-wtp-upgrade {Enable | disable}
  set rolling-wtp-upgrade-threshold <integer>
end
    rolling-wtp-upgrade

    Enable/disable rolling WTP upgrade (default = disable).

    Note: Enabling this at the global-level will enforce all managed FortiAPs in all VDOMs to implement the rolling upgrade, regardless of the VDOM-level settings.

    rolling-wtp-upgrade-threshold

    Minimum signal level/threshold in dBm required for the managed WTP to be included in rolling WTP upgrade (-95 to -20, default = -80).
    Enabling Hitless Rolling Upgrade at the per-VDOM level
    config wireless-controller setting
  set rolling-wtp-upgrade {Enable | disable}
end
    rolling-wtp-upgrade

    Enable/disable rolling WTP upgrade (default = disable).

    Note: Enabling this at the VDOM-level will let managed FortiAPs in the current VDOM to implement the rolling upgrade, regardless of the global-level setting.
    Executing Hitless Rolling Upgrade
    exec wireless-controller rolling-wtp-upgrade <all>|<SN>|<wtp-group>
    rolling-wtp-upgrade

    Select which APs you want to upgrade with the Hitless Rolling upgrade. You can select all APs, by their WTP serial number, or WTP group.
    To configure Hitless Rolling AP upgrade - GUI

    1. Before you can run Hitless Rolling AP upgrade from the GUI, you must first enable rolling-wtp-upgrade and configure the rolling-wtp-upgrade-threshold level in the CLI.

      config wireless-controller global
  set rolling-wtp-upgrade enable
  set rolling-wtp-upgrade-threshold -70
end
      config wireless-controller setting
  set rolling-wtp-upgrade enable
end

    2. From the FortiGate GUI, go to WiFi & Switch Controller > Managed FortiAPs.

    3. Select multiple FortiAPs of the same model, and then right-click and select Upgrade.

      The Upgrade FortiAPs window loads.

    4. Upload the FortiAP image file and click Upgrade.

      The FortiAPs are automatically upgraded using the Hitless Rolling upgrade method.

    5. Some FortiAPs immediately begin upgrading while others are marked with "ISSU queued". In-Service Software Upgrade (ISSU) indicates that these are the standby APs that continue to provide Wi-Fi service to clients and are queued to be upgraded later.

    6. Once the first batch of FortiAPs are upgraded and can provide service, the ISSU queued FortiAPs will begin upgrading.

    To configure Hitless Rolling AP upgrade - CLI

    1. Enable rolling-wtp-upgrade at either the global or VDOM level and configure the rolling-wtp-upgrade-threshold level.

      config wireless-controller global
  set rolling-wtp-upgrade enable
  set rolling-wtp-upgrade-threshold -70
end
      config wireless-controller setting
  set rolling-wtp-upgrade enable
end

    2. Upload FortiAP images to FortiGate and check the image list. In this example, FAP231F is uploaded:

      execute wireless-controller upload-wtp-image tftp /FortiAP/v7.00/images/build0626/FAP_231F-v7-build0626-FORTINET.out 172.18.52.254

    3. Verify the uploaded FortiAP images:

      execute wireless-controller list-wtp-image
WTP Images on AC:
ImageName                              ImageSize(B)   ImageInfo             ImageMTime
…
FP231F-v7.4.2-build0626-IMG.wtp        37605058       FP231F-v7.4-build0626  Mon Nov 27 10:39:53 2023

    4. Run the Rolling WTP Upgrade and prepare to check the FortiAP upgrade status.

      exec wireless-controller rolling-wtp-upgrade all

    5. Promptly check the FortiAP upgrade status to verify that the APs are upgrading:

      diagnose wireless-controller wlac -c ap-upd

1,50,66 0-FP231FTF23037012 FP231F-v7.4-build0591 ==> FP231F-v7.4-build0626 ws (0-10.233.10.7:5246) upd-download,3 5%           <- The image download has started (may still be blocked by concurrent AP image downloading limit)
2,50,66 0-FP231FTF23037026 FP231F-v7.4-build0591 ==> FP231F-v7.4-build0626 ws (0-10.233.10.3:5246) upd-download,3 6%
3,50,66 0-FP231FTF23037047 FP231F-v7.4-build0591 ==> FP231F-v7.4-build0626 ws (0-10.233.10.24:5246) upd-download,3 6%
…
15,50,66 0-FP431FTF23000559 FP431F-v7.4-build0591 ==> FP431F-v7.4-build0626 ws (0-10.233.30.40:5246) upd-enqueue-issu,4 0%      <- In queue for rolling AP upgrade to avoid Wi-Fi service drop
16,50,66 0-FP431FTF23021146 FP431F-v7.4-build0591 ==> FP431F-v7.4-build0626 ws (0-10.233.30.42:5246) upd-enqueue-issu,4 0%
…
19,50,66 0-FP433FTF21001215 FP433F-v7.4-build0591 ==> FP433F-v7.4-build0626 ws (0-10.233.30.41:5246) upd-enqueue-issu,4 0%
…

    6. After a few minutes, check the FortiAP upgrade status again to see any changes:

      diagnose wireless-controller wlac -c ap-upd

1,44,66 0-FP231FTF23037012 FP231F-v7.4-build0626 ws (0-10.233.10.7:5246) upd-ap-up,58      <- The AP has reconnected after image upgrade
…
7,44,66 0-FP231FTF23037232 FP231F-v7.4-build0626 ws (0-10.233.10.36:5246) upd-ssid-up,5    <- The AP's SSIDs are UP after image upgrade
…
15,44,66 0-FP431FTF23000559 FP431F-v7.4-build0591 ==> FP431F-v7.4-build0626 ws (0-10.233.30.40:5246) upd-enqueue-issu,404 0%      <- Still in queue for rolling AP upgrade to avoid Wi-Fi service drop
16,44,66 0-FP431FTF23021146 FP431F-v7.4-build0591 ==> FP431F-v7.4-build0626 ws (0-10.233.30.42:5246) upd-enqueue-issu,404 0%
…
19,44,66 0-FP433FTF21001215 FP433F-v7.4-build0591 ==> FP433F-v7.4-build0626 ws (0-10.233.30.41:5246) upd-enqueue-issu,404 0%
…

    7. After a few more minutes, check the FortiAP upgrade status again to see APs in the queue begin upgrading:

      diagnose wireless-controller wlac -c ap-upd

1,48,66 0-FP231FTF23037012 FP231F-v7.4-build0626 ws (0-10.233.10.7:5246) upd-ssid-up,6
…
15,48,66 0-FP431FTF23000559 FP431F-v7.4-build0591 ==> FP431F-v7.4-build0626 ws (0-10.233.30.40:5246) upd-download,12 48%      <- Previously queued APs have begun the upgrade process since enough SSIDs from other APs are up to provide service
16,48,66 0-FP431FTF23021146 FP431F-v7.4-build0591 ==> FP431F-v7.4-build0626 ws (0-10.233.30.42:5246) upd-download,12 49%
…
19,48,66 0-FP433FTF21001215 FP433F-v7.4-build0591 ==> FP433F-v7.4-build0626 ws (0-10.233.30.41:5246) upd-download,12 47%
…
    Previous
    Next