New Features

Support Hitless Rolling AP upgrade 7.4.2

This release introduces Hitless Rolling upgrades for FortiAPs. When upgrading FortiAPs, an algorithm considers the reach of neighboring APs and their locations. The APs are then upgraded in a staggered process: some APs are upgraded immediately, while others are placed in a standby queue and continue to provide Wi-Fi service to clients. Once the SSIDs on the first upgraded APs are able to serve clients, the APs in the standby queue begin upgrading.

CLI changes

The following CLI commands for configuring Hitless Rolling AP upgrades have been added to both global settings and per-VDOM settings:

Enabling Hitless Rolling Upgrade at the global level
config wireless-controller global
  set rolling-wtp-upgrade {enable | disable}
  set rolling-wtp-upgrade-threshold <integer>
end
rolling-wtp-upgrade

Enable/disable rolling WTP upgrade (default = disable).

Note: Enabling this at the global level forces all managed FortiAPs in all VDOMs to use the rolling upgrade, regardless of the VDOM-level settings.

rolling-wtp-upgrade-threshold

Minimum signal level/threshold in dBm required for the managed WTP to be included in rolling WTP upgrade (-95 to -20, default = -80).

Enabling Hitless Rolling Upgrade at the per-VDOM level
config wireless-controller setting
  set rolling-wtp-upgrade {enable | disable}
end
rolling-wtp-upgrade

Enable/disable rolling WTP upgrade (default = disable).

Note: Enabling this at the VDOM level lets managed FortiAPs in the current VDOM use the rolling upgrade, regardless of the global-level setting.

Executing Hitless Rolling Upgrade
exec wireless-controller rolling-wtp-upgrade <all>|<SN>|<wtp-group>
rolling-wtp-upgrade

Select which APs to upgrade with the Hitless Rolling upgrade. You can select all APs, APs by their WTP serial number, or a WTP group.

To configure Hitless Rolling AP upgrade - GUI
  1. Before you can run Hitless Rolling AP upgrade from the GUI, you must first enable rolling-wtp-upgrade and configure the rolling-wtp-upgrade-threshold level in the CLI.

    config wireless-controller global
      set rolling-wtp-upgrade enable
      set rolling-wtp-upgrade-threshold -70
    end
    config wireless-controller setting
      set rolling-wtp-upgrade enable
    end
  2. From the FortiGate GUI, go to WiFi & Switch Controller > Managed FortiAPs.

  3. Select multiple FortiAPs of the same model, and then right-click and select Upgrade.

    The Upgrade FortiAPs window loads.

  4. Upload the FortiAP image file and click Upgrade.

    The FortiAPs are automatically upgraded using the Hitless Rolling upgrade method.

  5. Some FortiAPs immediately begin upgrading while others are marked with "ISSU queued". In-Service Software Upgrade (ISSU) indicates that these are the standby APs that continue to provide Wi-Fi service to clients and are queued to be upgraded later.

  6. Once the first batch of FortiAPs is upgraded and can provide service, the ISSU queued FortiAPs will begin upgrading.

To configure Hitless Rolling AP upgrade - CLI
  1. Enable rolling-wtp-upgrade at either the global or VDOM level and configure the rolling-wtp-upgrade-threshold level.

    config wireless-controller global
      set rolling-wtp-upgrade enable
      set rolling-wtp-upgrade-threshold -70
    end
    config wireless-controller setting
      set rolling-wtp-upgrade enable
    end
  2. Upload FortiAP images to FortiGate and check the image list. In this example, FAP231F is uploaded:

    execute wireless-controller upload-wtp-image tftp /FortiAP/v7.00/images/build0626/FAP_231F-v7-build0626-FORTINET.out 172.18.52.254
  3. Verify the uploaded FortiAP images:

    execute wireless-controller list-wtp-image
    WTP Images on AC:
    ImageName                              ImageSize(B)   ImageInfo             ImageMTime
    …
    FP231F-v7.4.2-build0626-IMG.wtp        37605058       FP231F-v7.4-build0626  Mon Nov 27 10:39:53 2023
  4. Run the Rolling WTP Upgrade and prepare to check the FortiAP upgrade status.

    exec wireless-controller rolling-wtp-upgrade all
  5. Promptly check the FortiAP upgrade status to verify that the APs are upgrading:

    diagnose wireless-controller wlac -c ap-upd
    
    1,50,66 0-FP231FTF23037012 FP231F-v7.4-build0591 ==> FP231F-v7.4-build0626 ws (0-10.233.10.7:5246) upd-download,3 5%           <- The image download has started (may still be blocked by concurrent AP image downloading limit)
    2,50,66 0-FP231FTF23037026 FP231F-v7.4-build0591 ==> FP231F-v7.4-build0626 ws (0-10.233.10.3:5246) upd-download,3 6%
    3,50,66 0-FP231FTF23037047 FP231F-v7.4-build0591 ==> FP231F-v7.4-build0626 ws (0-10.233.10.24:5246) upd-download,3 6%
    …
    15,50,66 0-FP431FTF23000559 FP431F-v7.4-build0591 ==> FP431F-v7.4-build0626 ws (0-10.233.30.40:5246) upd-enqueue-issu,4 0%      <- In queue for rolling AP upgrade to avoid Wi-Fi service drop
    16,50,66 0-FP431FTF23021146 FP431F-v7.4-build0591 ==> FP431F-v7.4-build0626 ws (0-10.233.30.42:5246) upd-enqueue-issu,4 0%
    …
    19,50,66 0-FP433FTF21001215 FP433F-v7.4-build0591 ==> FP433F-v7.4-build0626 ws (0-10.233.30.41:5246) upd-enqueue-issu,4 0%
    …
  6. After a few minutes, check the FortiAP upgrade status again to see any changes:

    diagnose wireless-controller wlac -c ap-upd
    
    1,44,66 0-FP231FTF23037012 FP231F-v7.4-build0626 ws (0-10.233.10.7:5246) upd-ap-up,58      <- The AP has reconnected after image upgrade
    …
    7,44,66 0-FP231FTF23037232 FP231F-v7.4-build0626 ws (0-10.233.10.36:5246) upd-ssid-up,5    <- The AP's SSIDs are UP after image upgrade
    …
    15,44,66 0-FP431FTF23000559 FP431F-v7.4-build0591 ==> FP431F-v7.4-build0626 ws (0-10.233.30.40:5246) upd-enqueue-issu,404 0%      <- Still in queue for rolling AP upgrade to avoid Wi-Fi service drop
    16,44,66 0-FP431FTF23021146 FP431F-v7.4-build0591 ==> FP431F-v7.4-build0626 ws (0-10.233.30.42:5246) upd-enqueue-issu,404 0%
    …
    19,44,66 0-FP433FTF21001215 FP433F-v7.4-build0591 ==> FP433F-v7.4-build0626 ws (0-10.233.30.41:5246) upd-enqueue-issu,404 0%
    …
  7. After a few more minutes, check the FortiAP upgrade status again to see APs in the queue begin upgrading:

    diagnose wireless-controller wlac -c ap-upd
    
    1,48,66 0-FP231FTF23037012 FP231F-v7.4-build0626 ws (0-10.233.10.7:5246) upd-ssid-up,6
    …
    15,48,66 0-FP431FTF23000559 FP431F-v7.4-build0591 ==> FP431F-v7.4-build0626 ws (0-10.233.30.40:5246) upd-download,12 48%      <- Previously queued APs have begun the upgrade process since enough SSIDs from other APs are up to provide service
    16,48,66 0-FP431FTF23021146 FP431F-v7.4-build0591 ==> FP431F-v7.4-build0626 ws (0-10.233.30.42:5246) upd-download,12 49%
    …
    19,48,66 0-FP433FTF21001215 FP433F-v7.4-build0591 ==> FP433F-v7.4-build0626 ws (0-10.233.30.41:5246) upd-download,12 47%
    …
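
The status checks in steps 5 to 7, automated as an added example (not Fortinet's code): this Python script parses saved `diagnose wireless-controller wlac -c ap-upd` output, counts APs per state, and lists APs that are not yet running the expected build or that target a different one. The field layout is inferred from the sample lines on this page, and the names `parse_ap_upd`, `audit` and `expected_build` are assumptions.

```python
import re
from collections import Counter

# Constructed sample, assembled from the status lines shown in the steps above.
SAMPLE = """\
1,48,66 0-FP231FTF23037012 FP231F-v7.4-build0626 ws (0-10.233.10.7:5246) upd-ssid-up,6
7,44,66 0-FP231FTF23037232 FP231F-v7.4-build0626 ws (0-10.233.10.36:5246) upd-ap-up,58
…
15,48,66 0-FP431FTF23000559 FP431F-v7.4-build0591 ==> FP431F-v7.4-build0626 ws (0-10.233.30.40:5246) upd-download,12 48%   <- upgrading
16,44,66 0-FP431FTF23021146 FP431F-v7.4-build0591 ==> FP431F-v7.4-build0626 ws (0-10.233.30.42:5246) upd-enqueue-issu,404 0%
"""

# Layout inferred from the page's samples (an assumption, not a documented format):
# n,n,n 0-<serial> <running> [==> <target>] ws (0-<ip>:<port>) <state>,<n> [<pct>%]
LINE = re.compile(
    r"^\d+,\d+,\d+\s+\d+-(?P<serial>\S+)\s+"
    r"(?P<running>\S+)(?:\s+==>\s+(?P<target>\S+))?\s+ws\s+"
    r"\(\d+-(?P<ip>[\d.]+):(?P<port>\d+)\)\s+"
    r"(?P<state>upd-[a-z-]+),(?P<number>\d+)(?:\s+(?P<pct>\d+)%)?$"
)

def parse_ap_upd(text):
    """Return (records, unparsed) from saved ap-upd output."""
    records, unparsed = [], []
    for raw in text.splitlines():
        line = raw.split("<-")[0].strip()  # drop the "<-" annotations used on the page
        if not line or line == "…":         # skip blanks and elided rows
            continue
        m = LINE.match(line)
        if m:
            records.append(m.groupdict())
        else:
            unparsed.append(line)           # never silently ignore an AP line
    return records, unparsed

def audit(text, expected_build):
    """Count APs per state; list APs not on expected_build or targeting another build."""
    records, unparsed = parse_ap_upd(text)
    suffix = "-" + expected_build
    return {
        "states": dict(Counter(r["state"] for r in records)),
        "pending": {r["serial"]: r["state"] for r in records
                    if not r["running"].endswith(suffix)},
        "wrong_target": [r["serial"] for r in records
                         if r["target"] and not r["target"].endswith(suffix)],
        "unparsed": unparsed,
    }

if __name__ == "__main__":
    print(audit(SAMPLE, "build0626"))
```

A non-empty `pending` after the queue has drained, or any entry in `wrong_target` or `unparsed`, is worth investigating before treating the upgrade as complete.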
