FortiGate-6000 Administration Guide

Installing firmware on an individual FPC

You may want to install firmware on an individual FPC to resolve a software-related problem with the FPC or if the FPC is not running the same firmware version as the management board. The following procedure describes how to transfer a new firmware image file to the FortiGate 6000F internal TFTP server and then install the firmware on an FPC.

  1. Copy the firmware image file to a TFTP server, FTP server, or USB key.

  2. To upload the firmware image file onto the FortiGate 6000F internal TFTP server, from the management board CLI, enter one of the following commands.

    • To upload the firmware image file from an FTP server:

      execute upload image ftp <image-file-and-path> <comment> <ftp-server-address> <username> <password>

    • To upload the firmware image file from a TFTP server:

      execute upload image tftp <image-file> <comment> <tftp-server-address>

    • To upload the firmware image file from a USB key plugged into the FortiGate 6000F USB port:

      execute upload image usb <image-file-and-path> <comment>

  3. Enter the following command to confirm that the firmware image is available on the internal TFTP server:

    fnsysctl ls data2/tftproot

    This command lists the files and folders available in the tftproot directory. One of them should be the image file that you uploaded to the TFTP server in the previous step.

  4. Enter the following command to check the IP address of the internal TFTP server:

    fnsysctl ifconfig base-tftp
    base-tftp Link encap:Ethernet HWaddr 02:1C:BA:54:92:9B
            inet addr:169.254.255.1 Bcast:169.254.255.255 Mask:255.255.255.0
            UP BROADCAST RUNNING MULTICAST MTU:1492 Metric:1
            RX packets:346263 errors:0 dropped:0 overruns:0 frame:0
            TX packets:346193 errors:0 dropped:0 overruns:0 carrier:0
            collisions:0 txqueuelen:1000
            RX bytes:17315539 (16.5 MB) TX bytes:270658277 (258.1 MB)
    

    The IP address in the inet addr field is the IP address of the internal TFTP server and should be 169.254.255.1.

  5. Use the execute system console-server command to log in to the console of the FPC that you want to install the new firmware on.

    For example, to log in to the console of the FPC in slot 3, enter:

    execute system console-server connect 3

    Log into the console using your FortiGate 6000F administrator name and password.

  6. Restart the FPC. You can do this from the FPC console by accessing the global configuration and entering the execute reboot command:

    config system global

    execute reboot

  7. When the FPC starts up, follow the boot process in the console session, and press any key when prompted to interrupt the boot process.

  8. To set up the TFTP configuration, press C.
  9. Use the BIOS menu to set the following. Change settings only if required.

    [P]: Set image download port: MGMT1

    [D]: Set DHCP mode: Disabled

    [I]: Set local IP address: Enter an IP address on the same network as the TFTP server IP address. For example, if the TFTP server IP address is 169.254.255.1, set the local IP address to 169.254.255.2.

    [S]: Set local Subnet Mask: 255.255.255.0

    [G]: Set local gateway: 169.254.255.1 (same as the TFTP server IP address).

    [V]: Local VLAN ID: Should be set to <none>. (Use -1 to set the Local VLAN ID to <none>.)

    [T]: Set remote TFTP server IP address: 169.254.255.1 (The IP address of the internal TFTP server.)

    [F]: Set firmware image file name: The name of the firmware image file uploaded to the internal TFTP server.

  10. To quit this menu, press Q.
  11. To review the configuration, press R.
    To make corrections, press C and make the changes as required.

    When the configuration is correct, proceed to the next step.

  12. To start the TFTP transfer, press T.
    The FPC downloads the firmware image from the internal TFTP server and installs it. The FPC then restarts with its configuration reset to factory defaults. The configuration is then synchronized from the management board to the FPC. The FPC restarts again, rejoins the cluster, and is ready to process traffic.
  13. To verify that the configuration of the FPC has been synchronized, enter the diagnose sys confsync status | grep in_sy command. The command output below shows an example of the synchronization status of some of the FPCs in an HA cluster of two FortiGate 6301F devices. The field in_sync=1 indicates that the configuration of the FPC is synchronized.

    FPC6KFT018901327, Secondary, uptime=615368.33, priority=19, slot_id=1:1, idx=1, flag=0x4, in_sync=1
    F6KF31T018900143, Primary, uptime=615425.84, priority=1, slot_id=1:0, idx=0, flag=0x10, in_sync=1 
    FPC6KFT018901372, Secondary, uptime=615319.63, priority=20, slot_id=1:2, idx=1, flag=0x4, in_sync=1
    F6KF31T018900143, Primary, uptime=615425.84, priority=1, slot_id=1:0, idx=0, flag=0x10, in_sync=1
    FPC6KFT018901346, Secondary, uptime=423.91, priority=21, slot_id=1:3, idx=1, flag=0x4, in_sync=1

    FPCs that are missing or that show in_sync=0 are not synchronized. To synchronize an FPC that is not synchronized, log into the CLI of the FPC and restart it using the execute reboot command. If this does not solve the problem, contact Fortinet Support at https://support.fortinet.com.

    The example output also shows that the uptime of the FPC in slot 3 is lower than the uptime of the other FPCs, indicating that the FPC in slot 3 has recently restarted.

    If you enter the diagnose sys confsync status | grep in_sy command before an FPC has completely restarted, it will not appear in the output. Also, the Cluster Status dashboard widget will temporarily show that it is not synchronized.
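
The check in step 13 can be scripted against captured console output. The following is an added example, not Fortinet code: it parses the status lines and reports expected FPC slots that are missing, show in_sync=0, or restarted recently. It assumes slot_id is chassis:slot, that uptime is in seconds, and a hypothetical one-hour "recent" threshold; the last sample line is constructed.

```python
import re

# Constructed sample: the status lines shown in step 13, plus one
# made-up line (slot 1:4, in_sync=0) to exercise the failure path.
SAMPLE = """\
FPC6KFT018901327, Secondary, uptime=615368.33, priority=19, slot_id=1:1, idx=1, flag=0x4, in_sync=1
F6KF31T018900143, Primary, uptime=615425.84, priority=1, slot_id=1:0, idx=0, flag=0x10, in_sync=1
FPC6KFT018901372, Secondary, uptime=615319.63, priority=20, slot_id=1:2, idx=1, flag=0x4, in_sync=1
F6KF31T018900143, Primary, uptime=615425.84, priority=1, slot_id=1:0, idx=0, flag=0x10, in_sync=1
FPC6KFT018901346, Secondary, uptime=423.91, priority=21, slot_id=1:3, idx=1, flag=0x4, in_sync=1
FPC6KFT0189EXAMPLE, Secondary, uptime=88.10, priority=22, slot_id=1:4, idx=1, flag=0x4, in_sync=0
"""

LINE = re.compile(
    r"^\s*(?P<serial>\S+),\s*(?P<role>\w+),\s*uptime=(?P<uptime>[\d.]+),"
    r".*?slot_id=(?P<chassis>\d+):(?P<slot>\d+),.*?in_sync=(?P<in_sync>\d+)\s*$"
)

def parse_confsync(text):
    """Return {(chassis, slot): record}; repeated lines collapse to one entry."""
    records = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip prompts, blank lines, anything unparseable
        key = (int(m["chassis"]), int(m["slot"]))  # assumed chassis:slot
        records[key] = {
            "serial": m["serial"],
            "role": m["role"],
            "uptime": float(m["uptime"]),  # assumed to be seconds
            "in_sync": m["in_sync"] == "1",
        }
    return records

def audit(text, expected_slots, recent_secs=3600):
    """Classify expected slots as missing, unsynced, or recently restarted."""
    recs = parse_confsync(text)
    present = [s for s in sorted(expected_slots) if s in recs]
    return {
        "missing": sorted(s for s in expected_slots if s not in recs),
        "unsynced": [s for s in present if not recs[s]["in_sync"]],
        "recent": [s for s in present if recs[s]["uptime"] < recent_secs],
    }

if __name__ == "__main__":
    # Assumed inventory: chassis 1 should report FPCs in slots 1 through 5.
    print(audit(SAMPLE, {(1, n) for n in range(1, 6)}))
```

A slot listed under both recent and missing on successive runs is consistent with the note above that an FPC does not appear in the output until it has completely restarted.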
