Firmware upgrades in FGSP
FGSP supports cluster members running different firmware versions, with some limitations. This allows cluster members to be upgraded without removing them from the cluster or the network. For the requirements for running different firmware versions in the cluster, see Different FortiGate models.
If your cluster’s current and target firmware are supported, you may upgrade each member one by one without disconnecting it.
Otherwise, the following steps are recommended to upgrade the firmware of FortiGates in an FGSP deployment. Follow these steps whether or not you have enabled standalone configuration synchronization.
This example FGSP deployment has two FortiGates, FGT-1 and FGT-2.
To upgrade the firmware in an FGSP deployment:
- Switch all traffic to FGT-1:
  - Configure the load balancer or router that distributes traffic between the FortiGates to send all traffic to FGT-1.
- Disconnect FGT-2 from the network.
  Make sure to also disconnect the interfaces that allow heartbeat and synchronization communication with FGT-1. This is to prevent FGT-2 from communicating with FGT-1.
- Upgrade the firmware on FGT-2.
- Reconnect the traffic interfaces on FGT-2, but not the interfaces used for heartbeat and synchronization communication with FGT-1.
- Switch all traffic to the newly upgraded FGT-2:
  - Configure the load balancer or router that distributes traffic between the FortiGates to send all traffic to FGT-2.
- Upgrade the firmware on FGT-1 (while heartbeat and synchronization communication with FGT-2 remains disconnected).
- Reconnect the FGT-2 interfaces that allow heartbeat and synchronization communication between FGT-1 and FGT-2.
- Restore the original traffic distribution between FGT-1 and FGT-2:
  - Configure the load balancer or router to distribute traffic to both FortiGates in the FGSP deployment.