Upgrading firmware
From the Device Manager pane, you can update firmware for managed devices.
Upgrades can be scheduled to occur at a later date using firmware templates. See Firmware templates.
When workspace is enabled, you must lock a device (or ADOM) to allow firmware upgrade.
The FortiGate device requires a valid firmware upgrade license. Otherwise a Firmware Upgrade License Not Found error is displayed.
When Boot to Alternate Partition After Upgrade is selected, the inactive partition will be upgraded. |
FortiGate devices must have a valid Firmware & General Updates (FMWR) contract in order for firmware updates to be performed through FortiManager. This applies to firmware images from FortiGuard and images that are manually uploaded to FortiManager. When a FortiGate device is added to the FortiManager, a 24 hour grace period is provided in which firmware updates can be applied without a license to allow time for the FMWR contract information to synchronize from FortiCare. FortiManager expects the managed device to be on the same FortiCloud account, or have the device serial number added in FortiGuard's auth list. |
To upgrade firmware for managed devices:
- Go to Device Manager > Device & Groups.
- In the toolbar, select Table View from the dropdown menu.
- In the tree menu, select the device group name, for example, Managed FortiGate.
Devices in the group are displayed in the content pane.
- Select one or more devices, and select Firmware Upgrade from the More menu.
The Upgrade Firmware dialog box opens.
- Configure the following settings, then click OK:
Upgrade to
Select a firmware version from the drop-down list.
Boot From Alternate Partition After Upgrade
Selecting this option causes the device to reboot twice during the upgrade process: first to upgrade the inactive partition, and second to boot back into the active partition.
Let Device Download Firmware from FortiGuard
Select this option to download the firmware directly from FortiGuard. If this option is not selected, FortiManager will download the firmware from FortiGuard. Alternatively, you can import the firmware into FortiManager.
Skip All Intermediate Steps in Upgrade Path if Possible
FortiManager manages the most optimum upgrade path automatically. Select this option to install the selected version directly without going though the upgrade path.
FortiManager checks the FortiGate disk before upgrading. If the check fails, the following information is displayed, and the upgrade is not performed:
If the check passes, the upgrade proceeds:
FortiOS devices cannot be upgraded to a version that is higher than the FortiManager that is managing them. This rule is applicable only for major and minor versions. For example, FortiManager 6.2.0 cannot upgrade FortiOS devices to 6.3.0 or 7.0.0. When trying to upgrade FortiOS devices to a version higher than FortiManager, the upgrade process cannot be completed and a warning is shown. When upgrading FortiGate devices to a firmware version that is not part of the upgrade path (shown by the green check mark), the warning The firmware version is not on firmware upgrade path of selected devices. Upgrading the image may cause the current syntax to break. is shown. Click Upgrade to Recommended X.X.X which shows the recommended version, or Continue to upgrade to the selected version. A warning is also shown when upgrading FortiGate devices to a custom firmware. |
The disk on the FortiGate is checked automatically before upgrade. To enable skip disk check run the |
To disable disk check:
- Disable disk check by using the CLI:
config fmupdate fwm-setting
(fwm-setting)# set check-fgt-disk disable
The default setting is enable
, which will check the FortiGate disk before upgrading FortiOS.
The following diagnose commands are also available for diagnose fwmanager
:
show-dev-disk-check-status
: Shows whether a device needs a disk check.show-grp-disk-check-status
: Shows whether device in a group needs a disk check.
In addition, when you log into FortiOS by using the CLI, you will be informed if you need to run a disk scan, for example:
$ ssh admin@193.168.70.137
WARNING: File System Check Recommended! Unsafe reboot may have caused inconsistency in disk drive.
It is strongly recommended that you check file system consistency before proceeding.
Please run 'execute disk scan 17'
Note: The device will reboot and scan during startup. This may take up to an hour