Fortinet black logo

Administration Guide

Upgrading firmware

Upgrading firmware

From the Device Manager pane, you can update firmware for managed devices.

Upgrades can be scheduled to occur at a later date using firmware templates. See Firmware templates.

When workspace is enabled, you must lock a device (or ADOM) to allow firmware upgrade.

The FortiGate device requires a valid firmware upgrade license. Otherwise a Firmware Upgrade License Not Found error is displayed.

When Boot to Alternate Partition After Upgrade is selected, the inactive partition will be upgraded.

To upgrade firmware for managed devices:
  1. Go to Device Manager > Device & Groups.
  2. In the toolbar, select Table View from the dropdown menu.
  3. In the tree menu, select the device group name, for example, Managed FortiGate.

    Devices in the group are displayed in the content pane.

  4. Select one or more devices, and select Firmware Upgrade from the More menu.

    The Upgrade Firmware dialog box opens.

  5. Configure the following settings, then click OK:

    Upgrade to

    Select a firmware version from the drop-down list.

    Boot From Alternate Partition After Upgrade

    Selecting this option causes the device to reboot twice during the upgrade process: first to upgrade the inactive partition, and second to boot back into the active partition.

    Let Device Download Firmware from FortiGuard

    Select this option to download the firmware directly from FortiGuard. If this option is not selected, FortiManager will download the firmware from FortiGuard. Alternatively, you can import the firmware into FortiManager.

    Skip All Intermediate Steps in Upgrade Path if Possible

    FortiManager manages the most optimum upgrade path automatically. Select this option to install the selected version directly without going though the upgrade path.

  6. FortiManager checks the FortiGate disk before upgrading. If the check fails, the following information is displayed, and the upgrade is not performed:

    If the check passes, the upgrade proceeds:

FortiOS devices cannot be upgraded to a version that is higher than the FortiManager that is managing them. This rule is applicable only for major and minor versions. For example, FortiManager 6.2.0 cannot upgrade FortiOS devices to 6.3.0 or 7.0.0. When trying to upgrade FortiOS devices to a version higher than FortiManager, the upgrade process cannot be completed and a warning is shown.

When upgrading FortiGate devices to a firmware version that is not part of the upgrade path (shown by the green check mark), the warning The firmware version is not on firmware upgrade path of selected devices. Upgrading the image may cause the current syntax to break. is shown. Click Upgrade to Recommended X.X.X which shows the recommended version, or Continue to upgrade to the selected version. A warning is also shown when upgrading FortiGate devices to a custom firmware.

The disk on the FortiGate is checked automatically before upgrade. To enable skip disk check run the set skip-disk-check from the command line.

To disable disk check:
  1. Disable disk check by using the CLI:

    config fmupdate fwm-setting

    (fwm-setting)# set skip-disk-check enable

The default setting is disable, which will check the FortiGate disk before upgrading FortiOS.

The following diagnose commands are also available for diagnose fwmanager:

  • show-dev-disk-check-status: Shows whether a device needs a disk check.
  • show-grp-disk-check-status: Shows whether device in a group needs a disk check.

In addition, when you log into FortiOS by using the CLI, you will be informed if you need to run a disk scan, for example:

$ ssh admin@193.168.70.137

WARNING: File System Check Recommended! Unsafe reboot may have caused inconsistency in disk drive.

It is strongly recommended that you check file system consistency before proceeding.

Please run 'execute disk scan 17'

Note: The device will reboot and scan during startup. This may take up to an hour

Upgrading firmware

From the Device Manager pane, you can update firmware for managed devices.

Upgrades can be scheduled to occur at a later date using firmware templates. See Firmware templates.

When workspace is enabled, you must lock a device (or ADOM) to allow firmware upgrade.

The FortiGate device requires a valid firmware upgrade license. Otherwise a Firmware Upgrade License Not Found error is displayed.

When Boot to Alternate Partition After Upgrade is selected, the inactive partition will be upgraded.

To upgrade firmware for managed devices:
  1. Go to Device Manager > Device & Groups.
  2. In the toolbar, select Table View from the dropdown menu.
  3. In the tree menu, select the device group name, for example, Managed FortiGate.

    Devices in the group are displayed in the content pane.

  4. Select one or more devices, and select Firmware Upgrade from the More menu.

    The Upgrade Firmware dialog box opens.

  5. Configure the following settings, then click OK:

    Upgrade to

    Select a firmware version from the drop-down list.

    Boot From Alternate Partition After Upgrade

    Selecting this option causes the device to reboot twice during the upgrade process: first to upgrade the inactive partition, and second to boot back into the active partition.

    Let Device Download Firmware from FortiGuard

    Select this option to download the firmware directly from FortiGuard. If this option is not selected, FortiManager will download the firmware from FortiGuard. Alternatively, you can import the firmware into FortiManager.

    Skip All Intermediate Steps in Upgrade Path if Possible

    FortiManager manages the most optimum upgrade path automatically. Select this option to install the selected version directly without going though the upgrade path.

  6. FortiManager checks the FortiGate disk before upgrading. If the check fails, the following information is displayed, and the upgrade is not performed:

    If the check passes, the upgrade proceeds:

FortiOS devices cannot be upgraded to a version that is higher than the FortiManager that is managing them. This rule is applicable only for major and minor versions. For example, FortiManager 6.2.0 cannot upgrade FortiOS devices to 6.3.0 or 7.0.0. When trying to upgrade FortiOS devices to a version higher than FortiManager, the upgrade process cannot be completed and a warning is shown.

When upgrading FortiGate devices to a firmware version that is not part of the upgrade path (shown by the green check mark), the warning The firmware version is not on firmware upgrade path of selected devices. Upgrading the image may cause the current syntax to break. is shown. Click Upgrade to Recommended X.X.X which shows the recommended version, or Continue to upgrade to the selected version. A warning is also shown when upgrading FortiGate devices to a custom firmware.

The disk on the FortiGate is checked automatically before upgrade. To enable skip disk check run the set skip-disk-check from the command line.

To disable disk check:
  1. Disable disk check by using the CLI:

    config fmupdate fwm-setting

    (fwm-setting)# set skip-disk-check enable

The default setting is disable, which will check the FortiGate disk before upgrading FortiOS.

The following diagnose commands are also available for diagnose fwmanager:

  • show-dev-disk-check-status: Shows whether a device needs a disk check.
  • show-grp-disk-check-status: Shows whether device in a group needs a disk check.

In addition, when you log into FortiOS by using the CLI, you will be informed if you need to run a disk scan, for example:

$ ssh admin@193.168.70.137

WARNING: File System Check Recommended! Unsafe reboot may have caused inconsistency in disk drive.

It is strongly recommended that you check file system consistency before proceeding.

Please run 'execute disk scan 17'

Note: The device will reboot and scan during startup. This may take up to an hour