Upgrading firmware
From the Device Manager pane, you can update firmware for managed devices.
Upgrades can be scheduled to occur at a later date using firmware templates. See Firmware templates.
When workspace is enabled, you must lock a device (or ADOM) to allow firmware upgrade.
The FortiGate device requires a valid firmware upgrade license. Otherwise a Firmware Upgrade License Not Found error is displayed.
When Boot to Alternate Partition After Upgrade is selected, the inactive partition will be upgraded.
FortiGate devices must have a valid Firmware & General Updates (FMWR) contract in order for firmware updates to be performed through FortiManager. This applies to firmware images from FortiGuard and images that are manually uploaded to FortiManager. When a FortiGate device is added to the FortiManager, a 24 hour grace period is provided in which firmware updates can be applied without a license to allow time for the FMWR contract information to synchronize from FortiCare. FortiManager expects the managed device to be on the same FortiCloud account, or have the device serial number added in FortiGuard's auth list.
To upgrade firmware for managed devices:
- Go to Device Manager > Device & Groups.
- In the toolbar, select Table View from the dropdown menu.
- In the tree menu, select the device group name, for example, Managed FortiGate.
  Devices in the group are displayed in the content pane.
- Select one or more devices, and select Firmware Upgrade from the More menu.
  The Device Firmware Upgrade dialog box opens.
- Configure the following settings, then click OK:
  - Schedule Upgrade: View scheduled upgrades. This option is only displayed when selecting one device. You can select an entry in the table and click Cancel Schedule to cancel the scheduled upgrade.
  - Setup Firmware Upgrade: Configure the firmware upgrade method using a firmware template or a custom firmware upgrade configuration.
    - Firmware Templates: Click the Firmware Templates dropdown to select an existing firmware template, or click the Create New icon to create a new firmware template for use. See Creating firmware templates.
      The upgrade will start based on the schedule configured in the template or when the upgrade is manually started. See Upgrading devices now.
    - Custom: Select a firmware version to upgrade to in the Upgrade To field. Once a firmware version is selected, the following additional options are displayed:
      - Boot from Alternate Partition After Upgrade: Applies only to FortiGates.
        Select to upgrade the inactive partition. Clear to skip the inactive partition during upgrade.
        Selecting this option causes the device to reboot twice during the upgrade process: first to upgrade the inactive partition, and second to boot back into the active partition.
      - Let Device Download Firmware from FortiGuard: Select to have the device download the firmware from FortiGuard for the upgrade.
        Clear to have the device download the firmware from FortiManager.
      - Upgrade Path: Select one of the following options:
        - Skip All Intermediate Steps in Upgrade Path If Possible: Select to skip some builds in an upgrade path.
        - Follow The Recommended Upgrade Path: Select to install all builds in an upgrade path.
        The Follow The Recommended Upgrade Path feature is not supported when FortiManager is operating in a closed network. Each image in the path must instead be imported to FortiManager and manually pushed to the managed devices in the correct order. You can view the recommended upgrade path at support.fortinet.com.
      - Only upgrade FortiGate Clusters with all members up: When enabled, if any HA secondary node is down, the firmware upgrade will be skipped for the HA cluster.
  - Schedule Upgrade: Configure a schedule for the firmware upgrade in hours or by specifying a date/time.
  - Firmware Upgrade History: View the firmware upgrade history for the selected device. This option is only displayed when selecting one device.
- FortiManager checks the FortiGate disk before upgrading. If the check fails, a message indicates the failure, and the upgrade is not performed.
  If the check passes, the upgrade proceeds.
FortiOS devices cannot be upgraded to a version that is higher than the FortiManager that is managing them. This rule is applicable only for major and minor versions. For example, FortiManager 6.2.0 cannot upgrade FortiOS devices to 6.3.0 or 7.0.0. When trying to upgrade FortiOS devices to a version higher than FortiManager, the upgrade process cannot be completed and a warning is shown.
When upgrading FortiGate devices to a firmware version that is not part of the upgrade path (shown by the green check mark), the warning "The firmware version is not on firmware upgrade path of selected devices. Upgrading the image may cause the current syntax to break." is shown. Click Upgrade to Recommended X.X.X which shows the recommended version, or Continue to upgrade to the selected version.
A warning is also shown when upgrading FortiGate devices to a custom firmware.
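The constraints stated on this page (version ceiling on major and minor numbers, FMWR contract or 24 hour grace period, HA members up, closed-network upgrade path) can be checked against an inventory before a change window. The following is an added example, not Fortinet code and not a FortiManager API: the inventory fields, device names, dates and function names are hypothetical, and versions are assumed to be plain "major.minor.patch" strings.

```python
from datetime import datetime, timedelta

GRACE = timedelta(hours=24)  # grace period after a device is added (from the page)

def major_minor(version):
    """'6.2.4' -> (6, 2); the version rule ignores the patch number."""
    major, minor = version.split(".")[:2]
    return int(major), int(minor)

def preflight(dev, fmg_version, target, now, only_if_all_ha_up=True,
              closed_network=False, follow_recommended_path=False):
    """Return the reasons (possibly none) the upgrade would be blocked or skipped."""
    reasons = []
    # Target major.minor may not be higher than the managing FortiManager's.
    if major_minor(target) > major_minor(fmg_version):
        reasons.append(f"target {target} is higher than FortiManager {fmg_version}")
    # A valid FMWR contract is required once the 24 hour grace period has passed.
    if not dev["fmwr_valid"] and now - dev["added"] > GRACE:
        reasons.append("no valid FMWR contract and grace period has passed")
    # With 'Only upgrade FortiGate Clusters with all members up' enabled,
    # a down HA secondary causes the cluster to be skipped.
    if only_if_all_ha_up and not all(dev.get("ha_members_up", [True])):
        reasons.append("HA secondary down; cluster upgrade would be skipped")
    # Follow The Recommended Upgrade Path is not supported in a closed network.
    if closed_network and follow_recommended_path:
        reasons.append("recommended upgrade path unsupported in closed network")
    return reasons

# Constructed sample inventory (hypothetical names, dates and fields).
NOW = datetime(2024, 1, 10, 12, 0)
INVENTORY = [
    {"name": "fgt-branch-1", "fmwr_valid": True, "added": datetime(2023, 6, 1)},
    {"name": "fgt-new", "fmwr_valid": False, "added": NOW - timedelta(hours=3)},
    {"name": "fgt-expired", "fmwr_valid": False, "added": datetime(2023, 6, 1)},
    {"name": "fgt-ha", "fmwr_valid": True, "added": datetime(2023, 6, 1),
     "ha_members_up": [True, False]},
]

def report(fmg_version, target):
    """Map each device name to its list of blocking reasons."""
    return {d["name"]: preflight(d, fmg_version, target, NOW) for d in INVENTORY}

if __name__ == "__main__":
    for name, reasons in report("6.2.0", "6.2.4").items():
        print(name, "OK" if not reasons else "; ".join(reasons))
```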
The disk on the FortiGate is checked automatically before upgrade. To enable skip disk check run the
To disable disk check:
- Disable disk check by using the CLI:
    config fmupdate fwm-setting
    (fwm-setting)# set check-fgt-disk disable
    (fwm-setting)# end
  The default setting is enable, which will check the FortiGate disk before upgrading FortiOS.
The following diagnose commands are also available for diagnose fwmanager:
- show-dev-disk-check-status: Shows whether a device needs a disk check.
- show-grp-disk-check-status: Shows whether a device in a group needs a disk check.
In addition, when you log into FortiOS by using the CLI, you will be informed if you need to run a disk scan, for example:
$ ssh admin@193.168.70.137
WARNING: File System Check Recommended! Unsafe reboot may have caused inconsistency in disk drive.
It is strongly recommended that you check file system consistency before proceeding.
Please run 'execute disk scan 17'
Note: The device will reboot and scan during startup. This may take up to an hour