Firmware
Starting in FortiSwitchOS 7.4.0, the GUI provides OS image signature verification. To see which models support this feature, refer to the FortiSwitch feature matrix. If the BIOS version does not support OS image signature verification, the GUI displays a warning message when you log in.
- If you upload an unverified firmware image, the GUI displays a “WARNING: This firmware failed signature validation.” message.
- If you log in to a FortiSwitch unit running an unverified firmware image, the GUI displays an “Unverified Image Detected” message.
- After you log in to a FortiSwitch unit running an unverified firmware image, the GUI displays a triangle with a red exclamation mark in the title bar.
This section covers the following topics:
- Upgrading the firmware
- Verifying image integrity
- Setting the boot partition
- Restoring or upgrading the BIOS
Upgrading the firmware
Use these procedures to upgrade your FortiSwitch firmware.
Using the GUI
- Go to System > Config > Firmware.
- Click Choose File and then navigate to the firmware image.
- Select Apply.
- If the firmware image is unverified, the GUI displays a “WARNING: This firmware failed signature validation.” message. You must click Continue if you still want to upgrade to this firmware image.
Using the CLI
You can download a firmware image from an FTP server, from a FortiManager unit, from an SFTP server, or from a TFTP server. The FortiSwitch unit reboots and then loads the new firmware.
execute restore image ftp <filename_str> <server_ipv4_ipv6_fqdn[:port_int]> [<username_str> <password_str>]
execute restore image management-station <version_int>
execute restore image sftp <filename_str> <server_ipv4_ipv6_fqdn[:port_int]> [<username_str> <password_str>]
execute restore image tftp <filename_str> <server_ipv4_ipv6_fqdn>
The following example shows how to upload a configuration file from a TFTP server to the FortiSwitch unit and restart the FortiSwitch unit with this configuration. The name of the configuration file on the TFTP server is backupconfig. The IPv4 address of the TFTP server is 192.168.1.23.
execute restore config tftp backupconfig 192.168.1.23
The following example shows how to upload a configuration file from an SFTP server to the FortiSwitch unit and restart the FortiSwitch unit with this configuration. The name of the configuration file on the SFTP server is backupconfig. The IPv6 address of the SFTP server is 6001:7:7:7::2, and the port number is 2222. To access the SFTP server, you need to add the user name, admin, and the password, adminpassword.
execute restore config sftp backupconfig [6001:7:7:7::2]:2222 admin adminpassword
You can also load a firmware image from an FTP or TFTP server without restarting the FortiSwitch unit:
execute stage image ftp <string> <ftp server>[:ftp port]
execute stage image tftp <string> <ip>
To check if the firmware image is verified:
get system status
Verifying image integrity
To verify the integrity of the images in the primary and secondary (if applicable) flash partitions, use the following commands:
execute verify image primary
execute verify image secondary
If the image is corrupted or missing, the command fails with a return code of -1.
For example:
execute verify image primary
Verifying the image in flash......100%
No issue found!
execute verify image secondary
Verifying the image in flash......100%
Bad/corrupted image found in flash!
Command fail. Return code -1
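When verification output is collected from many switches, the result lines above can be checked automatically. The following Python code is an added example, not Fortinet code: it parses a captured CLI session using only the output strings shown on this page and reports the partitions that did not verify cleanly. The function names and the sample transcript are constructed for illustration, and how the session is captured is left to your own tooling.

```python
import re

# Constructed sample session, built from the output strings shown on this page.
SAMPLE_TRANSCRIPT = """\
execute verify image primary
Verifying the image in flash......100%
No issue found!
execute verify image secondary
Verifying the image in flash......100%
Bad/corrupted image found in flash!
Command fail. Return code -1
"""

# search() rather than match() so a CLI prompt in front of the command is tolerated.
CMD_RE = re.compile(r"execute verify image (primary|secondary)\s*$")
FAIL_RE = re.compile(r"Command fail\. Return code (-?\d+)")

def parse_verify_results(transcript):
    """Map each verified partition to its status, return code and detail line."""
    results, current = {}, None
    for raw in transcript.splitlines():
        line = raw.strip()
        cmd = CMD_RE.search(line)
        if cmd:
            current = cmd.group(1)
            results[current] = {"status": "unknown", "return_code": None, "detail": ""}
            continue
        if current is None or not line:
            continue
        entry = results[current]
        fail = FAIL_RE.search(line)
        if fail:
            entry["status"], entry["return_code"] = "failed", int(fail.group(1))
        elif line.startswith("Bad/corrupted image"):
            entry["status"], entry["detail"] = "failed", line
        elif line == "No issue found!" and entry["status"] == "unknown":
            entry["status"], entry["detail"] = "ok", line
    return results

def partitions_needing_attention(transcript, expected=("primary", "secondary")):
    """Fail closed: a partition that was never checked, or whose output was cut
    off before a verdict, is reported alongside explicit failures."""
    results = parse_verify_results(transcript)
    return [p for p in expected if results.get(p, {}).get("status") != "ok"]

if __name__ == "__main__":
    for name, info in parse_verify_results(SAMPLE_TRANSCRIPT).items():
        print(name, info["status"], info["return_code"], info["detail"])
    print("needs attention:", partitions_needing_attention(SAMPLE_TRANSCRIPT))
```

On models without a secondary partition, pass expected=("primary",) so the missing partition is not reported.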
Setting the boot partition
You can specify the flash partition for the next reboot. The system can use the boot image from either the primary or the secondary flash partition:
execute set-next-reboot <primary | secondary>
NOTE: You must disable image rotation before you can use the execute set-next-reboot command.
If your FortiSwitch model has dual flash memory, you can use the primary and backup partitions for image rotation. By default, this feature is enabled.
config system global
set image-rotation <enable | disable>
end
To list all of the flash partitions:
diagnose sys flash list
Restoring or upgrading the BIOS
You can restore or upgrade the basic input/output system (BIOS) if needed. After a BIOS upgrade, passwords for all FortiSwitch local users must be reconfigured using the config user local setting.
CAUTION: Only restore or upgrade the BIOS if Customer Support recommends it.
To upgrade or restore the BIOS from the CLI:
execute restore bios tftp <filename_str> <server_ipv4_ipv6_fqdn>
For example:
execute restore bios tftp PPC/FS-3032D/04000009/FS3D323Z14000004.bin 10.105.2.201
The example downloads the BIOS file from the TFTP server at the specified IPv4 address.
NOTE: If the BIOS upgrade fails, do not restart the FortiSwitch unit. Instead, try the CLI command again. If repeating the CLI command does not work, the FortiSwitch unit might require a return merchandise authorization (RMA).