
FortiSwitchOS Administration Guide

Firmware

Starting in FortiSwitchOS 7.4.0, the GUI provides OS image signature verification. To see which models support this feature, refer to the FortiSwitch feature matrix. If the BIOS version does not support OS image signature verification, the GUI displays a warning message when you log in.

  • If you upload an unverified firmware image, the GUI displays a “WARNING: This firmware failed signature validation.” message.

  • If you log in to a FortiSwitch unit running an unverified firmware image, the GUI displays an “Unverified Image Detected” message.

  • After you log in to a FortiSwitch unit running an unverified firmware image, the GUI displays a triangle with a red exclamation mark in the title bar.


Upgrading the firmware

Use these procedures to upgrade your FortiSwitch firmware.

Using the GUI

  1. Go to System > Config > Firmware.
  2. Click Choose File and then navigate to the firmware image.
  3. Select Apply.
  4. If the firmware image is unverified, the GUI displays a “WARNING: This firmware failed signature validation.” message. You must click Continue if you still want to upgrade to this firmware image.

Using the CLI

You can download a firmware image from an FTP server, from a FortiManager unit, from an SFTP server, or from a TFTP server. The FortiSwitch unit reboots and then loads the new firmware.

execute restore image ftp <filename_str> <server_ipv4_ipv6_fqdn[:port_int]> [<username_str> <password_str>]

execute restore image management-station <version_int>

execute restore image sftp <filename_str> <server_ipv4_ipv6_fqdn[:port_int]> [<username_str> <password_str>]

execute restore image tftp <filename_str> <server_ipv4_ipv6_fqdn>

The following example shows how to upload a configuration file from a TFTP server to the FortiSwitch unit and restart the FortiSwitch unit with this configuration. The name of the configuration file on the TFTP server is backupconfig. The IPv4 address of the TFTP server is 192.168.1.23.

execute restore config tftp backupconfig 192.168.1.23

The following example shows how to upload a configuration file from an SFTP server to the FortiSwitch unit and restart the FortiSwitch unit with this configuration. The name of the configuration file on the SFTP server is backupconfig. The IPv6 address of the SFTP server is 6001:7:7:7::2, and the port number is 2222. To access the SFTP server, you need to add the user name, admin, and the password, adminpassword.

execute restore config sftp backupconfig [6001:7:7:7::2]:2222 admin adminpassword

You can also load a firmware image from an FTP or TFTP server without restarting the FortiSwitch unit:

execute stage image ftp <string> <ftp server>[:ftp port]

execute stage image tftp <string> <ip>

To check if the firmware image is verified:

get system status

Verifying image integrity

To verify the integrity of the images in the primary and secondary (if applicable) flash partitions, use the following commands:

execute verify image primary

execute verify image secondary

If the image is corrupted or missing, the command fails with a return code of -1.

For example:

execute verify image primary

Verifying the image in flash......100%

No issue found!

execute verify image secondary

Verifying the image in flash......100%

Bad/corrupted image found in flash!

Command fail. Return code -1
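
When these commands are run across many switches, the verdict can be read from saved session logs. The following is an added example, not part of the Fortinet guide: the function names are hypothetical, the sample transcript is constructed from the output shown above, and it assumes each CLI session was captured to text.

```python
import re

# Command and message strings are the ones shown in the example output above.
CMD_RE = re.compile(r"execute verify image (primary|secondary)\s*$")
FAIL_RE = re.compile(r"Command fail\. Return code (-?\d+)")
OK_TEXT = "No issue found!"
BAD_TEXT = "Bad/corrupted image found in flash!"


def parse_verify_transcript(text):
    """Return {partition: {'status': 'ok'|'failed'|'incomplete', 'return_code': int|None}}."""
    results, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        cmd = CMD_RE.search(line)  # search() tolerates a CLI prompt before the command
        if cmd:
            current = cmd.group(1)
            # 'incomplete' stays if the log was cut off before a verdict line
            results[current] = {"status": "incomplete", "return_code": None}
        elif current is not None:
            entry, fail = results[current], FAIL_RE.search(line)
            if line == BAD_TEXT or fail:
                entry["status"] = "failed"
                if fail:
                    entry["return_code"] = int(fail.group(1))
            elif line == OK_TEXT and entry["status"] == "incomplete":
                entry["status"] = "ok"
    return results


def partitions_needing_attention(text, expected=("primary", "secondary")):
    """List expected partitions that were not run or did not verify cleanly."""
    results = parse_verify_transcript(text)
    return [p for p in expected if results.get(p, {}).get("status") != "ok"]


# Constructed sample: the session from the example above, as saved to a log.
SAMPLE = """\
execute verify image primary
Verifying the image in flash......100%
No issue found!
execute verify image secondary
Verifying the image in flash......100%
Bad/corrupted image found in flash!
Command fail. Return code -1
"""

if __name__ == "__main__":
    print(partitions_needing_attention(SAMPLE))
```

For models without a secondary flash partition, pass expected=("primary",) so that the missing secondary check is not reported.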

Setting the boot partition

You can specify the flash partition for the next reboot. The system can use the boot image from either the primary or the secondary flash partition:

execute set-next-reboot <primary | secondary>

NOTE: You must disable image rotation before you can use the execute set-next-reboot command.

If your FortiSwitch model has dual flash memory, you can use the primary and backup partitions for image rotation. By default, this feature is enabled.

config system global
    set image-rotation <enable | disable>
end

To list all of the flash partitions:

diagnose sys flash list

Restoring or upgrading the BIOS

You can restore or upgrade the basic input/output system (BIOS) if needed. After a BIOS upgrade, passwords for all FortiSwitch local users must be reconfigured using the config user local setting.

CAUTION: Only restore or upgrade the BIOS if Customer Support recommends it.

To upgrade or restore the BIOS from the CLI:

execute restore bios tftp <filename_str> <server_ipv4_ipv6_fqdn>

For example:

execute restore bios tftp PPC/FS-3032D/04000009/FS3D323Z14000004.bin 10.105.2.201

The example downloads the BIOS file from the TFTP server at the specified IPv4 address.

NOTE: If the BIOS upgrade fails, do not restart the FortiSwitch unit. Instead, try the CLI command again. If repeating the CLI command does not work, the FortiSwitch unit might require a return merchandise authorization (RMA).
