Updating the firmware
Your FortiWeb comes with the latest operating system (firmware) when shipped. However, if a new version released since your appliance shipped, you should install it before you continue the installation.
Fortinet periodically releases FortiWeb firmware updates to include enhancements and address security issues. Once you register your FortiWeb, firmware is available for download through Fortinet Customer Service & Support at:
Installing new firmware can overwrite attack signature packages using the versions of the packages that were current at the time that the firmware image was built. To avoid repeat updates, update the firmware before updating your FortiGuard packages.
New firmware can also introduce new features which you must configure for the first time.
For information about a particular firmware release, see the Release Notes for that release at:
http://docs.fortinet.com/fortiweb/release-information
In addition to major releases that contain new features, Fortinet releases patch releases that resolve specific issues without containing new features and/or changes to existing features. It is recommended to download and install patch releases as soon as they are available. |
See also
Testing new firmware before installing it
You can test a new firmware image by temporarily running it from memory, without saving it to disk. By keeping your existing firmware on disk, if the evaluation fails, you do not have to re-install your previous firmware. Instead, you can quickly revert to your existing firmware by simply rebooting the FortiWeb appliance.
To test a new firmware image
- Download the firmware file from the Fortinet Technical Support website:
- Connect your management computer to the FortiWeb console port using a RJ-45-to-DB-9 serial cable or a null-modem cable.
- Initiate a connection from your management computer to the CLI of the FortiWeb appliance.
For details, see Connecting to the web UI or CLI. - Connect port1 of the FortiWeb appliance directly or to the same subnet as a TFTP server.
- Copy the new firmware image file to the root directory of the TFTP server.
- If necessary, start your TFTP server. If you do not have one, you can temporarily install and run one such as
tftpd
on your management computer: - Verify that the TFTP server is currently running, and that the FortiWeb appliance can reach the TFTP server.
- Enter the following command to restart the FortiWeb appliance:
- As the FortiWeb appliances starts, a series of system startup messages appear.
- Immediately press a key to interrupt the system startup.
- Type
G
to get the firmware image from the TFTP server. - Type the IP address of the TFTP server and press Enter.
- Type a temporary IP address that can be used by the FortiWeb appliance to connect to the TFTP server.
- Type the firmware image file name and press Enter.
- Type
R
. - To verify that the new firmware image was loaded, log in to the CLI and type:
- Test the new firmware image.
Windows: http://tftpd32.jounin.net
Mac OS X: From the Terminal, enter the man tftp
command.
Because TFTP is not secure, and because it does not support authentication and could allow anyone to have read and write access, you should only run it on trusted administrator-only networks, never on computers directly connected to the Internet. If possible, immediately turn off tftpd off when you are done. |
To use the FortiWeb CLI to verify connectivity, enter the following command:
execute ping 192.168.1.168
where 192.168.1.168
is the IP address of the TFTP server.
execute reboot
Press any key to display configuration menu........
You have only three seconds to press a key. If you do not press a key soon enough, the FortiWeb appliance reboots and you must log in and repeat the execute reboot command. |
If you successfully interrupt the startup process, the following messages appears:
[G]: Get firmware image from TFTP server.
[F]: Format boot device.
[B]: Boot with backup firmware and set as default.
[Q]: Quit menu and continue to boot with default firmware.
[H]: Display this list of options.
Enter G,F,B,Q,or H:
Please connect TFTP server to Ethernet port "1".
The following message appears:
Enter TFTP server address [192.168.1.168]:
The following message appears:
Enter local address [192.168.1.188]:
The following message appears:
Enter firmware image file name [image.out]:
The FortiWeb appliance downloads the firmware image file from the TFTP server and displays a message similar to the following:
MAC:00219B8F0D94
###########################
Total 28385179 bytes data downloaded.
Verifying the integrity of the firmware image..
Save as Default firmware/Backup firmware/Run image without saving:[D/B/R]?
If the download fails after the integrity check with the error message:invalid compressed format (err=1) but the firmware matches the integrity checksum on the Fortinet Technical Support website, try a different TFTP server. |
The FortiWeb image is loaded into memory and uses the current configuration, without saving the new firmware image to disk.
get system status
- If the new firmware image operates successfully, you can install it to disk, overwriting the existing firmware, using the procedure Installing firmware.
- If the new firmware image does not operate successfully, reboot the FortiWeb appliance to discard the temporary firmware and resume operation using the existing firmware.
See also
Installing firmware
You can use either the web UI or the CLI to upgrade or downgrade the appliance’s operating system.
If you are installing a firmware version that requires a different size of system partition, you may be required to format the boot device before installing the firmware by re-imaging the boot device. Consult the Release Notes. In that case, do not install the firmware using this procedure. Instead, see Restoring firmware (“clean install”).
Firmware changes are either:
- an update to a newer version
- a reversion to an earlier version
To determine if you are updating or reverting the firmware, go to System > Status > Status and in the System Information widget, see the Firmware Version row. (Alternatively, in the CLI, enter the command get system status
.)
For example, if your current firmware version is:
FortiWeb-VM 4.32,build0531,111031
changing to
FortiWeb-VM 4.32,build0530,110929
an earlier build number (530) and date (110929
means September 29, 2011), indicates that you are reverting.
Back up all parts of your configuration before beginning this procedure. Some backup types do not include the full configuration. For full backup instructions, see Backups. Reverting to an earlier firmware version could reset settings that are not compatible with the new firmware. For example, FortiWeb 5.0 configuration files are not compatible with previous firmware versions. If you later decide to downgrade to FortiWeb 4.4.6 or earlier, your FortiWeb appliance will lose its configuration. To restore the configuration, you will need a backup that is compatible with the older firmware. For details about reconnecting to a FortiWeb appliance whose network interface configuration was reset, see Connecting to the web UI or CLI. |
To install firmware via the web UI
- Download the firmware file from the Fortinet Technical Support website:
https://support.fortinet.com/ - Log in to the web UI of the FortiWeb appliance as the
admin
administrator, or an administrator account whose access profile contains Read and Write permissions in the Maintenance category. - Go to System > Status > Status.
- In the System Information widget, in the Firmware Version row, click Update.
The Firmware Upgrade/Downgrade dialog appears. - Click Browse to locate and select the firmware file that you want to install, then click OK.
- Click OK.
- Clear the cache of your web browser and restart it to ensure that it reloads the web UI and correctly displays all interface changes. For details, see your browser's documentation.
- To verify that the firmware was successfully installed, log in to the web UI and go to System > Status > Status.
In the System Information widget, the Firmware Version row indicates the currently installed firmware version. - If you want to install alternate firmware on the secondary partition, follow Installing alternate firmware.
- Continue with Changing the “admin” account password.
Updating firmware on an HA pair requires some additions to the usual steps for a standalone appliance. For details, see Updating firmware on an HA pair. |
Your management computer uploads the firmware image to FortiWeb. FortiWeb installs the firmware and restarts. The time required varies by the size of the file and the speed of your network connection.
If you are downgrading the firmware to a previous version, and the settings are not fully backwards compatible, the FortiWeb appliance may either remove incompatible settings, or use the feature’s default values for that version of the firmware. You may need to reconfigure some settings. |
Installing firmware replaces the current attack definitions with those included in the firmware release that you're installing. If you are updating or rearranging an existing deployment, after you install new firmware, make sure that your attack definitions are up-to-date. For details, see Manually initiating update requests. |
To install firmware via the CLI
- Download the firmware file from the Fortinet Customer Service & Support website:
https://support.fortinet.com/ - Connect your management computer to the FortiWeb console port using a RJ-45-to-DB-9 serial cable or a null-modem cable.
- Initiate a connection from your management computer to the CLI of the FortiWeb appliance, and log in as the
admin
administrator, or an administrator account whose access profile contains Read and Write permissions in the Maintenance category. For details, see Permissions. - Connect port1 of the FortiWeb appliance directly or to the same subnet as a TFTP server.
- Copy the new firmware image file to the root directory of the TFTP server.
- If necessary, start your TFTP server. If you do not have one, you can temporarily install and run one such as
tftpd
on your management computer: - Verify that the TFTP server is currently running, and that the FortiWeb appliance can reach the TFTP server.
- Enter the following command to download the firmware image from the TFTP server to FortiWeb:
- Type
y
. - To verify that the firmware was successfully installed, log in to the CLI and type:
- If you want to install alternate firmware on the secondary partition, follow Installing alternate firmware.
- Continue with Changing the “admin” account password.
If you are downgrading the firmware to a previous version, FortiWeb reverts the configuration to default values for that version of the firmware. You will need to reconfigure FortiWeb or restore the configuration file from a backup. For details, see Connecting to the web UI or CLI and, if you opt to restore the configuration, Restoring a previous configuration.
Updating firmware on an HA pair requires some additions to the usual steps for a standalone appliance. For details, see Updating firmware on an HA pair. |
Windows: http://tftpd32.jounin.net
Mac OS X: From the Terminal, enter the man tftp
command.
Because TFTP is not secure, and because it does not support authentication and could allow anyone to have read and write access, you should only run it on trusted administrator-only networks, never on computers directly connected to the Internet. If possible, immediately turn off tftpd off when you are done. |
To use the FortiWeb CLI to verify connectivity, enter the following command:
execute ping 192.168.1.168
where 192.168.1.168
is the IP address of the TFTP server.
execute restore image tftp <name_str> <tftp_ipv4>
where <name_str>
is the name of the firmware image file and <tftp_ipv4>
is the IP address of the TFTP server. For example, if the firmware image file name is image.out
and the IP address of the TFTP server is 192.168.1.168, enter:
execute restore image tftp image.out 192.168.1.168
One of the following messages appears:
This operation will replace the current firmware version!
Do you want to continue? (y/n)
or:
Get image from tftp server OK.
Check image OK.
This operation will downgrade the current firmware version!
Do you want to continue? (y/n)
The FortiWeb appliance downloads the firmware image file from the TFTP server. The FortiWeb appliance installs the firmware and restarts:
MAC:00219B8F0D94
###########################
Total 28385179 bytes data downloaded.
Verifying the integrity of the firmware image.
Save as Default firmware/Backup firmware/Run image without saving:[D/B/R]?
The time required varies by the size of the file and the speed of your network connection.
If the download fails after the integrity check with the error message:invalid compressed format (err=1) but the firmware matches the integrity checksum on the Fortinet Technical Support website, try a different TFTP server. |
get system status
The firmware version number is displayed.
Installing firmware replaces the current FortiGuard packages with those included with the firmware release that you are installing. If you are updating or rearranging an existing deployment, after you install new firmware, make sure that your attack definitions are up-to-date. For details, see Manually initiating update requests. |
See also
Updating firmware on an HA pair
Installing firmware on an HA pair is similar to installing firmware on a single, standalone appliance.
If downgrading to a previous version, do not use this procedure. The HA daemon on the standby appliance might detect that the main appliance has older firmware, and attempt to upgrade it to bring it into sync, undoing your downgrade.
Instead, switch out of HA, downgrade each appliance individually, then switch them back into HA mode.
To ensure minimal interruption of service to clients, use the following steps.
This update procedure is only valid for upgrading from FortiWeb 4.0 MR4 or later. If you are upgrading from FortiWeb 4.0 MR3 or earlier, the active appliance will not automatically send the new firmware to the standby appliance(s); you must quickly connect to the standby and manually install the new firmware while the originally active appliance is upgrading and rebooting. Alternatively, switch the appliances out of HA mode, upgrade them individually, then switch them back into HA mode. |
To update the firmware of an HA pair
- Verify that both of the members in the HA pair are powered on and available on all of the network interfaces that you have configured. If required ports are not available, HA port monitoring could inadvertently trigger an additional failover and traffic interruption during the firmware update.
- Log in to the web UI of the primary appliance as the
admin
administrator. - Install the firmware on the primary appliance. For details, see Installing firmware. When installing via the web UI, a message will appear after your web browser has uploaded the file:
Alternatively, log on with an administrator account whose access profile contains Read and Write permissions in the Maintenance category. For details, see Permissions.
Sending the new firmware file to the standby. Please wait and keep the web GUI untouched...
Closing your browser window or using the back or forward buttons can interrupt the upgrade process, resulting in a split brain problem — both the upgrade of the initial master and HA will be interrupted, because both appliances will believe they are the main appliance. |
The primary appliance will transmit the firmware file to the standby appliance over its HA link.The standby appliance will upgrade its firmware first; on the active appliance, this will be recorded in an event log message such as:
Member (FV-1KC3R11111111) left HA group
After the standby appliance reboots and indicates via the HA heartbeat that it is up again, the primary appliance will begin to update its own firmware. During that time, the standby appliance will temporarily become active and process your network’s traffic. After the original appliance reboots, it indicates via the HA heartbeat that it is up again. Which appliance will assume the active role of traffic processing depends on your configuration (see How HA chooses the active appliance):
- If FortiWeb high availability (HA) is enabled, the cluster will consider your FortiWeb high availability (HA) setting. Therefore both appliances usually make a second failover in order to resume their original roles.
- If FortiWeb high availability (HA) is disabled, the cluster will consider uptime first. The original primary appliance will have a smaller uptime due to the order of reboots during the firmware upgrade. Therefore it will not resume its active role; instead, the standby will remain the new primary appliance. A second failover will not occur.
Reboot times vary by the appliance model, and also by differences between the original firmware and the firmware you are installing, which may require the installer to convert the configuration and/or disk partitioning schemes to be compatible with the new firmware version.
See also
Installing alternate firmware
You can install alternate firmware which can be loaded from its separate partition if the primary firmware fails. This can be accomplished via the web UI or CLI.
To install alternate firmware via the web UI
- Download the firmware file from the Fortinet Customer Service & Support website:
https://support.fortinet.com/ - Log in to the web UI of the FortiWeb appliance as the
admin
administrator, or an administrator account whose access profile contains Read and Write permissions in the Maintenance category. - Go to System > Maintenance > Backup & Restore.
To access this part of the web UI, your administrator account’s access profile must have Read and Writepermission to items in the Maintenancecategory. For details, see Permissions. - Select the Local Backup tab.
- In the Firmware area, in the row of the alternate partition, click Upload and Reboot.
The Firmware Upgrade/Downgrade dialog appears. - For From, select the hard disk from which you want to install the firmware file.
- Click Browse to locate and select the firmware file that you want to install, then click OK.
- Click OK.
- Clear the cache of your web browser and restart it to ensure that it reloads the web UI and correctly displays all interface changes. For details, see your browser's documentation.
- To verify that the firmware was successfully installed, log in to the web UI and go to System > Status > Status.
Updating firmware on an HA pair requires some additions to the usual steps for a standalone appliance. For details, see Updating firmware on an HA pair. |
Your management computer uploads the firmware image to FortiWeb. FortiWeb installs the firmware and restarts. The time required varies by the size of the file and the speed of your network connection.
If you are downgrading the firmware to a previous version, and the settings are not fully backwards compatible, the FortiWeb appliance may either remove incompatible settings, or use the feature’s default values for that version of the firmware. You may need to reconfigure some settings. |
In the System Information widget, the Firmware Version row indicates the currently installed firmware version.
To install alternate firmware via the CLI
- Download the firmware file from the Fortinet Technical Support website:
https://support.fortinet.com/ - Connect your management computer to the FortiWeb console port using a RJ-45-to-DB-9 serial cable or a null-modem cable.
- Initiate a connection from your management computer to the CLI of the FortiWeb appliance, and log in as the
admin
administrator, or an administrator account whose access profile contains Read and Write permissions in the Maintenance category. For details, see Permissions. - Connect port1 of the FortiWeb appliance directly or to the same subnet as a TFTP server.
- Copy the new firmware image file to the root directory of the TFTP server.
- If necessary, start your TFTP server. If you do not have one, you can temporarily install and run one such as
tftpd
on your management computer: - Verify that the TFTP server is currently running, and that the FortiWeb appliance can reach the TFTP server.
- Enter the following command to restart the FortiWeb appliance:
- Immediately press a key to interrupt the system startup.
- Type
G
to get the firmware image from the TFTP server. - Type the IP address of the TFTP server and press Enter.
- Type a temporary IP address that can be used by the FortiWeb appliance to connect to the TFTP server.
- Type the firmware image file name and press Enter.
- Type
B
.
Windows: http://tftpd32.jounin.net
Mac OS X: From the Terminal, enter the man tftp
command.
Because TFTP is not secure, and because it does not support authentication and could allow anyone to have read and write access, you should only run it on trusted administrator-only networks, never on computers directly connected to the Internet. If possible, immediately turn off tftpd off when you are done. |
To use the FortiWeb CLI to verify connectivity, enter the following command:
execute ping 192.168.1.168
where 192.168.1.168
is the IP address of the TFTP server.
execute reboot
As the FortiWeb appliances starts, a series of system startup messages appear.
Press any key to display configuration menu........
You have only 3 seconds to press a key. If you do not press a key soon enough, the FortiWeb appliance reboots and you must log in and repeat the execute reboot command. |
If you successfully interrupt the startup process, the following messages appears:
[G]: Get firmware image from TFTP server.
[F]: Format boot device.
[B]: Boot with backup firmware and set as default.
[Q]: Quit menu and continue to boot with default firmware.
[H]: Display this list of options.
Enter G,F,B,Q,or H:
Please connect TFTP server to Ethernet port "1".
The following message appears:
Enter TFTP server address [192.168.1.168]:
The following message appears:
Enter local address [192.168.1.188]:
The following message appears:
Enter firmware image file name [image.out]:
The FortiWeb appliance downloads the firmware image file from the TFTP server and displays a message similar to the following:
MAC:00219B8F0D94
###########################
Total 28385179 bytes data downloaded.
Verifying the integrity of the firmware image.
Save as Default firmware/Backup firmware/Run image without saving:[D/B/R]?
If the download fails after the integrity check with the error message:invalid compressed format (err=1) but the firmware matches the integrity checksum on the Fortinet Technical Support website, try a different TFTP server. |
The FortiWeb appliance saves the backup firmware image and restarts. When the FortiWeb appliance reboots, it is running the primary firmware.
See also
Booting from the alternate partition
System > Maintenance > Backup & Restore lists the firmware versions currently installed on your FortiWeb appliance.
Each appliance can have up to two firmware versions installed. Each firmware version is stored in a separate partition. The partition whose firmware is currently running is noted with a white check mark in a green circle in the Active column.
To boot into alternate firmware via the web UI
Install firmware onto the alternate partition. For details, see Installing alternate firmware.
- Go to System > Maintenance > Backup & Restore, and select the Local Backup tab.
- In the Firmware area, click Boot alternate firmware.
A warning message appears. - Click OK.
A message appears instructing you to refresh your browser in a few minutes after the appliance has booted the other firmware.
To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Maintenance category. For details, see Permissions.
To boot into alternate firmware via the local console CLI
- Install firmware onto the alternate partition. For details, see Installing alternate firmware.
- Connect your management computer to the FortiWeb console port using a RJ-45-to-DB-9 serial cable or a null-modem cable.
- Initiate a connection from your management computer to the CLI of the FortiWeb appliance, and log in as the
admin
administrator, or an administrator account whose access profile contains Read and Write permissions in the Maintenance category. - Enter the following command to restart the FortiWeb appliance:
- As the FortiWeb appliances starts, a series of system startup messages appear.
- Type
B
to reboot and use the backup firmware.
For details, see Connecting to the web UI or CLI.
execute reboot
Press any key to display configuration menu........
Immediately press a key to interrupt the system startup.
You have only 3 seconds to press a key. If you do not press a key soon enough, the FortiWeb appliance reboots and you must log in and repeat the execute reboot command. |
If you successfully interrupt the startup process, the following messages appears:
[G]: Get firmware image from TFTP server.
[F]: Format boot device.
[B]: Boot with backup firmware and set as default.
[Q]: Quit menu and continue to boot with default firmware.
[H]: Display this list of options.
Enter G,F,B,Q,or H:
Please connect TFTP server to Ethernet port "1".