Restoring firmware (“clean install”)
Restoring (also called re-imaging) the firmware can be useful if:
- You are unable to connect to the FortiWeb appliance using the web UI or the CLI
- You want to install firmware without preserving any existing configuration (i.e. a “clean install”)
- A firmware version that you want to install requires a different size of system partition (see the Release Notes accompanying the firmware)
- A firmware version that you want to install requires that you format the boot device (see the Release Notes accompanying the firmware)
Unlike updating firmware, restoring firmware re-images the boot device, including the signatures that were current at the time that the firmware image file was created. Also, restoring firmware can only be done during a boot interrupt, before network connectivity is available, and therefore requires a local console connection to the CLI. It cannot be done through an SSH or Telnet connection.
Alternatively, if you cannot physically access the appliance’s local console connection, connect the appliance’s local console port to a terminal server to which you have network access. Once you have used a client to connect to the terminal server over the network, you will be able to use the appliance’s local console through it. However, be aware that from a remote location, you may not be able to power cycle the appliance if abnormalities occur.
To restore the firmware
Back up your configuration before beginning this procedure, if possible. Restoring firmware resets the configuration, including the IP addresses of network interfaces. For details about backups, see Backups. For details about reconnecting to a FortiWeb appliance whose network interface configuration was reset, see Connecting to the web UI or CLI.
- Download the firmware file from the Fortinet Customer Service & Support website.
- Connect your management computer to the FortiWeb console port using an RJ-45-to-DB-9 serial cable or a null-modem cable.
- Initiate a local console connection from your management computer to the CLI of the FortiWeb appliance, and log in as the admin administrator, or as an administrator account whose access profile contains Read and Write permissions in the Maintenance category. For details, see Connecting to the web UI or CLI.
- Connect port1 of the FortiWeb appliance directly or to the same subnet as a TFTP server.
- Copy the new firmware image file to the root directory of the TFTP server.
- If necessary, start your TFTP server. If you do not have one, you can temporarily install and run one such as tftpd on your management computer.
  Because TFTP is not secure, and because it does not support authentication and could allow anyone to have read and write access, you should only run it on trusted administrator-only networks, never on computers directly connected to the Internet. If possible, turn tftpd off immediately when you are done.
- Verify that the TFTP server is currently running, and that the FortiWeb appliance can reach the TFTP server. To use the FortiWeb CLI to verify connectivity, enter the following command:
  execute ping 192.0.2.168
  where 192.0.2.168 is the IP address of the TFTP server.
- Enter the following command to restart the FortiWeb appliance:
  execute reboot
- As the FortiWeb appliance starts, a series of system startup messages appears, including:
  Press any key to display configuration menu........
- Immediately press a key to interrupt the system startup.
  You have only 3 seconds to press a key. If you do not press a key soon enough, the FortiWeb appliance reboots and you must log in and repeat the execute reboot command.
  If you successfully interrupt the startup process, the following menu appears:
  [G]: Get firmware image from TFTP server.
  [F]: Format boot device.
  [B]: Boot with backup firmware and set as default.
  [Q]: Quit menu and continue to boot with default firmware.
  [H]: Display this list of options.
  Enter G,F,B,Q,or H:
- If the firmware version requires that you first format the boot device before installing firmware, type F. Format the boot disk before continuing.
- Type G to get the firmware image from the TFTP server. The following messages appear:
  Please connect TFTP server to Ethernet port "1".
  Enter TFTP server address [192.0.2.168]:
- Type the IP address of the TFTP server and press Enter. The following message appears:
  Enter local address [192.0.2.188]:
- Type a temporary IP address that can be used by the FortiWeb appliance to connect to the TFTP server. The following message appears:
  Enter firmware image file name [image.out]:
- Type the file name of the firmware image and press Enter. The FortiWeb appliance downloads the firmware image file from the TFTP server and displays a message similar to the following:
  MAC:00219B8F0D94
  ###########################
  Total 28385179 bytes data downloaded.
  Verifying the integrity of the firmware image..
  Save as Default firmware/Backup firmware/Run image without saving:[D/B/R]?
  If the download fails after the integrity check with the error message invalid compressed format (err=1), but the firmware matches the integrity checksum on the Fortinet Technical Support website, try a different TFTP server.
- Type D. The FortiWeb appliance installs the firmware and restarts. The time required varies by the size of the file and the speed of your network connection. The FortiWeb appliance reverts the configuration to default values for that version of the firmware.
- To verify that the firmware was successfully installed, log in to the CLI and type:
  get system status
  The firmware version number is displayed.
- Either reconfigure the FortiWeb appliance or restore the configuration file. For details, see How to set up your FortiWeb and Restoring a previous configuration.
  If you are downgrading the firmware to a previous version, and the settings are not fully backwards compatible, the FortiWeb appliance may either remove incompatible settings or use the feature's default values for that version of the firmware. You may need to reconfigure some settings.
- Update the attack definitions.
  Installing firmware replaces the current attack definitions with those included with the firmware release that you are installing. After you install the new firmware, make sure that your attack definitions are up to date. For details, see Uploading signature & geography-to-IP updates.
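The procedure above leaves three things to the administrator's judgement: that the image in the TFTP root is the one whose checksum is published on the Fortinet Technical Support website, that the file sits in the root under the bare name the boot menu will ask for, and that the unauthenticated tftpd is only reachable from the administrator-only network. The following Python script is an added example (not Fortinet's code and not part of the original page) that runs those three pre-flight checks on the management computer before the reboot step. It assumes a Linux or macOS management computer with Python 3, that the operator supplies the tftpd bind address and the management subnet, and that the expected SHA-256 is copied from the support site; the image bytes and checksum used here are constructed so the script runs offline.

```python
"""Pre-flight checks for a TFTP firmware restore (added example, not vendor code)."""
import hashlib
import hmac
import ipaddress
import os
import tempfile

# Constructed stand-in for the firmware image so the example runs offline.
# A real run hashes the .out file downloaded from the Fortinet support site.
SAMPLE_IMAGE = b"CONSTRUCTED-FIRMWARE-IMAGE-SAMPLE\x00" * 64


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an in-memory byte string (used to derive the sample checksum)."""
    return hashlib.sha256(data).hexdigest()


def verify_image(path: str, expected_sha256: str) -> bool:
    """Hash the image file in chunks and compare it with the published checksum.

    expected_sha256 is a placeholder here; in practice it comes from the
    Fortinet Technical Support website for the exact firmware build.
    """
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return hmac.compare_digest(digest.hexdigest(), expected_sha256.strip().lower())


def tftp_bind_is_confined(bind_addr: str, mgmt_subnet: str) -> bool:
    """TFTP has no authentication, so reject a wildcard or off-subnet bind address.

    0.0.0.0 (or ::) would expose the server on every interface of the
    management computer; a confined bind keeps it on the admin-only network.
    """
    addr = ipaddress.ip_address(bind_addr)
    if addr.is_unspecified:
        return False
    return addr in ipaddress.ip_network(mgmt_subnet, strict=False)


def image_in_tftp_root(tftp_root: str, image_name: str) -> bool:
    """The boot menu prompts for a bare file name, so the image must be in the root."""
    if os.path.basename(image_name) != image_name:
        return False  # sub-directories or path components will not resolve
    return os.path.isfile(os.path.join(tftp_root, image_name))


def preflight(tftp_root: str, image_name: str, expected_sha256: str,
              bind_addr: str, mgmt_subnet: str) -> dict:
    """Run all three checks and report each result separately."""
    present = image_in_tftp_root(tftp_root, image_name)
    checksum_ok = present and verify_image(os.path.join(tftp_root, image_name),
                                           expected_sha256)
    return {
        "image_present": present,
        "checksum_ok": checksum_ok,
        "tftp_confined": tftp_bind_is_confined(bind_addr, mgmt_subnet),
    }


def write_sample_root() -> str:
    """Create a temporary TFTP root holding the constructed sample image as image.out."""
    root = tempfile.mkdtemp(prefix="tftp-root-")
    with open(os.path.join(root, "image.out"), "wb") as fh:
        fh.write(SAMPLE_IMAGE)
    return root


if __name__ == "__main__":
    root = write_sample_root()
    # PLACEHOLDER: on a real run paste the checksum published on the support site.
    expected = sha256_hex(SAMPLE_IMAGE)
    print(preflight(root, "image.out", expected, "192.0.2.168", "192.0.2.0/24"))
```

Only proceed to execute reboot when all three results are True; a False checksum_ok after a download that the appliance then rejects with invalid compressed format (err=1) points at a corrupted or wrong image rather than at the TFTP server.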