
Azure Administration Guide

Upgrading the deployment

An existing FortiGate Autoscale for Azure deployment can be upgraded in one specific scenario:

  • It was deployed with the 2.0.9 template.

To determine which template was used in your deployment, refer to the section Determining the FortiGate Autoscale release version.

Caution

Read these instructions completely before starting an upgrade.

A deployment with the 2.0.9 template can be upgraded only to the 3.3.2 template. During the upgrade, users can optionally consolidate logging and reporting for the FortiGate cluster by integrating FortiAnalyzer 6.2.5 or FortiAnalyzer 6.4.5.

Prerequisites for upgrading

  • Linux Operating System
  • NodeJS 14
  • Azure CLI
  • FortiGate Autoscale for Azure upgrade templates

Obtaining the upgrade templates

The FortiGate Autoscale for Azure upgrade templates are located in the Fortinet Autoscale for Azure GitHub project. Navigate to the 2.0.9 upgrade (3.3.2) release and download fortigate-autoscale-azure.zip.

Unzip this file on your local PC. The templates folder will contain these files:

  • upgrade_fortigate_autoscale_from_2.0.9_to_3.3.2.preparation.json
    This template prepares the environment for the upgrade.
  • upgrade_fortigate_autoscale_from_2.0.9_to_3.3.2.json
    This template performs the upgrade from the 2.0.9 template to the 3.3.2 template and pairs with the optional parameter template.
  • (optional) upgrade_fortigate_autoscale_from_2.0.9_to_3.3.2.params.json
    This parameter template pairs with the upgrade template.
  • upgrade_fortigate_autoscale_from_2.0.9_to_3.3.2.cleanup.json
    This template finalizes the upgrade process.

Before you start an upgrade

Upgrading the deployment requires values from the existing 2.0.9 deployment. The following sections describe how to locate these values.

Locating values from the 2.0.9 deployment

  1. Navigate to the Microsoft.Template Overview by following the steps 1-3 of the section Locating deployment Outputs.
  2. On the Overview page, note the value for the parameter Subscription as you will need it for the upgrade.
  3. Click Outputs and note the values for the parameters resourceGroupName and vNetResourceGroupName as you will need them for the upgrade.
  4. Click Inputs.
  5. Make note of values on this page as you will need them for the upgrade.

Upgrade iteration

Upgrade Iteration is an important parameter throughout the entire process. The allowable values for Upgrade Iteration are limited to the numbers 2 through 9. This value is used to form a unique name for the new resources related to the upgrade. If there are errors during the upgrade, the entire stack can be rolled back; the Upgrade Iteration value is used to remove the resources which were created.

When performing the upgrade for the first time, set Upgrade Iteration to 2. If errors occur, roll back the upgrade and start over with Upgrade Iteration set to 3. Repeat if necessary, increasing the value of Upgrade Iteration each time.

Note

When a deployment is rolled back, the Key Vault will be soft-deleted. Once the Key Vault is permanently deleted, the Upgrade Iteration number can be reused. To permanently delete the Key Vault, open the Azure CLI and run the upgradeIterationCmdDeleteKeyVaultPermanent command from the Outputs of the cleanup template.

Performing the upgrade

The upgrade solution described here is a rollback-capable solution for preparing, creating, and removing resources. The steps below will guide you through the upgrade process.

Caution

Before starting an upgrade, ensure that the values for the 2.0.9 template deployment have been located.

  1. Deploy the preparation template as described in the section Deploying the preparation template.
  2. Deploy the upgrade template as described in the section Deploying the upgrade template.
  3. Verify the newly deployed resources. For details, refer to the section Verifying the upgrade deployment.
    Note

    Do not start the BYOL or PAYG VMSS until you initialize the database. In other words, ensure the instance number of the VMSS is set to 0.

  4. Initialize the database. For details, refer to the section Initializing the database.
  5. Start the two new VMSS. For details, refer to the section Starting a VMSS.
  6. Observe the FortiGate-VMs running in the two VMSS and ensure they are running correctly.
  7. Deploy the cleanup template. For details, refer to the section Deploying the cleanup template.

Deploying the preparation template

  1. Create a template deployment using the preparation template. For details, refer to the section Creating a template deployment. When prompted for parameters, use values as described in the table below:

    | Parameter display name | 2.0.9 template Input | 2.0.9 template Output | Value to use |
    |---|---|---|---|
    | Subscription | * | * | Use the value from the 2.0.9 template deployment. Do not change it. |
    | Resource group | | resourceGroupName | Use the value from the 2.0.9 template deployment. Do not change it. |
    | Resource Name Prefix | resourceNamePrefix | | Use the value from the 2.0.9 template deployment. Do not change it. |
    | Vnet Resource Group Name | | vNetResourceGroupName | Use the value from the 2.0.9 template deployment. Do not change it. |
    | Region | * | * | This value cannot be changed. It is tied to the Resource group. |
    | Upgrade Iteration | * | * | Refer to the section Upgrade iteration. |

    * indicates that there isn’t a value present in the 2.0.9 template Inputs or Outputs.

  2. When deployment of the preparation template has completed, navigate to the Outputs. For details, refer to the section Locating deployment Outputs.
  3. Copy the cmdUpdateAllInOne command.
  4. Open a terminal in your Linux OS.
  5. Log in to your Azure account with the command az login.
  6. Run the command cmdUpdateAllInOne.
  7. Wait for the command to be fully finished.

Deploying the upgrade template

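  1. Create a template deployment using the upgrade template. For details, refer to the section Creating a template deployment. For descriptions of the variables, refer to the section Configurable variables. When prompted for parameters, use values as described in the table used when creating a template deployment with the preparation template and from the table below:

    | Parameter display name | 2.0.9 template Input | Value to use |
    |---|---|---|
    | Access Restriction IP Range | accessRestrictionIPRange | Use the value from the 2.0.9 template deployment. May be adjusted to meet the new needs. |
    | Admin Password | adminPassword | Requires manual input. The value from the 2.0.9 template deployment is recommended; a new value may be entered. |
    | Admin Username | adminUsername | Use the value from the 2.0.9 template deployment. |
    | BYOL Instance Count | byolInstanceCount | Use the value from the 2.0.9 template deployment. May be adjusted to meet the new needs. |
    | FOS Version | fosVersion | Use values from the drop-down list. The latest version is recommended. |
    | Forti Analyzer Autoscale Admin Password | * | Follow the instructions in the parameter description. |
    | Forti Analyzer Autoscale Admin Username | * | Follow the instructions in the parameter description. |
    | Forti Analyzer Custom Private IP Address | * | Follow the instructions in the parameter description. |
    | Forti Analyzer Instance Type | * | Follow the instructions in the parameter description. |
    | Forti Analyzer Integration Options | * | Follow the instructions in the parameter description. |
    | Forti Analyzer Version | * | Follow the instructions in the parameter description. |
    | Forti Gate PSK Secret | fortiGatePSKSecret | Requires manual input. The value from the 2.0.9 template deployment is recommended; a new value may be entered. |
    | Heart Beat Delay Allowance | heartBeatDelayAllowance | Use the value from the 2.0.9 template deployment. May be adjusted to meet the new needs. |
    | Heart Beat Interval | heartBeatInterval | Use the value from the 2.0.9 template deployment. May be adjusted to meet the new needs. |
    | Heart Beat Loss Count | heartBeatLossCount | Use the value from the 2.0.9 template deployment. May be adjusted to meet the new needs. |
    | Instance Type | instanceType | Use the value from the 2.0.9 template deployment. May be adjusted to meet the new needs. |
    | Key Vault Name | * | Follow the instructions in the parameter description. |
    | Max BYOL Instance Count | maxBYOLInstanceCount | Use the value from the 2.0.9 template deployment. May be adjusted to meet the new needs. |
    | Max PAYG Instance Count | maxPAYGInstanceCount | Use the value from the 2.0.9 template deployment. May be adjusted to meet the new needs. |
    | Min BYOL Instance Count | minBYOLInstanceCount | Use the value from the 2.0.9 template deployment. May be adjusted to meet the new needs. |
    | Min PAYG Instance Count | minPAYGInstanceCount | Use the value from the 2.0.9 template deployment. May be adjusted to meet the new needs. |
    | PAYG Instance Count | PAYGInstanceCount | Use the value from the 2.0.9 template deployment. May be adjusted to meet the new needs. |
    | Package Res URL | packageResURL | Use the template default value. Do not change it. |
    | Primary Election Timeout | masterElectionTimeout | Use the value from the 2.0.9 template deployment. May be adjusted to meet the new needs. |
    | Scale In Threshold | scaleInThreshold | Use the value from the 2.0.9 template deployment. May be adjusted to meet the new needs. |
    | Scale Out Threshold | scaleOutThreshold | Use the value from the 2.0.9 template deployment. May be adjusted to meet the new needs. |
    | Service Plan Tier | * | Follow the instructions in the parameter description. |
    | Service Principal App ID | restAppID | Use the value from the 2.0.9 template deployment. Do not change it. |
    | Service Principal App Secret | restAppSecret | Use the value from the 2.0.9 template deployment. Do not change it. |
    | Service Principal Object ID | * | Follow the instructions in the parameter description. |
    | Storage Account Type | storageAccountType | Use the value from the 2.0.9 template deployment. May be adjusted to meet the new needs. |
    | Subnet1Name | subnet1Name | Follow the instructions in the parameter description. |
    | Subnet2Name | subnet2Name | Follow the instructions in the parameter description. |
    | Subnet3Name | subnet3Name | Follow the instructions in the parameter description. |
    | Subnet4Name | subnet4Name | Follow the instructions in the parameter description. |
    | Vnet Address Space | vnetAddressSpace | Use the value from the 2.0.9 template deployment. Do not change it. |
    | Vnet Name | vnetName | Use the value from the 2.0.9 template deployment. Do not change it. |

    If the deployment does not complete successfully, go to the section Troubleshooting the upgrade.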

  2. Upload configset files to the Storage account. For details, refer to the section Uploading files to the Storage account.
  3. If you will be using BYOL instances, upload license files to the Storage account.
    Note

    License files from the 2.0.9 deployment can be reused. However, re-using a license will invalidate the FortiGate which is currently using the license.

Verifying the upgrade deployment

The FortiGate Autoscale for Azure 3.3.2 template will be deployed into the Resource Group and a new set of the following 6 resources will be created:

  • Function App
  • App Service plan
  • Application Insights
  • Storage account
  • Azure Cosmos DB account
  • Virtual machine scale set (BYOL)
  • Virtual machine scale set (PAYG)

These resources will be created with the same name as the previous 2.0.9 resources with the iteration number appended. For example, if the Upgrade Iteration is 2, the number appended is 002. Verify that they have been created. For details on verifying components, refer to the section Verifying the deployment.
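The check described above can be scripted. The following is an added example, not part of the Fortinet guide or its templates: it reads JSON in the shape printed by `az resource list --resource-group <rg> -o json`, selects the resources whose names end with the iteration suffix, confirms that each listed resource kind is present, and flags any scale set whose capacity is not 0 before the database is initialized. It assumes the suffix is the last three characters of each name and that `sku.capacity` is present for scale sets; the resource names in the sample are constructed.

```python
import json

# ARM resource types for the resources listed above, with the count expected
# for one upgrade iteration (two scale sets: BYOL and PAYG).
EXPECTED_TYPES = {
    "microsoft.web/sites": 1,                        # Function App
    "microsoft.web/serverfarms": 1,                  # App Service plan
    "microsoft.insights/components": 1,              # Application Insights
    "microsoft.storage/storageaccounts": 1,          # Storage account
    "microsoft.documentdb/databaseaccounts": 1,      # Azure Cosmos DB account
    "microsoft.compute/virtualmachinescalesets": 2,  # VMSS (BYOL and PAYG)
}
VMSS_TYPE = "microsoft.compute/virtualmachinescalesets"


def iteration_suffix(iteration):
    """Return the suffix appended to resource names, e.g. 2 -> '002'."""
    valid = isinstance(iteration, int) and not isinstance(iteration, bool)
    if not valid or not 2 <= iteration <= 9:
        raise ValueError("Upgrade Iteration must be an integer from 2 to 9")
    return f"{iteration:03d}"


def check_upgrade_resources(resource_list_json, iteration):
    """Check resource-list JSON for one upgrade iteration.

    Returns a list of findings. An empty list means every expected resource
    exists and both scale sets are still at capacity 0.
    """
    suffix = iteration_suffix(iteration)
    resources = json.loads(resource_list_json)
    # Assumption: the iteration number is the final three characters of the name.
    mine = [r for r in resources if r.get("name", "").endswith(suffix)]

    findings = []
    for rtype, want in EXPECTED_TYPES.items():
        # Azure is not consistent about type casing, so compare lowercased.
        have = sum(1 for r in mine if r.get("type", "").lower() == rtype)
        if have != want:
            findings.append(f"{rtype}: expected {want}, found {have}")

    for r in mine:
        if r.get("type", "").lower() != VMSS_TYPE:
            continue
        capacity = (r.get("sku") or {}).get("capacity")
        if capacity != 0:
            findings.append(
                f"{r['name']}: capacity is {capacity}, "
                "must be 0 before database initialization"
            )
    return findings


# Constructed sample: one leftover 2.0.9 resource plus the iteration-2 set,
# with the PAYG scale set started too early.
SAMPLE_RESOURCES = json.dumps([
    {"name": "acme-function-app", "type": "Microsoft.Web/sites"},
    {"name": "acme-function-app002", "type": "Microsoft.Web/sites"},
    {"name": "acme-service-plan002", "type": "Microsoft.Web/serverFarms"},
    {"name": "acme-app-insights002", "type": "Microsoft.Insights/components"},
    {"name": "acmestorage002", "type": "Microsoft.Storage/storageAccounts"},
    {"name": "acme-cosmosdb002", "type": "Microsoft.DocumentDB/databaseAccounts"},
    {"name": "acme-byol002", "type": "Microsoft.Compute/virtualMachineScaleSets",
     "sku": {"capacity": 0}},
    {"name": "acme-payg002", "type": "Microsoft.Compute/virtualMachineScaleSets",
     "sku": {"capacity": 1}},
])

if __name__ == "__main__":
    for finding in check_upgrade_resources(SAMPLE_RESOURCES, 2):
        print(finding)
```
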

Initializing the database

Note

Do not scale out the BYOL or PAYG VMSS until you initialize the database.

  1. Navigate to the fgt-as-handler function. For details on how to do this, refer to the section To verify the Function App:.
  2. Click Get Function Url to obtain the Function URL:
  3. Open a web browser to run the URL. The expected response is an error as shown below:
  4. Navigate to the cosmos DB account of the current upgrade iteration. For details on how to do this, refer to steps 1 and 2 in the section To verify the database:.
  5. On the right hand side, expand the database FortiGateAutoscale.
  6. Expand the container Settings.
  7. Click on Items.
  8. Confirm that the Settings container has items.

Deploying the cleanup template

  1. Create a template deployment using the cleanup template. For details, refer to the section Creating a template deployment. When prompted for parameters, use values as described in the table below:

    | Parameter display name | 2.0.9 template Input | 2.0.9 template Output | Value to use |
    |---|---|---|---|
    | Subscription | * | * | Use the value from the 2.0.9 template deployment. Do not change it. |
    | Resource group | | resourceGroupName | Use the value from the 2.0.9 template deployment. Do not change it. |
    | Resource Name Prefix | resourceNamePrefix | | Use the value from the 2.0.9 template deployment. Do not change it. |
    | Vnet Resource Group Name | | vNetResourceGroupName | Use the value from the 2.0.9 template deployment. Do not change it. |
    | Region | * | * | This value cannot be changed. It is tied to the Resource group. |
    | Upgrade Iteration | * | * | Use the iteration number for the upgrade iteration you want to continue with. |

    * indicates that there isn’t a value present in the 2.0.9 template Inputs or Outputs.

  2. When deployment of the cleanup template has completed, navigate to the Outputs.
  3. Copy the command appropriate for your activity:
    • To finalize the upgrade, copy the cleanUpOldComponentCmdDeleteAllInOne command.
    • To roll back the upgrade, copy the upgradeIterationCmdDeleteAllInOne command.
  4. Open a terminal in your Linux OS.
  5. Log in to your Azure account with the command az login.
  6. Run the copied command.
  7. Wait for the command to be fully finished.

Troubleshooting the upgrade

As long as an upgrade process isn't finalized, it is regarded as an incomplete upgrade iteration. Reasons for not finalizing can include errors and user intervention.

In the case of an incomplete upgrade iteration, roll back the upgrade iteration and perform the upgrade again with a different value for Upgrade Iteration. It is suggested that the value be increased by 1 with each successive deployment.

Rolling back an incomplete upgrade iteration

Users have the option of rolling back an upgrade iteration by deploying the cleanup template. When deployed, newly created resources related to the upgrade iteration will be released. It is recommended to roll back right away before starting a new upgrade iteration. This option must be used if all the allowable Upgrade Iteration values (2-9) have been used up.

Note

When a deployment is rolled back, the Key Vault will be soft-deleted. Once the Key Vault is permanently deleted, the Upgrade Iteration number can be reused. To permanently delete the Key Vault, open the Azure CLI and run the upgradeIterationCmdDeleteKeyVaultPermanent command from the Outputs of the cleanup template.
