FortiGate-7000 Handbook

Firmware upgrades

All of the FIMs and FPMs in your FortiGate-7000 system run the same firmware image. You upgrade the firmware from the primary FIM GUI or CLI just as you would any FortiGate product.

You can perform a graceful firmware upgrade of a FortiGate-7000 FGCP HA cluster by enabling uninterruptible-upgrade and session-pickup. A graceful firmware upgrade only causes minimal traffic interruption.

Upgrading the firmware of a standalone FortiGate-7000, or of a FortiGate-7000 HA cluster with uninterruptible-upgrade disabled, interrupts traffic because the firmware running on the FIMs and FPMs upgrades in one step. Perform these firmware upgrades during a quiet time because traffic will be interrupted during the upgrade process.

A firmware upgrade takes a few minutes, depending on the number of FIMs and FPMs in your FortiGate-7000 system. Some firmware upgrades may take longer depending on factors such as the size of the configuration.

Before beginning a firmware upgrade, Fortinet recommends that you perform the following tasks:

  • Review the latest release notes for the firmware version that you are upgrading to.
  • Verify the recommended upgrade path as documented in the release notes.
  • Back up your FortiGate-7000 configuration.

Note

Fortinet recommends that you review the services provided by your FortiGate-7000 before a firmware upgrade and then again after the upgrade to make sure the services continue to operate normally. For example, you might want to verify that you can successfully access an important server used by your organization before the upgrade, and then make sure that you can still reach the server after the upgrade and that performance is comparable. You can also take a snapshot of key performance indicators (for example, number of sessions, CPU usage, and memory usage) before the upgrade and verify that you see comparable performance after the upgrade.

If you are operating two FortiGate-7000s in HA mode with uninterruptible-upgrade and session-pickup enabled, firmware upgrades should only cause a minimal traffic interruption. Use the following command to enable these settings. These settings are synchronized to all FIMs and FPMs.

config system ha
    set uninterruptible-upgrade enable
    set session-pickup enable
end

Verifying that a firmware upgrade is successful

After a FortiGate-7000 cluster firmware upgrade, you should verify that all of the FIMs and FPMs have been successfully upgraded to the new firmware version.

After the firmware upgrade appears to be complete:

  1. Log into the primary FIM and verify that it is running the expected firmware version.
    You can verify the firmware version running on the primary FIM from the dashboard or by using the get system status command.
  2. Log into the other FIMs and the FPMs, and in the same way confirm that they are also running the expected firmware version.
    You can log into individual FIMs or FPMs using the system management IP address and the special port number for each module. For example, https://192.168.1.99:44303 connects to the module in slot 3. The special port number (in this case 44303) is a combination of the service port (for HTTPS the service port is 443) and the slot number (in this example, 03). For more information, see Managing individual FortiGate-7000 FIMs and FPMs.
    If you are using an SMM console port to connect to the primary FIM CLI, you can use Ctrl-T to switch between the CLIs of each of the modules.
  3. If one or more of the FIMs or FPMs are not running the correct firmware version, use the procedures described in Upgrading the firmware on an individual FPM to upgrade these FIMs or FPMs.
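
The per-module check in steps 1 to 3 can be scripted once the get system status output has been collected from each slot. The following is an added example, not Fortinet code: it builds each module's special-port URL using the rule described above and flags modules that do not report the expected version. The status text, version and build values, slot list and management IP are constructed samples, and the shape of the Version line is an assumption.

```python
import re

# Assumed shape of the "Version:" line in `get system status` output.
VERSION_RE = re.compile(r"^Version:\s+\S+\s+v(\d+\.\d+\.\d+),build(\d+)", re.M)

def special_port(slot, service_port=443):
    """Service port followed by the two-digit slot number (443 and 03 -> 44303)."""
    if not 1 <= slot <= 99:
        raise ValueError("slot must be between 1 and 99")
    port = int(f"{service_port}{slot:02d}")
    if port > 65535:
        raise ValueError("combined port exceeds the valid TCP port range")
    return port

def module_url(mgmt_ip, slot):
    """HTTPS URL for logging in to the module in the given slot."""
    return f"https://{mgmt_ip}:{special_port(slot)}"

def parse_version(status_text):
    """Return (version, build) from status output, or None if absent."""
    m = VERSION_RE.search(status_text)
    return (m.group(1), m.group(2)) if m else None

def find_mismatches(status_by_slot, expected):
    """Return {slot: found} for modules not reporting the expected firmware."""
    bad = {}
    for slot, text in sorted(status_by_slot.items()):
        found = parse_version(text)
        if found != expected:
            bad[slot] = found  # None means no version line was returned
    return bad

# Constructed sample output, one entry per slot (not real device data).
SAMPLE = {
    1: "Version: FortiGate-7040E v6.4.6,build1879,210520 (GA)\n",
    2: "Version: FortiGate-7040E v6.4.6,build1879,210520 (GA)\n",
    3: "Version: FortiGate-7040E v6.4.2,build1723,201201 (GA)\n",
    4: "",  # module did not answer
}
EXPECTED = ("6.4.6", "1879")  # constructed target version and build

if __name__ == "__main__":
    for slot, found in find_mismatches(SAMPLE, EXPECTED).items():
        state = "v%s build %s" % found if found else "no version reported"
        print(f"slot {slot}: {state}; check {module_url('192.168.1.99', slot)}")
```

A module that returns no version line is reported as a mismatch rather than skipped, so an unreachable FIM or FPM is not mistaken for a successful upgrade.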
