The integrity of firmware images downloaded from Fortinet's support portal can be verified using a file checksum. A file checksum that does not match the expected value indicates a corrupt file. The corruption could be caused by errors in transfer or by file modification. A list of expected checksum values for each build of released code is available on Fortinet’s support portal.
Image integrity is also verified when the FortiGate is booting up. This integrity check is done through a cyclic redundancy check (CRC). If the CRC fails, the FortiGate unit will encounter an error during the boot process.
Firmware images are signed and the signature is attached to the code as it is built. When upgrading an image, the running OS will generate a signature and compare it with the signature attached to the image. If the signatures do not match, the new OS will not load.
FortiOS lets you test a new firmware image by installing the firmware image from a system reboot and saving it to system memory. After completing this procedure, the FortiGate unit operates using the new firmware image with the current configuration. The new firmware image is not permanently installed. The next time the FortiGate unit restarts, it operates with the originally installed firmware image using the current configuration. If the new firmware image operates successfully, you can install it permanently using the procedure explained in Upgrading the firmware.
For this procedure, you must install a TFTP server that you can connect to from the FortiGate internal interface. The TFTP server should be on the same subnet as the internal interface.
- Connect to the CLI using an RJ-45 to USB (or DB-9) or null modem cable.
- Ensure that the TFTP server is running.
- Copy the new firmware image file to the root directory on the TFTP server.
- Ensure that the FortiGate unit can connect to the TFTP server using the
- Restart the FortiGate unit:
execute reboot. The following message is shown:
This operation will reboot the system!
Do you want to continue? (y/n)
y. As the FortiGate unit starts, a series of system startup messages appears.
- When the following messages appears:
Press any key to display configuration menu..........
Immediately press any key to interrupt the system startup.
You have only three seconds to press any key. If you do not press a key during this time, the FortiGate will reboot, and you will have to log in and repeat the
If you successfully interrupt the startup process, the following messages appears:
[G]: Get firmware image from TFTP server.
[F]: Format boot device.
[B]: Boot with backup firmware and set as default
[C]: Configuration and information
[Q]: Quit menu and continue to boot with default firmware.
[H]: Display this list of options.
Enter G, F, Q, or H:
- Type G to get the new firmware image from the TFTP server. The following message appears:
Enter TFTP server address [192.168.1.168]:
- Type the address of the TFTP server, then press Enter. The following message appears:
Enter Local Address [192.168.1.188]:
- Type the IP address of the FortiGate unit to connect to the TFTP server.
The IP address must be on the same network as the TFTP server.
Make sure that you do not enter the IP address of another device on this network.
The following message appears:
Enter File Name [image.out]:
- Enter the firmware image file name then press Enter. The TFTP server uploads the firmware image file to the FortiGate unit and the following message appears:
Save as Default firmware/Backup firmware/Run image without saving: [D/B/R]
- Type R. The FortiGate image is installed to system memory and the FortiGate unit starts running the new firmware image, but with its current configuration.
Test the new firmware image as required. When done testing, reboot the FortiGate unit, and the it will resume using the firmware that was running before you installed the test firmware.