In the event that the firmware upgrade does not load properly and the FortiGate unit will not boot, or continuously reboots, it is best to perform a fresh install of the firmware from a reboot using the CLI. If configured, the firmware can also be automatically installed from a USB drive; see Restoring from a USB drive for details.
This procedure installs a firmware image and resets the FortiGate unit to factory default settings. You can use this procedure to upgrade to a new firmware version, revert to an older firmware version, or re-install the current firmware.
To use this procedure, you must connect to the CLI using the FortiGate console port and a RJ-45 to USB (or DB-9), or null modem cable. You must also install a TFTP server that you can connect to from the FortiGate internal interface. The TFTP server should be on the same subnet as the internal interface.
Before beginning this procedure, ensure that you backup the FortiGate unit configuration. See Configuration backups for details. If you are reverting to a previous FortiOS version, you might not be able to restore the previous configuration from the backup configuration file.
Installing firmware replaces your current antivirus and attack definitions, along with the definitions included with the firmware release you are installing. After you install new firmware, make sure that antivirus and attack definitions are up to date.
- Connect to the CLI using the RJ-45 to USB (or DB-9) or null modem cable.
- Ensure that the TFTP server is running.
- Copy the new firmware image file to the root directory of the TFTP server.
Ensure that the FortiGate unit can connect to the TFTP server using the
- Restart the FortiGate unit:
execute reboot. The following message is shown:
This operation will reboot the system!
Do you want to continue? (y/n)
y. As the FortiGate unit starts, a series of system startup messages appears.
- When the following messages appears:
Press any key to display configuration menu..........
Immediately press any key to interrupt the system startup.
You have only three seconds to press any key. If you do not press a key during this time, the FortiGate will reboot, and you will have to log in and repeat the
If you successfully interrupt the startup process, the following messages appears:
[C]: Configure TFTP parameters. [R]: Review TFTP parameters. [T]: Initiate TFTP firmware transfer. [F]: Format boot device. [I]: System information. [B]: Boot with backup firmware and set as default. [Q]: Quit menu and continue to boot. [H]: Display this list of options. Enter C,R,T,F,I,B,Q,or H:
- If necessary, type
Cto configure the TFTP parameters, then type
Qto return to the previous menu:
[P]: Set firmware download port. [D]: Set DHCP mode. [I]: Set local IP address. [S]: Set local subnet mask. [G]: Set local gateway. [V]: Set local VLAN ID. [T]: Set remote TFTP server IP address. [F]: Set firmware file name. [E]: Reset TFTP parameters to factory defaults. [R]: Review TFTP parameters. [N]: Diagnose networking(ping). [Q]: Quit this menu. [H]: Display this list of options. Enter P,D,I,S,G,V,T,F,E,R,N,Q,or H:
The IP address must be on the same network as the TFTP server.
Make sure that you do not enter the IP address of another device on this network.
Tget the new firmware image from the TFTP server.
The FortiGate unit loads the firmware.
- Save the firmware as the default (
D) or backup (
B) firmware image, or run the image without saving it (
The FortiGate unit installs the new firmware image and restarts. The installation might take a few minutes to complete.