Administration Guide

Installing firmware from system reboot
In the event that the firmware upgrade does not load properly and the FortiGate unit will not boot, or continuously reboots, it is best to perform a fresh install of the firmware from a reboot using the CLI. If configured, the firmware can also be automatically installed from a USB drive; see Restoring from a USB drive for details.

This procedure installs a firmware image and resets the FortiGate unit to factory default settings. You can use this procedure to upgrade to a new firmware version, revert to an older firmware version, or re-install the current firmware.

To use this procedure, you must connect to the CLI using the FortiGate console port and an RJ-45 to USB (or DB-9) or null modem cable. You must also install a TFTP server that the FortiGate can reach from its internal interface. The TFTP server should be on the same subnet as the internal interface.

Before beginning this procedure, ensure that you back up the FortiGate unit configuration. See Configuration backups and reset for details. If you are reverting to a previous FortiOS version, you might not be able to restore the previous configuration from the backup configuration file.

Installing firmware replaces your current antivirus and attack definitions with the definitions included in the firmware release you are installing. After you install new firmware, make sure that the antivirus and attack definitions are up to date.

To install firmware from a system reboot:
  1. Connect to the CLI using the RJ-45 to USB (or DB-9) or null modem cable.

  2. Ensure that the TFTP server is running.

  3. Copy the new firmware image file to the root directory of the TFTP server.

  4. Ensure that the FortiGate unit can connect to the TFTP server using the execute ping command.

  5. Restart the FortiGate unit: execute reboot. The following message is shown:

    This operation will reboot the system!

    Do you want to continue? (y/n)

  6. Type y. As the FortiGate unit starts, a series of system startup messages appears.

  7. When the following message appears:

    Press any key to display configuration menu..........

    Immediately press any key to interrupt the system startup.

    You have only three seconds to press any key. If you do not press a key during this time, the FortiGate will reboot, and you will have to log in and repeat the execute reboot command.

    If you successfully interrupt the startup process, the following menu appears:

    [C]: Configure TFTP parameters.
    [R]: Review TFTP parameters.
    [T]: Initiate TFTP firmware transfer.
    [F]: Format boot device.
    [I]: System information.
    [B]: Boot with backup firmware and set as default.
    [Q]: Quit menu and continue to boot.
    [H]: Display this list of options.
    
    Enter C,R,T,F,I,B,Q,or H:
  8. If necessary, type C to configure the TFTP parameters, then type Q to return to the previous menu:

    [P]: Set firmware download port.
    [D]: Set DHCP mode.
    [I]: Set local IP address.
    [S]: Set local subnet mask.
    [G]: Set local gateway.
    [V]: Set local VLAN ID.
    [T]: Set remote TFTP server IP address.
    [F]: Set firmware file name.
    [E]: Reset TFTP parameters to factory defaults.
    [R]: Review TFTP parameters.
    [N]: Diagnose networking(ping).
    [Q]: Quit this menu.
    [H]: Display this list of options.
    
    Enter P,D,I,S,G,V,T,F,E,R,N,Q,or H:

    Note

    The IP address must be on the same network as the TFTP server.

    Make sure that you do not enter the IP address of another device on this network.

  9. Type T to get the new firmware image from the TFTP server.

    The FortiGate unit loads the firmware.

  10. Save the firmware as the default (D) or backup (B) firmware image, or run the image without saving it (R).

    The FortiGate unit installs the new firmware image and restarts. The installation might take a few minutes to complete.

Factory resetting the FortiGate when the password is lost

For security reasons, users who lose their password must have physical access to the FortiGate and perform a TFTP restore of the firmware in order to regain access to the FortiGate. They will not have access to the current running configurations through the FortiGate. Configurations will be reset to the factory default once the firmware is reloaded. This process requires a connection to the TFTP server where the firmware image is stored.

To restore the FortiGate:

Note

This procedure may vary depending on whether the FortiGate is a physical appliance or a VM.

  1. Connect to the console port.

  2. Ensure you can see the FortiGate prompt from the console terminal.

  3. Physically power off the device, then power on the device.

  4. Boot into the boot menu by pressing a key when prompted.

  5. Follow the steps in the previous procedure to reload the firmware. Configurations will be reset to the factory default once the firmware is installed.

  6. Once the firmware reload is complete, log in to the FortiGate to reconfigure the settings.

It is recommended to perform regular configuration backups and to store the backup on a secure server (see Configuration changes in the FortiOS Best Practices for more details). In the event that a password is lost, the configuration backup can be used to restore a configuration after the user completes the firmware installation process. This assumes the user knows the password from the previously backed-up configuration. If the user does not know the password, they can still reload the configuration if it is not encrypted.

The following procedure describes how to edit an unencrypted backup configuration file so that the administrator password can be replaced before restoring the file.

To edit the configuration file when a password is lost:
  1. Locate the line in the configuration file where config system admin is defined.

  2. Edit an administrator account with an accprofile set to super_admin. This will ensure you can log in and perform any operations afterward.

  3. Locate the line with set password ENC xxxxxx, and edit it to set a temporary new password in clear text (such as set password cleartextpassword).

  4. Reload the configuration file.

  5. Log in to the console using the temporary password, and then change the password.

Note

The configuration backup allows the administrator to confirm the firmware that the FortiGate is running, so the same firmware can be restored. This information is listed in the first line of the configuration: config-version=FGT61F-7.2.4-FW-build1396-230131:opmode=0:vdom=0:user=admin.
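The following Python script carries out the edit described in the procedure above (and reads the config-version header mentioned in the note) against a constructed, unencrypted backup. It is an added example, not a Fortinet tool; the sample configuration, its placeholder hashes and the function names are assumptions, and the script refuses to touch any account whose accprofile is not super_admin.

```python
import re

# Constructed sample of an unencrypted FortiOS backup (hashes are placeholders, not real).
SAMPLE_CONFIG = """\
#config-version=FGT61F-7.2.4-FW-build1396-230131:opmode=0:vdom=0:user=admin
config system admin
    edit "audit"
        set accprofile "prof_admin"
        set password ENC SH2PLACEHOLDERHASHAUDIT
    next
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
        set password ENC SH2PLACEHOLDERHASHADMIN
    next
end
"""

def firmware_version(config_text):
    """Image name from the config-version header line, so the same firmware can be reloaded."""
    m = re.match(r"#?config-version=([^:]+)", config_text.splitlines()[0])
    return m.group(1) if m else None

def set_temp_password(config_text, account, temp_password):
    """Replace the ENC hash of `account` in 'config system admin' with a clear-text
    temporary password. Refuses unless the account's accprofile is super_admin."""
    lines = config_text.splitlines()
    in_admin, current, profiles, pw_index = False, None, {}, None
    for i, line in enumerate(lines):          # pass 1: map accounts to profiles
        s = line.strip()
        if s == "config system admin":
            in_admin = True
        elif in_admin and s == "end":
            break
        elif in_admin and s.startswith('edit "'):
            current = s.split('"')[1]
        elif in_admin and s.startswith("set accprofile "):
            profiles[current] = s.split('"')[1]
        elif in_admin and current == account and s.startswith("set password ENC "):
            pw_index = i
    if pw_index is None:
        raise ValueError(f"no ENC password found for admin {account!r}")
    if profiles.get(account) != "super_admin":
        raise ValueError(f"{account!r} is not super_admin ({profiles.get(account)})")
    indent = lines[pw_index][: len(lines[pw_index]) - len(lines[pw_index].lstrip())]
    lines[pw_index] = f'{indent}set password "{temp_password}"'   # pass 2: rewrite
    return "\n".join(lines) + "\n"
```

Run `set_temp_password(open("backup.conf").read(), "admin", "temporary-pw")` on a real export, write the result to a new file, restore it, then change the password at the console as step 5 instructs.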
