Fortinet black logo

Administration Guide

Firmware Management

Firmware Management

FortiGate device firmware can be updated from the Device Manager > Firmware pane. Upgrades can also be scheduled to occur at a later date.

When workspace is enabled, you must lock a device (or ADOM) to allow firmware upgrade.

The FortiGate device requires a valid firmware upgrade license. Otherwise a Firmware Upgrade License Not Found error is displayed.

When Boot to Alternate Partition After Upgrade is selected, the inactive partition will be upgraded.

In the Device Manager pane, select the Managed Devices group, then click the Firmware tab.

The following information and options are available:

Upgrade Select to upgrade the selected device if the device can be upgraded.
View Release Notes Select to view the release notes for the FortiOS version of the selected device.
Imported Images Select to display the imported images where you can import or delete images.
Refresh Refresh the list.
Column Settings Click to select which columns to display or select Reset to Default to display the default columns.
Device Name The names of the FortiGate devices in the group, organized by firmware version.
Platform The device platform.
Current Build The build installed in the device.
Upgrade Available The current firmware version and build number of the firmware on the device. If an update is available and can be applied to the device, Upgrade can be selected to open the Upgrade Firmware dialog box.
Status The status of the device's license. If the license has expired, the firmware cannot be upgraded.
Upgrade History Right-click a device and select Show Upgrade History to view the device’s upgrade history.
To upgrade a device’s firmware:
  1. Go to Device Manager.
  2. In the tree menu, select a device group, and then click the Firmware tab.
  3. Select a device or device group with an upgrade available that is licensed for firmware upgrades, then click Upgrade in either the toolbar or in the Upgrade Available column. The Upgrade Firmware dialog box opens.

  4. Configure the following settings, then click OK:

    Upgrade to

    Select a firmware version from the drop-down list.

    Boot From Alternate Partition After Upgrade

    Selecting this option causes the device to reboot twice during the upgrade process: first to upgrade the inactive partition, and second to boot back into the active partition.

    Let Device Download Firmware from FortiGuard

    Select this option to download the firmware directly from FortiGuard. If this option is not selected, FortiManager will download the firmware from FortiGuard. Alternatively, you can import the firmware into FortiManager.

    Skip All Intermediate Steps in Upgrade Path if Possible

    FortiManager manages the most optimum upgrade path automatically. Select this option to install the selected version directly without going though the upgrade path.

    Schedule Upgrade

    Select to schedule the upgrade, then enter the date and time for the upgrade.

  5. FortiManager checks the FortiGate disk before upgrading. If the check fails, the following information is displayed, and the upgrade is not performed:

    If the check passes, the upgrade proceeds:

FortiOS devices cannot be upgraded to a version that is higher than the FortiManager that is managing them. This rule is applicable only for major and minor versions. For example, FortiManager 6.2.0 cannot upgrade FortiOS devices to 6.3.0 or 7.0.0. When trying to upgrade FortiOS devices to a version higher than FortiManager, the upgrade process cannot be completed and a warning is shown.

When upgrading FortiGate devices to a firmware version that is not part of the upgrade path (shown by the green check mark), the warning The firmware version is not on firmware upgrade path of selected devices. Upgrading the image may cause the current syntax to break. is shown. Click Upgrade to Recommended X.X.X which shows the recommended version, or Continue to upgrade to the selected version. A warning is also shown when upgrading FortiGate devices to a custom firmware.

The disk on the FortiGate is checked automatically before upgrade. To enable skip disk check run the set skip-disk-check from the command line.

To disable disk check:
  1. Disable disk check by using the CLI:

    config fmupdate fwm-setting

    (fwm-setting)# set skip-disk-check enable

The default setting is disable, which will check the FortiGate disk before upgrading FortiOS.

The following diagnose commands are also available for diagnose fwmanager:

  • show-dev-disk-check-status: Shows whether a device needs a disk check.
  • show-grp-disk-check-status: Shows whether device in a group needs a disk check.

In addition, when you log into FortiOS by using the CLI, you will be informed if you need to run a disk scan, for example:

$ ssh admin@193.168.70.137

WARNING: File System Check Recommended! Unsafe reboot may have caused inconsistency in disk drive.

It is strongly recommended that you check file system consistency before proceeding.

Please run 'execute disk scan 17'

Note: The device will reboot and scan during startup. This may take up to an hour

Firmware Management

FortiGate device firmware can be updated from the Device Manager > Firmware pane. Upgrades can also be scheduled to occur at a later date.

When workspace is enabled, you must lock a device (or ADOM) to allow firmware upgrade.

The FortiGate device requires a valid firmware upgrade license. Otherwise a Firmware Upgrade License Not Found error is displayed.

When Boot to Alternate Partition After Upgrade is selected, the inactive partition will be upgraded.

In the Device Manager pane, select the Managed Devices group, then click the Firmware tab.

The following information and options are available:

Upgrade Select to upgrade the selected device if the device can be upgraded.
View Release Notes Select to view the release notes for the FortiOS version of the selected device.
Imported Images Select to display the imported images where you can import or delete images.
Refresh Refresh the list.
Column Settings Click to select which columns to display or select Reset to Default to display the default columns.
Device Name The names of the FortiGate devices in the group, organized by firmware version.
Platform The device platform.
Current Build The build installed in the device.
Upgrade Available The current firmware version and build number of the firmware on the device. If an update is available and can be applied to the device, Upgrade can be selected to open the Upgrade Firmware dialog box.
Status The status of the device's license. If the license has expired, the firmware cannot be upgraded.
Upgrade History Right-click a device and select Show Upgrade History to view the device’s upgrade history.
To upgrade a device’s firmware:
  1. Go to Device Manager.
  2. In the tree menu, select a device group, and then click the Firmware tab.
  3. Select a device or device group with an upgrade available that is licensed for firmware upgrades, then click Upgrade in either the toolbar or in the Upgrade Available column. The Upgrade Firmware dialog box opens.

  4. Configure the following settings, then click OK:

    Upgrade to

    Select a firmware version from the drop-down list.

    Boot From Alternate Partition After Upgrade

    Selecting this option causes the device to reboot twice during the upgrade process: first to upgrade the inactive partition, and second to boot back into the active partition.

    Let Device Download Firmware from FortiGuard

    Select this option to download the firmware directly from FortiGuard. If this option is not selected, FortiManager will download the firmware from FortiGuard. Alternatively, you can import the firmware into FortiManager.

    Skip All Intermediate Steps in Upgrade Path if Possible

    FortiManager manages the most optimum upgrade path automatically. Select this option to install the selected version directly without going though the upgrade path.

    Schedule Upgrade

    Select to schedule the upgrade, then enter the date and time for the upgrade.

  5. FortiManager checks the FortiGate disk before upgrading. If the check fails, the following information is displayed, and the upgrade is not performed:

    If the check passes, the upgrade proceeds:

FortiOS devices cannot be upgraded to a version that is higher than the FortiManager that is managing them. This rule is applicable only for major and minor versions. For example, FortiManager 6.2.0 cannot upgrade FortiOS devices to 6.3.0 or 7.0.0. When trying to upgrade FortiOS devices to a version higher than FortiManager, the upgrade process cannot be completed and a warning is shown.

When upgrading FortiGate devices to a firmware version that is not part of the upgrade path (shown by the green check mark), the warning The firmware version is not on firmware upgrade path of selected devices. Upgrading the image may cause the current syntax to break. is shown. Click Upgrade to Recommended X.X.X which shows the recommended version, or Continue to upgrade to the selected version. A warning is also shown when upgrading FortiGate devices to a custom firmware.

The disk on the FortiGate is checked automatically before upgrade. To enable skip disk check run the set skip-disk-check from the command line.

To disable disk check:
  1. Disable disk check by using the CLI:

    config fmupdate fwm-setting

    (fwm-setting)# set skip-disk-check enable

The default setting is disable, which will check the FortiGate disk before upgrading FortiOS.

The following diagnose commands are also available for diagnose fwmanager:

  • show-dev-disk-check-status: Shows whether a device needs a disk check.
  • show-grp-disk-check-status: Shows whether device in a group needs a disk check.

In addition, when you log into FortiOS by using the CLI, you will be informed if you need to run a disk scan, for example:

$ ssh admin@193.168.70.137

WARNING: File System Check Recommended! Unsafe reboot may have caused inconsistency in disk drive.

It is strongly recommended that you check file system consistency before proceeding.

Please run 'execute disk scan 17'

Note: The device will reboot and scan during startup. This may take up to an hour