Updating firmware

This topic includes the following information:

• Upgrade considerations
• Updating firmware using the web UI
• Updating firmware using the CLI
• Downgrading firmware

Upgrade considerations

The following considerations help you determine whether to follow a standard or non-standard upgrade procedure:

• HA—Updating firmware on an HA cluster requires some additions to the usual steps for a standalone appliance. See Updating firmware on an HA cluster
• Downgrades—Special guidelines apply when you downgrade firmware to an earlier version. See Downgrading firmware. In some cases, the downgrade path requires reimaging. Take care to study the release notes for each version in your downgrade path.
• Re-imaging—If you are installing a firmware version that requires a different size of system partition, you might be required to re-image the boot device.

Important: Read the release notes for release-specific upgrade considerations.

Updating firmware using the web UI

Figure  146 shows the user interface for managing firmware. Firmware can be loaded on two disk partitions. You can use the web UI to boot the firmware version stored on the alternate partition or to upload and boot firmware updates (either upgrades or downgrades).

Figure  146:  Firmware update page

Before you begin:

• Download the firmware file from the Fortinet Technical Support website.
• Read the release notes for the version you plan to install.
• Important: Back up your configuration before beginning this procedure. If you revert to an earlier firmware version, the running configuration is erased, and you must restore a saved configuration. We recommend you restore a configuration you knew to be working effectively on the firmware version you revert to. Some 4.2 settings are incompatible with 4.1.x, so we recommend you not restore a 4.2 configuration to a 4.1.x system.
• Make a note of configurations that are disabled in your active configuration. Configurations that are not enabled are not preserved in the upgrade. For example, if a custom HTTP service port, log remote port, or event log port have been configured and then disabled in 4.1.11, the port information is not preserved in the upgrade to 4.2.1.
• You must have super user permission (user admin) to upgrade firmware.

To install firmware:

1. Go to System > Maintenance > Backup & Restore tab.
2. Under Firmware Upgrade/Downgrade, use the controls to select the firmware file that you want to install and click Update and Reboot icon.

Clear the cache of your web browser and restart it to ensure that it reloads the web UI.

Updating firmware using the CLI

This procedure is provided for CLI users.

Before you begin:

• Read the release notes for the version you plan to install. If information in the release notes is different from this documentation, follow the instructions in the release notes.
• You must be able to use TFTP to transfer the firmware file to the FortiDDoS system. If you do not have a TFTP server, download and install one, like tftpd, on a server located on the same subnet as the FortiDDoS system.
• Download the firmware file from the Fortinet Technical Support website.
• Copy the firmware image file to the root directory of the TFTP server.
• Back up your configuration before beginning this procedure. Reverting to an earlier firmware version could reset settings that are not compatible with the new firmware.
• Make a note of configurations that are disabled in your active configuration. Configurations that are not enabled are not preserved in the upgrade. For example, if a custom HTTP service port, log remote port, or event log port have been configured and then disabled in 4.1.11, the port information is not preserved in the upgrade to 4.2.1.
• You must have super user permission (user admin) to upgrade firmware.

To install firmware via the CLI:

1. Connect your management computer to the FortiDDoS console port using an RJ-45-to-DB-9 serial cable or a null-modem cable.
2. Initiate a connection to the CLI and log in as the user admin.
3. Use an Ethernet cable to connect FortiDDoS port1 to the TFTP server directly, or connect it to the same subnet as the TFTP server.
4. If necessary, start the TFTP server.
5. Enter the following command to transfer the firmware image to the FortiDDoS system:

execute restore image tftp <filename_str> <tftp_ipv4>

where <filename_str> is the name of the firmware image file and <tftp_ipv4> is the IP address of the TFTP server. For example, if the firmware image file name is image.out and the IP address of the TFTP server is 192.168.1.168, enter:

execute restore image tftp image.out 192.168.1.168

One of the following message appears:

This operation will replace the current firmware version!
Do you want to continue? (y/n)

or:

Get image from tftp server OK.
Check image OK.
This operation will downgrade the current firmware version!
Do you want to continue? (y/n)

6. Type y.

The system installs the firmware and restarts:

MAC:00219B8F0D94

###########################

Total 28385179 bytes data downloaded.

Verifying the integrity of the firmware image.

Save as Default firmware/Backup firmware/Run image without saving:[D/B/R]?

7. To verify that the firmware was successfully installed, use the following command:

get system status

The firmware version number is displayed.

If the download fails after the integrity check with the error message invalid compressed format (err=1,but the firmware matches the integrity checksum on the Fortinet Technical Support website, try a different TFTP server.

TFTP is not secure, and it does not support authentication. You should run it only on trusted administrator-only networks, and never on computers directly connected to the Internet. Turn off tftpd off immediately after completing this procedure.

Downgrading firmware

You can use the web UI or CLI to downgrade to a previous software image. The commands are the same as for upgrading. However, special guidelines apply:

• When the image version is different from than the existing version, the initializing code also updates the TP2 ASIC image to match the correct version in the image. In other words, if you upgrade or downgrade software, the procedure also upgrades or downgrades the TP2 ASIC image.
• Always keep a back up of the configuration before you change the software image (upgrade or downgrade). For example, before you upgrade to 4.2.1, save a copy of the 4.1.11 configuration and label it 4.1.11.
• Upgrades preserve the running configuration, but downgrades do not. When you downgrade, the running configuration is erased, including the management IP address.
• You must use a console port connection to reconfigure the management interface.
• After you have configured the management interface, you can restore the earlier configuration. We recommend you restore a configuration you knew to be working effectively on the firmware version you revert to. Some 4.2 settings are incompatible with 4.1.x, so we recommend you not restore a 4.2 configuration to a 4.1.x system. Instead, if you downgrade from 4.2.1 to 4.1.11, we recommend you restore the 4.1.11 configuration.
• After the configuration is restored, the system reboots, and the restored configuration will be in effect.