Testing new firmware
The integrity of a firmware images downloaded from Fortinet's support portal can be verified using a file checksum. A file checksum that does not match the expected value indicates a corrupt file. The corruption could be caused by errors in transfer or by file modification. A list of expected checksum values for each build of released code is available on Fortinet’s support portal.
Image integrity is also verified when the FortiGate is booting up. This integrity check is done through cyclic redundancy check (CRC). If the CRC fails, the Fortinet unit will error during the boot process, preventing suboptimal operation of the device.
Lastly, firmware images are signed and the signature is attached to the code as it is built. When upgrading an image, the running OS will generate a signature and compare it with the signature attached to the image. If the signatures do not match, the new OS will not load.
Testing before installation
FortiOS enables you to test a new firmware image by installing the firmware image from a system reboot and saving it to system memory. After completing this procedure, the FortiGate unit operates using the new firmware image with the current configuration. This new firmware image is not permanently installed. The next time the FortiGate unit restarts, it operates with the originally installed firmware image using the current configuration. If the new firmware image operates successfully, you can install it permanently using the procedure Testing new firmware .
To use this procedure, you must connect to the CLI using the FortiGate console port and a RJ-45 to DB-9 or null modem cable. This procedure temporarily installs a new firmware image using your current configuration.
For this procedure, you must install a TFTP server that you can connect to from the FortiGate internal interface. The TFTP server should be on the same subnet as the internal interface.
To test the new firmware image
- Connect to the CLI using a RJ-45 to DB-9 or null modem cable.
- Make sure the TFTP server is running.
- Copy the new firmware image file to the root directory of the TFTP server.
- Make sure the FortiGate unit can connect to the TFTP server using the
execute ping
command. - Enter the following command to restart the FortiGate unit:
execute reboot
- As the FortiGate unit reboots, press any key to interrupt the system startup. As the FortiGate unit starts, a series of system startup messages appears.
When the following messages appears:
Press any key to display configuration menu....
- Immediately press any key to interrupt the system startup.
You have only 3 seconds to press any key. If you do not press a key soon enough, the FortiGate unit reboots and you must login and repeat the execute reboot command. |
If you successfully interrupt the startup process, the following messages appears:
[G]: Get firmware image from TFTP server.
[F]: Format boot device.
[B]: Boot with backup firmware and set as default
[C]: Configuration and information
[Q]: Quit menu and continue to boot with default firmware.
[H]: Display this list of options.
Enter G, F, Q, or H:
- Type G to get the new firmware image from the TFTP server.
The following message appears:
Enter TFTP server address [192.168.1.168]:
- Type the address of the TFTP server and press Enter.
The following message appears:
Enter Local Address [192.168.1.188]:
- Type an IP address of the FortiGate unit to connect to the TFTP server.
The IP address must be on the same network as the TFTP server.
Make sure you do not enter the IP address of another device on this network. |
The following message appears:
Enter File Name [image.out]:
- Enter the firmware image file name and press Enter.
The TFTP server uploads the firmware image file to the FortiGate unit and the following appears.
Save as Default firmware/Backup firmware/Run image without saving: [D/B/R]
- Type
R
.
The FortiGate image is installed to system memory and the FortiGate unit starts running the new firmware image, but with its current configuration.
You can test the new firmware image as required. When done testing, you can reboot the FortiGate unit, and the FortiGate unit will resume using the firmware that was running before you installed the test firmware.