Downgrading cluster firmware
For various reasons you may need to downgrade the firmware that a cluster is running. You can use the information in this section to downgrade the firmware version running on a cluster.
In most cases you can downgrade the firmware on an operating cluster using the same steps as for a firmware upgrade. A warning message appears during the downgrade but the downgrade usually works and after the downgrade the cluster continues operating normally with the older firmware image.
Downgrading between some firmware versions, especially if features have changed between the two versions, may not always work without the requirement to fix configuration issues after the downgrade.
Only perform firmware downgrades during maintenance windows and make sure you back up your cluster configuration before the downgrade.
If the firmware downgrade that you are planning may not work without configuration loss or other problems, you can use the following downgrade procedure to make sure your configuration is not lost after the downgrade.
To downgrade cluster firmware
This example shows how to downgrade the cluster shown in Example NAT mode HA network topology. The cluster consists of two cluster units (FGT_ha_1 and FGT_ha_2). The port1 and port2 interfaces are connected to networks and the port3 and port4 interfaces are connected together for the HA heartbeat.
This example, describes separating each unit from the cluster and downgrading the firmware for the standalone FortiGates. There are several ways you could disconnect units from the cluster. This example describes using the disconnect from cluster function on the cluster members list GUI page.
- Go to the System Information dashboard widget and backup the cluster configuration.
From the CLI use
execute backup config.
- Go to System > HA and for FGT_ha_1 select the Disconnect from cluster icon.
- Select the port2 interface and enter an IP address and netmask of 10.11.101.101/24 and select OK.
From the CLI you can enter the following command (FG600B3908600705 is the serial number of the cluster unit) to be able to manage the standalone FortiGate by connecting to the port2 interface with IP address and netmask 10.11.101.101/24.
execute ha disconnect FG600B3908600705 port2 10.11.101.101/24
After FGT_ha_1 is disconnected, FGT_ha_2 continues processing traffic.
- Connect to the FGT_ha_1 GUI or CLI using IP address 10.11.101.101/24 and follow normal procedures to downgrade standalone FortiGate firmware.
- When the downgrade is complete confirm that the configuration of 620_ha_1 is correct.
- Set the HA mode of FGT_ha_2 to Standalone and follow normal procedures to downgrade standalone FortiGate firmware.
Network communication will be interrupted for a short time during the downgrade.
- When the downgrade is complete confirm that the configuration of FGT_ha_2 is correct.
- Set the HA mode of FGT_ha_2 to Active-Passive or the required HA mode.
- Set the HA mode of FGT_ha_1 to the same mode as FGT_ha_2.
If you have not otherwise changed the HA settings of the cluster units and if the firmware downgrades have not affected the configurations the units should negotiate and form cluster running the downgraded firmware.