How to upgrade FortiGate using FortiManager

Description

This article explains how to upgrade FortiGate devices using FortiManager.

Scope

Any supported FortiGate or FortiManager version.

Solution

Prerequisite:
The FortiGate must have a valid upgrade license (FMWR). To verify the license on FortiManager, use the following CLI command:
          diagnose fmupdate fds-dump subs

1. Upgrade a FortiGate:
In Device Manager → Managed FortiGate, open the target FortiGate device. In the Firmware Version section, select Upgrade Firmware to start the upgrade process.

2. Select the required firmware version or image and click Upgrade to proceed.

Note:
From version 7.4 onwards, a new layout is introduced. There is no separate “backup configuration” option in FortiManager. Instead, the Revision History feature should be used to create a snapshot of the current FortiGate configuration for backup purposes.

3. A prompt will appear before the upgrade. Select “Let Device Download Firmware from FortiGuard” only if the firmware is not already imported into FortiManager. Then click OK to continue.

4. Track the progress of the upgrade. Wait for it to complete successfully.

Alternatively, upgrade using a Firmware Template:
1. Assign a firmware template in FortiManager under Device Manager → Firmware Templates → Create New.
2. Create a new firmware template and select the device platform and desired firmware version in the Upgrade Details section.

3. It is recommended to perform the upgrade using the suggested upgrade path available under the Upgrade Path option in FortiManager.

4. After creating the firmware template, assign the device to it by right-clicking the template and selecting Assign to Device/Group in FortiManager. Then move the FortiGate devices to the Selected Entries section and click OK to confirm.

5. The devices assigned to the Firmware Template will be displayed in FortiManager.

6. Check the Device Manager page in FortiManager to confirm that the firmware template has been assigned to the managed devices.

7. To perform the upgrade, return to the firmware templates in FortiManager, right-click the appropriate template, and select Upgrade Now. This will start the upgrade process for the FortiGate devices.

8. Select OK to proceed with upgrading the devices assigned to the template and wait for the process to complete successfully in FortiManager.

Solution for FortiGate HA Cluster managed by FortiManager:
A FortiGate HA cluster is upgraded through FortiManager in the same way as a standalone device. In the Firmware Template, the Assign Device section shows only the primary unit because FortiManager communicates with the cluster through the primary FortiGate. The secondary unit is upgraded automatically if the HA cluster is healthy and functioning properly.
During the upgrade process, it is recommended to collect debug logs from both FortiManager and FortiGate for troubleshooting purposes.
Debug from FortiManager:
diagnose fwmanager fwm-log <----- Live debug when upgrading FortiGate.
Debug from FortiGate (possibly run through the console):

Lotus-kvm05 # diagnose debug cli 8
Lotus-kvm05 # diagnose debug enable

The task job is displayed in the Task Monitor on FortiManager.
Complete the task from FortiManager.

Note: Upgrading FortiGate HA clusters using FortiManager could cause a network outage if triggered while a disk check is required on the FortiGate.

Troubleshooting:
The following CLI commands are used for troubleshooting firmware issues from FortiManager:

diagnose fwmanager fwm-log 
diagnose fwmanager service-restart


Note:
When upgrading a FortiGate HA cluster through FortiManager, first check whether disk checking is enabled. If a disk check prompt appears on the firewall, FortiManager will reboot the primary unit before sending the firmware image. The correct process is to reboot the primary firewall first, followed by the secondary unit.

However, FortiManager does not wait for the primary device to fully come online before rebooting the secondary. In cases where high-end devices (such as 3600, 4400, or similar models) take longer than 5 minutes to reboot, FortiManager may send the reboot command to the secondary as well. This can result in both units rebooting at the same time, causing network interruption. In such cases, the primary device may upgrade successfully while the secondary remains on the previous firmware version.

To avoid this issue, it is recommended to disable disk check on fmupdate before starting the upgrade using the following command:

config fmupdate fwm-setting
    set check-fgt-disk disable
end
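
A pre-upgrade check for the setting above, as an added example (not Fortinet's code): it parses CLI text saved from FortiManager and passes only when check-fgt-disk is positively shown as disable. The sample text, the FMG-lab prompt and all function names are assumptions made for illustration; a setting that is not listed is reported as unknown rather than treated as safe.

```python
# Constructed sample text, in the syntax shown above, as it might be saved
# from a FortiManager CLI session. Not captured from a real device.
SAMPLE_DISABLED = """\
FMG-lab # show fmupdate fwm-setting
config fmupdate fwm-setting
    set check-fgt-disk disable
end
"""
SAMPLE_UNSET = "config fmupdate fwm-setting\nend\n"


def parse_cli_config(text):
    """Map each config block path (tuple of names) to its {option: value}."""
    blocks, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            stack.append(line.split(None, 1)[1])
            blocks.setdefault(tuple(stack), {})
        elif line == "end":
            if not stack:
                raise ValueError("'end' without a matching 'config'")
            stack.pop()
        elif line.startswith("set ") and stack:
            parts = line.split(None, 2)
            if len(parts) == 3:
                blocks[tuple(stack)][parts[1]] = parts[2].strip('"')
    if stack:
        # A truncated capture must not be mistaken for a complete one.
        raise ValueError("unterminated block: config " + stack[-1])
    return blocks


def disk_check_state(text):
    """Return 'disabled', 'enabled' or 'unknown' for check-fgt-disk."""
    settings = parse_cli_config(text).get(("fmupdate fwm-setting",), {})
    return {"disable": "disabled", "enable": "enabled"}.get(
        settings.get("check-fgt-disk"), "unknown")


def ha_upgrade_preflight(text):
    """Pass only when the text positively shows the disk check disabled."""
    return disk_check_state(text) == "disabled"


if __name__ == "__main__":
    for name, text in (("disabled", SAMPLE_DISABLED), ("unset", SAMPLE_UNSET)):
        print(name, disk_check_state(text), ha_upgrade_preflight(text))
```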

