Using The Firmware Manager CLI And API

Description

This article describes how to use the Firmware Manager CLI and API.

Scope

FortiManager v6.2, v6.4, v7.0.

Solution

The Firmware Manager in FortiManager can be accessed through the GUI, CLI, and API.

To upgrade a FortiGate using the Firmware Manager CLI:

1.  First, verify the upgrade path. In this example, a VM64 device is upgraded from v5.6.14 to v6.4.7:

FMG # diagnose fwmanager show-dev-upgrade-path FGT 6.4.7
platform FGVMK6, upgrade path from 6.0.9-335 to 6.4.7-1911:
[6.0.11-387 --> 6.2.9-1234 --> 6.4.7-1911]

possible path:
[6.0.11-387 --> 6.2.9-1234 --> 6.4.7-1911]
[6.0.11-387 --> 6.2.8-1232 --> 6.4.7-1911]

2.  If the device is already registered in FortiManager, the upgrade can be scheduled using:

diagnose fwmanager set-dev-schedule <device name> <target version> <flags> <YYYY/MM/DD_hh:mm:ss>

null → default options
bool_alt → boot from alternate partition after upgrade
skip_retrieve → do not retrieve configuration
skip_multi_steps → ignore upgrade path
fortiguard_img → download firmware from FortiGuard

Example:

FMG # diagnose fwmanager set-dev-schedule FGT 6.4.7 null 2021/12/27_01:00:00

The system shows the calculated upgrade path and asks for confirmation. Once confirmed, FortiManager creates a scheduled task:

set_dev_schedule: task id = 66

You can view the scheduled upgrade task using CLI or GUI. The output displays details such as device ID, firmware version, scheduled time, and task status.

FMG # diagnose fwmanager get-all-schedule  <-- The command has been removed since v7.0.2.

schedule:
        device_id:      134
        serial:         FGVM010000011238
        boot_alt:       0
        firmware:       06002000
        release:        6.2.10
        buldnum:        1263
        scheduled time: 2021/12/27_01:00:00
        taskid:         66
        sched_seq:      1640604693
        prev_seq:       0
        status:         accepted

The scheduled upgrade task also appears in the GUI.

New CLI commands have been added in FortiManager to manage scheduled upgrade tasks:

Ertiga-kvm09 # diagnose fwmanager profile list

Shows the scheduled upgrade for a single FortiGate device.

Ertiga-kvm09 # diagnose fwmanager profile list-by-device

Displays scheduled upgrade tasks for multiple FortiGate devices.

Ertiga-kvm09 # diagnose fwmanager clear

Deletes all scheduled upgrade tasks.

To check running tasks:

FMG # diagnose dvm task list root running

This output shows active tasks in the root ADOM, including task ID, description, user, status, and start time. 

Note: As with the CLI, the Firmware Manager API in FortiManager can also be used for firmware upgrades, as shown below:

{
    "session": "{{session}}",
    "id": 1,
    "method": "exec",
    "params": [{
        "data": {
            "adom": "root",
            "create_task": "enable",
            "device": [{ "name": "FGT" }],
            "flags": 7,
            "image": { "release": "6.4.7" }
        },
        "url": "um/image/upgrade"
    }],
    "verbose": 1
}

The flags used in the API correspond to CLI options as follows:

  • Null = 0
  • skip_retrieve = 1
  • skip_multi_steps = 2
  • fortiguard_img = 4
  • fortiguard = 8
  • preview = 16
  • force = 16

Multiple flags can be combined by adding their values together. For example, fortiguard + skip_retrieve = 9.
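The flag table can be turned into a small helper that builds the flags integer for a request and decodes an existing one before it is submitted. This is an added example, not Fortinet code: the function names are assumptions, and the flag values are copied from the table above, including the shared value 16 for preview and force.

```python
# Flag values copied from the article's table. "preview" and "force" are
# both listed as 16 there, so that bit cannot be decoded to a single name.
FLAGS = {
    "skip_retrieve": 1,
    "skip_multi_steps": 2,
    "fortiguard_img": 4,
    "fortiguard": 8,
    "preview": 16,
    "force": 16,
}


def encode_flags(names):
    """Combine flag names into the integer for the request's "flags" field."""
    value = 0
    for name in names:
        if name not in FLAGS:
            raise ValueError(f"unknown flag: {name}")
        value |= FLAGS[name]  # OR equals the sum for distinct bits
    return value


def decode_flags(value):
    """Return one list of candidate names per set bit, lowest bit first."""
    known = encode_flags(FLAGS)
    if value < 0 or value & ~known:
        raise ValueError(f"{value} has bits that are not in the table")
    return [[n for n, b in FLAGS.items() if b == bit]
            for bit in sorted(set(FLAGS.values())) if value & bit]


def build_upgrade_request(session, adom, device, release, flag_names):
    """Build a um/image/upgrade body in the shape shown in the article."""
    data = {
        "adom": adom,
        "create_task": "enable",
        "device": [{"name": device}],
        "flags": encode_flags(flag_names),
        "image": {"release": release},
    }
    return {"session": session, "id": 1, "method": "exec",
            "params": [{"data": data, "url": "um/image/upgrade"}],
            "verbose": 1}
```

Calling decode_flags(7) on the value from the sample request shows that it sets skip_retrieve, skip_multi_steps and fortiguard_img, so that request neither retrieves the configuration nor follows the upgrade path.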

Troubleshooting:

If the upgrade fails, collect logs while the upgrade is running using:

diagnose fwmanager fwm-log

Alternatively, restart the service using:

diagnose fwmanager service-restart
     
     
     
     
     