How to Load FortiGate Firmware via TFTP & BIOS
Description
Scope
This article describes how to download and install firmware from a local TFTP server via the BIOS, under CLI control.
This procedure applies to:
- FortiGate devices
- Firmware recovery scenarios
- Boot device failure situations
- TFTP firmware installation under console control
Solution
This article describes how to download and install firmware from a local TFTP server via the BIOS, under CLI control.
It is also necessary to install firmware using the local TFTP server if the following message appears on the console:
OPEN BOOT DEVICE FAILED
Some devices would report this as:
Default firmware boot failed!
Caution
Installing firmware from a local TFTP server under console control will reset the FortiGate unit to factory default settings.
Consider backing up the configuration (using the GUI or CLI commands below) before starting the TFTP server firmware upgrade:
execute backup configexecute backup ipsuserdefsig
The first command backs up the configuration, and the second one backs up the IPS custom signatures, if any.
Components
- A null modem, or RJ-45 to DB9 console cable, is supplied with the FortiGate.
- An Ethernet RJ45 cable.
- A terminal client, such as a PC running HyperTerminal (Windows).
- A TFTP server.
Physical Connection
To connect to the FortiGate over the console connection, follow the steps outlined in:
Technical Tip: How to connect to the FortiGate and FortiAP console port.
The connection can be made on any Ethernet port. In this case, the WAN1 or MGMT interface.
Download the required firmware and verify the MD5 checksum.
Download the Firmware Image
Download the required images from the support portal page:
Support -> Support -> Firmware Download
Select and download the specific firmware version needed, as shown below.
Install the TFTP Server
Download and install a TFTP server on the computer.
Viable options are:
- TFTPD64
- SolarWinds TFTP Server
Disable the Windows firewall or any other third-party packet filtering application (for example, Trend Micro LightWeight Filter Driver).
Why Windows Firewall Needs to Be Temporarily Disabled
During a FortiGate firmware upgrade using TFTP, the device operates as follows:
- It first initiates communication with the PC hosting the TFTP server.
- It then dynamically uses random high UDP ports to transfer the firmware image.
When Windows filtering is enabled:
- UDP port 69 (used by TFTP) or dynamically assigned UDP ports may be blocked.
- Windows may permit the initial connection but block the subsequent firmware data transfer.
- As a result, the FortiGate remains waiting for the TFTP server, causing the upgrade process to appear stalled and preventing it from proceeding.
Prepare the Firmware File
Create a directory and name it something like:
TFTP
Move the firewall image to that directory.
Rename the firmware image file to:
image.out
The reason for renaming the image to image.out is to have a much shorter file name compared with the default file name when the file is downloaded from support.fortinet.com.
If the file name is not changed, it can cause the TFTP file transfer to fail with the following error:
tftp error 1 (file not found.) try to recover...
Configure the PC Ethernet Interface
Set the system’s Ethernet interface IP as follows (the IP can be from any subnet):
IP address: 10.10.10.1
Subnet mask: 255.255.255.0
Default Gateway: 10.10.10.115
Note 1
Ensure that only the firmware file named image.out is present in the TFTP server’s Current Directory.
If other files are in the directory, FortiGate may fail to load the firmware, even if the file name matches image.out.
Note 2
After formatting the FortiGate, it is normal for the SolarWinds TFTP Server not to display the IP address 10.10.10.1 in the binding list, as shown in the image below.
This can be disregarded to proceed with the subsequent steps.
Note 3
The connected network adapter will not show as connected, and the NIC port on the PC will not light up until the file transfer begins.
Connect to the Console Port
Connect the computer to the FortiGate unit using the null modem cable.
For detailed steps for this connection, see this article:
Technical Tip: How to connect to the FortiGate console port.
Terminal Client Communication Parameters
8 bits
no parity
1 stop bit
9600 baud
Flow Control = None
For the FortiGate-300:
115000 baud
Access the BIOS Menu
Restart the FortiGate.
When the console displays the following message, press any key:
Please wait for OS to boot, or press any key to display the configuration menu.
FortiGate-81E (12:47-03.03.2017) Ver:05000007 Serial number: FGT81E*********1 CPU: 1000MHz Total RAM: 2 GB Initializing boot device... Initializing MAC... nplite#0 Please wait for OS to boot, or press any key to display the configuration menu.
Format the Device
When a list of choices with individual letters of the alphabet appears, press F to format the device.
[C]: Configure TFTP parameters.
[R]: Review TFTP parameters.
[T]: Initiate TFTP firmware transfer.
[F]: Format boot device.
[I]: System information.
[B]: Boot with backup firmware and set as default.
[Q]: Quit menu and continue to boot.
[H]: Display this list of options.
Enter C,R,T,F,I,B,Q,or H:
It will erase data in boot device. Continue? [yes/no]:yes
Formatting..........done
Done.
After that, the device will boot again.
Again, a list of choices with letters will appear.
Press R to review TFTP parameters.
Enter C,R,T,F,I,B,Q,or H:R
Image download port: WAN1
DHCP status: Disabled
Local VLAN ID: <NULL>
Local IP address: 10.10.10.115
Local subnet mask: 255.255.255.0
Local gateway: 10.10.10.1
TFTP server IP address: 10.10.10.1
Firmware file name: image.out
Note
If the Firmware file name is more than a certain number of characters, it will say:
image not found
Reduce the number of characters in the file name on the TFTP server.
Configure TFTP Parameters
Once again, a list of choices with letters will appear.
Press C to configure TFTP parameters.
[C]: Configure TFTP parameters.
[R]: Review TFTP parameters.
[T]: Initiate TFTP firmware transfer.
[F]: Format boot device.
[I]: System information.
[B]: Boot with backup firmware and set as default.
[Q]: Quit menu and continue to boot.
[H]: Display this list of options.
Enter C,R,T,F,I,B,Q,or H:C
Change the parameters to be in line with the TFTP server configuration.
[P]: Set firmware download port.
[D]: Set DHCP mode.
[I]: Set local IP address.
[S]: Set local subnet mask.
[G]: Set local gateway.
[V]: Set local VLAN ID.
[T]: Set remote TFTP server IP address.
[F]: Set firmware file name.
[E]: Reset TFTP parameters to factory defaults.
[R]: Review TFTP parameters.
[N]: Diagnose networking(ping).
[Q]: Quit this menu.
[H]: Display this list of options.
Set Local IP Address
Enter P,D,I,S,G,V,T,F,E,R,N,Q,or H:
Enter local IP address [10.1.1.115]: 10.10.10.115
.done
Set Local Subnet Mask
Enter P,D,I,S,G,V,T,F,E,R,N,Q,or H:
Enter local subnet mask [255.255.255.0]: 255.255.255.0
.done
Set Local Gateway
Enter P,D,I,S,G,V,T,F,E,R,N,Q,or H:
Enter remote TFTP server IP address [10.1.1.1]: 10.10.10.1
.done
Set TFTP Server IP Address
Enter P,D,I,S,G,V,T,F,E,R,N,Q,or H:
Enter remote TFTP server IP address [10.1.1.1]: 10.10.10.1
.done
Set Firmware File Name
Enter P,D,I,S,G,V,T,F,E,R,N,Q,or H:
Enter firmware file name [FGT_100F-v7.0.0-build0066-FORTINET.out]: image.out
.done
Quit the Menu
Enter P,D,I,S,G,V,T,F,E,R,N,Q,or H:
Note
The link light on the FortiGate port used for firmware download and connected machine port will not blink or show up until the TFTP firmware transfer is initiated.
The firmware image download Port can be changed from option P.
Initiate the TFTP Firmware Transfer
Press T to initiate the TFTP firmware transfer.
Please connect TFTP server to Ethernet port 'WAN1'.
MAC: 94:ff:3c:6e:e9:66
Connect to tftp server 10.10.10.1 ...
Note
At times, the file transfer might not yield any errors or indicate that a connection to the TFTP server is being initiated, and it may appear to be stalled, as illustrated below:
Please connect TFTP server to Ethernet port 'WAN1'.
MAC: 94:ff:3c:6e:e9:66
Gathering a Wireshark capture on the interface linked to the TFTP server would reveal that the destination port is unreachable.
Review the TFTP server settings and make sure that the security level is set to none and the advanced TFTP options are set as follows:
After making these changes, the transfer of the file will start successfully.
Successful Firmware Transfer
After this is connected and the transfer has begun, the screen will start filling with the # symbol.
This means that the TFTP transfer has started successfully.
#######################################################################################################################################################################################
Image Received.
Checking image... OK
This firmware image is certified!
Save as Default firmware/Backup firmware/Run image without saving:[D/B/R]?D
Programming the boot device now. The system must re-layout the boot device to install this firmware.
The default and backup firmware will be lost.
Continue:[Y/N]?Y
.. OK
Verifying... OK
.done
Booting OS...
Initializing firewall...
System is starting...
Resizing shared data partition...done
Formatting shared data partition ... done!
Starting system maintenance...
Scanning /dev/mmcblk0p1... (100%)
Scanning /dev/mmcblk0p3... (100%)
FortiGate-81E login: admin
Password:
You are forced to change your password. Please input a new password.
New Password:
Confirm Password:
Welcome!
Restore Access After Formatting
After formatting the device, it will be reachable again using the default IP:
192.168.1.99/24
So, the laptop connected to the management interface must have an IP address of this subnet, and then it will be possible to restore the configuration file via GUI and CLI.
Notes / Tips
Note
If formatting needs to be completed due to a lost admin password and an existing backup configuration has to be re-imported, make sure that the password configuration line has been removed.
Edit the backup config text file with a text editor such as Notepad++, delete the set password line from the configuration, and save the file as a new file with a .conf extension.
Firmware Loading Errors
If any error occurs while loading the firmware, the error will be similar to the following:
Fatal error: Loading FOS fails!
Please power cycle. System halted.
Or:
Fatal error: AV engine file authentication failed!
Please power cycle. System halted.
Additional Notes
- While transferring the image through the TFTP server, it is necessary to make sure the Windows firewall or antivirus is disabled.
- If WI-FI is connected, it needs to be disconnected while transferring the firmware image.
- If the
connect to TFTP servercontinues to show a bunch ofT T T T T T Tinstead of########, there is an issue with downloading the firmware to the FortiGate.
One of the issues could be wrongly naming the image file.
Ensure that the .out was not repeated twice in the image name.
Hyper-V Consideration
Consider when the PC is running Hyper-V.
Windows automatically enables a virtual switch filter driver on the NICs.
This will interfere with network traffic like:
- TFTP (UDP/69)
- Broadcast traffic
That might be the reason why the FortiGate device cannot pull the file even though the TFTP server is running.
FAQ
What does OPEN BOOT DEVICE FAILED mean on a FortiGate?
It indicates that the FortiGate failed to boot the firmware image and firmware recovery through TFTP may be required.
What happens when formatting a FortiGate using TFTP?
The FortiGate unit is reset to factory default settings.
Why should the firmware file be renamed to image.out?
A shorter filename helps prevent TFTP transfer failures caused by long firmware filenames.
What is the default FortiGate IP after formatting?
192.168.1.99/24
Why does the console display TTTTT instead of ######?
This indicates an issue downloading the firmware image to the FortiGate.
Why should Windows Firewall be disabled during the transfer?
Windows Firewall may block UDP port 69 or dynamically assigned UDP ports required for TFTP transfers.