If you're managing a FortiGate device without an active support contract, there are important limitations to consider when it comes to firmware updates. While it's understandable that firmware development requires funding, the latest FortiOS 7.4.2 update introduces some significant restrictions that go beyond the norm.
Previously, FortiGate devices without support contracts could not upgrade to higher major or minor versions but could still upgrade to higher patch builds. However, with FortiOS 7.4.2, even downgrading to previous versions within the same major version is no longer possible. This means you can't revert to an earlier version, even if you encounter issues or compatibility problems with the latest update.
Furthermore, as of February 8, 2024, upgrading within the same minor release (e.g., from 7.4.2 to 7.4.3) is also blocked for devices without active support contracts.
To work around these restrictions, you can boot from the other firmware partition, which still holds the image that was active before the last upgrade, or format the boot device and upload a new firmware image via TFTP.
Downgrade Commands:
To boot from the secondary partition:
# exec set-next-reboot secondary
# exec reboot
Solution
The following CLI command lists the FortiOS image files installed in both partitions:
FGT # diag sys flash list
Partition  Image                            TotalSize(KB)  Used(KB)  Use%  Active
1          FGT61E-6.04-FW-build1778-201021  253920         87604     35%   Yes
2          FGT61E-6.04-FW-build1803-201209  253920         88660     35%   No
3          ETDB-84.00660                    3021708        200120    7%    No
Image build at Dec 9 2020 22:27:52 for b1803
In the above output, partition 1 is active and holds the running firmware (build 1778, i.e. 6.4.3); partition 2 holds build 1803 (6.4.4).
Back up the configuration first, then use the following CLI command to select which firmware partition should be used at the next reboot:
FGT # execute set-next-reboot {primary | secondary} <-----In this example it will be secondary.
FGT # execute set-next-reboot secondary
Default image is changed to image# 2.
Primary and secondary simply refer to partition number 1 and partition number 2 respectively. Partition number 3 does not hold a FortiOS image and can be ignored.
Once the secondary partition that is to be used to boot the device has been selected, reboot the FortiGate.
This can be done using the command:
FGT # execute reboot
The same CLI command can then be used to verify that the FortiGate has rebooted from the secondary partition (see the example below):
FGT # diag sys flash list
Partition  Image                            TotalSize(KB)  Used(KB)  Use%  Active
1          FGT61E-6.04-FW-build1778-201021  253920         87604     35%   No
2          FGT61E-6.04-FW-build1803-201209  253920         88660     35%   Yes
3          ETDB-84.00660                    3021708        200120    7%    No
Image build at Dec 9 2020 22:27:52 for b1803
VDOM administrators do not have permission to run this command. It must be executed by a super administrator.
After a subsequent upgrade, the new image is written to the inactive partition, which then becomes the active one (here partition 1 now holds 6.4.5, build 1828, while partition 2 keeps 6.4.4):
FGT # diag sys flash list
Partition  Image                            TotalSize(KB)  Used(KB)  Use%  Active
1          FGT61E-6.04-FW-build1828-210217  253920         87396     34%   Yes
2          FGT61E-6.04-FW-build1803-201209  253920         88660     35%   No
3          ETDB-84.00660                    3021708        157240    7%    No
Image build at Feb 17 2021 20:43:28 for b1828
Note:
- Rebooting the FortiGate from the other partition loads the configuration that was saved with that partition, so any configuration changes made since the upgrade are lost. Take a backup of the running configuration before rebooting and compare it with the backup taken before the upgrade (for example with Notepad++ and its Compare plugin) to quickly highlight the changes that must be re-applied afterwards.
- In HA environments, the command needs to be applied to each unit in the cluster individually. This is not synchronized and will not automatically take effect on other units in the cluster.
- FortiToken licenses, once added to any of the units, are kept and shared between the units of the cluster. Therefore, a reboot (or shutdown) of one unit in an HA cluster should not impact the operation or usage of FortiTokens through the remaining unit. When a downgrade is performed as above, the unit will load the previous configuration (with FortiTokens in the same state and assigned as they were before the last upgrade). This can be useful when the token licenses are not validated correctly following an upgrade.
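As an added example (not from this page, from the Fortinet KB, or from FortiOS itself), the following Python script checks the two things a practitioner wants to know before running the rollback above: it parses the "diag sys flash list" output shown earlier to find the inactive partition and the keyword that "execute set-next-reboot" needs, reports whether booting it is actually a downgrade (with the page's own listing the standby image is the newer build, so it is not), and diffs a pre-upgrade configuration backup against the running one to list the lines the rollback would drop. The parsing rules, the handling of the "#config-version=" header line and the two configuration samples are assumptions constructed for this example, not device output.

```python
"""Sanity-check a FortiGate partition rollback before running it.

Added example, not Fortinet code. The flash listing is the page's own
sample; the config dumps and the parsing rules are assumptions made
for this example.
"""
import difflib
import re

# Sample 'diag sys flash list' output, taken from the page's listing.
FLASH_LIST = """\
Partition Image TotalSize(KB) Used(KB) Use% Active
1 FGT61E-6.04-FW-build1778-201021 253920 87604 35% Yes
2 FGT61E-6.04-FW-build1803-201209 253920 88660 35% No
3 ETDB-84.00660 3021708 200120 7% No
Image build at Dec 9 2020 22:27:52 for b1803
"""

# FortiOS image names look like MODEL-MAJOR.MINOR-FW-buildNNNN-YYMMDD.
IMAGE_RE = re.compile(
    r"^(?P<model>[A-Z0-9]+)-(?P<major>\d+)\.(?P<minor>\d+)-FW-build(?P<build>\d+)-\d{6}$"
)

# Partition numbers as 'execute set-next-reboot' names them.
PARTITION_NAME = {1: "primary", 2: "secondary"}


def parse_flash_list(text):
    """Return {partition_number: info} for the FortiOS images only.

    The header, the trailing 'Image build at ...' line and partition 3
    (the ETDB database, which holds no FortiOS image) are skipped.
    """
    parts = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6 or not fields[0].isdigit():
            continue
        m = IMAGE_RE.match(fields[1])
        if m is None:
            continue
        parts[int(fields[0])] = {
            "image": fields[1],
            "version": f"{int(m['major'])}.{int(m['minor'])}",
            "build": int(m["build"]),
            "active": fields[5] == "Yes",
        }
    return parts


def rollback_plan(parts):
    """Describe what booting the inactive partition would do.

    Raises ValueError unless there is exactly one active and one inactive
    FortiOS image, because set-next-reboot would then have no safe target.
    """
    active = [n for n, p in parts.items() if p["active"]]
    standby = [n for n, p in parts.items() if not p["active"]]
    if len(active) != 1 or len(standby) != 1:
        raise ValueError("expected one active and one inactive FortiOS image")
    cur, tgt = parts[active[0]], parts[standby[0]]
    return {
        "command": f"execute set-next-reboot {PARTITION_NAME[standby[0]]}",
        "from_build": cur["build"],
        "to_build": tgt["build"],
        "downgrade": tgt["build"] < cur["build"],   # older build on standby
        "same_minor": tgt["version"] == cur["version"],
    }


def config_diff(before_upgrade, running_now):
    """Return the '+'/'-' lines between two 'execute backup config' dumps.

    Lines starting with '#' (the '#config-version=...' header) are ignored:
    they change with every build even when the settings do not. The '+'
    lines are the changes a rollback would drop and must be re-applied.
    """
    def body(text):
        return [l for l in text.splitlines() if not l.startswith("#")]

    diff = difflib.unified_diff(body(before_upgrade), body(running_now),
                                "before", "after", lineterm="", n=0)
    return [l for l in diff
            if l.startswith(("+", "-")) and not l.startswith(("+++", "---"))]


# Constructed config dumps (assumed format): the backup saved before the
# upgrade from build 1803 to 1828 and the running config, which gained one
# setting after the upgrade.
CONFIG_BEFORE_UPGRADE = """\
#config-version=FGT61E-6.4.4-FW-build1803-201209:opmode=0:vdom=0:user=admin
config system global
    set hostname "edge-fw"
    set admin-sport 8443
end
"""

CONFIG_RUNNING_NOW = """\
#config-version=FGT61E-6.4.5-FW-build1828-210217:opmode=0:vdom=0:user=admin
config system global
    set hostname "edge-fw"
    set admin-sport 8443
    set admintimeout 10
end
"""

if __name__ == "__main__":
    print(rollback_plan(parse_flash_list(FLASH_LIST)))
    for line in config_diff(CONFIG_BEFORE_UPGRADE, CONFIG_RUNNING_NOW):
        print("lost on rollback:" if line[0] == "+" else "restored on rollback:", line[1:])
```

Feed the script the real output of "diag sys flash list" and the two backups taken with "execute backup config" and it tells you which keyword to pass to "execute set-next-reboot", whether you are stepping back to an older build, and which lines to re-enter once the device is back on the other partition.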
To format the boot device and upload a new firmware image via TFTP, you can refer to the FortiGate documentation for detailed instructions.
Disclaimer: This information is provided for informational purposes only. The author is not responsible for any consequences that may occur. Readers should proceed with their own responsibility and refer to official FortiGate documentation for guidance.
It's essential for FortiGate users to be aware of these restrictions and plan their firmware updates accordingly, especially if they do not have an active support contract. Ensuring compatibility and stability with each update is crucial, as reverting to a previous version may not always be an option.
Important Note: Check what is on the secondary partition before upgrading, as it may hold a much older image and configuration. After downgrading and then upgrading to 7.4.3, restore the current backup to the new partition.