Sunday, October 1, 2023

Upgrade FortiGate HA Cluster Firmware

Here's a Fortinet link on performing a FortiGate High Availability (HA) cluster firmware upgrade. The process is very similar to a standalone FortiGate upgrade: you only upload or transfer the firmware to the Primary FortiGate device.

You can upgrade firmware on all nodes in a cluster from the primary node.

The following process occurs when you perform the HA upgrade procedure:

  1. The primary node pushes the firmware image to the member nodes.
  2. The primary node notifies the member nodes of the upgrade, and it takes their user traffic during the upgrade.
  3. The upgrade command is run on the member nodes, the systems are rebooted, and the member nodes send the primary node an acknowledgment that the upgrade has been completed.
  4. The upgrade command is run on the primary node, and it reboots. When the system is rebooting, a member node assumes primary status, and the traffic fails over from the former primary node to the new primary node.

After the upgrade process is completed, the system determines whether the original node becomes the primary node, according to the HA Override setting:

  • If Override is enabled, the cluster considers the Device Priority setting. Both nodes usually make a second failover in order to resume their original roles.
  • If Override is disabled, the cluster considers uptime first. The original primary node will have a smaller uptime due to the order of reboots during the firmware upgrade. Therefore it will not resume its active role; instead, the node with the greatest uptime will remain the new primary node. A second failover will not occur.

Reboot times vary by the appliance model, and also by differences between the original firmware version and the firmware version you are installing.

There's also a debate in the Fortinet support forum and on Reddit about whether you can directly upgrade a new FortiGate to the target FortiOS version. Some Fortinet folks strongly encourage following the upgrade path even on a new device, to avoid corruption and other unforeseen issues, i.e. "bricking" the device.

Here's the result taken from ChatGPT, which is slightly different from the Fortinet doc, i.e. it uploads the firmware on both the Primary and Secondary FortiGate units.



Upgrading the firmware on a FortiGate High Availability (HA) cluster involves several steps to ensure a smooth and seamless transition. Here's a general guide on how to upgrade the firmware on a FortiGate HA cluster:

Important Note: Before proceeding with the firmware upgrade, make sure to read the release notes for the new firmware version to understand any potential compatibility issues or new features.

    Backup Configuration:
        Log in to the primary FortiGate unit and backup the current configuration. Go to System > Dashboard > Status > Backup and create a backup of the configuration.

    Download Firmware:
        Download the firmware image for the desired version from the Fortinet Support Portal (https://support.fortinet.com/).

    Upload Firmware to Both Units:
        Log in to both the primary and secondary FortiGate units.
        Navigate to System > Firmware and upload the firmware image to both units.


    Verify Compatibility:
        Confirm that the firmware version you're upgrading to is compatible with your hardware and any other devices in your network, including switches, routers, and third-party devices.

    Upgrade the Secondary Unit:
        Initiate the firmware upgrade on the secondary unit first. This helps ensure that you always have one active unit during the upgrade process.
            Go to System > Dashboard > Status > System Information and click on the "Update" link next to the secondary unit's firmware version.
            Follow the on-screen instructions to upload and install the new firmware on the secondary unit.

    Failover to the Secondary Unit:
        After upgrading the secondary unit, perform a failover to make it the active unit. This can be done manually or automatically depending on your HA configuration.
            To manually failover, go to System > Dashboard > Status > HA and click on the "Failover" button.
            To configure automatic failover, go to System > HA > Advanced > Configurations and set the appropriate options.

    Test the Secondary Unit:
        Verify that the secondary unit is functioning correctly as the active unit. Check for any issues or configuration discrepancies.

    Upgrade the Primary Unit:
        Once the secondary unit is confirmed to be working as expected, initiate the firmware upgrade on the primary unit.
            Go to System > Dashboard > Status > System Information and click on the "Update" link next to the primary unit's firmware version.
            Follow the on-screen instructions to upload and install the new firmware on the primary unit.

    Failover Back to the Primary Unit:
        After upgrading the primary unit, perform a failover back to the primary unit if it's not set to automatically fail back.

    Test and Monitor:
        After the upgrade is complete and both units are operating normally, thoroughly test your network to ensure that all services and configurations are functioning as expected.

    Clean Up:
        Once you're confident that the upgrade was successful, you can delete any backup configuration files and older firmware versions to free up storage space.

Always refer to the official Fortinet documentation and release notes for your specific FortiGate model and firmware version for detailed and up-to-date instructions. Additionally, consider performing these upgrades during a maintenance window to minimize disruption to your network services.


You can check the current firmware in the FortiGate GUI by going to Global VDOM: Status > System Information > Firmware: v7.2.4 build1396.

This is the Primary FortiGate current firmware.

This is the Secondary FortiGate current firmware.

You can also use the get system status command to verify the current firmware version.

FW01_PRI # get system status
Version: FortiGate-40F v7.2.4,build1396,230131 (GA.F)
Firmware Signature: certified
Virus-DB: 1.00000(2018-04-09 18:07)
Extended DB: 1.00000(2018-04-09 18:07)
AV AI/ML Model: 0.00000(2001-01-01 00:00)
IPS-DB: 6.00741(2015-12-01 02:30)
IPS-ETDB: 0.00000(2001-01-01 00:00)
APP-DB: 6.00741(2015-12-01 02:30)
INDUSTRIAL-DB: 6.00741(2015-12-01 02:30)
IPS Malicious URL Database: 1.00001(2015-01-01 01:01)
IoT-Detect: 0.00000(2022-08-17 17:31)
Serial-Number: FGT40FTKxxxxP0S
BIOS version: 05000021
System Part-Number: P24680-04
Log hard disk: Not available
Hostname: FW01_PRI
Private Encryption: Disable
Operation Mode: NAT
Current virtual domain: internet
Max number of virtual domains: 10
Virtual domains status: 2 in NAT mode, 0 in TP mode
Virtual domain configuration: multiple
FIPS-CC mode: disable
Current HA mode: a-p, primary
Cluster uptime: 114 days, 21 hours, 45 minutes, 42 seconds
Cluster state change time: 2023-03-22 13:32:22
Branch point: 1396
Release Version Information: GA
System time: Tue Jul 11 16:37:30 2023
Last reboot reason: warm reboot

Check the FortiOS upgrade path and release notes on the Fortinet support site.

Select Product: FortiGate > click Upgrade Path > select Current Product: FortiGate-40F > select Current FortiOS Version: 7.2.4 > select Upgrade To FortiOS Version: 7.2.5 > click GO.

The Recommended Upgrade Path is displayed.

Go to Download tab > click v7.00 folder/directory.

Locate the firmware folder sub-directory and find the file for the FortiGate product/platform.


Click Checksum to view the MD5 and SHA-512 Checksum code. Click HTTPS (hyperlink) to download the firmware file.
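Before uploading the image, compare the digest of the file you actually downloaded with the value shown on the Checksum page, so that a truncated or tampered download never reaches the cluster. The script below is an added example, not code from the post or from Fortinet: it hashes the file in chunks (firmware images are large), normalises the published hex string as copied from the web page, and compares the two in constant time. demo_checks() writes a constructed stand-in file under a placeholder name and checks it against a matching and a deliberately altered checksum.

```python
import hashlib
import hmac
import os
import tempfile


def file_digest(path, algorithm="sha512", chunk_size=1 << 20):
    """Hash a file in 1 MiB chunks so a large firmware image need not fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_checksum(path, published_hex, algorithm="sha512"):
    """Return True only if the file's digest equals the published one.

    The published value is normalised (whitespace stripped, lower-cased) because
    it is usually copy-pasted from the support portal; the comparison itself uses
    hmac.compare_digest. Use algorithm="md5" to check the MD5 value instead,
    although SHA-512 is the one worth trusting.
    """
    expected = "".join(published_hex.split()).lower()
    actual = file_digest(path, algorithm)
    if len(expected) != len(actual):
        return False
    return hmac.compare_digest(actual, expected)


def demo_checks():
    """Constructed demo: build a stand-in 'firmware' file, then verify it against
    the correct SHA-512 and against a checksum with one altered hex digit.
    Returns (result_for_good_checksum, result_for_tampered_checksum)."""
    with tempfile.TemporaryDirectory() as tmp:
        # Placeholder file name; not a real Fortinet image name.
        path = os.path.join(tmp, "firmware-image.out")
        with open(path, "wb") as fh:
            fh.write(b"constructed stand-in for a firmware image\n" * 1000)
        good = file_digest(path)
        # Flip the first hex digit to simulate a corrupted or substituted image.
        tampered = ("0" if good[0] != "0" else "1") + good[1:]
        # Upper-case and spaced input exercises the normalisation path.
        return (verify_checksum(path, " " + good.upper() + "\n"),
                verify_checksum(path, tampered))


if __name__ == "__main__":
    good_ok, tampered_ok = demo_checks()
    print("correct checksum accepted:", good_ok)      # True
    print("tampered checksum accepted:", tampered_ok)  # False
```

In practice you would call verify_checksum() with the path of the downloaded image and the SHA-512 string copied from the Checksum dialog, and refuse to proceed with the upload when it returns False.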

Before performing the firmware upgrade, check that the High Availability (HA) pair is synchronized under Global VDOM > System > HA.

The upgrade is only performed on the Primary FortiGate. The Primary sends a copy of the firmware to the Secondary (Passive) FortiGate; the Secondary is upgraded first and then reboots automatically to reflect the new firmware version.

The Primary is upgraded next and then reboots automatically.

To perform the HA Active-Passive firmware upgrade, select VDOM: Global > System > Fabric Management > select the Device > Upgrade.

 

Go to File Upload > click Browse > locate the firmware file.

Click Confirm and Backup Config.

Click Continue.



The Secondary FortiGate (left ping window) went offline due to the upgrade process.

The Primary FortiGate (right ping window) remains online/active.


The Secondary FortiGate became HA: Primary and its firmware was updated to v7.2.5 build 1517.

The Primary FortiGate automatically went offline due to the upgrade, while the Secondary FortiGate remained online (Primary/Active).

The Primary FortiGate went back online again.

The Primary FortiGate became the Primary/Active again and its firmware was updated to v7.2.5 build 1517.

The HA Active-Passive firmware upgrade procedure finished in around 10 minutes.

HA re-synchronized and the Primary FortiGate became Primary again since it has the higher Priority: 200.
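A post-upgrade check that goes beyond eyeballing the dashboard: parse get system status from both members, confirm they run the same target build, and confirm the HA roles match what the Override/Priority/uptime rule quoted earlier from the Fortinet doc predicts (here, Override enabled and the original Primary at priority 200 should hold the primary role; with Override disabled the member with the longer uptime would keep it). This is an added example, not code from the post or from Fortinet. The two status outputs are constructed from the line format shown above; the hostname FW02_SEC, its assumed priority of 100, both uptimes and the build date field are made up, and treating the Cluster uptime line as the per-member uptime the election rule refers to is an assumption the post does not confirm.

```python
import re

# Constructed sample output from both members after the upgrade, trimmed to the
# lines this check reads. Format modelled on the post's `get system status`
# output; the build date field is a placeholder, uptimes are made up.
STATUS_FW01 = """\
Version: FortiGate-40F v7.2.5,build1517,xxxxxx (GA.F)
Hostname: FW01_PRI
Current HA mode: a-p, primary
Cluster uptime: 0 days, 0 hours, 9 minutes, 15 seconds
"""

STATUS_FW02 = """\
Version: FortiGate-40F v7.2.5,build1517,xxxxxx (GA.F)
Hostname: FW02_SEC
Current HA mode: a-p, secondary
Cluster uptime: 0 days, 0 hours, 14 minutes, 2 seconds
"""

# Device Priority per hostname: 200 is from the post, 100 is an assumed value.
PRIORITIES = {"FW01_PRI": 200, "FW02_SEC": 100}
TARGET = ("7.2.5", 1517)

VERSION_RE = re.compile(r"^Version:\s+(?P<model>\S+)\s+v(?P<version>[\d.]+),build(?P<build>\d+)", re.M)
UPTIME_RE = re.compile(r"^Cluster uptime:\s+(\d+) days?, (\d+) hours?, (\d+) minutes?, (\d+) seconds?", re.M)
HA_RE = re.compile(r"^Current HA mode:\s+(?P<mode>[\w-]+),\s+(?P<role>\w+)", re.M)
HOST_RE = re.compile(r"^Hostname:\s+(\S+)", re.M)


def parse_uptime(days, hours, minutes, seconds):
    """Convert the 'N days, N hours, N minutes, N seconds' fields to seconds."""
    return ((int(days) * 24 + int(hours)) * 60 + int(minutes)) * 60 + int(seconds)


def parse_status(text):
    """Extract the fields needed for the HA version/role check from one member's output."""
    v, u, h, n = (r.search(text) for r in (VERSION_RE, UPTIME_RE, HA_RE, HOST_RE))
    if not (v and u and h and n):
        raise ValueError("unrecognised get system status output")
    return {
        "hostname": n.group(1),
        "model": v.group("model"),
        "version": v.group("version"),
        "build": int(v.group("build")),
        "ha_mode": h.group("mode"),
        "ha_role": h.group("role"),
        "uptime_seconds": parse_uptime(*u.groups()),
    }


def expected_primary(members, priorities, override):
    """Election rule as quoted from the Fortinet doc: with Override enabled the
    highest Device Priority wins (uptime as tie-break is an assumption); with
    Override disabled the member with the greatest uptime keeps the primary role."""
    if override:
        key = lambda m: (priorities[m["hostname"]], m["uptime_seconds"])
    else:
        key = lambda m: m["uptime_seconds"]
    return max(members, key=key)["hostname"]


def check_cluster(outputs, priorities, override, target):
    """Verify every member runs the target (version, build) and exactly one member
    is primary, and compare that member with the one the election rule predicts."""
    members = [parse_status(t) for t in outputs]
    versions = {(m["version"], m["build"]) for m in members}
    primaries = [m["hostname"] for m in members if m["ha_role"] == "primary"]
    want = expected_primary(members, priorities, override)
    return {
        "all_on_target": versions == {target},
        "single_primary": len(primaries) == 1,
        "actual_primary": primaries[0] if len(primaries) == 1 else None,
        "expected_primary": want,
        "role_as_expected": primaries == [want],
    }


if __name__ == "__main__":
    for override in (True, False):
        result = check_cluster([STATUS_FW01, STATUS_FW02], PRIORITIES, override, TARGET)
        print("override", override, "->", result)
```

Paste the real outputs of both members in place of the constructed strings; a False in all_on_target means one member did not take the image, and a False in role_as_expected with Override enabled means the second failover described in the Fortinet doc has not happened yet.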