Skip to main content

FORTIGATE ACTIVE PASSIVE UPGRADE

FORTIGATE ACTIVE PASSIVE UPGRADE :

This blog post shows the detailed procedures to follow and to upgrade the firmware in the Fortigate Firewall. This Post was supports for any platform or the Version you are going to upgrade in the Fortigate Firewall

This Post was divided into three parts : Pre-Upgrade Process Upgrade Process Post-Upgrade Process

PRE UPGRADE STEPS:


1   1)   Go to the below website and check the Upgrade Path
https://docs.fortinet.com/upgrade-tool



2)      Next Login to the Fortigate Console and check the HA Status ( it is to be In sync and higher Priority enabled for the required primary device)


3)      Login to the Console and give the command
Config global – get sys ha status

Also check session pickup is in enable to avoid session interruptions in failover.


4)      Download all the Firmware’s and the md5 files in the list and check with the software MD5sum.exe to avoid the download errors.
NOTE: Must and should configuration backup have to take for every version in the above steps because During an upgrade, there is a background process that takes the existing configuration file and changes any commands and settings to comply with the syntax of the new firmware. Skipping a firmware version that should have been part of the upgrade path means that the syntax of one or more commands didn’t get updated to work with the current firmware

5)      Get ready with the Console access for the Disaster recovery plan, ensure you are able to login through console before upgrade.

UPGRADE PROCESS: 

And click the Upgrade, Fortigate will upgrade the slave device first and make the slave reboot.
So there is no impact because the slave device is in the standby mode.
Once the slave device come up with the new firmware then the slave send an heartbeat message to make it as a primary and the old primary device upgrade itself and will automatically reboot.
Now the Primary is the Slave device
And the Secondary is the Old Primary device

We have enabled override and given the priority to the higher value for the old primary device(which is in the slave) so it automatically negotiates and become primary.

Check the get sys ha status command and check the sync status is in sync
Once it is in sync
Repeat the same process for all the versions until you get the required version 6.0.8 

     POST UPGRADE PROCESS: 

              1)  Check both the devices are in the sync and the required device is in the active state
        2)  Check both the devices are in the sync and the required device is in the active state                


            Backup once and  Check the traffic flow


REVERT BACK PROCESS IF ANY ISSUES:


Follow the Path the same in the reverse order to downgrade to the 5.4.7 as shown below
6.0.8 –  5.6.11 – 5.6.9– 5.4.9-5.4.7
Once you are in the 5.4.7 then upload the backup configuration file taken from the old 5.4.7 version

Or else install the 5.4.7 directly and perform factory reset then upload the configuration backup file of 5.4.7



NOTE: Must and should configuration backup have to take for every version in the above steps because During an upgrade, there is a background process that takes the existing configuration file and changes any commands and settings to comply with the syntax of the new firmware. Skipping a firmware version that should have been part of the upgrade path means that the syntax of one or more commands didn’t get updated to work with the current firmware



                                                                                                                                      Written By
                                                                                                                                     G Sudhakar
                                                                                                                                  Network Engineer

Popular posts from this blog

UPGRADING EOS in the ARISTA Switches

UPGRADING EOS in the ARISTA Switches: EOS is the Firmware for Arista Switches whereas IOS for Cisco. This blog post shows the detailed procedures to follow and to upgrade the EOS in the Arista Switches. This Post was supports for any platform or the Version you are going to upgrade in the Arista Switches. This Post was divided into three parts : Pre-Upgrade Process Upgrade Process Post-Upgrade Process PRE-UPGRADING-PROCESS: 1       1)        Check the Upgrade Path tool by clicking the below link. https://www.arista.com/en/support/mlag-portal/mlaglist and confirm it is in mlag issu compatible 2)       Check if the  STP agent is restartable by giving the command switch-1# show spanning-tree bridge detail | grep agent Stp agent restartable                      :      ...

OSI Model in Telugu

Layer 2 Security Feature : Dynamic ARP inspection

 We all know about how the ARP works and the importance of it to send the traffic to the endhost, it translates the IP to the mac address. Before we know about the dynamic arp inspection we would need to understand about the ARP poisoining, it is an man in the middle attack works by poisoining the ARP cache database.  IP to mac address tables are stored in the arp cache database in the switch or router. Hacker can poison the arp database by rewriting his own mac address for the default gateway IP so all the users traffic will redirect to the hacker laptop which causes the successful man in the middle attack. Dynamic ARP inspection works by inspecting the ARP cache database with the help of dhcp snooping database. Yesterday I explained the dhcp snooping so you can look into the article to  know how it works. It records the assigned IP with the mac addresses in the dhcp snooping table so the arp inspection would use the dhcp snooping database to find the correct IP to MAC a...