Upgrading FortiGates in most cases is a straightforward process. Usually, it goes smooth and requires minimal admin intervention. It's easy when it's your FortiGate, which was deployed and maintained by you. It's not always the case. You might be working for different customers helping them with Fortinet devices, so you don't maintain them on a daily basis and you are not fully familiar with all the config. Also, you might hit a nasty software bug on a new version. Below I'll give you a few general tips which are extremely useful when planing to upgrade FortiGates.

General (obvious) procedure

  1. Read the Release Notes
  2. Follow Upgrade Path
  3. Create full backup
  4. Download current firmware (for potential rollback)
  5. Make sure that HA is synced and stable (logs)
  6. Upgrade

Useful commands

A full backup can be performed only from CLI:

FGH# execute backup full-config ?
ftp         Backup full config file to FTP server.
tftp        Backup full config file to TFTP server.
usb         Backup full config file to USB disk.
usb-mode    Backup full config file for USB mode.

Check HA status:

FGT# get system ha status


Upgrade 5.4 >>> 5.6

Read my previous article regarding that one.

Firewall rules migrated or configured from CLI

FortiGate is no other than different firewalls. CLI allows for more, which is not always a good thing. One day I was performing an upgrade and noticed that my firewall rules were adjusted:

Before upgrade:

config firewall policy
  edit 1
    set dstaddr "all" "LAN_subnet"

After upgrade:

config firewall policy
  edit 1
    set dstaddr "LAN_subnet"

Upgrade was from 5.6.6 to 6.0.4. I was curious and I checked FortiOS 5.4.5, 5.6.2 and 5.6.11 - none allows in GUI to specify destination address as "all" + "something else". If you try to add "all", it replaces everything else.

During an upgrade, the object "all" was removed from affected rules. Result? Policies blocking too much traffic. Can you be informed about that by FortiGate, not user? Yes, keep reading...

Read the error log

That is the most useful advice, which is not that obvious. Before you perform an upgrade, make sure that the firewall hasn't encountered any errors during the last reboot. Read the logs one more time, after an upgrade to make sure that no configuration was lost during the process.

FGT# diagnose debug config-error-log read

That command should generate an empty output! Remember to execute it before and after an upgrade!