Firmware upgrades
1. Log into the primary FIM and verify that it is running the expected firmware version.
You can verify the firmware version running on the primary FIM from the System Information dashboard widget or
by using the get system status command.
2. Confirm that the FortiGate-7000F is synchronized.
Go to Monitor > Configuration Sync Monitor to verify the configuration status of the FIMs and FPMs. You can
also use the diagnose sys confsync status | grep in_sy command to see if the FIMs and FPMs are all
synchronized. In the command output, in_sync=1 means the FIM or FPM is synchronized; in_sync=0 means the
FIM or FPM is not synchronized, which could indicate the FIM or FPM is running a different firmware build than the
primary FIM.
3. Optionally, you can also log into the other FIM and FPMs, and in the same way confirm that they are also running
the expected firmware version and are synchronized.
Upgrading the firmware running on individual FIMs or FPMs
You can install firmware on individual FIMs or FPMs by logging into the FIM or FPM GUI or CLI. You can also set up a
console connection to the FortiGate-7000F front panel SMM and install firmware on individual FIMs or FPMs from a
TFTP server after interrupting the FIM or FPM boot up sequence from the BIOS.
Normally you wouldn't need to upgrade the firmware on individual FIMs or FPMs because the FortiGate-7000F keeps
the firmware on all of the FIMs and FPMs synchronized. However, FIM or FPM firmware may go out of sync in the
following situations:
• Communication issues during a normal FortiGate-7000F firmware upgrade.
• Installing a replacement FIM or FPM that is running a different firmware version.
• Installing firmware on or formatting an FIM or FPM from the BIOS.
To verify the firmware versions on each FIM or FPM you can check individual FIM and FPM GUIs or enter the get
system status command from each FIM or FPM CLI. You can also use the diagnose sys confsync status |
grep in_sy command to see if the FIMs and FPMs are all synchronized. In the command output, in_sync=1 means
the FIM or FPM is synchronized; in_sync=0 means the FIM or FPM is not synchronized, which could indicate the
FIM or FPM is running a different firmware build than the primary FIM.
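As an added example (not from the Fortinet guide), the in_sync check described here and in step 2 above can be scripted over CLI output saved after an upgrade, so that a missing module is caught as well as an unsynchronized one. It assumes each output line starts with a module identifier followed by comma-separated fields; the sample lines and identifiers are constructed, and check_sync and expected_modules are hypothetical names.

```python
import re

# Constructed sample of saved `diagnose sys confsync status | grep in_sy` output.
# Assumption: module identifier is the first comma-separated field on each line.
SAMPLE = """\
FIM-EXAMPLE-0001, slot_id=1:1, in_sync=1
FIM-EXAMPLE-0002, slot_id=1:2, in_sync=1
FPM-EXAMPLE-0003, slot_id=1:3, in_sync=0
FPM-EXAMPLE-0004, slot_id=1:4, in_sync=1
"""

IN_SYNC = re.compile(r"\bin_sync=([01])\b")


def check_sync(output, expected_modules):
    """Return (ok, problems) for saved confsync output.

    A module is flagged if any line for it reports in_sync=0. The check
    fails closed: fewer modules than expected (for example an FPM that
    never came back after the upgrade) is reported as a problem too.
    """
    status = {}  # module identifier -> True while every line says in_sync=1
    for line in output.splitlines():
        match = IN_SYNC.search(line)
        if match is None:
            continue  # header or unrelated line in unfiltered output
        module = line.split(",", 1)[0].strip()
        status[module] = status.get(module, True) and match.group(1) == "1"

    problems = [(m, "in_sync=0") for m, good in status.items() if not good]
    if len(status) != expected_modules:
        problems.append(
            ("chassis", f"{len(status)} of {expected_modules} modules reported")
        )
    return (not problems, problems)


if __name__ == "__main__":
    ok, problems = check_sync(SAMPLE, expected_modules=4)
    for module, reason in problems:
        print(f"NOT SYNCHRONIZED: {module}: {reason}")
    raise SystemExit(0 if ok else 1)
```

Set expected_modules to the number of FIMs and FPMs installed in the chassis being checked.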
The procedures in this section work for FIMs or FPMs in a standalone FortiGate-7000F. These procedures also work for
FIMs or FPMs in the primary FortiGate-7000F in an HA configuration. To upgrade firmware on an FIM or FPM in the
secondary FortiGate-7000F in an HA configuration, you should either remove the secondary FortiGate-7000F from the
HA configuration or cause a failover so that the secondary FortiGate-7000F becomes the primary FortiGate-7000F.
In general, if you need to update both FIMs and FPMs in the same FortiGate-7000F, you should update the FIMs first as
the FPMs can only communicate through FIM interfaces.
Upgrading FIM firmware
Use the following procedure to upgrade the firmware running on a single FIM. For this procedure to work, you must
connect at least one of the FIM MGMT interfaces to a network. You must also be able to log in to the FIM GUI or CLI from
that MGMT interface. If you perform the firmware upgrade from the CLI, the FIM must be able to communicate with an
FTP or TFTP server.
During the upgrade, the FIM will not be able to process traffic. However, the other FIM and the FPMs should continue to
operate normally.
FortiGate-7121F System Guide
Fortinet Technologies Inc.