Selecting an alternate firmware for the next boot

This article describes how to revert to the previous firmware image, and how to roll back FortiOS after an upgrade.

FORTINET

1/20/2025 · 2 min read

FortiGate can keep two firmware images on its flash drive, even after a firmware upgrade. For example, after an upgrade from 7.2.11 to 7.4.7, 7.2.11 becomes the backup image and can be accessed and set as the default via the CLI.

This is a very useful feature for critical environments that need minimal downtime and a way to roll back if the upgrade process fails or the new version (7.4.7 in our example) malfunctions.

To change the boot initialization:

#get system status | grep Version:
#diagnose sys flash list

The first command reports the firmware version currently present on the drive, filtering the output down to the one line needed to identify which partition is used for boot by default and its version and build.

The second command lists the partitions and the firmware version each one holds, so that one can be selected for boot later. In the partition column on the left, 1 is the primary partition and 2 is the secondary.

For our example, the unit was previously upgraded from 7.2.11 to 7.4.7, and both firmware images are present on the flash.

After identifying the firmware version and which partition it is in, we will change the boot to build 2731, which is firmware version 7.4.7. The following is the sequence of commands to change the boot:

#execute set-next-reboot primary
#execute reboot

And confirm.

The result after the reboot.
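
A pre-change check for the procedure above, as an added example (not from the original article or from Fortinet): it parses saved `diagnose sys flash list` output, confirms the target build is actually on flash, and returns the matching `set-next-reboot` commands. The sample table, its column layout and the function names are assumptions; build 1111 is a placeholder.

```python
import re

# Constructed sample modelled on the table `diagnose sys flash list` prints.
# Column layout, model, dates and build 1111 are assumptions/placeholders;
# only build 2731 (FortiOS 7.4.7) comes from the article.
SAMPLE_FLASH_LIST = """\
Partition  Image                               TotalSize(KB)  Used(KB)  Use%  Active
1          FGT60F-7.04-FW-build2731-000000            253920    101240   40%  No
2          FGT60F-7.02-FW-build1111-000000            253920     96512   38%  Yes
3          ETDB-1.00000                              3368360    135860    4%  No
"""

# Per the article: partition 1 is primary, partition 2 is secondary.
SLOT_NAME = {1: "primary", 2: "secondary"}


def parse_flash_list(text):
    """Return {partition: {"image", "build", "active"}} for firmware partitions."""
    parts = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].isdigit():
            continue  # header, blank line or trailing summary text
        num = int(fields[0])
        match = re.search(r"build(\d+)", fields[1])
        if num in SLOT_NAME and match:  # skips non-firmware partitions
            parts[num] = {"image": fields[1], "build": int(match.group(1)),
                          "active": fields[-1].lower() == "yes"}
    return parts


def plan_boot_change(text, target_build):
    """Return the CLI lines that boot target_build, or [] if it already boots.

    Raises ValueError when no firmware partition holds that build, so a
    change window never starts with a rollback image that is not on flash.
    """
    parts = parse_flash_list(text)
    hits = [n for n, p in parts.items() if p["build"] == target_build]
    if not hits:
        found = sorted(p["build"] for p in parts.values())
        raise ValueError(f"build {target_build} not on flash, found {found}")
    if any(parts[n]["active"] for n in hits):
        return []  # target image is already the active partition
    return [f"execute set-next-reboot {SLOT_NAME[hits[0]]}", "execute reboot"]


if __name__ == "__main__":
    print("\n".join(plan_boot_change(SAMPLE_FLASH_LIST, 2731)))
```

Keeping the captured flash listing and the generated commands with the change record gives a reviewer evidence of which image the unit was told to boot.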

Fortinet documentation states that downgrading to a previous firmware version results in the loss of settings on all models; only the following settings are retained:

• operation mode
• interface IP/management IP
• static route table
• DNS settings
• admin user account
• session helpers
• system access profiles

This feature does not apply to virtualized firewalls.