Support Forum
srsiddiqui
New Contributor

FortiOS 5.2.10 - 5.4.1 RMA Claimed

Hi,

As per the TAC recommendations we had to flash format the 100D, and eventually it didn't come back up. FortiOS version 5.2.10.

So we got the RMA unit with FortiOS 5.4.1. Although the support contract was 24x7, we received the device on the 4th day after the claim was initiated and were in a bit of a hurry to bring it live. So we imported the 5.2.10 config into 5.4.1 and started working. This was 3 weeks back. Link Monitor was configured with 2 ISPs.

Started facing issues with all the options enabled on a single policy, that is UTM, deep inspection and SSL certificate: users complaining that websites are not opening properly ("the webpage is unreachable", Error Connection Timeout, Error Connection Closed, DNS host suffix issues) on three major browsers.

As per TAC: The current configuration which you have on the FortiGate is corrupted as well. Hence, you will have to flash format the box. Install 5.2.10 and reload the configuration of 5.2.10. Then you can go to firmware 5.4.1 following a proper upgrade path. Upgrade path information is present in the support portal. Unfortunately, you will have to redo all the configuration which you had done on 5.4.1 in those 3 weeks.

If UTM features are disabled in the policy then there is no issue in browsing.

Since there is a lot of configuration done and the device was running in the Head Office, if we try to redo the complete config it will take around 3-4 days of downtime, which is not possible at all. Further, if something is missed out, it will be managed afterwards.

Is there any workaround for converting the configuration of 5.2.10 to 5.4.1, removing the Link-Monitor config part and again configuring WAN LLB, in order to minimize the downtime to max 1 day?

SecurityPlus
Contributor II

Was your 100D firewall working properly when running 5.2.10? Do you have a config backup when it was running 5.2.10 successfully? What prompted using or upgrading to FortiOS 5.4.1?
srsiddiqui

Yes, the 100D was working fine before; before the RMA the device was having ongoing CPU spike issues and we had to restart the firewall sometimes 2-3 times a day or after 7-10 working days.

Yes, I have the backup with me.

The new device came with 5.4.1; I didn't downgrade it.

ede_pfau

Having both a backup from v5.2.10 and v5.4.1, you can obtain a diff to get a 'recipe' of what you changed in the 3 weeks. Both FortiOS versions do have their differences, but depending on what you see in the diff you could paste in blocks of code (config) one at a time - all 'live', with no downtime.

Of course you will have to be extremely careful in doing this.

You could better do this offline - just modify a copy of the v5.2 config to incorporate the changes. If avoiding downtime is your primary concern then I would prefer to do the merge offline.

This will get difficult when you come to features whose syntax has changed from v5.2 to v5.4, one of them being WLLB / SD-WAN.

Finally, take the FGT offline, downgrade to v5.2.10 and restore the amended config. Check `diag debug conf read` to see which parts didn't work. Before re-loading, clear it with `diag debug conf clear`.

A lot of hassle only because you didn't prepare the replacement unit properly, i.e. downgrade to the version used currently. v5.4.1 isn't a 'gold' version either; once you have cleared this mess up you should upgrade to v5.4.10 as soon as possible to get over the most prominent bugs fixed in the meantime.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
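The diff-and-paste approach described in the reply above, worked through as an added example (this is not code from the thread or from Fortinet): a small Python script that splits two FortiOS backups into their `config ... edit ... next ... end` entries, reports which entries were added, removed or changed, and renders the added and changed ones as CLI blocks that can be pasted in one at a time. The two backups are constructed samples, not real device configs.

```python
# Constructed sample backups (not from a real FortiGate): v5.2.10 backup vs. a later one
OLD_CFG = """\
config firewall address
    edit "srv-web"
        set subnet 10.1.1.10 255.255.255.255
    next
end
config firewall policy
    edit 1
        set srcintf "internal"
    next
end
"""
NEW_CFG = OLD_CFG.replace("10.1.1.10", "10.1.1.11") + """\
config firewall address
    edit "srv-mail"
        set subnet 10.1.1.20 255.255.255.255
    next
end
"""
def parse_blocks(text):
    """Map (config path, edit id) -> body lines; id '' for section-level settings."""
    blocks, section, entry, depth = {}, None, "", 0
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if depth == 0 and line.startswith("config "):
            section, entry, depth = line[7:], "", 1
        elif depth == 1 and line.startswith("edit "):
            entry = line[5:]          # keep quotes and numeric ids as written
            blocks.setdefault((section, entry), [])
        elif depth == 1 and line in ("next", "end"):   # leave the entry / the section
            entry, depth = "", 0 if line == "end" else depth
        else:                         # a setting, or a nested config/edit/end
            depth += line.startswith("config ") - (line == "end")
            blocks.setdefault((section, entry), []).append(line)
    return blocks
def diff_configs(old_text, new_text):
    """Entry keys added, removed or changed between two backups."""
    old, new = parse_blocks(old_text), parse_blocks(new_text)
    return {"added": sorted(k for k in new if k not in old),
            "removed": sorted(k for k in old if k not in new),
            "changed": sorted(k for k in old if k in new and old[k] != new[k])}
def recipe(old_text, new_text):
    """Render added/changed entries as CLI blocks that can be pasted one at a time."""
    new, d, out = parse_blocks(new_text), diff_configs(old_text, new_text), []
    for section, entry in d["added"] + d["changed"]:
        body = new[(section, entry)]
        if entry:                       # wrap per-entry settings in edit/next
            body = [f"edit {entry}", *("    " + l for l in body), "next"]
        out.append("\n".join([f"config {section}", *("    " + l for l in body), "end"]))
    return "\n".join(out)
```

Entries under sections whose syntax changed between v5.2 and v5.4 (such as WLLB) will show up in the recipe too and still need to be rewritten by hand before pasting.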
srsiddiqui

Hi Ede,

 

So in short we have to flash format the device first and install 5.2.10; after that we can upgrade to 5.4.1 and later on to 5.4.10.

I have made changes in policy routes, policies, addresses & address groups.

sw2090
Honored Contributor

You don't need to flash format.

An `exec factory-reset` on the CLI will do a reset to factory defaults.

Then downgrade it to 5.2.10.

Then apply your 5.2.10 config backup.

Then upgrade to 5.4.10 according to the upgrade path specified in the Fortinet support portal.

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

srsiddiqui

Hi,

 

After the factory reset, I will only have to upload the firmware 5.2.10 from Firmware Management > Upload.

It will then downgrade the firmware from 5.4.1 to 5.2.10.

Correct me if I am wrong.

sw2090
Honored Contributor

Yes! Factory default does not require any upgrade paths.

Once you have installed 5.2.10 and reapplied your config you must follow the upgrade path to 5.4.xx in order not to corrupt your config.

You could also try to use FortiConverter to convert your config, but in my experience this doesn't work very well.

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

srsiddiqui

OK thanks, I will update you once I try this tonight.

ede_pfau

sw2090 says:

you don't need to flash format.

TAC says:

The current configuration which you have on the fortigate is corrupted as well. Hence, you will have to flash format the box. Install 5.2.10 and reload configuration of 5.2.10. Then you can go to firmware 5.4.1 following a proper upgrade path. Upgrade path information is present in the support portal.

@sw2090: sorry, you should have read the original post. This advice will lead the OP into trouble.


TAC suspects (and I do as well) that the filesystem on flash is corrupt, probably by wear and tear of the flash itself, with single cells failing.

The only remedy is to reformat the flash. All flash cells are tested and defective ones are excluded, then a new filesystem is created on top of this. Of course, this will erase all of the information stored: firmware, configuration, logs, certificates etc. You restore the firmware using the boot procedure (and a TFTP server) and then restore the saved backup copy of the old config.


From there, I would upgrade (following the recommended upgrade path, found in Support portal) up to v5.4.10 and re-configure the changes you've made in the last 3 weeks. Address objects, groups and policies can all be added without downtime.


In contrast, a factory reset just resets all settings to a default value. This will neither repair the filesystem nor test the hardware. You will run into just the same situation as before.

In the long run you should consider getting replacement hardware. I suspect that you activated logging to disk. The flash disk onboard is not suited for heavy logging. Each write operation will shorten the lifetime of the flash. Newer FGTs have SSDs which are suited for logging. IMHO, if you need detailed logs, get a FortiAnalyzer.

Keep current backups of your config. Either automatically (`config system global` - `set revision- enable`) onto flash, or on an external USB drive. And never skip the recommended upgrades if you are interested in a valid config.


Ede

"Kernel panic: Aiee, killing interrupt handler!"