67vwbug
New Contributor

Upgrade Fortigates 5.4.x -> 5.6.10/11 or 6.0.6

Greetings all,


We opened a case with Fortinet support on an IPsec VPN tunnel issue with a FortiGate 60E where the VPN tunnel goes down every 12 hours. They couldn't definitively find a root cause and have advised us to upgrade to a newer version of the firmware. This was a good reminder for us to work towards upgrading all of the FortiGates in our small fleet and do a better job of keeping them up to date going forward.


Current hardware and versions:

100D (active/passive HA pair) running 5.4.2

100D running 5.4.2

60E running 5.4.5 <- this is the one having the VPN issue

60E running 5.6.10


Questions:

1) Our original plan was to get all firewalls up to 5.6.10, however we noticed that when 5.6.11 was released the upgrade path changed dramatically. We are now wondering if it makes more sense to target the 6.0 train, specifically 6.0.6. We are currently reviewing release notes, but are there any major known issues running 6.0.6 in a production environment or any known issues with the below Fortinet recommended upgrade paths?


5.4.2 -> 5.4.4 -> 5.6.2 -> 5.6.6 -> 6.0.4 -> 6.0.6

5.4.5 -> 5.6.2 -> 5.6.6 -> 6.0.4 -> 6.0.6

5.6.10 -> 6.0.6


2) Any recommendations on the best way to upgrade an HA pair? This will be the first time upgrading this pair, and we want to do what we can to give us the best shot at a smooth upgrade and recovery if it goes south. We will be following the standard advice for all of our upgrades, such as keeping a copy of the config at each step, having each firmware version downloaded, allowing restoration of firmware/config from USB, and rebooting the firewalls prior to performing the first upgrade. Specifically for an HA pair, I recall reading about verifying that the firewalls are in sync and have found the commands to do so. Any other critical steps to take for upgrading a standalone or HA pair?


Thanks in advance!

Toshi_Esumi
Esteemed Contributor III

I keep warning everybody in this forum, but make sure you don't use zones that have the parent non-tagged interface and child VLAN sub-interfaces as members. Those VLAN interfaces would be thrown out of the zone when you upgrade 5.4.x to 5.6.0-5. If you do have them, find a path avoiding those versions.

hubertzw

Hi,


'Lesson learnt' from the last upgrade: verify that the flash on both cluster members is fine, not like this:


FW01 (global) $ diag sys flash list
Command fail. Return code -1
FW01 (global) $
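
A pre-flight check that folds together the two points raised in this thread, the HA sync verification the original post mentions and the flash listing hubertzw describes, as an added Python example that is not from the thread or from Fortinet. The member names, the `diagnose sys ha checksum cluster` layout and the `diag sys flash list` table in the sample strings are constructed approximations of the real output, so the regexes are assumptions to adjust against what your units actually print.

```python
import re
# Constructed samples (assumed formats, not copied from the thread): a checksum
# run on an in-sync pair, a healthy flash listing, and one failing like hubertzw's.
HA_CHECKSUM = """\
================== FG100D-A ==================
is_manage_master()=1, is_root_master()=1
checksum
all: c1 d2 e3 f4
================== FG100D-B ==================
is_manage_master()=0, is_root_master()=0
checksum
all: c1 d2 e3 f4
"""
FLASH_GOOD = """\
FW01 (global) $ diag sys flash list
Partition  Image                             TotalSize(KB)  Used(KB)  Use%  Active
1          FGT100D-5.04-FW-build1183-170412  253871         45123     18%   Yes
"""
FLASH_BAD = "FW02 (global) $ diag sys flash list\nCommand fail. Return code -1\n"
MEMBER_RE = re.compile(r"^=+\s*(\S+)\s*=+$", re.M)

def parse_ha_checksums(text):
    """Map each cluster member to the last 'all:' checksum in its section."""
    members = {}
    chunks = MEMBER_RE.split(text)  # ['', name1, body1, name2, body2, ...]
    for name, body in zip(chunks[1::2], chunks[2::2]):
        sums = re.findall(r"^all:\s*(.+?)\s*$", body, re.M)
        members[name] = sums[-1] if sums else None
    return members

def cluster_in_sync(text):
    """True only when two or more members report the same 'all:' checksum."""
    sums = parse_ha_checksums(text)
    return len(sums) >= 2 and None not in sums.values() and len(set(sums.values())) == 1

def flash_list_ok(text):
    """Flash is usable only if the command succeeded and listed a partition."""
    if "Command fail" in text:
        return False
    return re.search(r"^\d+\s+\S+.*\s(Yes|No)\s*$", text, re.M) is not None

def preflight(ha_text, flash_by_member):
    """Return blocking findings; an empty list means the upgrade can start."""
    findings = []
    if not cluster_in_sync(ha_text):
        findings.append("HA members do not share the same configuration checksum")
    for member, out in flash_by_member.items():
        if not flash_list_ok(out):
            findings.append(f"{member}: flash partition list unavailable or empty")
    return findings
```

Run `preflight` with the captured output of both members before each hop of the upgrade path; any finding is a reason to stop before touching firmware.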

67vwbug

@Toshi Esumi - We have tagged VLAN sub-interfaces, but we don't use zones.


@hubertzw - You mentioned not verifying the flash with the "diag sys flash list" command. Which command did you end up using, if you don't mind me asking?
