Restore boot firmware on FortiGate

Restore boot firmware on FortiGate

^{Created: 2021-01-27 01:30:57 | Last modified: 2021-01-27 03:35:34}
^{Access: Read}^{| Views: 240}^{| Rating: +1}^{| Tags: fortigate}
How to restore the boot image for a FortiGate

We had an issue with one of our FortiGate's where the boot image became corrupt and wouldn't boot correctly. We had to format the boot device and then load on a fresh copy of the firmware (we went straight to the highest point release of that release). To do this, we had to setup a TFTP server on a PC which was connected to the management port on the FortiGate. We kept the all of the defaults in the firmware loader inside the FortiGate and set the IP address on the network interface on the PC to 192.168.1.100. Here is the step by step procedure we took.

Setup the TFTP Server

If the boot device has been formatted or the firmware image becomes corrupt, here is the procedure to recover firmware onto a FortiGate device. The image is restored using a TFTP server, in this case we install it on a Windows device and use Open TFTP server

1) Download the TFTP server and install it on a desktop computer

2) Modify the Open TFTP Server Config,

Go into the directory C:\OpenTFTPServer (if that is where you installed it)
Create a directory called 'files' (without the speech marks)
Edit the INI file OpenTFTPServerMT.ini and specify where the home directory is (in this case it is C:\OpenTFTPServer\files)

3) Make sure you have an IP address assigned on your NIC, in this case it is 192.168.1.100 as it is the default for the FortiGate to download to

4) Now run the Stand Alone application

5) Copy the FortiGate firmware image to the files folder you created earlier and rename it to image.out (Renaming to image.out as that is the default filename the firmware loader looks for when applying the firmware)

6) We also had to turn off the Windows firewall as the download doesn't seem to work without doing this (remember to re-enable it once done)

Testing TFTP in Windows

Once the TFTP Serve is setup, you should test that it works from another machine. First you need to enable it on the computer you are using.

1) Go into the control panel => select Programs and Features => On the left hand side, click Turn Windows features on or off

2) Scroll down the TFTP Client and check the box and press OK

3) Once the client has been installed, you can test it with the following commands in Command Prompt

tftp -i [SERVER IP] [GET or PUT] [FILE PATH]

# Example
tftp -i 192.168.1.100 get image.out

Restore the FortiGate firmware

Here is how to recover the FortiGate firmware using the CLI. Connect to the FortiGate using a serial cable and with the serial bitrate settings as outlined below.

Baud Rate (bps): 9600
Data bits: 8
Parity: None
Stop bits:1
Flow Control: None

1) Insert the power into the FortiGate and press any key when you see the message

Please wait for OS to boot, or press any key to display configuration menu......

2) Enable the port to be used, this is the port you have your PC plugged into for the TFTP access. By default this should be the MGMT port on the Fortigate. But you can change this to the DMZ port by selecting C and then P.

3) Review the TFTP information to be used, select R to see this. In this case I am happy with the defaults, these can be changed by selecting C and following the menu there..

4) If you are happy with the above settings, type T to start the transfer. Once the transfer is complete, type D to save it s the default and then Y to confirm. Once the transfer has completed, the FortiGate will boot into this firmware