While most potential issues occur during the upgrade process, there are occasional ones that can occur when downgrading firmware.
Configuration Files
There are a few reasons why downgrading is looked at with some trepidation. Let’s use going from 5.2.3 to 5.0.12 as an example.
The number of potential pitfalls increases proportionally with the complexity of the configuration. More settings involved means more places for things to go wrong. The most important thing to take into account is that the configuration file is firmware version specific. It does not operate well with versions of the firmware that it was not written for. You cannot use a configuration file from 5.2.3 on a unit running 5.0.12.
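The version mismatch described above can be checked before a restore. The following is an added example, not code from the original page or from Fortinet: it assumes the backup's first line carries a `#config-version=<model>-<major>.<minor>-FW-build<build>-<date>` tag, and the model, build numbers and sample file are constructed.

```python
import re
from typing import NamedTuple

# Assumed layout of a backup's first line (an assumption, not taken from the page):
#   #config-version=<MODEL>-<MAJOR>.<MINOR>-FW-build<BUILD>-<DATE>:opmode=...
HEADER_RE = re.compile(
    r"^#config-version=(?P<model>[A-Za-z0-9_]+)-(?P<major>\d+)\.(?P<minor>\d+)"
    r"-FW-build(?P<build>\d+)-\d+"
)

class ConfigVersion(NamedTuple):
    model: str
    major: int
    minor: int
    build: int

def parse_header(config_text: str) -> ConfigVersion:
    """Read the version tag from the first line of a configuration backup."""
    lines = config_text.lstrip("\ufeff").splitlines()
    m = HEADER_RE.match(lines[0] if lines else "")
    if m is None:
        raise ValueError("no #config-version header on the first line")
    return ConfigVersion(m["model"], int(m["major"]), int(m["minor"]), int(m["build"]))

def restore_problems(config_text: str, unit: ConfigVersion) -> list[str]:
    """Return reasons not to restore this file on the unit; empty means it matches."""
    cfg = parse_header(config_text)
    problems = []
    if cfg.model != unit.model:
        problems.append(f"model differs: file {cfg.model}, unit {unit.model}")
    if (cfg.major, cfg.minor) != (unit.major, unit.minor):
        problems.append(f"release differs: file {cfg.major}.{cfg.minor}, "
                        f"unit {unit.major}.{unit.minor}")
    elif cfg.build != unit.build:
        side = "newer" if cfg.build > unit.build else "older"
        problems.append(f"build differs: file build {cfg.build} is {side} "
                        f"than unit build {unit.build}")
    return problems

# Constructed sample backup; the build number and date are placeholders.
SAMPLE = (
    "#config-version=FGT60D-5.02-FW-build9999-150101:opmode=0:vdom=0:user=admin\n"
    "config system global\n    set hostname \"lab\"\nend\n"
)

if __name__ == "__main__":
    downgraded_unit = ConfigVersion("FGT60D", 5, 0, 1111)  # constructed values
    for reason in restore_problems(SAMPLE, downgraded_unit):
        print("do not restore:", reason)
```

A matching header only rules out the cross-version case; it does not detect commands left in outdated syntax by a skipped step in the upgrade path.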
If you are planning to downgrade and then upgrade to the current firmware version to fix an issue, chances are that somewhere along the upgrade process something was missed or broken. The more likely scenario is that the issue may not be with the firmware you are running, but with something in the configuration file.
A configuration file is essentially a series of CLI commands that the firmware runs each time the unit is powered on. If there is a syntax error in those commands, the firmware may not behave as intended.
During an upgrade, there is a background process that takes the existing configuration file and changes any commands and settings to comply with the syntax of the new firmware. Skipping a firmware version that should have been part of the upgrade path means that the syntax of one or more commands didn’t get updated to work with the current firmware.
Example:
1. You downgrade the firmware from 5.2.3 to 5.0.12.
2. You throw in a factoryreset command to get a nice clean config file.
3. You then go through the supported upgrade path to 5.2.3.
4. You install the config file saved from the FortiGate when the firmware was 5.2.3.
5. The result is that you end up with the same issue because of the syntax issues that are still present in the configuration file.
The bad news is that you may need to rebuild your configuration from the ground up. The good news is that you may not have to downgrade and then upgrade. You can start with the firmware already installed. Depending on the issue, you might be able to get away with a simple factory reset, which will give you a brand new configuration file, and then just start customizing your configuration.
If you are comfortable in the CLI, you could use some techniques found in the SysAdmin Note http://cookbook.fortinet.com/t… to cut and paste portions of the existing configuration file into the new one. At some point, you are likely to come across an error as the firmware determines that the syntax is somehow wrong and then you will have to set up that portion of the configuration from scratch.
Generational incompatibility
Fortinet will sometimes produce different generations of the same model of a device. Ideally, the firmware should not be downgraded to a version earlier than what it came with from the factory.
Example: The FortiGate 3600C generation 3 came with a new NPU DDR chip that the first and second generations of the model did not have. The Support site has a firmware version 5.0.2 for the FortiGate 3600C. This would have been for the first generation of the model, but the third generation of the model will not properly run this version of the firmware.