This article describes how FortiGate handles backup images when upgrading and naming images in FortiOS.
Scope
FortiOS.
Solution
FortiGate will keep a backup image when performing an upgrade or downgrade, in case any rollback action is required.
The below command can verify the current firmware version partition is active which means currently running.
Name of partition listed in FortiOS.
The naming of FortiOS are bit different from the command diagnose sys flash list.
As the above image shows, the listed result will be similar to FGT40F-7.0.2-FW-build1639-240313. It is often doubtful to seev7.0.2 if running the command get system status | grep Version, when expecting version v7.2.8 under the firmware partition.
This is due to the different naming of images, navigate to the FortiCloud image download page, and when images are under the download page, start with v7.0 for every 7.x versions, v7.4.x / v7.2.x / v7.0.x. They all will be listed under v7.00 which is the major version.
FGT40F-7.0.2-FW-build1639-240313
The above naming of the image can be read in 2 parts to understand which firmware version of this partition.
v7.0.2: on the major v7.0 (first two digits) and .2 (last digits) means this partition will be v7.2.x. To confirm what exactly the version is, have a look at the build number ‘build1639’.
The build number can be found in the download list as well, build number 1639 also helped to identify that this partition is on v7.2.8.
Below is the backup image partition FGT40F-7.0.2-FW-build1577-240131.
On the major version v7.0 (first two digits) and .2 (last digits) means this partition will be v7.2.x and the build number can be found below which means the backup partition image will be on v7.2.7.
The build number can also be found in the upgrade tools:
Upgrade Path Tool Table
Behaviour of backup image how FortiGate will handle backup image when upgrade/ downgrade.
FortiGate will always keep the current running partition (FortiOS version) as the backup image before upgrading or downgrading.
In the example, it is running the v7.2.8 for the current FortiGate as the below screenshot:
The current partition on FortiGate before any upgrade will be v7.2.8 as active and v7.2.7 as backup.
It has been upgraded the firmware version to v7.4.4. FortiGate will use v7.0.2-Build 1639 (v7.2.8) as a backup image (Last column Active=No) and keep v7.0.4(Version v7.4.4) as the primary image on Firewall (Last column Active=Yes).
Build name for v7.4.4 as below.
When downgrading the firmware version from v7.4.4 to v7.2.8, FortiGate will use v7.4.4 as the back image and v7.2.8 as the primary partition for running the operating system.
In conclusion, FortiGate will always keep destination firmware (Upgrade/downgrade) as an active partition. The backup firmware will always be the firmware version before the upgrade/downgrade. Backup firmware will only be available for physical FortiGate. FortiGate-VM &and Cloud FortiGate-VM do not have a dual boot option.