Upgrading FortiGate to FortiOS 7.4.2 Without an Active Support Contract

Standard upgrade and downgrade methods are blocked, but workarounds such as booting from the secondary partition or reinstalling via TFTP allow reverting to earlier versions.

Introduction

FortiOS 7.4.2 introduces new firmware upgrade restrictions for FortiGate devices without an active support contract, as outlined in the FortiOS 7.4 “New Features” Guide. This document explains the limitations, observed behaviors, and available workarounds for upgrading or downgrading FortiGate devices running FortiOS 7.4.2 without a valid support contract.

Firmware Upgrade and Downgrade Restrictions

FortiOS 7.4.2 imposes the following restrictions on FortiGate devices with expired support contracts:

  • Upgrades to Major or Minor Releases: Upgrades to higher major or minor versions (e.g., from 7.4 to 7.6 or 8.0) are not permitted.

  • Upgrades Within Minor Releases: Upgrades to higher patch builds within the same minor release (e.g., from 7.4.2 to 7.4.3) are blocked.

  • Downgrades: Downgrades to any previous version, including earlier patch builds (e.g., from 7.4.2 to 7.4.1), are not allowed via standard methods.

Testing Observations

Testing via the WebUI (System > Firmware & Registration) and CLI (exec restore image) confirmed that downgrades are blocked. Upgrades to higher patch builds (e.g., 7.4.3) are also restricted for devices without an active support contract.

Workarounds for Downgrading

To downgrade a FortiGate running FortiOS 7.4.2 without a support contract, use one of the following methods:

  1. Boot from Secondary Partition:

    • Set the device to boot from the secondary partition:

      # exec set-next-reboot secondary
# exec reboot

    • This allows the device to boot into the firmware version stored in the secondary partition if it contains an earlier version.

  2. Format and Reinstall via TFTP:

    • Format the boot device and upload a new firmware image using TFTP to install an earlier version.

Example Scenarios

Scenario 1: Downgrade and Configuration Restore

  • Device: FG140E-PoE running FortiOS 7.4.2, expired support contract.

  • Steps:

    1. Create a configuration backup on 7.4.2.

    2. Boot to the secondary partition running 7.4.1.

    3. Upgrade to 7.4.4 (if permitted by other conditions).

    4. Restore the 7.4.2 configuration backup.

  • Result: The device runs 7.4.4 with the 7.4.2 configuration, while the secondary partition remains on 7.4.1.

Scenario 2: Update with Primary and Secondary Partitions

  • Device: FortiGate running 7.4.1 (Build 2463-230830) on the primary partition.

  • Steps:

    1. Set the device to boot from the primary partition:

      # exec set-next-reboot primary
# exec reboot

    2. Perform the update.

  • Result: The update is applied to the secondary partition, preserving the primary partition’s 7.4.1 firmware.

Conclusion

FortiOS 7.4.2 enforces strict firmware upgrade and downgrade restrictions for FortiGate devices without an active support contract. Standard upgrade and downgrade methods are blocked, but workarounds such as booting from the secondary partition or reinstalling via TFTP allow reverting to earlier versions. Administrators should carefully plan firmware changes and maintain configuration backups to ensure operational continuity.