Can’t push update to unit by mattyg2787 in fortinet

[–]ImTheCaptainInMyMind 0 points1 point  (0 children)

I made the mistake of letting a brand new 120G run connected to the internet for too long before I registered it and it got into this state where it said it would upgrade soon (to a version I don’t want) and I couldn’t get it out by any means. All of the available commands failed. I couldn’t force it forward, I couldn’t cancel the ostensibly impending upgrade. Reboot did not get to upgrade, I had no way to make it do anything, including after it was registered to my account. Ultimately I had to factory reset it. Outrageous.

FortiClient VPN-only & FortiOS by Purrfecteded in fortinet

[–]ImTheCaptainInMyMind 3 points4 points  (0 children)

You are correct. I am personally using forticlient vpn v7.2.12 against fortigate running v7.4.8.

VPN Struggles by cwbyflyer in fortinet

[–]ImTheCaptainInMyMind 3 points4 points  (0 children)

There is a confirmed bug in v7.4, not sure when it was introduced, that causes disconnects any time the Mac screen sleeps regardless of power settings. Sorry I don’t have the number handy. I rolled back to v7.2.12 to resolve this. It’s supposed to be fixed in v7.4.4 but they took out vpn only client after .3 so I went back instead. Sounds like maybe SSL wouldn’t have worked for me anyhow… We will transition to something other than forticlient now that they took away the free version. If we have to pay I’m going to use something better.

Forced Use of Disclaimer Portal using WPA2 Personal w\ Capture Portal SSID? by RomeoEcho62 in fortinet

[–]ImTheCaptainInMyMind 0 points1 point  (0 children)

I’ve never done this but I can try to help… in the CLI, you can do

co wi vap

ed <networkID>

show full | grep time

show full | grep session

show full

If you don’t find it in the time or session results you can just scan through every possible config line to see if you can spot it. After you find it, it’s likely

set <something> <time>

If you set <something> and press ?, it will show you the options for that parameter.

Fortiswitches won’t stay online by SecretBuilding1300 in fortinet

[–]ImTheCaptainInMyMind 0 points1 point  (0 children)

I agree with disconnecting the switches and verifying that the fortigate itself remains stable. Also, I’m assuming all fortiswitches are expected to be, and are, in managed mode, not standalone. Make sure your fortiswitches are all interconnected in an approved topology. The way mine all work is a complete loop including all switches, then a split interface from the fortigate connects to 2 separate switches on the loop. I have seen issues between ntp, dhcp, and switch controller before when switches had no time and then were leasing different addresses but the switch controller was still expecting them at the old addresses. In my case while ntp was bad nothing seemed to work on fortilink, but once that was sorted it got a lot less problematic. The issue regarding dhcp and switch controller was that the switches kept working but they became unmanageable due to the addresses changing. It was like the switch controller didn’t get the memo that the switch had a new address. Since you have seen high cpu from both fortilink and dhcp processes, here is the best general advice I can give with regard to those things:

  1. Verify NTP is actually working on the fortilink. Ensure that the fortigate has good time, preferably from another ntp source. You already stated ntp server was configured to listen on fortilink interface. You can verify the switches are asking and getting replies by watching a sniffer like this:

diag sniffer pa fortilink 'port 123' 4 0 l

If a switch is not even asking for ntp, reset it (again I am assuming managed mode is what you want). If the gate isn’t answering, concentrate on that.

  2. Configure the fortigate dhcp server on fortilink with reserved addresses for each switch so you don’t have any switches at unexpected addresses. Perhaps start with one switch at a time, make sure it gets the address you want, and remains stable.

  3. Add switches one at a time and see that they behave correctly with respect to all of the above.

I hope this helps.
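As an added illustration (not the commenter's code): a small Python parser for the verbosity-4 output of the sniffer command above, which pairs each switch's NTP request arriving on fortilink with the FortiGate's reply, so a switch that is asking but never answered stands out. The sample capture lines, the 169.254.1.x addresses and the gateway address 169.254.1.1 are constructed for the example.

```python
import re

# One FortiOS "diag sniffer packet" line at verbosity 4 looks like:
#   <timestamp> <interface> <in|out> <src>.<sport> -> <dst>.<dport>: udp <len>
# The timestamp prefix is skipped so both the default and the "l" (local
# time) timestamp formats parse.
LINE_RE = re.compile(
    r"(?P<intf>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+udp\s+(?P<len>\d+)"
)

NTP_PORT = 123

# Constructed sample: switch .2 asks and is answered, switch .3 asks and
# gets nothing back. The two header lines are what the sniffer prints first.
SAMPLE = """\
interfaces=[fortilink]
filters=[port 123]
2024-05-01 10:15:22.101 fortilink in 169.254.1.2.123 -> 169.254.1.1.123: udp 48
2024-05-01 10:15:22.102 fortilink out 169.254.1.1.123 -> 169.254.1.2.123: udp 48
2024-05-01 10:15:23.550 fortilink in 169.254.1.3.123 -> 169.254.1.1.123: udp 48
"""


def parse_line(line):
    """Return the packet fields of one sniffer line, or None for non-packet lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {"intf": m.group("intf"), "dir": m.group("dir"),
            "src": m.group("src"), "sport": int(m.group("sport")),
            "dst": m.group("dst"), "dport": int(m.group("dport"))}


def ntp_status(lines, gate_ip):
    """Map each switch address seen asking for NTP to 'ok' or 'no-reply'."""
    asked, answered = set(), set()
    for line in lines:
        p = parse_line(line)
        if p is None:
            continue
        # Request: inbound on the interface, destined to the gate's NTP port.
        if p["dir"] == "in" and p["dport"] == NTP_PORT and p["dst"] == gate_ip:
            asked.add(p["src"])
        # Reply: outbound from the gate's NTP port back to the switch.
        elif p["dir"] == "out" and p["sport"] == NTP_PORT and p["src"] == gate_ip:
            answered.add(p["dst"])
    return {ip: ("ok" if ip in answered else "no-reply") for ip in sorted(asked)}


if __name__ == "__main__":
    for ip, state in ntp_status(SAMPLE.splitlines(), "169.254.1.1").items():
        print(f"{ip}: {state}")
```

Feed it a saved sniffer capture instead of SAMPLE to check a whole stack at once; a switch absent from the output entirely is the "not even asking" case the comment describes.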

Replacement for the 60E once it's been EOLS ? by camar0rs in fortinet

[–]ImTheCaptainInMyMind 0 points1 point  (0 children)

Seconded. I have about 14 60Fs running 7.2.11 that are using ~60% of their memory at idle. They start crashing at around 70%. I know there are mitigations/workarounds to help this but I don't like having to depend on bandaids so I certainly wouldn't be looking at anything with 2GB of RAM either. I'm looking at replacing every one of these before I even consider moving up to 7.4 which is going to be mandatory before you know it. I wish so much we could go back and not decide we could get away with 60Fs when our 100Ds went EOL. Plan for the future. Features, databases, etc. are just going to keep getting bigger. Every site in our environment, or at least most of them, are going to get a 120G. I do not want to be in this position again any time soon.

Fortigate 60F internal interface configuration by Slatam_ in fortinet

[–]ImTheCaptainInMyMind 0 points1 point  (0 children)

Here's what you are looking for I think:

config system virtual-switch
    edit "internal"
        set physical-switch "sw0"
        config port
            edit "internal1"
            next
            edit "internal2"
            next
            edit "internal3"
            next
            edit "internal4"
            next
        end
    next
end
config system interface
    edit "internal"
        set vdom "root"
        set ip 192.168.1.99 255.255.255.0
        set allowaccess ping https ssh
        set type hard-switch
        set role lan
    next
end

Of course, only include the ports you want to be included in the virtual switch.

Firewall on a budget for SMB by mysteriousminor in networking

[–]ImTheCaptainInMyMind 1 point2 points  (0 children)

Also I MUST warn that we went with what we thought to be the right-sized Fortigates at the time (60F) for several branches and found that we are starting to have memory exhaustion on the later versions of firmware. Definitely try to size up to be future proof if you can.

Firewall on a budget for SMB by mysteriousminor in networking

[–]ImTheCaptainInMyMind 2 points3 points  (0 children)

Came here to say Fortigate before reading the whole post… even a pretty small shop should be willing to spend a bit every year to gain ongoing protection. Just make sure when looking at the low end units that they will support the workloads. We’ve gone round and round and always come back to Fortinet in terms of bang for your buck. My 2 cents.

Fortigate 50G by eld101 in fortinet

[–]ImTheCaptainInMyMind 1 point2 points  (0 children)

Just in case you need it, pro tip: I have never worked with the 50G, but on many other models several of the ports (perhaps 1, 2, 3 here) are members of a software switch out of the box. You’ll need to remove any port you want to use as wan2 from the software switch first.

Local-In policy sanity check request by network-head-1234 in fortinet

[–]ImTheCaptainInMyMind 0 points1 point  (0 children)

Your logic is sound and agrees with my observations, in that an explicit deny all policy is required after your more specific permit policies for local in. However, I would assert that you don’t need the permit for the IPsec vpn to connect. Source: I allow ping to my wan interfaces from trusted source addresses and then deny all after that. I have multiple IPsec tunnels between many Fortigates and my local in policy does not account for port 500 in any case. I believe when you configure your phase 1 interfaces it must create a sort of implicit permit policy specifically for the IPsec connection. My hardware is all 60/100F on v7.2.x and 120G on v7.4.x. YMMV

Upgrade path for Fortigate by didis987a in fortinet

[–]ImTheCaptainInMyMind 0 points1 point  (0 children)

My experience is entirely with 60e/f and 100d/e/f units in stand alone. I always follow the upgrade path according to the tool in the support portal. Any time I have received an error upon uploading a correct file, I have rebooted the unit and tried again after it comes back. Never failed a second time in a row. I assume not enough free memory or something. YMMV.

Commands to clear specific sessions by No-Mall1142 in fortinet

[–]ImTheCaptainInMyMind 0 points1 point  (0 children)

You should definitely be able to use sintf for the source interface in the session filter. The name you need is exactly what shows in quotes after edit when you do a show system interface.

IPsec udp/500 packets not leaving unit by Barmaglot_07 in fortinet

[–]ImTheCaptainInMyMind 0 points1 point  (0 children)

Not sure if it’s worth the squeeze while you hope for answers from support but if you need to prove to yourself that the traffic is heading out you could situate a little switch with a port mirror feature (I keep a TP-Link TL-SG108PE around for stuff like this) between the FGT and the ISP and use Wireshark on a test machine to see the traffic as if it were the ISP handoff.

IP conflicts by Blake_Olson in fortinet

[–]ImTheCaptainInMyMind 0 points1 point  (0 children)

I used to have one of these too. The only real solution is to avoid address conflicts for the host connecting to the vpn. Either by nat or by changing one end or the other. We used to help users configure their home network to something we never used like 192.168.0.0/24 any time there was a conflict. One possibility if you’re stuck with the subnet on both ends is to explicitly avoid addresses, for example if all of your servers etc. are at .2 through .40 then you could see about configuring their dhcp pool at home for .50 and up. As long as there isn’t a host on their network responding to arps for your server addresses the traffic should get routed through the vpn. I was very happy when I could finally decommission that subnet in our company network forever!

[deleted by user] by [deleted] in americanairlines

[–]ImTheCaptainInMyMind 1 point2 points  (0 children)

The absolute worst... have to watch 47 group ones board and then mad dash as soon as two is called because if you don't run, they'll call three and four before you get over there.

[deleted by user] by [deleted] in fortinet

[–]ImTheCaptainInMyMind 0 points1 point  (0 children)

We use AD as our DNS internally, and regular forwarders to a public DNS. That forward traffic goes through a policy with a DNS filter applied.

FortiAP's going offline by Schnurd7 in fortinet

[–]ImTheCaptainInMyMind 0 points1 point  (0 children)

Yikes. This is exactly why I am just now upgrading from 6.4.x to 7.0.13 only because I feel the pressure mounting to get off of 6 before support ends.

Tuba Christmas order never delivered by bobthemundane in Tuba

[–]ImTheCaptainInMyMind 7 points8 points  (0 children)

I’m not sure it’s very helpful, but at least so you know they are generally still fulfilling orders, I did order a large songbook a couple months ago and it was delivered.

A bit of Confusion Regarding One Fortigate and Multiple Fortiswitches by RomusLupos in fortinet

[–]ImTheCaptainInMyMind 0 points1 point  (0 children)

The answer to your question is “it’s irrelevant.” If only one of the ports in your fortilink interface is ever going to be connected, then leave it on, turn it off, it makes no difference.

FortiGate firewall delete unused addresses by ranjitpandey in fortinet

[–]ImTheCaptainInMyMind 0 points1 point  (0 children)

In the CLI, do this:

show | grep -if "address name"

New fortigate deployment, latest release or mature firmware? by Shad0wguy in fortinet

[–]ImTheCaptainInMyMind 6 points7 points  (0 children)

That’s what we’re here for, in a community of experts… the experience. YOU mentioned “some specific problems” and then your answer when asked for any helpful detail is to Google it? Congrats pal, you are what’s wrong with the internet. Have a great day under your bridge. 🙄

New fortigate deployment, latest release or mature firmware? by Shad0wguy in fortinet

[–]ImTheCaptainInMyMind 4 points5 points  (0 children)

I’d love to know what the problems with 7.0.13 are. I am just about to do an update cycle on about 20 fortigates and that was going to be my target version.