
Roll Back a Firmware Upgrade

Symptom: after a firmware upgrade the system misbehaves (boot loop, broken features, performance regression) and you need to roll back.

Option 1: Switch Boot Partition (Easiest)

FortiGate has two firmware slots. The previous version stays in the inactive slot until the next upgrade overwrites it.

# Check current partitions:
get system status
# Look for "Image build", "Last reboot reason", and which partition is active.

# Switch to the other partition:
execute set-next-reboot primary    # or secondary, whichever holds the OLDER version
execute reboot

After reboot, you're on the old firmware again.

Option 2: Restore from Pre-Upgrade Backup

If you took a backup before upgrading:

  1. Get the system to boot somehow (even if it is buggy).
  2. Restore the config: see Back Up and Restore Configuration.
  3. Note: this restores CONFIG, not firmware. Use Option 1 to roll back firmware.

Option 3: TFTP Recovery (Worst Case)

When the FortiGate is bricked, boot-loops, or doesn't respond:

  1. Connect a console cable.
  2. Have a TFTP server reachable on the same network with the OLD firmware .out file.
  3. Power-cycle the FortiGate.
  4. During boot, press any key when prompted to enter the boot menu.
  5. Select the TFTP firmware load option.
  6. Enter the TFTP server IP and the firmware filename.
  7. The FortiGate downloads and installs the firmware.
  8. It reboots into the recovered firmware.
  9. Restore the config from backup.

This procedure works for any model that supports console TFTP recovery (most do).

Option 4: USB Recovery

Some newer models support recovery from a USB stick:

  1. Format the USB stick as FAT32.
  2. Copy the old firmware .out file to the root of the stick.
  3. Plug it into the FortiGate USB port.
  4. Reboot and select the USB load option in the boot menu.

After Rollback

  • Verify firmware version: get system status.
  • Test critical functions: routing, policies, VPN, admin GUI.
  • Re-activate licenses if needed: System → FortiGuard → Update licenses now.
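
The version check above can be scripted so a rollback that booted the wrong slot is caught immediately. The following is an added example, not part of the original page or any Fortinet tooling: it parses saved `get system status` output and classifies the result. The layout of the Version line, the function names and the sample output are assumptions constructed for illustration.

```python
import re

# Assumption: the Version line of `get system status` looks like
#   Version: FortiGate-60F v7.0.12,build0523,230606 (GA.M)
VERSION_RE = re.compile(
    r"^Version:\s+(?P<model>\S+)\s+v(?P<ver>\d+(?:\.\d+){2}),build(?P<build>\d+)",
    re.MULTILINE,
)


def as_tuple(version):
    """'7.0.12' or 'v7.0.12' -> (7, 0, 12), so comparisons ignore formatting."""
    return tuple(int(part) for part in version.lstrip("v").split("."))


def parse_version(status_output):
    """Return (model, version tuple, build string), or None if no Version line."""
    m = VERSION_RE.search(status_output)
    if m is None:
        return None
    return m.group("model"), as_tuple(m.group("ver")), m.group("build")


def check_rollback(status_output, expected_old, failed_new):
    """Classify the running firmware after a rollback attempt."""
    parsed = parse_version(status_output)
    if parsed is None:
        return "unknown: no Version line in output"
    _, running, build = parsed
    shown = ".".join(map(str, running))
    if running == as_tuple(expected_old):
        return f"ok: running {shown} build {build}"
    if running == as_tuple(failed_new):
        # Typical cause: set-next-reboot pointed at the slot with the NEW image.
        return f"not rolled back: still on {shown}"
    return f"unexpected: running {shown}, expected {expected_old}"


# Constructed sample output, not captured from a real device.
SAMPLE_ROLLED_BACK = (
    "Version: FortiGate-60F v7.0.12,build0523,230606 (GA.M)\n"
    "Serial-Number: FGT60FTK00000000\n"
    "Hostname: fw-lab\n"
)
SAMPLE_STILL_NEW = SAMPLE_ROLLED_BACK.replace("v7.0.12,build0523", "v7.2.5,build1517")

if __name__ == "__main__":
    print(check_rollback(SAMPLE_ROLLED_BACK, "7.0.12", "7.2.5"))
    print(check_rollback(SAMPLE_STILL_NEW, "7.0.12", "7.2.5"))
```

A "not rolled back" result after Option 1 usually means the other partition should have been selected.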

Why Did It Fail?

Before re-attempting the upgrade:

  • Read the release notes for known issues with your model.
  • Verify the supported upgrade path (you may need an intermediate version).
  • Test the new firmware on a non-production FortiGate first if possible.