Fortinet Enable unsigned firmware

When working with Fortinet Support, you may sometimes receive a special debug firmware image for troubleshooting a specific issue.

These debug builds are not always handled the same way as normal GA firmware images. In some cases, the FortiGate bootloader may reject the image or fail the firmware validation process unless the bootloader security level is lowered.

This guide explains how to access the FortiGate bootloader menu and change the firmware security level before installing or booting a debug firmware image provided by Fortinet Support.

When is this needed?

This procedure is typically only relevant when Fortinet TAC or Fortinet Support provides a special debug firmware image and instructs you to use it.

You may need this if:

  • Fortinet has provided a debug firmware build
  • The appliance refuses to boot the debug image
  • Firmware validation fails during boot
  • TAC asks you to lower the firmware image validation level
  • You are recovering or testing a FortiGate using TFTP firmware transfer

This should not be used as a normal firmware upgrade procedure.

Important warning

Only change this setting when instructed by Fortinet Support.

Lowering the firmware security level reduces how strictly the FortiGate bootloader validates the firmware image. At the lower levels an image that fails the check may still be booted, so the bootloader no longer guarantees that what runs is a validated Fortinet release. This is useful for some debug images, but it should not be left relaxed in production environments.

Before lowering the level, note the value currently configured (it is shown in brackets at the security level prompt) and verify the debug image against the checksum Fortinet Support provided with it (ask for one if none was given). With bootloader validation relaxed, that out-of-band check is your only assurance that you are installing the image Support intended.

After troubleshooting is completed, return the appliance to the security level you recorded, or to the level recommended by Fortinet, and reinstall a normal signed GA firmware release.

Accessing the FortiGate boot menu

Connect to the FortiGate using a serial console.

Reboot the FortiGate.

During boot, you will see the following prompt:

Please wait for OS to boot, or press any key to display configuration menu..

Press any key to enter the bootloader menu.

You should then see:

[C]: Configure TFTP parameters.
[R]: Review TFTP parameters.
[T]: Initiate TFTP firmware transfer.
[F]: Format boot device.
[I]: System information.
[B]: Boot with backup firmware and set as default.
[Q]: Quit menu and continue to boot.
[H]: Display this list of options.

Enter C,R,T,F,I,B,Q,or H:

Open the system information menu

From the boot menu, select:

I

This opens the system information menu:

[S]:  Set serial port baudrate.
[R]:  Set restricted mode.
[T]:  Set menu timeout.
[U]:  Set security level.
[C]:  Set FortiCare registration.
[I]:  Display system information.
[E]:  Reset system configuration.
[P]:  Normal POST test.
[Q]:  Quit this menu.
[H]:  Display this list of options.

Enter S,R,T,U,C,I,E,P,Q,or H:

Change the firmware security level

Select:

U

You will then see the available security levels:

[0]: Level 0 - Check image silently
[1]: Level 1 - Check image with result only
[2]: Level 2 - Check image and reinforce validity

Enter security level setting [1]:

Security level options

Level 0

[0]: Level 0 - Check image silently

This is the lowest of the three validation levels. As the menu text says, the bootloader still checks the image, but it does so silently: no validation result is shown on the console. None of the three levels skips the check entirely.

Use this only if Fortinet Support specifically instructs you to lower firmware validation for a debug image.

Level 1

[1]: Level 1 - Check image with result only

The bootloader checks the firmware image and displays the validation result on the console.

This is often the default setting (it is the value shown in brackets at the prompt in the transcript above) and may still allow some debug firmware images, depending on the appliance model and firmware build.

Level 2

[2]: Level 2 - Check image and reinforce validity

This is the strictest level: the bootloader checks the image and enforces the result.

If a debug firmware image fails validation, this level may prevent the image from booting, which is why Fortinet Support may ask you to lower it for the duration of the troubleshooting.

Example: setting security level to 1

In this example, the FortiGate is configured to use security level 1:

[0]: Level 0 - Check image silently
[1]: Level 1 - Check image with result only
[2]: Level 2 - Check image and reinforce validity

Enter security level setting [1]: 1

This means the FortiGate will check the image and display the result, but it will not use the strictest validation mode.
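The whole procedure above (interrupt the boot, [I], [U], enter the level, [Q] back out), as an added example that is not part of the original article and is not Fortinet code. It drives the bootloader menu over a serial console using the prompts shown in the transcripts on this page, and it returns the previously configured level so the same function can restore it once troubleshooting is done. The console object is any transport with read_until() and write(), such as pyserial's serial.Serial; FakeConsole is a constructed stand-in that replays the page's menus so the script runs offline. That menu keys need no Enter while the level value is sent with a carriage return, and the serial port name and timeout in the comment, are assumptions.

```python
"""Drive the FortiGate bootloader menu to change the firmware security level.

Added example, not Fortinet code. `console` is anything with read_until() and
write() (pyserial's serial.Serial fits); FakeConsole is a constructed stand-in
that replays the menus shown on this page so the script runs offline.
Assumption: menu keys need no Enter, the level value is sent with a CR."""
import re

MAIN_PROMPT = b"Enter C,R,T,F,I,B,Q,or H:"
SYSINFO_PROMPT = b"Enter S,R,T,U,C,I,E,P,Q,or H:"
LEVEL_PROMPT = b"Enter security level setting ["
LEVEL_RE = re.compile(rb"Enter security level setting \[(\d)\]:")

# Abbreviated menu text (constructed from the transcripts on this page).
BOOT_BANNER = (b"Please wait for OS to boot, or press any key to display "
               b"configuration menu..\r\n")
MAIN_MENU = (b"\r\n[I]: System information.\r\n"
             b"[Q]: Quit menu and continue to boot.\r\n" + MAIN_PROMPT)
SYSINFO_MENU = (b"\r\n[U]: Set security level.\r\n"
                b"[Q]: Quit this menu.\r\n" + SYSINFO_PROMPT)
LEVEL_MENU = (b"\r\n[0]: Level 0 - Check image silently\r\n"
              b"[1]: Level 1 - Check image with result only\r\n"
              b"[2]: Level 2 - Check image and reinforce validity\r\n\r\n"
              b"Enter security level setting [%d]:")


class FakeConsole:
    """Minimal emulation of the bootloader's menu state machine."""

    def __init__(self, level=1):
        self.level = level        # security level the 'appliance' has stored
        self.history = []         # every level value that was written to it
        self.state = "boot"
        self.out = BOOT_BANNER

    def write(self, data):
        key = data.rstrip(b"\r\n")
        if self.state == "boot":                   # any key opens the menu
            self.state, self.out = "main", self.out + MAIN_MENU
        elif self.state == "main":
            if key == b"I":
                self.state, self.out = "sysinfo", self.out + SYSINFO_MENU
            elif key == b"Q":
                self.state, self.out = "booting", self.out + b"\r\nBooting..."
            else:                                  # [H] or an unknown key
                self.out += MAIN_MENU
        elif self.state == "sysinfo":
            if key == b"U":
                self.state, self.out = "level", self.out + LEVEL_MENU % self.level
            elif key == b"Q":
                self.state, self.out = "main", self.out + MAIN_MENU
            else:
                self.out += SYSINFO_MENU
        elif self.state == "level":
            if key in (b"0", b"1", b"2"):
                self.level = int(key)
                self.history.append(self.level)
            self.state, self.out = "sysinfo", self.out + SYSINFO_MENU
        return len(data)

    def read_until(self, expected):
        """Like serial.Serial.read_until: data through `expected`, or whatever
        is buffered if it never arrives (a timeout on real hardware)."""
        idx = self.out.find(expected)
        end = len(self.out) if idx < 0 else idx + len(expected)
        chunk, self.out = self.out[:end], self.out[end:]
        return chunk


def enter_boot_menu(console):
    """Interrupt the boot countdown and wait for the main menu prompt."""
    console.read_until(b"configuration menu..")
    console.write(b"\r")                           # "press any key"
    if not console.read_until(MAIN_PROMPT).endswith(MAIN_PROMPT):
        raise RuntimeError("bootloader main menu did not appear")


def set_security_level(console, level):
    """From the main menu: [I] -> [U] -> <level> -> [Q] back to the main menu.
    Returns the level configured before the change (the bracketed value in
    the prompt) so the caller can restore it after troubleshooting."""
    if level not in (0, 1, 2):
        raise ValueError("the bootloader offers levels 0, 1 and 2 only")
    console.write(b"I")
    console.read_until(SYSINFO_PROMPT)
    console.write(b"U")
    prompt = console.read_until(LEVEL_PROMPT) + console.read_until(b"]:")
    match = LEVEL_RE.search(prompt)
    if not match:
        raise RuntimeError("security level prompt not recognised")
    previous = int(match.group(1))
    console.write(b"%d\r" % level)
    console.read_until(SYSINFO_PROMPT)
    console.write(b"Q")                            # [Q]: Quit this menu
    console.read_until(MAIN_PROMPT)
    return previous


if __name__ == "__main__":
    # Real hardware (assumed port/timeout): serial.Serial("/dev/ttyUSB0", timeout=5)
    console = FakeConsole(level=1)
    enter_boot_menu(console)
    before = set_security_level(console, 0)        # lower it for the debug image
    print("level was", before, "now", console.level)
    set_security_level(console, before)            # the restore step, afterwards
    console.write(b"Q")                            # continue to boot
```

Keep the value set_security_level() returns from the first run: it is the level you have to hand back to the same function when you put the appliance back after troubleshooting. The function refuses anything outside 0, 1 and 2 before it touches the console, so a typo cannot leave the menu in an unexpected state.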

Example: lowering validation for debug firmware

If Fortinet Support instructs you to reduce firmware validation, you may be asked to set the level to one of the lower values listed above, Level 0 being the lowest. Note the level that was configured before the change so you can return to it afterwards.

Once the level is set, press Q to leave the system information menu. From the main boot menu you can then either continue booting:

[Q]: Quit menu and continue to boot.

or, if you are loading the debug image over TFTP, start the transfer:

[T]: Initiate TFTP firmware transfer.