Saturday, July 19, 2014

FortiAP 28C was bricked by upgrading to 5.2 GA

I updated my Fortinet AP28C to software version 5.2GA and bricked it. This was not good!



The FortiExplorer application sees the device, but fails to connect via CLI access. Also, none of the Ethernet ports came active after the upgrade. So obviously the FortiGate wifi-controller would fail at managing the AP.



{ The moment of fear or relief after submitting to yes }
 


{ FortiExplorer CLI access error }



{ Downgrading back to 5.0.7 restored my unit back to being functional }





{ Now after downgrading to 5.0.7 we are back to normal and the FortiExplorer can access the console }




Key points

  • because of the USB-only management, you have the console emulated by the FortiExplorer application
  • you have no other choice but to downgrade to recover
  • Like the 5.2GA firmware on the firewall appliance, this newly released code has major problems for this AP
  • always back up your configuration before any upgrades
  • keep a copy of the existing as-is running image before any major or minor software upgrades
  • The lack of a console does not give you too much help or insight and restricts what little diagnostic evidence you can collect

btw: The hardware date stamp is approx 1 year old (2013-7). This is my 4th time since June I've been burned by a 5.2GA software upgrade, all of which required a downgrade to restore device and network connectivity.

I hope we will see better in the future code releases from Fortinet.

                                         



Ken Felix
Freelance Network/Security Engineer
kfelix  -----a----t---- socpuppets ---dot---com

    ^    ^
=( % % )=
      @
      /   \

2 comments:

  1. Just as an idea:
    Have you tried a full format + new firmware install + load old config file?

    I have been with Fortinet since ver.3 of FortiOS and I have gone down this road at least twice (with a 200B unit at the time). The first time it worked; the second time... well, the second time, I took the config file and followed it as a checklist to redo the entire config of a system from scratch, completely manually. Today we are talking about almost 9000 lines of code; at the time it was a bit shorter.

    Moral: any major change in the hands of Fortinet becomes a real nightmare for users. Just wait for 6-8 months (at least) to make sure that: everyone gets the training for new OS, major bugs are fixed and the deployment base is large enough to be able to get answers online.

    1. Sashkashurik,

      Thanks for the reply. It's almost impossible to do an interruption w/FortiExplorer, and when I could, there's no reformat option. Just to get firmware via tftp using option "G" iirc.

      There should be no excuse for a simple firmware upgrade from 5.0.7 to 5.2GA on FAP imho. And the migration path v5.0.6-7 to v5.2.0 should have worked as specified by Fortinet and the v5.2.0 release notes.

      Just like you, I've been involved with fortistuff since v3.0. Nope, let me make that since v2.8. Let me ask you the following:

      Q1: Do you need to re-format bootflash and rebuild a configuration on a Cisco ASA every time you go through an upgrade?

      Q2: Do you need to re-format the system disk and rebuild a configuration on a Juniper SRX every time you go through an upgrade?

      The answer for all should be a simple "no".

      This is Fortinet reaping the same crap as in their earlier expedition of FortiOS, "placing junk OS builds and letting the customer find the problems". The real moral of this story: if everybody waited 6-8 months and did no new software upgrades, they would not have known of the problems or bugs. Fortinet needs to start a true QC program for products and use some methods of QA to ensure the customer is getting a good product, regardless of whether it's hardware or software, imho.

      My post was to alert anybody else that might want to upgrade a FAP28C.

      fwiw: if you try the upgrade from the WebGUI the image comes up as invalid. I believe the image is bad from the start, even tho the md5 checksum matches. I will post a followup later about this.

      Thanks
