top of page

Zero Downtime, Maximum Security

Floripi's Standard for Critical Firewall Upgrades

In the world of IT infrastructure, "clicking update" is easy. Keeping a business running while you do it is the hard part.

Verification Complete: The Floripi Core Firewall (Floripi-CORE-FW-01) successfully patched to FortiOS v7.4.11. The "Up to date" status confirms the vulnerability is mitigated and the system is stable.
Fortinet firmware upgrade screen showing v7.4.11 installation for network security compliance managed by Floripi IT Support.

At Floripi, we believe that professional network management isn't just about fixing problems—it's about preventing them. With recent CVEs affecting major firewall vendors, patching is mandatory, but it presents a risk: downtime.

How do we ensure our clients stay secure without interrupting their operations? We follow a strict Test, Implementation, and Backout protocol.

Here is an inside look at the Standard Operating Procedure (SOP) we use when upgrading critical FortiGate infrastructure.

Phase 1: The Pre-Change Verification (The "Test Plan")

Before we even download the firmware, we validate the current state of the network. This "health check" ensures we know exactly what "normal" looks like, so we can spot issues immediately after the change.

Our engineers perform a mandatory checklist including:

  • Connectivity Confirmation: Logging into the firewall to confirm connections and ensuring connected devices are showing as "up" in the Device Inventory.

  • Policy Verification: documenting Firewall Policies and Local-in Policies before the upgrade to compare them afterward.

  • Interface & Routing Checks: Confirming the status of all physical and virtual interfaces (Network > Interfaces) and verifying configured static routes.

  • Security Profiles: We specifically check SSL/SSH Inspection profiles and SSL-VPN settings, as these are often sensitive to firmware changes.

  • Observability: We verify system certificates and check that logs (Forward Traffic, Local Traffic, and System Events) are populating correctly in the SIEM.

Phase 2: The Execution (The "Implementation Plan")

Once the environment is verified, we move to the implementation phase. This is done during a scheduled maintenance window to minimize impact.

  1. Configuration Backup: We manually save the full configuration to a local secure server. Note: For FortiSwitches managed by the Gate, their config is saved within this same file.

  2. The Upgrade Path:

    • We disable the "Automated Patch System" to ensure manual control over the process.

    • For High Availability (HA) clusters, we upgrade the Secondary Firewall first. It becomes the primary unit once the upgrade is complete, ensuring traffic continues to flow.

    • We upload the specific firmware image (e.g., v7.4.11) manually via the System > Firmware menu.

Phase 3: The Safety Net (The "Backout Plan")

This is what separates Floripi from the rest. We never start a change without knowing exactly how to undo it. If latency spikes, VPNs drop, or critical applications fail, we execute the Backout Plan immediately.

Our Rollback Protocol:

  1. Restore Firmware: We revert to the previous stable version (e.g., v7.4.9) via the boot menu or GUI.

  2. Restore Configuration: We do not rely on the post-upgrade config. We navigate to Admin > Configuration > Restore and upload the backup file created in Phase 2.

This ensures that no matter what happens during the update, your business can return to a known operational state within minutes.

Why This Matters for Your Business

Your network is the backbone of your operations. When you hire Floripi, you aren't just getting a technician; you are getting a documented, risk-averse engineering process designed to keep your business online.

Need help securing your infrastructure or managing complex upgrades? Contact Floripi team today. We provide the calm, professional expertise your network deserves.


Comments

bottom of page