It happens occasionally that a customer has to choose between a Palo and a Forti. While I would always favour the Palo for good reasons, I can understand that the Forti is chosen for cost savings, for example.
Fortunately, there is a hidden way of installing PAN-OS, the operating system from Palo Alto Networks, on FortiGate hardware firewalls. Here’s how you can do it:
I’m using a Fortinet FortiGate FG-501E for this demo with (formerly) FortiOS v7.2.7. I’m upgrading it to PAN-OS 11.1.1.
The main step is to upload an alternative image, that is, a PAN-OS image, and reboot the FortiGate into it. For generic FortiGates, you must choose the KVM-based PAN-OS images. With the following CLI command on the FortiGate, you can download the image from a TFTP server and reboot into it:
execute restore image tftp PA-VM-KVM-11.1.1.qcow2 192.168.21.5
The whole process in my lab was as follows. Note that you have to acknowledge the upgrade to an “unsupported image”:
fg2 # execute restore image tftp PA-VM-KVM-11.1.1.qcow2 192.168.21.5
This operation will replace the current firmware version!
Do you want to continue? (y/n)y
Please wait...
Connect to tftp server 192.168.21.5 ...
##########################################################
Get image from tftp server OK.
Warning: Upgrading to an unsupported image.
Do you want to proceed? (y/n)y
Checking new firmware integrity ... pass
Please wait for system to restart.
After the reboot, you’re in the normal startup configuration of a Palo Alto firewall. Connect to it via the default IPv4 address of 192.168.1.1 with the username:password of admin:admin.
In the dashboard, you can see the model and serial number, which are the ones from my FortiGate in this case:
Funnily enough, all those different interface names are used as well, that is:
Soli Deo Gloria.
Photo by Lindsay Henwood on Unsplash.
This worked amazingly! It seems like you also get all licenses enabled as well?! Maybe PAN-OS gets confused by the serial of the FortiGate.
What a great blog post. Even the instant commit is working, no waiting for slow commits :-)
April Fools’ Day ?
Totally false info, lol
Even the info in the first image (mgmt ip) and the second image don’t match.
That’s because the real mgmt-interface (on a Palo) is configured at Device -> Setup -> Interfaces. The “mgmt” interface shown in the screenshot above is just the hardware port which is literally named “mgmt” on this FortiGate FG-501E device. I’m not using this interface in my lab, hence it’s shown as “none” at the IP address column.
Even though, the mgmt ip shown in the first screenshot doesn’t match the sub-interface port1.21.
Another reason, you mentioned you were using firmware of FortiOS 7.2.8 which was released on 2024-03-14 (16 days ago). As per the first screenshot, the device was running for more than 35 days :)
D’oh! This one goes to you! (Fixed it. Thanks!)
So you recognize the images (and the whole article info by the way) were false?
Same feelings here.. just waiting for the confirmation if this is false or not… (suspense sound)