Running an HQIP (Hardware Quick Inspection Package) test - Fortinet D...

http://wiki.diagnose.fortinet.com/index.php/Running_an_HQIP_(Hardw...

Running an HQIP (Hardware Quick Inspection

Package) test
From Fortinet Diagnostic Wiki

Your breadcrumbs: Running an HQIP (Hardware Quick Inspection Package) test

Contents
1 Description
2 Scope
2.1 Fortinet Devices testable by HQIP
2.1.1 FortiAuthenticator
2.1.2 FortiAP (WiFi Access Point)
2.1.3 FortiAnalyzer
2.1.4 FortiBridge
2.1.5 FortiCache
2.1.6 FortiController
2.1.7 FortiDB
2.1.8 FortiDDoS
2.1.9 FortiDNS
2.1.10 FortiExtender
2.1.11 FortiGate / FortiWiFi
2.1.12 FortiGate Rugged
2.1.13 FortiGate Voice
2.1.14 FortiMail
2.1.15 FortiManager
2.1.16 FortiScan
2.1.17 FortiSwitch
2.1.18 FortiWeb
2.1.19 Modules
2.1.19.1 Fortinet Rear Transmission Module
2.1.19.2 Fortinet Security Processing Module
3 Precautions
4 Preparation
4.1 Downloading the Test
4.1.1 If you cannot get the correct HQIP image
4.2 Downloading the Firmware
4.3 Wiring the Device
4.4 Listing of Wiring Diagrams
4.4.1 FortiGates
4.4.1.1 FortiGate 60C
4.4.2 WiFi (Optional)
4.5 Console Connection
4.5.1 Hardware

1 de 12

4/23/2016 10:54 AM

Running an HQIP (Hardware Quick Inspection Package) test - Fortinet D...

http://wiki.diagnose.fortinet.com/index.php/Running_an_HQIP_(Hardw...

4.6 TFTP server

4.7 Connecting to the Device
4.7.1 Terminal Emulator to the Console interface
4.7.2 Computer with the TFTP Server to the Enternet interface
5 Running the Test
5.1 Make sure that everything you will need is on the computer(s)
5.2 Prepare the TFTP server
5.3 Prepare the cabling
5.4 Set the IP address of the TFTP server
5.5 Initiate a console session
5.6 Reboot the device
5.7 Interrupt the boot sequence
5.8 Load the Test
5.8.1 Saving the Test
5.9 Run the Test
5.9.1 Once the test is started
5.10 Save the Output
6 After the Test
6.1 Restore the Firmware
6.2 RMA

Description
HQIP (Hardware Quick Inspection Package) is a hardware diagnostic firmware image that detects hardware
problems on Fortinet products including FortiGate, FortiWifi, FortiAnalyzer, and FortiManager. Running the
HQIP test is as straight forward as downloading the HQIP image for your device from the support site, loading
the image onto your device, setting up Ethernet cables on the interfaces, letting the package run and recording
the results.
If there is an image for your device you can find it on the Fortinet Service and Support site. If there is no image
available for your specific device, you can request one. Turnaround times for new or custom images vary. Share
your experience in the comments below.
What an HQIP test does
Performs tests on a number hardware elements including CPU, Memory, Compact Flash, Hard Disk, and
PCI devices (NIC/ASIC)
Performs actions such as component loop test, factory default restore, and reformat hard drive.

What an HQIP test doesn't do

Detect all hardware malfunctions. Tests for the most common hardware problems are performed.
Diagnose issues that cause a device to reboot or be unstable.
Detect software configuration errors, OS bugs, or OS Kernel Crash issues (one type of OS bug).
Diagnose devices with multiple Hard Drives

2 de 12

4/23/2016 10:54 AM

Running an HQIP (Hardware Quick Inspection Package) test - Fortinet D...

http://wiki.diagnose.fortinet.com/index.php/Running_an_HQIP_(Hardw...

Determining which image to use

The Device Management section of the Customer Service and Support web portal is integrated with the HQIP
Download page. Once you have logged into the site not only does the site know the serial number of your
devices, it knows which models and versions of those models the serial numbers refer to. Once you have
selected which serial number you need to test, the site can determine the appropriate HQIP image. Because the
HQIP images are designed to work with very specific hardware configurations the image will not work on a
hardware configuration that it wasn't designed for, so it is crucial to download the correct image.
In the event that the site offers no result, create an RMA ticket, include the serial number(s) of the devices, and
request the HQIP Image File.

Scope
Fortinet Devices testable by HQIP
This is a listing to Products and the models that have an available download of the HQIP test for their [Expand]
product and model.
As time goes by and more products are developed the number of images will grow. This list may become out of
date so even if you don't see your device listed here check the site for an image just in case.
Select the [Expand] link to the right to see more of this section, including a listing of the devices.

Precautions
You will want to be local to the firewall to perform this test because of the need to console in and set up
the loop-back cabling.
Plan on installing the HQIP image and running the test on the weekend or evening, as the process of
running the test will mean a traffic outage for the duration test until the firmware is back.
Make sure that you have a good backup of the configuration file and that it is for the firmware version
that will be installed on the FortiGate after the test is completed.
The wiring cannot be set up entirely in advance on most devices because when the loop-backs are set up
on the same internal interface that needs to connect to the TFTP server there is a networking conflict and
instead of getting a progress bar made up of "#"s you will get a progress bar of "T"s; indicating a
transmission error. It will make a number of attempts at connection before timing out. The instructions on
Saving the Test indicate the proper time to connect the loop-back cables.
If there is a chance the configuration file is corrupted, reconfigure the FortiGate device from the default
settings.
For HDD issue with multiple disks device, do not run HQIP because this will destroy the data. Ask for
smart test or HDD diagnose command.
There can be difficulties in loading the image on to a device that is configured to be FIPS compliant. If
you suspect that this is the issue, make sure that you have a good copy of the configuration and perform a
factory reset before attempting to load the HQIP image.
There are a number of FortiAnalyzer and FortiMail models with a RAID card (FortiAnalzyer-2000,
FortiMail-2000, FortiAnalzyer-2000A, FortiMail-2000A, FortiAnalzyer-4000A, FortiMail-4000A, etc).
When conducting the HQIP test on any of the models with a RAID card, set the RAID level to 0 so that
HQIP can test each hard disk.

3 de 12

4/23/2016 10:54 AM

Running an HQIP (Hardware Quick Inspection Package) test - Fortinet D...

http://wiki.diagnose.fortinet.com/index.php/Running_an_HQIP_(Hardw...

Preparation
The secret to running a smooth HQIP is preparation. Get all of the components in place before you begin and
the running of the test will be straight forward.

Downloading the Test

[Expand]

Select the [Expand] link to the right to see more of this section.
If you cannot get the correct HQIP image
If you have searched for but cannot find the correct HQIP image for your device the alternative approach is to
open an RMA ticket at https://support.fortinet.com.

Downloading the Firmware

[Expand]

Select the [Expand] link to the right to see more of this section.

Wiring the Device

The HQIP program will supply a wiring diagram should you want to test the interfaces.
The following is an example from the HQIP test of a FortiGate 60C:
Wire the network ports as follow for NIC loopback test.
Internal
[1]+-+ [3]+-+ [WAN1]+-+ [DMZ] [WAN2]
[2] | [4] | [5]
|
|
|
+
| +
| +
|
|
|
+---+ +---+ +------+
+------+

If you do not immediately recognize that this is meant to be a wiring diagram, the translation is: Use Ethernet
cables to connect
Port 1 to Port 2
Port 3 to Port 4
Port WAN1 to Port 5
Port DMZ to Port WAN2

4 de 12

4/23/2016 10:54 AM

Running an HQIP (Hardware Quick Inspection Package) test - Fortinet D...

http://wiki.diagnose.fortinet.com/index.php/Running_an_HQIP_(Hardw...

Listing of Wiring Diagrams

[Expand]

This section is for wiring diagrams of the various devices. Because product lines and models are constantly
being added, or going out of support this section more than any other will be in a state of evolution. We
encourage people to submit diagrams to this section as they use the HQIP test. These diagrams can be in the
form of text based descriptions or ASCII diagrams. When ever possible will will take these and create a more
easily readable graphical version.
Select the [Expand] link to the right to see more of this section.
WiFi (Optional)
To correctly test WIFI from HQIP (for all Fortinet WIFI models), set up a wireless access point with the
following parameters
SSID:

fwqc

IP address: 10.80.2.11

Console Connection
While there is a Console widget in the Web Based Manager (GUI) and in FortiExplorer as well, neither of these
will work for the purposes of installing the HQIP image. These tools require that the device's firmware be
loaded and up and running before they will work. Because the HQIP image needs to be installed from the BIOS,
which is only accessible by interrupting the loading of the firmware a tool/application needs to be used that can

5 de 12

4/23/2016 10:54 AM

Running an HQIP (Hardware Quick Inspection Package) test - Fortinet D...

6 de 12

http://wiki.diagnose.fortinet.com/index.php/Running_an_HQIP_(Hardw...

talk directly to the BIOS. This tool is generally called a terminal emulator and the one that you use will depend
on the operating system of the computer you are using. Almost every operating system, such as Windows,
Linux and MacOS, will have a built-in version of this software. In the Unix like OSs it is usually referred to as
Terminal which is like the Command prompt for Windows but there are commands that can be used to connect
to remoted devices. For Windows users, Hyper-terminal comes with the OS, but the most popular one is a free
software application called Putty, downloadable off of the Internet.
Regardless of which application is used, there are some settings you will want use to connect to the Fortinet
devices. Some tools will work well enough on the default or automatic settings but you may need to enter the
following manually.
Normal Settings
Setting

Value

Bits per second: 9600

Data bits:

Parity:

none

Stop bits:

1
Append line feeds

ASCII setup:

to incoming lines

Known exception(s)
FortiManager and FortiGate 300
Setting

Value

Bits per second: 115000

Data bits:

Parity:

none

Stop bits:

1
Append line feeds

ASCII setup:

to incoming lines

Hardware
In devices that have a console port an appropriate cable will comes supplied with the device. It may not say on
it, but it will be a null modem serial cable that has an internal pinning appropriate to the device. It is important
to keep the cable that comes with the device. It is possible, because of internal pinning patterns within the cable
that the cable from one model will not work on another. Most Fortinet devices will use the same standard cable,
but there are rare exceptions.

4/23/2016 10:54 AM

Running an HQIP (Hardware Quick Inspection Package) test - Fortinet D...

http://wiki.diagnose.fortinet.com/index.php/Running_an_HQIP_(Hardw...

TFTP server
TFTP is the protocol that is used to move the HQIP image, as well as other firmware images from your
computer to the Fortinet Device being tested. These devices, like many networking devices, have a basic TFTP
client built into the BIOS so that they can be firmware can be updated or upgraded.
There are a number of different TFTP servers, depending on the operating system of the computer that can be
installed. A number of them are free. The best TFTP server is likely to be the one that you are most familiar
with and comfortable using. If you've never used one before, there are a few listed in the Fortinet's SysAdmin
Toolkit document (http://docs.fortinet.com/uploaded/files/1703/fortinet_sysadmin_toolkit.pdf) that can be found
in the SysAdmin Notebook section (http://cookbook.fortinet.com/sysadmins-notebook/) of the Fortinet
Cookbook website (http://cookbook.fortinet.com).
While it is often the case that users will put the TFTP server on the computer that they are using to console into
the Fortinet device, there is no rule that says this has to be the case. Some environments may have a computer
on the network that is set aside as a common or centralized TFTP server so that there isn't multiple copies of
firmware on multiple machines. The only requirement is that the Fortinet device and the TFTP server can be
placed on the same physical subnet, even if it is only for the duration of the transfer of the image file.

Connecting to the Device

There are a few configurations of connecting the to the Fortinet device and the basics of these configurations
will be based on a combination of the scenarios below. Keep in mind that while the Computer with the terminal
emulator and the computer hosting the TFTP server are most commonly the same computer, this is not a
requirement. The only requirement for the TFTP server is that it be on the same physical subnet as the Fortinet
device for the duration of the data transfer.
Terminal Emulator to the Console interface
Computer with built-in Serial Port

<-> Console Cable <-> Console Cable

Computer without built-in Serial Port

<-> USB to Serial Adapter <-> Console Cable <-> Console Cable

but with USB ports

Computer with the TFTP Server to the Enternet interface

TFTP
Server
TFTP
Server

Ethernet
cable

<->

Switch or
Hub

<->

Ethernet
cable

<->

Ethernet interface indicated for

model

<->

Ethernet
cable

<->

Ethernet interface indicated for

model

Some TFTP servers are more finicky than others when it comes to recognizing the Ethernet connection when
there is no live device on the other end of the cable, such as when the device is being rebooted, so there may be
confusion on the part of the computer in assigning an interface that is accessible to the TFTP server, so it can be
an advantage to go through a network device to connect to the Ethernet interface on the Fortinet device. If you
have some familiarity with the TFTP server you are using you may be aware of whether or not this will be an
issue.
7 de 12

4/23/2016 10:54 AM

Running an HQIP (Hardware Quick Inspection Package) test - Fortinet D...

http://wiki.diagnose.fortinet.com/index.php/Running_an_HQIP_(Hardw...

While not much of an issue anymore, some older computer network interfaces cannot automatically
detect whether an Ethernet cable is connected to a network device or directly to another computer. If you
have a network interface that cannot automatically determine whether to use MDI or MDI-X you may
have to use a cross-over Ethernet cable if you are connecting directly to the Fortinet device from the
TFTP server.

Running the Test

Make sure that everything you will need is on the computer(s)
Once you have started the test it is not likely that you will be able to connect to the Internet or in some cases
even the rest of the network. You will not want to have to stop part way through to load up something you need.

Prepare the TFTP server

Make sure that the TFTP server is up and running.
Make sure that the TFTP server is listening on the correct network interface
Make sure that the TFTP server is pointing at the directory with the HQIP test file image in it.

Prepare the cabling

Connect the console cable from the computer to the device
Connect the Ethernet cable to the TFTP server. If you know which interface on the device you will be
connecting to in advance you can make that connection as well. In some cases you will have to wait until
the test is running and tells you which interface to use, but you can always make sure the cable will reach
before you start. Often the correct interface will be port 1 of the internal interfaces, but be prepared to
change this if this is not the one your model uses.

Set the IP address of the TFTP server

You don't have to do this first but it is a lot easier if you are not going back and forth between interfaces.
The TFTP client on the Fortinet device will normally use 192.168.1.168 as a default IP address for the
TFTP server so it is easiest to set the IP address of the TFTP server computer to this one. The client will
give you the opportunity to inter an address manually so this is not a hard rule but a convenient option.

Initiate a console session

Make sure your computer is successfully connected to the device through a console session. You show be able
to see a prompt and get responses to key strokes.

Reboot the device

The method of rebooting the device will depend on the model. Some models do not have power switches. The
possible options for rebooting the device are:
Use the Reboot feature in the GUI (if you have already reconfigured the IP address of your computer this
may not be possible)

8 de 12

4/23/2016 10:54 AM

Running an HQIP (Hardware Quick Inspection Package) test - Fortinet D...

http://wiki.diagnose.fortinet.com/index.php/Running_an_HQIP_(Hardw...

Use the reboot command in the CLI (if you have already reconfigured the IP address of your computer
this may not be possible)
Use the power switch to turn the device of and on again (provided the device has such a switch)
Disconnect and reconnect the power to the device

Interrupt the boot sequence

As the device is powering up you should see output on the console session. As soon as you see the "Press any
key to display configuration menu" message, do so to interrupt the normal boot sequence. You need to get
to the BIOS menu to load the test firmware.

Load the Test

Once the Configuration Menu is display you will have a number of options of what to do next.
[G]:
[F]:
[I]:
[B]:
[Q]:
[H]:

Get firmware image from TFTP server.

Format boot device.
Configuration and information.
Boot with backup firmware and set as default.
Quit menu and continue to boot with default firmware.
Display this list of options.

Enter G,F,I,Q,or H:

At the selection window, select G.

At the Enter TFTP server address [192.168.1.168]: prompt...
This is for assigning the IP address of the computer with the TFTP server.
If you have already configured the computer with the default IP address, Pressing the Return key
will use the default value of 192.168.1.168.
If your TFTP server has a different IP address manually enter it here.
At the Enter local address [192.168.1.188]: prompt...
This is for assigning the IP address of the Fortinet device. As long as it is in the same IP address subnet
range as the TFTP server and doesn't conflict with any existing nodes on the network, you can use any IP
address that you want.
If you want to use the default IP address of 192.168.1.188, just press the Return key.
If you want to use another IP address, manually enter it here.
At the Enter File Name [image.out]: prompt...
This is for the name of the file on the TFTP server.
Manually type in the name of the HQIP test file or cut and paste the name into which every
terminal emulator program you are using. An example name is FORTIGATE60C_HQIP_1900.IMG.
The TFTP server is case sensitive with file names so make sure that the name used is correct.
There is a default file name of image.out that can be used if you have renamed the HQIP test file in
advance but it can be a bit of an administrative chore to keep renaming files back and forth.
The file transfer should be displayed on the TFTP server (ensure that the image is located in the
appropriate folder), along with a series of hash "#" characters.
9 de 12

4/23/2016 10:54 AM

Running an HQIP (Hardware Quick Inspection Package) test - Fortinet D...

http://wiki.diagnose.fortinet.com/index.php/Running_an_HQIP_(Hardw...

Saving the Test

After the image has been successfully received, you will be asked how you want the image saved.
Save as Default firmware/Backup firmware/Run image without saving:[D/B/R]?

When prompted with the choice to save as Default, save as Backup, or Run image without saving, Select "D" or
"B" to save the image on the device. If the image is run without saving there is a risk of the test failing to run
properly.
Before entering a response to this question, consider if you want to test the Ethernet
interfaces with the loop back wiring. If you are, set up the wiring before responding.

Functional check: The HQIP (Hardware Quick Inspection Package) test image is used to check the devices
system function and its interfaces. A console cable connection is required, and the entire console output must be
logged to a file.
HQIP will check almost all components, including CPU, memory, CF, HD and PCI devices (NIC/ASIC). It will
also check the critical benchmarks and system configurations. Observe the console output to make sure there is
no warning stop or error message(s) from the test. For testing FortiGate 5000 and other models with backbone
ports, the inner ports cannot be tested without specific configuration. If any errors or warning stops have
occurred during this test, do not continue with the rest of steps 2 and go to Report.

Run the Test

Normally, the act of saving the HQIP image starts the test. However, there are some models, the test does not
automatically start running once it is loaded. You will know if you have one of these models when nothing
happens after the image file is loaded besides being given a command line prompt.
It will look something like this:
Enter firmware image file name [image.out]: FGT_3600C-HQIP.3.0.0.1019.OUT
MAC:085B0E14D11F8
###################
Total 20491209 bytes data downloaded.
Verifying the integrity of the firmware image..
Total 69632kB unzipped.
Save as Default firmware/Backup firmware/Run image without saving:[D/B/R]?R
....................................................................
Reading boot image 3956279 bytes.
Initializing firewall...
System is started.

Please press Enter to activate this console.

FORTITEST/FG3K56C3A1380262 ~#

The next step is to enter the command

10 de 12

4/23/2016 10:54 AM

Running an HQIP (Hardware Quick Inspection Package) test - Fortinet D...

11 de 12

http://wiki.diagnose.fortinet.com/index.php/Running_an_HQIP_(Hardw...

diag hqip start

Once the test is started

The test will go through a number of step, most of them will not pause to wait for input.
The different sections of the test will be:
1. System information
2. Memory test
3. CPU test
4. Test Compact Flash and Harddisk.
5. Test USB ports.
6. Test Network interface controller.
7. Test SDHC LED.
8. Test NIC LEDS.
9. Test HA/STATUS LEDS.
There will be output and status indicators through each step of the test but there will also be a summary at the
end of the test laid out in the following format:
============== Fortinet Hardware Quick Inspection Report ==================

BIOS Integrity Check:

System Configuration Verification:
Memory Test:
CPU Test:
USB Test:
HD/FLASH Test:
Network Controller Test:
SDHC LED Test:
NIC LED Test:
HA/ALARM LED Test:

PASS
PASS
PASS
PASS
PASS
PASS
PASS
PASS
PASS
PASS

========== Fortinet Hardware Quick Inspection <xxx PASS xxx> ==============

Save the Output

The HQIP test can be run at any time you choose for your own information but if the purpose is for use in the
RMA process it is best to record the output to a text file to send in to verify the results and make the RMA
process smoother.
The method of saving the output to a text file will depend on the terminal emulator. Some of them will have
built in features that can transfer the output to a file while with others you might have to do some cutting and
pasting.

After the Test

4/23/2016 10:54 AM

Running an HQIP (Hardware Quick Inspection Package) test - Fortinet D...

http://wiki.diagnose.fortinet.com/index.php/Running_an_HQIP_(Hardw...

Restore the Firmware

If all the tests passed successfully, then you will want to restore the firmware. For two reasons you will want to
install a recently downloaded version of the firmware from the support site. However, the build should be the
same as the one that was on the device before the test.
1. At the beginning of the test process, if you chose to save the image as the default image the HQIP test
will load any time the device is rebooted. If you chose to save it as a backup firmware image and
something goes wrong with the primary there will be no backup so it is best to reestablish a proper
configuration of default and backup images during a single planned outage rather than have a second
outage at a later point in time.
1. Presumably, if you are running the HQIP test it must be because something is not working as expecting.
This would be a good time to reinstall a pristine copy of the firmware. At the very least this would
eliminate the firmware installation as a potential source of any issues that you're having. If you do this, it
also makes sense to take the opportunity to include formatting the hard drive as part of the process. At the
configuration menu, before selecting [G], select the [F] option.
Installing a fresh copy of the firmware is the procedure as installing the HQIP test. The only difference is that
instead of using the name of the HQIP image file, the name of the firmware image file should be used.

RMA
If the test shows a failure, the next step is to work with the Technical Assistance Center. Verify whether that the
device is still under warranty. Depending on the symptoms that initiated that lead the test and the results of the
test, they may want to verify that it is not a false positive, but for the most part there should be very little
difficulty in requesting a RMA.
Retrieved from "http://wiki.diagnose.fortinet.com
/index.php?title=Running_an_HQIP_(Hardware_Quick_Inspection_Package)_test&oldid=2514"
This page was last modified on 25 September 2015, at 15:56.
This page has been accessed 52,413 times.
Content is available under Creative Commons Attribution Non-Commercial Share Alike unless otherwise
noted.

12 de 12

4/23/2016 10:54 AM