
Administration Guide

Enabling automatic firmware updates

Automatic firmware upgrades can be enabled so that the FortiGate automatically upgrades when a new FortiOS patch release is available, for increased device security.

When enabled, FortiGates use the FortiGuard upgrade path to check FortiGuard for firmware updates within the same minor release. Checks are performed within a specified time period. When a new patch release is available, a firmware upgrade is scheduled.

After the patch release is successfully installed, an email is sent to the FortiCloud account that the FortiGate is registered to.

Note
  • By default, entry-level FortiGates (lower than 100 series) have automatic firmware upgrades enabled.

  • Automatic firmware upgrade cannot be enabled for FortiGates belonging to a Security Fabric, FortiGates under management by a FortiManager, or a secondary HA FortiGate. However, HA groups will still have automatic firmware upgrades based on the primary FortiGate.

  • Automatic upgrades will only upgrade to a newer, mature patch within that minor version. For example, a FortiOS version 7.2.x image will only auto-upgrade to another 7.2.x image. It will not upgrade to a 7.4.x image.

Automatic firmware upgrades can be configured from the FortiGate Setup wizard or in the CLI with the following commands:

config system fortiguard
    set auto-firmware-upgrade {enable | disable}
    set auto-firmware-upgrade-day {sunday monday tuesday wednesday thursday friday saturday}
    set auto-firmware-upgrade-start-hour <integer>
    set auto-firmware-upgrade-end-hour <integer>
end

auto-firmware-upgrade {enable | disable}

Enable/disable automatic patch-level firmware upgrades from FortiGuard.

auto-firmware-upgrade-day {sunday monday tuesday wednesday thursday friday saturday}

Enter the allowed day or days of the week to start the automatic patch-level firmware upgrade from FortiGuard.

auto-firmware-upgrade-start-hour <integer>

Set the start time of the designated time window for the automatic patch-level firmware upgrade from FortiGuard (in hours, 0 - 23, default = 2).

The actual upgrade time is randomly selected in the time window. See Reviewing upgrade status for more information on confirming the scheduled upgrade time.

auto-firmware-upgrade-end-hour <integer>

Set the end time of the designated time window for the automatic patch-level firmware upgrade from FortiGuard (in hours, 0 - 23, default = 4). When this value is smaller than the start time, it is treated as the same time on the next day.

The actual upgrade time is randomly selected in the time window. See Reviewing upgrade status for more information on confirming the scheduled upgrade time.
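
The following Python function is an added illustration, not part of the Fortinet documentation or FortiOS code, of how the day and hour settings above combine into a maintenance window that can be checked against change-control calendars. It assumes the window opens on an allowed day and closes on the following day when the end hour is smaller than the start hour; equal start and end hours give an empty window here because the page does not define that case.

```python
from datetime import datetime, timedelta

# Index matches datetime.weekday(): Monday is 0.
WEEKDAYS = ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"]

def in_upgrade_window(ts, days, start_hour, end_hour):
    """True if local time ts lies in a window that opened on one of `days`."""
    for hour in (start_hour, end_hour):
        if not 0 <= hour <= 23:
            raise ValueError("hours must be 0 - 23")
    midnight = ts.replace(hour=0, minute=0, second=0, microsecond=0)
    # A wrapped window may have opened yesterday, so test both candidate opening days.
    for opened in (midnight, midnight - timedelta(days=1)):
        if WEEKDAYS[opened.weekday()] not in days:
            continue
        start = opened + timedelta(hours=start_hour)
        end = opened + timedelta(hours=end_hour)
        if end_hour < start_hour:  # end hour is "the same time in the next day"
            end += timedelta(days=1)
        if start <= ts < end:
            return True
    return False
```

With `days=["saturday"]`, start hour 22 and end hour 2, Sunday 01:00 is inside the window but Saturday 01:00 is not, which is the case that a simple hour comparison gets wrong.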

Reviewing upgrade status

The following commands can be used to review the status of the automatic upgrade.

The diagnose test application forticldd 13 command lists when the most recent firmware image upgrade check occurred as well as when the next check is scheduled.

Note

If the FortiGate is part of a Fabric or managed by FortiManager, the Automatic image upgrade option will be set to disabled.

# diagnose test application forticldd 13
...
Automatic image upgrade: disabled.

If a newer, valid firmware patch is detected, the show sys federated-upgrade command will list when the firmware upgrade will occur. The firmware upgrade schedule will depend on the configured automatic upgrade settings. If the settings are changed before the upgrade occurs, the image installation will be rescheduled to respect the new requirements.

Note

The show sys federated-upgrade command also lists previous firmware upgrades.

The following debug commands are available for troubleshooting:

# diagnose debug en
# diagnose debug application forticldd -1
# diagnose debug application sfupgraded -1

Example

The following example demonstrates setting automatic firmware upgrades.

To configure automatic firmware upgrades in the CLI:
  1. Configure the automatic firmware upgrade schedule:

    config system fortiguard
        set auto-firmware-upgrade enable
        set auto-firmware-upgrade-day sunday monday tuesday wednesday thursday friday saturday
        set auto-firmware-upgrade-start-hour 2
        set auto-firmware-upgrade-end-hour 4
    end

    Sample email after configuring automatic firmware upgrades:

    From: DoNotReply@notification.fortinet.net <DoNotReply@notification.fortinet.net>
    Sent: Tuesday, September 26, 2023 11:08 AM
    To: ********** <*****@fortinet.com>
    Subject: Automatic firmware upgrade schedule changed
    
    date=2023-09-26 time=11:07:34 devid="FG81EPTK19000000" devname="FortiGate-81E-POE" eventtime=1690308454221334719 tz="-0700" logid="0100032263" type="event" subtype="system" level="notice" vd="root" logdesc="Automatic firmware upgrade schedule changed" user="system" msg="System patch-level auto-upgrade regular check enabled."

    The FortiGate will perform a check between the start and end hours set for the firmware upgrade to review if there is an upgrade available.

  2. Review the firmware upgrade schedule:

    # diagnose test application forticldd 13
    ...
    Automatic image upgrade: Enabled.
            Next upgrade check scheduled at (local time) Fri Sep 22 13:50:15 2023
            New image 7.2.7b2600(07004000FIMG0019704002) installation is scheduled to
                    start at Sat Sep 23 13:03:56 2023
                    end by Sat Sep 23 14:00:00 2023

    Sample email after a new image installation is scheduled:

    From: DoNotReply@notification.fortinet.net <DoNotReply@notification.fortinet.net>
    Sent: Friday, September 22, 2023 1:17 PM
    To: ********** <*****@fortinet.com>
    Subject: Automatic firmware upgrade schedule changed
    
    date=2023-09-22 time=13:16:50 devid="FG81EPTK19000000" devname="FortiGate-81E-POE" eventtime=1689970609076391174 tz="-0700" logid="0100032263" type="event" subtype="system" level="notice" vd="root" logdesc="Automatic firmware upgrade schedule changed" user="system" msg="System patch-level auto-upgrade new image installation scheduled between local time Sat Sep 23 13:03:56 2023 and local time Sat Sep 23 14:00:00 2023."

    Once the firmware patch is successfully installed, an event log is created to track the change and an email is sent to the FortiCloud account under which the FortiGate is registered.

    Sample event logs after the federated upgrade is complete:

    date=2023-09-23 time=13:55:37 eventtime=1689972938126416979 tz="-0700" logid="0100032138" type="event" subtype="system" level="critical" vd="root" logdesc="Device rebooted" ui="sfupgraded" action="reboot" msg="User rebooted the device from sfupgraded. The reason is 'upgrade firmware'"
    
    date=2023-09-23 time=13:55:37 eventtime=1689972938126337130 tz="-0700" logid="0100032202" type="event" subtype="system" level="critical" vd="root" logdesc="Image restored" ui="sfupgraded" action="restore-image" status="success" msg="User restored the image from sfupgraded (v7.2.6,build2425 -> v7.2.7,build2426)"

    Sample email after the federated upgrade is complete:

    From: DoNotReply@notification.fortinet.net <DoNotReply@notification.fortinet.net>
    Sent: Friday, September 22, 2023 2:00 PM
    To: ********** <*****@fortinet.com>
    Subject: A federated upgrade was completed by the root FortiGate
    
    date=2023-09-22 time=14:00:09 devid="FG81EPTK19000000" devname="FortiGate-81E-POE" eventtime=1689973183346851869 tz="-0700" logid="0100022094" type="event" subtype="system" level="information" vd="root" logdesc="A federated upgrade was completed by the root FortiGate" msg="Federated upgrade complete" version="7.2.7"
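
The sample logs above can be used to audit firmware changes from exported event logs. This Python sketch is an added example, not Fortinet code: it checks that each "Image restored" event stays within the minor release, moves to a newer patch, was performed by `sfupgraded`, and falls inside the previously announced installation window. The logid values and message formats are taken from the sample logs on this page; the finding labels and the policy itself are assumptions of this example.

```python
import re
from datetime import datetime

# Two log lines copied from the sample output on this page (schedule notice, image change).
SAMPLE = [
    'date=2023-09-22 time=13:16:50 devid="FG81EPTK19000000" devname="FortiGate-81E-POE" eventtime=1689970609076391174 tz="-0700" logid="0100032263" type="event" subtype="system" level="notice" vd="root" logdesc="Automatic firmware upgrade schedule changed" user="system" msg="System patch-level auto-upgrade new image installation scheduled between local time Sat Sep 23 13:03:56 2023 and local time Sat Sep 23 14:00:00 2023."',
    'date=2023-09-23 time=13:55:37 eventtime=1689972938126337130 tz="-0700" logid="0100032202" type="event" subtype="system" level="critical" vd="root" logdesc="Image restored" ui="sfupgraded" action="restore-image" status="success" msg="User restored the image from sfupgraded (v7.2.6,build2425 -> v7.2.7,build2426)"',
]

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
WINDOW = re.compile(r"scheduled between local time (.+?) and local time (.+?)\.")
VERS = re.compile(r"\(v(\d+)\.(\d+)\.(\d+),build\d+ -> v(\d+)\.(\d+)\.(\d+),build\d+\)")
CTIME = "%a %b %d %H:%M:%S %Y"  # English day/month names, as in the log text

def parse(line):
    """Split a key=value log line into a dict; quoted values may contain spaces."""
    return {key: quoted if quoted else bare for key, quoted, bare in KV.findall(line)}

def audit(lines):
    """Return (time, finding) pairs for every 'Image restored' event (logid 0100032202)."""
    window, findings = None, []
    for rec in map(parse, lines):
        msg = rec.get("msg", "")
        if rec.get("logid") == "0100032263" and (m := WINDOW.search(msg)):
            window = tuple(datetime.strptime(t, CTIME) for t in m.groups())
        elif rec.get("logid") == "0100032202":
            when = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
            m = VERS.search(msg)
            if not m:
                findings.append((when, "version transition not parseable"))
                continue
            nums = tuple(map(int, m.groups()))
            old, new = nums[:3], nums[3:]
            if old[:2] != new[:2]:
                findings.append((when, "left the minor release"))
            elif new <= old:
                findings.append((when, "not a newer patch"))
            if rec.get("ui") != "sfupgraded":
                findings.append((when, "not performed by sfupgraded"))
            if window is None or not window[0] <= when <= window[1]:
                findings.append((when, "outside the announced window"))
    return findings
```

`audit(SAMPLE)` returns an empty list because the 7.2.6 to 7.2.7 change at 13:55:37 falls inside the announced 13:03:56 to 14:00:00 window.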

To configure automatic firmware upgrades in the GUI:
  1. Log in to the FortiGate GUI and click Begin.

  2. Select Enable automatic patch upgrades (default setting).

  3. Edit the upgrade and installation settings as needed, then click Save and continue.

  4. Select I acknowledge and click OK to proceed.

    The FortiGate will be updated based on the configured schedule when a new patch is available.
