Fortinet black logo

Administration Guide

Home FortiGate / FortiOS 7.2.4 Administration Guide

Enabling automatic firmware updates

7.2.4
7.4.3
7.4.2
7.4.1
7.4.0
7.2.8
7.2.7
7.2.6
7.2.5
7.2.4
7.2.3
7.2.2
7.2.1
7.2.0
7.0.15
7.0.14
7.0.13
7.0.12
7.0.11
7.0.10
7.0.9
7.0.8
7.0.7
7.0.6
7.0.5
7.0.4
7.0.3
7.0.2
7.0.1
7.0.0
6.4.15
6.4.14
6.4.13
6.4.12
6.4.11
6.4.10
6.4.9
6.4.8
6.4.7
6.4.6
6.4.5
6.4.4
6.4.3
6.4.2
6.4.1
6.4.0
Copy Link
Copy Doc ID 541164a8-66d4-11ed-96f0-fa163e15d75b:369092
Download PDF

Enabling automatic firmware updates

The auto-firmware-upgrade option can be enabled to automatically update firmware based on the FortiGuard upgrade path. When enabled, the FortiGate will look for an upgrade path and perform an upgrade at a time within the time period specified by the administrator. The upgrade will only be performed on a patch within the same major release version.

config system fortiguard
    set auto-firmware-upgrade {enable | disable}
    set auto-firmware-upgrade-day {sunday monday tuesday wednesday thursday friday saturday}
    set auto-firmware-upgrade-start-hour <integer>
    set auto-firmware-upgrade-end-hour <integer>
end

auto-firmware-upgrade {enable | disable}

Enable/disable automatic patch-level firmware upgrade from FortiGuard.

auto-firmware-upgrade-day {sunday monday tuesday wednesday thursday friday saturday}

Enter the allowed day or days of the week to start the automatic patch-level firmware upgrade from FortiGuard.

auto-firmware-upgrade-start-hour <integer>

Set the start time of the designated time window for the automatic patch-level firmware upgrade from FortiGuard (in hours, 0 - 23, default = 2). The actual upgrade time is randomly selected in the time window.

auto-firmware-upgrade-end-hour <integer>

Set the end time of the designated time window for the automatic patch-level firmware upgrade from FortiGuard (in hours, 0 - 23, default = 4). When this value it is smaller than the start time, it will be treated as the same time in the next day. The actual upgrade time is randomly selected in the time window.

Example

To configure automatic firmware upgrades using the default schedule:
config system fortiguard
    set auto-firmware-upgrade enable
    set auto-firmware-upgrade-day sunday monday tuesday wednesday thursday friday saturday
    set auto-firmware-upgrade-start-hour 2
    set auto-firmware-upgrade-end-hour 4
end
Sample event log after enabling this option with a certain schedule:
date=2022-07-12 time=10:41:52 eventtime=1657647712247415816 tz="-0700" logid="0100032263" type="event" subtype="system" level="notice" vd="vdom1" logdesc="Automatic firmware upgrade schedule changed" user="system" msg="System patch-level auto-upgrade scheduled at local time Wed Jul 13 02:18:36 2022, looking for patch-level upgrade only."
Performing the upgrade:

At the scheduled upgrade time, the FortiGate (forticldd daemon) will only try to upgrade to the latest patch in the same <major.minor> version in the image upgrade matrix.

For example, the following new releases are available in FortiGuard (fictitious build numbers are used to demonstrate the functionality of this feature):

FGTPlatform=FG201E|FGTCurrVersion=7.0.6|FGTCurrBuildNum=0366|FGTUpgVersion=7.2.2|FGTUpgBuildNum=1602|BaselineVersion=DISABLE
FGTPlatform=FG201E|FGTCurrVersion=7.2.1|FGTCurrBuildNum=1224|FGTUpgVersion=7.2.2|FGTUpgBuildNum=1602|BaselineVersion=DISABLE
Sample log event log after a successful upgrade:
date=2022-06-22 time=11:16:38 eventtime=1655921798859111708 tz="-0700" logid="0100032202" type="event" subtype="system" level="critical" vd="root" logdesc="Image restored" ui="forticldd" action="restore-image" status="success" msg="User  restored the image from forticldd (v7.2.1,build1224 -> v7.2.2,build1602)"

Other scenarios

If auto-firmware-upgrade is changed to be disabled, the FortiGate (forticldd daemon) will not perform a scheduled upgrade.

Sample event log after disabling automatic firmware upgrades:
date=2022-06-22 time=10:31:25 eventtime=1655919085881435255 tz="-0700" logid="0100032263" type="event" subtype="system" level="notice" vd="root" logdesc="Automatic firmware upgrade schedule changed" user="system" msg="System patch-level auto-upgrade disabled."

If there is no upgrade image on the server, the forticldd daemon will reschedule the update to the next available time.

Sample debug output:
[874] sch_auto_update_done: No newer build found in the current major release.
[805] fds_schedule_auto_fmwr_upgrade: trace
[844] fds_schedule_auto_fmwr_upgrade: Automatic firmware upgrade is scheduled at (Local) Wed Jun  1 15:52:30 2022
Sample event log after rescheduling the update:
date=2022-06-22 time=12:31:17 eventtime=1655926278277347987 tz="-0700" logid="0100032263" type="event" subtype="system" level="notice" vd="root" logdesc="Automatic firmware upgrade schedule changed" user="system" msg="System patch-level auto-upgrade scheduled at local time Thu Jun 23 12:40:21 2022, looking for patch-level upgrade only."
Previous
Next

Enabling automatic firmware updates

The auto-firmware-upgrade option can be enabled to automatically update firmware based on the FortiGuard upgrade path. When enabled, the FortiGate will look for an upgrade path and perform an upgrade at a time within the time period specified by the administrator. The upgrade will only be performed on a patch within the same major release version.

config system fortiguard
    set auto-firmware-upgrade {enable | disable}
    set auto-firmware-upgrade-day {sunday monday tuesday wednesday thursday friday saturday}
    set auto-firmware-upgrade-start-hour <integer>
    set auto-firmware-upgrade-end-hour <integer>
end

auto-firmware-upgrade {enable | disable}

Enable/disable automatic patch-level firmware upgrade from FortiGuard.

auto-firmware-upgrade-day {sunday monday tuesday wednesday thursday friday saturday}

Enter the allowed day or days of the week to start the automatic patch-level firmware upgrade from FortiGuard.

auto-firmware-upgrade-start-hour <integer>

Set the start time of the designated time window for the automatic patch-level firmware upgrade from FortiGuard (in hours, 0 - 23, default = 2). The actual upgrade time is randomly selected in the time window.

auto-firmware-upgrade-end-hour <integer>

Set the end time of the designated time window for the automatic patch-level firmware upgrade from FortiGuard (in hours, 0 - 23, default = 4). When this value it is smaller than the start time, it will be treated as the same time in the next day. The actual upgrade time is randomly selected in the time window.

Example

To configure automatic firmware upgrades using the default schedule:
config system fortiguard
    set auto-firmware-upgrade enable
    set auto-firmware-upgrade-day sunday monday tuesday wednesday thursday friday saturday
    set auto-firmware-upgrade-start-hour 2
    set auto-firmware-upgrade-end-hour 4
end
Sample event log after enabling this option with a certain schedule:
date=2022-07-12 time=10:41:52 eventtime=1657647712247415816 tz="-0700" logid="0100032263" type="event" subtype="system" level="notice" vd="vdom1" logdesc="Automatic firmware upgrade schedule changed" user="system" msg="System patch-level auto-upgrade scheduled at local time Wed Jul 13 02:18:36 2022, looking for patch-level upgrade only."
Performing the upgrade:

At the scheduled upgrade time, the FortiGate (forticldd daemon) will only try to upgrade to the latest patch in the same <major.minor> version in the image upgrade matrix.

For example, the following new releases are available in FortiGuard (fictitious build numbers are used to demonstrate the functionality of this feature):

FGTPlatform=FG201E|FGTCurrVersion=7.0.6|FGTCurrBuildNum=0366|FGTUpgVersion=7.2.2|FGTUpgBuildNum=1602|BaselineVersion=DISABLE
FGTPlatform=FG201E|FGTCurrVersion=7.2.1|FGTCurrBuildNum=1224|FGTUpgVersion=7.2.2|FGTUpgBuildNum=1602|BaselineVersion=DISABLE
Sample log event log after a successful upgrade:
date=2022-06-22 time=11:16:38 eventtime=1655921798859111708 tz="-0700" logid="0100032202" type="event" subtype="system" level="critical" vd="root" logdesc="Image restored" ui="forticldd" action="restore-image" status="success" msg="User  restored the image from forticldd (v7.2.1,build1224 -> v7.2.2,build1602)"

Other scenarios

If auto-firmware-upgrade is changed to be disabled, the FortiGate (forticldd daemon) will not perform a scheduled upgrade.

Sample event log after disabling automatic firmware upgrades:
date=2022-06-22 time=10:31:25 eventtime=1655919085881435255 tz="-0700" logid="0100032263" type="event" subtype="system" level="notice" vd="root" logdesc="Automatic firmware upgrade schedule changed" user="system" msg="System patch-level auto-upgrade disabled."

If there is no upgrade image on the server, the forticldd daemon will reschedule the update to the next available time.

Sample debug output:
[874] sch_auto_update_done: No newer build found in the current major release.
[805] fds_schedule_auto_fmwr_upgrade: trace
[844] fds_schedule_auto_fmwr_upgrade: Automatic firmware upgrade is scheduled at (Local) Wed Jun  1 15:52:30 2022
Sample event log after rescheduling the update:
date=2022-06-22 time=12:31:17 eventtime=1655926278277347987 tz="-0700" logid="0100032263" type="event" subtype="system" level="notice" vd="root" logdesc="Automatic firmware upgrade schedule changed" user="system" msg="System patch-level auto-upgrade scheduled at local time Thu Jun 23 12:40:21 2022, looking for patch-level upgrade only."
Previous
Next