New Features

Automatic firmware upgrades for FortiGate appliances with invalid support contracts or that have reached EOES 7.4.8

Note

This information is also available in the FortiOS 7.4 Administration Guide:

To enhance security and reduce vulnerabilities, FortiGates that are no longer under a valid Firmware & General Updates (FMWR) license or that have reached End of Engineering Support (EOES) will automatically upgrade to the latest patch within their current minor version. This proactive measure ensures that all devices remain protected with the most up-to-date security features.

The FortiGate checks for a new patch upgrade on FortiGuard daily. If a new patch is discovered and the firmware license is invalid or the FortiGate has reached EOES, it will schedule an upgrade to the new firmware image. While this enforced compliance upgrade cannot be canceled, the installation schedule can be adjusted in two ways:

  • Modify the upgrade schedule using the config system fortiguard auto-firmware-upgrade-day or auto-firmware-upgrade-delay commands. This allows rescheduling multiple times within a 14-day window after the new patch is detected. See Enabling automatic firmware upgrades for more information.

  • Use the execute auto-upgrade delay-installation command to postpone the installation for a fixed 7-day period.

The firmware will upgrade to the latest patch in its current minor version. For example, if the current version is FortiOS 7.4.8, the firmware will automatically upgrade to the latest 7.4.x version. It will not upgrade to another minor version, such as 7.6.x.

CLI syntax

New CLI commands have been implemented for reviewing and triggering the firmware upgrade schedule.

  • The following diagnose commands have been included:

    # diagnose test forticldd 90
    # diagnose test forticldd 91
    # diagnose test forticldd 92
    # diagnose test forticldd 93

    Command              Description
    test forticldd 90    This command triggers a check for a new firmware image.
    test forticldd 91    This command allows you to reschedule the check for new images.
    test forticldd 92    This command performs the same action as execute auto-upgrade hasten-installation. It is only available on debug images. See execute auto-upgrade in the CLI Reference for more information.
    test forticldd 93    This command delays the existing, scheduled automatic firmware upgrade installation by one week.

  • The following execute commands have been included:

    # execute auto-upgrade status
    # execute auto-upgrade check-for-new-image
    # execute auto-upgrade delay-installation

    Command                             Description
    auto-upgrade status                 This command displays the current automatic upgrade status. It performs the same action as diagnose test forticldd 13.
    auto-upgrade check-for-new-image    This command triggers a check for a new firmware image. It performs the same action as diagnose test forticldd 90.
    auto-upgrade delay-installation     This command delays the existing, scheduled automatic firmware upgrade installation by one week. It performs the same action as diagnose test forticldd 93.

New debug information has been added:

# diagnose test application forticldd 13
Scheduled push image upgrade: no
Scheduled Config Restore: no
Scheduled Script Restore: no
Automatic image upgrade: Enabled.
        New image information may be fetched.
        Next new image info fetch scheduled at (local time) Mon Oct 20 01:04:11 2025
        New image installation may be cancelled by the user.
        Last new image info fetch executed at (local time) Sun Oct 19 01:34:44 2025

Example

The following example demonstrates the process of an automatic firmware upgrade when the current license is found to be invalid.

The example demonstrates automatically upgrading the firmware from 7.4.8 to 7.4.9. At the time that this example was created, FortiOS 7.4.9 was the latest GA build for the 7.4 minor version. If a higher patch is available for this minor version, such as 7.4.10 and above, the firmware will update to that version instead.

Note

The following procedure is also performed for the scenario where a FortiGate's firmware has reached EOES.

To review the automatic firmware update:
  1. The FortiGate will check the license status and for new firmware images daily.

    1. Review the configured firmware check schedule:

      # show full system fortiguard
      set auto-firmware-upgrade-start-hour 1
      set auto-firmware-upgrade-end-hour 4
    2. Determine when the next firmware check will occur:

      # diagnose test application forticldd 13
      Scheduled push image upgrade: no
      Scheduled Config Restore: no
      Scheduled Script Restore: no
      Automatic image upgrade: Enabled.
              New image information may be fetched.
              Next new image info fetch scheduled at (local time) Mon Oct 20 01:04:11 2025
              New image installation may be cancelled by the user.
              Last new image info fetch executed at (local time) Sun Oct 19 01:34:44 2025
  2. The FortiGate determines that the license has expired and that a new firmware image is available for a later patch of the current minor version.

    1. Review the status of the firmware license:

      # diagnose test update info
      ...
      System contracts:
          FMWR,Fri Jan  2 2009

      The license has expired.

    2. Review the current firmware image version:

      # get system status | grep Version
      Version: FortiGate-40F v7.4.8,build2795,250523 (GA.M)
    3. Check if there is a new firmware image available:

      # diagnose fdsm image-list
      ...
      07004000FIMGXXXXXXXX  v7.4 MR4-GA-M P9 b2829 (upgrade)
    4. The FortiGate will determine if an automatic upgrade is needed.

      # diagnose debug application forticldd -1
      ...
      2025-10-21 08:37:20 [206] fmwr_contract_expired: Contract expired!
      2025-10-21 08:37:20 [1705] auto_upg_img_check: News from FGT: FMWR contract expired? 1
      2025-10-21 08:37:20 [1706] auto_upg_img_check: News: Should we force it? 1

      In this output, a value of 1 means yes to the question posed, so the automatic firmware upgrade should occur due to the expired license. Once the upgrade has been scheduled, it cannot be canceled.

      Note

      If you were reviewing the procedure for automatically upgrading the firmware when the FortiGate has reached EOES, the debug will display as follows:

      # diagnose debug app forticldd -1
      ....
      [1704] auto_upg_img_check: News from FDS: EOL reached? 1
      [1706] auto_upg_img_check: News: Should we force it? 1
  3. The FortiGate schedules the firmware upgrade based on the defined FortiGuard system configurations.

    # diagnose test application forticldd 13
    Scheduled push image upgrade: no
    Scheduled Config Restore: no
    Scheduled Script Restore: no
    Automatic image upgrade: Enabled (Forced).
            New image information may be fetched.
            Next new image info fetch scheduled at (local time) Tue Oct 28 11:21:40 2025
            New image installation will be forced.
            New image 7.4.9b2829(XXXXXXXX) installation is scheduled to:
                    start at Thu Oct 30 11:28:44 2025
                    end by Thu Oct 30 12:00:00 2025
            Last new image info fetch executed at (local time) Mon Oct 27 11:45:18 2025
    Note

    The schedule defined by the FortiGuard system configurations can be either a numeric delay in days, set using auto-firmware-upgrade-delay, or specific days from Monday to Sunday, set using auto-firmware-upgrade-day. These settings are mutually exclusive. See Enabling automatic firmware updates for more information.

  4. Postpone the firmware installation by one week:

    # execute auto-upgrade delay-installation
    Postponing auto-upgrade image installation to a week later...
    Auto-upgrade image installation rescheduled to: start at local time Thu Nov  6 11:29:55 2025
            end by local time Thu Nov 6 12:00:00 2025
  5. Review the new installation time:

    # diagnose test application forticldd 13
    Scheduled push image upgrade: no
    Scheduled Config Restore: no
    Scheduled Script Restore: no
    Automatic image upgrade: Enabled (Forced).
            New image information may be fetched.
            Next new image info fetch scheduled at (local time) Tue Oct 28 11:21:40 2025
            New image installation will be forced.
            New image 7.4.9b2829(XXXXXXXX) installation is scheduled to:
                    start at Fri Jun  6 11:29:55 2025
                    end by Fri Jun  6 12:00:00 2025
            Last new image info fetch executed at (local time) Mon Oct 27 11:45:18 2025
  6. Attempt to cancel the scheduled upgrade:

    # execute federated-upgrade cancel
    The existing upgrades cannot be cancelled.
    Command fail. Return code 1

    The upgrade cannot be canceled once it has been scheduled.

  7. During the scheduled upgrade window, the FortiGate will upgrade the firmware.

    The federated-upgrade configuration will update for the automatic firmware upgrade.

    config system federated-upgrade
        set status initialized
        set source forced-upgrade
        set upgrade-id 1
        set ha-reboot-controller "FGT40FXXXXXXXX"
        config node-list
            edit "FGT40FXXXXXXXX"
                set timing immediate
                set maximum-minutes 45
                set setup-time 07:14 2025/10/16 UTC
                set upgrade-path 7-4-9
            next
        end
    end
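
The status output from step 3 and the debug lines from step 2 can be checked mechanically when many devices need to be reviewed. The following is an added example, not Fortinet code: it parses the sample output shown above (embedded inline) to report whether an upgrade is enforced, why, and when the installation window opens. The function names are hypothetical, and it assumes the CLI output has already been collected as text.

```python
import re
from datetime import datetime

# Status output copied from step 3 of the procedure above (serial masked as on the page).
SAMPLE_STATUS = """\
Scheduled push image upgrade: no
Scheduled Config Restore: no
Scheduled Script Restore: no
Automatic image upgrade: Enabled (Forced).
        New image information may be fetched.
        Next new image info fetch scheduled at (local time) Tue Oct 28 11:21:40 2025
        New image installation will be forced.
        New image 7.4.9b2829(XXXXXXXX) installation is scheduled to:
                start at Thu Oct 30 11:28:44 2025
                end by Thu Oct 30 12:00:00 2025
        Last new image info fetch executed at (local time) Mon Oct 27 11:45:18 2025
"""

# Debug lines copied from step 2 of the procedure above.
SAMPLE_DEBUG = """\
2025-10-21 08:37:20 [206] fmwr_contract_expired: Contract expired!
2025-10-21 08:37:20 [1705] auto_upg_img_check: News from FGT: FMWR contract expired? 1
2025-10-21 08:37:20 [1706] auto_upg_img_check: News: Should we force it? 1
"""

TS_FORMAT = "%a %b %d %H:%M:%S %Y"  # e.g. "Thu Oct 30 11:28:44 2025" (device local time)


def parse_auto_upgrade_status(text):
    """Extract the upgrade mode, image and install window from the status output."""
    result = {"enabled": False, "forced": False, "image": None, "start": None, "end": None}
    m = re.search(r"^Automatic image upgrade:\s*(\w+)(?:\s*\((\w+)\))?", text, re.M)
    if m:
        result["enabled"] = m.group(1) == "Enabled"
        result["forced"] = m.group(2) == "Forced"
    m = re.search(r"New image (\S+?)\(.*?\) installation is scheduled to:", text)
    if m:
        result["image"] = m.group(1)
    for key, label in (("start", "start at"), ("end", "end by")):
        m = re.search(rf"^\s*{label}\s+(.+?)\s*$", text, re.M)
        if m:  # collapse the padded day field ("Nov  6") before parsing
            result[key] = datetime.strptime(" ".join(m.group(1).split()), TS_FORMAT)
    return result


def parse_force_flags(debug_text):
    """Map each auto_upg_img_check question to True when the daemon answered 1."""
    pairs = re.findall(r"auto_upg_img_check: News(?: from \w+)?: (.+?)\? (\d)", debug_text)
    return {question: answer == "1" for question, answer in pairs}


def summarize(status_text, debug_text, now):
    """Combine both outputs into one record for change-management alerting."""
    status = parse_auto_upgrade_status(status_text)
    flags = parse_force_flags(debug_text)
    reasons = [q for q, yes in flags.items() if yes and q != "Should we force it"]
    days_left = (status["start"] - now).days if status["start"] else None
    return {"enforced": status["forced"], "reasons": reasons, "image": status["image"],
            "install_start": status["start"], "days_left": days_left}


if __name__ == "__main__":
    print(summarize(SAMPLE_STATUS, SAMPLE_DEBUG, datetime(2025, 10, 27, 12, 0, 0)))
```

The timestamps are parsed as naive device-local times, so compare them against a clock in the same time zone as the FortiGate.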

Special considerations

The status of the FortiGate may affect the automatic upgrade as follows:

  • If the FortiGate is part of the Security Fabric, it will not automatically upgrade the firmware. Conversely, if an upgrade is scheduled, the FortiGate will be unable to join a Security Fabric.

  • If the FortiGate is connected to a FortiManager, it will not automatically upgrade the firmware. Likewise, if an upgrade is scheduled, the FortiGate will still be able to connect with the FortiManager and the automatic firmware upgrade will be canceled.

  • If a FortiGate is part of an HA pair, the enforced, automatic firmware upgrade will proceed as intended for the primary FortiGate. The secondary FortiGate will not perform an enforced, automatic firmware upgrade on its own because the automatic upgrade is disabled on the secondary; however, it will receive the upgrade through a cluster upgrade initiated by the primary FortiGate.

  • If an automatic firmware upgrade has been scheduled, it will block any new federated upgrades from occurring.
