
Administration Guide

Automatic firmware upgrades for FortiGate appliances with invalid support contracts or that have reached EOES

To enhance security and reduce vulnerabilities, FortiGates that are no longer under a valid Firmware & General Updates (FMWR) license or that have reached End of Engineering Support (EOES) will automatically upgrade to the latest patch within their current minor version. This proactive measure ensures that all devices remain protected with the most up-to-date security features.

The FortiGate checks for a new patch upgrade on FortiGuard daily. If a new patch is discovered and the firmware license is invalid or the FortiGate has reached EOES, it will schedule an upgrade to the new firmware image. While this enforced compliance upgrade cannot be canceled, the installation schedule can be adjusted in two ways:

  • Modify the upgrade schedule using the config system fortiguard auto-firmware-upgrade-day or auto-firmware-upgrade-delay commands. This allows rescheduling multiple times within a 14-day window after the new patch is detected. See Enabling automatic firmware upgrades for more information.

  • Use the execute auto-upgrade delay-installation command to postpone the installation for a fixed 7-day period.

The firmware will upgrade to the latest patch in its current minor version. For example, if the current version is FortiOS 7.4.8, the firmware will automatically upgrade to the latest 7.4.x version. It will not upgrade to another minor version, such as 7.6.x.

Example

The following example demonstrates the process of an automatic firmware upgrade from 7.4.8 to 7.4.9 when the current license is found to be invalid. It would also apply if the firmware had passed its EOES date.

At the time that this example was created, FortiOS 7.4.9 was the latest GA build for the 7.4 minor version. If a higher patch is available for this minor version, such as 7.4.10 or later, the firmware would be updated to that version instead.

To review the automatic firmware update:
  1. The FortiGate checks the license status and looks for new firmware images daily:

    1. Review the configured firmware check schedule:

      # show full system fortiguard
      set auto-firmware-upgrade-start-hour 1
      set auto-firmware-upgrade-end-hour 4
    2. Determine when the next firmware check will occur:

      # diagnose test application forticldd 13
      Scheduled push image upgrade: no
      Scheduled Config Restore: no
      Scheduled Script Restore: no
      Automatic image upgrade: Enabled.
              New image information may be fetched.
              Next new image info fetch scheduled at (local time) Mon Oct 20 01:04:11 2025
              New image installation may be cancelled by the user.
              Last new image info fetch executed at (local time) Sun Oct 19 01:34:44 2025
  2. The FortiGate determines that the license has expired and that a new firmware image is available for a later patch of the current minor version:

    1. Review the status of the firmware license:

      # diagnose test update info
      ...
      System contracts:
          FMWR,Fri Jan  2 2009

      The license has expired.

    2. Review the current firmware image version:

      # get system status | grep Version
      Version: FortiGate-40F v7.4.8,build2702,250513 (GA.M)
    3. Check if there is a new firmware image available:

      # diagnose fdsm image-list
      ...
      07004000FIMGXXXXXXXX  v7.4 MR4-GA-M P9 b2829 (upgrade)
    4. The FortiGate will determine if an automatic upgrade is needed.

      # diagnose debug application forticldd -1
      ...
      2025-10-21 08:37:20 [206] fmwr_contract_expired: Contract expired!
      2025-10-21 08:37:20 [1705] auto_upg_img_check: News from FGT: FMWR contract expired? 1
      2025-10-21 08:37:20 [1706] auto_upg_img_check: News: Should we force it? 1

      In this instance, 1 represents an affirmative to the posed questions, so the automatic firmware upgrade should occur due to the expired license. Once the upgrade has been scheduled, it cannot be canceled.

      Note

      If you were reviewing the procedure for automatically upgrading the firmware when the FortiGate has reached EOES, the debug will display as follows:

      # diagnose debug app forticldd -1
      ....
      [1704] auto_upg_img_check: News from FDS: EOL reached? 1
      [1706] auto_upg_img_check: News: Should we force it? 1
  3. The FortiGate schedules the firmware upgrade based on the defined FortiGuard system configurations.

    # diagnose test application forticldd 13
    Scheduled push image upgrade: no
    Scheduled Config Restore: no
    Scheduled Script Restore: no
    Automatic image upgrade: Enabled (Forced).
            New image information may be fetched.
            Next new image info fetch scheduled at (local time) Tue Oct 28 11:21:40 2025
            New image installation will be forced.
            New image 7.4.9b2829(XXXXXXXX) installation is scheduled to:
                    start at Thu Oct 30 11:28:44 2025
                    end by Thu Oct 30 12:00:00 2025
            Last new image info fetch executed at (local time) Mon Oct 27 11:45:18 2025
    Note

    The schedule defined by the FortiGuard system configurations can be a day set numerically using auto-firmware-upgrade-delay or any specific days from Monday to Sunday using auto-firmware-upgrade-day. These settings are mutually exclusive. See Enabling automatic firmware upgrades for more information.

  4. Postpone the firmware installation by one week:

    # execute auto-upgrade delay-installation
    Postponing auto-upgrade image installation to a week later...
    Auto-upgrade image installation rescheduled to: start at local time Thu Nov  6 11:29:55 2025
            end by local time Thu Nov  6 12:00:00 2025
    
  5. Review the new installation time:

    # diagnose test application forticldd 13
    Scheduled push image upgrade: no
    Scheduled Config Restore: no
    Scheduled Script Restore: no
    Automatic image upgrade: Enabled (Forced).
            New image information may be fetched.
            Next new image info fetch scheduled at (local time) Tue Oct 28 11:21:40 2025
            New image installation will be forced.
            New image 7.4.9b2829(XXXXXXXX) installation is scheduled to:
                    start at Thu Nov  6 11:29:55 2025
                    end by Thu Nov  6 12:00:00 2025
            Last new image info fetch executed at (local time) Mon Oct 27 11:45:18 2025
  6. Attempt to cancel the scheduled upgrade:

    # execute federated-upgrade cancel
    The existing upgrades cannot be cancelled.
    Command fail. Return code 1

    The upgrade cannot be canceled once it has been scheduled.

  7. During the scheduled upgrade window, the FortiGate will upgrade the firmware.

    The federated-upgrade configuration will update for the automatic firmware upgrade.

    config system federated-upgrade
        set status initialized
        set source forced-upgrade
        set upgrade-id 1
        set ha-reboot-controller "FGT40FXXXXXXXX"
        config node-list
            edit "FGT40FXXXXXXXX"
                set timing immediate
                set maximum-minutes 45
                set setup-time 07:14 2025/10/16 UTC
                set upgrade-path 7-4-7
            next
        end
    end
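
For fleet monitoring, the status output reviewed in steps 3 and 5 can be parsed to flag devices with a forced installation pending and to read the installation window. The following Python is an added example, not Fortinet code; the function names are hypothetical and the sample strings are constructed from the output shown above.

```python
import re
from datetime import datetime

# Constructed sample input: status output reproduced from steps 1 and 3 on this page.
FORCED = """\
Automatic image upgrade: Enabled (Forced).
        New image information may be fetched.
        Next new image info fetch scheduled at (local time) Tue Oct 28 11:21:40 2025
        New image installation will be forced.
        New image 7.4.9b2829(XXXXXXXX) installation is scheduled to:
                start at Thu Oct 30 11:28:44 2025
                end by Thu Oct 30 12:00:00 2025
"""
NORMAL = """\
Automatic image upgrade: Enabled.
        New image information may be fetched.
        New image installation may be cancelled by the user.
"""

def _when(label, text):
    """Parse a 'start at' / 'end by' timestamp (device local time, no time zone).
    Tolerates the optional 'local time' words and space-padded day numbers."""
    m = re.search(label + r" (?:local time )?(\w{3} \w{3} +\d+ [\d:]+ \d{4})", text)
    if not m:
        return None
    return datetime.strptime(" ".join(m.group(1).split()), "%a %b %d %H:%M:%S %Y")

def parse_auto_upgrade(text):
    """Extract enforcement state, target image and installation window."""
    state = re.search(r"Automatic image upgrade:\s*(\w+)( \(Forced\))?", text)
    image = re.search(r"New image (\d+\.\d+\.\d+)b(\d+)\(", text)
    return {
        "enabled": bool(state) and state.group(1) == "Enabled",
        "forced": bool(state and state.group(2)),
        "version": image.group(1) if image else None,
        "build": image.group(2) if image else None,
        "start": _when("start at", text),
        "end": _when("end by", text),
    }

def hours_until_install(info, now):
    """Hours left before a forced installation starts; None when nothing is forced."""
    if not (info["forced"] and info["start"]):
        return None
    return (info["start"] - now).total_seconds() / 3600
```

Pass `now` as the device's local time, because the timestamps in the output carry no time zone.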

Special considerations

The status of the FortiGate may affect the automatic upgrade as follows:

  • If the FortiGate is a part of the Security Fabric, it will not automatically upgrade the firmware. Conversely, if an upgrade is scheduled, the FortiGate will be unable to join a Security Fabric.

  • If the FortiGate is connected to a FortiManager, it will not automatically upgrade the firmware. Likewise, if an upgrade is scheduled, the FortiGate will still be able to connect with the FortiManager and the automatic firmware upgrade will be canceled.

  • If a FortiGate is part of an HA pair, the enforced, automatic firmware upgrade will proceed as intended for the primary FortiGate. The secondary FortiGate will not perform an enforced, automatic firmware upgrade on its own because the automatic upgrade is disabled on secondary; however, it will receive the upgrade through a cluster upgrade initiated by the primary FortiGate.

  • If an automatic firmware upgrade has been scheduled, it will block any new federated upgrades from occurring.
