Automatic firmware upgrades for FortiGate appliances with invalid support contracts or that have reached EOES
To enhance security and reduce vulnerabilities, FortiGates that are no longer under a valid Firmware & General Updates (FMWR) license or that have reached End of Engineering Support (EOES) will automatically upgrade to the latest patch within their current minor version. This proactive measure ensures that all devices remain protected with the most up-to-date security features.
The FortiGate checks for a new patch upgrade on FortiGuard daily. If a new patch is discovered and the firmware license is invalid or the FortiGate has reached EOES, it will schedule an upgrade to the new firmware image. While this enforced compliance upgrade cannot be canceled, the installation schedule can be adjusted in two ways:
- Modify the upgrade schedule using the config system fortiguard auto-firmware-upgrade-day or auto-firmware-upgrade-delay commands. This allows rescheduling multiple times within a 14-day window after the new patch is detected. See Enabling automatic firmware upgrades for more information.
- Use the execute auto-upgrade delay-installation command to postpone the installation for a fixed 7-day period.
The firmware will upgrade to the latest patch in its current minor version. For example, if the current version is FortiOS 7.4.8, the firmware will automatically upgrade to the latest 7.4.x version. It will not upgrade to another minor version, such as 7.6.x.
Example
The following example demonstrates the process of an automatic firmware upgrade from 7.4.8 to 7.4.9 when the current license is found to be invalid. It would also apply if the firmware had passed its EOES date.
At the time that this example was created, FortiOS 7.4.9 was the latest GA build for the 7.4 minor version. If a higher patch is available for this minor version, such as 7.4.10 or later, the firmware would be updated to that version instead.
To review the automatic firmware update:
- The FortiGate will check the license status and for new firmware images daily:
  - Review the configured firmware check schedule:

      # show full system fortiguard
          set auto-firmware-upgrade-start-hour 1
          set auto-firmware-upgrade-end-hour 4

  - Determine when the next firmware check will occur:

      # diagnose test application forticldd 13
      Scheduled push image upgrade: no
      Scheduled Config Restore: no
      Scheduled Script Restore: no
      Automatic image upgrade: Enabled.
              New image information may be fetched.
              Next new image info fetch scheduled at (local time) Mon Oct 20 01:04:11 2025
              New image installation may be cancelled by the user.
              Last new image info fetch executed at (local time) Sun Oct 19 01:34:44 2025
- The FortiGate determines that the license has expired and that a new firmware image is available for a later patch of the current minor version:
  - Review the status of the firmware license:

      # diagnose test update info
      ...
      System contracts:
      FMWR,Fri Jan 2 2009

    The license has expired.

  - Review the current firmware image version:

      # get system status | grep Version
      Version: FortiGate-40F v7.4.8,build2702,250513 (GA.M)

  - Check if there is a new firmware image available:

      # diagnose fdsm image-list
      ...
      07004000FIMGXXXXXXXX v7.4 MR4-GA-M P9 b2829 (upgrade)

  - The FortiGate will determine if an automatic upgrade is needed.

      # diagnose debug application forticldd -1
      ...
      2025-10-21 08:37:20 [206] fmwr_contract_expired: Contract expired!
      2025-10-21 08:37:20 [1705] auto_upg_img_check: News from FGT: FMWR contract expired? 1
      2025-10-21 08:37:20 [1706] auto_upg_img_check: News: Should we force it? 1

    In this instance, 1 represents an affirmative to the posed questions, so the automatic firmware upgrade should occur due to the expired license. Once the upgrade has been scheduled, it cannot be canceled.

    If you were reviewing the procedure for automatically upgrading the firmware when the FortiGate has reached EOES, the debug will display as follows:

      # diagnose debug app forticloudd -1
      ....
      [1704] auto_upg_img_check: News from FDS: EOL reached? 1
      [1706] auto_upg_img_check: News: Should we force it? 1
- The FortiGate schedules the firmware upgrade based on the defined FortiGuard system configurations.

    # diagnose test application forticldd 13
    Scheduled push image upgrade: no
    Scheduled Config Restore: no
    Scheduled Script Restore: no
    Automatic image upgrade: Enabled (Forced).
            New image information may be fetched.
            Next new image info fetch scheduled at (local time) Tue Oct 28 11:21:40 2025
            New image installation will be forced.
            New image 7.4.9b2829(XXXXXXXX) installation is scheduled to:
                    start at Thu Oct 30 11:28:44 2025
                    end by Thu Oct 30 12:00:00 2025
            Last new image info fetch executed at (local time) Mon Oct 27 11:45:18 2025

  The schedule defined by the FortiGuard system configurations can be a day set numerically using auto-firmware-upgrade or on any specific days for Monday to Sunday using auto-firmware-day. These settings are mutually exclusive. See Enabling automatic firmware upgrades for more information.

- Postpone the firmware installation by one week:

    # execute auto-upgrade delay-installation
    Postponing auto-upgrade image installation to a week later...
    Auto-upgrade image installation rescheduled to:
            start at local time Thu Nov 6 11:29:55 2025
            end by local time Thu Nov 6 12:00:00 2025

- Review the new installation time:

    # diagnose test application forticldd 13
    Scheduled push image upgrade: no
    Scheduled Config Restore: no
    Scheduled Script Restore: no
    Automatic image upgrade: Enabled (Forced).
            New image information may be fetched.
            Next new image info fetch scheduled at (local time) Tue Oct 28 11:21:40 2025
            New image installation will be forced.
            New image 7.4.9b2829(XXXXXXXX) installation is scheduled to:
                    start at Thu Nov 6 11:29:55 2025
                    end by Thu Nov 6 12:00:00 2025
            Last new image info fetch executed at (local time) Mon Oct 27 11:45:18 2025

- Attempt to cancel the scheduled upgrade:

    # execute federated-upgrade cancel
    The existing upgrades cannot be cancelled.
    Command fail. Return code 1

  The upgrade cannot be canceled once it has been scheduled.
- During the scheduled upgrade window, the FortiGate will upgrade the firmware.

  The federated-upgrade configuration will update for the automatic firmware upgrade.

    config system federated-upgrade
        set status initialized
        set source forced-upgrade
        set upgrade-id 1
        set ha-reboot-controller "FGT40FXXXXXXXX"
        config node-list
            edit "FGT40FXXXXXXXX"
                set timing immediate
                set maximum-minutes 45
                set setup-time 07:14 2025/10/16 UTC
                set upgrade-path 7-4-7
            next
        end
    end
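Because a forced upgrade cannot be canceled, it helps to pull the scheduled installation window out of the diagnose test application forticldd 13 output and compare it against planned maintenance. The following is an added example, not Fortinet code: the function names and the change-freeze check are hypothetical, and the sample text is the output shown in the procedure above.

```python
import re
from datetime import datetime

# Output copied from the example on this page (image ID redacted as on the page).
SAMPLE = """\
Scheduled push image upgrade: no
Scheduled Config Restore: no
Scheduled Script Restore: no
Automatic image upgrade: Enabled (Forced).
        New image information may be fetched.
        Next new image info fetch scheduled at (local time) Tue Oct 28 11:21:40 2025
        New image installation will be forced.
        New image 7.4.9b2829(XXXXXXXX) installation is scheduled to:
                start at Thu Oct 30 11:28:44 2025
                end by Thu Oct 30 12:00:00 2025
        Last new image info fetch executed at (local time) Mon Oct 27 11:45:18 2025
"""

TS = r"(\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4})"
FMT = "%a %b %d %H:%M:%S %Y"

def _ts(text):
    # Collapse padding such as "Nov  6" before parsing (device-local time, naive).
    return datetime.strptime(" ".join(text.split()), FMT)

def parse_auto_upgrade(output):
    """Return state, forced flag, target image and install window (hypothetical helper)."""
    state = re.search(r"Automatic image upgrade:\s*(.+?)\.?\s*$", output, re.M)
    image = re.search(r"New image (\S+?)\(.*?\) installation is scheduled", output)
    start = re.search(r"start at (?:local time )?" + TS, output)
    end = re.search(r"end by (?:local time )?" + TS, output)
    return {
        "state": state.group(1) if state else None,
        "forced": "installation will be forced" in output,
        "image": image.group(1) if image else None,
        "start": _ts(start.group(1)) if start else None,
        "end": _ts(end.group(1)) if end else None,
    }

def overlaps_freeze(info, freeze_start, freeze_end):
    """True when a forced install window intersects a change-freeze period."""
    if not (info["forced"] and info["start"] and info["end"]):
        return False
    return info["start"] < freeze_end and freeze_start < info["end"]
```

The same parser accepts the "start at local time ..." form printed by execute auto-upgrade delay-installation, so the window can be re-checked after a postponement.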
Special considerations
The status of the FortiGate may affect the automatic upgrade as follows:
- If the FortiGate is a part of the Security Fabric, it will not automatically upgrade the firmware. Alternatively, if an upgrade is scheduled, the FortiGate will be unable to join a Security Fabric.
- If the FortiGate is connected to a FortiManager, it will not automatically upgrade the firmware. Likewise, if an upgrade is scheduled, the FortiGate will still be able to connect with the FortiManager and the automatic firmware upgrade will be canceled.
- If a FortiGate is part of an HA pair, the enforced, automatic firmware upgrade will proceed as intended for the primary FortiGate. The secondary FortiGate will not perform an enforced, automatic firmware upgrade on its own because the automatic upgrade is disabled on secondary; however, it will receive the upgrade through a cluster upgrade initiated by the primary FortiGate.
- If an automatic firmware upgrade has been scheduled, it will block any new federated upgrades from occurring.