Enhancements to required upgrade when firmware license is invalid or device is EOES
This information is also available in the FortiOS 8.0 Administration Guide:
Since FortiOS 7.4.8 and 7.6.4, FortiGates are required to upgrade to the latest patch when:
-
FortiGate has an invalid firmware license.
-
FortiGate is running a minor FortiOS version that has reached end of engineering support (EOES).
In this enhancement, the FortiGate FortiGuard communication protocol (FCPC) is enhanced to accept a new ForcedUpdate flag as well as the <major>.<minor>.<patch>-<build> version from FortiGate. When a FortiGate observes its firmware license is invalid, it sends FortiGuard a firmware upgrade message with the ForcedUpdate flag and its version, such as 7.4.10-2878.
In turn, FortiGuard server will ignore license check for that device and parse its firmware version. If the major and minor version on the upgrade-from and upgrade-to firmware are the same, the upgrade will be allowed.
Required upgrade does not apply to special builds.
Furthermore logs, notifications, and automation stitches are improved to provide clearer messaging about auto-upgrade and required-upgrade.
This topic contains the following sections:
-
Example 1: FortiGate is required to upgrade while firmware license is invalid
-
Example 2: FortiGate is required to upgrade because EOES is reached
Example 1: FortiGate is required to upgrade while firmware license is invalid
In this hypothetical scenario, a FortiGate is running FortiOS 7.6.7, and its firmware license expired on Friday, January 2, 2026:
System contracts:
FMWR,Fri Jan 2 2026
Checking its auto-upgrade status, the Support Contract Status is marked Expired:
# execute auto-upgrade status
Current Image Reached End of Life: no
Is current firmware a special build: No
Support Contract Status: Expired
Scheduled push image upgrade: no
Scheduled Config Restore: no
Scheduled Script Restore: no
Automatic image upgrade: Enabled.
New image information may be fetched.
New image installation may be cancelled by the user.
Next new image info fetch scheduled at (local time) Wed Apr 1 21:07:59 2026
A new firmware is available on the upgrade path on FortiGuard. FortiGate schedules an upgrade.
# execute auto-upgrade status
Current Image Reached End of Life: no
Is current firmware a special build: No
Support Contract Status: Expired
Scheduled push image upgrade: no
Scheduled Config Restore: no
Scheduled Script Restore: no
Automatic image upgrade: Enabled (Forced).
New image information may be fetched.
New image installation will be forced.
Next new image info fetch scheduled at (local time) Thu Apr 2 21:19:00 2026
New image 7.6.8b3800(07006000FIMG0025906008) installation is scheduled to:
start at Sat Apr 4 14:08:36 2026
end by Sat Apr 4 15:00:00 2026
Last new image info fetch executed at (local time) Wed Apr 1 21:07:59 2026
When the scheduled time is reached, FortiGate will request the download from the FortiGuard server. When FortiGuard server identifies this is a Required-Upgrade, it will bypass license check and allow the firmware image to be downloaded.
FortiGate will install the new image, reboot, and send an email notification to the administrator.
Example 2: FortiGate is required to upgrade because EOES is reached
In this hypothetical scenario, a FortiGate has a valid firmware license but the current firmware has reached the EOES date.
The current firmware version is lower than the patch level image released on FortiGuard server.
Current firmware:
# get system status | grep Version Version: FortiGate-40F v7.6.7,build3679,260330
Available firmware on FortiGuard:
# diagnose fdsm image-list Last update: 895 secs ago. Total: 5 ... ... 07006000FIMG0025906008 v7.6 MR6-GA-F P8 b3800 (upgrade) 07002000FIMG0025902012 v7.2 MR2-GA-F P12 b1800 (downgrade) 07002000FIMG0025902011 v7.2 MR2-NA- b1737 (downgrade)
Upgrade path:
# diagnose fdsm image-upgrade-matrix Last update: 1013 secs ago. Total: 315 v8.0.0.(b150) -> v8.0.1.F(b1234) (id:08000000FIMG0025900001) v7.6.7.(b3679) -> v7.6.8.F(b3800) (id:07006000FIMG0025906008)
Checking its auto-upgrade status, the end of life status is set to yes.
FortiGate-40F (Interim)# execute auto-upgrade status
Current Image Reached End of Life: yes
Is current firmware a special build: No
Support Contract Status: Active
Scheduled push image upgrade: no
Scheduled Config Restore: no
Scheduled Script Restore: no
Automatic image upgrade: Enabled.
New image information may be fetched.
New image installation may be cancelled by the user.
Next new image info fetch scheduled at (local time) Thu Apr 2 14:33:55 2026
To force FortiGate to trigger a manual update-check, run this command:
# execute auto-upgrade check-for-new-image Manually triggering auto-upgrade new image check... Auto-upgrade new image check triggered. Firmware Update from Management Service Upgrade to image 7.6.8b3800-F (07006000FIMG0025906008) has been scheduled between Sat Apr 4 14:21:30 2026 and Sat Apr 4 15:00:00 2026. This upgrade is forced and cannot be cancelled, to delay this upgrade, please use "execute auto-upgrade delay-installation".
The FortiGate is now scheduled to perform the upgrade:
# execute auto-upgrade status
Current Image Reached End of Life: yes
Is current firmware a special build: No
Support Contract Status: Active
Scheduled push image upgrade: no
Scheduled Config Restore: no
Scheduled Script Restore: no
Automatic image upgrade: Enabled (Forced).
New image information may be fetched.
New image installation will be forced.
Next new image info fetch scheduled at (local time) Thu Apr 2 14:51:45 2026
New image 7.6.8b3800(07006000FIMG0025906008) installation is scheduled to:
start at Sat Apr 4 14:21:30 2026
end by Sat Apr 4 15:00:00 2026
Last new image info fetch executed at (local time) Wed Apr 1 17:41:10 2026
Upon the completion of the upgrade, FortiGate will trigger an automation stitch to send the registered FortiCare account owner an email stating:
An automated firmware update has completed successfully. The device FortiGate-40F, serial number FGT40FTK19004135, was updated to firmware version 7.6.8 on 2026-4-4 15:00:06.
This is an informational notification and was generated by automation stitch configuration on FortiGate-40F.
Administrators can delay an upgrade for one (1) week using the command:
# execute auto-upgrade delay-installation
Postponing auto-upgrade image installation to a week later...
Auto-upgrade image installation rescheduled to: start at local time Sat Apr 11 10:12:08 2026
end by local time Sat Apr 11 11:00:00 2026
Automation stitches
Wording in the following default automation stitches has been improved for firmware upgrade:
show system automation-stitch ? name Name. ... Firmware Upgrade Cancelled Firmware Upgrade Complete Firmware Upgrade Notification Firmware Upgrade Scheduled
This section shows the settings for the following automation stitches:
Firmware upgrade canceled
This section shows the settings, trigger, and action for the following default automation stitch: Firmware Upgrade Cancelled. The automation stitch is used when an automatic firmware upgrade is canceled.
-
View the default automation stitch for
Firmware Upgrade Cancelled:show system automation-stitch "Firmware Upgrade Cancelled" config system automation-stitch edit "Firmware Upgrade Cancelled" set description "Automatic firmware upgrade cancelled notification." set trigger "Auto Firmware Upgrade Cancelled" config actions edit 1 set action "Auto Upgrade Cancelled Email Notification" next end next end -
View the trigger:
The
"Auto Firmware Upgrade Cancelled"is the event, and32325is the new logid for"Automatic firmware upgrade image installation was cancelled".config system automation-trigger edit "Auto Firmware Upgrade Cancelled" set description "Automatic firmware upgrade cancelled." set event-type event-log set logid 32325 next end -
View the action:
By default, an email notification is sent to the email address for the FortiCare account. The default email subject and content is shown.
config system automation-action edit "Auto Upgrade Cancelled Email Notification" set description "Send auto upgrade cancelled email notification to the FortiCare email address registered on this device." set action-type email set forticare-email enable set email-to "<name>@<company>.com" set email-subject "Firmware Update Cancelled Notification : %%log.devname%%" set message "Date: %%log.date%% Time: %%log.time%% An automated firmware update has been cancelled on device: %%log.devname%%, serial number %%log.devid%%. This is an informational notification and was generated by automation stitch configuration on %%log.devname%%." next end
Firmware upgrade complete
This section shows the settings, trigger, and action for the following default automation stitch: Firmware Upgrade Complete. The automation stitch is used when an automatic firmware upgrade completes.
-
View the default automation stitch for
Firmware Upgrade Complete:edit "Firmware Upgrade Complete" set description "Automatic firmware upgrade complete notification." set trigger "Auto Firmware Upgrade Complete" config actions edit 1 set action "Auto Upgrade Complete Email Notification" next end next end -
View the trigger:
The
"Auto Firmware Upgrade Complete"is the event, and22096is the new logid for"Automatic firmware upgrade complete successfully".config system automation-trigger edit "Auto Firmware Upgrade Complete" set description "Automatic firmware upgrade complete successfully." set event-type event-log set logid 22096 22094 next end -
View the action:
By default, an email notification is sent to the email address for the FortiCare account. The default email subject and content is shown.
edit "Auto Upgrade Complete Email Notification" set description "Send auto upgrade complete email notification to the FortiCare email address registered on this device." set action-type email set forticare-email enable set email-to "<name>@<company>.com" set email-subject "Firmware Update Notification : %%log.devname%%" set message "An automated firmware update has completed successfully. The device %%log.devname%%, serial number %%log.devid%%, was updated to firmware version %%log.version%% on %%log.date%% %%log.time%%. This is an informational notification and was generated by automation stitch configuration on %%log.devname%%." next end
For example, when an upgrade completes, it is captured in the logs:
183: date=2026-03-06 time=07:16:18 eventtime=1772738177229032043 tz="+1200" logid="0100022096" type="event" subtype="system" level="information" vd="root" logdesc="An automatic firmware upgrade was completed" msg="Automatic upgrade complete" upgradesource="auto-firmware-upgrade" version="7.6.5" nodecount=1 fgtcount=1
Triggered by the default automation stitch, FortiGate sends an email notification about the completed upgrade:
Firmware Update Scheduled Notification : 245
Date: 2026-03-05 Time: 10:30:05
An automated firmware update has completed successfully. The device 245, serial number FG9H1GTB25900162, was updated to firmware version 7.6.5 on Mar 5 10:30:05 2026
This is an informational notification and was generated by automation stitch configuration on 245.
2026-03-05 10:30:05 mail_info:
from:fortinet-notifications.com user:DoNotReply@fortinet-notifications.com
2026-03-05 10:30:05 mail_info:
reverse path:DoNotReply@fortinet-notifications.com
user name:DoNotReply
2026-03-05 10:30:05 to[0]:<name>@<company>.com
2026-03-05 10:30:05 <==_init_mail_info
2026-03-05 10:30:05 create session
Firmware upgrade notification
This section shows the settings, trigger, and action for the following default automation stitch: Firmware Upgrade Notification. The automation stitch notifies administrators when an automatic firmware upgrade fails.
-
View the default automation stitch for
Firmware Upgrade Notification:By default, the notification is disabled. The
"Auto Firmware Upgrade"trigger is for failed upgrade events.edit "Firmware Upgrade Notification" set description "Automatic firmware upgrade notification." set status disable set trigger "Auto Firmware Upgrade" config actions edit 1 set action "Email Notification" next end next end -
View the trigger:
The
"Auto Firmware Upgrade"is the event, and22097is the logid for"Automatic firmware upgrade failed".config system automation-trigger edit "Auto Firmware Upgrade" set description "Automatic firmware upgrade." set event-type event-log set logid 22095 22097 next end -
View the action:
By default, an email notification is sent to the email address for the FortiCare account. The default email subject is the log.
edit "Email Notification" set description "Send a custom email to the specified recipient(s)." set action-type email set forticare-email enable set email-subject "%%log.logdesc%%" next end
Firmware upgrade scheduled
This section shows the settings, trigger, and action for the following default automation stitch: Firmware Upgrade Scheduled. The automation stitch is to notify administrators when an automatic firmware upgrade is scheduled.
-
View the default automation stitch for Firmware Upgrade Scheduled:
config system automation-stitch edit "Firmware Upgrade Scheduled" set description "Automatic firmware upgrade scheduled notification." set trigger "Auto Firmware Upgrade Scheduled" config actions edit 1 set action "Auto Upgrade Scheduled Email Notification" next end next end -
View the trigger:
The
"Auto Firmware Upgrade Scheduled"is the event, and32263is the logid for the system event"Automatic firmware image installation is (re)scheduled".config system automation-trigger edit "Auto Firmware Upgrade Scheduled" set description "Automatic firmware upgrade scheduled." set event-type event-log set logid 32263 next end -
View the action:
By default, an email notification is sent to the email address for the FortiCare account. The default email subject and content is shown.
config system automation-action edit "Auto Upgrade Scheduled Email Notification" set description "Send scheduled auto upgrade email notification to the FortiCare email address registered on this device." set action-type email set forticare-email enable set email-to "<name>@<company>.com" set email-subject "Firmware Update Scheduled Notification : %%log.devname%%" set message "Date: %%log.date%% Time: %%log.time%% An automated firmware update has been scheduled on device: %%log.devname%%, serial number %%log.devid%%. %%log.msg%% This is an informational notification and was generated by automation stitch configuration on %%log.devname%%." next end
Logs
The following log IDs are used with automation stitches for automatic and required upgrades to trigger email notifications:
|
Log ID |
Description |
|---|---|
|
32325 |
Log ID for the |
|
22096 |
Log ID for the |
|
32263 |
Log ID for the |
Notification methods
Several methods are used to notify administrators about a required upgrade.
Before a required upgrade starts, the FortiOS GUI banner shows a new firmware version is available, for example, A new firmware version is available: v7.6.8.
After FortiOS confirms a valid upgrade path for the required upgrade:
-
On the System > Firmware & Registration page:
-
The Upgrade Status column displays Upgrade to v7.6.8 shortly.
-
The Cancel Fabric Upgrade button is grayed out because forced upgrades cannot be canceled.
-
-
The Console prints the following information when scheduled to install the new image:
Auto-upgrade new image check triggered. Firmware Update from Management Service Upgrade to image 7.6.8b3800-F (07006000FIMG0025906008) has been scheduled between Sat Apr 4 14:08: 36 2026 and Sat Apr 4 15:00:00 2026. This upgrade is forced and cannot be cancelled, to delay this upgrade, please use "execute auto-upgrade delay-installation".
-
A default automation stitch triggers FortiGate to send an email notification:
-
FortiGate sends an email notification to the email address for the registered FortiCare account before and after upgrade:
An automated firmware update has completed successfully. The device FortiGate-40F, serial number FGT40FTK<number>, was updated to firmware version 7.6.8 on 2026-4-4 15:00:06. This is an informational notification and was generated by automation stitch configuration on FortiGate-40F.
-