Automatic firmware upgrade enhancements 7.4.1

Note

This information is also available in the FortiOS 7.4 Administration Guide:

Several automatic firmware upgrade enhancements are added:

  • Automatic patch upgrades are available in the FortiGate Setup wizard.

  • Automatic patch upgrades can be enabled or disabled from System > Firmware & Registration.

  • By default, entry-level FortiGates (lower than 100 series) have automatic firmware upgrades enabled.

  • FortiGates belonging to a Security Fabric or FortiGates under management by a FortiManager cannot enable automatic firmware upgrade.

Caution

On FortiOS 7.4.2 and FortiOS 7.4.3, automatic firmware upgrade only allows upgrading to a Mature build. For information about firmware maturity, see Firmware maturity levels.

To configure automatic firmware upgrades from the GUI:
  1. Log in to the FortiGate GUI and click Begin.

  2. Select Enable automatic patch upgrades for v7.4 (default setting).

  3. Edit the upgrade and installation settings as needed (Upgrade schedule, Delay by number of days, Install during specified time), then click Save and continue.

    Note

    If Disable automatic patch upgrades is selected, this can be changed later from the System > Firmware & Registration page by clicking the Disable automatic patch upgrades notification.

  4. The Enable Automatic Patch Upgrades dialog opens. Select I acknowledge and click OK to proceed.

    The FortiGate will be updated based on the configured schedule when a new patch is available.

  5. An email is sent to alert the administrator that the firmware upgrade schedule has changed.

  6. Once a patch is detected, an email is sent to alert the administrator that a new image installation is scheduled.

  7. After the image installation is completed, an email is sent to alert the administrator that the federated upgrade is complete.

To view the default firmware upgrade settings:
  1. Verify the FortiGuard firmware update settings:

    # show full system fortiguard | grep firmware
        set auto-firmware-upgrade enable
        unset auto-firmware-upgrade-day
        set auto-firmware-upgrade-delay 3
        set auto-firmware-upgrade-start-hour 2
        set auto-firmware-upgrade-end-hour 4

  2. Verify the patch update schedule:

    # diagnose test application forticldd 13
    Scheduled push image upgrade: no
    Scheduled Config Restore: no
    Scheduled Script Restore: no
    Automatic image upgrade: Enabled.
            Next upgrade check scheduled at (local time) Wed Jul 26 03:26:33 2023

    Note

    If the FortiGate is part of a Fabric or managed by FortiManager, the Automatic image upgrade option is set to disabled.

    # diagnose test application forticldd 13
    ...
    Automatic image upgrade: disabled.

To verify the update schedule after a new patch is detected:

# diagnose test application forticldd 13
...
Automatic image upgrade: Enabled.
        Next upgrade check scheduled at (local time) Fri Jul 21 13:50:15 2023
        New image 7.4.2b2600(07004000FIMG0019704002) installation is scheduled to
                start at Sat Jul 22 13:03:56 2023
                end by Sat Jul 22 14:00:00 2023

Sample email after configuring automatic firmware upgrades:

From: DoNotReply@notification.fortinet.net <DoNotReply@notification.fortinet.net>
Sent: Tuesday, July 25, 2023 11:08 AM
To: ********** <*****@fortinet.com>
Subject: Automatic firmware upgrade schedule changed

date=2023-07-25 time=11:07:34 devid="FG81EPTK19000000" devname="FortiGate-81E-POE" eventtime=1690308454221334719 tz="-0700" logid="0100032263" type="event" subtype="system" level="notice" vd="root" logdesc="Automatic firmware upgrade schedule changed" user="system" msg="System patch-level auto-upgrade regular check enabled."

Sample email after a new image installation is scheduled:

From: DoNotReply@notification.fortinet.net <DoNotReply@notification.fortinet.net>
Sent: Friday, July 21, 2023 1:17 PM
To: ********** <*****@fortinet.com>
Subject: Automatic firmware upgrade schedule changed

date=2023-07-21 time=13:16:50 devid="FG81EPTK19000000" devname="FortiGate-81E-POE" eventtime=1689970609076391174 tz="-0700" logid="0100032263" type="event" subtype="system" level="notice" vd="root" logdesc="Automatic firmware upgrade schedule changed" user="system" msg="System patch-level auto-upgrade new image installation scheduled between local time Sat Jul 22 13:03:56 2023 and local time Sat Jul 22 14:00:00 2023."

Sample event logs after the federated upgrade is complete:

date=2023-07-22 time=13:55:37 eventtime=1689972938126416979 tz="-0700" logid="0100032138" type="event" subtype="system" level="critical" vd="root" logdesc="Device rebooted" ui="sfupgraded" action="reboot" msg="User rebooted the device from sfupgraded. The reason is 'upgrade firmware'"

date=2023-07-22 time=13:55:37 eventtime=1689972938126337130 tz="-0700" logid="0100032202" type="event" subtype="system" level="critical" vd="root" logdesc="Image restored" ui="sfupgraded" action="restore-image" status="success" msg="User restored the image from sfupgraded (v7.4.1,build2425 -> v7.4.2,build2426)"

Sample email after the federated upgrade is complete:

From: DoNotReply@notification.fortinet.net <DoNotReply@notification.fortinet.net>
Sent: Friday, July 22, 2023 2:00 PM
To: ********** <*****@fortinet.com>
Subject: A federated upgrade was completed by the root FortiGate

date=2023-07-22 time=14:00:09 devid="FG81EPTK19000000" devname="FortiGate-81E-POE" eventtime=1689973183346851869 tz="-0700" logid="0100022094" type="event" subtype="system" level="information" vd="root" logdesc="A federated upgrade was completed by the root FortiGate" msg="Federated upgrade complete" version="7.4.2"
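
The sample logs above can be correlated to confirm that a firmware change happened inside the announced installation window. The following Python is an added example, not part of the Fortinet documentation: it parses the key=value event lines, takes the window from the logid 0100032263 message, and flags any restore-image event that falls outside it or does not carry ui="sfupgraded". Treating ui="sfupgraded" as the marker of an automatic upgrade is an assumption inferred from the sample logs; the function names and the lines marked as constructed are hypothetical.

```python
import re
from datetime import datetime

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
WINDOW = re.compile(r"scheduled between local time (.+?) and local time (.+?)\.?$")
TS = "%a %b %d %H:%M:%S %Y"  # format of the times inside msg, e.g. Sat Jul 22 13:03:56 2023

def parse_line(line):
    """Split one FortiOS key=value log line into a dict, unquoting quoted values."""
    return {key: quoted or bare for key, quoted, bare in KV.findall(line)}

def audit_upgrades(lines):
    """Return (timestamp, reason) for each image restore that does not match
    the announced automatic-upgrade window. Lines must be in time order."""
    window, findings = None, []
    for ev in map(parse_line, lines):
        if "date" not in ev or "time" not in ev:
            continue
        stamp = f"{ev['date']} {ev['time']}"
        when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        if ev.get("logid") == "0100032263":          # schedule changed
            m = WINDOW.search(ev.get("msg", ""))
            if m:                                    # message announces a window
                window = tuple(datetime.strptime(t, TS) for t in m.groups())
        elif ev.get("action") == "restore-image":    # firmware actually replaced
            if ev.get("ui") != "sfupgraded":         # assumption: auto-upgrade marker
                findings.append((stamp, "not-auto-upgrade"))
            elif window is None or not window[0] <= when <= window[1]:
                findings.append((stamp, "outside-window"))
    return findings

# Event lines from this page, abridged to the fields the check reads.
PAGE_LOGS = [
    'date=2023-07-21 time=13:16:50 logid="0100032263" msg="System patch-level auto-upgrade new image installation scheduled between local time Sat Jul 22 13:03:56 2023 and local time Sat Jul 22 14:00:00 2023."',
    'date=2023-07-22 time=13:55:37 logid="0100032202" ui="sfupgraded" action="restore-image" status="success" msg="User restored the image from sfupgraded (v7.4.1,build2425 -> v7.4.2,build2426)"',
]
# Constructed lines (not from the page) that the check should flag.
CONSTRUCTED = [
    'date=2023-07-23 time=03:00:00 logid="0100032202" ui="sfupgraded" action="restore-image" status="success" msg="constructed"',
    'date=2023-07-23 time=04:00:00 logid="0100032202" ui="constructed-ui" action="restore-image" status="success" msg="constructed"',
]

if __name__ == "__main__":
    for stamp, reason in audit_upgrades(PAGE_LOGS + CONSTRUCTED):
        print(stamp, reason)
```

The date and time fields and the window in msg are both compared as device local time, so logs from devices in different time zones should be audited per device.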
