Enabling automatic firmware updates
The auto-firmware-upgrade
option can be enabled to automatically update firmware based on the FortiGuard upgrade path. When enabled, the FortiGate will look for an upgrade path and perform an upgrade at a time within the time period specified by the administrator. The upgrade will only be performed on a patch within the same major release version.
config system fortiguard set auto-firmware-upgrade {enable | disable} set auto-firmware-upgrade-day {sunday monday tuesday wednesday thursday friday saturday} set auto-firmware-upgrade-start-hour <integer> set auto-firmware-upgrade-end-hour <integer> end
auto-firmware-upgrade {enable | disable} |
Enable/disable automatic patch-level firmware upgrade from FortiGuard. |
auto-firmware-upgrade-day {sunday monday tuesday wednesday thursday friday saturday} |
Enter the allowed day or days of the week to start the automatic patch-level firmware upgrade from FortiGuard. |
auto-firmware-upgrade-start-hour <integer> |
Set the start time of the designated time window for the automatic patch-level firmware upgrade from FortiGuard (in hours, 0 - 23, default = 2). The actual upgrade time is randomly selected in the time window. |
auto-firmware-upgrade-end-hour <integer> |
Set the end time of the designated time window for the automatic patch-level firmware upgrade from FortiGuard (in hours, 0 - 23, default = 4). When this value it is smaller than the start time, it will be treated as the same time in the next day. The actual upgrade time is randomly selected in the time window. |
Example
To configure automatic firmware upgrades using the default schedule:
config system fortiguard set auto-firmware-upgrade enable set auto-firmware-upgrade-day sunday monday tuesday wednesday thursday friday saturday set auto-firmware-upgrade-start-hour 2 set auto-firmware-upgrade-end-hour 4 end
Sample event log after enabling this option with a certain schedule:
date=2022-07-12 time=10:41:52 eventtime=1657647712247415816 tz="-0700" logid="0100032263" type="event" subtype="system" level="notice" vd="vdom1" logdesc="Automatic firmware upgrade schedule changed" user="system" msg="System patch-level auto-upgrade scheduled at local time Wed Jul 13 02:18:36 2022, looking for patch-level upgrade only."
Performing the upgrade:
At the scheduled upgrade time, the FortiGate (forticldd daemon) will only try to upgrade to the latest patch in the same <major.minor> version in the image upgrade matrix.
For example, the following new releases are available in FortiGuard (fictitious build numbers are used to demonstrate the functionality of this feature):
FGTPlatform=FG201E|FGTCurrVersion=7.0.6|FGTCurrBuildNum=0366|FGTUpgVersion=7.2.2|FGTUpgBuildNum=1602|BaselineVersion=DISABLE
FGTPlatform=FG201E|FGTCurrVersion=7.2.1|FGTCurrBuildNum=1224|FGTUpgVersion=7.2.2|FGTUpgBuildNum=1602|BaselineVersion=DISABLE
Sample log event log after a successful upgrade:
date=2022-06-22 time=11:16:38 eventtime=1655921798859111708 tz="-0700" logid="0100032202" type="event" subtype="system" level="critical" vd="root" logdesc="Image restored" ui="forticldd" action="restore-image" status="success" msg="User restored the image from forticldd (v7.2.1,build1224 -> v7.2.2,build1602)"
Other scenarios
If auto-firmware-upgrade
is changed to be disabled, the FortiGate (forticldd daemon) will not perform a scheduled upgrade.
Sample event log after disabling automatic firmware upgrades:
date=2022-06-22 time=10:31:25 eventtime=1655919085881435255 tz="-0700" logid="0100032263" type="event" subtype="system" level="notice" vd="root" logdesc="Automatic firmware upgrade schedule changed" user="system" msg="System patch-level auto-upgrade disabled."
If there is no upgrade image on the server, the forticldd daemon will reschedule the update to the next available time.
Sample debug output:
[874] sch_auto_update_done: No newer build found in the current major release. [805] fds_schedule_auto_fmwr_upgrade: trace [844] fds_schedule_auto_fmwr_upgrade: Automatic firmware upgrade is scheduled at (Local) Wed Jun 1 15:52:30 2022
Sample event log after rescheduling the update:
date=2022-06-22 time=12:31:17 eventtime=1655926278277347987 tz="-0700" logid="0100032263" type="event" subtype="system" level="notice" vd="root" logdesc="Automatic firmware upgrade schedule changed" user="system" msg="System patch-level auto-upgrade scheduled at local time Thu Jun 23 12:40:21 2022, looking for patch-level upgrade only."
Automatic firmware upgrades on entry-level FortiGates
Automatic firmware upgrades are enabled by default on entry-level FortiGates (lower than 100 series). Upgrades will be made to the next stable patch. However, if a FortiGate is part of a Security Fabric or managed by FortiManager, the Automatic image upgrade
option is disabled.
To demonstrate the functionality of this feature, this example uses FortiGates that are running and upgrading to fictitious build numbers. |
To view the default firmware upgrade settings:
-
Verify the FortiGuard firmware update settings:
show full system fortiguard | grep firmware set auto-firmware-upgrade enable unset auto-firmware-upgrade-day set auto-firmware-upgrade-delay 3 set auto-firmware-upgrade-start-hour 2 set auto-firmware-upgrade-end-hour 4
-
Verify the patch update schedule:
# diagnose test application forticldd 13 Scheduled push image upgrade: no Scheduled Config Restore: no Scheduled Script Restore: no Automatic image upgrade: Enabled. Next upgrade check scheduled at (local time) Wed Sep 27 03:26:33 2023
If the FortiGate is part of a Fabric or managed by FortiManager, the
Automatic image upgrade
option is set todisabled
.# diagnose test application forticldd 13 ... Automatic image upgrade: disabled.
To verify the update schedule after a new patch is detected:
# diagnose test application forticldd 13 ... Automatic image upgrade: Enabled. Next upgrade check scheduled at (local time) Fri Sep 22 13:50:15 2023 New image 7.2.7b2600(07004000FIMG0019704002) installation is scheduled to start at Sat Sep 23 13:03:56 2023 end by Sat Sep 23 14:00:00 2023
Sample email after configuring automatic firmware upgrades:
From: DoNotReply@notification.fortinet.net <DoNotReply@notification.fortinet.net> Sent: Tuesday, September 26, 2023 11:08 AM To: ********** <*****@fortinet.com> Subject: Automatic firmware upgrade schedule changed date=2023-09-26 time=11:07:34 devid="FG81EPTK19000000" devname="FortiGate-81E-POE" eventtime=1690308454221334719 tz="-0700" logid="0100032263" type="event" subtype="system" level="notice" vd="root" logdesc="Automatic firmware upgrade schedule changed" user="system" msg="System patch-level auto-upgrade regular check enabled."
Sample email after a new image installation is scheduled:
From: DoNotReply@notification.fortinet.net <DoNotReply@notification.fortinet.net> Sent: Friday, September 22, 2023 1:17 PM To: ********** <*****@fortinet.com> Subject: Automatic firmware upgrade schedule changed date=2023-09-22 time=13:16:50 devid="FG81EPTK19000000" devname="FortiGate-81E-POE" eventtime=1689970609076391174 tz="-0700" logid="0100032263" type="event" subtype="system" level="notice" vd="root" logdesc="Automatic firmware upgrade schedule changed" user="system" msg="System patch-level auto-upgrade new image installation scheduled between local time Sat Sep 23 13:03:56 2023 and local time Sat Sep 23 14:00:00 2023."
Sample event logs after the federated upgrade is complete:
date=2023-09-23 time=13:55:37 eventtime=1689972938126416979 tz="-0700" logid="0100032138" type="event" subtype="system" level="critical" vd="root" logdesc="Device rebooted" ui="sfupgraded" action="reboot" msg="User rebooted the device from sfupgraded. The reason is 'upgrade firmware'" date=2023-09-23 time=13:55:37 eventtime=1689972938126337130 tz="-0700" logid="0100032202" type="event" subtype="system" level="critical" vd="root" logdesc="Image restored" ui="sfupgraded" action="restore-image" status="success" msg="User restored the image from sfupgraded (v7.2.6,build2425 -> v7.2.7,build2426)"
Sample email after the federated upgrade is complete:
From: DoNotReply@notification.fortinet.net <DoNotReply@notification.fortinet.net> Sent: Friday, September 22, 2023 2:00 PM To: ********** <*****@fortinet.com> Subject: A federated upgrade was completed by the root FortiGate date=2023-09-22 time=14:00:09 devid="FG81EPTK19000000" devname="FortiGate-81E-POE" eventtime=1689973183346851869 tz="-0700" logid="0100022094" type="event" subtype="system" level="information" vd="root" logdesc="A federated upgrade was completed by the root FortiGate" msg="Federated upgrade complete" version="7.2.7"