Skip to main content
aionescu
Staff
aionescu
Staff
March 16, 2026

Technical Tip: Explanation of AutoUpdate process and generated logs in the configuration revision history

  • March 16, 2026
  • 0 replies
  • 454 views
Description This article describes the AutoUpdate process and the generated logs in the configuration revision history.
Scope FortiManager.
Solution

There are 3 methods to automatically sync the changes made on the FortiGate side:

  1. Initiated by FortiGate: The FortiGate sends the CLI configuration change (diff only) to FortiManager.
  • If the changes are device-level only, the Config Status changes to Auto-Update, and Policy Package Status remains in its previous state.
  • If the changes include firewall (ADOM db) objects, the Config Status is still Auto-Update, but the Policy Status changes to Out of Sync. Or if the policy package was previously Modified, then the status will change to ConflictImport is required to recover the Policy Package from Out-of-Sync/Conflict if the change on the FortiGate was made intentionally. If not, install the Policy Package to override the policy-related changes made on the FortiGate.

 

In this case, the Configuration Revision History will indicate 'AutoUpdate', Created by user 'AutoUpdate', and the Comments 'Auto update from device'.

 

FMG log.png

 

  1. Initiated by FortiManager: If the FortiGate fails to initiate the first Auto-Update method, FortiManager will notice the mgmt-csum mismatch with the next FGFM keepalive and will try to retrieve the configuration changes. In this case, FortiManager will retrieve the entire FortiGate configuration and will then perform an internal diff operation to identify the unique changes that were performed on the FortiGate. If the process is successful, the Config Status and Policy Package Status will be updated in the same manner as in the first case.

 

This time, the revision history entry will indicate 'AutoUpdate', Created by user 'AutoUpdate', but the Comments column will contain 'Autoretrieve merged config'.

 

FMG log 2.png

 

  1. If the second method fails, FortiManager falls back to a full Auto-Retrieve, retrieving the entire FortiGate configuration, but instead of merging the 'diff', it will fully apply it to the Device Manager database configuration. This operation is identical to a manual retrieve, so the Config Status changes to Synchronized and the Policy Package Status to Unknown.

     

 

The Revision History entry will indicate an 'AutoRetrieve' by user 'AutoRetrieve', and the Comment 'Retrieve'.

 

FMG log 3.png

 

As best practice, it is highly recommended to always modify settings on FortiManager and not on FortiGate.
Terms & ConditionsAccessibility statement