MHabib
New Member
January 16, 2025
Question

Autoupdate is off, still getting "Fortigate update now failed"


I have disabled autoupdate and cloud communication on our FortiGate firewall, running v7.0.14. But the logs are showing "Fortigate update now failed" every minute. Wondering how to get rid of these messages?

3 replies

kaman
Staff
January 19, 2025

Hi MHabib,

Does the license status in the GUI show a green icon? If not, can you try to install the license manually once and check whether the issue is gone then?

For details on how to install it you can use the following article:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Procedure-to-apply-FortiGate-firewall-license/ta-p/198781


The reported issue might be with FortiGate not getting updates from FortiGuard and the License for IPS showing "Not Licensed."


You can run the "execute update-now" command to trigger a manual FortiGuard update on the FortiGate device. Afterward, check if the license update has been successfully applied to the firewall.


Usually such issues happen when there is a communication issue between the FortiGate firewall and the FortiGuard servers.


https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-License-Subscription-failed-to-Update/ta-p/299369

Please execute the following commands and verify if the update was successful. If it wasn't, kindly attach the error logs here for further investigation.


diagnose debug reset
diagnose debug application update -1
diagnose debug enable
execute update-now


If you have found a solution, please like and accept it to make it easily accessible to others.


Regards,
Aman

 

MHabib
Author
New Member
January 20, 2025

The firewalls are installed in an air-gapped environment. The license is not installed, but IPS and other FortiGuard services are off and cloud communication is disabled; do we still need to install the license?

kaman
Staff
January 20, 2025

Hi MHabib,

Since you're in an air-gapped environment (FGT not permitted to the internet), you can disable all communication to FortiGuard/FortiCloud. Below is the explanation for each command:

config system global
    set fds-statistics disable # -> Disable sending IPS, Application Control, and AntiVirus data to FortiGuard
    unset fgd-alert-subscription # -> Disable retrieving alerts from FortiGuard
end

config system fortiguard
    set fortiguard-anycast disable # -> Disable the anycast method for updates; by default v6.4, 7.0, and 7.2 use anycast, while older versions (6.0, 6.2) use the unicast method
    set auto-join-forticloud disable # -> Automatic connection and login to FortiCloud (we use a closed environment, so no need to log in to FortiCloud)
    set antispam-force-off enable # -> Disable FortiGuard antispam caching
    set outbreak-prevention-force-off enable # -> Disable FortiGuard Virus Outbreak Prevention cache
    set webfilter-force-off enable # -> Disable FortiGuard webfilter caching
end

config system autoupdate tunneling
    set status disable # -> Disable web proxy tunneling for communication to FortiGuard
end

config system autoupdate schedule
    set status disable # -> Disable scheduled updates for signatures such as IPS + AV
end

config log fortiguard setting
    set status disable # -> Disable logging to FortiCloud
end


Reference:
https://docs.fortinet.com/document/fortigate/6.2.0/new-features/569561/disable-all-cloud-communication


If you have found a solution, please like and accept it to make it easily accessible to others.


Regards,
Aman

MHabib
Author
New Member
January 21, 2025

All the above commands were already applied; the only exception was "set fortiguard-anycast disable". I have applied this as well, but it made no difference.