Skip to main content
Toshi_Esumi
SuperUser
Toshi_Esumi
SuperUser
December 27, 2021
Solved

trigger/reason of FMG Auto-update

  • December 27, 2021
  • 2 replies
  • 5237 views

We've been using a FMG-VM about 7 months in production, which is now 6.4.8 running. But still see Auto-update happens to a few managed FGTs without any local config changes.

Mostly seems to be harmless when I diff config revisions before and after, which makes me more specious "why needs to happen???". But when I upgraded those FGTs last time, about 30 of them at a time, 2-3 of them got an IPS sensor's content removed 5 - 60 minutes later after the maintenance was completed. TAC said that particular one was probably a bug but closed the case since I already re-installed the policy package and nothing to look at. And no explanation about the random auto-updates.

 

Does anyone know the conditions an auto-update might happen?

 

Toshi

Best answer by Debbie_FTNT

Hey Toshi,

 

an auto-update usually happens after an admin logs in on a managed FortiGate, selects read-write access during the login, and then logs out.
The admin logout prompts the FortiGate to update its config in FortiManager. I'm not sure if the auto-update happens EVERY time or only if configuration changes were undertaken (you might need to compare revisions for that), but it is the admin logout that triggers it.

You could check through your FortiGate system event logs to see if the auto-update times align with admin logouts or other activity.

 

Hope this helps :)

2 replies

Toshi_Esumi
SuperUser
Toshi_EsumiAuthor
SuperUser
December 27, 2021

Sorry I meant to type 6.4.7. We've been waiting for 6.4.8 for a big bug fix.

Debbie_FTNT
Staff & Editor
Debbie_FTNTAnswer
Staff & Editor
December 28, 2021

Hey Toshi,

 

an auto-update usually happens after an admin logs in on a managed FortiGate, selects read-write access during the login, and then logs out.
The admin logout prompts the FortiGate to update its config in FortiManager. I'm not sure if the auto-update happens EVERY time or only if configuration changes were undertaken (you might need to compare revisions for that), but it is the admin logout that triggers it.

You could check through your FortiGate system event logs to see if the auto-update times align with admin logouts or other activity.

 

Hope this helps :)

Toshi_Esumi
SuperUser
Toshi_EsumiAuthor
SuperUser
December 28, 2021

Thanks Debbie. That explains some behaviors related to auto-update. I think it does it regardless any config is changed or not. For those I noticed after the firmware upgrade last time, I think I got in via CLI over SSH to verify they're working as they should after the upgrade then logged out. Wiping out the content of IPS sensor was not expected though. But it happened only to device DB and didn't change actual config on the device.

I wished it was described somewhere in the online manual of FMG and TAC was trained accordingly.

 

Toshi

Debbie_FTNT
Staff & Editor
Debbie_FTNT
Staff & Editor
December 28, 2021

No problem, happy to help :).

I just happen to know this as I was part of the FortiManager TAC team a few years ago. They should be aware of this information, and if you ever have a ticket with them, you could suggest they create a KB on this. Might come across as bit odd if I (as non FMG-team member) write one.
Cheers!

Terms & ConditionsAccessibility statement