FortiGate Cloud
FortiGate Cloud provides cloud-based management for FortiGate devices.
pjang
Staff
Article Id 332474
Description

This article describes the new Automatic Upgrade/Firmware Profile feature that is present in FortiGate Cloud as well as how administrators can control this feature for FortiGates connected with paid FortiGate Cloud subscriptions.

 

FortiGates connected to FortiGate Cloud using the free-tier (i.e. units without subscription support) will only support the 'latest-patch' profile as of November 1 2024 (discussed further below).

Scope

FortiGate Cloud, FortiGate.
Solution

FortiGate Cloud v24.2.0 introduced a new feature called Automatic Upgrades which allows administrators to automatically schedule/handle upgrades to the latest patch release for each of the managed FortiGates. Later in FortiGate Cloud version 24.3.0, the feature was refined into the Firmware Profiles option which allows admins to create and assign profiles to further control how upgrades are managed.

 

Currently, there are two default profiles present in FortiGate Cloud, though it is possible to create custom profiles in addition to these:

  • (None): While not technically a profile, this option can be set on a cloud-managed FortiGate to disable the automatic-upgrade feature.
    • This is the default setting for all FortiGates with paid FortiGate Cloud subscriptions.
    • When viewed on the Asset page under Firmware Profile, the (None) entry will show as a blank entry for each FortiGate.
  • latest-patch: This built-in profile can be assigned to any FortiGate supported for Automatic Upgrades by FortiGate Cloud, and it enables Automatic Upgrades. This profile is configured to allow firmware upgrades on any day of the week between 11PM - 2AM (based on the FortiGate's local timezone).

 

General Notes for Automatic Upgrades/Firmware Profiles:

  • FortiGates connected to FortiGate Cloud without a paid subscription (i.e. the free-tier) are currently using the (None) profile. However, as of November 1 2024, all free-tier FortiGates will be automatically assigned to the 'latest-patch' profile.
  • Automatic Upgrades will follow the Firmware Upgrade Path and will update to the latest revision available for the FortiGate's minor firmware version being used (e.g. FortiGate will automatically upgrade patch revisions but not major or minor revisions). For FortiGates with a paid FortiGate Cloud subscription, an administrator can configure a custom Firmware Profile that specifies a version to upgrade to.
  • The (None) profile is sufficient to disable Automatic Upgrades for FortiGates with FortiGate Cloud subscriptions, though it is also possible to create a profile that has Auto Upgrade explicitly disabled.
  • FortiGates that are joined to a Security Fabric are NOT supported for Automatic Upgrades. It is possible to attempt to assign a Firmware Profile to a FortiGate that is joined to a Security Fabric, but upon refreshing the FortiGate Cloud page the profile is no longer assigned (this is expected).
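
The notes above can be turned into a quick fleet check before a change window. The following Python sketch is an added example, not Fortinet code or a FortiGate Cloud API: the Profile and Gate records, the profile names 'pinned' and 'manual', and all version numbers are constructed placeholders. It does not model Firmware Upgrade Path steps or upgrade time windows.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

FREE_TIER_CUTOVER = date(2024, 11, 1)   # date given in the article

@dataclass
class Profile:                 # hypothetical model of a Firmware Profile
    auto_upgrade: bool = True
    target: str = "latest"     # "latest" = Latest patch, else a specified version

@dataclass
class Gate:                    # hypothetical inventory record
    name: str
    version: str               # running firmware, "major.minor.patch"
    paid: bool                 # paid FortiGate Cloud subscription
    in_fabric: bool            # joined to a Security Fabric
    profile: Optional[str]     # assigned profile name; None means (None)

def parse(v: str) -> tuple:
    return tuple(int(p) for p in v.split("."))

def effective_profile(g: Gate, profiles: dict, today: date) -> Optional[Profile]:
    if g.in_fabric:            # assignment does not persist on Fabric members
        return None
    if not g.paid:             # free tier: (None) before cutover, latest-patch after
        return profiles["latest-patch"] if today >= FREE_TIER_CUTOVER else None
    return profiles.get(g.profile) if g.profile else None

def planned_upgrade(g: Gate, profiles: dict, available: list, today: date) -> Optional[str]:
    """Version the gate is expected to move to automatically, or None."""
    p = effective_profile(g, profiles, today)
    if p is None or not p.auto_upgrade:
        return None
    cur = parse(g.version)
    if p.target != "latest":   # specified version (paid subscriptions only)
        return p.target if parse(p.target) > cur else None
    # Latest patch: stay on the current major.minor branch
    branch = [v for v in available if parse(v)[:2] == cur[:2] and parse(v) > cur]
    return max(branch, key=parse) if branch else None

# Constructed sample data; version numbers are placeholders, not real releases.
PROFILES = {"latest-patch": Profile(), "pinned": Profile(target="9.2.0"),
            "manual": Profile(auto_upgrade=False)}
AVAILABLE = ["9.1.2", "9.1.4", "9.1.10", "9.2.0"]
FLEET = [Gate("branch-a", "9.1.2", False, False, None),
         Gate("hq-fw", "9.1.2", True, False, None),
         Gate("fabric-member", "9.1.2", True, True, "latest-patch"),
         Gate("lab", "9.1.4", True, False, "pinned"),
         Gate("dc-edge", "9.1.4", True, False, "manual")]

def report(today: date) -> dict:
    return {g.name: planned_upgrade(g, PROFILES, AVAILABLE, today) for g in FLEET}
```

Calling report() with a date on or after November 1 2024 shows the free-tier unit moving to the newest patch of its own branch, while the Fabric member and the units on (None) or a disabled profile stay put.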

 

Disabling Automatic Upgrades/Firmware Profiles:

Applying the latest patch ensures that newly discovered vulnerabilities do not impact production FortiGates. It is therefore recommended to use this option even when there is an option to disable this setting on a paid subscription.

However, in circumstances where a customer would like to manually perform the upgrades, these methods can be used:

  • The (None) profile is sufficient to disable Automatic Upgrades for FortiGates with FortiGate Cloud subscriptions, though it is also possible to create a profile that has Auto Upgrade explicitly disabled.
  • For managed FortiGates without a paid subscription to FortiGate Cloud, an administrator can configure the FortiGate to disable FortiGate Cloud management. This will disable all FortiGate Cloud remote management functions for that specific FortiGate, including firmware upgrade by FortiGate Cloud. See the article 'How to disable management tunnel to FortiGate Cloud'.

 

How to create custom Firmware Profiles on FortiGate Cloud:

  1. Log in to FortiGate Cloud (https://login.forticloud.com/) and navigate to Management -> Firmware Profile.
  2. Select the 'Add' button to add a new Firmware Profile. The following options are available:
    • FortiGate: can select either All supported models or Specify to select all models that the profile may be assigned to. Note that the disk-less and disk-equipped models must be added separately (e.g. FortiGate-60F vs. FortiGate-61F).
    • Auto Upgrade Status: can Enable or Disable Auto Upgrades for devices using this profile.
    • Firmware Version: can be set to the Latest patch (i.e. latest revision for the minor branch that the FortiGate is currently using) or Specify to set a specific version to upgrade to.
    • Upgrade Date: can be set to Delay if Firmware Version is set to Latest Patch, otherwise only the Specify option is available.
    • Delay by number of days: can be set between 1-14 days, default is 3 days (only when Delay is chosen).
    • Days available for Upgrades: Can be set to any day of the week (only when Specify is chosen).
    • Preferred Upgrade Time: can select the period where the upgrade may be executed. Options include 11PM - 2AM, 12AM - 3AM, or 1AM - 4AM.
  3. Select OK to complete.

 


 

How to assign Firmware Profiles to FortiGates on FortiGate Cloud:

  1. Log in to FortiGate Cloud and navigate to the Assets page.
  2. Select one or more FortiGates (hold the Shift key to select multiple), 'Right-Click', and select Group Management -> Assign Firmware Profile.
  3. In the drop-down menu, select the profile to assign.
    Note: If the FortiGate does not have an active subscription to FortiGate Cloud it is only possible to select the latest-patch profile as of November 1 2024.
  4. Select the Submit button once the desired profile has been assigned.

 

How to check which Firmware Profiles are assigned to FortiGates on FortiGate Cloud:

  1. Log in to FortiGate Cloud and navigate to the Assets page.

  2. Check if Firmware Profile has been added to the current list of columns. If it has not, 'Right-Click' on the top line of the Asset table and add the Firmware Profile column. Select Apply afterwards to commit the change.
  3. The Firmware Profile column will list the current profiles assigned to each FortiGate. Note that an empty entry indicates that the (None) profile is being used. 

 


 

Related articles:

Technical Tip: Understanding Automatic Patch Upgrade: FortiGate Cloud Premium vs Local Setting

Firmware Profile