FortiGate Cloud
FortiGate Cloud provides cloud-based management for FortiGate devices.
pjang
Staff & Editor
Article Id 332474
Description

This article describes the new paid-tier Firmware Profile feature that is present in FortiGate Cloud as well as how administrators can control this feature for FortiGates connected with paid FortiGate Cloud subscriptions.

 

Scope

FortiGate Cloud, FortiGate.
Solution

FortiGate Cloud v24.2.0 introduced a new feature called Automatic Upgrades which allows administrators to automatically schedule/handle upgrades to the latest patch release for each of the managed FortiGates. Later in FortiGate Cloud version 24.3.0, the feature was refined into the Firmware Profiles option which allows admins to create and assign profiles to further control how upgrades are managed.

 

Currently, users can create custom profiles and assign them to FortiGates with a paid-tier FortiGate Cloud subscription:

  • (None): While not technically a profile, this option can be set on a cloud-managed FortiGate to un-assign a firmware profile from the FortiGate.
    • This is the default setting for all FortiGates with paid FortiGate Cloud subscriptions.
    • When viewed on the Asset page under Firmware Profile, the (None) entry will show as a blank entry for each FortiGate.

 

General Notes for Firmware Profiles:

  • Automatic Upgrades will follow the Firmware Upgrade Path and will update to the latest revision available for the FortiGate's minor firmware version being used (for example, FortiGate will automatically upgrade patch revisions but not major or minor revisions). An administrator can also configure a custom Firmware Profile that specifies a version to upgrade to.
  • The (None) profile is equivalent to un-assigning the firmware profile for FortiGates.
  • FortiGates that are a part of a Security Fabric are NOT supported for Firmware Profile. FortiGates that are under management of a FortiManager are also NOT supported for Firmware Profile. It is possible to attempt to assign a Firmware Profile to a FortiGate that is joined to a Security Fabric, but upon refreshing the FortiGate Cloud page the profile is no longer assigned (this is expected).
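
The notes above, applied to an inventory as an added example (not Fortinet code and not a FortiGate Cloud API): it separates devices that a Latest-patch profile would keep current from those that need a manual upgrade. The inventory fields, profile name and release numbers are constructed assumptions, and the intermediate steps of the Firmware Upgrade Path are not modelled.

```python
# Added example: models the patch-only rule and the unsupported cases from the
# notes above. Inventory fields and release numbers are constructed.

def parse(version):
    """'7.2.10' -> (7, 2, 10) so versions compare numerically, not as text."""
    major, minor, patch = (int(part) for part in version.split("."))
    return major, minor, patch

def latest_patch(current, releases):
    """Newest release in the same major.minor branch, or None if up to date."""
    cur = parse(current)
    same_branch = [parse(r) for r in releases if parse(r)[:2] == cur[:2]]
    newer = [v for v in same_branch if v > cur]
    return ".".join(map(str, max(newer))) if newer else None

def plan(device, releases):
    """Return ('auto', target), ('manual', target) or ('current', None)."""
    target = latest_patch(device["version"], releases)
    if target is None:
        return ("current", None)
    # Security Fabric members and FortiManager-managed units cannot keep a
    # profile, and a blank profile is the (None) entry: all need manual work.
    unsupported = device["in_fabric"] or device["fmg_managed"]
    if unsupported or not device["profile"]:
        return ("manual", target)
    return ("auto", target)

# Constructed sample data (hypothetical names, versions and profile label).
RELEASES = ["7.0.15", "7.2.6", "7.2.10", "7.4.3"]
INVENTORY = [
    {"name": "branch-1", "version": "7.2.5", "profile": "latest-patch",
     "in_fabric": False, "fmg_managed": False},
    {"name": "branch-2", "version": "7.2.10", "profile": "latest-patch",
     "in_fabric": False, "fmg_managed": False},
    {"name": "hq-1", "version": "7.4.1", "profile": "",
     "in_fabric": False, "fmg_managed": False},
    {"name": "dc-1", "version": "7.0.12", "profile": "latest-patch",
     "in_fabric": True, "fmg_managed": False},
]

def report(inventory=INVENTORY, releases=RELEASES):
    """Map each device name to its (status, target) tuple."""
    return {d["name"]: plan(d, releases) for d in inventory}

if __name__ == "__main__":
    for name, (status, target) in report().items():
        print(f"{name}: {status} -> {target}")
```
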

 

Disabling Firmware Profiles:

Applying the latest patch ensures that newly discovered vulnerabilities do not impact production FortiGates. It is therefore recommended to keep this option in use, even though a paid subscription allows the setting to be disabled.

However, in circumstances where a customer would like to manually perform the upgrades, these methods can be used:

  • The (None) profile is sufficient to disable a Firmware Profile for FortiGates with FortiGate Cloud subscriptions.

Note:

The FortiGate Cloud firmware profile is independent of the local 'automatic patch-level upgrade' described in the FortiOS Administration Guide. Configuring a FortiGate Cloud firmware profile, including 'None', will neither prevent nor force the local patch-level upgrade function. See the KB article Technical Tip: Understanding Automatic Patch Upgrade: FortiGate Cloud Premium vs Local Setting.

 

To assign a firmware profile in FortiGate Cloud, select the FortiGate -> Group Management -> Assign Firmware Profile.

 

How to create custom Firmware Profiles on FortiGate Cloud:

  1. Log in to FortiGate Cloud (https://login.forticloud.com/) and navigate to Management -> Firmware Profile.
  2. Select the 'Add' button to add a new Firmware Profile. The following options are available:
    • FortiGate: select either All supported models, or Specify to select all models that the profile may be assigned to. Note that the disk-less and disk-equipped models must be added separately (e.g. FortiGate-60F vs. FortiGate-61F).
    • Auto Upgrade Status: can Enable or Disable Auto Upgrades for devices using this profile.
    • Firmware Version: can be set to the Latest patch (i.e. latest revision for the minor branch that the FortiGate is currently using) or Specify to set a specific version to upgrade to.
    • Upgrade Date: can be set to Delay if Firmware Version is set to Latest Patch, otherwise only the Specify option is available.
    • Delay by number of days: can be set between 1-14 days, default is 3 days (only when Delay is chosen).
    • Days available for Upgrades: Can be set to any day of the week (only when Specify is chosen).
    • Preferred Upgrade Time: can select the period during which the upgrade may be executed. Options include 11PM - 2AM, 12AM - 3AM, or 1AM - 4AM.

  3. Select OK to complete.

 


 

How to assign Firmware Profiles to FortiGates on FortiGate Cloud:

  1. Log in to FortiGate Cloud and navigate to the Assets page.
  2. Select one or more FortiGates (hold the Shift key to select multiple), 'Right-Click', and select Group Management -> Assign Firmware Profile.
  3. In the drop-down menu, select the profile to assign.
  4. Select the Submit button once the desired profile has been assigned.

 

Note:

The 'Enable|Disable' option for 'Auto Upgrade Status' has been removed from the v25.1a 'Firmware profile' to simplify the UI design.

 

How to check which Firmware Profiles are assigned to FortiGates on FortiGate Cloud:

  1. Log in to FortiGate Cloud and navigate to the Assets page.
  2. Check whether the Firmware Profile column has been added to the current list of columns. If it has not, Right-Click on the top line of the Asset table and add the Firmware Profile column. Select Apply afterwards to commit the change.
  3. The Firmware Profile column will list the current profiles assigned to each FortiGate. Note that an empty entry indicates that the (None) profile is being used. 

 


 

Note:

By February 28, 2025, FortiGates that do not currently have an active FortiGate Cloud subscription will need to update to the most recent firmware patch within seven days of the patch GA release. See Technical Tip: Security enforcement change for FortiGates provisioned to FortiGate Cloud without act... for details.

 

Related documents:

Technical Tip: Understanding Automatic Patch Upgrade: FortiGate Cloud Premium vs Local Setting

Firmware Profile - FortiGate Cloud administration guide

How to disable management tunnel to FortiGate Cloud

FortiGate Cloud 25.1.0 Frequently asked questions