Solution
FortiGate Cloud v24.2.0 introduced a new feature called Automatic Upgrades which allows administrators to automatically schedule/handle upgrades to the latest patch release for each of the managed FortiGates. Later in FortiGate Cloud version 24.3.0, the feature was refined into the Firmware Profiles option which allows admins to create and assign profiles to further control how upgrades are managed.
Currently, there are two default profiles present in FortiGate Cloud, though it is possible to create custom profiles in addition to these:
- (None): While not technically a profile, this option can be set on a cloud-managed FortiGate to disable the automatic-upgrade feature.
  - This is the default setting for all FortiGates with paid FortiGate Cloud subscriptions.
  - When viewed on the Asset page under Firmware Profile, the (None) entry will show as a blank entry for each FortiGate.
- latest-patch: This built-in profile can be assigned to any FortiGate supported for Automatic Upgrades by FortiGate Cloud, and it enables Automatic Upgrades. This profile is configured to allow firmware upgrades on any day of the week between 11PM - 2AM (based on the FortiGate's local timezone).
General Notes for Automatic Upgrades/Firmware Profiles:
- FortiGates connected to FortiGate Cloud without a paid subscription (i.e. the free tier) are currently using the (None) profile. However, as of November 1, 2024, all free-tier FortiGates will be automatically assigned to the 'latest-patch' profile. It is possible to create a new firmware profile, but custom firmware profiles cannot be assigned to FortiGates connected to FortiGate Cloud without a paid subscription.
- Automatic Upgrades will follow the Firmware Upgrade Path and will update to the latest revision available for the FortiGate's minor firmware version being used (e.g. FortiGate will automatically upgrade patch revisions but not major or minor revisions). For FortiGates with a paid FortiGate Cloud subscription, an administrator can configure a custom Firmware Profile that specifies a version to upgrade to.
- The (None) profile is sufficient to disable Automatic Upgrades for FortiGates with FortiGate Cloud subscriptions, though it is also possible to create a profile that has Auto Upgrade explicitly disabled.
- FortiGates that are a part of a Security Fabric are NOT supported for Automatic Upgrades. FortiGates that are under management of a FortiManager are also NOT supported for Automatic Upgrades. It is possible to attempt to assign a Firmware Profile to a FortiGate that is joined to a Security Fabric, but upon refreshing the FortiGate Cloud page the profile is no longer assigned (this is expected).
Disabling Automatic Upgrades/Firmware Profiles:
Applying the latest patch ensures that newly discovered vulnerabilities do not impact production FortiGates. It is therefore recommended to use this option even when there is an option to disable this setting on a paid subscription.
However, in circumstances where a customer would like to manually perform the upgrades, these methods can be used:
- The (None) profile is sufficient to disable Automatic Upgrades for FortiGates with FortiGate Cloud subscriptions, though it is also possible to create a profile that has Auto Upgrade explicitly disabled.
- For managed FortiGates without a paid subscription to FortiGate Cloud, an administrator can configure the FortiGate to disable FortiGate Cloud management. This will disable all FortiGate Cloud remote management functions for that specific FortiGate, including firmware upgrades by FortiGate Cloud. See the article 'How to disable management tunnel to FortiGate Cloud'.
To assign a firmware profile in FortiGate Cloud, select the FortiGate -> Group Management -> Assign Firmware Profile.

How to create custom Firmware Profiles on FortiGate Cloud:
- Log into FortiGate Cloud (https://login.forticloud.com/) and navigate to Management -> Firmware Profile.
- Select the 'Add' button to add a new Firmware Profile. The following options are available:
  - FortiGate: it is possible to select either All supported models or Specify to select all models that the profile may be assigned to. Note that the disk-less and disk-equipped models must be added separately (e.g. FortiGate-60F vs. FortiGate-61F).
  - Auto Upgrade Status: can Enable or Disable Auto Upgrades for devices using this profile.
  - Firmware Version: can be set to the Latest patch (i.e. latest revision for the minor branch that the FortiGate is currently using) or Specify to set a specific version to upgrade to.
  - Upgrade Date: can be set to Delay if Firmware Version is set to Latest Patch, otherwise only the Specify option is available.
  - Delay by number of days: can be set between 1-14 days, default is 3 days (only when Delay is chosen).
  - Days available for Upgrades: can be set to any day of the week (only when Specify is chosen).
  - Preferred Upgrade Time: can select the period where the upgrade may be executed. Options include 11PM - 2AM, 12AM - 3AM, or 1AM - 4AM.
- Select OK to complete.

How to assign Firmware Profiles to FortiGates on FortiGate Cloud:
- Log in to FortiGate Cloud and navigate to the Assets page.
- Select one or more FortiGates (hold the Shift key to select multiple), right-click, and select Group Management -> Assign Firmware Profile.
- In the drop-down menu, select the profile to assign.
  Note: If the FortiGate does not have an active subscription to FortiGate Cloud, it is only possible to select the latest-patch profile as of November 1, 2024.
- Select the Submit button once the desired profile has been assigned.
How to check which Firmware Profiles are assigned to FortiGates on FortiGate Cloud:
- Log in to FortiGate Cloud and navigate to the Assets page.
- Check if the Firmware Profile column has been added to the current list of columns. If it has not, right-click on the top line of the Asset table and add the Firmware Profile column. Select Apply afterwards to commit the change.
- The Firmware Profile column will list the current profiles assigned to each FortiGate. Note that an empty entry indicates that the (None) profile is being used.
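The Firmware Profile column can be turned into a patch-coverage review by applying the rules in this article to each asset. The script below is an added example, not Fortinet code: the CSV layout, serial numbers and the custom profile names (branch-pinned, frozen) are constructed, and the rows are assumed to be transcribed by hand from the Assets page.

```python
import csv

# Constructed sample, transcribed by hand from the Assets page.
# Column names are hypothetical; a blank firmware_profile means (None).
SAMPLE_ASSETS = """serial,firmware_profile,paid,security_fabric,fortimanager
FGT-SAMPLE-0001,latest-patch,yes,no,no
FGT-SAMPLE-0002,,yes,no,no
FGT-SAMPLE-0003,branch-pinned,yes,no,no
FGT-SAMPLE-0004,latest-patch,yes,yes,no
FGT-SAMPLE-0005,branch-pinned,no,no,no
FGT-SAMPLE-0006,frozen,yes,no,no
"""

# Auto Upgrade Status per profile; custom names are hypothetical.
AUTO_UPGRADE = {"latest-patch": True, "branch-pinned": True, "frozen": False}


def classify(row, auto_upgrade=AUTO_UPGRADE):
    """Return (status, reason) for one asset row, following the article's rules."""
    profile = row["firmware_profile"].strip()
    paid = row["paid"] == "yes"
    if row["security_fabric"] == "yes" or row["fortimanager"] == "yes":
        return "manual", "Security Fabric/FortiManager: Automatic Upgrades not supported"
    if not profile:
        if paid:
            return "manual", "(None) profile: automatic upgrades disabled"
        return "review", "free tier should show latest-patch, found blank"
    if not paid and profile != "latest-patch":
        return "review", "custom profile cannot be assigned without a paid subscription"
    if profile not in auto_upgrade:
        return "review", "profile not in the local profile list"
    if not auto_upgrade[profile]:
        return "manual", "profile has Auto Upgrade disabled"
    return "auto", "covered by profile " + profile


def audit(csv_text):
    """Map each serial to its (status, reason)."""
    return {r["serial"]: classify(r) for r in csv.DictReader(csv_text.splitlines())}


def needs_attention(csv_text):
    """Serials that will not be patched automatically, sorted."""
    return sorted(s for s, (status, _) in audit(csv_text).items() if status != "auto")


if __name__ == "__main__":
    for serial, (status, reason) in audit(SAMPLE_ASSETS).items():
        print(f"{serial}  {status:7} {reason}")
```

Devices reported as manual need a separate patching process, and devices reported as review have an assignment that does not match what this article says FortiGate Cloud allows.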
Note:
By February 28, 2025, FortiGates that do not currently have an active FortiGate Cloud subscription will need to update to the most recent firmware patch within seven days of the patch GA release. See Technical Tip: Security enforcement change for FortiGates provisioned to FortiGate Cloud without act... for details.
Related articles:
Technical Tip: Understanding Automatic Patch Upgrade: FortiGate Cloud Premium vs Local Setting
Firmware Profile
How to disable management tunnel to FortiGate Cloud
FortiGate Cloud 25.1.0 Frequently asked questions