FortiGate Cloud
FortiGate Cloud provides cloud-based management for FortiGate devices.
JNDias
Staff & Editor
Article Id 316549
Description

This article describes the precedence and independence of automatic patch upgrades between FortiGate Cloud Premium and local FortiGate settings. It clarifies which settings take precedence and how they interact with each other.
Scope

FortiGates using FortiGate Cloud (both Premium and Standard portals), automatic firmware updates via both FortiGate Cloud and local settings, FortiCloud v24.2.0 and v7.2.

Solution

FortiGates have the option to manage automatic patch upgrades through both FortiGate Cloud and local settings. Below is a detailed explanation of how these settings interact and which takes precedence:

  1. Parallel Operation:

    • The automatic patch feature in FortiGate Cloud operates in parallel with the local FortiGate setting.
    • Users can enable or disable the automatic patch feature in FortiGate Cloud if the FortiGate is registered with a FortiGate Cloud Service subscription.
    • Adjusting the automatic patch setting in the cloud does not affect the local FortiGate setting and vice versa.

  2. Precedence:

    • In cases where an automatic patch upgrade is scheduled on both the cloud and local sides, the upgrade task that is scheduled to occur first will take precedence.
    • If the cloud detects that the firmware version has already been patched on the FortiGate device by the local setting, the cloud will not push another upgrade.

  3. Buffer Period:

    • The auto patch feature on the Cloud side is currently under a 90-day buffer period as recommended by the legal team.
    • This means changes to the auto patch setting on the cloud side will not take immediate effect.

 

Note:

Starting with v7.4.8, v7.6.4, and v8.0.0, a new behavior has been introduced on unlicensed or expired-support FortiGate devices: if support is not valid, the FortiGate will automatically schedule a firmware upgrade to the latest patch in its current minor version. This is managed through the CLI under 'config system federated-upgrade', where the upgrade schedule becomes visible. However, this scheduled upgrade cannot be cancelled, only postponed by up to seven days using the command 'execute auto-upgrade delay-installation'. There is no limit on the number of times this can be delayed.

 

There is no limitation on how many times the schedule can be changed. However, once the new image has been checked and confirmed, the installation must occur within 1–14 days from that date. Regardless of how many times the schedule is modified, it cannot be postponed beyond this 14-day window. For more details, read the article: Technical Tip: Disable auto-upgrade for unlicensed FortiGates.

 

Related documents:

Introduction

Enabling automatic firmware updates

Technical Tip: How to control Automatic Upgrades/Firmware Profiles on FortiGate Cloud

Technical Tip: Security enforcement change for FortiGates provisioned to FortiGate Cloud without act...