MigenaM
Staff
Article Id 360506
Description: This article describes the behavior of the Auto Firmware Upgrade feature when Security Fabric is enabled or disabled.
Scope: FortiGate.
Solution

To check the status of the auto-firmware-upgrade feature on FortiGate, the following command can be used:

 

diagnose test application forticldd 13 

 

As an example, the following output is seen after executing this command on a device that has the option enabled:

 

diagnose test application forticldd 13
Scheduled push image upgrade: no
Scheduled Config Restore: no
Scheduled Script Restore: no
Automatic image upgrade: Enabled.
        Next upgrade check scheduled at (local time) Wed Nov 27 01:28:10 2024

 

The view in the GUI is as follows:

 

[Screenshot: Automatic Patch Upgrade.PNG]

 

With this configuration, the device is expected to upgrade automatically when an available patch is found.

There are cases, however, where this does not happen even though the feature is configured.

The reason is that the Security Fabric might have been enabled after the option was configured.

In general, the status of the Security Fabric can be found with the command below:

 

show system csf 

 

Or:

 

show full-configuration system csf

 

When the status is disabled, the outputs will be as follows:

 

config system csf
end

 

And:

 

config system csf
    set status disable
    set forticloud-account-enforcement enable
end

 

As a next step, the Security Fabric feature will be enabled:

 

config system csf
    set status enable
    set group-name TEST
end

 

After entering 'end', the following message will appear:


Auto firmware upgrade in system.fortiguard has been paused since this FortiGate has joined a security fabric. The upgarde will resume automatically when this FortiGate is released from the security fabric. The upgrade status may be viewed using the following command diagnose test application forticldd 13.

 

This means that after the Security Fabric is enabled on the device, the configuration for the auto-upgrade feature will be automatically disabled.

 

The output of the 'diagnose test application forticldd 13' command is now:

 

diagnose test application forticldd 13
Scheduled push image upgrade: no
Scheduled Config Restore: no
Scheduled Script Restore: no
Automatic image upgrade: Disabled.

 

Querying the auto-firmware-upgrade setting under 'system fortiguard' will not return any value:

 

show system fortiguard | grep auto-firmware-upgrade

 

Even upon attempting to add the 'auto-firmware-upgrade' settings again under 'system fortiguard', the status will still show as 'disable':

 

config system fortiguard
    set auto-firmware-upgrade enable
    set auto-firmware-upgrade-delay 3
    set auto-firmware-upgrade-start-hour 1
    set auto-firmware-upgrade-end-hour 4
end

 

And:

 

diagnose test application forticldd 13
Scheduled push image upgrade: no
Scheduled Config Restore: no
Scheduled Script Restore: no
Automatic image upgrade: Disabled.

 

After disabling the Security Fabric and repeating the auto-firmware-upgrade configuration steps one more time, the status will be as follows:

 

config system csf
    set status disable
end

 

And:

 

diagnose test application forticldd 13
Scheduled push image upgrade: no
Scheduled Config Restore: no
Scheduled Script Restore: no
Automatic image upgrade: Enabled.
Next upgrade check scheduled at (local time) Thu Nov 28 03:33:12 2024
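
The check described in this article can be run across many devices by parsing the two command outputs. The following Python script is an added example, not part of the original article and not Fortinet code; the function names and result labels are hypothetical, the sample outputs are copied from the examples above, and it assumes the CLI output has already been collected as text (for instance over SSH).

```python
import re

# Sample outputs copied from the article's examples (fabric member vs. standalone).
CSF_ENABLED = "config system csf\n    set status enable\n    set group-name TEST\nend\n"
CSF_DEFAULT = "config system csf\nend\n"  # 'show system csf' with status left at disable
CLDD_DISABLED = (
    "Scheduled push image upgrade: no\n"
    "Scheduled Config Restore: no\n"
    "Scheduled Script Restore: no\n"
    "Automatic image upgrade: Disabled.\n"
)
CLDD_ENABLED = CLDD_DISABLED.replace("Disabled.", "Enabled.") + (
    "        Next upgrade check scheduled at (local time) Wed Nov 27 01:28:10 2024\n"
)

def parse_forticldd(output):
    """Return (enabled, next_check) from 'diagnose test application forticldd 13'."""
    state = re.search(r"^Automatic image upgrade:\s*(Enabled|Disabled)\.", output, re.M)
    if state is None:
        raise ValueError("no 'Automatic image upgrade' line in output")
    nxt = re.search(r"Next upgrade check scheduled at \(local time\)\s+(.+?)\s*$",
                    output, re.M)
    return state.group(1) == "Enabled", nxt.group(1) if nxt else None

def csf_enabled(output):
    """True only if 'show [full-configuration] system csf' has 'set status enable'."""
    status = re.search(r"^\s*set status (enable|disable)\s*$", output, re.M)
    return status is not None and status.group(1) == "enable"

def assess(csf_output, cldd_output):
    """Classify a device's patch posture (labels are hypothetical, for this example)."""
    upgrade_on, next_check = parse_forticldd(cldd_output)
    if upgrade_on:
        return "AUTO_UPGRADE_ACTIVE", next_check
    if csf_enabled(csf_output):
        # The case the article describes: joining the fabric paused the feature.
        return "PAUSED_BY_SECURITY_FABRIC", None
    return "AUTO_UPGRADE_DISABLED", None

if __name__ == "__main__":
    for name, csf, cldd in [("fabric-member", CSF_ENABLED, CLDD_DISABLED),
                            ("standalone", CSF_DEFAULT, CLDD_ENABLED)]:
        print(name, *assess(csf, cldd))
```

Devices reported as PAUSED_BY_SECURITY_FABRIC will not patch themselves, so their firmware needs to be tracked through another upgrade process.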

Related documents:

Enabling automatic firmware updates

Technical Tip: How to disable automatic firmware upgrades on FortiGates 

Technical Tip: Behavior changed for auto-firmware-upgrade feature in FortiOS 7.4.5/7.6.0