Technical Tip: Automatic Patch Upgrades

Configurations in the GUI:

Go System -> Firmware & Registration -> Automatic patch upgrades enabled/disabled:

When automatic patch upgrade is enabled, the patch-level upgrade will be scheduled after 'Delay by a number of days' during the specified time.

The patch-level upgrade can also be scheduled by specifying the days of the week during the specified time.

After the patch release is successfully installed, the automation stitch 'Firmware upgrade notification' will be triggered to send an email notification.

Configurations in the CLI:

config system fortiguard
    set auto-firmware-upgrade {enable | disable}
    set auto-firmware-upgrade-day {sunday monday tuesday wednesday thursday friday saturday}
    set auto-firmware-upgrade-delay <integer>
    set auto-firmware-upgrade-start-hour <integer>
    set auto-firmware-upgrade-end-hour <integer>
end

To review the installation window of new patch releases:

   diagnose test application forticldd 13

Scheduled push image upgrade: no
Scheduled Config Restore: no
Scheduled Script Restore: no
Automatic image upgrade: Enabled.
Next upgrade check scheduled at (local time) Thu Sep 7 12:35:37 2023
New image 7.4.1b2463(07004000FIMG0024804001) installation is scheduled to
start at Sun Sep 10 11:48:26 2023
end by Sun Sep 10 23:00:00 2023

The event log after configuring the automatic firmware upgrade:

date=2023-09-08 time=16:21:50 eventtime=1694204482840500060 tz="-0400" logid="0100032263" type="event" subtype="system" level="notice" vd="root" logdesc="Automatic firmware upgrade schedule changed" user="system" msg="System patch-level auto-upgrade regular check enabled."

Note: This alert is triggered every time the FortiGate is rebooted.

The event log after successfully updating firmware:

date=2023-09-08 time=16:21:50 eventtime=1694204482991730680 tz="-0400" logid="0100022094" type="event" subtype="system" level="information" vd="root" logdesc="A federated upgrade was completed by the root FortiGate" msg="Federated upgrade complete" version="7.4.1"

The event log firmware upgrade notification is triggered:

date=2023-09-08 time=16:21:51 eventtime=1694204510384715240 tz="-0400" logid="0100046600" type="event" subtype="system" level="notice" vd="root" logdesc="Automation stitch triggered" stitch="Firmware upgrade notification" trigger="Auto Firmware upgrade" stitchaction="Email Notification" from="log" msg="stitch:Firmware upgrade notification is triggered."

From 7.2.6 & 7.4.0 to 7.4.4 versions the 'auto-firmware-upgrade' CLI setting will be enabled by default in most of the 1 rack unit platforms.

FortiGates which FortiManager manages or acts as Fabric root or Fabric leaf members will not be affected by this change.

The complete list of the platforms which will be affected by this change will be:

FGT-40F.
FGT-40F-3G4G.
FGT-60E.
FGT-60E-DSL.
FGT-60E-DSLJ.
FGT-60E-POE.
FGT-60F.
FGT-61E.
FGT-61F.
FGT-70F.
FGT-71F.
FGT-80E.
FGT-80E-POE.
FGT-80F.
FGT-80F-BP.
FGT-80F-POE.
FGT-81E.
FGT-81E-POE.
FGT-81F.
FGT-81F-POE.
FGT-90E.
FGT-91E.
FGR-60F.
FGR-60F-3G4G.
FGR-70F.
FGR-70F-3G4G.
FWF-40F.
FWF-40F-3G4G.
FWF-60E.
FWF-60E-DSL.
FWF-60E-DSLJ.
FWF-60F.
FWF-61E.
FWF-61F.
FWF-80F-2R.
FWF-81F-2R.
FWF-81F-2R-3G4G-POE.
FWF-81F-2R-POE.

From the 7.4.5 version, the 'auto-firmware-upgrade' CLI setting will be enabled for all models including FortiGate VMs.

Related article:

Technical Tip: Understanding Automatic Patch Upgrade: FortiGate Cloud Premium vs Local Setting