Created on 10-10-2025 09:59 AM, edited on 10-15-2025 01:18 AM, by Jean-Philippe_P
Description | This article describes a quick fix for the issue where, starting with FortiOS v7.4.8, v7.6.4, and v8.0.0, unlicensed FortiGate devices automatically schedule non-cancelable firmware upgrades. |
Scope | FortiGate. |
Solution |
Starting with FortiOS versions 7.4.8 and 7.6.4, a new behavior has been introduced on unlicensed or expired-support FortiGate devices. See Automatic firmware upgrades for FortiGate appliances with invalid support contracts or that have rea....
If support is not valid, the FortiGate will automatically schedule a firmware upgrade to the latest patch in its current minor version. This is managed through the CLI under 'config system federated-upgrade', where the upgrade schedule becomes visible. However, this scheduled upgrade cannot be cancelled, only postponed up to seven days using the command 'execute auto-upgrade delay-installation'. There is no limitation on how many times the schedule can be changed. However, once the new image has been checked and confirmed, the installation must occur within 1–14 days from that date. Regardless of how many times the schedule is modified, it cannot be postponed beyond this 14-day window.
For some users, especially those in sensitive environments or with strict change control, unexpected automatic upgrades can be disruptive. The lack of a true cancellation option poses operational challenges if maintenance windows or specific upgrade requirements exist.
Quick Solution: FortiManager Configuration
A simple workaround is to connect the FortiGate to a FortiManager, which immediately cancels the automatic upgrade process. This can be achieved by entering the following CLI commands:
config system central-management
    set type fortimanager
end
After configuring the above commands, the following message will appear.
The Serial Number for FortiManager is not entered.
In order to verify identity of FortiManager serial number is needed. If serial number is not set, connection will be set as unverified. FortiGate can establish a connection to obtain the serial number now.
Do you want to try to connect now? (y/n)n
Press 'n'. The configuration will be committed. Otherwise, it will continuously display the same message.
No FortiManager IP is required in the configuration for versions beginning with 7.2.9, 7.4.4, and 7.6.0. The forced upgrade mechanism will be disabled simply by enabling the FortiManager management type.
From a security hardening perspective, note that this does not open any additional inbound ports on the firewall. Inbound access is instead controlled by the FMG-Access setting, regardless of the central-management setting; see Technical Tip: Explaining FMG-Access on FortiGate Interface Settings. If FortiManager will not be in use, it is recommended to disable FMG-Access on all interfaces. |
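Both points above (the central-management type and leftover FMG-Access) can be checked offline against a configuration backup. The Python script below is an added example, not part of the original article or any Fortinet tooling. It assumes a plain-text, unencrypted backup and that FMG-Access appears as the `fgfm` keyword in an interface's `allowaccess` list; the function names and the sample configuration are constructed for illustration.

```python
# Constructed sample of a plain-text FortiOS configuration backup (not from the article).
SAMPLE_BACKUP = """\
config system interface
    edit "wan1"
        set allowaccess ping fgfm
    next
    edit "internal"
        set allowaccess ping https ssh
        config ipv6
            set ip6-allowaccess ping fgfm
        end
    next
end
config system central-management
    set type fortimanager
end
"""

def audit_backup(text):
    """Return (central-management type or None, interfaces with fgfm in an allowaccess list)."""
    stack, iface, mgmt_type, fgfm_ifaces = [], None, None, []
    for raw in text.splitlines():
        words = raw.split()
        if not words:
            continue
        if words[0] == "config":
            stack.append(" ".join(words[1:]))   # track nesting, e.g. "system interface"
        elif words[0] == "end" and stack:
            stack.pop()
        elif words[0] == "edit" and stack[-1:] == ["system interface"]:
            iface = raw.strip()[5:].strip().strip('"')   # keeps names containing spaces
        elif words[0] == "set" and len(words) > 2 and stack:
            if words[1] == "type" and stack[-1] == "system central-management":
                mgmt_type = words[2]
            elif (words[1] in ("allowaccess", "ip6-allowaccess") and "system interface" in stack
                  and "fgfm" in words[2:] and iface not in fgfm_ifaces):
                fgfm_ifaces.append(iface)   # nested blocks under the interface count too
    return mgmt_type, fgfm_ifaces

def findings(text):
    """List deviations from the workaround and the hardening recommendation above."""
    mgmt_type, fgfm_ifaces = audit_backup(text)
    out = []
    if mgmt_type != "fortimanager":
        out.append("central-management type is not fortimanager: workaround not applied")
    out += [f"FMG-Access (fgfm) still enabled on {name}" for name in fgfm_ifaces]
    return out

if __name__ == "__main__":
    print("\n".join(findings(SAMPLE_BACKUP)) or "no findings")
```

A `None` type only means the setting is not present in the backup text; the FMG-Access findings matter when FortiManager is not actually in use.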