ManpreetSingh
Article Id 326998

 

Description: This article describes how to prevent FortiGate units from being upgraded automatically by FortiManager / Security Fabric (federated upgrade) and by the FortiGuard automatic firmware upgrade feature.
Scope: FortiGate, FortiManager.
Solution
  1. Disabling Firmware Upgrades through FortiManager.

To disable automatic firmware upgrades on FortiGate devices managed by FortiManager, perform the following steps:

 

config system central-management
    set allow-push-firmware disable
    set allow-remote-firmware-upgrade disable
end

 

  • set allow-push-firmware disable: Disables the ability to push firmware updates from the central management system (FortiManager) to the FortiGate devices. This prevents firmware updates from being pushed to the devices.
  • set allow-remote-firmware-upgrade disable: Disables the ability to perform remote firmware upgrades on the FortiGate devices from the central management system (FortiManager). This prevents remote firmware upgrades from being initiated.

 

  2. Disabling Auto-Firmware Upgrade through FortiGuard.

To disable the auto-firmware upgrade feature through FortiGuard, perform the following steps:

 

config system fortiguard
    set auto-firmware-upgrade disable  <----- Disable automatic patch-level firmware upgrade from FortiGuard.
    set gui-prompt-auto-upgrade disable
end

 

From the GUI, go to System -> Firmware Registration -> Automatic patch upgrade enabled -> Disable automatic patch upgrades.


To disable the Security Fabric federated upgrade from the CLI:

config system federated-upgrade
    set status disabled
end

 

This auto-firmware-upgrade feature is only available for FortiGate v7.2.1 and later. See the document Automatic firmware upgrade control (7.4.5) for more information.

  • Automatic firmware upgrade cannot be enabled for FortiGates belonging to a Security Fabric, FortiGates under management by a FortiManager, or a secondary HA FortiGate. However, HA groups will still have automatic firmware upgrades based on the primary FortiGate.

  • When automatic firmware upgrades are enabled, FortiSwitch and FortiAP firmware will also be updated as part of the federated update.

  • Automatic upgrades will only upgrade to a newer patch within the same major version. For example, a FortiOS v7.2.x image will only auto-upgrade to another v7.2.x image. It will not upgrade to an image from a different major version, such as v7.4.x.
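As an added example (not from this article or from Fortinet), the following Python script checks a FortiOS configuration backup for the settings covered above and reports which ones still leave automatic upgrades on. It assumes that a setting omitted from the backup is at its default, and that the default for the three upgrade switches is enable; the sample backup is constructed.

```python
# Value each setting must hold for automatic firmware upgrades to be off.
EXPECTED = {
    ("system central-management", "allow-push-firmware"): "disable",
    ("system central-management", "allow-remote-firmware-upgrade"): "disable",
    ("system fortiguard", "auto-firmware-upgrade"): "disable",
    ("system federated-upgrade", "status"): "disabled",
}
# Assumption: a 'set' line absent from a backup is at the FortiOS default,
# and the default for the three upgrade switches is 'enable' (still on).
DEFAULTS = {"allow-push-firmware": "enable", "allow-remote-firmware-upgrade": "enable",
            "auto-firmware-upgrade": "enable", "status": "disabled"}

def parse_config(text):
    """Map 'section path' -> {setting: value}. A stack follows nested
    config/edit blocks so their 'set' lines stay with the inner block."""
    sections, stack = {}, []
    for raw in text.splitlines():
        words = raw.split(None, 2)
        head = words[0] if words else ""
        if head in ("config", "edit"):
            stack.append(" ".join(words if head == "edit" else words[1:]))
            sections.setdefault(" / ".join(stack), {})
        elif head in ("end", "next") and stack:
            stack.pop()
        elif head == "set" and len(words) == 3 and stack:
            sections[" / ".join(stack)][words[1]] = words[2].strip('"')
    return sections

def audit(text):
    """Return (section, setting, effective value, compliant) for each check."""
    cfg = parse_config(text)
    return [(sec, key, val, val == want)
            for (sec, key), want in EXPECTED.items()
            for val in [cfg.get(sec, {}).get(key, DEFAULTS[key])]]

# Constructed backup: push disabled, the other switches omitted (default on).
SAMPLE_BACKUP = """\
config system central-management
    set allow-push-firmware disable
    config server-list
        edit 1
            set server-address 192.0.2.10
        next
    end
end
"""

for sec, key, val, ok in audit(SAMPLE_BACKUP):
    print(f"{'OK  ' if ok else 'WARN'} {sec}: {key} = {val}")
```

Replace SAMPLE_BACKUP with the text of a real backup file to audit a device; a WARN line names a switch that still permits automatic upgrades.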

 

Cancel Any Scheduled Upgrades.

Run the following command to cancel any immediate or scheduled upgrades:

 

execute federated-upgrade cancel

 

This command prompts the user to confirm the cancellation: type Y and press Enter.
 
Note:
To completely deactivate automatic patch upgrades for a FortiGate connected to FortiGate Cloud, make sure the patch upgrade settings are disabled within FortiGate Cloud as well.

Default auto-upgrade behavior changes (7.4.5+ and 7.6.1+).
On certain FortiOS versions (7.4.5+ and 7.6.1+), a new behavior has been introduced for FortiGate devices with an unlicensed, expired or otherwise invalid support contract, or running an EoES version: the FortiGate automatically schedules a firmware upgrade to the latest patch in its current minor version. The schedule is visible in the CLI under 'config system federated-upgrade'. This scheduled upgrade cannot be cancelled; it can only be postponed, for up to seven days, using the command 'execute auto-upgrade delay-installation'.
 
There is no limit on the number of times this can be delayed. For more details, read the article: Technical Tip: Disable auto-upgrade for unlicensed FortiGates.
 
Note:
If the Disable automatic patch upgrade option does not appear under Firmware Registration in the GUI, check the equivalent setting under System -> FortiGuard instead.