Description | This article describes the process to disable the management tunnel between FortiGate and FortiGate Cloud. |
Scope | FortiGate Cloud, FortiGate v6.4 and later. |
Solution |
The management connection from individual FortiGate units to FortiGate Cloud can be disabled for troubleshooting purposes.
In previous FortiGate Cloud versions, it was possible to disable the management tunnel and continue sending logs to FortiGate Cloud while maintaining an earlier GA firmware release. Starting February 28 2025, a FortiGate without a FortiGate Cloud subscription must be running the latest GA patch release of its current firmware branch in order to access FortiGate Cloud services. FortiGate Cloud services including logging will be paused for devices running earlier patch releases, even if the management tunnel is disabled.
A notice regarding this change has been sent to customers. See the KB article 'Technical Tip: Security enforcement change for FortiGates provisioned to FortiGate Cloud without act...' for more details.
config system central-management
    set type none
end
set type ?
fortimanager    FortiManager.
fortiguard      Central management of this FortiGate using FortiCloud.
none            No central management.
end
Effect of disabling central-management: While the management tunnel is disabled in this way, FortiGate will show as offline in FortiGate Cloud, and it is no longer possible to monitor or manage the FortiGate remotely from the FortiGate Cloud portal.
Disabling the management tunnel should only be done with caution, as it disables the following FortiGate Cloud functions:
FortiGate will still send logs to FortiGate Cloud as long as it is running the latest GA patch of its firmware release.
It is also possible to retrieve FortiGate Cloud logs to the FortiGate for local viewing.
Automatic firmware upgrade: From November 1 2024 until early Q1 2025, the 'latest patch' firmware profile was applied to all FortiGate devices without a FortiGate Cloud subscription running FortiOS v7.2 and earlier. If such a FortiGate had a management tunnel to FortiGate Cloud and no FortiGate Cloud subscription, it was subject to automatic patch-level upgrade using the 'latest patch' firmware profile.
After February 28 2025, the latest patch firmware is enforced for devices accessing FortiGate Cloud services without a subscription by pausing access to these services while the FortiGate is not running the latest GA firmware release in its current branch. FortiGate Cloud will no longer perform automatic firmware upgrades for devices without a FortiGate Cloud subscription. (Devices with a FortiGate Cloud subscription will continue their previous upgrade behavior according to the Firmware Profile assigned in FortiGate Cloud.)
If the management tunnel to FortiGate Cloud is disabled, automatic firmware upgrade from the Firmware Profile assigned in FortiGate Cloud does not occur.
config system fortiguard
    set auto-firmware-upgrade disable
end
set auto-firmware-upgrade ?
disable    Disable automatic patch-level firmware upgrade to latest version from FortiGuard.
end
When an automatic patch-level upgrade occurs, the firewall upgrades to the latest GA release in its existing minor version. For example, a FortiGate running v7.2.7 would upgrade to the latest v7.2.x release following a recommended upgrade path. A FortiOS 'upgrade path' is a platform-specific series of firmware upgrades that may include multiple steps; see 'FortiGate/FortiOS recommended Upgrade Path' for more detail.
Verification: On the FortiGate, the command 'diagnose test application forticldd 1' will show the management type as 'NONE' if remote management was disabled.
diagnose test application forticldd 1
System=FGT Platform=FGT61F
Connection vdom: root, id=0, ha=primary.
acct_id=username@domain.com acct_st=OK
FortiGuard interface selection: method=auto specify=FortiGuard
log: status=enabled, full=overwrite, ssl_opt=1, source-ip=0.0.0.0
Centra Management: type=NONE, flags=000000bf.
active-tasks=0
rpdb_ver=00000002 rpdb6_ver=00000002
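As an added example (not part of the original article or of any Fortinet tooling), a small Python parser for the 'diagnose test application forticldd 1' output shown above: it checks that the management type is reported as NONE while cloud logging is still active, and flags output that lacks the line rather than treating it as disabled. The sample output and account name are constructed placeholders.

```python
import re

# Constructed sample, modelled on the forticldd output shown in this article.
# The account name is a placeholder, not a real account.
SAMPLE_OUTPUT = """\
System=FGT Platform=FGT61F
Connection vdom: root, id=0, ha=primary.
acct_id=username@domain.com acct_st=OK
FortiGuard interface selection: method=auto specify=FortiGuard
log: status=enabled, full=overwrite, ssl_opt=1, source-ip=0.0.0.0
Centra Management: type=NONE, flags=000000bf.
active-tasks=0
rpdb_ver=00000002 rpdb6_ver=00000002
"""


def parse_forticldd(output):
    """Extract the fields relevant to the tunnel check from the raw output.

    A key is absent from the returned dict when its line was not found,
    so callers can distinguish 'not reported' from an explicit value.
    """
    fields = {}
    # The label is matched exactly as FortiOS prints it ("Centra Management").
    m = re.search(r"^Centra Management:\s*type=(\w+)", output, re.M)
    if m:
        fields["mgmt_type"] = m.group(1)
    m = re.search(r"^log:\s*status=(\w+)", output, re.M)
    if m:
        fields["log_status"] = m.group(1)
    m = re.search(r"acct_st=(\w+)", output)
    if m:
        fields["acct_st"] = m.group(1)
    m = re.search(r"ha=(\w+)", output)
    if m:
        fields["ha"] = m.group(1)
    return fields


def check_tunnel_state(output):
    """Return (tunnel_disabled, logging_active, findings) for one device."""
    f = parse_forticldd(output)
    findings = []
    mgmt = f.get("mgmt_type")
    if mgmt is None:
        findings.append("central management type not reported")
    # Only an explicit type=NONE counts as 'management tunnel disabled'.
    tunnel_disabled = mgmt == "NONE"
    logging_active = f.get("log_status") == "enabled" and f.get("acct_st") == "OK"
    if tunnel_disabled and not logging_active:
        findings.append("tunnel disabled but cloud logging is not active")
    return tunnel_disabled, logging_active, findings
```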
Disabling patch-level automatic upgrades is not a best practice for most deployments: it is important to stay up to date on available firmware patches, since they often contain important stability fixes or vulnerability fixes. Disabling automatic firmware upgrades should only be done with a robust upgrade management plan in place and a full understanding of the risks of running unpatched firmware.
When the management tunnel is enabled, a High Availability cluster managed by FortiGate Cloud shows only the primary as Online:
In this scenario, the management tunnel to FortiGate Cloud has not yet been disabled even though the secondary device shows offline.
To disable the management tunnel for a High Availability cluster, the procedure is the same as the one described earlier in this article for a standalone FortiGate. This configuration is synced between devices:
config system central-management
    set type none
end