Description: This article describes the process to disable the management tunnel between FortiGate and FortiGate Cloud.
Scope: FortiGate Cloud, FortiGate v6.4 and later.
Solution:
In some cases it may be necessary to temporarily disable the management connection from individual FortiGate units to FortiGate Cloud while maintaining logging connectivity.
config system central-management
    set type none
end

set type ?
fortimanager    FortiManager.
fortiguard      Central management of this FortiGate using FortiCloud.
none            No central management.
end
Effect of disabling central-management: While the management tunnel is disabled in this way, FortiGate will show as offline in FortiGate Cloud, and it is no longer possible to monitor or manage the FortiGate remotely from the FortiGate Cloud portal.
Disabling the management tunnel should only be done with caution, as it disables the following FortiGate Cloud functions:
However, FortiGate will still send logs to FortiGate Cloud.
It is still possible to retrieve FortiGate Cloud logs to the FortiGate for local viewing.
Automatic firmware upgrade: As of November 1, 2024, the 'latest patch' firmware profile applies to all FortiGates running FortiOS v7.2 and earlier without a FortiGate Cloud subscription. If a FortiGate has a management tunnel to FortiGate Cloud with no subscription, it is subject to automatic patch-level upgrades.
If the management tunnel to FortiGate Cloud is disabled, an automatic firmware upgrade from the Firmware Profile assigned in FortiGate Cloud does not occur.
config system fortiguard
    set auto-firmware-upgrade disable
end

set auto-firmware-upgrade ?
disable    Disable automatic patch-level firmware upgrade to latest version from FortiGuard.
end
When an automatic patch-level upgrade occurs, the firewall upgrades to the latest GA release in its existing minor version. For example, a FortiGate running v7.2.7 would upgrade to the latest v7.2.x release following a recommended upgrade path. A FortiOS 'upgrade path' is a platform-specific series of firmware upgrades that may include multiple steps; see 'FortiGate/FortiOS recommended Upgrade Path' for more detail.
Verification: On the FortiGate, the command 'diagnose test application forticldd 1' shows the management type as 'NONE' once remote management has been disabled.
diagnose test application forticldd 1
System=FGT Platform=FGT61F
Connection vdom: root, id=0, ha=primary.
acct_id=username@domain.com
acct_st=OK
FortiGuard interface selection: method=auto specify=
FortiGuard log: status=enabled, full=overwrite, ssl_opt=1, source-ip=0.0.0.0
Centra Management: type=NONE, flags=000000bf.
active-tasks=0
rpdb_ver=00000002 rpdb6_ver=00000002
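The verification above is a manual read of one device. The following is an added example (not Fortinet code) that parses the 'diagnose test application forticldd 1' output, captured as text from an SSH session, and confirms the intended end state of this article: central management type NONE while FortiGate Cloud logging stays enabled. The sample output is the one shown above, embedded as a constructed string.

```python
import re

# Constructed sample: the forticldd diagnostic output shown above, as captured text.
SAMPLE_OUTPUT = """\
System=FGT Platform=FGT61F
Connection vdom: root, id=0, ha=primary.
acct_id=username@domain.com
acct_st=OK
FortiGuard interface selection: method=auto specify=
FortiGuard log: status=enabled, full=overwrite, ssl_opt=1, source-ip=0.0.0.0
Centra Management: type=NONE, flags=000000bf.
active-tasks=0
rpdb_ver=00000002 rpdb6_ver=00000002
"""

# key=value pairs; a value runs to the next comma or whitespace (trailing '.' is stripped).
KV_RE = re.compile(r"([A-Za-z0-9_\-]+)=([^,\s]*)")


def parse_forticldd(output: str) -> dict:
    """Flatten the diagnostic into {'<line label>.<key>': value} (label omitted when absent)."""
    fields = {}
    for line in output.splitlines():
        label, sep, rest = line.partition(":")
        prefix = label.strip().lower().replace(" ", "_") + "." if sep else ""
        for key, value in KV_RE.findall(rest if sep else line):
            fields[prefix + key] = value.rstrip(".")
    return fields


def check_management_disabled(output: str) -> tuple:
    """Return (ok, problems): ok only if management is off and cloud logging/account are healthy."""
    f = parse_forticldd(output)
    problems = []
    if f.get("centra_management.type") != "NONE":
        problems.append(f"central management still type={f.get('centra_management.type')}")
    if f.get("fortiguard_log.status") != "enabled":
        problems.append("FortiGate Cloud logging is not enabled")
    if f.get("acct_st") != "OK":
        problems.append(f"FortiGate Cloud account status is {f.get('acct_st')}")
    return (not problems, problems)


if __name__ == "__main__":
    ok, problems = check_management_disabled(SAMPLE_OUTPUT)
    print("management disabled, logging intact" if ok else "; ".join(problems))
```

Run the check across a fleet by feeding each device's captured output to check_management_disabled; any device that reports problems still has the tunnel up or has lost its logging connection.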
Disabling patch-level automatic upgrades is not a best practice for most deployments: it is important to stay current with available firmware patches, since they often contain important stability fixes or vulnerability fixes. Disabling automatic firmware upgrades should only be done with a robust upgrade management plan in place and a full understanding of the risks of running unpatched firmware.
When the management tunnel is enabled, a High Availability cluster managed by FortiGate Cloud shows only the primary as Online:
In this scenario, the management tunnel to FortiGate Cloud has not yet been disabled even though the secondary device shows offline.
To disable the management tunnel for a High Availability cluster, the procedure is the same as the one described earlier in this article for a standalone FortiGate: update 'config system central-management' on the primary device with 'set type none'.
Related articles:
FortiGate Cloud shows management tunnel down
How to send a notification from FortiGate Cloud Premium when FortiGate goes offline
Copyright 2024 Fortinet, Inc. All Rights Reserved.