The command 'allow-push-configuration' under 'config system central-management' is used to add control for admin-scp.

CLI:

     config system central-management
            set allow-push-configuration enable 

       end

By default, the setting for allow-push-configuration is enabled and the feature is only used to control SCP backup or restore and configuration or imaging. It is not intended for general installation configuration or configuration synchronization.

When 'set admin-scp enable' is present in 'config sys global', the SCP restore function works after enabling the above push. The SCP restore function is denied after disabling the push.

When 'set admin-scp disable' is present in 'conf sys global', both the SCP backup and restore functions are denied.

Note that FortiManager can only push the configurations to FortiGate using the FGFM protocol. The command does not have any effects on pushed configurations from FortiManager. (Central-management type FortiManager).

However, the command above can be used to control pushing configurations from the FortiGate Cloud Portal (central-management type FortiGuard).

Related article:
Technical Tip: FortiGate Firmware upgrade from FortiGate Cloud stuck in In-Progress state