rishab444
Staff
Article Id 365286

 

Description The article outlines a situation where, for compliance reasons, the firmware on FortiAPs must remain consistent, but they are automatically upgraded as soon as they are connected to the FortiGate.
Scope FortiAP, FortiGate.
Solution
  • This behavior is expected when a FortiAP image has been uploaded to the FortiGate and the image-download feature, which applies during join, is left enabled (the default).

    config global
        config wireless-controller global
            set image-download enable
        end
    end

  • Verify whether an image is already uploaded on the FortiGate using the command below:

    execute wireless-controller list-wtp-image

  • To stop the forced upgrade, remove all uploaded images using the command below:

    execute wireless-controller delete-wtp-image all

  • Another method is to completely disable the image download in the global settings:

    config global
        config wireless-controller global
            set image-download disable
        end
    end

  • The feature can be disabled for a specific set of devices that are part of the same Operation Profile, or a single device that is the only member of the particular Operation Profile.

    config wireless-controller wtp
        edit <name>
            set image-download disable
        next
    end

  • Another configuration that can trigger the upgrade is "firmware-provision-on-authorization" under the VDOM's wireless-controller settings. Ensure this is disabled, which is the default behavior.

    config vdom
        edit <vdom name>
            config wireless-controller setting
                set firmware-provision-on-authorization disable
            end
    end
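
The checks above can be run offline against a configuration backup. The following Python sketch is an added example, not part of the original article or any Fortinet tooling: it walks the config/edit/end nesting and reports the three settings discussed here. The sample excerpt and the AP name are constructed, and a missing global image-download line is treated as the default (enabled), as stated above.

```python
SAMPLE = """\
config global
config wireless-controller global
    set image-download enable
end
end
config vdom
edit root
config wireless-controller setting
    set firmware-provision-on-authorization enable
end
config wireless-controller wtp
    edit "FP-LOBBY-01"
        set image-download disable
    next
end
end
"""  # constructed excerpt; the AP name is made up

def parse_settings(text):
    """Return {(config path..., option): value} for every 'set' line."""
    stack, settings = [], {}
    for raw in text.splitlines():
        words = raw.split()
        verb, rest = (words or [""])[0], " ".join(words[1:]).strip('"')
        if verb in ("config", "edit"):
            stack.append((verb, rest))
        elif verb == "next" and stack and stack[-1][0] == "edit":
            stack.pop()
        elif verb == "end":  # closes the innermost config, and any edit left open in it
            while stack and stack.pop()[0] != "config":
                pass
        elif verb == "set" and len(words) >= 3:
            path = tuple(name for _, name in stack)
            settings[path + (words[1],)] = " ".join(words[2:]).strip('"')
    return settings

def audit(text):
    """Summarize the three settings the article ties to automatic FortiAP upgrades."""
    report = {"global_image_download": "enable",  # absent means default (enabled, per the article)
              "wtp_image_download_disabled": [], "provision_on_authorization": []}
    for path, value in parse_settings(text).items():
        if path[-2:] == ("wireless-controller global", "image-download"):
            report["global_image_download"] = value
        elif path[-3::2] == ("wireless-controller wtp", "image-download") and value == "disable":
            report["wtp_image_download_disabled"].append(path[-2])
        elif path[-1] == "firmware-provision-on-authorization" and value == "enable":
            report["provision_on_authorization"].append(path[1] if path[0] == "vdom" else "no-vdom")
    return report
```

Calling audit(SAMPLE) shows the global download still enabled, one AP exempted individually, and firmware-provision-on-authorization enabled in the root VDOM.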

 
