I saw some conversation about stopping auto-upgrade on FGTs before after 7.2.8. And, we're doing it manually for those FGTs that are NOT managed by FMG. Then when we tried the same for those managed by FMG, the change was rejected because it's managed by FMG.
And solution is in this KB:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-disable-automatic-firmware-upgrades...

But it's not totally clear about the behavior for those command:

config system central-management
    set allow-push-firmware disable
    set allow-remote-firmware-upgrade disable
end

What we want to set up is:
1. Stop FMG pushing auto-firmware upgrade to managed FGTs
2. Also stop FGT upgrading firmware by itself
3. We still want to upgrade those managed FGT firmware via FMG manually

To accomplish this,
config system central-management
    set allow-push-firmware disable
end
Would this good enough if either pushed this via a template or script (to database and/or device directly)?
And, do we still need to push below via a template/scrip to stop FGT doing autoupgrade by itself?

config system fortiguard
    set auto-firmware-upgrade disable
    set gui-prompt-auto-upgrade disable
end

Thanks,


Toshi