Understanding automatic patch upgrade: FortiGate Cloud Premium vs Local Setting

Description

This article explains how automatic patch upgrades configured in FortiGate Cloud Premium and in the local FortiGate settings operate independently of each other, how the two configurations interact, and which one takes precedence.

Scope

FortiGate devices using FortiGate Cloud (both Premium and Standard portals), automatic firmware updates via FortiGate Cloud and local settings, and FortiCloud versions v24.2.0 and v7.2.

Solution

FortiGates have the option to manage automatic patch upgrades through both FortiGate Cloud and local settings. Below is a detailed explanation of how these settings interact and which takes precedence:

1. Parallel Operation:
The automatic patch feature in FortiGate Cloud works independently in parallel with the local settings of FortiGate.
Users can enable or disable automatic patching from FortiGate Cloud if the device is registered with a FortiGate Cloud service subscription.
Changes made in the cloud do not affect local FortiGate settings, and changes in local settings do not affect the cloud configuration.

2. Precedence:
When an automatic patch upgrade is scheduled on both FortiGate Cloud and local FortiGate settings, the upgrade that is scheduled first will take priority.
If FortiGate Cloud detects that the firmware has already been updated through the local setting, it will not initiate another upgrade.

3. Buffer Period:
The auto patch feature on the Cloud side is currently under a 90-day buffer period as recommended by the legal team.
This means changes to the auto patch setting on the cloud side will not take immediate effect.

Note:

Starting from FortiGate v7.4.8, v7.6.4, and v8.0.0, a new behavior applies to unlicensed or expired-support devices. If the support contract is not valid, the system will automatically schedule a firmware upgrade to the latest patch within the current minor version. This is managed through the CLI under config system federated-upgrade, where the scheduled upgrade can be viewed. The upgrade cannot be cancelled, but it can be delayed for up to 7 days using the command execute auto-upgrade delay-installation, with no limit on how many times the delay can be applied. Once the new image is verified and confirmed, the installation must be completed within 1–14 days. Even if the schedule is modified multiple times, the upgrade cannot be postponed beyond this 14-day window.
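
For change-window planning across a fleet, the rules in the note above can be applied to an inventory export. The following Python sketch is an added example, not Fortinet code: the inventory layout, hostnames, dates and function names are constructed, and it assumes the 14-day window is counted from the day the image is verified and that only the 7.4 and 7.6 branches are affected within major version 7.

```python
from datetime import date, timedelta

# First affected patch per 7.x branch, as listed in the note (assumption: no other 7.x branch).
FIRST_AFFECTED = {(7, 4): 8, (7, 6): 4}
FIRST_AFFECTED_MAJOR = 8       # v8.0.0 and later
MAX_DELAY_PER_REQUEST = 7      # days per delay request
HARD_WINDOW = 14               # days after image verification (assumed reference point)

def parse_version(text):
    """'v7.4.8' -> (7, 4, 8)"""
    major, minor, patch = (int(p) for p in text.lstrip("vV").split("."))
    return major, minor, patch

def forced_upgrade_applies(version, contract_valid):
    """True if the device runs an affected release and has no valid support contract."""
    if contract_valid:
        return False
    major, minor, patch = parse_version(version)
    if major >= FIRST_AFFECTED_MAJOR:
        return True
    first_patch = FIRST_AFFECTED.get((major, minor))
    return first_patch is not None and patch >= first_patch

def delay_install(verified_on, scheduled_for, delay_days):
    """Install date after one delay request, clamped to the 14-day window."""
    step = timedelta(days=min(delay_days, MAX_DELAY_PER_REQUEST))
    deadline = verified_on + timedelta(days=HARD_WINDOW)
    return min(scheduled_for + step, deadline)

def audit(inventory, verified_on):
    """Map hostname -> latest possible install date for devices that will be force-upgraded."""
    deadline = verified_on + timedelta(days=HARD_WINDOW)
    return {d["host"]: deadline for d in inventory
            if forced_upgrade_applies(d["version"], d["contract_valid"])}

# Constructed sample inventory (hostnames and contract states are made up).
INVENTORY = [
    {"host": "fw-branch-01", "version": "v7.4.8", "contract_valid": False},
    {"host": "fw-branch-02", "version": "v7.4.7", "contract_valid": False},
    {"host": "fw-hq-01", "version": "v7.6.4", "contract_valid": True},
    {"host": "fw-lab-01", "version": "v7.2.11", "contract_valid": False},
]

if __name__ == "__main__":
    for host, latest in audit(INVENTORY, date(2025, 6, 1)).items():
        print(f"{host}: forced patch upgrade, install no later than {latest}")
```

Repeated calls to delay_install show why unlimited delay requests still converge on the same final date: each request adds at most 7 days, and the result never passes the 14-day deadline.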