How to control Automatic Upgrades/Firmware Profiles on FortiGate Cloud

This article describes the new Automatic Upgrade/Firmware Profile feature that is present in FortiGate Cloud as well as how administrators can control this feature for FortiGates connected with paid FortiGate Cloud subscriptions.

Note that FortiGates connected to FortiGate Cloud using the free-tier (i.e. units without subscription support) will only support the ‘latest-patch’ profile (discussed further below).

Table of Contents

Scope
Solution
General Notes for Automatic Upgrades/Firmware Profiles
How to create custom Firmware Profiles on FortiGate Cloud
How to assign Firmware Profiles to FortiGates on FortiGate Cloud
How to check which Firmware Profiles are assigned to FortiGates on FortiGate Cloud

Scope

FortiGate Cloud, FortiGate.

Solution

FortiGate Cloud v24.2.0 introduced a new feature called Automatic Upgrades which allows administrators to automatically schedule/handle upgrades to the latest patch release for each of their managed FortiGates. Later in FortiGate Cloud version 24.3.0, the feature was refined into the Firmware Profiles option which allows admins to create and assign profiles to further control how upgrades are managed.

Currently, there are two default profiles present in FortiGate Cloud, though it is possible to create custom profiles in addition to these:

(None): While not technically a profile, this option can be set on a cloud-managed FortiGate to disable the automatic-upgrade feature.
This is the default setting for all FortiGates with paid FortiGate Cloud subscriptions.
When viewed on the Asset page under Firmware Profile, the (None) entry will show as a blank entry for each FortiGate.
latest-patch: This built-in profile can be assigned to any FortiGate supported for Automatic Upgrades by FortiGate Cloud, and it enables Automatic Upgrades.
This profile is configured to allow firmware upgrades on any day of the week between 11PM – 2AM (based on the FortiGate’s local timezone)

General Notes for Automatic Upgrades/Firmware Profiles

FortiGates connected to FortiGate Cloud without a paid subscription (i.e. the free-tier) is currently using the (None) profile. However, by Q4 2024 all free-tier FortiGates will be mandatorily assigned to the ‘latest-patch’ profile.
It is necessary to have a paid subscription to FortiGate Cloud for each managed FortiGate to disable Automatic Upgrades. Otherwise, consider disconnecting subscription-less FortiGates from FortiGate Cloud to prevent auto-upgrades.
Automatic Upgrades will follow the Firmware Upgrade Path and will update to the latest revision available for the FortiGate’s major firmware version being used (e.g. FortiGate will upgrade minor revisions but not major revisions). However, configure a custom Firmware Profile that specifies a specific version to upgrade to.
The (None) profile is sufficient to disable Automatic Upgrades for FortiGates with FortiGate Cloud subscriptions, though it is also possible tocreate a profile that has Auto Upgrade explicitly disabled.
FortiGates that are joined to a Security Fabric are NOT supported for Automatic Upgrades. It is possible to attempt to assign a Firmware Profile to a FortiGate that is joined to a Security Fabric, but upon refreshing the FortiGate Cloud page the profile is no longer assigned (this is expected).

How to create custom Firmware Profiles on FortiGate Cloud

Log into FortiGate Cloud (https://login.forticloud.com/) and navigate to Management -> Firmware Profile.
Select the ‘Add’ button to add a new Firmware Profile. The following options are available:
- FortiGate: can select either All supported models or Specify to select all models that the profile may be assigned to. Note that the disk-less and disk-equipped models must be added separately (e.g. FortiGate-60F vs. FortiGate-61F).
- Auto Upgrade Status: can Enable or Disable Auto Upgrades for devices using this profile.
- Firmware Version: can be set to the Latest patch (i.e. latest revision for the major branch that the FortiGate is currently using) or Specify to set a specific version to upgrade to.
- Upgrade Date: can be set to Delay if Firmware Version is set to Latest Patch, otherwise only the Specify option is available.
- Delay by number of days: can be set between 1-14 days, default is 3 days (only when Delay is chosen).
- Days available for Upgrades: Can be set to any day of the week (only when Specify is chosen)
- Preferred Upgrade Time: can select the period where the upgrade may be executed. Options include 11PM – 2AM, 12AM – 3AM, or 1AM – 4AM.
Select OK to complete.

How to assign Firmware Profiles to FortiGates on FortiGate Cloud

Login to FortiGate Cloud and navigate to the Assets page.
Select one or more FortiGates (hold the Shift key to select multiple), ‘Right-Click’ and select Group Management -> Assign Firmware Profile
In the drop-down menu, select the profile to assign.
- Note: If the FortiGate does not have an active subscription to FortiGate Cloud it is only possible to select the latest-patch profile as of Q4 2024.
Select the Submit button once the desired profile has been assigned

How to check which Firmware Profiles are assigned to FortiGates on FortiGate Cloud

Login to FortiGate Cloud and navigate to the Assets page.
Check if Firmware Profile has been added to the current list of columns. If it has not, ‘Right-Click’ on the top line of the Asset table and add the Firmware Profile column. Select Apply after to commit the change.
The Firmware Profile column will list the current profiles assigned to each FortiGate. Note that an empty entry indicates that the (None) profile is being used.