[FortiGate/Alert] Automatic firmware update is enabled by default (less than 100 series) [v7.2.6/v7.4.1]


What is the firmware automatic update function?

FortiGate added automatic firmware update functionality from firmware versions 7.2.1 and 7.4.0.

When this feature was first added, it was disabled by default. When enabled, it behaves as follows.

  • Check for updates daily.
  • If new firmware is found, the new firmware installation will be scheduled after the configured number of delay days.
  • At the scheduled upgrade time, FortiGate attempts to upgrade to the latest patch of the same [major.minor] version as the current version (it performs patch-level upgrades only).

Automatic firmware updates are enabled or disabled with set auto-firmware-upgrade under config system fortiguard.

config system fortiguard
    set auto-firmware-upgrade <disable|enable>
end

When this item is set to its default value, the show command does not display it; you need to run show full-configuration to see it.

Automatic firmware updates are enabled by default on entry models

The automatic firmware update function was initially disabled by default, but from v7.2.6/v7.4.1 onwards the default was changed to enabled for entry models (less than 100 series).
*Applicable to FortiGate-40 to 90 series

From now on, automatic firmware updates must be explicitly disabled.

In general, firmware updates for network devices are applied only after careful verification in advance.

It is therefore not a good idea to let the firmware update automatically (without approval).

For that reason, disabling the automatic firmware update feature should become a routine step when configuring a FortiGate from now on.
*For applicable models

Precautions when upgrading to v7.2.6/v7.4.1 or later

Please be careful when upgrading from a version earlier than v7.2.6/v7.4.1 to v7.2.6/v7.4.1 or later.

If automatic firmware update was disabled before the upgrade and the device is then upgraded to v7.2.6/v7.4.1 or later, automatic firmware update becomes enabled.

Therefore, it is necessary to disable automatic firmware updates after upgrading.

Points to note when comparing configurations before and after version upgrade

Starting from v7.2.6/v7.4.1, the firmware automatic update feature is enabled by default.

Therefore, if the setting value is enable, the corresponding setting item will not be displayed using the show command.

  • In versions earlier than v7.2.6/v7.4.1, automatic firmware update is disabled by default, so when it is disabled the show command does not display the setting item.
  • In v7.2.6/v7.4.1 and later versions, automatic firmware update is enabled by default, so when it is enabled the show command does not display the setting item.

In other words, after upgrading from a version earlier than v7.2.6/v7.4.1 to v7.2.6/v7.4.1 or later, comparing the configurations obtained with the show command reveals no difference for this setting item, so the change is easy to overlook.

For an accurate comparison, you need to run show full-configuration.
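
The following Python code is an added example, not taken from the original article or from Fortinet. It resolves the effective auto-firmware-upgrade value from show output by falling back to the version and model default described above, and flags an upgrade where the value flips without any visible difference in show. The function names, the model number argument and the sample configuration are assumptions made for this example.

```python
import re

# Constructed sample of `show` output: the item is at its default, so it is hidden.
SHOW_SAMPLE = """config system fortiguard
    set fortiguard-anycast disable
end
"""

def default_auto_upgrade(version, model_number):
    """Default per the article; None when the version predates the feature."""
    v = tuple(int(p) for p in version.split("."))
    if v < (7, 2, 1):
        return None
    changed = v >= (7, 4, 1) or (v[:2] == (7, 2) and v >= (7, 2, 6))
    return "enable" if changed and model_number < 100 else "disable"

def explicit_setting(show_output):
    """Value stored under `config system fortiguard`, or None if not shown."""
    in_block = False
    for line in show_output.splitlines():
        s = line.strip()
        if s == "config system fortiguard":
            in_block = True
        elif in_block and s == "end":
            in_block = False
        elif in_block:
            m = re.fullmatch(r"set auto-firmware-upgrade (enable|disable)", s)
            if m:
                return m.group(1)
    return None

def effective_setting(show_output, version, model_number):
    """Explicit value if present, otherwise the version/model default."""
    return explicit_setting(show_output) or default_auto_upgrade(version, model_number)

def audit_upgrade(before, after, model_number):
    """before/after are (version, show_output); flag changes a show diff hides."""
    old = effective_setting(before[1], before[0], model_number)
    new = effective_setting(after[1], after[0], model_number)
    visible = explicit_setting(before[1]) != explicit_setting(after[1])
    return {"before": old, "after": new, "silent_change": old != new and not visible}

if __name__ == "__main__":
    # Hypothetical FortiGate-60 series unit upgraded from 7.2.5 to 7.2.6.
    print(audit_upgrade(("7.2.5", SHOW_SAMPLE), ("7.2.6", SHOW_SAMPLE), 60))
```

A silent_change result of True means the device needs set auto-firmware-upgrade disable applied again after the upgrade.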

