
Firmware Compliance & Automated Updates

Keep devices compliant with automatic firmware updates and reporting.

Automation and Firmware Compliance for Fortinet Devices

If you had told me, a fresh neophyte network admin back in the early 90s working with PSTN multiplexers that carried voice and data simultaneously, that I would one day be writing scripts to automatically push firmware updates to FortiGate firewalls and FortiAPs, I would have rolled my eyes. And yet, here I am, three cups into the day, still buzzing from the hardware hacking village at DefCon and contemplating firmware compliance, and how automation is in fact the future (not to mention the present) of security operations.

Compliance Needs

You see, the problem with firmware updates is that they are important. Ignore them, and you are essentially driving a vintage car on bald tires down an icy road: it looks cool, with terrible results. Firmware compliance, for the businesses I recently assisted with their zero-trust deployments, including banks, is not merely a checklist. It is hardening yourself against a never-ending parade of cyberthreats.

When PJ Networks began assessing live Fortinet environments (FortiGate, FortiAP and FortiAuthenticator, all from the same family), we immediately identified a trend: many organisations did not work to any form of structured firmware lifecycle. Versions were all over the place. Firmware had been updated only a handful of times in recent months. Sometimes the version was so ancient it seemed almost prehistoric. And the larger the gap, the bigger the security risk.

Compliance means constant awareness of exactly which software version is running where and why, which policies govern updates, and much more. For Fortinet gear, the stakes are high: these devices are the soldiers on the frontline of your network.

In practice, devices must run not only the latest firmware but firmware that has been proven in your environment. This is where many get lost:

  • Regulatory standards require evidence of compliance, not just intentions.
  • Open doors: unpatched firmware means vulnerabilities that persist.
  • Manual updates? They are painful, error-prone and slow, and your adversaries will not wait.

Update Workflow

Automating firmware updates is like running a Formula 1 car: you need it to be fast, but you also need fail-safes.

PJ Networks came up with a workflow that’s FAST and SAFE, the miracle combination. Here’s how the magic works:

  1. Audit & Inventory: We begin with a full scan of the Fortinet environments — FortiGate firewalls, FortiAP wireless access points, and FortiAuthenticator appliances. We document the current firmware version compared with the manufacturer’s newest releases.
  2. Policy Definition: PJ Networks defines detailed update policies based on your business requirements and applicable regulation, such as PCI-DSS for banks or regional data-protection rules.
  3. Staging: There are no direct pushes to production. Updates are first run in a controlled staging environment to confirm that they work with the rest of the estate and that protections still hold up against malicious traffic.
  4. Automated Rollout & Verification: Following validation, updates are automatically rolled out during scheduled downtime periods. Post-update, an automatic validation takes place to ensure the device works fine.
  5. Rollback Trigger: Bad update? No sweat. Our system automatically rolls back to the last known good firmware.

This not only cuts errors, but also downtime — a dealbreaker for critical infrastructure.

Scheduling

No one wants critical infrastructure updating firmware at 9 a.m. on a Monday morning. (Trust me, I am all too aware of this problem.) A good deal of scheduling is art, and art is tricky business.

We collaborate with customers to schedule update windows that:

  • Avoid business peak hours.
  • Comply with the mandatory audit.
  • Reflect the organisation's change-management processes.

And here is my possibly controversial take: inflexible "update now" policies can actually be more dangerous if they ignore operational realities. My advice? As always, it is better to be flexible within a framework. This is not about putting updates off; it is about intelligent scheduling that respects your business rhythm.

Rollback Plans

I cannot stress this enough: when delivering firmware, always ensure you can roll back to a known-good state.

2003's Slammer worm, anyone? That taught me early how fast things can go to the dogs. Firmware updates are like cooking a complicated dinner: you always add that one spice too early, or you overcook the sauce. Without a rollback, you either grin and bear serving up the mess, or panic and try to make a second batch under time pressure.

In our automation scripts at PJ Networks, rollback testing is a prerequisite, not an option. What we build into our plans:

  • Immediate rollbacks if devices fail critical post-update health checks.
  • Protected firmware and configuration snapshots, taken before the update.
  • Rollback logs, which feed into compliance reports (more on those in the next section).

Clients like this: it means peace of mind, confidence that their systems will not be bricked by some bad code pushed overnight.

PJ Networks Automation

This is the rubber hitting the road — or the mixer hitting the dough, if that’s your metaphor of choice.

For some years, PJ Networks has been developing its own automation for the Fortinet infrastructure. Here’s why that matters:

  • Integration: Our tools directly access firmware data from FortiManager APIs, FortiGate devices and/or FortiAuthenticator units — no manual CSV uploads of error-prone spreadsheets.
  • Policy-Driven: This is not about one size fits all. We set the update cycles and compliance thresholds on a per-customer level.
  • Rollback Bliss: The rollback testing and automatic rollback execution I mentioned are built in.
  • Real-Time Compliance Reporting: Create audit-ready reports of the status of firmware revisions across all of your Fortinet devices in minutes, not days.

And through real experience, such as helping three of the largest banking institutions upgrade their zero-trust architectures, we know what works. PJ Networks' automation transforms firmware from a task you put off as long as you can into one you can carry out with confidence, risk-free.

Audit Reports

Ah, audit reports — the thing nobody likes until you NEED them. Because here’s the thing: Compliance isn’t doing the work, it’s proving you did the work. And if someone tells you that auditing is for the auditors, they obviously haven’t been managing multi-site Fortinet installations.

The PJ Networks reporting module provides:

  • Detailed Version Reports: See which firmware was running on each device, when it was last updated, and who updated it.
  • Update Success/Failure Logs: Transparency that survives the legal test.
  • Rollback Documentation: All rollbacks, their reasons, and the remediation steps taken.
  • Policy Compliance Status: Quick view of compliance against your standards.

These reports aren’t merely fodder for auditors; they empower security teams to identify trends and gaps well before anyone mandates a breach discussion.
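To make the workflow above concrete (steps 1 to 5 of the update workflow, the scheduling window, and the version, rollback and policy-compliance fields of the audit report), here is an added example. It is illustrative code written for this post, not PJ Networks' tooling or any Fortinet API: the device inventory, the approved-version policy, the maintenance window and the health-check outcomes are all constructed in-line, and the "FortiOS-style" version strings are an assumed dotted-numeric format. In a real deployment the inventory would be pulled from FortiManager or the devices themselves, and the health check would be a real post-update probe.

```python
# Added example (not PJ Networks' tooling): policy-driven compliance status,
# a maintenance-window gate, a rollout with post-update health check and
# automatic rollback, and an audit report. Inventory, policy, window and
# health-check outcomes are all constructed in-line; a real deployment would
# read the inventory from FortiManager or the devices themselves.
from dataclasses import dataclass, field
from datetime import datetime, time


def parse_version(version: str) -> tuple:
    """'7.2.5' -> (7, 2, 5) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


@dataclass
class Device:
    name: str
    product: str          # FortiGate, FortiAP or FortiAuthenticator
    version: str
    last_updated: str
    updated_by: str
    history: list = field(default_factory=list)   # update / rollback log entries


# Constructed policy (step 2): "approved" is the environment-proven target,
# "minimum" the floor below which a device is out of compliance outright.
POLICY = {
    "FortiGate":          {"approved": "7.2.8", "minimum": "7.2.5"},
    "FortiAP":            {"approved": "7.2.4", "minimum": "7.2.2"},
    "FortiAuthenticator": {"approved": "6.5.3", "minimum": "6.4.9"},
}

# Constructed timestamps: a Saturday 02:30 inside the window, a Monday 09:00 outside it.
INSIDE_WINDOW = datetime(2024, 6, 8, 2, 30)
OUTSIDE_WINDOW = datetime(2024, 6, 10, 9, 0)


def build_inventory() -> list:
    """Constructed audit result (step 1); names and versions are illustrative."""
    return [
        Device("fg-core-01", "FortiGate", "7.2.5", "2024-03-02", "admin-a"),
        Device("fg-branch-07", "FortiGate", "7.0.12", "2023-09-14", "admin-b"),
        Device("ap-lobby-03", "FortiAP", "7.2.4", "2024-05-20", "automation"),
        Device("fac-01", "FortiAuthenticator", "6.4.9", "2024-01-11", "admin-a"),
    ]


def compliance_status(dev: Device, policy: dict) -> str:
    """Compare the running version against the policy for that product."""
    target = policy[dev.product]
    current = parse_version(dev.version)
    if current >= parse_version(target["approved"]):
        return "compliant"
    if current >= parse_version(target["minimum"]):
        return "update-due"
    return "non-compliant"


def in_window(now: datetime, days=(5, 6), start=time(1, 0), end=time(4, 0)) -> bool:
    """Agreed change window (constructed): Saturday/Sunday 01:00-04:00."""
    return now.weekday() in days and start <= now.time() < end


def apply_update(dev: Device, target: str, health_check, now: datetime) -> dict:
    """Steps 4 and 5: snapshot, push, verify, roll back on a failed check."""
    snapshot = dev.version                 # last known good, recorded before the push
    dev.version = target
    entry = {"device": dev.name, "from": snapshot, "to": target,
             "at": now.isoformat(timespec="minutes"), "result": "success"}
    if health_check(dev):
        dev.last_updated, dev.updated_by = now.date().isoformat(), "automation"
    else:
        dev.version = snapshot             # automatic rollback, no human in the loop
        entry.update(result="rolled-back", reason="post-update health check failed")
    dev.history.append(entry)              # rollback log feeds the audit report
    return entry


def run_cycle(devices: list, policy: dict, now: datetime, health_check) -> list:
    """One scheduled run: nothing is pushed outside the agreed window."""
    if not in_window(now):
        return []
    return [apply_update(d, policy[d.product]["approved"], health_check, now)
            for d in devices if compliance_status(d, policy) != "compliant"]


def audit_report(devices: list, policy: dict) -> list:
    """Per-device view an auditor asks for: version, status, who/when, rollbacks."""
    return [{"device": d.name, "product": d.product, "version": d.version,
             "status": compliance_status(d, policy), "last_updated": d.last_updated,
             "updated_by": d.updated_by,
             "rollbacks": sum(h["result"] == "rolled-back" for h in d.history)}
            for d in devices]


def demo() -> dict:
    devices = build_inventory()
    skipped = run_cycle(devices, POLICY, OUTSIDE_WINDOW, lambda d: True)
    # Constructed health check: the branch firewall "fails" to simulate a bad update.
    events = run_cycle(devices, POLICY, INSIDE_WINDOW, lambda d: d.name != "fg-branch-07")
    return {"skipped": skipped, "events": events, "report": audit_report(devices, POLICY)}


if __name__ == "__main__":
    for row in demo()["report"]:
        print(row)
```

Running it shows the three points the post makes: the Monday run pushes nothing because it is outside the window, the core firewall and the FortiAuthenticator move to their approved versions, and the branch firewall that fails its health check is returned to its snapshot and shows up in the report as still non-compliant with one rollback on record, which is exactly the line item an auditor will ask about.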

Quick Take

  • Firmware updates on Fortinet gear are super important, but often overlooked.
  • Manual updating is just old-fashioned and dangerous.
  • PJ Networks fully automates the whole lifecycle, from audit through update and rollback all the way to compliance reporting.
  • Smart scheduling and tested rollback plans are not optional.
  • Quality Automation elevates firmware management from a risk to an advantage.

If you are still managing firmware updates manually on Fortinet devices (FortiGate, FortiAP or FortiAuthenticator), you are behind.

And if I can leave you with anything from the network and security trenches of nearly 30 years, it’s this:
Automation isn’t anti-control — it’s the mechanism for scaling security without burning out your people.

Now back to my coffee, and perhaps to more hardware hacks taking shape in my head. That is what sustains me.
—Sanjay Seth
Submitted by: Zakiuddin Rais Cyber Security Advisor, PJ Networks Pvt Ltd
