Fortinet Document Library

Version: 21.4.0

Frequently asked questions

What do I do if FortiOS returns an "Invalid Username or Password"/"FortiCloud Internal Error"/"HTTP 400" error when activating FortiGate Cloud on the FortiOS GUI?

Do the following:

  1. Ensure that you can log into FortiGate Cloud via a web browser using the same username and password that you attempted to activate FortiGate Cloud with on the FortiOS GUI.
  2. Confirm that the FortiGate can ping logctrl1.fortinet.com or globallogctrl.fortinet.net. The latter is the Anycast FortiADC hostname for devices running FortiOS 6.2.5 or FortiOS 6.4.
  3. Connect via Telnet to the resolved IP address from step 2 using port 443.
  4. Ensure that the FortiGate Cloud account password length is less than 20 characters.
  5. If running FortiOS 5.4 or older versions, ensure that the FortiGate Cloud account password does not include special characters, as these FortiOS versions do not support them.
  6. If the FortiGate is a member of a high availability (HA) pair, ensure that you activate FortiGate Cloud on the primary device, as described in "To deploy a FortiGate/FortiWifi to FortiGate Cloud in the FortiOS GUI". FortiGate Cloud activation on the primary FortiGate activates FortiGate Cloud on the secondary FortiGate. Local FortiGate Cloud activation on the secondary FortiGate will fail.
  7. Enable FortiGate Cloud debug in the CLI. The get command displays the device timezone, while the diagnose debug console timestamp enable command shows the date timestamp for the debug logs.

    config system global
    get
    end
    diagnose debug console timestamp enable
    execute fortiguard-log domain
    diagnose debug app forticldd -1
    diagnose debug enable
    execute fortiguard-log login <email> <password>

     Email any debug output to admin@forticloud.com.

  8. If you see the HTTP 400 error, enable HTTP debug with the diagnose debug app httpsd -1 command.

Why can I log into the FortiGate Cloud but not activate the FortiGate Cloud account in FortiOS with the same credentials?

FortiOS 5.4 and older versions do not support passwords with special characters. If you are running FortiOS 5.4 or an older version and attempting to activate a FortiGate Cloud account with a password that includes special characters, the activation fails. You must remove special characters from the password, or upgrade to FortiOS 5.6 or a later version.

How can I change the FortiGate Cloud account ID from A to B?

See "To replace a FortiGate Cloud user account ID with a new email address".

How can I move a FortiGate from account A to account B in the same region?

See "To move a FortiGate/FortiWifi deployed to FortiGate Cloud to another account".

How can I activate my FortiGate Cloud on HA-paired FortiGates?

Activate FortiGate Cloud on the primary FortiGate as described in "To deploy a FortiGate/FortiWifi to FortiGate Cloud in the FortiOS GUI". FortiGate Cloud activation on the primary FortiGate activates FortiGate Cloud on the secondary FortiGate. Local FortiGate Cloud activation on the secondary FortiGate will fail.

You can also disable HA on both devices, activate FortiGate Cloud on each device, then enable HA.

How can I see management tunnel status in FortiOS?

    config system central-management
    set type fortiguard
    end
    diagnose fdsm contract-controller-update
    fnsysctl killall fgfmd

What do I do if a FortiGate added by its cloud key stays in an inactive state for more than 24 hours?

  1. Check the FortiGate network settings and ensure that port 443 is not blocked.
  2. Connect via Telnet to logctrl1.fortinet.com or globallogctrl.fortinet.net (if FortiOS supports Anycast) through port 443.
  3. In the FortiOS GUI, activate FortiGate Cloud as described in "To deploy a FortiGate/FortiWifi to FortiGate Cloud in the FortiOS GUI".

What do I do if the "Device is already in inventory" message appears when importing a FortiGate by key?

This message means that the device has already been added to an account inventory. Another user may have tried to add the device to another account. If you cannot find the device on the Inventory page, contact cs@fortinet.com.

What do I do if the invalid key message appears when importing a FortiGate by key?

The FortiCloud key is for one-time use only. Instead, log into the FortiGate and activate FortiGate Cloud as described in "To deploy a FortiGate/FortiWifi to FortiGate Cloud in the FortiOS GUI". If you cannot connect to the FortiOS GUI, contact cs@fortinet.com to re-enable the key.

What do I do if FortiGate Cloud activation via the FortiOS GUI succeeds, but I cannot find the FortiGate in the FortiGate Cloud portal?

When a new FortiGate is added to FortiGate Cloud, it is dispatched to the global or Europe region based on its IP address geolocation. If the FortiGate warranty region is Japan, it is dispatched to the Japan region.

How can I move a FortiGate from region A to region B?

  1. Log in to FortiGate Cloud region A.
  2. Undeploy the device.
  3. Verify that the device has returned to the Inventory page.
  4. Switch the portal to region B.
  5. Go to Inventory and deploy the device.

How can I connect to FortiGate by remote access?

You must set the FortiOS central management setting to FortiCloud. The management tunnel status must be up. See "How can I see management tunnel status in FortiOS?" and "To remotely access a device".

How can I activate FortiGate Cloud using a different email FortiCare account when FortiOS does not allow entering another email?

Run the following command in the FortiOS CLI:

    execute fortiguard-log login <email> <password>

What do I do if the migrate notice still appears after successful migration?

The migrate notice appears when FortiOS detects different email addresses used for FortiCare and FortiGate Cloud. FortiOS has a known issue where email address verification is case-sensitive. For example, FortiOS may consider example@mail.com and Example@mail.com as different email addresses. Contact cs@fortinet.com to ensure both accounts use all lowercase letters.

What do I do if FortiDeploy does not work?

  1. Ensure that the FortiManager settings are correct and the device can connect to FortiManager.
  2. Confirm that the central management setting on the device is set to FortiCloud.
  3. Ensure that the device can connect to logctrl1.fortinet.com via port 443.
  4. Import the device to the inventory by FortiCloud key. See "To deploy a FortiGate/FortiWifi to FortiGate Cloud using the FortiCloud key".
  5. Deploy the device to FortiManager, then power up the device. If the device is already powered up, run execute fortiguard-log join.
  6. If the FortiCloud key has been used and is invalid for reuse, log into the device GUI and activate FortiGate Cloud as described in "To deploy a FortiGate/FortiWifi to FortiGate Cloud in the FortiOS GUI".

What do I do if FortiOS does not upload logs?

Gather debug logs for the following commands, then send the debug output to admin@forticloud.com:

    execute telnet <Log server IP address> 514
    diagnose test app forticldd 1
    diagnose test app miglogd 6
    diagnose debug app miglogd -1
    diagnose debug enable

What do I do if logs cannot be retrieved from FortiOS when data source is set as FortiGate Cloud?

Ensure that you can see logs in the FortiGate Cloud portal.

In poor network conditions, increase the timeout period to avoid connection timeout:

    config log fortiguard setting
    set conn-timeout 120
    end

How can I export more than 1000 lines of logs?

See "To download logs".

How can I receive a daily report by email?

Ensure that the scheduled report has been generated and that the email address has been added. See Reports.

Why is FortiGate not submitting files for Sandbox scanning?

Check the FortiGate settings:

  • For FortiOS 6.2 and later versions:
    • Ensure that FortiGate Cloud has been activated.
    • Go to Security Profiles > AntiVirus. Ensure that Suspicious Files Only or All Supported Files is enabled.
  • For FortiOS 6.0 and earlier versions:
    • Go to System > Feature Visibility, then enable FortiSandbox Cloud.
    • Go to Security Fabric > Settings. Enable Sandbox Inspection.
    • Go to Security Profiles > AntiVirus. Ensure that Suspicious Files Only or All Supported Files is enabled.
    • Go to Policy & Objects > IPv4 Policy. Enable antivirus for the policy in use.

What public IP addresses and ports does FortiGate Cloud use?

FortiGate Cloud uses TCP ports 80, 443, 514, and 541, and UDP ports 5246/5247. IP address ranges differ depending on the region:

| Region | IP address range |
| --- | --- |
| Global | 208.91.113.0/24, 173.243.132.0/24 |
| Japan | 208.91.113.0/24, 173.243.132.0/24. Subnet is 210.7.96.0/24. Gateway IP address is 210.7.96.1. |
| Germany | 154.52.10.0/24 |
| France | 154.45.6.0/24 |
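
The ports and per-region ranges listed above can be used to audit egress firewall logs for a FortiGate's cloud traffic. The following is an added example, not Fortinet code: the flow tuples, verdict names, and the choice to treat 210.7.96.0/24 as part of the Japan entry are assumptions made for illustration.

```python
import ipaddress

# Ports and ranges copied from the FAQ answer above. The 210.7.96.0/24
# subnet is treated as part of the Japan entry (assumption from the layout).
REGION_RANGES = {
    "Global": ["208.91.113.0/24", "173.243.132.0/24"],
    "Japan": ["208.91.113.0/24", "173.243.132.0/24", "210.7.96.0/24"],
    "Germany": ["154.52.10.0/24"],
    "France": ["154.45.6.0/24"],
}
ALLOWED_PORTS = {"tcp": {80, 443, 514, 541}, "udp": {5246, 5247}}
# Assumption: 80/443 to other addresses is ordinary web traffic, so only
# the remaining FortiGate Cloud ports are flagged when seen off-range.
NON_WEB_PORTS = {("tcp", 514), ("tcp", 541), ("udp", 5246), ("udp", 5247)}

def regions_for(ip):
    """Return the sorted regions whose documented ranges contain ip."""
    addr = ipaddress.ip_address(ip)
    return sorted(region for region, nets in REGION_RANGES.items()
                  if any(addr in ipaddress.ip_network(net) for net in nets))

def classify(dst, proto, port, region):
    """Classify one egress flow from a device deployed in `region`."""
    proto = proto.lower()
    port_ok = port in ALLOWED_PORTS.get(proto, set())
    regions = regions_for(dst)
    if region in regions:
        return "expected" if port_ok else "unexpected-port"
    if regions:
        return "wrong-region" if port_ok else "unexpected-port"
    if (proto, port) in NON_WEB_PORTS:
        return "off-range"  # FortiGate Cloud port, undocumented address
    return "unrelated"

def audit(flows, region):
    """Return (flow, verdict) pairs that deserve a second look."""
    results = [(f, classify(*f, region)) for f in flows]
    return [(f, v) for f, v in results if v not in ("expected", "unrelated")]

# Constructed sample flows (dst, proto, port); 198.51.100.0/24 is a
# documentation range standing in for an arbitrary Internet host.
SAMPLE_FLOWS = [
    ("208.91.113.10", "tcp", 443),
    ("154.52.10.20", "tcp", 514),
    ("173.243.132.7", "tcp", 8443),
    ("198.51.100.9", "udp", 5246),
    ("198.51.100.9", "tcp", 443),
]

if __name__ == "__main__":
    for flow, verdict in audit(SAMPLE_FLOWS, "Global"):
        print(flow, verdict)
```

A "wrong-region" verdict lines up with the region dispatch behaviour described earlier in this FAQ, while "off-range" marks log or management-port traffic leaving for an address outside the documented ranges.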

What backup retention does FortiGate Cloud provide?

Backup does not have storage limits. For licensed devices, the retention period is one year. For unlicensed devices, the retention period is seven days.

How does automatic backup work?

Automatic backup is either per session or per day. FortiGate setting changes from FortiOS or FortiGate Cloud trigger backup. If there are no changes to FortiGate settings, FortiGate Cloud does not perform a backup. See "To enable auto backup".
