Frequently asked questions

What do I do if FortiOS returns an Invalid Username or Password/FortiCloud Internal Error/HTTP 400 error when activating FortiGate Cloud on the FortiOS GUI?

Do the following:

1. Ensure that you can log into FortiGate Cloud via a web browser using the same username and password that you attempted to activate FortiGate Cloud with on the FortiOS GUI.
2. Confirm that the FortiGate can ping logctrl1.fortinet.com or globallogctrl.fortinet.net.
3. Connect via Telnet to the resolved IP address from step 2 using port 443.
4. Ensure that the FortiGate Cloud account password length is less than 20 characters.
5. If running FortiOS 5.4 or older versions, ensure that the FortiGate Cloud account password does not include special characters, as these FortiOS versions do not support this.
6. If the FortiGate is a member of a high availability (HA) pair, ensure that you activate FortiGate Cloud on the primary device. Activate FortiGate Cloud on the primary FortiGate as To deploy a FortiGate/FortiWifi to FortiGate Cloud in the FortiOS GUI: describes. FortiGate Cloud activation on the primary FortiGate activates FortiGate Cloud on the secondary FortiGate. Local FortiGate Cloud activation on the secondary FortiGate fails.
7. Enable FortiGate Cloud debug in the CLI. The get command displays the device timezone, while the diagnose debug console timestamp enable command shows the date timestamp for the debug logs.

   config system global

   get

   end

   diagnose debug console timestamp enable

   execute fortiguard-log domain

   diagnose debug application forticldd -1

   diagnose debug enable

   execute fortiguard-log login email password

   Email any debug output to admin@forticloud.com.

8. If you see the HTTP 400 error, enable HTTP debug with the diagnose debug application httpsd -1 command.

Why can I log into the FortiGate Cloud but not activate the FortiGate Cloud account in FortiOS with the same credentials?

FortiOS 5.4 and older versions do not support passwords with special characters. If you are running FortiOS 5.4 or an older version and attempting to activate a FortiGate Cloud account with a password that includes special characters, the activation fails. You must remove special characters from the password, or upgrade to FortiOS 5.6 or a later version.

How can I move a FortiGate from account A to account B in the same region?

See To move a FortiGate/FortiWifi deployed to FortiGate Cloud to another account:.

How can I activate my FortiGate Cloud on HA-paired FortiGates?

Activate FortiGate Cloud on the primary FortiGate as To deploy a FortiGate/FortiWifi to FortiGate Cloud in the FortiOS GUI: describes. FortiGate Cloud activation on the primary FortiGate activates FortiGate Cloud on the secondary FortiGate. Local FortiGate Cloud activation on the secondary FortiGate fails.

You can also disable HA on both devices, activate FortiGate Cloud on each device, then enable HA.

How can I establish a management tunnel connection between my FortiGate and FortiGate Cloud?

config system central-management

set type fortiguard

end

diagnose fdsm contract-controller-update

fnsysctl killall fgfmd

What do I do if a FortiGate added by its cloud key stays in an inactive state for more than 24 hours?

1. Check the FortiGate network settings and ensure that port 443 is not blocked.
2. Connect via Telnet to logctrl1.fortinet.com or globallogctrl.fortinet.net (if FortiOS supports Anycast) through port 443.
3. In the FortiOS GUI, activate FortiGate Cloud as To deploy a FortiGate/FortiWifi to FortiGate Cloud in the FortiOS GUI: describes.

What do I do if the "Device is already in inventory" message appears when importing a FortiGate by key?

This message means that the device has already been added to an account inventory. Another user may have tried to add the device to another account. If you cannot find the device on the Inventory page, contact cs@fortinet.com.

What do I do if the invalid key message appears when importing a FortiGate by key?

The FortiCloud key is for one-time use only. Log into the FortiGate and activate FortiGate Cloud as To deploy a FortiGate/FortiWifi to FortiGate Cloud in the FortiOS GUI: describes instead. If you cannot connect to the FortiOS GUI, contact cs@fortinet.com to reenable the key.

What do I do if FortiGate Cloud activation via the FortiOS GUI succeeds, but I cannot find the FortiGate in the FortiGate Cloud portal?

When a new FortiGate is added to FortiGate Cloud, FortiGate Cloud dispatches it to the global or Europe region based on its IP address geolocation. If the FortiGate warranty region is Japan, FortiGate Cloud dispatches it to the Japan region.

How can I move a FortiGate from region A to region B?

1. Log in to FortiGate Cloud region A.
2. Undeploy the device.
3. Verify that the device has returned to the Inventory page.
4. Switch the portal to region B.
5. Go to Inventory and deploy the device.

How can I connect to FortiGate by remote access?

You must set the FortiOS central management setting to FortiCloud. The management tunnel status must be up. See How can I establish a management tunnel connection between my FortiGate and FortiGate Cloud?. See To remotely access a device:.

How can I activate FortiGate Cloud using a different email FortiCare account when FortiOS does not allow entering another email?

execute fortiguard-log login <email> <password>

What do I do if the migrate notice still appears after successful migration?

The migrate notice appears when FortiOS detects different email addresses used for FortiCare and FortiGate Cloud. FortiOS has a known issue that it is case-sensitive when verifying an email address. For example, FortiOS may consider example@mail.com and Example@mail.com as different email addresses. Contact cs@fortinet.com to ensure both accounts use all lower-case letters.

What do I do if FortiDeploy does not work?

1. Ensure that the FortiManager settings are correct and the device can connect to FortiManager.
2. Confirm that the central management setting on the device is set to FortiCloud.
3. Ensure that the device can connect to logctrl1.fortinet.com via port 443.
4. Import the device to the inventory by FortiCloud key. See To deploy a FortiGate/FortiWifi to FortiGate Cloud using the FortiCloud or FortiDeploy key:.
5. Deploy the device to FortiManager, then power up the device. If the device is already powered up, run execute fortiguard-log join.
6. If the FortiCloud key has been used and is invalid for reuse, log into the device GUI and activate FortiGate Cloud as To deploy a FortiGate/FortiWifi to FortiGate Cloud in the FortiOS GUI: describes.

What do I do if FortiOS does not upload logs?

Gather debug logs for the following commands, then send the debug output to fortigatecloud@forticloud.com. Check log upload settings on the FortiGate and ensure that it is configured to send logs to FortiGate Cloud:

execute telnet <log server IP address> 514

diagnose test application forticldd 1

diagnose test application miglogd 6

diagnose debug application miglogd -1

diagnose debug enable

What do I do if FortiGate Cloud cannot retrieve logs from FortiOS when data source is set as FortiGate Cloud?

Ensure that you can see logs in the FortiGate Cloud portal.

In poor network conditions, increase the timeout period to avoid connection timeout:

config log fortiguard setting

set conn-timeout 120

end

How can I export more than 1000 lines of logs?

See To download logs:.

How can I receive a daily report by email?

Ensure that FortiGate Cloud generated the scheduled report and that you have added the email address. See Reports.

Why does FortiGate not submit files for Sandbox scanning?

Check the FortiGate settings:

• For FortiOS 6.2 and later versions:
  • Ensure that FortiGate Cloud has been activated.
  • Go to Security Profiles > AntiVirus. Ensure that Suspicious Files Only or All Supported Files is enabled.
• For FortiOS 6.0 and earlier versions:
  • Go to System > Feature Visibility, then enable FortiSandbox Cloud.
  • Go to Security Fabric > Settings. Enable Sandbox Inspection.
  • Go to Security Profiles > AntiVirus. Ensure that Suspicious Files Only or All Supported Files is enabled.
  • Go to Policy & Objects > IPv4 Policy. Enable antivirus for the policy in use.

What backup retention does FortiGate Cloud provide?

Backup does not have storage limits. For licensed devices, the retention period is one year.

How does automatic backup work?

Automatic backup is either per session or day. FortiGate setting changes from FortiOS or FortiGate Cloud trigger backup. If there is no changes to FortiGate settings, FortiGate Cloud does not perform a backup. See To enable auto backup:.

What does it mean if a geolocation attribute configuration change log/alert is received?

This is a feature to sync a FortiGate device's geolocation information between the FortiOS GUI, FortiGate Cloud, and the Asset Management portal. When a new device is being provisioned, or there is a change in a provisioned device's IP address, or a user moves a device to another location on the map view, its new geolocation attributes are pushed to the device via the management tunnel with username as FortiGateCloud. Since the geolocation database may not be entirely accurate, it is possible that a device is placed at a wrong location on the map, but you can move the device to its correct location on Map View.

What do I do if FortiGate Cloud does not reflect a new hostname on a FortiGate or FortiGate Cloud overwrites a new FortiGate hostname?

To synchronize the local hostname on a FortiGate and in FortiGate Cloud, compare the times of the FortiGate Cloud portal change and the local hostname modification on the device GUI. Use whichever time is the latest.

• When you change the hostname within the FortiGate Cloud portal, FortiGate Cloud pushes the change to the device via the management tunnel.
• When you change the hostname within the device GUI, the device only sends the new hostname to FortiGate Cloud with its next FCP UpdateMgr request.

To ensure that FortiGate Cloud can immediately reflect hostname changes, you can run the diagnose fdsm contract-controller-update command in the CLI after changing the hostname:

Can I revert back from FortiGate Cloud 2.0 after upgrade?

Once the upgrade to FortiGate Cloud 2.0 is complete, you cannot revert back within the FortiGate Cloud portal. If you want to revert your FortiGate Cloud environment, contact the support team as soon as possible.

Why is my FortiGate deployed to a region other than global (U.S. or Europe)?

There are several possible cases:

• The FortiGate has a physical IP address outside of North America, and thus FortiGate Cloud's dispatcher server deploys the device according to its IP address's geolocation.
• When activating FortiGate Cloud from the web UI, for some FortiOS versions, the user could choose a region to deploy the device. The default region is global, and the user could optionally select Europe or U.S.
• For U.S. government orders, the FortiGate has a US-Government license key burnt in BIOS, and therefore such a device could only be provisioned to the US region of FortiGate Cloud. For a FortiGate VM instance, the default server location is usa, and therefore, to provision a VM instance to another region other than US, you must first change its server location configuration to 'automatic'.

How do I check if my FortiGate has been preset for a specific server location?

In CLI, browse for update-server-location under system fortiguard settings. For a device with a USG license key, update-server-location does not apply, so you can use the get system status to check for License Status: US-Government(USG).

Can I change the server location configuration?

Yes, for non-USG FortiGates, run the following commands in CLI to change this configuration:

config system fortiguard

set update-server-location <usa>|<automatic/any>|<eu>

end

If my FortiGate's server location is automatic/any, how do I deploy it to my preferred region?

You may choose the preferred region from the web UI FortiGate Cloud activation page, or run the following commands in the CLI: exe fortiguard-log login <email> <password> <GLOBAL|EUROPE|US>.

Can I migrate logs uploaded or reports generated to a different region?

No, you cannot migrate existing data cannot to another region. FortiGate Cloud only uploads new data to the new region from the time that you updated the region settings.

How do I choose my region for the FortiGate Cloud (Premium) portal?

FortiGate Cloud (Premium)’s region is the region from which the upgrade is initiated. Once upgraded, you cannot simultaneously use other regions in the FortiGate Cloud (Premium) portal. Using a different account or enabling multitenancy is recommended for multiregion scenarios.

How do I change my region in the FortiGate Cloud (Premium) portal?

Migrating to another region for the same account is not permitted as the data cannot be allowed to move across the regions. Instead, creating a new account and reprovisioning the devices to the new account is recommended.

How do I transfer a FortiGate to a FortiGate Cloud that is under the same FortiCloud account that it is registered to?

See To transfer a FortiGate to a FortiGate Cloud instance that is under the same FortiCloud account that it is registered to:.

What should I do if I accidentally upgrade FortiOS to 7.4.2 or higher on a FortiGate without a FortiGate Cloud Service subscription and remote access to the device becomes read-only?

For the following FortiOS versions, the remote access feature requires a FortiGate Cloud Service subscription license on the FortiGate to have read and write access:

• 7.4.2 and later versions
• 7.2.8 and later versions
• 7.0.14 and later versions

If you are considering or in the process of purchasing the license, contact our Support team. They can apply a short-term trial license to your device to resolve the issue. Alternatively, you can access your FortiGate via its web interface. If you do not have access to the FortiGate's web interface, contact our Support team with a description of the situation.