Version: 22.4.0

Frequently asked questions

What do I do if FortiOS returns an Invalid Username or Password/FortiCloud Internal Error/HTTP 400 error when activating FortiGate Cloud on the FortiOS GUI?

Do the following:

  1. Ensure that you can log into FortiGate Cloud via a web browser using the same username and password that you attempted to activate FortiGate Cloud with on the FortiOS GUI.
  2. Confirm that the FortiGate can ping logctrl1.fortinet.com or globallogctrl.fortinet.net. globallogctrl.fortinet.net is the Anycast FortiADC hostname for devices running FortiOS 6.2.5 or FortiOS 6.4.
  3. Connect via Telnet to the resolved IP address from step 2 using port 443.
  4. Ensure that the FortiGate Cloud account password length is less than 20 characters.
  5. If running FortiOS 5.4 or older versions, ensure that the FortiGate Cloud account password does not include special characters, as these FortiOS versions do not support this.
  6. If the FortiGate is a member of a high availability (HA) pair, ensure that you activate FortiGate Cloud on the primary device. Activate FortiGate Cloud on the primary FortiGate as described in "To deploy a FortiGate/FortiWifi to FortiGate Cloud in the FortiOS GUI". FortiGate Cloud activation on the primary FortiGate activates FortiGate Cloud on the secondary FortiGate. Local FortiGate Cloud activation on the secondary FortiGate will fail.
  7. Enable FortiGate Cloud debug in the CLI. The get command displays the device timezone, while the diagnose debug console timestamp enable command shows the date timestamp for the debug logs.

    config system global
        get
    end
    diagnose debug console timestamp enable
    execute fortiguard-log domain
    diagnose debug app forticldd -1
    diagnose debug enable
    execute fortiguard-log login <email> <password>

    Email any debug output to admin@forticloud.com.

  8. If you see the HTTP 400 error, enable HTTP debug with the diagnose debug app httpsd -1 command.

Why can I log into the FortiGate Cloud but not activate the FortiGate Cloud account in FortiOS with the same credentials?

FortiOS 5.4 and older versions do not support passwords with special characters. If you are running FortiOS 5.4 or an older version and attempting to activate a FortiGate Cloud account with a password that includes special characters, the activation fails. You must remove special characters from the password, or upgrade to FortiOS 5.6 or a later version.

How can I change the FortiGate Cloud account ID from A to B?

See "To replace a FortiGate Cloud user account ID with a new email address".

How can I move a FortiGate from account A to account B in the same region?

See "To move a FortiGate/FortiWifi deployed to FortiGate Cloud to another account".

How can I activate my FortiGate Cloud on HA-paired FortiGates?

Activate FortiGate Cloud on the primary FortiGate as described in "To deploy a FortiGate/FortiWifi to FortiGate Cloud in the FortiOS GUI". FortiGate Cloud activation on the primary FortiGate activates FortiGate Cloud on the secondary FortiGate. Local FortiGate Cloud activation on the secondary FortiGate will fail.

You can also disable HA on both devices, activate FortiGate Cloud on each device, then enable HA.

How can I see management tunnel status in FortiOS?

    config system central-management
        set type fortiguard
    end
    diagnose fdsm contract-controller-update
    fnsysctl killall fgfmd

What do I do if a FortiGate added by its cloud key stays in an inactive state for more than 24 hours?

  1. Check the FortiGate network settings and ensure that port 443 is not blocked.
  2. Connect via Telnet to logctrl1.fortinet.com or globallogctrl.fortinet.net (if FortiOS supports Anycast) through port 443.
  3. In the FortiOS GUI, activate FortiGate Cloud as described in "To deploy a FortiGate/FortiWifi to FortiGate Cloud in the FortiOS GUI".

What do I do if the "Device is already in inventory" message appears when importing a FortiGate by key?

This message means that the device has already been added to an account inventory. Another user may have tried to add the device to another account. If you cannot find the device on the Inventory page, contact cs@fortinet.com.

What do I do if the invalid key message appears when importing a FortiGate by key?

The FortiCloud key is for one-time use only. Instead, log into the FortiGate and activate FortiGate Cloud as described in "To deploy a FortiGate/FortiWifi to FortiGate Cloud in the FortiOS GUI". If you cannot connect to the FortiOS GUI, contact cs@fortinet.com to reenable the key.

What do I do if FortiGate Cloud activation via the FortiOS GUI succeeds, but I cannot find the FortiGate in the FortiGate Cloud portal?

When a new FortiGate is added to FortiGate Cloud, it is dispatched to the global or Europe region based on its IP address geolocation. If the FortiGate warranty region is Japan, it is dispatched to the Japan region.

How can I move a FortiGate from region A to region B?

  1. Log in to FortiGate Cloud region A.
  2. Undeploy the device.
  3. Verify that the device has returned to the Inventory page.
  4. Switch the portal to region B.
  5. Go to Inventory and deploy the device.

How can I connect to FortiGate by remote access?

You must set the FortiOS central management setting to FortiCloud. The management tunnel status must be up. See "How can I see management tunnel status in FortiOS?" and "To remotely access a device".

How can I activate FortiGate Cloud using a different email FortiCare account when FortiOS does not allow entering another email?

execute fortiguard-log login <email> <password>

What do I do if the migrate notice still appears after successful migration?

The migrate notice appears when FortiOS detects different email addresses used for FortiCare and FortiGate Cloud. FortiOS has a known issue: it is case-sensitive when verifying an email address. For example, FortiOS may consider example@mail.com and Example@mail.com as different email addresses. Contact cs@fortinet.com to ensure both accounts use all lower-case letters.

What do I do if FortiDeploy does not work?

  1. Ensure that the FortiManager settings are correct and the device can connect to FortiManager.
  2. Confirm that the central management setting on the device is set to FortiCloud.
  3. Ensure that the device can connect to logctrl1.fortinet.com via port 443.
  4. Import the device to the inventory by FortiCloud key. See "To deploy a FortiGate/FortiWifi to FortiGate Cloud using the FortiCloud key".
  5. Deploy the device to FortiManager, then power up the device. If the device is already powered up, run execute fortiguard-log join.
  6. If the FortiCloud key has been used and is invalid for reuse, log into the device GUI and activate FortiGate Cloud as described in "To deploy a FortiGate/FortiWifi to FortiGate Cloud in the FortiOS GUI".

What do I do if FortiOS does not upload logs?

Gather debug logs for the following commands, then send the debug output to admin@forticloud.com:

    execute telnet <Log server IP address> 514
    diagnose test app forticldd 1
    diagnose test app miglogd 6
    diagnose debug app miglogd -1
    diagnose debug enable

What do I do if logs cannot be retrieved from FortiOS when data source is set as FortiGate Cloud?

Ensure that you can see logs in the FortiGate Cloud portal.

In poor network conditions, increase the timeout period to avoid connection timeout:

    config log fortiguard setting
        set conn-timeout 120
    end

How can I export more than 1000 lines of logs?

See "To download logs".

How can I receive a daily report by email?

Ensure that the scheduled report has been generated and that the email address has been added. See Reports.

Why is FortiGate not submitting files for Sandbox scanning?

Check the FortiGate settings:

  • For FortiOS 6.2 and later versions:
    • Ensure that FortiGate Cloud has been activated.
    • Go to Security Profiles > AntiVirus. Ensure that Suspicious Files Only or All Supported Files is enabled.
  • For FortiOS 6.0 and earlier versions:
    • Go to System > Feature Visibility, then enable FortiSandbox Cloud.
    • Go to Security Fabric > Settings. Enable Sandbox Inspection.
    • Go to Security Profiles > AntiVirus. Ensure that Suspicious Files Only or All Supported Files is enabled.
    • Go to Policy & Objects > IPv4 Policy. Enable antivirus for the policy in use.

What public IP addresses and ports does FortiGate Cloud use?

FortiGate Cloud uses the TCP ports 80, 443, 514, 541, and UDP ports 5246/5247. IP address ranges differ depending on the region:

| Region | IP address range |
| --- | --- |
| Global | 208.91.113.0/24, 173.243.132.0/24 |
| Japan | 208.91.113.0/24, 173.243.132.0/24. Subnet is 210.7.96.0/24. Gateway IP address is 210.7.96.1. |
| Germany | 154.52.10.0/24 |
| France | 154.45.6.0/24 |
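
The following added example (not from Fortinet's documentation) audits an upstream egress policy against the ports and regional ranges listed above and reports every documented flow that is not fully allowed. The `Rule` format, first-match evaluation, and implicit default deny are assumptions made for illustration, and the sample rules are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Ports and regional ranges as listed in the FAQ above.
TCP_PORTS = (80, 443, 514, 541)
UDP_PORTS = (5246, 5247)
REGION_RANGES = {
    "Global": ["208.91.113.0/24", "173.243.132.0/24"],
    # The Japan row lists the global ranges plus the 210.7.96.0/24 subnet.
    "Japan": ["208.91.113.0/24", "173.243.132.0/24", "210.7.96.0/24"],
    "Germany": ["154.52.10.0/24"],
    "France": ["154.45.6.0/24"],
}


@dataclass
class Rule:
    """Hypothetical upstream egress rule (not a FortiOS object)."""
    action: str   # "allow" or "deny"
    proto: str    # "tcp", "udp" or "any"
    dst: str      # destination CIDR
    ports: tuple  # inclusive (low, high) destination port range


def _matches_proto_port(rule, proto, port):
    return rule.proto in (proto, "any") and rule.ports[0] <= port <= rule.ports[1]


def verdict(rules, proto, cidr, port):
    """Evaluate one documented flow against the policy, first match wins.

    Returns the action of the first rule that covers the whole range,
    "partial" if the first rule touching the range covers only part of it,
    or "deny" when nothing matches (assumed implicit default deny).
    """
    net = ipaddress.ip_network(cidr)
    for rule in rules:
        if not _matches_proto_port(rule, proto, port):
            continue
        rule_net = ipaddress.ip_network(rule.dst)
        if net.subnet_of(rule_net):
            return rule.action
        if net.overlaps(rule_net):
            return "partial"
    return "deny"


def audit(rules, region):
    """List (proto, cidr, port, verdict) for each flow that is not fully allowed."""
    gaps = []
    for cidr in REGION_RANGES[region]:
        for proto, ports in (("tcp", TCP_PORTS), ("udp", UDP_PORTS)):
            for port in ports:
                result = verdict(rules, proto, cidr, port)
                if result != "allow":
                    gaps.append((proto, cidr, port, result))
    return gaps


# Constructed sample policy with three typical mistakes.
SAMPLE_RULES = [
    Rule("deny", "tcp", "0.0.0.0/0", (514, 514)),           # blanket block shadows later allows
    Rule("allow", "tcp", "208.91.112.0/23", (1, 1023)),     # covers only one of the two ranges
    Rule("allow", "tcp", "173.243.132.0/24", (443, 443)),   # 443 only, other ports missing
    Rule("allow", "udp", "208.91.113.0/25", (5246, 5247)),  # half of the /24
]

if __name__ == "__main__":
    for proto, cidr, port, result in audit(SAMPLE_RULES, "Global"):
        print(f"{result:8} {proto}/{port:<5} -> {cidr}")
```
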

What backup retention does FortiGate Cloud provide?

Backup does not have storage limits. For licensed devices, the retention period is one year. For unlicensed devices, the retention period is seven days.

How does automatic backup work?

Automatic backup is either per session or per day. FortiGate setting changes from FortiOS or FortiGate Cloud trigger backup. If there are no changes to FortiGate settings, FortiGate Cloud does not perform a backup. See "To enable auto backup".

What does it mean if a geolocation attribute configuration change log/alert is received?

This is a new feature that syncs a FortiGate device's geolocation information between the FortiOS GUI, FortiGate Cloud, and the Asset Management portal. When a new device is provisioned, a provisioned device's IP address changes, or a user moves a device to another location on the map view, the new geolocation attributes are pushed to the device via the management tunnel with the username FortiGateCloud. Because the geolocation database may not be entirely accurate, a device may be placed at the wrong location on the map, but you can move the device to its correct location on Map View.

What do I do if FortiGate Cloud does not reflect a new hostname on a FortiGate or FortiGate Cloud overwrites a new FortiGate hostname?

To synchronize the local hostname on a FortiGate and in FortiGate Cloud, compare the times of the FortiGate Cloud portal change and the local hostname modification on the device GUI. Use whichever time is the latest.

  • When you change the hostname within the FortiGate Cloud portal, FortiGate Cloud pushes the change to the device via the management tunnel.
  • When you change the hostname within the device GUI, the device only sends the new hostname to FortiGate Cloud with its next FCP UpdateMgr request.

To ensure that FortiGate Cloud can immediately reflect hostname changes, you can run the diagnose fdsm contract-controller-update command in the CLI after changing the hostname.

Can I revert back from FortiGate Cloud 2.0 after upgrade?

Once the upgrade to FortiGate Cloud 2.0 is complete, you cannot revert back within the FortiGate Cloud portal. If you want to revert your FortiGate Cloud environment, contact the support team as soon as possible.

Why is my FortiGate deployed to a region other than global (U.S. or Europe)?

There are several possible cases:

  • The FortiGate has a physical IP address outside of North America, and thus FortiGate Cloud's dispatcher server deploys the device according to its IP address's geolocation.
  • When activating FortiGate Cloud from the web UI, for some FortiOS versions, the user could choose a region to deploy the device. The default region is global, and the user could optionally select Europe or U.S.
  • For U.S. government orders, the FortiGate has a US-Government license key burned into the BIOS, so such a device can only be provisioned to the US region of FortiGate Cloud. For a FortiGate VM instance, the default server location is usa; to provision a VM instance to a region other than US, you must first change its server location configuration to 'automatic'.

How do I check if my FortiGate has been preset for a specific server location?

In the CLI, look for update-server-location under system fortiguard settings. For a device with a USG license key, update-server-location does not apply, so you can use the get system status command to check for License Status: US-Government(USG).

Can I change the server location configuration?

Yes, for non-USG FortiGates, run the following commands in CLI to change this configuration:

    config system fortiguard
        set update-server-location <usa>|<automatic/any>|<eu>
    end

If my FortiGate's server location is automatic/any, how do I deploy it to my preferred region?

You may choose the preferred region from the web UI FortiGate Cloud activation page, or run the following command in the CLI: exe fortiguard-log login <email> <password> <GLOBAL|EUROPE|US>.

Can I migrate logs uploaded or reports generated to a different region?

No, you cannot migrate existing data to another region. FortiGate Cloud only uploads new data to the new region from the time that you updated the region settings.

How do I choose my region for the FortiGate Cloud (Premium) portal?

FortiGate Cloud (Premium)’s region is the region from which the upgrade is initiated. Once upgraded, you cannot simultaneously use other regions in the FortiGate Cloud (Premium) portal. Using a different account or enabling multitenancy is recommended for multiregion scenarios.

How do I change my region in the FortiGate Cloud (Premium) portal?

Migrating to another region for the same account is not permitted because data is not allowed to move across regions. Instead, creating a new account and reprovisioning the devices to the new account is recommended.
