<?xml version="1.0"?>
<rss version="2.0">
    
                    <channel>
        <title>Join the conversation</title>
        <link>https://community.fortinet.com</link>
        <description>On the Forum you can ask questions or take part in discussions.</description>
                <item>
            <title>FortiGate 40C won’t boot – only PWR LED on, no console output</title>
            <link>https://community.fortinet.com/support-forum-92/fortigate-40c-won-t-boot-only-pwr-led-on-no-console-output-213771</link>
            <description>Hello everyone,

I recently got a used FortiGate 40C from a company. I successfully registered and transferred it to my FortiCloud account and everything seemed fine at first.

However, today when I tried to power it on, it doesn’t boot properly anymore:

The PWR LED stays solid (on).
The WAN port LEDs blink when I connect cables.
The LAN port LED does not blink at all when cables are connected.
When I connect via console cable, I get no output on the terminal (I tested the cable with another FortiGate and it works normally).

It looks like the device is stuck and not completing the boot process.

Has anyone experienced something similar with a FortiGate 40C? Is there any recovery method (like TFTP or firmware reload) that I could try, or does this usually indicate a hardware failure?

Any help or guidance would be greatly appreciated.

Thanks in advance!</description>
            <category>Support Forum</category>
            <pubDate>Wed, 24 Jun 2026 00:10:39 +0200</pubDate>
        </item>
                <item>
            <title>FortiClient Android IKEv2 SAML</title>
            <link>https://community.fortinet.com/support-forum-92/forticlient-android-ikev2-saml-228471</link>
            <description>Hello,

Has anyone managed to get a working configuration for FortiClient on Android while using SAML?

According to the documentation this should be possible but for some reason I cannot seem to figure out this isn't working, something else that throws me off is the config with X.509 certificates in order to be able to configure the SAML port, while having EAP disabled and SSO enabled.

I have a working setup for Windows clients working, a separate IPsec tunnel from the one I’ve conducted my tests using a networkid but on the Android phone after the IdP prompt where I enter the credentials it doesn't do anything.

FGT: 7.4.11
FCT: 7.4.6
IdP: Keycloak</description>
            <category>Support Forum</category>
            <pubDate>Tue, 23 Jun 2026 22:03:39 +0200</pubDate>
        </item>
                <item>
            <title>Technical Tip: Recommended release for FortiOS</title>
            <link>https://community.fortinet.com/fortigate-3/technical-tip-recommended-release-for-fortios-116639</link>
            <description>Description

This article exists to help users determine the most appropriate software release for FortiOS. The recommendations stated below are the latest as of February 2026 and are reviewed and updated every quarter.

The information in this document is not meant to be exhaustive and is intended to serve as general guidance to customers, especially in cases of mass deployments/upgrades. When working with Fortinet SEs, Professional Services, or TAC, it is important to refer to their specific guidance. An additional FAQ covers related questions about this article. Subscribe to the RSS feed by clicking on the three-dotted menu button to keep up to date on the latest changes to this article.

Scope

This document gives general FortiOS software recommendations for general customer deployments, with a focus on general stability, and is updated quarterly. For customers who may be leveraging the latest features, the latest FortiOS versions may be more applicable.

Solution

Columns: Product Details | Recommended Release | End of Engineering Support Passed (Y/N)

Product Family: Low End
FortiGateRugged-35D | 6.2.17 | Y
FortiGate-30E | 6.2.17 | Y
FortiWiFi-30E | 6.2.17 | Y
FortiGate-30G | 7.4.11 | N
FortiGate-31G | 7.4.11 | N
FortiWiFi-30G | 7.4.11 | N
FortiGate-40F | 7.6.6 | N
FortiWiFi-40F | 7.6.6 | N
FortiGate-40F-3G4G | 7.6.6 | N
FortiWiFi-40F-3G4G | 7.6.6 | N
FortiGate-50E | 6.2.17 | Y
FortiWiFi-50E | 6.2.17 | Y
FortiGate-51E | 6.2.17 | Y
FortiWiFi-51E | 6.2.17 | Y
FortiGate-52E | 6.2.17 | Y
FortiGate-50G/51G and variants | 7.6.6 | N
FortiWiFi-50G/51G and variants | 7.6.6 | N
FortiGate-60E | 7.4.11 | N
FortiWiFi-60E | 7.4.11 | N
FortiGate-60F | 7.6.6 | N
FortiWiFi-60F | 7.6.6 | N
FortiGate-61F | 7.6.6 | N
FortiWiFi-61F | 7.6.6 | N
FortiGateRugged-60F | 7.6.6 | N
FortiGateRugged-60F-3G4G | 7.6.6 | N
FortiGate-70F | 7.6.6 | N
FortiGate-71F | 7.6.6 | N
FortiGateRugged-70F | 7.6.6 | N
FortiGateRugged-70F-3G4G | 7.6.6 | N
FortiGate-70G/71G and variants | 7.6.6 | N
FortiWiFi-70G/71G and variants | 7.6.6 | N
FortiGate-80E | 7.4.11 | N
FortiGate-81E | 7.4.11 | N
FortiGate-80F | 7.6.6 | N
FortiGate-81F | 7.6.6 | N
FortiGate-90E | 7.4.11 | N
FortiGate-90G | 7.6.6 | N
FortiGate-91G | 7.6.6 | N
FortiGate-98D-POE | 6.0.18 | Y

Product Family: Mid Range
FortiGate-100E | 7.2.11 | Y
FortiGate-101E | 7.2.11 | Y
FortiGate-100F | 7.6.6 | N
FortiGate-101F | 7.6.6 | N
FortiGate-120G | 7.6.6 | N
FortiGate-121G | 7.6.6 | N
FortiGate-140E | 7.4.11 | N
FortiGate-200E | 7.6.6 | N
FortiGate-200F | 7.6.6 | N
FortiGate-201E | 7.6.6 | N
FortiGate-201F | 7.6.6 | N
FortiGate-200G/201G | 7.6.6 | N
FortiGate-240D | 6.0.18 | Y
FortiGate-280D | 6.0.18 | Y
FortiGate-300E | 7.6.6 | N
FortiGate-301E | 7.6.6 | N
FortiGate-400E | 7.6.6 | N
FortiGate-400E-BYPASS | 7.6.6 | N
FortiGate-401E | 7.6.6 | N
FortiGate-400F | 7.6.6 | N
FortiGate-401F | 7.6.6 | N
FortiGate-500E | 7.6.6 | N
FortiGate-501E | 7.6.6 | N
FortiGate-600E | 7.6.6 | N
FortiGate-600F | 7.6.6 | N
FortiGate-601E | 7.6.6 | N
FortiGate-601F | 7.6.6 | N
FortiGate-800D | 7.6.6 | N
FortiGate-900D | 7.6.6 | N
FortiGate-900G | 7.6.6 | N
FortiGate-901G | 7.6.6 | N

Product Family: High End
FortiGate-1000D | 7.6.6 | N
FortiGate-1000F | 7.6.6 | N
FortiGate-1001F | 7.6.6 | N
FortiGate-1100E | 7.6.6 | N
FortiGate-1101E | 7.6.6 | N
FortiGate-1200D | 7.0.19 | Y
FortiGate-1500D | 7.2.13 | Y
FortiGate-1500DT | 7.2.13 | Y
FortiGate-1800F | 7.6.6 | N
FortiGate-1801F | 7.6.6 | N
FortiGate-2000E | 7.6.6 | N
FortiGate-2200E | 7.6.6 | N
FortiGate-2201E | 7.6.6 | N
FortiGate-2500E | 7.6.6 | N
FortiGate-2600F | 7.6.6 | N
FortiGate-2601F | 7.6.6 | N
FortiGate-3000D | 7.6.6 | N
FortiGate-3000F | 7.6.6 | N
FortiGate-3001F | 7.6.6 | N
FortiGate-3100D | 7.6.6 | N
FortiGate-3200D | 7.6.6 | N
FortiGate-3200F | 7.6.6 | N
FortiGate-3201F | 7.6.6 | N
FortiGate-3300E | 7.6.6 | N
FortiGate-3301E | 7.6.6 | N
FortiGate-3400E | 7.6.6 | N
FortiGate-3401E | 7.6.6 | N
FortiGate-3500F | 7.6.6 | N
FortiGate-3501F | 7.6.6 | N
FortiGate-3600E | 7.6.6 | N
FortiGate-3601E | 7.6.6 | N
FortiGate-3700D | 7.6.6 | N
FortiGate-3700F | 7.6.6 | N
FortiGate-3701F | 7.6.6 | N
FortiGate-3800D | 7.0.19 | Y
FortiGate-3960E | 7.6.6 | N
FortiGate-3980E | 7.6.6 | N
FortiGate-4200F | 7.6.6 | N
FortiGate-4201F | 7.6.6 | N
FortiGate-4400F | 7.6.6 | N
FortiGate-4401F | 7.6.6 | N
FortiGate-4800F | 7.6.6 | N
FortiGate-4801F | 7.6.6 | N
FortiGate-5001D | 6.4.16 | Y
FortiGate-5001E | 7.6.6 | N
FortiGate-5001E1 | 7.6.6 | N

Product Family: Chassis Based FortiGate
FortiGate-6000F / 7000E / 7000F | 7.6.6 | N

Product Family: Virtual Machines
FortiGate-VM64 - all versions | 7.6.6 | N

Engineering Special Builds:

In certain cases, critical bug fixes are made available on Engineering special builds. These builds are not available on support.fortinet.com. If running into any issue specific to the environment that is not already fixed in existing releases, contact Fortinet TAC Support to investigate the issue.

Special builds are meant to be deployed for a limited time frame and customers are advised to move to the next maintenance build with their fixes as soon as it is available. Engineering special builds are fully supported by the Fortinet Advanced Support team and, in some specific instances, by Fortinet TAC Support.

Note: AC and DC models use the same firmware image.

FAQ:

What should be taken into consideration when deciding on the release to use?

Review the latest release notes to check if any known issues could impact the deployment.
Subscribe to and review relevant PSIRT notifications: https://www.fortiguard.com/rss-feeds.

What is taken into consideration for a Recommended Release?

Typically, Recommended Releases are also labeled as &#039;Mature&#039; releases.
Significant field deployment of 40,000 or more FortiGates that have installed the recommended build.
No high-severity vulnerabilities that are without mitigating steps or workarounds.

How often is the Recommended Release KB reviewed?

The Recommended Release KB article is reviewed and updated quarterly.

Why do some platforms differ in releases?

New platforms may be on an initial New Product Introduction release and will have GA builds in a staggered process after FortiOS GA has been released.
Older products may not support the latest recommended FortiOS release, and hence the recommended release will be the latest FortiOS the device can support.

How can the latest updates to this article be followed?

In the top right corner of the article, select the three-dotted menu button and select &#039;Subscribe to RSS Feed&#039;.
Or log in to the Fortinet Community account and, in the top right corner of the article, click on the three-dotted menu button and select &#039;Subscribe&#039;. An email will be received when this page is updated.

Related article:
Recommended Release for FortiManager and FortiAnalyzer.</description>
            <category>FortiGate</category>
            <pubDate>Tue, 23 Jun 2026 20:17:41 +0200</pubDate>
        </item>
                <item>
            <title>Technical Tip: Enforcing PBKDF2 as hash function for administrator accounts in FortiOS v7.2.11 and later</title>
            <link>https://community.fortinet.com/fortigate-3/technical-tip-enforcing-pbkdf2-as-hash-function-for-administrator-accounts-in-fortios-v7-2-11-and-later-220652</link>
            <description>Description

This article describes how to ensure PBKDF2 is used to hash administrator passwords after upgrading FortiOS.

Scope

FortiGate v7.2, v7.4, v7.6.

Solution

Starting from FortiOS v7.2.11, v7.4.8, and v7.6.1, the hash function used to securely store firewall administrator credentials in the configuration is updated from SHA256 to PBKDF2. When first upgrading from an earlier version, administrator passwords are still stored as SHA256 hashes until the matching administrator logs in successfully.

Notes:
In FortiOS v7.2.10, v7.4.7, v7.6.0, and earlier, the hash function is SHA256.
&#039;SH2&#039; denotes SHA256.
&#039;PB2&#039; denotes PBKDF2.

Example configuration after upgrade (FortiOS v7.2.11):

In this example, the built-in administrator &#039;admin&#039; has already logged in to the firewall successfully, so the associated credential was automatically updated.

config system admin
    edit &quot;admin&quot;    &amp;lt;----- Default admin.
        set accprofile &quot;super_admin&quot;
        set vdom &quot;root&quot;
        set password ENC PB2Ow+O8B -----snip-----    &amp;lt;----- PBKDF2.
    next
    edit &quot;test_super_admin&quot;
        set accprofile &quot;super_admin&quot;
        set vdom &quot;root&quot;
        set password ENC SH2aZtOA -----snip-----    &amp;lt;----- SHA256, same as previous firmware.
    next
    edit &quot;test_prof_admin&quot;
        set accprofile &quot;prof_admin&quot;
        set vdom &quot;root&quot;
        set password ENC SH2r7JR7v -----snip-----    &amp;lt;----- SHA256, same as previous firmware.
    next
end

To enforce a PBKDF2 hash for all administrators:

Require all administrators to log in to the firewall at least once on the updated firmware version.
Manually update the password of any remaining administrators using a super_admin account.

FortiGate # config system admin
FortiGate (admin) # edit test_super_admin
FortiGate (test_super_admin) # set password &amp;lt;new_password&amp;gt;
Please enter current administrator password: ******** &amp;lt;----- Password of logged in administrator.
FortiGate (test_super_admin) # show
config system admin
    edit &quot;test_super_admin&quot;
        set accprofile &quot;super_admin&quot;
        set vdom &quot;root&quot;
        set password ENC PB2N/Htll -----snip-----    &amp;lt;----- PBKDF2.
    next
end
FortiGate (test) # next
FortiGate (admin) # end

Note: For backwards compatibility, by default, the previous SHA256 hashes remain stored in the hidden &#039;old-password&#039; setting after the password setting is updated to a PBKDF2 hash. The &#039;old-password&#039; setting is not visible to administrators logged in to the firewall, but can be observed in a configuration backup taken by a super_admin.

config system admin
    edit &quot;admin&quot;
        set old-password ENC SH2G6rKGG -----snip-----    &amp;lt;----- SHA256.
        set accprofile &quot;super_admin&quot;
        set vdom &quot;root&quot;
        set password ENC PB2Ow+O8B -----snip-----    &amp;lt;----- PBKDF2.
    next
    ...
end

To fully remove SH2 hashes stored in old-password, enable the &#039;login-lockout-upon-weaker-encryption&#039; setting in system password-policy. A warning is shown asking the administrator to confirm the configuration change. In FortiOS v7.2.x and v7.4.x, the equivalent setting is &#039;login-lockout-upon-downgrade&#039;.

config system password-policy
    set login-lockout-upon-weaker-encryption enable
end
The setting &quot;login-lockout-upon-weaker-encryption&quot; enhances the resistance of stored passwords against brute force attacks.
Once enabled, changing the FortiOS firmware to a version where safer passwords are unsupported will lock out administrative users.
Do you want to continue? (y/n)y

Related documents:
New features or enhancements 7.2.11
Enhanced administrator password security 7.6.5
Troubleshooting Tip: Unable to login with local administrator after upgrade from FortiOS v7.2.11 to v7.4.7 and below</description>
            <category>FortiGate</category>
            <pubDate>Tue, 23 Jun 2026 18:55:34 +0200</pubDate>
        </item>
                <item>
            <title>Technical Tip: How to create Firmware Template using FortiManager API</title>
            <link>https://community.fortinet.com/fortimanager-27/technical-tip-how-to-create-firmware-template-using-fortimanager-api-225977</link>
            <description>Description

This article describes how to create Firmware Template(s) using the FortiManager JSON API.

Scope

FortiManager.

Solution

To create a Firmware Template:

{
    &quot;method&quot;: &quot;add&quot;,
    &quot;params&quot;: [
        {
            &quot;data&quot;: {
                &quot;name&quot;: &quot;Test_Firmware_Template&quot;, // Template Name
                &quot;type&quot;: &quot;fwmprof&quot;,
                &quot;description&quot;: &quot;Firmware Template&quot;,
                &quot;fwmprof setting&quot;: {
                    &quot;image-source&quot;: null,
                    &quot;schedule-day&quot;: null,
                    &quot;schedule-type&quot;: &quot;none&quot;,
                    &quot;enforced version&quot;: [
                        {
                            &quot;flags&quot;: 104,
                            &quot;product&quot;: &quot;fgt&quot;,
                            &quot;platform&quot;: &quot;FortiGate-31G&quot;,
                            // &quot;platform&quot;: &quot;FGT-Default&quot; for all FGTs.
                            &quot;version&quot;: &quot;7.4.10-b2867&quot;,
                            &quot;upgrade-path&quot;: &quot;auto&quot;
                        },
                        // Can add multiple entries to separate product/version/platform.
                        // For FSW, FAP, FEX flags will be 0.
                        {
                            &quot;flags&quot;: 0,
                            &quot;platform&quot;: &quot;FSW-Default&quot;,
                            &quot;product&quot;: &quot;fsw&quot;,
                            &quot;upgrade-path&quot;: &quot;auto&quot;,
                            &quot;version&quot;: &quot;7.6.6-b1137&quot;
                        },
                        {
                            &quot;flags&quot;: 0,
                            &quot;platform&quot;: &quot;FAP-Default&quot;,
                            &quot;product&quot;: &quot;fap&quot;,
                            &quot;upgrade-path&quot;: &quot;auto&quot;,
                            &quot;version&quot;: &quot;7.6.4-b1078&quot;
                        },
                        {
                            &quot;flags&quot;: 0,
                            &quot;platform&quot;: &quot;FXT-Default&quot;,
                            &quot;product&quot;: &quot;fex&quot;,
                            // &quot;product&quot;: &quot;fem&quot; --&amp;gt; for FortiExtender-Modem.
                            &quot;upgrade-path&quot;: &quot;auto&quot;,
                            &quot;version&quot;: &quot;7.6.4-b0478&quot;
                        }
                    ]
                }
            },
            &quot;url&quot;: &quot;pm/fwmprof/adom/{{ADOM}}&quot;
        }
    ],
    &quot;id&quot;: &quot;1&quot;,
    &quot;session&quot;: &quot;{{session}}&quot;
}

The &#039;flags&#039; key is used to set Upgrade Options.

The default &#039;flags&#039; value is set to 104, meaning &#039;Only upgrade FortiGate Clusters with all members up&#039;, &#039;Skip FortiGate Disk Check&#039;, and &#039;Skip FortiGate Auto Scan Disk&#039; are enabled. It is not required for FortiSwitch, FortiAP, and FortiExtender firmware template entries.

The bitmap values for flags are as follows:

Boot from alternate partition after upgrade = 1.
Only upgrade FortiGate Clusters with all members up = 8.
Skip FortiGate Disk Check = 32.
Skip FortiGate Auto Scan Disk = 64.

To enable &#039;Let Device Download Firmware From FortiGuard&#039;, set:

&quot;image-source&quot;: &quot;fds&quot;

To skip intermediate steps in the upgrade path (not recommended), set:

&quot;upgrade-path&quot;: &quot;skip&quot;

To schedule the Firmware template:

For schedule once:

&quot;schedule-day&quot;: null,
&quot;schedule-end-time&quot;: &quot;2026-03-19 14:08&quot;,
&quot;schedule-start-time&quot;: &quot;2026-03-19 14:08&quot;,
&quot;schedule-type&quot;: &quot;once&quot;

Daily Schedule:

&quot;schedule-day&quot;: null,
&quot;schedule-end-time&quot;: &quot;14:08&quot;,
&quot;schedule-start-time&quot;: &quot;14:08&quot;,
&quot;schedule-type&quot;: &quot;daily&quot;

Weekly Schedule:

&quot;schedule-day&quot;: [
    &quot;sunday&quot;,
    &quot;monday&quot;,
    &quot;tuesday&quot;,
    &quot;wednesday&quot;
],
&quot;schedule-end-time&quot;: &quot;14:08&quot;,
&quot;schedule-start-time&quot;: &quot;14:08&quot;,
&quot;schedule-type&quot;: &quot;weekly&quot;

Related documents:
Technical Tip: Using FortiManager API
Fortinet Development Network (FNDN) - FortiManager
Technical Tip: How to create IPsec Template and assign to a device using JSON API
Technical Tip: How to create a CLI Template and Pre-Run CLI Template using JSON API
Technical Tip: How to create SD-WAN Template and assign to a device using JSON API
Technical Tip: How to create and delete SD-WAN Overlay Template using FortiManager API</description>
            <category>FortiManager</category>
            <pubDate>Tue, 23 Jun 2026 18:46:46 +0200</pubDate>
        </item>
                <item>
            <title>Technical Tip: Required tools to restore firmware and configuration after an RMA</title>
            <link>https://community.fortinet.com/fortigate-3/technical-tip-required-tools-to-restore-firmware-and-configuration-after-an-rma-141963</link>
            <description>Description

This article describes the required tools for restoring firmware and configuration to numerous Fortinet products after an RMA.

Scope

FortiGate, FortiMail, FortiSandbox, FortiSwitch.

Solution

Below are the tools required for this operation.

Console Cable.

A serial console cable and possibly a USB/Serial adapter are required. This will connect the technician&#039;s computer to the FortiGate console port.

RJ45 Cable.

An RJ45 cable is required. It will connect the technician&#039;s computer to the FortiGate Ethernet management port.

Terminal emulator client.

A terminal emulator client is required. PuTTY is a well-known client and is a good fit for the job. Download it from the official website by selecting &#039;Download PuTTY&#039; and choosing &#039;putty.exe&#039;.

The above image shows the default view after opening PuTTY. The default connection mode is SSH. The IP must be entered in the &#039;Host Name (or IP address)&#039; field. Afterwards, select &#039;Open&#039; to start the session.

For console serial access, the COM port number is required. To find out the COM port number on Windows OS, perform the following steps:

Windows Key + R.
Enter &#039;devmgmt.msc&#039; then select &#039;OK&#039;.
Scroll to the section &#039;Ports (COM &amp;amp; LPT)&#039;.
Retrieve the COM port number. It is 3 in this example.

Once the COM port number is known, select &#039;Serial&#039; and then change the &#039;Serial line&#039; value if necessary to the value found previously. Run the connection by selecting &#039;Open&#039;. Connection speed should not be changed, as 9600 is the appropriate value to access the FortiGate console. For FortiSwitch, the Speed is 115200.

Console output can be saved in a text file if required. It is usually recommended to have a backup of the operation as a text file.

To do so, right-click on the title bar and select &#039;Change Settings&#039;. Go to logging and then select &#039;All session output&#039; and the target file.

TFTP server setup.

If a firmware upgrade is required for the operation, the technician should have a TFTP server ready to serve a firmware image to the FortiGate.

The Tftpd64 application will accomplish this. To download the application, go to the GitHub page and select &#039;Download page&#039;. Choose either &#039;tftpd64…exe&#039; or &#039;tftpd32…exe&#039; and install it.

After that, create the &#039;C:\temp\images&#039; directory and &#039;Browse&#039; in the application to select the new directory. This will be the root directory of the TFTP server.

All images and configurations that should be uploaded to the FortiGate should be in the TFTP root directory folder.

Related article:
Technical Tip: Formatting and loading FortiGate firmware image using TFTP</description>
            <category>FortiGate</category>
            <pubDate>Tue, 23 Jun 2026 18:43:24 +0200</pubDate>
        </item>
                <item>
            <title>Because user checked box &quot;remember password&quot;, now will not connect nor ask for DUO authentication</title>
            <link>https://community.fortinet.com/support-forum-92/because-user-checked-box-remember-password-now-will-not-connect-nor-ask-for-duo-authentication-228480</link>
            <description>We have tried uninstalling the program and running the FCCleanuninstall program, rebooted after each step, ran installer: still will not ask for user’s credentials nor DUO authentication</description>
            <category>Support Forum</category>
            <pubDate>Tue, 23 Jun 2026 17:52:56 +0200</pubDate>
        </item>
                <item>
            <title>Troubleshooting Tip: Issues when using Discord voice channels through FortiGate</title>
            <link>https://community.fortinet.com/fortigate-3/troubleshooting-tip-issues-when-using-discord-voice-channels-through-fortigate-225768</link>
            <description>Description

This article describes a scenario in which Discord is operational and its categories are allowed in both WebFilter and Application Control. The traffic is consistently logged as allowed in both the traffic forward logs and security logs. However, when joining any voice channel on Discord, no audio can be heard.

Scope

FortiGate.

Solution

Discord services use Cloudflare CDNs, especially for audio resources.

For this reason, it is recommended to create a rule above the authentication rules allowing access to Cloudflare via ISDB.

This ensures that all traffic related to Discord voice channels matches this rule first.

Below is an example of the correct way to create the rule:</description>
            <category>FortiGate</category>
            <pubDate>Tue, 23 Jun 2026 17:31:23 +0200</pubDate>
        </item>
                <item>
            <title>Troubleshooting Tip: HTTPS GUI access fails on FortiGate v7.6.5 while SSH remains accessible</title>
            <link>https://community.fortinet.com/fortigate-3/troubleshooting-tip-https-gui-access-fails-on-fortigate-v7-6-5-while-ssh-remains-accessible-224114</link>
            <description>Description

This article describes an issue where GUI access to a FortiGate running v7.6.5 is lost without any configuration changes. However, SSH access to the device continues to function normally.

Scope

FortiGate v7.6.5.

Solution

Administrators may be unable to access the GUI using either the internal or external IP address of the FortiGate. However, SSH access works as expected.

The issue occurs without any configuration changes. The same behavior is observed when using different certificates, including:

Fortinet_Factory.
Fortinet_GUI_Server.
Self-sign.

Changing the HTTPS management port does not resolve the issue.

The following crashes may be observed in the &#039;diagnose debug crashlog read&#039; output.

1212: 2026-01-13 11:11:53 &amp;lt;00233&amp;gt; Node.JS restarted: (unhandled rejection)
1213: 2026-01-13 11:11:53 &amp;lt;00233&amp;gt; &quot;Failed to get token.&quot;
1214: 2026-01-13 11:11:53 &amp;lt;00233&amp;gt;
1215: 2026-01-13 11:11:53 &amp;lt;00233&amp;gt; Node.JS restarted: (unhandled rejection)
1216: 2026-01-13 11:11:53 &amp;lt;00233&amp;gt; &quot;Failed to get token.&quot;
1217: 2026-01-13 11:11:53 &amp;lt;00233&amp;gt;
1218: 2026-01-13 11:11:53 &amp;lt;00233&amp;gt; Node.JS restarted: (unhandled rejection)
1219: 2026-01-13 11:11:53 &amp;lt;00233&amp;gt; &quot;Failed to get token.&quot;
1220: 2026-01-13 11:11:53 &amp;lt;00233&amp;gt;
1221: 2026-01-13 11:11:53 &amp;lt;00233&amp;gt; Node.JS restarted: (unhandled rejection)
1222: 2026-01-13 11:11:53 &amp;lt;00233&amp;gt; &quot;Failed to get token.&quot;

No output is seen in the httpsd debug output of &#039;diagnose debug application httpsd -1&#039; when attempting to access the GUI of the FortiGate.

Restarting the httpsd process does not resolve the issue.

fnsysctl killall httpsd

CPU and memory utilization is normal on the FortiGate.

get sys performance status

No local-in policies are configured that would block GUI access.

config firewall local-in-policy
show full

Starting from FortiOS v7.6.4, a new internal daemon called http_authd has been introduced. This daemon centralizes the administrative web authentication and authorization functions required by web service processes.

After upgrading to FortiOS v7.6.4, administrators may notice a new process named http_authd appearing in system process listings, such as diagnose sys top or fnsysctl ps.

For troubleshooting administrator web login issues in v7.6.4 and later, the following debug commands can be used to view authentication-related logs:

diagnose debug reset
diagnose debug console timestamp enable
diagnose debug application http_authd -1
diagnose debug enable

To stop debugging, run the following commands:

diagnose debug disable
diagnose debug reset

Packet capture confirms that the FortiGate receives the TCP SYN packet for GUI access, but the FortiGate immediately responds with a TCP RST. It is also observed that a TCP socket was not opened for the httpsd process.

5.587905 mgmt in 172.29.126.87.49777 -&amp;gt; 172.29.200.231.44445: syn 589825187
5.587990 mgmt out 172.29.200.231.44445 -&amp;gt; 172.29.126.87.49777: rst 0 ack 589825188

diagnose sys tcpsock | grep httpsd

This behavior indicates that the TCP socket for the httpsd process is not successfully opened, resulting in the connection being reset by the FortiGate.

This issue has been resolved in:

v7.6.7 (scheduled to be released in April 2026).
v8.0.0 (scheduled to be released in March 2026).

These timelines for firmware release are estimated and may be subject to change.

Workaround:

It is recommended to first attempt clearing the administrative sessions. If the issue persists, reboot the FortiGate to restore the GUI access or upgrade the firmware to fixed versions via the CLI.

Upgrading the firmware via the CLI: Technical Tip: How to upgrade FortiGate firmware (specifically, see the &#039;Upgrading the firmware through the CLI&#039; section).
Technical Tip: Multiple ways to list and disconnect administrators logged in to a FortiGate</description>
            <category>FortiGate</category>
            <pubDate>Tue, 23 Jun 2026 16:53:32 +0200</pubDate>
        </item>
                <item>
            <title>Technical Tip: Steps to convert backup file from FortiDDoS 400B to 200F</title>
            <link>https://community.fortinet.com/fortiddos-15/technical-tip-steps-to-convert-backup-file-from-fortiddos-400b-to-200f-228477</link>
            <description>Description
This article describes the steps to follow when converting a backup file between different FortiDDoS hardware models.
Scope
FortiDDoS F and FortiDDoS B models.
Solution
There is no supported tool to automatically convert a FortiDDoS 400B configuration backup to a FortiDDoS 200F backup. Since these are different hardware generations (B-series and F-series), a direct restore is generally not supported.
Option 1 (recommended): Reconfigure the new FortiDDoS appliance from scratch and manually recreate the configuration.
Option 2 (best effort): Open a TAC case and provide the following:
Phase 1: Converting a backup file.
Both FortiDDoS backups. The TAC team can review the files and attempt a configuration conversion on a best-effort basis using a CLI script, as migrations between different FortiDDoS models and serial numbers are not guaranteed to be fully supported and may require manual adjustments.
Attach the current cabling topology of the existing FortiDDoS to the case while it is still in production, including the interconnections of each SPP with the ISP Internet links and the LAN segments. This information will facilitate the migration and help ensure the new FortiDDoS is deployed with the same traffic flow and connectivity design.
Document the following parameters before migration (physical cabling and interface assignments) on both FortiDDoS systems:
Management port (subnet/mask).
Default Gateway.
DNS server(s).
NTP server(s).
SPP settings (ISP and LAN connectivity mapping).
Services protected behind each SPP.
The feature configuration on the FortiDDoS-F platform differs significantly from the FortiDDoS-B series. Therefore, new feature profiles will need to be created and tuned for each SPP rather than reusing the existing B-series configuration.
Phase 2: FortiDDoS tuning.
Learning phase: allow at least one week.
Configuration and tuning:
Review and tune the feature profiles for each SPP.
Configure and adjust thresholds in Detection Mode.
False positive review:
Review logs and monitor for false-positive drops for several days.
Adjust feature profiles and thresholds as needed.
Enable Prevention Mode and monitor traffic behavior.</description>
            <category>FortiDDoS</category>
            <pubDate>Tue, 23 Jun 2026 16:47:55 +0200</pubDate>
        </item>
                <item>
            <title>Troubleshooting Tip: ACME certificate auto renewal fails with an error &#039;Unable to retrieve certificate chain&#039;</title>
            <link>https://community.fortinet.com/fortigate-3/troubleshooting-tip-acme-certificate-auto-renewal-fails-with-an-error-unable-to-retrieve-certificate-chain-228475</link>
            <description>Description
This article describes a known issue with renewing ACME certificates on FortiOS, and a workaround for it.
Scope
FortiOS versions starting from v7.4.9, FortiOS v7.6 GA.
Solution
The following errors may be encountered while renewing an ACME certificate on FortiGate:
GUI: &#039;Unable to create certificate&#039;.
CLI: &#039;Unable to retrieve certificate chain&#039;.
CLI: &#039;Too many failed authorizations&#039;.
The issue is triggered by a conflicting ike-tcp-port configured as port 443 together with a udp-fallback-tcp setting applied on the phase1-interface.
The following workarounds are available to renew the certificate:
Preferred: Set &#039;ike-tcp-port&#039; to a port other than 443, or set transport udp in phase1-interface. This allows the ACME client to serve tls-alpn-01 challenges on port 443. Refer to Technical Tip: How to use TCP as transport for IKE/IPsec traffic.
If the preferred option is not possible: Enable speedtest-server on port 443:
config system global
    set speedtest-server enable
    set speedtestd_ctrl_port 443
end
Make sure no interface is configured with &#039;set allowaccess speed-test&#039;.
Execute these commands to restart the ACME service:
diagnose sys acme regenerate-client-config
diagnose sys acme restart
Related document: Automatically provision a certificate</description>
            <category>FortiGate</category>
            <pubDate>Tue, 23 Jun 2026 16:07:29 +0200</pubDate>
        </item>
                <item>
            <title>Technical Tip: Explaining the difference between FortiAppSec platform and region</title>
            <link>https://community.fortinet.com/fortiappsec-cloud-60/technical-tip-explaining-the-difference-between-fortiappsec-platform-and-region-228474</link>
            <description>Description
This article describes the difference between Platform and Region.
Scope
FortiAppSec Cloud.
Solution
When onboarding, an application admin will have the option to onboard the application to Azure/AWS/GCP so that the application will be onboarded to any of these platforms.
Once the platform is chosen and the application is onboarded, the admin cannot change the platform again.
In the event of a situation where the admin needs to switch the platform, the only option is to delete the application and re-onboard the application with the required platform.
However, when onboarding the application, the admin selects the region for the Scrubbing Center, which can still be changed even after onboarding the application.
If, for example, the admin chooses the Frankfurt region when onboarding the application, then later, it is required to change the region to the Netherlands: the region can be changed without deleting the application.</description>
            <category>FortiAppSec Cloud</category>
            <pubDate>Tue, 23 Jun 2026 16:01:49 +0200</pubDate>
        </item>
                <item>
            <title>Troubleshooting Tip: Resolving API gateway issue with JWT authentication on FortiWeb</title>
            <link>https://community.fortinet.com/fortiweb-40/troubleshooting-tip-resolving-api-gateway-issue-with-jwt-authentication-on-fortiweb-228472</link>
            <description>Description
This article describes how to troubleshoot a FortiWeb API Gateway JWT authentication failure where FortiWeb is unable to extract or parse the JWT from the HTTP request.
Scope
FortiWeb.
Solution
The issue may appear with errors similar to the following:
API gateway: cannot get api key
Or:
JWT header parse failed
failed to parse JSON data: unexpected character
API Key verification failed
Action: DENY
The issue can be triggered when the Verification Mode under the API rule is set to API Key Verification, while the API user is set to JWT.
The issue can be fixed by disabling the API key verification and switching to JWT public key under the API Gateway Rule:
config waf api-rules
    edit &quot;JWT Verification&quot;
        set api-key-verification disable
        set verification-mode jwt-public-key
        set jwt-public-key &amp;lt;PEM_encoded_public_key&amp;gt;
If the issue still persists, consider upgrading to the latest version of FortiWeb, as newer releases include multiple Azure OAuth/JWT enhancements and compatibility improvements.
The following commands can be used to debug the API Gateway module:
diagnose debug reset
diagnose debug flow filter module-detail api-gateway 7
diagnose debug flow trace start
diagnose debug timestamp enable
diagnose debug enable</description>
            <category>FortiWeb</category>
            <pubDate>Tue, 23 Jun 2026 15:04:16 +0200</pubDate>
        </item>
                <item>
            <title>Troubleshooting Tip: MacOS IKEv2 Dial-up VPN fails with &#039;Peer Certificate is Invalid&#039;</title>
            <link>https://community.fortinet.com/fortigate-3/troubleshooting-tip-macos-ikev2-dial-up-vpn-fails-with-peer-certificate-is-invalid-227693</link>
            <description>Description
This article describes an issue with connecting to IPsec Dial-up VPN using a macOS FortiClient.
Scope
FortiGate v7.4.
FortiClient macOS.
Solution
When using FortiClient macOS to connect to an IPsec Dial-up VPN using IKEv2 with certificate authentication, the error &#039;Peer Certificate is Invalid&#039; is observed. The same configuration works with FortiClient on Windows OS, Android, and iOS phones.
The following article discusses the recommended configuration for certificate authentication for IPsec IKEv2: Technical Tip: Certificate authentication for FortiClient remote access dialup IPsec clients with SAML user authentication.
The dial-up VPN configuration is as follows:
config vpn ipsec phase1-interface
    edit &quot;VPN&quot;
        set type dynamic
        set interface &quot;x1&quot;
        set ike-version 2
        set authmethod signature
        set peertype peergrp
        set net-device disable
        set mode-cfg enable
        set proposal aes256-sha256
        set dpd on-idle
        set dhgrp 14
        set eap enable
        set eap-identity send-request
        set eap-cert-auth enable
        set certificate &quot;test.com.ca&quot;
        set peergrp &quot;USER-VPN&quot;
        set ipv4-start-ip 192.168.250.150
        set ipv4-end-ip 192.168.250.250
        set ipv4-netmask 255.255.255.0
        set dns-mode auto
        set ipv4-split-include &quot;Internal&quot;
        set dpd-retryinterval 60
    next
end

config vpn ipsec phase2-interface
    edit &quot;BOD_VPN&quot;
        set phase1name &quot;VPN&quot;
        set proposal aes256-sha256
        set dhgrp 14
    next
end
When collecting the debugs, the error &#039;unexpected payload type 41&#039; is observed.
Diagnose commands:
diagnose debug application ike -1
diagnose debug enable
Output:
ike V=root:0:BOD_VPN:472031: sent IKE msg (AUTH_RESPONSE): 103.199.6.2:4500-&amp;gt;103.108.136.10:62140, len=206, vrf=0, id=866e7f95868e762f/4bd5ee6f963d1932:00000001, oif=25
ike V=root:0: comes 103.108.136.10:62140-&amp;gt;103.199.6.2:4500,ifindex=25,vrf=0,len=84....
ike V=root:0: IKEv2 exchange=INFORMATIONAL id=866e7f95868e762f/4bd5ee6f963d1932:00000002 len=80
ike 0: in :hash omitted]
ike 0:BOD_VPN:472031: dec  hash omitted]
ike V=root:0:BOD_VPN:472031: responder received EAP msg
ike V=root:0:BOD_VPN:472031: unexpected payload type 41
ike V=root:0:BOD_VPN:472031: schedule delete of IKE SA 866e7f95868e762f/4bd5ee6f963d1932
The same debug outputs can be exported from FortiClient. Refer to Technical Tip: How to generate and export Debug logs from various platforms running with FortiClient and FortiClient EMS. Locate the folder named &#039;iked&#039; logs.
0x68e4 Default 0x0 2081 0 iked: [com.fortinet.forticlient:IPSec] ca_setauth: auth length 663
0x68e4 Default 0x0 2081 0 iked: [com.fortinet.forticlient:IPSec] sa_stateok: SA_INIT flags 0x0000, require 0x0009 cert,auth
0x68e4 Default 0x0 2081 0 iked: [com.fortinet.forticlient:IPSec] config_free_proposals: free 0x104e19870
0x68e1 Default 0x0 2079 0 iked: [com.fortinet.forticlient:IPSec] ca_getreq: found CA /DC=test/DC=com/DC=test/CN=test
0x68e1 Default 0x0 2079 0 iked: [com.fortinet.forticlient:IPSec] ca_cert_local: certificate key mismatch
0x68e1 Default 0x0 2079 0 iked: [com.fortinet.forticlient:IPSec] spi=0x5b76dd3aafc1ee78: ca_getreq: found cert with matching ID but without matching key.
0x68e1 Default 0x0 2079 0 iked: [com.fortinet.forticlient:IPSec] ca_getreq: found local certificate &amp;lt;certificate name&amp;gt;
0x68e4 Default 0x0 2081 0 iked: [com.fortinet.forticlient:IPSec] ikev2_pld_auth: method RSA_SIG length 256
0x68e4 Default 0x0 2081 0 iked: [com.fortinet.forticlient:IPSec] ikev2_pld_payloads: decrypted payload EAP nextpayload NONE critical 0x00 length 9
0x68e4 Default 0x0 2081 0 iked: [com.fortinet.forticlient:IPSec] spi=0x5b76dd3aafc1ee78: ikev2_pld_eap: REQUEST id 19 length 5 EAP-IDENTITY
0x68e4 Default 0x0 2081 0 iked: [com.fortinet.forticlient:IPSec] spi=0x5b76dd3aafc1ee78: sa_state: SA_INIT -&amp;gt; AUTH_REQUEST
0x68e4 Default 0x0 2081 0 iked: [com.fortinet.forticlient:IPSec] policy_lookup: peerid &#039;/CN=*.test.com.ca&#039;
0x68e4 Default 0x0 2081 0 iked: [com.fortinet.forticlient:IPSec] proposals_negotiate: score 4
0x68e4 Default 0x0 2081 0 iked: [com.fortinet.forticlient:IPSec] policy_lookup: setting policy &#039;vpn&#039;
0x68e4 Default 0x0 2081 0 iked: [com.fortinet.forticlient:IPSec] ikev2_ike_auth: awaiting response from CA process
0x68e1 Default 0x0 2079 0 iked: [com.fortinet.forticlient:IPSec] ca_validate_pubkey: unsupported public key type ASN1_DN
0x68e1 Default 0x0 2079 0 iked: [com.fortinet.forticlient:IPSec] ca_validate_cert: /CN=*.test.com.ca unable to get local issuer certificate
0x68e4 Default 0x0 2081 0 iked: [com.fortinet.forticlient:IPSec] ikev2_getimsgdata: imsg 25 rspi 0x1d92ec273c838fb2 ispi 0x5b76dd3aafc1ee78 initiator 1 sa valid type 4 data length 1627
0x68e4 Default 0x0 2081 0 iked: [com.fortinet.forticlient:IPSec] spi=0x5b76dd3aafc1ee78: ikev2_dispatch_cert: peer certificate is invalid
0x68e4 Default 0x0 2081 0 iked: [com.fortinet.forticlient:IPSec] FCT send error. server addr: 103.199.6.2, error code: -304
Workaround:
Ensure the root CA certificate and any intermediate CA certificates are imported to the local user machine.
Upgrade to FortiOS v7.6.2. This FortiOS version works with FortiClient macOS.</description>
            <category>FortiGate</category>
            <pubDate>Tue, 23 Jun 2026 14:38:28 +0200</pubDate>
        </item>
                <item>
            <title>Enable/disable ZTNA destinations</title>
            <link>https://community.fortinet.com/support-forum-92/enable-disable-ztna-destinations-219444</link>
            <description>Hi EMS admins,
Both EMS and FCT are 7.4.4.
On FortiClient, ZTNA Destinations tab, I noticed there is a button to disable/enable ZTNA.
I couldn&#039;t find a way to remove this button. I thought this should be doable from EMS on the ZTNA profile but didn&#039;t find such a feature.
The other problem is that ZTNA is disabled by default on FCT, and the user has to enable it by clicking the button in order for it to work. My requirement is to enable it by default and remove the button. This is because many users are not familiar with FCT and we try to make your experience as simple as possible.
Any idea if this is doable and how to do it?</description>
            <category>Support Forum</category>
            <pubDate>Tue, 23 Jun 2026 13:46:16 +0200</pubDate>
        </item>
                <item>
            <title>Technical Tip: Resolving Content update failed on importing default dashboard error</title>
            <link>https://community.fortinet.com/fortisiem-34/technical-tip-resolving-content-update-failed-on-importing-default-dashboard-error-227872</link>
            <description>Description
This article describes how to resolve the issue where FortiSIEM content update fails while importing the default dashboard XML file.
Scope
FortiSIEM.
Solution
During content update, the following error may be observed:
ImportingXMLfile:/opt/phoenix/cache/content/data/phoenix/data-definition/DefaultH5Dashboards.xml
Check the error in the app server logs, which should look like the following:
java.lang.Exception: Http response error code : 500, error msg: &amp;lt;?xjml version=&quot;1.0&quot; encoding=&quot;UTF-8&quot; standalone=&quot;yes&quot;?&amp;gt; &amp;lt;response requestId=&quot;0&quot; timestamp=&quot;1771331409580&quot;&amp;gt; &amp;lt;error code=&quot;255&quot;&amp;gt; &amp;lt;description&amp;gt;Unknown error&amp;lt;/description&amp;gt; &amp;lt;/error&amp;gt; &amp;lt;/response&amp;gt;
 at com.ph.phoenix.tool.cmd.CommandHelper.validationResponse(CommandHelper.java:9)
 at com.ph.phoenix.tool.cmd.ConfigXmlImportCommand.importFile(ConfigXmlImportCommand.java:129)
 at com.ph.phoenix.tool.cmd.ConfigXmlImportCommand.importData(ConfigXmlImportCommand.java:81)
 at com.ph.phoenix.tool.cmd.ConfigXmlImportCommand.executeCommand(ConfigXmlImportCommand.java:57)
 at com.ph.phoenix.tool.cmd.AbstractCommand.execute(AbstractCommand.java:89)
 at com.ph.phoenix.tool.PhoenixCLI.main(PhoenixCLI.java:46)
The issue was resolved using the following steps:
Delete from ph_dashboard.
Reimport the dashboard:
# cd /opt/phoenix/data-definition/
# /opt/phoenix/deployment/phoenixCLI.sh import -host localhost -port 8181 -cust system -user admin -pass $(phLicenseTool --showDatabasePassword) -type H5Dashboard -file &quot;DefaultH5Dashboards.xml&quot;
# /opt/phoenix/deployment/importSD.sh localhost 5432 phoenixdb phoenix $(phLicenseTool --showDatabasePassword) INITDATA
From GUI: Rerun the content update successfully.</description>
            <category>FortiSIEM</category>
            <pubDate>Tue, 23 Jun 2026 13:13:15 +0200</pubDate>
        </item>
                <item>
            <title>FortiNAC-F Compatibility with Aruba, TP-Link, Sophos, and UniFi Devices</title>
            <link>https://community.fortinet.com/support-forum-92/fortinac-f-compatibility-with-aruba-tp-link-sophos-and-unifi-devices-228470</link>
            <description>Hello everyone,
Can anyone confirm whether FortiNAC-F fully supports (or has been successfully integrated) with the following:
Aruba 1930 switches
TP-Link TL-SG1016PE switches
Sophos AP55C access points
UniFi U6 Mesh Pro access points
Specifically, I’m interested in understanding:
Level of support (CLI/SNMP/API… etc)
Visibility and control capabilities (profiling, enforcement, VLAN assignment, etc.)
Any known limitations or required workarounds
Thanks in advance.</description>
            <category>Support Forum</category>
            <pubDate>Tue, 23 Jun 2026 12:58:57 +0200</pubDate>
        </item>
                <item>
            <title>Content Update Default Dashboard</title>
            <link>https://community.fortinet.com/fortisiem-216/content-update-default-dashboard-228467</link>
            <description>Hello, I have the same problem as here. But I have a question:
How to do step 1: Delete from ph_dashboard?
Also, how to make sure this process will not affect the operation of FortiSIEM?</description>
            <category>FortiSIEM</category>
            <pubDate>Tue, 23 Jun 2026 12:14:22 +0200</pubDate>
        </item>
                <item>
            <title>Apache service keeps stopping when running phxctl reboot</title>
            <link>https://community.fortinet.com/fortisiem-216/apache-service-keeps-stopping-when-running-phxctl-reboot-228451</link>
            <description>Hello, I notice that the Apache service keeps stopping when running phxctl reboot or phxctl stop, like above, and this does not stop at all unless pressing CTRL + C.
What is causing this problem?</description>
            <category>FortiSIEM</category>
            <pubDate>Tue, 23 Jun 2026 12:08:08 +0200</pubDate>
        </item>
                <item>
            <title>Troubleshooting Tip: Web application that is still blocked after whitelisting</title>
            <link>https://community.fortinet.com/forticlient-4/troubleshooting-tip-web-application-that-is-still-blocked-after-whitelisting-228464</link>
            <description>Description
This article describes the steps to troubleshoot instances where a web application remains inaccessible despite being previously whitelisted.
Scope
FortiClient EMS.
Solution
Verify that the web application is correctly included in the allowed list within the web filter profile.
Check for FortiClient notifications on the endpoint indicating the application is blocked.
Review firewall events to identify the specific block logs.
Determine if the application is being blocked because its category (e.g., Storage Backup) is restricted in the firewall profile. To resolve this, configure an application override to allow the traffic.</description>
            <category>FortiClient</category>
            <pubDate>Tue, 23 Jun 2026 10:30:13 +0200</pubDate>
        </item>
                <item>
            <title>Troubleshooting Tip: FortiClient stuck on register to EMS server during invitation authentication</title>
            <link>https://community.fortinet.com/forticlient-4/troubleshooting-tip-forticlient-stuck-on-register-to-ems-server-during-invitation-authentication-228463</link>
            <description>Description
This article describes steps to resolve an issue where the FortiClient Zero Trust Telemetry remains stuck on the &#039;Connecting to EMS&#039; loading screen without prompting for user credentials.
Scope
FortiClient EMS v7.0, v7.2, and v7.4 onwards.
Solution
Upon entering the invitation code, the application remains stuck on the &#039;Connecting to EMS&#039; screen without prompting for user credentials.
Troubleshooting steps:
Install a SAML tracer browser extension (e.g., SAML Tracer).
Initiate the connection and capture the SAML request in the browser to identify the identity being passed to the EMS.
Review the captured SAML request to ensure the correct user account is being sent to the EMS.
Clear the browser&#039;s cache and cookies.
Restart the FortiClient invitation process. When prompted, make sure to sign in with the correct user credentials.</description>
            <category>FortiClient</category>
            <pubDate>Tue, 23 Jun 2026 10:23:36 +0200</pubDate>
        </item>
                <item>
            <title>Technical Tip: Firewall SSH local-key host-key are not syncing over HA for G series FortiGate on FortiOS version 7.4</title>
            <link>https://community.fortinet.com/fortigate-3/technical-tip-firewall-ssh-local-key-host-key-are-not-syncing-over-ha-for-g-series-fortigate-on-fortios-version-7-4-228462</link>
            <description>Description
This article demonstrates the behavior of configuring an SSH host-key or local-key on a G series FortiGate HA cluster running firmware version 7.4. When this is configured on a G-series FortiGate HA cluster running firmware version 7.4, the host/local-key does not get synced over HA. This is fixed in FortiOS version 7.6.5 onwards.
Scope
FortiGate G series on firmware version 7.4.
Solution
HA is initially in-sync:
Configure ‘firewall ssh host-key’. This is an example host-key that can be configured to test this.
config firewall ssh host-key
    edit &quot;test&quot;
        set type ECDSA
        set nid 384
        set ip 10.191.1.231
        set public-key &quot;AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBH7XZSU8K/xnXxkFoT7/TqY56E2q6CfZLY+zArVImvAnnB6HW9gbHh+jpIFNvi/uDNLGDz/oVAMw8lHA5EGCBsIgK9A+erhb633LorfePonfRe9W4rUSNlzp48gIiGybCg==&quot;
    next
end
After configuring the SSH host-key (the same behavior is seen on local-key), the HA goes out-of-sync:
On the FortiGate GUI, System -&amp;gt; HA, the HA is out-of-sync. After hovering the mouse over the ‘Not Synchronized’ text, the respective object that caused the HA to go out-of-sync can be seen:
Verifying this in the CLI, the ‘firewall ssh host-key’ configuration on the secondary firewall is not present and did not sync over HA:
This is a known issue that happens on FortiGate G series firewalls running the version 7.4 firmware. This issue is not seen on FortiGate G series running FortiOS firmware version 7.6.6.
Workaround:
Manually configure the ‘firewall ssh host/local-key’ on the secondary firewall in the HA cluster.</description>
            <category>FortiGate</category>
            <pubDate>Tue, 23 Jun 2026 10:14:27 +0200</pubDate>
        </item>
                <item>
            <title>FortiGate Issue - Virtual Server - 504 Gateway Timeout with firmware 7.6.5 and 7.6.6</title>
            <link>https://community.fortinet.com/support-forum-92/fortigate-issue-virtual-server-504-gateway-timeout-with-firmware-7-6-5-and-7-6-6-222794</link>
            <description>Hello everyone,
Recently I’ve encountered issues with FortiOS 7.6.5 and 7.6.6.
We are running an on‑premises Exchange Server with access via OWA/ECP.
Instead of a regular VIP, we publish this using a Virtual Server (load balancer) on the FortiGate.
No ZTNA, FortiProxy, Endpoint Management, just a FortiGate with access to Exchange.
The setup is straightforward: HTTPS on port 443, a public record, a wildcard certificate, and a mapping to the real server.
With FortiOS 7.6.4 everything works correctly and OWA/ECP loads as expected.
However, after upgrading to 7.6.5 or 7.6.6, opening the OWA page immediately results in:
504 Gateway Timeout: remote server did not respond to the proxy.
No changes have been made to the Exchange Server configuration — only the FortiGate firmware upgrade.
Rolling back to 7.6.4 resolves the issue, but we would prefer to stay on the latest version.
Has anyone experienced this, or does someone have an idea what might cause it?
Best regards,
Tim</description>
            <category>Support Forum</category>
            <pubDate>Tue, 23 Jun 2026 10:08:34 +0200</pubDate>
        </item>
                <item>
            <title>Troubleshooting Tip: How to resolve &#039;error code 2711&#039; when upgrading FortiClient</title>
            <link>https://community.fortinet.com/forticlient-4/troubleshooting-tip-how-to-resolve-error-code-2711-when-upgrading-forticlient-228461</link>
            <description>Description
This article describes an issue that occurs when upgrading FortiClient on a Windows machine and receiving the error code 2711.
Scope
FortiClient.
Solution
Attempting to upgrade FortiClient on Windows 11 laptops fails.
After checking the FortiClient installation log, the following error shows up:
MSI (s) (58:6C) [11:15:22:477]: Transforming table Error.
MSI (s) (58:6C) [11:15:22:478]: Product: FortiClient -- The installer has encountered an unexpected error installing this package. This may indicate a problem with this package. The error code is 2711. The arguments are: Feature_FtdataScan,
This is caused by the user having enabled either the &#039;Privileged Access Agent&#039; or &#039;Data Protection&#039; module when creating the upgrade package, while these modules were not enabled during the initial deployment.
Once a new upgrade package is created without either module enabled, the installation completes successfully.</description>
            <category>FortiClient</category>
            <pubDate>Tue, 23 Jun 2026 10:00:40 +0200</pubDate>
        </item>
                <item>
            <title>Technical Note: Potential cause of HTTPS POST TLS 1.3 connection failures through Web Application Firewall (WAF) profile in FortiGate</title>
            <link>https://community.fortinet.com/fortigate-3/technical-note-potential-cause-of-https-post-tls-1-3-connection-failures-through-web-application-firewall-waf-profile-in-fortigate-228460</link>
            <description>Description
This article describes a scenario in which an HTTPS POST request using TLS 1.3 to a web server behind a FortiGate may fail due to the handling of the &#039;HTTP/1.1 Expect: 100-continue&#039; mechanism when both Web Application Firewall (WAF) and SSL Deep Inspection are enabled.
Scope
FortiGate, Web Application Firewall.
Solution
Topology:
Client -&amp;gt; FortiGate (WAF + SSL deep inspection enabled) -&amp;gt; Web Server (172.16.81.6).
In this deployment, the FortiGate is configured as a Virtual Server that provides HTTPS access to the backend web server.
Virtual Server configuration:
config firewall vip
    edit &quot;Test Web Server&quot;
        set type server-load-balance
        set server-type https
        set extip 172.16.80.6
        set extintf &quot;port1&quot;
        set h2-support disable
        set extport 443
            config realservers
                edit 1
                    set ip 172.16.81.6
                    set port 443
                    set verify-cert disable
                next
            end
        set ssl-mode full
        set ssl-certificate &quot;server&quot;
        set ssl-min-version tls-1.2
    next
end
This Virtual Server is referenced as the destination object in the corresponding firewall policy to allow inbound HTTPS access to the backend web server. As part of a standard FortiGate WAF deployment, both a Web Application Firewall (WAF) profile and an SSL Deep Inspection profile are applied to the policy.
Reference: Technical Tip: How to configure a Web Application Firewall (WAF) to protect a web server behind FortiGate
Firewall Policy Configuration:
config firewall policy
    edit 79
        set name &quot;Test Web Services&quot;
        set srcintf &quot;port1&quot;
        set dstintf &quot;port2&quot;
        set action accept
        set srcaddr &quot;all&quot;
        set dstaddr &quot;Test Web Server&quot;
        set schedule &quot;always&quot;
        set service &quot;HTTPS&quot;
        set utm-status enable
        set inspection-mode proxy
        set ssl-ssh-profile &quot;Protect Server&quot;
        set waf-profile &quot;default&quot;
        set logtraffic all
        set logtraffic-start enable
    next
end
SSL Deep Inspection Profile:
The SSL Deep Inspection profile is configured with a server certificate replacement certificate (&#039;Protecting Server&#039; certificate) as shown below.
config firewall ssl-ssh-profile
    edit &quot;Protect Server&quot;
        config ssl
            set inspect-all deep-inspection
            set min-allowed-ssl-version tls-1.2
        end
        config https
            set ports 443
            set quic inspect
        end
        config ftps
        end
        config imaps
        end
        config pop3s
        end
        config smtps
        end
        config ssh
            set ports 22
            set status disable
        end
        config dot
            set status disable
            set quic inspect
        end
        set server-cert-mode replace
        set server-cert &quot;server&quot;
    next
end
Under normal conditions, this configuration successfully handles most HTTPS traffic destined for the backend web server.
However, connection failures may occur when the client initiates an HTTPS POST request containing the HTTP header &#039;Expect: 100-continue&#039;.
According to the HTTP/1.1 specification, the purpose of the Expect: 100-continue header is to allow a client to defer transmission of the POST request body until the server confirms that it is willing to accept it. This prevents unnecessary transmission of large payloads when the server is likely to reject the request.
The typical exchange is as follows:
The client sends the HTTP request headers, including Expect: 100-continue.
The server responds with:
HTTP/1.1 100 Continue
The client then sends the POST request body.
In the affected scenario, the client remains in a waiting state until timeout because it never receives the expected 100 Continue response from the server.
The WAD debug on the FortiGate shows that the FortiGate successfully receives and parses the POST request header containing Expect: 100-continue. However, the request is not forwarded to the backend server, preventing the server from generating the required 100 Continue response.
2026-03-27 15:47:57.097571 1p:2315]5r:4604907] wad_dump_http_request :2915 hreq=0x7f93c4fd7ce8 Received request from client: 58.179.218.18:49387
POST /Services/Testpayment.asmx HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction: http://test.org/request
Host: test.payment.com
Transfer-Encoding: chunked
Expect: 100-continue
Connection: Keep-Alive
&gt;V]2026-03-27 15:47:57.097577 7p:2315]5r:4604907] wad_http_marker_uri :1270 path=/Services/Testpayment.asmx len=23
&gt;V]2026-03-27 15:47:57.097582 2p:2315]5r:4604907] wad_http_parse_host :1649 host_len=25
2026-03-27 15:47:57.097586 6p:2315]5r:4604907] wad_http_parse_host :1681 host=t25]test.payment.com
2026-03-27 15:47:57.097591 1p:2315]5r:4604907] wad_http_str_canonicalize :2196 enc=0 path=/Services/Payments.asmx len=23 changes=0
&gt;V]2026-03-27 15:47:57.097594 4p:2315]5r:4604907] wad_http_normalize_uri :2586 host_len=25 path_len=23 query_len=0
2026-03-27 15:47:57.097598 8p:2315]5r:4604907] wad_http_req_detect_special :16102 captive_portal detected: false, preflight=(null)
&gt;V]2026-03-27 15:47:57.097606 6p:2315]5r:4604907] wad_http_req_exec_act :14489 request(0x7f93c4fd7ce8), intercept(pass), block(0)
&gt;V]2026-03-27 15:47:57.097610 0p:2315]5r:4604907] wad_http_req_exec_act :14578 dst_addr_type=1 wc_nontp=0 sec_web=1 web_cache=0 req_bypass=0
2026-03-27 15:47:57.097617 7p:2315]5r:4604907] wad_http_urlfilter_check :386 uri_norm=1 inval_host=0 inval_url=0 scan-hdr/body=1/1 url local=0 block=0 user-cat=0 allow=0 ftgd=0 keyword=0 wisp=0
2026-03-27 15:47:57.097622 2p:2315]5r:4604907] wad_http_req_proc_waf :1375 req=0x7f93c4fd7ce8 ssl.deep_scan=1 proto=10 exempt=0 waf=(nil) body_len=18446744073709551615 ua= skip_scan=0
2026-03-27 15:47:57.097626 6p:2315]5r:4604907] wad_http_waf_access_control :1239
2026-03-27 15:47:57.097630 0p:2315]5r:4604907] wad_http_req_proc_waf_body :1334
&gt;V]2026-03-27 15:47:57.097633 3p:2315]5r:4604907] wad_http_strm_read_body :963 http stream 0x7f93c5009e28 body_type=1 body_len=18446744073709551615
&gt;V]2026-03-27 15:47:57.097637 7p:2315]5r:4604907] wad_http_clt_read_sync :2027 hs=0x7f93c5009df8 pause=(0/0x0) ret=1 execute=wad_http_strm_read_chunk_size
&gt;V]2026-03-27 15:47:57.097643 3p:2315]5r:4604907] wad_tcp_port_window_adjust :475 tcp_port 0x7f93c56a9438 window-type auto-tuning set 1 SNDBUF 131072 RCVBUF 528000 CLAMP 8388608
2026-03-27 15:47:57.097716 6p:2315]5r:4604907] wad_tcp_port_flush :1582 sock 155 write (1,223,223) n_written=223 tcp_port 0x7f93c56a9438
&gt;2315] write e(1,223) (17 03 03 00 da 3b 14 66 07 88 40 da 2b 24 79 7b 01 7d e7 d7 01 47 9f 7d a1 4f 29 ec 9e 2b 4a 1d 04 e2 1e 72 f5 d3 28 58 af be e9 26 fe a6 a5 65 44 2f 30 dc 44 36 7a 49 34 f5 39 7e cc b0 d1 27 a6 a1 66 24 49 33 de bf 03 02 d
2 72 e7 7a 52 7c 7e 4e 2b 98 1a 91 62 92 8a d1 45 5d 73 73 f0 d5 05 f2 40 27 38 c0 38 6e 3f 7f 65 bb 8c cd ef 46 88 48 f3 ce 17 21 5f 28 e4 c3 05 26 95 eb c1 8e 9d f9 36 10 27 50 90 5e 1d 16 74 f7 f1 eb 1c 0e 2b 9b ac ab bc 5d 8d 01 2f f0 eb bc c
9 cd 07 49 5f ef 53 91 14 de 4d 9d 27 24 fa 8b 3a a3 b2 71 7d f7 27 e7 51 1f d7 1a 13 be 87 3e fa 90 33 37 13 e5 82 78 71 68 f2 fc 36 a7 bb f7 f5 6c d7 f7 1b 9e 75 25 1a 6d 51 53 ce 0e 0c 2d c8 ec b3 )(.....;.f..@.+$y{.}...G.}.O)..+J....r..(X...&amp;amp;
...eD/0.D6zI4.9~...&#039;..f$I3.....r.zR|~N+...b...E]ss....@&#039;8.8n?.e....F.H...!_(...&amp;amp;......6.&#039;P.^..t.....+....]../......I_.S...M.&#039;$..:..q}.&#039;.Q......&amp;gt;..37...xqh..6....l....u%.mQS...-...)]
2026-03-27 15:47:57.104808 8p:2316] ipsapp ses 4895038 send msg 10628 len 2464 dir 0 count 1
2026-03-27 15:47:57.104825 5p:2316] ipsapp ses 4895038 send writing msg 0 of 1, for length 2464
2026-03-27 15:47:57.104831 1p:2316] ipsapp us 122 write (1,3016)
&gt;V]2026-03-27 15:47:57.105260 0p:2316] wad_mem_c_free :176 freeing memory not in bucket
&gt;V]2026-03-27 15:47:57.105273 3p:2316] wad_mem_c_malloc :138 size 65568 exceeds max_elm_size (18392); not using bucket
2026-03-27 15:47:57.105287 7p:2316] ipsapp us 122 read (0,65536)
2026-03-27 15:47:57.105294 4p:2316] ipsapp ses 4895038 msg 10627 eval response dir 0 act 0 app 0 proto 0 tlv_len 0
2026-03-27 15:47:57.105298 8p:2316] ipsapp ses 4895038 msg 10628 eval response dir 0 act 0 app 0 proto 1 tlv_len 0

This behavior occurs because the WAF profile expects the complete HTTP request, including both the request headers and body, before forwarding the request to the backend server. However, when the client sends a request containing the &#039;Expect: 100-continue&#039; header, it waits for a &#039;100 Continue&#039; response before transmitting the request body. This creates a deadlock condition: the FortiGate waits for the body before forwarding the request, and the client waits for the &#039;100 Continue&#039; response before sending the body. As a result, neither side progresses and the client eventually experiences a timeout.

This issue occurs in FortiOS versions before v7.6.5. Starting from FortiOS v7.6.5, the WAF processing logic has been enhanced to handle this scenario correctly. When the FortiGate receives an HTTPS POST request containing the &#039;Expect: 100-continue&#039; header, the WAF inspects the request headers and forwards them to the backend server after validation, without waiting for the request body. This allows the backend server to return the 100 Continue response and prevents the deadlock condition described above.</description>
            <category>FortiGate</category>
            <pubDate>Tue, 23 Jun 2026 09:56:12 +0200</pubDate>
        </item>
                <item>
            <title>Trunk between Fortiswitch and Cisco Switch and FS connected to FG</title>
            <link>https://community.fortinet.com/support-forum-92/trunk-between-fortiswitch-and-cisco-switch-and-fs-connected-to-fg-228459</link>
            <description>1. If I connect S1 “FortiSwitch” to S2 “Cisco” using a trunk port, and in the trunk port I allowed VLAN 20 only, and on the FortiGate I create a policy to route between VLAN 10 and VLAN 20, can PC1 in VLAN 10 ping PC2 in VLAN 20? If yes, why, and if no, why? 2. Does the trunk port control traffic between different VLANs when I allowed VLAN 20 only in the trunk, or will the FortiGate control traffic between different VLANs?</description>
            <category>Support Forum</category>
            <pubDate>Tue, 23 Jun 2026 09:39:41 +0200</pubDate>
        </item>
                <item>
            <title>Technical Tip: Explanation of Device Security information</title>
            <link>https://community.fortinet.com/fortiedr-20/technical-tip-explanation-of-device-security-information-228458</link>
            <description>Description
This article provides details about Device Security information.

Scope
FortiEDR Collector v6.1 and above.

Solution
Device Security information is a feature introduced in Collector 6.1+ versions. It allows the EDR console to show security information. The collector shares this information if the latest versions are running on the devices.

By default, the EDR manager classifies the device as Compliant or Partially compliant, depending on the device status.

Windows device:
For Windows collectors, the following information is provided:
IsWindowsFirewallEnabled
IsWSCRegistered
IsBitlockerEnabled
IsUACEnabled
IsWindowsUpdated

macOS device:
For macOS collectors, the following information is provided:
IsSipEnabled
IsGateKeeperEnabled
IsHostFirewallEnabled
IsDiskEncryptionEnabled

In several cases, if the device is compliant but still not showing on the EDR console, a restart/reboot on the collector side may be needed.</description>
            <category>FortiEDR</category>
            <pubDate>Tue, 23 Jun 2026 09:13:16 +0200</pubDate>
        </item>
                <item>
            <title>Technical Tip: Post-upgrade validation checklist for FortiMail</title>
            <link>https://community.fortinet.com/fortimail-26/technical-tip-post-upgrade-validation-checklist-for-fortimail-228454</link>
            <description>Description
This article describes how to validate the operation of FortiMail after a firmware upgrade.

Scope
FortiMail.

Solution
After upgrading FortiMail firmware, perform the following validation checks to confirm that the system is operating normally.

1. Verify firmware version.
Navigate to Dashboard -&amp;gt; Status.
Confirm that the displayed firmware version matches the intended upgrade version.
Alternatively, from the CLI:
get system status
Verify the firmware build and version information.

2. Confirm system services are running.
Verify that all FortiMail services have started successfully.
Review:
Status page.
Email logs.
System alerts.
Check for any service startup failures or unexpected warnings.

3. Verify mail flow.
Send a test email:
From an external sender to an internal recipient.
From an internal sender to an external recipient.
Confirm that:
Messages are delivered successfully.
No unusual delays occur.
Mail logs show successful delivery.

4. Check the mail queue.
Navigate to Monitor -&amp;gt; Mail Queue.
Verify that:
Mail queues are processing normally.
No significant increase in queued messages is observed.
No messages remain stuck in the queue.

5. Verify DNS resolution.
Confirm that FortiMail can resolve external domains.
This is especially important after VM migrations, network changes, or infrastructure maintenance.
Review logs for DNS-related errors.

6. Verify antivirus and antispam services.
Confirm that security scanning services are functioning correctly.
Verify:
Antivirus updates are current.
Antispam services are operational.
Security profiles remain enabled.

7. Verify that mail policies are in place.
Review configured:
Access control policies.
IP Policies.
Recipient policies.
Confirm that all expected configurations remain intact after the upgrade.

8. Review system logs.
Navigate to Monitor -&amp;gt; Log.
Check for:
Service failures.
Database errors.
Network connectivity issues.
Licensing errors.
Investigate any recurring critical or warning events.

9. Verify HA status (if applicable).
For HA deployments: navigate to System -&amp;gt; High Availability.
Verify that:
All members are online.
Synchronization status is normal.
The cluster is functioning as expected.

10. Monitor the system.
Monitor the system for several hours after the upgrade.
Pay attention to:
Mail processing performance.
Resource utilization.
User-reported issues.
Unexpected log entries.</description>
            <category>FortiMail</category>
            <pubDate>Tue, 23 Jun 2026 08:12:43 +0200</pubDate>
        </item>
                <item>
            <title>Troubleshooting Tip: Unable to select a specific VDOM as the only option when creating a TACACS+ or RADIUS administrator account</title>
            <link>https://community.fortinet.com/fortiadc-7/troubleshooting-tip-unable-to-select-a-specific-vdom-as-the-only-option-when-creating-a-tacacs-or-radius-administrator-account-228453</link>
            <description>Description
This article describes a solution for when it is not possible to select a specific VDOM as the only option when creating a TACACS+ or RADIUS administrator account.

Scope
FortiADC and FortiADC VM.

Solution
Example:
The FortiADC has 3 VDOMs (root, vd1, and vd2). There is a requirement to create an administrator account with access to only VDOM vd1. However, when creating the account, FortiADC gives an error when the VDOM root is not selected, which defeats the original requirement for only the VDOM &#039;vd1&#039;.

The error occurs because the selected TACACS+ or RADIUS servers are configured in the VDOM root. The TACACS+ or RADIUS servers need to be created in the respective VDOM. For this example, it is VDOM vd1.

After selecting the correct TACACS+ or RADIUS servers respectively, it no longer gives an error when only VDOM &#039;vd1&#039; is selected.

Related documents:
Creating administrator users
Remote Server</description>
            <category>FortiADC</category>
            <pubDate>Tue, 23 Jun 2026 07:38:37 +0200</pubDate>
        </item>
                <item>
            <title>FortiGate Debug Flow Functions</title>
            <link>https://community.fortinet.com/support-forum-92/fortigate-debug-flow-functions-228409</link>
            <description>In FortiGate troubleshooting, you already know diagnose debug flow is the single most useful diagnostic tool on the platform — and also one of the most intimidating the first few times you read its raw output. A live capture throws dozens of lines at you per packet, each tagged with a func= value that tells you exactly which internal processing stage that line belongs to.

Enabling Function Names in Debug Flow
Before any of this is useful, you need function names switched on in your capture:
diagnose debug flow filter addr &amp;lt;ip-address&amp;gt;
diagnose debug flow show function-name enable
diagnose debug flow show iprope enable
diagnose debug console timestamp enable
diagnose debug enable
diagnose debug flow trace start 100

A quick clarification worth knowing: function names appear to be produced in the output regardless of whether show function-name enable is set, but Fortinet still recommends explicitly enabling it. The show iprope enable line is separate and important on its own — it reveals the hidden iprope rule checks, which is the internal table of policies and rules that traffic gets matched against, including forward traffic rules like Firewall Policies and local-in policies.

For the full official syntax reference and version-specific notes (including the NP7 packet-flow exceptions), see Fortinet’s own Debugging the packet flow documentation.

To stop the capture once you’ve got what you need:
diagnose debug flow trace stop
diagnose debug disable
diagnose debug reset

A Note Before the Reference Tables
Line numbers next to each func= entry in real debug output (e.g. line=5824) are not stable across FortiOS versions — the same function appears at different line numbers depending on build, since they’re just pointers into that version’s compiled binary. This guide deliberately omits line numbers as a memorized reference for that reason. What’s stable, and worth learning, is the function name itself and the message pattern that accompanies it. Always read the line number live off your own capture, never from a guide.

1. Packet Reception
Function | What It Means | Example Message
print_pkt_detail | The first line for almost every packet — confirms FortiGate received it, on which VDOM, with which protocol, ports, and ingress interface | “vd-root:0 received a packet(proto=6, 213.13.146.142:443-&amp;gt;85.xyz.xyz.xyz:63853) tun_id=0.0.0.0 from wan1. flag , seq…”

2. Session Lookup and Tuple Resolution
Function | What It Means | Example Message
resolve_ip_tuple_fast | Fast-path lookup checking whether the packet matches an existing session | “Find an existing session, id-00000e90, reply direction”
resolve_ip_tuple | Slow-path resolution used when a brand-new session needs to be allocated | “allocate a new session-013004ac”
init_ip_session_common | Session allocation, including tunnel-bound traffic | “allocate a new session-762651ef, tun_id=10.165.1.249”

3. Routing
Function | What It Means | Example Message
vf_ip4_route_input | Route lookup showing the selected gateway and outgoing interface | “find a route: gw-192.168.11.254 via port6”
vf_ip_route_input_common | Route lookup variant seen on some traffic types/builds | “find a route: flag=00000000 gw-10.89.2.146 via port5”

4. Policy Matching (iprope)
iprope is the internal table of policies and rules that traffic is matched against, including forward traffic rules such as Firewall Policies and local-in policies.
Function | What It Means | Example Message
iprope_dnat_check | Checks for a matching DNAT/VIP rule ahead of forward policy lookup | “in-mIPSec36], out-I]” → “result: skb_flags-02000008, vid-20, ret-no-match, act-accept, flag-00000000”
iprope_dnat_tree_check | Sub-check within the DNAT matching tree | “len=0”
iprope_fwd_check | Forward policy check, showing ingress/egress interface plus app/URL category if already known | “in-wIPSec36], out-rport5], skb_flags-02000008, vid-20, app_id: 0, url_cat_id: 0”
__iprope_tree_check | Internal tree-matching step during forward policy evaluation | “gnum-100004, use addr/intf hash, len=4”
__iprope_check | Generic policy-group check result — used for session-helper groups (SIP/SCCP) as well as forward policy groups | “gnum-4e20 check result: ret-no-match, act-accept, flag-00000000, flag2-00000000”
__iprope_check_one_policy | Confirms exactly which numbered firewall policy matched | “policy-2 is matched, act-accept”
iprope_policy_group_check | Policy-group level check — commonly seen failing in captive portal and SSL VPN source-address denial scenarios | “after check: ret-matched, act-drop, flag-00000020, flag2-00000000”
iprope_fwd_auth_check | Authentication portal check on the forward path | “iprope_auth_portal_check() result: ret-matched, act-drop”
iprope_reverse_dnat_tree_check | Reverse-direction DNAT tree check on reply-direction packets | “len=0”

One last practical note that ties back to where this whole reference series started: if you’re working through this on a fresh or RMA’d unit and the debug flow output looks fine but the unit itself won’t pass any traffic at all, double check it’s actually licensed before chasing a packet-flow problem that isn’t really there — see how to upload a FortiGate license via TFTP when there’s no internet access if that’s the case.</description>
            <category>Support Forum</category>
            <pubDate>Tue, 23 Jun 2026 07:23:50 +0200</pubDate>
        </item>
                <item>
            <title>Azure vWAN and fortigate managed app NVA deployment using terraform, is it worth it?</title>
            <link>https://community.fortinet.com/support-forum-92/azure-vwan-and-fortigate-managed-app-nva-deployment-using-terraform-is-it-worth-it-228412</link>
            <description>Hey guys, I&#039;m fairly new to Terraform and I was curious if FortiGate managed app deployment within Azure vWAN is a good option/approach? Keeping in mind that the rest of the infrastructure (vWAN, HUB/s, VNETs, NSGs, subnets, etc.) is deployed using Terraform, would there be any harm if NVAs are deployed manually? PS: NVA deployment would be a one-time setup, with no multiple environments (dev, prod, test) nor requirements for NVAs to be deployed more often. Every comment is appreciated.</description>
            <category>Support Forum</category>
            <pubDate>Tue, 23 Jun 2026 07:22:19 +0200</pubDate>
        </item>
                <item>
            <title>FortiPAM Failed login via SSMS</title>
            <link>https://community.fortinet.com/support-forum-92/fortipam-failed-login-via-ssms-228290</link>
            <description>Hi, we have FortiPAM. Our users use SQL Server Management Studio to connect to the database, and they use Windows integrated authentication. External users also have accounts, and they connect the same way while they are logged on to some domain PCs. But sometimes external users need to connect from their own laptops, which don&#039;t belong to the domains. We created a secret with the SQL template and SSMS launcher, and when they launch it we see that SSMS is not run as the user who can log in by choosing the Windows integrated authentication option, and the login also fails because natively it uses SQL Server authentication. Is there any way to tell the FortiPAM agent, when launching the secret, to run SSMS as a different user (using the credential defined in the secret)? I see that this is an option with FortiPAM 1.9 and FortiClient 8.0. I have PAM version 1.9, but I don&#039;t see the 8.0 version of the PAM agent. Can someone help or give some idea of how to enable users to connect to the DB?</description>
            <category>Support Forum</category>
            <pubDate>Tue, 23 Jun 2026 07:22:01 +0200</pubDate>
        </item>
                <item>
            <title>assign different user accounts to have access to different networks in FortiEdge Cloud</title>
            <link>https://community.fortinet.com/support-forum-92/assign-different-user-accounts-to-have-access-to-different-networks-in-fortiedge-cloud-228431</link>
            <description>For FortiEdge Cloud, how do you assign different user accounts to have access to different networks? I believe this used to be accomplished using the Multi Tenancy license and sub accounts, correct? Since this can’t be ordered anymore and is going away, how do you do it using the new organization method?</description>
            <category>Support Forum</category>
            <pubDate>Tue, 23 Jun 2026 06:34:02 +0200</pubDate>
        </item>
                <item>
            <title>FortiOS 7.6.7 IKEv2/IPsec VPN stopped working after upgrade</title>
            <link>https://community.fortinet.com/support-forum-92/fortios-7-6-7-ikev2-ipsec-vpn-stopped-working-after-upgrade-228398</link>
            <description>Hello. First, I apologize for my imperfect English. Recently, I started learning about networking using FortiGate.

When running FortiOS v7.6.6, I configured IKEv2/IPsec VPN on a FortiGate 60F. At that time, the VPN connection worked correctly. However, after upgrading the FortiGate to FortiOS v7.6.7, the VPN connection stopped working. No VPN configuration changes were made between the upgrade and the failure.

Based on the FortiGate logs and packet captures taken with Wireshark, I suspect that during the certificate authentication process, the intermediate certificate that should be sent from the server to the client is no longer being transmitted.

After rolling back to FortiOS v7.6.6, the VPN connection started working again. I also confirmed that the VPN connection works on FortiOS v7.6.7 when the R12 intermediate certificate is manually imported into Windows. This seems to indicate that the client is not receiving the intermediate certificate from the FortiGate during authentication.

The following observations were made from the logs and packet captures:
The AUTH response payload length became approximately one quarter of its previous size.
The AUTH response was fragmented into 2 packets instead of 5 packets.
The total packet size remained almost unchanged.
Most other values remained unchanged, except for expected differences such as MAC addresses, IP addresses, and timestamps.

Because of these observations, I suspect that some certificate-related data may be missing from the AUTH response. I really hope you will help me identify the cause or provide guidance regarding this issue.

The following is the environment used for my verification.
FortiOS: v7.6.7
FortiGate model: FortiGate 60F
VPN protocol: IKEv2/IPsec
Authentication method: certificate + EAP-MSCHAPv2
Server certificate issuer: Let’s Encrypt
Windows trusted root certificate: ISRG Root X1
Intermediate certificate in FortiGate: R12
Tunnel creation method: created by wizard (when FortiOS is v7.6.6)
VPN client: Windows built-in VPN client

Has anyone experienced similar behavior after upgrading to FortiOS v7.6.7? Due to security considerations, I cannot share packet captures publicly. However, I can provide sanitized log outputs if needed.

Thank you for your time.</description>
            <category>Support Forum</category>
            <pubDate>Tue, 23 Jun 2026 03:43:18 +0200</pubDate>
        </item>
                <item>
            <title>How to retrieve current &quot;Log Insert Lag Time&quot; value</title>
            <link>https://community.fortinet.com/support-forum-92/how-to-retrieve-current-log-insert-lag-time-value-228450</link>
            <description>Sporadically our FortiAnalyzer (7.4.9) will stop sending logs to our main syslog log collector (it is still collecting from other systems). The “Log Insert Lag Time” will get up to 18 or so hours and keep climbing, when it should be like 20-30 seconds. When the analyzer is rebooted, logs start to flow and the time slowly returns to normal, and everything is OK. I’ve been trying to get that value via a command line, or SNMP, to feed our PRTG system to monitor when it happens before it gets out of control. But it seems to be elusive. Maybe I’m missing something? Perhaps there is another telltale sign that I can look at? Or is it a feature request? Thanks!</description>
            <category>Support Forum</category>
            <pubDate>Tue, 23 Jun 2026 02:30:56 +0200</pubDate>
        </item>
                <item>
            <title>Automated Certificate Replacement Vendors - FortiADC Load Balancers</title>
            <link>https://community.fortinet.com/support-forum-92/automated-certificate-replacement-vendors-fortiadc-load-balancers-208245</link>
            <description>To automate our Layer 7 VIPs, which use 1-year certificates, we are starting to look at a 3rd party vendor to assist with certificate replacement, as lifetimes are quickly marching towards 47 days: https://www.digicert.com/blog/tls-certificate-lifetimes-will-officially-reduce-to-47-days

I have been doing this once a year....but to do it every month manually I cannot/do not want to imagine due to the inordinate time suck to coordinate with all the developers to validate/test...it feels like an endless loop I would rather have no part in.

Has anyone successfully used a 3rd party vendor like Digicert or Venafi to set this up with your FortiADC-VM load balancer? It seems like they support LetsEncrypt (Open Source)/ Buypass (European) - but I would prefer to buy a product with full support. This type of functionality seems to be quite sparse and I am having difficulty finding any products compatible with my FortiADC-VM load balancer running 7.6.2. I understand it supports the ACME protocol...but again....hard to find any detailed documentation on this particular subject.

Any input/guidance on this subject will be much appreciated...Thanks.</description>
            <category>Support Forum</category>
            <pubDate>Mon, 22 Jun 2026 18:35:40 +0200</pubDate>
        </item>
                <item>
            <title>Technical Tip: FortiGate Security Fabric is unable to show Firewall Objects in conflict (Known Issue)</title>
            <link>https://community.fortinet.com/fortigate-3/technical-tip-fortigate-security-fabric-is-unable-to-show-firewall-objects-in-conflict-known-issue-184381</link>
            <description>Description
This article describes a known issue with firewall object synchronization in the Fortinet Security Fabric. Admins may notice the following symptoms related to this issue:
FortiGates in the Security Fabric will display a warning indicating that there are firewall object conflicts between the Root and Downstream FortiGates. An orange &#039;Fabric Conflicts&#039; warning may appear in the top-right corner when visiting a sub-section of Policy &amp;amp; Objects in the web GUI (such as Addresses).
Hovering over this warning will display a message stating &#039;Objects in this table conflict with other FortiGates in the Fabric&#039;, as well as a button to &#039;Review firewall object conflicts&#039;.
When viewing the Firewall Object Synchronization page on the FortiGate, no entries will be displayed (i.e. blank white page and/or &#039;No results&#039; shown). Additionally, an error message will appear in the bottom-right corner stating &#039;Error occurred while synchronizing tables&#039;.

Scope
FortiGate, Security Fabric.

Solution
FortiGates within the Security Fabric can configure and synchronize firewall objects (such as address, service, and schedule objects) between one another. In the event of a conflict between members of the Fabric (such as a mismatch between object names), the FortiGate has a wizard that can be used to identify and resolve these conflicts. See the Additional Reading section below for more information regarding Security Fabric synchronization.

A known issue can occur when there is a significant number of object conflicts/differences (e.g. roughly 100 conflicts or more) between two FortiGates in the same Security Fabric. When this occurs, the symptoms mentioned above in the Description can occur, where the FortiGate is unable to display the list of object conflicts and assist in the conflict resolution process. As a workaround, it is possible to manually compare the FortiGates&#039; various firewall object lists (under Policy &amp;amp; Objects) and manually resolve the differences.

Figure 1: Review firewall object conflicts
Figure 2: Firewall Object Synchronization page. Note the &#039;error occurred while synchronizing tables&#039; message.

This issue has been identified by the Fortinet development team as Issue #863126, and it has since been resolved as of v7.0.13, v7.2.6, and v7.4.1. Admins are recommended to upgrade to the listed versions or later to resolve the issue, and it is not necessary to resolve the fabric object conflicts beforehand (the synchronisation wizard can assist with conflict resolution afterwards).

On v7.4.8, the same error, &#039;Firewall Objects conflict&#039;, is classified as a GUI issue and is resolved:
After restarting the downstream FortiGate and root FortiGate.
Creating a new temporary address object with fabric-object enabled.

Related documents:
Synchronizing objects across the Security Fabric
Improvements to synchronizing objects across the Security Fabric v6.4.4</description>
            <category>FortiGate</category>
            <pubDate>Mon, 22 Jun 2026 17:57:19 +0200</pubDate>
        </item>
                <item>
            <title>Restrict IPSEC VPN to certain countries</title>
            <link>https://community.fortinet.com/support-forum-92/restrict-ipsec-vpn-to-certain-countries-228439</link>
            <description>Hi all, I read this article about restricting IPsec connections to certain countries.
https://community.fortinet.com/fortigate-3/technical-tip-restrict-ipsec-vpn-access-to-certain-countries-94688
When I attempt to implement it, I find that I cannot select any WAN interfaces in an address object. In the article example (below image) it shows External (wan1) in the interface field, but when I create a new address object it doesn’t show any active physical WAN interfaces in the interface field. Would using the Zone that contains the WAN interface work? We are running a FortiGate 81F with 7.4.12. Thanks</description>
            <category>Support Forum</category>
            <pubDate>Mon, 22 Jun 2026 17:12:10 +0200</pubDate>
        </item>
                <item>
            <title>Technical Tip: Enable the 6 GHz band on the FortiAP for India region</title>
            <link>https://community.fortinet.com/fortiap-5/technical-tip-enable-the-6-ghz-band-on-the-fortiap-for-india-region-228448</link>
            <description>Description
This article describes steps to enable the new 6 GHz band on the FortiAP for the India region.

Scope
FortiAP v7.6.5 GA, FortiGate v7.6.7 GA, FortiAP-G (WiFi 6E) and K (WiFi 7) series indoor models.

Solution
The new 6 GHz band is supported in India starting with FortiAP v7.4.7, v7.6.4 GA, and later firmware versions. In order to enable 6 GHz channels in the FortiAP profile, the FortiGate should be running the new FortiOS v7.6.7, v8.0.0 GA, or higher versions.

To activate the 6 GHz radio, a &#039;WPA3-Enterprise-only&#039; SSID should be mapped to the 6 GHz radio on the FortiAP profile.

Only WiFi clients that have WiFi 6E (802.11ax) or WiFi 7 (802.11be) chipsets can operate on the 6 GHz band. Ensure the Windows Laptop Wireless Network Adapter drivers are up to date on the WiFi clients.

Refer to the Fortinet guide to WiFi 6 + 7 Design and Planning: Introduction.

The following are example screenshots where a Windows Laptop using an &#039;Intel(R) Wi-Fi 6E AX211 160MHz&#039; WiFi chipset client successfully connected to a WPA3-Enterprise-only SSID operating on the 6 GHz band on the FortiAP-431G and FortiAP-241K v7.6.5 GA in India on the FortiGate v7.6.7 GA firmware:
WPA3-Enterprise-only SSID:
FortiAP-431G operating on the 6 GHz operating channel 17:
WiFi 6E (11ax) Laptop and Smartphone connected to the 6 GHz band on FortiAP-431G:
FortiAP-241K operating on the 6 GHz operating channel 81:
WiFi 6E (11ax) Laptop connected to 6 GHz band on FortiAP-241K:

Note:
Starting from FortiAP v8.0.0 and above, only FortiAP-231K, 241K, 23JK, and 441K models support 6 GHz in India. Refer to issue 1247542 in FortiAP v8.0.0&#039;s release notes: Introduction.

Related documents:
New feature 1170645 (enable 6GHz channels 1 ~ 93 for India): New features or enhancements.
New feature 1151101 (added a 6GHz channel utilization chart for FortiAP G and K series on the FortiGate Dashboard) on the new FortiOS v8.0.0 GA firmware: New features or enhancements.
FortiAP series access points data sheet
Fortinet wireless product matrix</description>
            <category>FortiAP</category>
            <pubDate>Mon, 22 Jun 2026 16:33:52 +0200</pubDate>
        </item>
                <item>
            <title>Technical Tip: Allow certain websites using static URL filter and block all other websites without using FortiGuard category-based filter</title>
            <link>https://community.fortinet.com/fortigate-3/technical-tip-allow-certain-websites-using-static-url-filter-and-block-all-other-websites-without-using-fortiguard-category-based-filter-223956</link>
            <description>Description
This article describes how to allow certain websites and block all other websites using only a static URL filter list, without using a FortiGuard category-based filter.

Scope
FortiGate.

Solution
Steps to create a URL filter list:
1. Create a web filter profile by going to Security Profiles -&amp;gt; Web Filter -&amp;gt; Create new.
2. Enable the URL filter option under the Static URL Filter.
3. Select &#039;Create New&#039; to create a new entry in the URL filter.
4. Add the allowed domain with Action &#039;Monitor&#039; or &#039;Allow&#039; with the &#039;Enable&#039; status.
5. Repeat the same for all other allowed domains.
6. Select &#039;Create New&#039; to create a new entry in the URL filter.
7. Select &#039;Wildcard&#039;.
8. Set Action &#039;Block&#039; with status &#039;Enable&#039;.
9. In the URL field, keep *, which means it will block anything.

In the following example, the domains www.msn.com and https://ping.eu have been allowed, but all other URLs have been blocked, all by using a static URL filter list without using a FortiGuard category-based filter. This web filter profile has been configured in the policy, and all of the traffic will be blocked, except for access to https://www.msn.com and https://ping.eu.

CLI Reference:

config webfilter urlfilter
    edit 1
        set name &quot;Auto-webfilter-urlfilter_4lgtg8uv8&quot;
        config entries
            edit 1
                set url &quot;www.msn.com&quot;
                set action monitor
            next
            edit 2
                set url &quot;ping.eu&quot;
                set action monitor
            next
            edit 3
                set url &quot;*&quot;
                set type wildcard
                set action block
            next
        end
    next
end
config webfilter profile
    edit &quot;Restricted_Profile&quot;
        config web
            set urlfilter-table 1
        end
    next
end

Additionally, check the forward traffic logs or web filter security event logs to verify whether all of the websites are blocked except for the allowed websites.

Related articles:
- Technical Tip: Web filtering order of execution
- Technical Tip: Use static URL filtering without FortiGuard Web Filter license
- Technical Tip: Allow all website using static url filter without using Fortiguard category based filter</description>
            <category>FortiGate</category>
            <pubDate>Mon, 22 Jun 2026 16:30:46 +0200</pubDate>
        </item>
                <item>
            <title>Change IP-address of device in Fortianalyzer</title>
            <link>https://community.fortinet.com/support-forum-92/change-ip-address-of-device-in-fortianalyzer-2224</link>
            <description>Hello, I have tried to change the IP address of a device connected to a FortiAnalyzer. However, it does not seem possible to change the IP address in the web GUI. When reading the user guidelines, I figured it should be possible to do this. See attached picture. Any idea on how I can do this? Do I really have to remove the device completely from the analyzer and then add it again? Erik</description>
            <category>Support Forum</category>
            <pubDate>Mon, 22 Jun 2026 16:10:16 +0200</pubDate>
        </item>
                <item>
            <title>Need advice after 3 attempts at NSE 5 - Secure Wireless LAN 7.4 Administrator</title>
            <link>https://community.fortinet.com/support-forum-92/need-advice-after-3-attempts-at-nse-5-secure-wireless-lan-7-4-administrator-228434</link>
            <description>Hi everyone, I’m reaching out because I’m a bit stuck. I&#039;ve taken the Fortinet NSE 5 - Secure Wireless LAN 7.4 Administrator exam (FCP_FWF_AD-7.4) three times now and haven’t been able to pass it. To prepare, I’ve gone through all the official study materials, watched the training videos, and done practice exams multiple times. I feel like I understand the concepts, but something isn&#039;t clicking on the actual exam. For those who have successfully passed, what did you do differently? I have a few specific questions:
- Exam Content: The exam has a &quot;Pass/Fail&quot; grading system. Does anyone have insight into how the questions are weighted or what the score distribution looks like?
- Study Strategy: The official course recommends a background in FortiGate and FortiAuthenticator, as well as basic wireless knowledge. I have a foundation there, but what are the &quot;make or break&quot; topics to focus on?
- Practice Exams: I&#039;ve been using practice tests, but I saw a recent post mentioning that many exam questions are updated frequently, so relying on older materials might not be enough. Any recommendations for the most up-to-date practice resources?
- Real-World Experience: The exam seems to test scenario-based knowledge. How crucial is hands-on experience with FortiAPs and the FortiGate wireless controller for passing? Is there a way to build this without a production environment?
Any tips or guidance would be greatly appreciated. Thanks!</description>
            <category>Support Forum</category>
            <pubDate>Mon, 22 Jun 2026 16:08:47 +0200</pubDate>
        </item>
                <item>
            <title>Troubleshooting Tip: Logout page enters redirect loop due to content routing URL mismatch</title>
            <link>https://community.fortinet.com/fortiweb-40/troubleshooting-tip-logout-page-enters-redirect-loop-due-to-content-routing-url-mismatch-228446</link>
            <description>Description
This article explains a scenario where users are unable to log out of a web application published through FortiWeb and encounter a browser error indicating excessive redirects (HTTP 307).

Scope
FortiWeb.

Solution
Users may experience a redirect loop when accessing or logging out of an application published through FortiWeb.

The issue may occur when the configured Content Routing URL does not match all application URL variations.

In the scenario investigated in this article, the Content Routing policy was configured to match the following:
/fss/

However, requests for URLs containing the following did not match as expected:
/fss

This caused the backend application to issue repeated HTTP redirects and resulted in an infinite redirect loop.

To resolve the issue, modify the Content Routing match prefix to this:
/fss

This allows both URL formats to be handled correctly:
/fss
/fss/

After updating the Content Routing policy, the logout process completes successfully and the redirect loop is resolved.</description>
            <category>FortiWeb</category>
            <pubDate>Mon, 22 Jun 2026 14:28:21 +0200</pubDate>
        </item>
                <item>
            <title>Technical Tip: ACME TLS-ALPN-01 validation fails due to incorrect DNS resolution of the FortiADC Virtual Server</title>
            <link>https://community.fortinet.com/fortiadc-7/technical-tip-acme-tls-alpn-01-validation-fails-due-to-incorrect-dns-resolution-of-the-fortiadc-virtual-server-228444</link>
            <description>Description
This article describes a scenario where ACME TLS-ALPN-01 certificate enrollment fails on FortiADC because the domain name used during validation resolves to an IP address different from the FortiADC Virtual Server configured to handle the challenge.

Scope
FortiADC.

Solution
When attempting to generate an ACME certificate using the TLS-ALPN-01 challenge method, the enrollment process may fail with errors similar to the following:

TLSAlpn01ChallengeValidator::TryGetChallengeCert:
IPv4 address TLS connection failed to return certificate.

TLSAlpn01ChallengeValidator::GetChallengeCertificate:
Connection to x.x.x.x:443 timed out.

The above errors may be a result of the Fully Qualified Domain Name (FQDN) configured for ACME validation resolving to an IP address different from the IP address configured on the FortiADC HTTPS Virtual Server responsible for handling the TLS-ALPN-01 challenge.

As a result, the ACME provider attempts to establish a TLS connection to the wrong destination and is unable to retrieve the challenge certificate.

Verify the following items when troubleshooting ACME TLS-ALPN-01 validation failures:
- Confirm that the FQDN used during ACME enrollment resolves to the FortiADC Virtual Server IP address configured for the challenge process.
- Confirm that TCP port 443 is reachable from the ACME provider.
- Confirm that the HTTPS Virtual Server is associated with the correct Client SSL Profile.
- Confirm that the Client SSL Profile references the intended Local Certificate Group.
- Confirm that the certificate was created using the ACME enrollment workflow rather than imported as a standard local certificate.

After correcting the DNS resolution so that the FQDN resolved to the Virtual Server IP address configured for ACME validation, the TLS-ALPN-01 challenge completed successfully, and the certificate was issued and installed on FortiADC.

Additional information:
- For ACME TLS-ALPN-01 validation and certificate renewal, the ACME provider must be able to establish a TLS connection to TCP port 443 on the endpoint associated with the enrolled FQDN.
- When using an ACME certificate for the FortiADC administrative interface, a reachable HTTPS Virtual Server on port 443 may still be required for the TLS-ALPN-01 challenge even when the administrative GUI is configured to listen on a different port.

Related document:
Generating an ACME Certificate (Automated Enrollment)</description>
            <category>FortiADC</category>
            <pubDate>Mon, 22 Jun 2026 13:49:12 +0200</pubDate>
        </item>
                <item>
            <title>Troubleshooting Tip: Parser Apply fails due to references to a non-existent parser</title>
            <link>https://community.fortinet.com/fortisiem-34/troubleshooting-tip-parser-apply-fails-due-to-references-to-a-non-existent-parser-227867</link>
            <description>Description
This article describes how to resolve the issue where parser configuration changes cannot be applied because parser test events fail with references to a parser that does not exist in the GUI.

Scope
FortiSIEM.

Solution
While applying parser configuration changes from the GUI (Admin -&amp;gt; Device Support -&amp;gt; Parser), the apply operation may fail, and the Test Parser window may show permanently failing test events similar to the following:

Expected parser: ZscalerNSSParser.
Used parser: ZscalerJsonParser.

Although the parser ZscalerNSSParser is not present in the GUI, stale back-end references still exist in the system, causing parser tests to fail.

Example user symptom:
It is impossible to apply any parser configuration changes. When selecting Apply, the Test Parser dialog shows permanently failing test events.

The issue may occur after upgrades or content updates, where older parser references remain in backend configuration files even though the parser itself no longer exists in the GUI.

Validation:
Run the following commands from the Super node:

cd /opt/phoenix/config/xml
ls -l Zscaler*

Example output:

-rwxr-xr-x 1 admin admin 73874 Jan 20 01:03 ZscalerJsonParser.xml
-rwxr-xr-x 1 admin admin 16326 Jan 20 01:03 ZscalerNSSParser.xml
-rwxr-xr-x 1 admin admin 3548 Jan 20 01:03 ZscalerParser.xml

If the old parser XML file exists in the backend filesystem but the parser is not visible from the GUI, the environment is impacted by this issue.

Workaround:
Move the stale parser XML file. Run the following on all Super nodes:

cd /opt/phoenix/config/xml
mv ZscalerNSSParser.xml /tmp

Take a backup of the existing parser test files and move them from this directory:

/data/custParser/

Example:

mkdir -p /tmp/custParser_backup
mv /data/custParser/* /tmp/custParser_backup/

Clear the cache and restart the application server.

HA deployment:
Perform the following steps one node at a time. Start with the Super Leader first.

Restart the app server on the Super as shown below:

ps -ef | grep javaagent
kill -9 &amp;lt;PID&amp;gt;

For example, if the &#039;ps&#039; command gives the PID &#039;2360025&#039;, run the following:

kill -9 2360025

After the GUI becomes accessible again on the Leader node, repeat the same procedure one-by-one on each follower node.

Recommended order:
1. Super Leader.
2. Follower 1.
3. Follower 2.

Ensure GUI access is restored before proceeding to the next node.

Non-HA deployment:
For non-HA deployments, perform the cache cleanup and application server restart only on the Super node.

Additional validation:
The parser validator can be manually tested using the following command:

/opt/phoenix/bin/phParserValidator -i /data/custParser/inputTest_&amp;lt;ID&amp;gt;.xml -o /data/custParser/outputTest_&amp;lt;ID&amp;gt;.xml

For example:

/opt/phoenix/bin/phParserValidator -i /data/custParser/inputTest_1776689001930.xml -o /data/custParser/outputTest_1776689001930.xml

API connectivity validation:
Verify the parser API connectivity by using the following:

curl -vk https://localhost:443/phoenix/rest/config/eventAttributeType
curl -vk https://&amp;lt;Super-IP&amp;gt;:443/phoenix/rest/config/eventAttributeType

Ensure the API responds successfully and that there is no proxy or intermediate connectivity issue affecting parser operations.

Result:
After completing the above steps, parser tests should pass successfully, and parser configuration changes can be applied normally from the GUI.</description>
            <category>FortiSIEM</category>
            <pubDate>Mon, 22 Jun 2026 10:53:14 +0200</pubDate>
        </item>
                <item>
            <title>Strange search results in the EMS console</title>
            <link>https://community.fortinet.com/support-forum-92/strange-search-results-in-the-ems-console-224691</link>
            <description>We recently upgraded from 7.4.4 to 7.4.5. In the meantime, the workstations have also been replaced with Windows 11 and are now Azure AD (Entra ID) joined instead of AD joined. Deployment at workplaces is done via Intune / Patch my PC. When I currently do a search in the FortiClient EMS console for an endpoint, I see the endpoint, but also 3 or 4 other endpoints in the search result. These &quot;extra&quot; endpoints can be seen with every search. I only expect to see the one endpoint I&#039;m looking for. Is there a duplicate GUID, hash, or something like that somewhere?</description>
            <category>Support Forum</category>
            <pubDate>Mon, 22 Jun 2026 09:20:39 +0200</pubDate>
        </item>
                <item>
            <title>Technical Tip: High CPU Utilization by the zebos_launcher process on the secondary FortiGate</title>
            <link>https://community.fortinet.com/fortigate-3/technical-tip-high-cpu-utilization-by-the-zebos-launcher-process-on-the-secondary-fortigate-228437</link>
            <description>Description
This article describes a possible reason why the zebos_launcher process may cause high CPU usage on the secondary FortiGate.

Scope
FortiGate v7.2, v7.4, v7.6, v8.0.

Solution
In an HA Active-Passive cluster, an issue may arise when multiple routes are added or removed rapidly and repeatedly. This can cause performance degradation in the zebos_launcher process on the secondary FortiGate. The primary FortiGate is not affected by this.

Run Time: 19 days, 19 hours and 12 minutes
6U, 0N, 4S, 90I, 0WA, 0HI, 0SI, 0ST; 24140T, 14424F
zebos_launcher 30406 R 95.5 1.8 0
        bcm.user 2183 S &amp;lt; 8.0 0.5 14
            iked 3898 S 3.5 1.0 5
          flcfgd 3931 S 1.0 0.2 8
       ipsengine 8930 S &amp;lt; 0.5 0.7 10
          hasync 3905 S &amp;lt; 0.5 0.3 9

For example:
In an IPsec dial-up HUB and Spoke topology, multiple branches may try to negotiate the same subnet repeatedly, because it is erroneously defined in the phase-2 selectors of the spokes. This may generate multiple additions and removals of the same route. This can be tracked in the IKE debugs.

diagnose debug reset
diagnose debug console timestamp enable
diagnose debug application ike -1

2026-06-13 08:56:12.341680 ike V=root:0:VPNTest:61974337: responder creating new child
2026-06-13 08:56:12.341717 ike V=root:0:VPNTest:61974337:396774934: peer proposal:
2026-06-13 08:56:12.341729 ike V=root:0:VPNTest:61974337:396774934: TSi_0 0:192.168.10.0-192.168.10.255:0

&amp;lt;Output truncated in this example&amp;gt;

2026-06-13 08:56:12.344273 ike V=root:0:VPNTest:396774921: moving route 10.130.145.0/255.255.255.0 oif VPNTest(72) metric 210 priority 1 to 0:VPNTest:396774934
2026-06-13 08:56:12.472735 ike V=root:0:VPNTest:396774934: moving route 10.130.145.0/255.255.255.0 oif VPNTest(72) metric 210 priority 1 to 0:VPNTest:396774949
2026-06-13 08:56:12.479007 ike V=root:0:VPNTest:396774949: moving route 10.130.145.0/255.255.255.0 oif VPNTest(72) metric 210 priority 1 to 0:VPNTest:396774951
2026-06-13 08:56:12.614841 ike V=root:0:VPNTest:396774951: moving route 10.130.145.0/255.255.255.0 oif VPNTest(72) metric 210 priority 1 to 0:VPNTest:396774968

To fix the high CPU issue, identify why the same subnet is added and removed repeatedly.

The Fortinet Engineering team is aware of this issue, and it is currently tracked under the Issue ID #1279665. The fix for this issue is currently scheduled in FortiOS v8.0.1. The &#039;zebos_launcher&#039; process is optimized to handle the empty routes on the secondary FortiGate more efficiently.

Related articles:
- Technical Tip: What ZebOS is
- Technical Tip: High Memory Utilization on FortiGate by &#039;zebos_launcher&#039;</description>
            <category>FortiGate</category>
            <pubDate>Sun, 21 Jun 2026 21:56:28 +0200</pubDate>
        </item>
                <item>
            <title>Fortibleed posts deletion</title>
            <link>https://community.fortinet.com/support-forum-92/fortibleed-posts-deletion-228433</link>
            <description>I have a question, maybe for a mod. Thursday morning I started seeing fortibleed posts being flagged and deleted by mods. That was the earliest I ever heard of it. Is there a reason for this? This obviously was very valid and could have helped the fortinet community be one step ahead of the intruders that would abuse it. Why were those posts deleted? It was our earliest warning to defense.</description>
            <category>Support Forum</category>
            <pubDate>Sun, 21 Jun 2026 21:27:21 +0200</pubDate>
        </item>
                <item>
            <title>Technical Tip: Packet loss passing through interfaces of type &#039;Redundant&#039;</title>
            <link>https://community.fortinet.com/fortigate-3/technical-tip-packet-loss-passing-through-interfaces-of-type-redundant-211952</link>
            <description>Description
This article describes a software issue that causes packet loss, authentication failures, and session drops when using interfaces of type &#039;redundant&#039; on specific FortiGate models and FortiOS versions.

Scope
FortiGate-70/71G, 90/91G v7.4.7 and v7.4.8.

Solution
Symptoms of the problem:
- Packet loss.
- Authentication failures.
- Session drops.
- Not able to connect to SSH.

The symptoms detailed above will occur only for traffic with a source or destination passing through any interface configured as &#039;redundant&#039;.

Reproduction scenarios:

Scenario 1: After upgrading from v7.2.11 or v7.4.7 to v7.4.8, FortiGate-70/71G and 90/91G with interfaces of type &#039;redundant&#039; may experience packet loss and disconnections (poor quality, failure to establish TCP connections such as SSH).

Scenario 2: On v7.4.7 and v7.4.8, after an unexpected power loss and reboot, FortiGate-70/71G and 90/91G with interfaces of type &#039;redundant&#039; may experience packet loss and disconnections until the device is rebooted again.

Below are three workarounds available to handle this issue:

Workaround 1: Disable auto-asic-offload to resolve the issue in v7.4.8. This may cause performance degradation.

config firewall policy
    edit &amp;lt;id&amp;gt;
        set auto-asic-offload disable
    next
end

Workaround 2: Change the interface type from &#039;redundant&#039; to &#039;aggregated&#039;. To perform the workaround, this KB article can be followed: Technical Tip: Changing interface type from &#039;Redundant&#039; to &#039;Aggregate&#039;.

Workaround 3: Use a single interface if aggregation is not required.

Solution (Updated):
The final solution is already implemented in Known issues 7.4.9 and Known issues 7.6.4.</description>
            <category>FortiGate</category>
            <pubDate>Sun, 21 Jun 2026 18:10:42 +0200</pubDate>
        </item>
                <item>
            <title>Technical Tip: PSU sensing does not work for FortiGateRugged-60F/70F in non-isolated positive earth environments</title>
            <link>https://community.fortinet.com/fortigate-3/technical-tip-psu-sensing-does-not-work-for-fortigaterugged-60f-70f-in-non-isolated-positive-earth-environments-199463</link>
            <description>Description
This article describes that the FortiGateRugged-60F/70F DC presence LED may not correctly reflect/detect that one of the DC feeds is down in certain -48VDC environments where users have 2x -48VDC feeds and both feeds are non-isolated positive ground power sources.

Scope
FortiGateRugged-60F/70F (Gen 3): P25210-31 and after, FortiGateRugged-60F/70F (Gen 5): P25210-50 and after.

If the user uses a positive ground source (-48V) and the redundant power sources are not isolated, the DC presence detection LED behavior is affected.

Solution
The drawings below illustrate the DC LED issue:
- The correct behavior, where the positive ground sources are isolated.
- The incorrect behavior, where the positive ground sources are not isolated.

This issue only occurs in the case of positive ground sources that are not isolated. It is recommended to use isolated power sources for power redundancy systems. The issue does NOT affect customers using negative ground power sources, has no impact on other areas of hardware functionality, and has no impact on safety and regulatory standards for the FortiGateRugged-60F/70F Gen3/Gen5.</description>
            <category>FortiGate</category>
            <pubDate>Sun, 21 Jun 2026 17:44:22 +0200</pubDate>
        </item>
                <item>
            <title>The best agent versions for FortiNAC Fortinac-os 7.6.5 is 9.4.0.93 or what is the most optimal</title>
            <link>https://community.fortinet.com/support-forum-92/the-best-agnet-versions-for-fortinac-fortinac-os-7-6-5-is-9-4-0-93-or-what-is-the-most-optimal-228432</link>
            <description>Now I have FortiNAC with version 7.6.5 Fortinac-os and the agent I have is 9.4.0.93. I need to know if this is the most suitable version for the agent or not, and if I plan to upgrade it, what should I do, given that I set the scan policy to check for the latest persistent agent and I also edited the registry key of LoginDialogDisabled?</description>
            <category>Support Forum</category>
            <pubDate>Sun, 21 Jun 2026 13:34:10 +0200</pubDate>
        </item>
                <item>
            <title>Trial License for FortiGate VM (Learning &amp; Certification)</title>
            <link>https://community.fortinet.com/forticare-service-development-210/trial-license-for-fortigate-vm-learning-certification-204147</link>
            <description>I am currently preparing for the Fortinet Certified Professional (FCP) certification in Network Security. As part of my hands-on learning and practical lab setup, I have successfully installed the FortiGate VM on my local environment. However, I am finding it hard to access the GUI of the FortiGate VM due to the absence of a trial license. I have tried these commands:

execute vm-license-options account-id xxxx@fortinet.com
execute vm-license-options account-password xxxxxxx
execute vm-license

It showed the error:

&quot;Requesting Forticare Trial license, proxy:(null)
failed to download VM license&quot;

I would like to kindly request help in acquiring a trial license for the FortiGate VM. This is meant exclusively for my study, practice and learning experience. Community help will be very much appreciated.</description>
            <category>FortiCare Service Development</category>
            <pubDate>Sun, 21 Jun 2026 10:01:22 +0200</pubDate>
        </item>
                <item>
            <title>Technical Tip: Traffic denied by Policy 0</title>
            <link>https://community.fortinet.com/fortigate-3/technical-tip-traffic-denied-by-policy-0-96728</link>
            <description>Description
This article discusses a site-to-site VPN configuration between Azure and FortiGate in which FortiGate responds when Azure sends a ping, but ping traffic initiated by FortiGate toward Azure is dropped by Policy 0.

Scope
FortiGate.

Solution
The traffic is denied by policy 0 because the captive portal was enabled at the interface level. When authentication is disabled on the interface, traffic will pass through the correct policy.

This is the error message usually seen in the flow debug:

id=20085 trace_id=548 func=iprope_policy_group_check line=4367 msg=&quot;after check: ret-no-match, act-accept, flag-00000000, flag2-00000000&quot;
id=20085 trace_id=548 func=fw_forward_handler line=599 msg=&quot;Denied by forward policy check (policy 0)&quot;

To resolve this issue, disable the captive portal on the interface, add an exemption, or enable the captive portal at the policy level.

Note:
The above issue occurred in a site-to-site VPN. It can be valid for the normal traffic flow as well. Ping might work sometimes, but other services will be denied. Another scenario where the policy will not match is when the Schedule or Service in the Policy is modified.

Related article:
Technical Tip: Error &#039;policy-0 is matched, act- drop&#039;</description>
            <category>FortiGate</category>
            <pubDate>Sun, 21 Jun 2026 08:36:33 +0200</pubDate>
        </item>
                <item>
            <title>FortiBleed question about admin accounts</title>
            <link>https://community.fortinet.com/support-forum-92/fortibleed-question-about-admin-accounts-228427</link>
            <description>Good day everyone, I have been trying to look for this or googling it. However, one of our non-production firewalls was hit by this FortiBleed. Unfortunately, the logging does not show much. I&#039;ve gone through the firewall to see what exciting things were done, and I noticed the firewall has 13 administrator accounts now. (It&#039;s connected to FortiGate Cloud.) Did anyone else experience that accounts were created? And any other things to look out for? Hope you could share some experiences!</description>
            <category>Support Forum</category>
            <pubDate>Sat, 20 Jun 2026 21:13:32 +0200</pubDate>
        </item>
                <item>
            <title>Edit interface name on fortigate with High Availability Configuration</title>
            <link>https://community.fortinet.com/support-forum-92/edit-interface-name-on-fortigate-with-high-availability-configuration-228414</link>
            <description>Hi, I would like to ask if there is a way to edit an interface name on FortiGate, in particular in a configuration of 4 FortiGates with High Availability, where one is master and the others are slaves. If in this configuration the method used to change the interface name is to download the backup configuration file of the master FW, edit the configuration file and load it with the interface name changes, would this be a correct approach? Or maybe something should also be done on the slaves&#039; configuration? Or would the best way be to delete the interface and redo it with the new name? Many thanks!</description>
            <category>Support Forum</category>
            <pubDate>Sat, 20 Jun 2026 21:08:41 +0200</pubDate>
        </item>
                <item>
            <title>Technical Tip: Paths to be excluded in 3rd party security applications when running FortiClient/FortiSASE agent concurrently</title>
            <link>https://community.fortinet.com/forticlient-4/technical-tip-paths-to-be-excluded-in-3rd-party-security-applications-when-running-forticlient-fortisase-agent-concurrently-208780</link>
            <description>Description
This article describes the FortiClient path lists to be excluded in third-party security applications and software, such as Antivirus, EDR, and XDR, when running the FortiClient/FortiSASE agent concurrently. The paths apply to both the FortiClient EMS solution and the FortiSASE solution.
Scope
FortiClient.
Solution
As a best practice, whenever considering running FortiClient/FortiSASE agent in parallel with other third-party security applications such as Antivirus, EDR, and XDR, it is suggested to configure FortiClient folder/file paths in the third-party security application&#039;s exclusion list.
This is to prevent any conflict and crashes, performance degradation, false positives and detection, and reduced effectiveness due to overlapping features when they interfere with each other&#039;s processes.
Paths to be excluded for MacOS:
/Library/Application Support/Fortinet/FortiClient/bin/fctservctl
/Library/Application Support/Fortinet/FortiClient/bin/epctrl
/Library/Application Support/Fortinet/FortiClient/bin/ftgdagent
/Library/Application Support/Fortinet/FortiClient/bin/fmon
/Library/Application Support/Fortinet/FortiClient/bin/scanunit
/Library/Application Support/Fortinet/FortiClient/bin/vulscan
/Library/Application Support/Fortinet/FortiClient/bin/fctappfw
/Library/Application Support/Fortinet/FortiClient/bin/fssoavgent_launchagent
/Library/Application Support/Fortinet/FortiClient/bin/fssoavgent_launchdaemon
/Library/Application Support/Fortinet/FortiClient/bin/fctctld
/Library/Application Support/Fortinet/FortiClient/bin/sslvpnd
/Library/Application Support/Fortinet/FortiClient/bin/racoon
/Library/Application Support/Fortinet/FortiClient/bin/racoonctl
/Library/Application Support/Fortinet/FortiClient/bin/fctupdate
/Library/Application Support/Fortinet/FortiClient/bin/fctupgrade
/Applications/FortiClient.app/Contents/MacOS/FortiClient
/Applications/FortiClient.app/Contents/Resources/runtime.helper/FortiClientAgent.app/MacOS/FortiClientAgent
/Applications/FortiClient.app/Contents/Resources/runtime.helper/FortiClientUpdate.app/Contents/MacOS/FortiClientUpdate
Paths to be excluded for Linux:
/opt/forticlient/*
/etc/forticlient/*
Paths to be excluded for Windows:
%ProgramFiles%\Fortinet\FortiClient\FCVbltScan.exe
%ProgramFiles%\Fortinet\FortiClient\FortiAvatar.exe
%ProgramFiles%\Fortinet\FortiClient\ipsec.exe
%ProgramFiles%\Fortinet\FortiClient\FortiClient.exe
%ProgramFiles%\Fortinet\FortiClient\FortiClient_Diagnostic_Tool.exe
%ProgramFiles%\Fortinet\FortiClient\av_task.exe
%ProgramFiles%\Fortinet\FortiClient\AzureToken.exe
%ProgramFiles%\Fortinet\FortiClient\EPCUserAvatar.exe
%ProgramFiles%\Fortinet\FortiClient\fcappdb.exe
%ProgramFiles%\Fortinet\FortiClient\fcaptmon.exe
%ProgramFiles%\Fortinet\FortiClient\FCAuth.exe
%ProgramFiles%\Fortinet\FortiClient\FCCOMInt.exe
%ProgramFiles%\Fortinet\FortiClient\FCConfig.exe
%ProgramFiles%\Fortinet\FortiClient\FCDBLog.exe
%ProgramFiles%\Fortinet\FortiClient\FCHelper64.exe
%ProgramFiles%\Fortinet\FortiClient\fcmonitor.exe
%ProgramFiles%\Fortinet\FortiClient\FctSecSvr.exe
%ProgramFiles%\Fortinet\FortiClient\fmon.exe
%ProgramFiles%\Fortinet\FortiClient\fortiae.exe
%ProgramFiles%\Fortinet\FortiClient\FortiClientConsole.exe
%ProgramFiles%\Fortinet\FortiClient\FortiClientSecurity.exe
%ProgramFiles%\Fortinet\FortiClient\FortiElevate.exe
%ProgramFiles%\Fortinet\FortiClient\FortiESNAC.exe
%ProgramFiles%\Fortinet\FortiClient\fortifws.exe
%ProgramFiles%\Fortinet\FortiClient\FortiGuardAgent.exe
%ProgramFiles%\Fortinet\FortiClient\FortiProxy.exe
%ProgramFiles%\Fortinet\FortiClient\FortiScand.exe
%ProgramFiles%\Fortinet\FortiClient\FortiSettings.exe
%ProgramFiles%\Fortinet\FortiClient\FortiSSLVPNdaemon.exe
%ProgramFiles%\Fortinet\FortiClient\FortiSSLVPNsys.exe
%ProgramFiles%\Fortinet\FortiClient\FortiTcs.exe
%ProgramFiles%\Fortinet\FortiClient\FortiTray.exe
%ProgramFiles%\Fortinet\FortiClient\FortiUSBmon.exe
%ProgramFiles%\Fortinet\FortiClient\FortiVPN.exe
%ProgramFiles%\Fortinet\FortiClient\fortivrs.exe
%ProgramFiles%\Fortinet\FortiClient\FortiWF.exe
%ProgramFiles%\Fortinet\FortiClient\FSSOMA.exe
%ProgramFiles%\Fortinet\FortiClient\scheduler.exe
%ProgramFiles%\Fortinet\FortiClient\submitv.exe
%ProgramFiles%\Fortinet\FortiClient\update_task.exe
%ProgramFiles%\Fortinet\FortiClient\vcm2.exe
%windir%\System32\drivers\fortiapd_74.sys
%windir%\System32\drivers\FortiAptFilter_74.sys
%windir%\System32\drivers\fortielam.sys
%windir%\System32\drivers\FortiFilter.sys
%windir%\System32\drivers\fortimon3_74.sys
%windir%\System32\drivers\fortips_74.sys
%windir%\System32\drivers\FortiRMA.sys
%windir%\System32\drivers\FortiShield_74.sys
%windir%\System32\drivers\fortisniff2_74.sys
%windir%\System32\drivers\fortitransctrl_74.sys
%windir%\System32\drivers\fortiwf2_74.sys
%appdata%\FortiClient
%LOCALAPPDATA%\FortiClient
C:\Program Files\Fortinet\FortiClient</description>
            <category>FortiClient</category>
            <pubDate>Sat, 20 Jun 2026 14:12:01 +0200</pubDate>
        </item>
                <item>
            <title>Forticlient IPsec VPN - How to configure</title>
            <link>https://community.fortinet.com/support-forum-92/forticlient-ipsec-vpn-how-to-configure-228426</link>
            <description>FortiGate 90G (FortiOS 7.4.12) - FortiClient IPsec VPN (7.4.3) Times Out, No UDP 500/4500 Traffic Seen
I am configuring a remote-access IPsec VPN using the FortiClient Dialup VPN Wizard on a FortiGate 90G running FortiOS 7.4.12.
Environment:
WAN Interface (x1): 184.180.43.35/28
Gateway: 184.180.43.33
Dynamic DNS/FQDN: vpn2.dhansol.com
FortiClient VPN Version: 7.4.3.4726
Testing from home Internet (external network)
VPN Configuration:
IKE Version 1
Aggressive Mode
XAuth enabled
User Group: VPN_ONSITE_USERS
Client IP Pool: 10.10.70.10 - 10.10.70.99
Split Tunnel enabled
VPN Policy created by wizard:
Source Interface: DHN-ONSITE
Destination Interface: VPN_VLAN50
Destination Subnet: 10.10.50.0/24
Phase1 Configuration:
type dynamic
interface x1
mode aggressive
mode-cfg enable
xauthtype auto
authusrgrp VPN_ONSITE_USERS
Verification Performed:
WAN connectivity verified.
FortiGate can ping Internet.
vpn2.dhansol.com resolves correctly to 184.180.43.35.
Public IP responds to ping from external network.
Tunnel object exists:
diagnose vpn tunnel list
name=DHN-ONSITE
status=up
mode=dialup
User group exists and contains the VPN users.
Problem:
FortiClient returns:
&quot;Timeout while connecting to vpn2.dhansol.com&quot;
The most interesting finding is:
diagnose sniffer packet x1 &quot;udp port 500 or udp port 4500&quot; 4 0 a
shows:
0 packets received by filter
while connection attempts are being made.
No IKE debug messages appear and:
diagnose vpn ike gateway list
returns no active gateways.
Question:
If FortiClient 7.4.3 is configured for IKEv1/Aggressive Mode with PSK and XAuth, what would cause the FortiGate to see zero UDP 500/4500 traffic during connection attempts? Are there any known FortiClient 7.4.x interoperability issues with FortiOS 7.4.12 dialup IPsec VPNs or additional settings required on FortiGate 90G?</description>
            <category>Support Forum</category>
            <pubDate>Sat, 20 Jun 2026 09:32:43 +0200</pubDate>
        </item>
                <item>
            <title>FortiZTNA user based mac binding</title>
            <link>https://community.fortinet.com/support-forum-92/fortiztna-user-based-mac-binding-228422</link>
            <description>Hello, can we do user based ztna web proxy with using local user of Fortigate local database with MAC binding, mean ztna web proxy is opened with only same user with same MAC of machine, otherwise rejected</description>
            <category>Support Forum</category>
            <pubDate>Sat, 20 Jun 2026 08:24:11 +0200</pubDate>
        </item>
                <item>
            <title>Change Captive Portal IP Interface - doesn&#039;t work - Azure SAML</title>
            <link>https://community.fortinet.com/support-forum-92/change-captive-portal-ip-interface-doesn-t-work-azure-saml-228419</link>
            <description>Hi everyone,
I&#039;m trying to change the redirect IP address of the authentication portal on a FortiGate running version 7.4.12.
I currently have a captive portal that intercepts user traffic and authenticates users via SAML with Entra ID.
The issue is that after changing the IP address under:
FGT_1 (auth-portal) # show
config firewall auth-portal
    set portal-addr &quot;10.0.0.1:1003&quot;
end
and, of course, updating the SAML configuration on both the FortiGate and Entra ID, when a user tries to log in using the new IP address (10.2.0.1), the FortiGate redirects them to: https://10.2.0.1:1003/fgtauth
However, the connection just times out, as if port 1003 isn&#039;t listening.
If I switch everything back to the original IP address, the authentication works normally again.
I inherited this firewall already configured this way, so I&#039;m not sure if there&#039;s another setting I should be checking.
Has anyone experienced this before or knows what else I should look at?
Thanks in advance!</description>
            <category>Support Forum</category>
            <pubDate>Sat, 20 Jun 2026 07:39:04 +0200</pubDate>
        </item>
                <item>
            <title>FG-200F / FortiOS 7.4.12 - packet loss / stalls only when NAT-T is enabled (remote access IPsec/IKEv2)</title>
            <link>https://community.fortinet.com/support-forum-92/fg-200f-fortios-7-4-12-packet-loss-stalls-only-when-nat-t-is-enabled-remote-access-ipsec-ikev2-228333</link>
            <description>Hi all,
I’m troubleshooting a remote access IPsec issue on a FortiGate 200F running FortiOS 7.4.12 and wanted to see if anyone else has run into something similar.
When NAT-T is enabled, remote users get noticeable packet loss / stalls over the tunnel during normal traffic — pings, file transfers, throughput tests, that kind of thing. When NAT-T is disabled, it gets a lot better.
A few things I’ve already confirmed:
the tunnel comes up fine
the issue is reproducible when NAT-T is enabled
the issue improves significantly when NAT-T is disabled
I tested with NPU offload both enabled and disabled
with offload enabled, tunnel error counters were higher on the problematic tunnel
with offload disabled, those RX errors were much lower or zero in my captures, but the user-visible stalls still weren’t fully explained by the lower-level counters
PDQ snapshots looked balanced during testing
HPE dropping stayed at 0 in the snapshots I collected
anomaly-drop output was empty
we also contacted our ISP and they ruled out any issues on their side
this is not happening with just one VPN client — we’re seeing it across multiple VPN clients, so it does not look like a single client ISP / local connection problem
At this point I’m mostly trying to figure out if anyone else has seen FG-200F / SoC4 / 7.4.12 behave badly specifically with NAT-T enabled on IPsec, where the tunnel stays up and traffic partially works, but there are intermittent stalls or packet loss under load.
I already have a TAC case open, so I’m not trying to bypass support — just curious whether anyone else has seen the same pattern, or knows of a bug / workaround related to it.
Thanks.</description>
            <category>Support Forum</category>
            <pubDate>Fri, 19 Jun 2026 20:55:11 +0200</pubDate>
        </item>
                <item>
            <title>Fortigate 40F firewall upgrade firmware 7.2.12 to 7.4.12 issue</title>
            <link>https://community.fortinet.com/support-forum-92/fortigate-40f-firewall-upgrade-firmware-7-2-12-to-7-4-12-issue-228406</link>
            <description>Fortigate 40F firewall upgrade firmware 7.2.12 to 7.4.12 then firewall goes to memory conserve mode issue how to resolve</description>
            <category>Support Forum</category>
            <pubDate>Fri, 19 Jun 2026 18:45:53 +0200</pubDate>
        </item>
                <item>
            <title>WAN1 STOPPED WORKING</title>
            <link>https://community.fortinet.com/support-forum-92/wan1-stopped-working-228284</link>
            <description>WAN1 STOPPED WORKING
- I have two FortiGate 60F setups as stack (HA1 and HA2)
- I have Juniper router
- I have a Rogers modem with 2 public IP 187.x.x.x/30 and 184.x.x.x/30
- link 1: Rogers modem port1 &amp;gt; FG60F WAN1
- link 2: Rogers modem port2 &amp;gt; Juniper router
- I also have a 2nd ISP (TELUS) for failover
- WAN1 link shows Green UP in the GUI; WAN1 led light is blinking green/yellow
Problem: WAN1 is not pulling the public ip whether in static or DHCP
TS:
- reboot the modem, connect my laptop with correct IP details used in FG60F (SM, GW and IP) = WORKING
- leave Juniper plugged in = WORKING
- turned off the modem for 10mins, removed the laptop, reconnected the FG60F = FAILED
- Juniper still working
- Replaced modem, reprovisioned and performed laptop testing again and still working.
- Tried disconnecting Juniper from Rogers modem and leave only FG60F connected = FAILED
- Internet works because of WAN2 (TELUS)
Question:
1. Why WAN1 not pulling the public IP? why there is no internet from WAN1?
2. Why my laptop works and not the FG60F?
3. Will it be a MAC address issue?
Note: before the incident, Rogers had a network update (node migration) and after that it suddenly stopped working. The fact that my laptop works with the FG60F ip assumes that there is no issue with the modem (per Rogers). Badly need help or suggestions. Thanks.</description>
            <category>Support Forum</category>
            <pubDate>Fri, 19 Jun 2026 17:39:02 +0200</pubDate>
        </item>
                <item>
            <title>Fortibleed</title>
            <link>https://community.fortinet.com/support-forum-92/fortibleed-228424</link>
            <description>Based on the news by SOC Radar I have a customer asking what should he do. In spite of the news I was not able to find any, let´s call it official, comment from Fortinet.I had the customer to open a ticket.Has anyone any experience or knowledge of this Fortibleed?Thanks </description>
            <category>Support Forum</category>
            <pubDate>Fri, 19 Jun 2026 17:36:21 +0200</pubDate>
        </item>
                <item>
            <title>How to push Fortinac persistent agent to all Windows PCs using group policy and how to make LoginDialogDisabled with 1 value to disable Windows popup credentials</title>
            <link>https://community.fortinet.com/support-forum-92/how-to-push-fortinac-persistent-agent-to-all-windows-pcs-using-group-policy-and-how-to-make-logindialogdisabled-with-1-value-to-disable-windows-popup-credentials-228379</link>
            <description>How to push Fortinac persistent agent to all Windows PCs using group policy on Fortinac 7.6 and also disable windows popup for credentials using registry keys ?</description>
            <category>Support Forum</category>
            <pubDate>Fri, 19 Jun 2026 16:22:37 +0200</pubDate>
        </item>
                <item>
            <title>No response from https://helpdesk.training.fortinet.com/support/home</title>
            <link>https://community.fortinet.com/support-forum-92/no-response-from-https-helpdesk-training-fortinet-com-support-home-160908</link>
            <description>I passed my exam 7 days ago. I made mistakes with the registered email on PearsonVUE. I now know that was the problem. I should have used my company&#039;s email when I registered.
I contacted Fortinet support to associate my FortiID but no response.
https://ftnt.freshdesk.com/support/solutions/articles/73000524133
I contacted PearsonVUE, but they asked me to contact Fortinet.
How? How can I reach Fortinet training support?
They said I can create a ticket with them on the above link. But nobody is monitoring that ticketing system.
Just wait for another 2-3 weeks? I need to provide it to my company. :(</description>
            <category>Support Forum</category>
            <pubDate>Fri, 19 Jun 2026 16:11:35 +0200</pubDate>
        </item>
                <item>
            <title>ADVPN Spoke to Spoke Not communicating</title>
            <link>https://community.fortinet.com/support-forum-92/advpn-spoke-to-spoke-not-communicating-228313</link>
            <description>Hi everyone, I am deploying Hub and Spoke ADVPN BGP over Loopback Topology in Real Environment. After Deploy full configuration follow by Fortinet Documents I can see Spoke A can talk to Hub and Spoke B can talk to Hub but when Spoke A try to Talk to Spoke B it create Shortcut Tunnel but after shortcut they cannot talk to Each other... When I check in Spoke A routes for Spoke B it showing next hop Underlay/WAN not Overlay/VPN. Same at Spoke B for Spoke A. Can anyone know that in BGP Over loopback what could be the issue that Spoke to Spoke cannot send traffic via Overlay after shortcut?
Port1 and Port2 are WAN Underlay Ports.
Spoke-A-Dent # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
Routing table for VRF=0
S* 0.0.0.0/0 [1/0] via 192.168.3.254, port1, [1/0]
[1/0] via 192.168.4.254, port2, [1/0]
C 10.0.1.64/26 is directly connected, Com-ADVPN
C 10.0.1.65/32 is directly connected, Com-ADVPN
B 172.16.254.0/24 [200/0] via 172.16.254.252 (recursive via Com-ADVPN tunnel 192.168.3.252), 00:21:13
C 172.16.254.1/32 is directly connected, BGP-LO
B 172.16.254.2/32 [200/0] via 172.16.254.2 (recursive via 192.168.3.254, port1), 00:20:07
(recursive via 192.168.4.254, port2), 00:20:07
S 172.16.254.252/32 [15/0] via Com-ADVPN tunnel 192.168.3.252, [1/0]
B 172.31.220.0/24 [200/0] via 172.16.254.2 (recursive via 192.168.3.254, port1), 00:20:07
(recursive via 192.168.4.254, port2), 00:20:07
B 172.31.247.0/24 [200/0] via 172.16.254.252 (recursive via Com-ADVPN (ADVPN )tunnel 192.168.3.252), 00:21:13
C 172.31.253.0/24 is directly connected, port3(LAN)
C 192.168.3.0/24 is directly connected, port1(WAN Internet Port)
C 192.168.4.0/24 is directly connected, port2(WAN Internet Port)</description>
            <category>Support Forum</category>
            <pubDate>Fri, 19 Jun 2026 15:15:42 +0200</pubDate>
        </item>
                <item>
            <title>What is the difference between FSSO and RSSO?</title>
            <link>https://community.fortinet.com/support-forum-92/what-is-the-difference-between-fsso-and-rsso-228415</link>
            <description>Hello everyone!I have a question: What is the difference between Fortinet Single Sign-On (FSSO) and Radius Single Sign-On (RSSO)? What are the biggest differences between them? In what situations should I use FSSO and RSSO? Can I combine both?If I want to use them for user authentication during VPN connections, which one is best?Thank you!</description>
            <category>Support Forum</category>
            <pubDate>Fri, 19 Jun 2026 14:52:27 +0200</pubDate>
        </item>
                <item>
            <title>Technical Tip: FortiGate-VMs in Microsoft Azure running on MANA (Microsoft Azure Network Adapter) enabled hosts</title>
            <link>https://community.fortinet.com/fortigate-3/technical-tip-fortigate-vms-in-microsoft-azure-running-on-mana-microsoft-azure-network-adapter-enabled-hosts-227310</link>
            <description>Description
This article describes the support for new MANA (Microsoft Azure Network Adapter) hardware for existing VM Size Families. The new hardware provides higher throughputs and lower latency, and is only supported on FortiOS v7.6.1 and later. Previous FortiOS versions 7.6.0 and below do not support the new MANA Network Interface.
Microsoft plans to roll out the MANA NIC on legacy Infrastructure (Standard_Dv5 and lower). This change will impact all FortiOS versions below 7.6.1 that are paired with MANA NIC, and will cause the network driver to switch to the default synthetic path driver (NetVsc).
The use of the network driver (NetVsc) can result in lower firewall throughput compared to the Mellanox ConnectX hardware equivalent, thus impacting the performance of FortiGate-VM deployed on Azure.
Scope
FortiGate-VM on Azure Cloud.
Solution
To prevent FortiGate VMs from being provisioned on MANA-enabled hosts, it is recommended to use the temporary opt-out mechanism (effective until May 31st 2027) by applying the appropriate tags, as outlined in the MANA support for Network Virtual Appliances (NVAs).
Note that any VMs that are stopped (deallocated), restarted, or redeployed may be reassigned to MANA-enabled hosts and therefore impacted by this change. Tagging resources appropriately can help temporarily alleviate this issue.
To take full advantage of new MANA hardware and Azure Boost performance enhancements and features, upgrade to FortiOS v7.6.1 and later, which would provide support for the new MANA network cards with higher throughput and reliability.
Related documents:
Instance Size Support
MANA support for Network Virtual Appliances (NVAs)</description>
            <category>FortiGate</category>
            <pubDate>Fri, 19 Jun 2026 10:47:27 +0200</pubDate>
        </item>
                <item>
            <title>Unable to import IPSEC Config via Intune -&gt; Failed every time</title>
            <link>https://community.fortinet.com/support-forum-92/unable-to-import-ipsec-config-via-intune-failed-every-time-228247</link>
            <description>Hi Fortinet team,
So, we are upgrading our VPN to the latest software version, and we are changing from SSL VPN to IPSEC VPN, and we are thinking to deploy it via Intune, but we have encountered failures when trying to install the package.
We follow the next steps:
Changed the encrypted Preshared Key inside the conf file for the actual Preshared key
Create Installer.ps1 with the following command: Start-Process -FilePath &quot;C:\Program Files\Fortinet\FortiClient\FCConfig.exe&quot; -ArgumentList &quot;-m vpn -f &amp;lt;&quot;$ConfigFile&quot;&amp;gt; -o import -i 1 -p &amp;lt;&quot;ConfigPassword&quot;&amp;gt; -Wait
Inside Intune we set up detection rule for the reg key: “HKEY_LOCAL_MACHINE\SOFTWARE\Fortinet\FortiClient\IPSec\Tunnels\IPSEC VPN”
The weird part is that if we try running the Installer.ps1 locally/manually it works perfectly fine and it imports the conf file without issue but if we run it via Intune, it directly says Installation Failed.
Can you please help us?</description>
            <category>Support Forum</category>
            <pubDate>Fri, 19 Jun 2026 08:58:22 +0200</pubDate>
        </item>
                <item>
            <title>Fortigate MFA</title>
            <link>https://community.fortinet.com/support-forum-92/fortigate-mfa-228399</link>
            <description>Can we use third party authenticator like google auth in Fortigate?</description>
            <category>Support Forum</category>
            <pubDate>Fri, 19 Jun 2026 07:58:37 +0200</pubDate>
        </item>
                <item>
            <title>FortiGate - Admin MFA</title>
            <link>https://community.fortinet.com/support-forum-92/fortigate-admin-mfa-228400</link>
            <description>Currently using FortiToken for MFA on our fleet of gates and been looking at switching over to SAML via Entra to take advantage of conditional access policies + our ITDR against the accounts.Looking for other experiences to see if people are currently doing this and if they are any known issues or drawbacks to this change. </description>
            <category>Support Forum</category>
            <pubDate>Fri, 19 Jun 2026 06:59:28 +0200</pubDate>
        </item>
                <item>
            <title>Manual Upload License Fail</title>
            <link>https://community.fortinet.com/support-forum-92/manual-upload-license-fail-228360</link>
            <description>I try to build a new box of model 601F. Firstly, when i tried to manual upload license, it showed upload fail. please help </description>
            <category>Support Forum</category>
            <pubDate>Fri, 19 Jun 2026 06:15:00 +0200</pubDate>
        </item>
                <item>
            <title>Cannot deploy SCEP certificate to Android via Intune</title>
            <link>https://community.fortinet.com/support-forum-92/cannot-deploy-scep-certificate-to-android-via-intune-217672</link>
            <description>Hello, for the last two weeks I have been trying to connect FCEMS (7.4.4) to Intune to deploy ztna certificate to Android devices (Samsung S25, Android 16, work profile). I have run into a brick wall of device being stuck in „MDM Deployment Status Pending“ and the Intune policy to deploy SCEP certificate having error without any further details.
I have been following this guide: Provisioning ZTNA certificates to FortiClient mobile using Intune | FortiClient 7.4.0 | Fortinet Document Library
I walked through it multiple times with the same result. Maybe I am missing something? Can someone please help, if you have such setup in working order? :)
I have configured the app with correct permissions in Intune and set up MDM integration in FCEMS.
Have user with correct licences.
In Intune app configuration policies have set up:
Go to Apps &amp;gt; App configuration policies. Create a new policy.
Add key-value pairs. The intune_device_id key is mandatory. All other keys are optional. Intune supports the following app configuration keys for FortiClient mobile. The table indicates which keys apply for Android and for iOS:
So the only config I put in was device ID like this (I am using invitation codes so I am not filling ems server or ip)
The internal certificates were uploaded to the Android Forticlient, I had no way of importing them manually, so I created new policies in Intune to import those – this was successful.
After registering the Android Forticlient I see this in FCEMS
Here it is stuck forever, because in Intune, the EMS ROOT CA and SCEP CA are deployed correctly, but SCEP CERT is not.
Clicking on the policy displays no error.
I have looked what exactly is in the policy
There is link to SCEP server URLs. When I try to open the URL from the work profile of the Android device, it works – ie. It says „failed to decode scep request: missing operation“ which should be fine because I am just opening it in browser at this point and not supplying any real request.
Page display as signed, connection is secured, certificate trusted (SCEP CA)
So from what it looks, the Intune part is OK, the profile gets deployed, the phone can connect to SCEP server in there, but then something fails after connection to *FCEMS*:4001/Default/scep
FCEMS log displays nothing about this, only that MDM profile was provisioned two days ago. Although I have enabled debug logging just about hour back, so maybe later something will appear…
Communication from phone to fcems on port 4001 is working - this is whole log of all communication from phone to fcems, there is nothing else that is blocked.
Could someone please help with this issue?
Thank you
Regards
Martin</description>
            <category>Support Forum</category>
            <pubDate>Thu, 18 Jun 2026 22:29:36 +0200</pubDate>
        </item>
                <item>
            <title>FortiManager 7.6.6 Deployment Issue on Nutanix VM – OS Not Booting</title>
            <link>https://community.fortinet.com/support-forum-92/fortimanager-7-6-6-deployment-issue-on-nutanix-vm-os-not-booting-228395</link>
            <description>Hello Team,
We are currently attempting to deploy FortiManager 7.6.6 on a Nutanix-hosted virtual machine by following the official Fortinet documentation:
https://docs.fortinet.com/document/fortimanager-private-cloud/7.6.0/nutanix-administration-guide/118677/deploying-fortimanager-on-nutanix
Deployment Details
Platform: Nutanix VM
Image Used: FortiManager 7.6.6 (KVM qcow2 image)
Reference Guide: As mentioned above
Issue Description
We have followed all the steps from the documentation and successfully deployed the VM. However, the FortiManager appliance does not boot correctly.
From our observations (see attached screenshots), it appears that:
The operating system present on the attached disk is not loading/booting properly.
The system seems stuck during the boot process or fails to initialize.
Observations
The qcow2 image used is the latest recommended version for FortiManager (7.6.6).
The deployment steps were executed as per the official guide.
No obvious configuration errors were identified during the VM creation process.
Request for Assistance
We would appreciate your guidance on the following:
Any known issues with FortiManager 7.6.6 qcow2 images on Nutanix
Additional configuration or compatibility requirements specific to Nutanix
Troubleshooting steps to resolve the boot issue
Please let us know if any additional logs or details are required.
Thank you in advance for your support.</description>
            <category>Support Forum</category>
            <pubDate>Thu, 18 Jun 2026 20:53:58 +0200</pubDate>
        </item>
                <item>
            <title>Monthly WAN Availability and Reachability Reporting with FortiAnalyzer (without SD-WAN)</title>
            <link>https://community.fortinet.com/support-forum-92/monthly-wan-availability-and-reachability-reporting-with-fortianalyzer-without-sd-wan-228378</link>
            <description>Hello everyone,
we have a customer who would like to generate a monthly report using FortiAnalyzer that includes the following information:
WAN gateway availability over the reporting period (monthly uptime/availability)
Reachability of defined WAN targets (e.g. public IP addresses or external services) from the FortiGate
Information about when WAN failover events occurred, including timestamps
A summary of all failover incidents within the reporting period
The environment does not use SD-WAN. Standard WAN interfaces and failover mechanisms are configured.
Is it possible to create such a report using FortiAnalyzer?
I don&#039;t have any knowledge of SQL, and despite extensive research, I have no idea how to implement this. If necessary, I would recommend Fortinet Professional Services to the customer.
Any guidance or best practices would be appreciated.
Thank you.
KR
Niko</description>
            <category>Support Forum</category>
            <pubDate>Thu, 18 Jun 2026 20:47:51 +0200</pubDate>
        </item>
                <item>
            <title>Technical Tip: How to check FortiManager database integrity prior to firmware upgrade</title>
            <link>https://community.fortinet.com/fortimanager-27/technical-tip-how-to-check-fortimanager-database-integrity-prior-to-firmware-upgrade-100766</link>
            <description>Description
This article describes how to check the FortiManager databases prior to a firmware upgrade. It is recommended to check the integrity of FortiManager databases before upgrading - see FortiManager firmware upgrade paths. If there are any errors found, the user can fix them before performing the upgrade.
It is also recommended to take a backup of the FortiManager configuration before executing the commands below.
Scope
FortiManager.
Solution
Check the integrity of the Policy Manager database by using the following command:
diagnose pm2 check-integrity all
Example output:
diagnose pm2 check-integrity all
--- pragma integrity_check adom db ---
--- total: 23 ok.
--- pragma integrity_check device db ---
--- total: 5 ok.
--- pragma integrity_check global db ---
--- total: 2 ok.
--- pragma integrity_check ips db ---
--- total: 5 ok.
--- pragma integrity_check task db ---
--- total: 1 ok.
--- pragma integrity_check ncmdb db ---
--- total: 26 ok.
Check the integrity of the Device Manager database by using the following command:
diagnose dvm check-integrity
Note: The diagnose dvm check-integrity command should not be used in FortiManager 7.4.8 to check the integrity of the Device Manager database. This command can corrupt the device database. See bug ID 1228166 in the FortiManager 7.4.8 release notes under Known Issues (it is resolved in 7.4.9, 7.6.5 and 8.0.0).
Example output:
diagnose dvm check-integrity
[1/11] Checking object memberships ... correct
[2/11] Checking adom nodes ... correct
[3/11] Checking device nodes ... correct
[4/11] Checking device vdoms ... correct
[5/11] Checking duplicate device vdoms ... correct
[6/11] Checking device ADOM memberships ... correct
[7/11] Checking device HA Secondary ... correct
[8/11] Checking device clusters ... correct
[9/11] Checking groups ... correct
[10/11] Checking group membership ... correct
[11/11] Checking task database ... correct
Check the integrity of ADOM configurations in the database by using the following command:
diagnose cdb check adom-integrity
Example output:
diagnose cdb check adom-integrity
General updating - adom FAZ200D ... ....100% No errors
General updating - adom FAZ200F ... .....20%..100% No errors
General updating - adom FortiCarrier ... ...100% No errors
General updating - adom FortiFirewall ... ...100% No errors
General updating - adom root ... .....50%..100% No errors
General updating - adom Global ... .....30%.100% No errors
Check the integrity of the policy packages by using the following command:
diagnose cdb check policy-packages root
(Run it on the ADOM &#039;root&#039;, as an example.)
Example output:
diagnose cdb check policy-packages root
[1/7] Checking Scope ... correct
[2/7] Checking Dynamic mappings ... correct
[3/7] Checking Policy package settings ... correct
[4/7] Checking Cross-linked objs ... correct
[5/7] Checking Object parent mismatch ... correct
[6/7] Checking Undeleted objs ... correct
[7/7] Checking Controller package status ... correct
Adom Global
[1/4] Checking Policy package settings ... correct
[2/4] Checking Cross-linked objs ... correct
[3/4] Checking Object parent mismatch ... correct
[4/4] Checking Undeleted objs ... correct
Check the integrity of the object configuration database, reference table, ADOM database, DVM database, and invalid policy package and template installation targets by using the following command:
diagnose cdb upgrade check +all
Example output:
diagnose cdb upgrade check +all
Checking: Object config database integrity
No error found.
Checking: Reference table integrity
No error found.
Checking: Repair invalid object sequence
No error found.
Checking: Reassign duplicated uuid in ADOM database
No error found.
Checking: Resync and add any missing vdoms from device database to DVM database
No error found.
Checking: Invalid policy package and template install target
No error found.
Checking: Firewall address wrong FQDN type
No error found.
Checking: Delete invalid device level mapping for normalized interface
No error found.
Checking: Delete invalid orphan entries
No error found.
Checking: drop table of user group guest
No error found.
Checking: Invalid assign status entries
No error found.
Checking: Copy section title from previous policy config
No error found.
Checking: Fix invalid created timestamp
No error found.
&amp;nbsp; Related articles: Technical Tip: Upgrading FortiManager/FortiAnalyzer Technical Tip: How to upgrade an ADOM on FortiManager</description>
            <category>FortiManager</category>
            <pubDate>Thu, 18 Jun 2026 20:32:07 +0200</pubDate>
        </item>
                <item>
            <title>VPN Phase 2 stops working after Azure FortiGate-VM Live Migration</title>
            <link>https://community.fortinet.com/support-forum-92/vpn-phase-2-stops-working-after-azure-fortigate-vm-live-migration-116370</link>
            <description>Hello,

Trying to understand what happened and how to prevent it in the future:

- Running FortiGate-VM in an Azure VM.
- This FG has a custom site-to-site IPSec tunnel to on-prem. This effectively connects the virtual data centre to the on-premises data centre. Tunnel is initiated from Azure.
- Suddenly, the tunnel no longer works. Phase 2 will not go up.
- The first sign of trouble is this:

Unavailable : Live Migration (Unplanned)
At Thursday, October 13, 2022 at 7:29:19 PM EDT, the Azure monitoring system received the following information regarding your Virtual machine:
This virtual machine was paused for 0.675000 seconds due to a memory-preserving Live Migration operation. No additional action is required from you at this time.
Recommended Steps
No action is required

- A couple of minutes after this, alerts start going off that connectivity has been lost.
- After some troubleshooting, pinging, checking routes, connectivity, rebooting, firmware upgrade, etc. it is determined that Phase 2 simply won&#039;t go up. There are timeouts and retries, but no other obvious cause. Config has not changed anywhere, everything else seems to work just fine, it&#039;s just this phase 2 that won&#039;t work.
- I decide to recreate the tunnel on the originating side, on the FG-VM. Same exact parameters as the previous one, I literally copy / paste everything.
- Voila, tunnel immediately works again.

So:

- It was not a config change issue.
- It was not an actual connectivity issue.

It appears as if that live migration of the VM broke something. My best bet is that there&#039;s some persisted entropy, encryption key, salt, or something like that, tied to the hardware or the environment. When the live migration occurred, something stopped working because the environment changed. On physical platforms, coding something that for example uses the MAC key as a &quot;salt&quot; isn&#039;t a big deal, as it would never change. But on a VM, it&#039;s a problem.

1) Am I right? Or not? Could there be some other explanation as to why a tunnel needs to be re-created? If so what might be the reasons?
2) If I am right, it&#039;s now a bug, as this should not happen! VMs can move in all sorts of ways, regardless of the hosting platform (Azure, VSphere, etc.). Can&#039;t have a tunnel completely stop working and need to be recreated when a basic virtualization operation occurs.

Any insight would be much appreciated ...

Thanks,
J.F.</description>
            <category>Support Forum</category>
            <pubDate>Thu, 18 Jun 2026 13:59:06 +0200</pubDate>
        </item>
                <item>
            <title>Fortigate Ha cluster three member direct ha question</title>
            <link>https://community.fortinet.com/support-forum-92/fortigate-ha-cluster-three-member-direct-ha-question-228359</link>
            <description>Dear Community,

I have a cluster on siteA with primary and secondary. Their HA interfaces are connected with a direct cable. There are also x1 ports in the hbdev configuration via a switch. Now I would like to add a third FortiGate to the cluster, but this one is on siteB. The x1 ports are connected via a switch on L2 between siteA and siteB, while the hb interfaces are only connected on the siteA devices (primary and secondary) with a direct cable without a switch. Because the hbdev setting is mirrored between the primary and secondary units, I think the x1 should have the higher priority in the hbdev setting. But what should I do with the direct HA config? Should I remove it? Or should it remain in the hbdev config with lower priority as a “backup between devices on siteA”? In this last case, will the new FortiGate on the remote siteB (subordinate secondary) see its hb interface as permanently dead and ignore it?

Thank you</description>
            <category>Support Forum</category>
            <pubDate>Thu, 18 Jun 2026 13:41:36 +0200</pubDate>
        </item>
                <item>
            <title>how to authenticate IP phones in FortiNAC using local database of registered hosts</title>
            <link>https://community.fortinet.com/support-forum-92/how-to-authenticate-ip-phones-in-fortinac-using-local-database-of-registered-hosts-228358</link>
            <description>I have a situation where I want to register the IP phones in my company manually. If an IP phone is not registered (I mean it is a rogue), I need to block its traffic, but not block the data traffic behind it. How can I achieve this using FortiNAC?</description>
            <category>Support Forum</category>
            <pubDate>Thu, 18 Jun 2026 13:38:45 +0200</pubDate>
        </item>
                <item>
            <title>Fnac Persistent Agent Uninstall</title>
            <link>https://community.fortinet.com/support-forum-92/fnac-persistent-agent-uninstall-228375</link>
            <description>When a device connects to the network and the Persistent Agent has been uninstalled, how can we block access? I tried to simulate this: even when the PA was uninstalled, the device can connect and the PA status shows green in the host.</description>
            <category>Support Forum</category>
            <pubDate>Thu, 18 Jun 2026 13:33:12 +0200</pubDate>
        </item>
                <item>
            <title>Persistent Agent with Wildcard SSL</title>
            <link>https://community.fortinet.com/support-forum-92/persistent-agent-with-wilcard-ssl-228272</link>
            <description>Can we use a wildcard certificate for the Persistent Agent? I have this log from the client when the Persistent Agent is using a valid wildcard certificate.

Wildcard cert!
Peername “nac.mydomain.com” matches wilcard “*.mydomain.com”
Refusing to connect to trust_DISTRUST nac.mydomain.com|*.mydomain.com
Connection failed! 1
SslStreamtransport::disconnect()
SslStreamtransport::disconnect() NOT joined rxBoostThread because this IS the receive thread
SslStreamtransport::disconnect() joined threads, free-ing the SSL State</description>
            <category>Support Forum</category>
            <pubDate>Thu, 18 Jun 2026 12:18:42 +0200</pubDate>
        </item>
                <item>
            <title>VPN Manager 7.6.7 &quot;cannot find addr&quot; &quot;load vpn node failed&quot;</title>
            <link>https://community.fortinet.com/support-forum-92/vpn-manager-7-6-7-cannot-find-addr-load-vpn-node-failed-228263</link>
            <description>Hi, I have created lots of VPN definitions in the VPN Manager and assigned them to managed FortiGates. When I try to install the policy I quickly get this error: &quot;cannot find addr xxxx&quot; &quot;load vpn node x failed&quot;. The object is there but needs to be loaded on the GW. Even trying with a policy with no VPN in the rules also fails. Any ideas?</description>
            <category>Support Forum</category>
            <pubDate>Thu, 18 Jun 2026 11:36:21 +0200</pubDate>
        </item>
                <item>
            <title>EMS Administrator SAML on 10443 gives 404 message</title>
            <link>https://community.fortinet.com/support-forum-92/ems-administrator-saml-on-10443-gives-404-message-207807</link>
            <description>When configuring a FortiClient EMS server (v.7.4.1b1872) on Linux for Administrator SAML SSO with Entra/Azure it works if I use the default SP Address (&amp;lt;FQDN&amp;gt;), but we&#039;ll be locking down port 443 from external access and I would like to use 10443 for the SAML SSO. When configured the same way adding 10443 per the small blurb of instructions (&amp;lt;FQDN&amp;gt;:10443) it returns an EMS 404 error stating &quot;The requested URL was not found on this server.&quot;

If I reconfigure that same SAML entry to just the &amp;lt;FQDN&amp;gt;, updating the appropriate fields and certificate, it works.

I have confirmed that port 10443 is open. The URL in the browser looks correct for the ACS link (https://&amp;lt;FQDN&amp;gt;:10443/saml/default/&amp;lt;UniqueKey&amp;gt;/acs). I don&#039;t see any issues offhand, and MS does report a successful log in. Attempting to log in as an unapproved user does result in the expected O365 &quot;you do not have permission to log in&quot; page. The server has been rebooted with the desired settings in place with no change.

Because of the anecdotal evidence, the issue appears to be that despite the EMS stating to use the specific ACS link with the included 10443 port, it isn&#039;t actually registering that link within itself to accept the credentials, thus a 404 error. Since it works without using the specific port, my guess would be that it does not recognize the port or potentially updating the config to include the port is breaking the config. Is there a way to view this configuration from a config file instead of through the UI?

Any insight would be appreciated.</description>
            <category>Support Forum</category>
            <pubDate>Thu, 18 Jun 2026 10:59:23 +0200</pubDate>
        </item>
                <item>
            <title>Fortigate VM Evaluation license</title>
            <link>https://community.fortinet.com/support-forum-92/fortigate-vm-evaluation-license-228370</link>
            <description>I need A support to get a fortigate VM Evaluation license for FFUMEUREFUFF9554</description>
            <category>Support Forum</category>
            <pubDate>Thu, 18 Jun 2026 10:18:09 +0200</pubDate>
        </item>
                <item>
            <title>Customer Service Tip: License file missing for FortiEDR On-Prem device</title>
            <link>https://community.fortinet.com/customer-service-42/customer-service-tip-license-file-missing-for-fortiedr-on-prem-device-228371</link>
            <description>Description: This article describes how to obtain the license file for a FortiEDR On-Prem device when the license file is not available under the License &amp;amp; Key section in the Fortinet Support Portal.

Scope: FortiCloud Portal, FortiEDR On-Prem.

Solution: Users may notice that the License &amp;amp; Key section in FortiCloud Support Portal does not display the license file for their FortiEDR On-Prem instance.

This behavior is expected, as the license file download option for all FortiEDR On-Prem deployments has been removed from the FortiCloud Portal.

To obtain the FortiEDR On-Prem license file, follow these steps:
- Log in to the Fortinet Support Portal.
- Navigate to: Services -&amp;gt; Cloud Services -&amp;gt; FortiEDR.
- Ensure the product registration has been completed successfully.
- Once registration is complete, the license blob will be available for download on the same page.
- Download the license blob from Cloud Portal.

Loading the License:
- In the FortiEDR On-Prem console, select Load New License.
- The LOAD NEW LICENSE window will open.
- Copy the license string from: Support Portal → Services → Cloud Services → FortiEDR.
- Paste the license string into the LOAD NEW LICENSE window.
- Select Load License to complete the process.</description>
            <category>Customer Service</category>
            <pubDate>Thu, 18 Jun 2026 10:06:42 +0200</pubDate>
        </item>
                <item>
            <title>Troubleshooting Tip: ClickHouse storage configured in GUI but not reflected in backend</title>
            <link>https://community.fortinet.com/fortisiem-34/troubleshooting-tip-clickhouse-storage-configured-in-gui-but-not-reflected-in-backend-228365</link>
            <description>Description

This article describes how to resolve an issue where ClickHouse storage configured for a Supervisor or Worker node in the FortiSIEM GUI does not appear correctly in the backend. This may result in missing mount points, uninitialized storage paths, or ClickHouse services failing to start.

Scope

FortiSIEM Supervisor and Worker nodes using ClickHouse storage.

Solution

The inconsistency can be fixed by manually configuring the storage and ClickHouse services on the affected node by performing the following steps:

Note: Replace &#039;X&#039; in the disk name &#039;/dev/sdX&#039; in steps 1, 3, and 4 before following the steps.

1. Wipe existing filesystem signatures:
wipefs -a /dev/sdX

2. Create the mount directory:
mkdir /data-clickhouse-hot-1

3. Format the disk as XFS:
mkfs.xfs /dev/sdX

4. Add the disk to /etc/fstab:
echo &quot;UUID=$(blkid /dev/sdX | awk -F&#039;&quot;&#039; &#039;{print $2}&#039;) /data-clickhouse-hot-1 xfs defaults 0 0&quot; &amp;gt;&amp;gt; /etc/fstab

5. Mount the filesystem and reload systemd:
mount -a
systemctl daemon-reload
df -h

6. Create ClickHouse directory structure:
mkdir /data-clickhouse-hot-1/clickhouse

7. Set ownership for ClickHouse:
chown -R clickhouse.clickhouse /data-clickhouse-hot-1/

8. Restart the ClickHouse server:
systemctl restart clickhouse-server

9. Verify ClickHouse directory initialization:
ls -ltrh /data-clickhouse-hot-1/clickhouse/

10. Restart and enable monitoring services:
systemctl restart phClickHouseMonitor
systemctl enable phClickHouseMonitor
systemctl enable clickhouse-server

11. Validate ClickHouse databases:
clickhouse-client -q &quot;select * from system.databases&quot;

12. Enable ClickHouse in the FortiSIEM configuration file.

Edit the FortiSIEM configuration file:
vi /opt/phoenix/config/phoenix_config.txt

Locate the following block:
[BEGIN ClickHouse]

Under this block, change the ClickHouse enable flag:
enable=false
To:
enable=true

13. Check service status:
phstatus</description>
            <category>FortiSIEM</category>
            <pubDate>Thu, 18 Jun 2026 07:23:40 +0200</pubDate>
        </item>
                <item>
            <title>Technical Tip: FortiClient VPN Android fails to establish a VPN connection with IKEv2 and SAML with MFA enabled</title>
            <link>https://community.fortinet.com/fortigate-3/technical-tip-forticlient-vpn-android-fails-to-establish-a-vpn-connection-with-ikev2-and-saml-with-mfa-enabled-226672</link>
            <description>Description

This article describes the issue of FortiClient VPN Android failing to establish a VPN connection with IKEv2 and SAML authentication when Multifactor authentication (MFA) is enabled.

Scope

FortiGate, FortiClient Android.

Solution

When using FortiClient on Android with SAML authentication and Multifactor authentication (MFA) enabled, the application may unexpectedly close or dismiss the authentication screen when the user switches between FortiClient and the MFA application. As a result, the active authentication session is lost, and the user is unable to complete the login process after returning to FortiClient.

This issue is specific to SAML authentication when Multifactor authentication (MFA) is involved. If SAML authentication is used without MFA (for example, IPsec VPN with SAML only on Android), this behavior does not occur, and authentication completes successfully.

Additionally, the FortiClient app may close immediately when minimized or when switching quickly between applications. This behavior further complicates completing multi-factor authentication on Android devices.

This issue is related to the FortiClient Android application and is currently under investigation by the FortiClient engineering team.

Workarounds:
- Enable Android split-screen (multi-window) mode to keep FortiClient active while completing MFA, or:
- Avoid using Multifactor authentication (MFA), if feasible, until the issue is resolved.

Related document: Getting started</description>
            <category>FortiGate</category>
            <pubDate>Thu, 18 Jun 2026 06:49:25 +0200</pubDate>
        </item>
                <item>
            <title>New Fortigate 70G setup question</title>
            <link>https://community.fortinet.com/support-forum-92/new-fortigate-70g-setup-question-228349</link>
            <description>We just purchased a FortiGate 70G firewall, and I am having some issues getting it connected to our existing network. For context, the existing network consists of 3 Cisco switches with multiple VLANs set up. I have configured a trunk port on the Cisco switch and connected the FortiGate to it. The issue I am having is getting the interface on the FortiGate to talk to my network. What I want to have is 1 port act as the Mgmt port, accessible by admin workstations, that is on the &quot;mgmt vlan&quot;, then have the various VLANs added so I can give them internet access. What is the best way to go about this? Should I set up sub VLAN interfaces on 1 physical port, or set up a VLAN switch? This is my first FortiGate so I am not familiar with it yet. Thanks.</description>
            <category>Support Forum</category>
            <pubDate>Thu, 18 Jun 2026 06:35:49 +0200</pubDate>
        </item>
                <item>
            <title>HA out of Sync v7.6.6</title>
            <link>https://community.fortinet.com/support-forum-92/ha-out-of-sync-v7-6-6-228340</link>
            <description>Hi all,

Yesterday I noticed that my FortiGate HA cluster went into an out-of-sync state.

I tried recalculating the HA checksums on both nodes and also rebooted the secondary unit, but the cluster is still showing out of sync.

Has anyone experienced this before? Is this a known bug in FortiOS 7.6.6, or is there another troubleshooting step I might be missing?

FortiOS Version: 7.6.6 Build 3653

Any advice would be appreciated. Thanks!</description>
            <category>Support Forum</category>
            <pubDate>Thu, 18 Jun 2026 06:34:47 +0200</pubDate>
        </item>
                <item>
            <title>Rule to allow HTTP/HTTPS traffic to a specific domain is allowing all HTTP/HTTPS traffic.</title>
            <link>https://community.fortinet.com/support-forum-92/rule-to-allow-http-https-traffic-to-a-specific-domain-is-allowing-all-http-https-traffic-228287</link>
            <description>I’m trying to create a rule to allow traffic to a specific public domain or list of domains, from my internal users. Traffic that doesn’t match the “whitelisted” destination domain(s) should flow down through the existing rules. The following seems to be allowing all HTTP/HTTPS traffic, not just the traffic to the target domain. The Fortigate is running 7.2.13.

If I enable the rule below, I see traffic in the log matching this rule, that is destined to all kinds of other domains. I don’t want to affect traffic to any other domains, and want traffic not destined to the “whitelisted” domains to just flow down through the other existing firewall rules.

I’ve tried using a “simple” URLfilter (as below) as well as a wildcard filter, but no matter what I’ve tried the rule seems to be matching way more traffic than I intend.

config webfilter urlfilter
............
    edit 6
        set name &quot;Auto-webfilter-urlfilter_f7yxvxpub&quot;
        config entries
            edit 1
                set url &quot;canva.com&quot;
                set action allow
            next
        end
    next
end
config webfilter profile
............
    edit &quot;Whitelist-Domains&quot;
        set options block-invalid-url
        config web
            set urlfilter-table 6
            set blocklist enable
        end
        config ftgd-wf
        end
    next
end
config firewall policy
    edit 143
        set status disable
        set name &quot;Allow-Whitelist-Domains-LAN&quot;
        set srcintf &quot;LAN_ZONE&quot;
        set dstintf &quot;INTERNET_ZONE&quot;
        set action accept
        set srcaddr &quot;all&quot;
        set dstaddr &quot;all&quot;
        set schedule &quot;always&quot;
        set service &quot;HTTP&quot; &quot;HTTPS&quot;
        set utm-status enable
        set av-profile &quot;default&quot;
        set webfilter-profile &quot;Whitelist-Domains&quot;
        set logtraffic all
        set nat enable
    next
end</description>
            <category>Support Forum</category>
            <pubDate>Thu, 18 Jun 2026 02:56:08 +0200</pubDate>
        </item>
                <item>
            <title>ipv4 Policy not working</title>
            <link>https://community.fortinet.com/support-forum-92/ipv4-policy-not-working-228334</link>
            <description>Apologies for what I hope my struggles are merely from being a novice user of Fortigate products. I am now managing my first Fortigate 60E and trying to get port forwarding to work for a specific source. Actually, I do have port forwarding working for a specific source, but only one source. When I try to add any other source to a rule or even a separate rule for the source in question, it doesn’t work. I can’t remember if the source IP address that works was setup in some special way in the past, I am unable to find differences. So, I use the CLI to debug and really do not understand why the differences.

First of all, here are the rules, both WebTent and WebTent DC are single IP addresses. As you can see, I am forwarding port 5022 to an internal IP port 22, this works from WebTent, but not WebTent-DC.

So, for the debug, I see this for traffic when coming from WebTent and it works…

FGT60ETK18001521 # diagnose debug flow filter saddr &amp;lt; my WebTent IP address &amp;gt;
FGT60ETK18001521 # diagnose debug flow trace start 100
FGT60ETK18001521 # diagnose debug enable
FGT60ETK18001521 # id=20085 trace_id=267 func=print_pkt_detail line=4903 msg=&quot;vd-root received a packet(proto=6, &amp;lt; my WebTent IP address &amp;gt;:3285-&amp;gt;&amp;lt; wan address &amp;gt;:5022) from wan2. flag , seq 203916275, ack 0, win 65535&quot;
id=20085 trace_id=267 func=init_ip_session_common line=5047 msg=&quot;allocate a new session-079fa6dc&quot;
id=20085 trace_id=267 func=fw_pre_route_handler line=182 msg=&quot;VIP-192.168.1.50:22, outdev-wan2&quot;
id=20085 trace_id=267 func=__ip_session_run_tuple line=2894 msg=&quot;DNAT &amp;lt; wan address &amp;gt;:5022-&amp;gt;192.168.1.50:22&quot;

Now, from WebTent-DC…

FGT60ETK18001521 # diagnose debug flow filter saddr &amp;lt; my WebTent-DC IP address &amp;gt;
FGT60ETK18001521 # diagnose debug flow trace start 100
FGT60ETK18001521 # diagnose debug enable
FGT60ETK18001521 # id=20085 trace_id=269 func=print_pkt_detail line=4903 msg=&quot;vd-root received a packet(proto=6, &amp;lt; my WebTent-DC IP address &amp;gt;:35125-&amp;gt;&amp;lt; wan address &amp;gt;:5022) from wan2. flag , seq 3558509990, ack 0, win 65535&quot;
id=20085 trace_id=269 func=init_ip_session_common line=5047 msg=&quot;allocate a new session-079fae18&quot;
id=20085 trace_id=269 func=vf_ip_route_input_common line=2583 msg=&quot;find a route: flag=80000000 gw-&amp;lt; wan address &amp;gt; via root&quot;
id=20085 trace_id=269 func=fw_local_in_handler line=391 msg=&quot;iprope_in_check() check failed on policy 0, drop&quot;

Could someone help me see what I must be missing that doesn’t allow WebTent-DC to connect? I am not aware of any “apply” button and understand the Fortigate should save the configuration automatically.</description>
            <category>Support Forum</category>
            <pubDate>Thu, 18 Jun 2026 01:16:33 +0200</pubDate>
        </item>
                <item>
            <title>Best Strategy for Upgrading a Mixed FortiGate Environment (40F, 60E, and 70F) – Looking for Community Experience</title>
            <link>https://community.fortinet.com/support-forum-92/best-strategy-for-upgrading-a-mixed-fortigate-environment-40f-60e-and-70f-looking-for-community-experience-228354</link>
            <description>Hello everyone,

I&#039;m planning a maintenance window to upgrade the FortiGate firewalls in our environment, and I&#039;d like to hear from those who have gone through a similar scenario.

I&#039;ve already completed an inventory of all devices, reviewed the Fortinet recommended firmware versions, and validated every upgrade path using the Fortinet Upgrade Path Tool. At this point, my questions are more about strategy than technical execution.

Our current environment is as follows:

Hostname | Model | Current Firmware | Target Firmware
FGT-HQ   | 70F   | 7.4.3            | 7.4.12
FGT-BR01 | 60E   | 7.4.3            | 7.4.12
FGT-BR02 | 60E   | 7.4.7            | 7.4.12
FGT-BR03 | 40F   | 7.4.11           | 7.4.12
FGT-BR04 | 40F   | 7.6.1            | 7.6.7
FGT-BR05 | 40F   | 7.6.6            | 7.6.7
FGT-BR06 | 40F   | 7.2.11           | 7.2.13 (or migrate to a newer branch)

Additional information:
- Production environment.
- We use IPsec Site-to-Site VPNs, SD-WAN, security policies, NAT, VIPs, and SSL VPN.
- A full configuration backup will be taken before every upgrade.
- All firmware upgrades will strictly follow the paths recommended by the Fortinet Upgrade Path Tool, including every intermediate version.
- Each upgrade step will be fully validated before proceeding to the next one.

One important point is that our FortiGate 60E units will be replaced by FortiGate 40G appliances in the coming months. Because of that, I&#039;m trying to determine the best long-term strategy.

In your opinion, which approach would make the most sense?
- Upgrade each device only to the latest Mature release within its current branch (7.4.12 and 7.6.7) and keep it there until the hardware replacement.
- Take this opportunity to migrate the entire environment to the 7.6 branch for better standardization.
- Keep the 60E units on the 7.4 branch until they are replaced by the 40G models, while maintaining the newer 40F units on the 7.6 branch.

I&#039;d also appreciate your thoughts on the following:
- Have you experienced any significant issues running FortiOS 7.6.7 in production?
- Do you still consider FortiOS 7.4.12 a solid choice for enterprise environments?
- If you were in my situation, would you migrate the 60E units to a newer branch, or simply keep them on a stable release until they are replaced?
- Are there any lessons learned or best practices you would recommend before starting this upgrade project?

Any real-world experience or recommendations would be greatly appreciated.

Thank you in advance!</description>
            <category>Support Forum</category>
            <pubDate>Wed, 17 Jun 2026 21:19:05 +0200</pubDate>
        </item>
                <item>
            <title>How do you transfer a call to someone&#039;s voicemail?</title>
            <link>https://community.fortinet.com/support-forum-92/how-do-you-transfer-a-call-to-someone-s-voicemail-227962</link>
            <description>How do you transfer a call to someone’s voicemail? In this case, a secretary has her boss’ extension programmed as a soft key on her phone so she can answer it. A call comes in on her boss’ line, she answers, and would like to transfer it to her boss’ voicemail. Nothing I’ve found online seems to work (I’ve read dial *9 + extension, dial **9 + extension - neither work)…. Any suggestions?</description>
            <category>Support Forum</category>
            <pubDate>Wed, 17 Jun 2026 21:14:44 +0200</pubDate>
        </item>
                <item>
            <title>The collector upload buffer and memory usage are continuously increasing.</title>
            <link>https://community.fortinet.com/fortisiem-216/the-collector-upload-buffer-and-memory-usage-are-continuously-increasing-225391</link>
            <description>Hi everyone,

I’m currently facing an issue where my collector’s upload buffer and memory usage are continuously increasing.

After some research, I found a potential fix related to PH_PARSER_FILE_STAT_FAILURE on a forum. However, when I attempted to execute the recommended commands (such as chmod and chown), I encountered &quot;Permission Denied&quot; and &quot;Invalid User&quot; errors, which prevented the fix from being applied.

Has anyone encountered this specific behavior before? Specifically:
- How do you properly resolve the PH_PARSER_FILE_STAT_FAILURE when the parser is under heavy load?
- What are the correct permission/ownership settings for the /opt/phoenix/cache/parser/ directory to avoid these errors?

Any assistance or guidance would be greatly appreciated. Thank you!

Troubleshooting Tip: How to troubleshoot collector... - Fortinet Community</description>
            <category>FortiSIEM</category>
            <pubDate>Wed, 17 Jun 2026 19:29:45 +0200</pubDate>
        </item>
                <item>
            <title>FortiGate GUI keeps logging out on VM trial setup</title>
            <link>https://community.fortinet.com/support-forum-92/fortigate-gui-keeps-logging-out-on-vm-trial-setup-228339</link>
            <description>Hello, We are testing a FortiGate-VM trial setup, but the GUI still logs out immediately after login. We have already verified the following: GUI certificate is set correctly. Admin idle timeout has been increased. https is enabled on the management interface. NTP time sync is correct. httpsd process is running normally. We also tested: different browser, incognito mode, cleared cache and cookies, login from the correct trusted host / source IP. Even after all of the above, the GUI still kicks us out after login, while SSH access remains stable. Has anyone seen this behavior on FortiGate-VM trial or evaluation mode? Is there any other VM-specific GUI setting or known issue we should check? Thank you.</description>
            <category>Support Forum</category>
            <pubDate>Wed, 17 Jun 2026 14:22:26 +0200</pubDate>
        </item>
                <item>
            <title>Fortigate 7.6.7 Default Username and password</title>
            <link>https://community.fortinet.com/support-forum-92/fortigate-7-6-7-default-usernamer-and-password-228336</link>
            <description>Hi, I just downloaded the fortigateOS 7.6.7 into my GNS3, but in the CLI, when I try Username: admin, Password: blank, it fails to authenticate. Does anyone have any idea?</description>
            <category>Support Forum</category>
            <pubDate>Wed, 17 Jun 2026 13:01:16 +0200</pubDate>
        </item>
                <item>
            <title>Certificate Chain not reflecting on admin GUI</title>
            <link>https://community.fortinet.com/support-forum-92/certificate-chain-not-reflecting-on-admin-gui-228283</link>
            <description>I have a Sectigo certificate which I am trying to attach to the admin GUI on port 443. I am not using any SSL VPN on the FortiGates. I built the file as leaf + intermediate + root and uploaded it under local → certificates. Additionally, I also uploaded the intermediate separately under CA - Remote Certs, but still, when I try to check the cert validity via openssl or SSL Labs, it says that the chain is missing and the chain is not reflecting at all. I even tried attaching the certificate as a pfx but still the same issue. Any help is appreciated in resolving this. Thanks</description>
            <category>Support Forum</category>
            <pubDate>Wed, 17 Jun 2026 12:55:57 +0200</pubDate>
        </item>
                <item>
            <title>Troubleshooting Tip: Excessive memory consumption by httpsd daemon triggers memory conserve mode on FortiGate</title>
            <link>https://community.fortinet.com/fortigate-3/troubleshooting-tip-excessive-memory-consumption-by-httpsd-daemon-triggers-memory-conserve-mode-on-fortigate-224115</link>
            <description>Description
This article describes an issue where the httpsd process consumes excessive memory, causing the FortiGate to enter memory conserve mode.

Scope
FortiGate v7.4.9, v7.4.10, v7.4.11.

Solution
FortiGate devices running FortiOS v7.4.9, v7.4.10 and v7.4.11 may enter memory conserve mode due to high memory utilization caused by the httpsd process (approximately 50–70% memory usage).
In some cases, this condition may result in partial configuration loss, particularly affecting locally installed certificates. At the time of the issue, CPU utilization of the httpsd daemon may also spike to 80–100%, as shown in the sample output below:

diagnose sys top 2 50
httpsd 2617 R 82.1 11.2 2
httpsd 2617 S 81.0 14.1 0
httpsd 2617 R 82.0 16.8 10
httpsd 2617 R 86.1 19.7 2
httpsd 2617 R 81.0 22.4 0
httpsd 2617 R 85.0 25.3 2
httpsd 2617 S 84.1 28.1 6
httpsd 2617 R 79.0 30.7 2
httpsd 2617 R 86.0 33.6 2
httpsd 2617 R 82.1 36.3 2
httpsd 2617 R 81.0 39.0 2
httpsd 2617 R 85.0 41.9 7
httpsd 2617 R 82.1 44.6 7
httpsd 2617 R 78.0 47.3 6
httpsd 2617 R 84.0 50.0 6
httpsd 2617 R 98.0 51.1 6
httpsd 2617 R 99.9 51.8 6
httpsd 2617 R 99.9 52.6 6
httpsd 2617 R 99.9 52.6 6
httpsd 2617 R 99.0 52.6 6
httpsd 2617 S 76.0 52.6 2

In environments where the FortiGate HA cluster manages a large number of downstream devices (for example, 20+ FortiSwitches and FortiAPs), the issue may be triggered when navigating to: Security Fabric -&gt; Logical/Physical Topology. Within 5-10 seconds of accessing this menu, the httpsd process may consume approximately 60% of system memory, triggering:
Memory conserve mode.
Temporary traffic interruption and session drops.

Notably, the httpsd daemon may consume high memory even when administrative HTTPS access and Device identification across the unit are disabled.
This issue is currently under investigation by the development team. The article will be updated with the latest information once a fix is available.

Workaround: Configure a Python script to terminate the httpsd daemon whenever the httpsd daemon appears in the output of &#039;diagnose sys top-mem&#039;. A local workaround consists of creating an automation script in the FortiGate:

config system auto-script
    edit &quot;restart_https&quot;
        set interval 28800    &lt;----- Interval of time in seconds to execute the task, for example, every 8 hours.
        set repeat 0    &lt;----- Number of repeats; 0 means always. The default is 1.
        set start auto    &lt;---- If set to auto, the system starts the process automatically; manual is the default, where it is necessary to start the process.
        set script &quot;fnsysctl killall httpsd&quot;
    next
end</description>
            <category>FortiGate</category>
            <pubDate>Wed, 17 Jun 2026 12:27:47 +0200</pubDate>
        </item>
                <item>
            <title>Troubleshooting Tip: FortiGate 70G with newer BIOS version fails to boot after downgrade to FortiOS v7.2</title>
            <link>https://community.fortinet.com/fortigate-3/troubleshooting-tip-fortigate-70g-with-newer-bios-version-fails-to-boot-after-downgrade-to-fortios-v7-2-225906</link>
            <description>Description
This article describes an issue where FortiGate 70G devices with BIOS version 0600020x may hang at the &#039;Initializing firewall…&#039; stage after installing FortiOS 7.2.x firmware.

Scope
FortiGate 70G with BIOS version 0600020X, FortiOS v7.2.

Solution
After installing FortiOS v7.2 on a FortiGate 70G running BIOS 0600020X, the device consistently stops at the &#039;Initializing firewall…&#039; stage during boot and does not proceed any further. When the same FortiOS releases are used with an older BIOS (0600010X), the FortiGate 70G boots normally with no hang observed.

To check the BIOS version:

get system status | grep BIOS
BIOS version: 06000202 &lt;----- Affected BIOS version.

Example console log from TFTP install on an affected unit:

Image Received.
Checking image... OK
This firmware image is certified.
Save as Default firmware/Backup firmware/Run image without saving:[D/B/R]?D
Programming the boot device now... OK
Verifying... OK
Booting OS...
Initializing firewall...

After the &#039;Initializing firewall…&#039; message appears on an affected system, there is no further console output, the device does not complete the startup sequence, and it does not become reachable.

The issue is not triggered by any particular upgrade method. It occurs both after device format and loading an affected version, or after downgrade from an unaffected version to an affected version.

This behavior has only been observed on FortiGate 70G devices running FortiOS v7.2 together with a 0600020X BIOS version. It has not been reported on devices running v7.4 firmware, or devices with an older 0600010X BIOS version. This issue is under investigation and there is currently no reported workaround.</description>
            <category>FortiGate</category>
            <pubDate>Wed, 17 Jun 2026 12:00:39 +0200</pubDate>
        </item>
                <item>
            <title>Technical Tip: Identify the User entry taken into consideration by the FortiNAC access policy engine when evaluating a host</title>
            <link>https://community.fortinet.com/fortinac-f-57/technical-tip-identify-the-user-entry-taken-into-consideration-by-the-fortinac-access-policy-engine-when-evaluating-a-host-228348</link>
            <description>Description
This article describes how the FortiNAC policy engine selects the user to be evaluated when the host has a different combination of &#039;Logged on User&#039; and &#039;Registered To&#039; attributes.

Scope
FortiNAC-F.

Solution
When FortiNAC registers the host to the user for the first time, it creates a User to Host relationship by populating the &quot;Registered To&quot; field with the user. This entry does not change anymore until the host is manually deleted or is aged out based on the Aging settings.
The &#039;Logged On User&#039; is used for tracking the current working user. This is a dynamic entry that changes based on user activity.
In the first example below, the host was first registered to &#039;UserSales&#039;. This user logs out of their computer, and the &#039;Logged On User&#039; entry is cleared. The FortiNAC policy engine will still take into consideration the &#039;UserSales&#039; when evaluating the current policy to be applied to the host.
If both the &#039;Registered To&#039; and &#039;Logged on User&#039; fields are empty, FortiNAC will not use any user attributes in policy evaluation.
In the second example, a new user, &#039;UserFinance&#039;, logs in to the same Host PCX. FortiNAC populates the &#039;Logged on User&#039; with the UserFinance, which is the current working user active on the host. The policy matching engine will use the attributes of &quot;UserFinance&quot; when looking for a matching policy. The user &#039;UserSales&#039; is not taken into consideration.
It is recommended to base the access control on the User Identity. That should be used as the primary element when creating policies and defining matching criteria. After that, include Host and adapter attributes in order to create a unique and granular matching profile.
In case only Host or Adapter unique attributes are used, a new user can gain a network access level that should not be allowed or does not comply with the least privilege principle.

Related article: Technical Tip: FortiNAC v7.6 LDAP group membership based on &#039;User&#039; or &#039;Device&#039; type Registration</description>
            <category>FortiNAC-F</category>
            <pubDate>Wed, 17 Jun 2026 11:54:55 +0200</pubDate>
        </item>
            </channel>
</rss>
