MigenaM
Staff
February 11, 2026

Technical Tip: FortiAnalyzer rejects the FGFM/OFTP connection attempts with error 'No legal SN found in cert and legacy auth mode disabled/LOGIN_REQUEST_LEGACY error: invalid device id'

Description

This article describes how to resolve a communication issue between FortiGate and FortiAnalyzer with the error 'No legal SN found in cert and legacy auth mode disabled/LOGIN_REQUEST_LEGACY error: invalid device id'.

Scope

FortiAnalyzer, FortiGate VM.

Solution

After an upgrade to the v7.4 firmware branch on FortiGate (v7.4.9) and FortiAnalyzer (v7.4.8), the connection between the devices may be lost.

If the FortiGate is removed from the FortiAnalyzer at this point, it might no longer be possible to re-add the device, and the error 'No devices are available for approval.' is shown.

On FortiGate, when trying to set up the connection again, the connection status may show as 'Unauthorized'.

When testing connectivity from the FortiGate-VM CLI, the following error is shown:

 

FGT-VM# execute log fortianalyzer test-connectivity
Testing connectivity to fortianalyzer ...
Failed to get FAZ's status. oftp_connect(global-faz) failed: oftp failed to authenticate.

 

Steps to troubleshoot connectivity issues between FortiGate and FortiAnalyzer may be found in this article:

Troubleshooting Tip: FortiGate to FortiAnalyzer connectivity.

 

However, the following error may be encountered on FortiAnalyzer when trying to re-establish the connection:

 

Error No legal SN found in cert and legacy auth mode disabled
LOGIN_REQUEST_LEGACY error: invalid device id

 

FortiAnalyzer rejects the FGFM/OFTP connection attempts from FortiGate.

 

The error indicates that the FortiGate VM’s client certificate does not contain a 'legal' serial number, and the FortiAnalyzer refuses the device because legacy authentication mode is disabled.

To resolve the issue, apply the following setting in the FortiAnalyzer CLI to enable legacy authentication mode:

 

config system log settings
    set legacy-auth-mode enable
end

 

After enabling this setting, the FortiGate VM should be accepted and show as properly registered in FortiAnalyzer.

 

The 'legacy-auth-mode' setting was introduced in FortiAnalyzer v7.2.10 GA, FortiAnalyzer v7.4.7 GA and FortiAnalyzer v7.6.3 GA. More information can be found in the following article: Technical Tip: Additional information about the 'legacy-auth-mode' setting and certificate on OFTP connection checking on FortiAnalyzer.

 

Related articles:

Technical Tip: FortiAnalyzer in Disconnected status

Troubleshooting Tip: Debugging OFTP connection