achacon
Staff
March 9, 2026

Troubleshooting Tip: FortiGate AWS PAYG (On-Demand) VM registration process fails

Description

This article explains how to resolve registration issues for AWS-based FortiGate-VMs in the FortiCare Asset Portal.

Scope

FortiOS, AWS.
Solution

On AWS, there are two types of license models available for FortiGate-VMs:

  • Bring Your Own License (BYOL).
  • On-Demand (PAYG).

The AWS Administration Guide shows how to register the FortiGate-VM with FortiCloud via the Asset Management Portal. However, on some occasions this process might fail at step 7: instead of requesting the AWS account ID to finish the process, the Asset Portal will show the following:

 

failedregistration.png

 

Although the message indicates that the registration process has completed, when returning to the asset list the FortiGate VM serial number cannot be found.

This issue may occur if the FortiGate-VM was unable to connect to FortiCare during the boot process to update its serial number. In such cases, the following error may be observed on the FortiGate console:

 

Error 1:

 

FortiGate-VM64-AWS login: AWS instance ID: i-11111111111

Requesting FortiCare license: FGTAWSXXXXXXXXXX

Curl FortiCare failed, 28

  

Error 2:

 

System is starting...

Serial number is FGTAWSXXXXXXXXXX

FortiGate-VM64-AWS login: AWS instance ID: i-0a6755931b1XXXXXXX

Requesting FortiCare license: FGTAWSXXXXXXXXXXXX

DNS resolve error

In Error 1, the FortiGate was unable to connect to FortiCare successfully via HTTPS. In Error 2, the FortiGate experienced a DNS resolution issue, which prevented proper connectivity to FortiCare as well.

 
Additionally, the built-in Fortinet_Factory certificate does not include a FortiGate serial number in the Common Name/Subject field. To verify this, run the following commands:

 

FortiGate-VM64-AWS (interim)# config vpn certificate local

FortiGate-VM64-AWS (local) (interim)# get Fortinet_Factory

Name                : Fortinet_Factory

Password            : *

Private-key         : *

Certificate         :

        Subject: C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = FortiGate, CN = FortiGate, emailAddress = support@fortinet.com

        Issuer: C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = Certificate Authority, CN = fortinet-subca2001, emailAddress = support@fortinet.com

        Valid from: 2016-11-30 19:58:17 GMT

        Valid to: 2056-11-20 19:58:17 GMT

[...]

 

To force FortiGate to re-attempt the FortiCare registration, run the following CLI command (which will also prompt the FortiGate to reboot):

execute vm-license <FGTAWSXXXXXXXXXXXX> <----- Replace with the relevant FortiGate-VM serial number.


This command will force the VM to restart since FortiCare registration occurs when the VM is booting up.

 

Monitor the console of the FortiGate VM to ensure there are no errors during the bootup. Once FortiGate is up again, check that the Fortinet_Factory certificate has the S/N in the CN field, and then proceed with the registration process as described in the AWS Administration Guide referenced at the beginning of this article.
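The two checks described above (boot console errors and the Fortinet_Factory Subject CN) can be scripted against saved console and CLI output. The following is an added example, not part of the original article or Fortinet tooling; the function names, the sample text and the assumption that a PAYG serial starts with "FGTAWS" (taken from the masked serials shown above) are illustrative.

```python
import re

# Boot-console messages the article lists for a failed FortiCare registration.
BOOT_ERRORS = (
    (re.compile(r"Curl FortiCare failed, \d+"), "https"),
    (re.compile(r"DNS resolve error"), "dns"),
)
# Assumption: PAYG serials begin with "FGTAWS", as in the article's masked values.
SERIAL_RE = re.compile(r"FGTAWS[0-9A-Z]+")
MARKER = "Requesting FortiCare license:"


def classify_boot(console_text):
    """Return 'https', 'dns' or None for the most recent registration attempt."""
    if MARKER not in console_text:
        return None
    # Inspect only the text after the last request, so an older failed boot
    # in the same capture does not mask a later clean one.
    tail = console_text.rsplit(MARKER, 1)[1]
    for pattern, kind in BOOT_ERRORS:
        if pattern.search(tail):
            return kind
    return None


def subject_cn(cert_output):
    """Return the CN of the Subject line (not the Issuer line), or None."""
    for line in cert_output.splitlines():
        line = line.strip()
        if line.startswith("Subject:"):
            for field in line[len("Subject:"):].split(","):
                key, _, value = field.partition("=")
                if key.strip() == "CN":
                    return value.strip()
    return None


def triage(console_text, cert_output):
    """Summarise both checks; 'serial_in_cn' is True only if the CN is a serial."""
    cn = subject_cn(cert_output)
    return {"boot_error": classify_boot(console_text), "cn": cn,
            "serial_in_cn": bool(cn and SERIAL_RE.fullmatch(cn))}


# Constructed samples modelled on the article's output (serial is a placeholder).
CONSOLE = ("Requesting FortiCare license: FGTAWS0000000000\n"
           "DNS resolve error\n")
CERT = ("Subject: C = US, O = Fortinet, OU = FortiGate, CN = FortiGate\n"
        "Issuer: C = US, O = Fortinet, CN = fortinet-subca2001\n")

if __name__ == "__main__":
    print(triage(CONSOLE, CERT))
```

A result with a non-empty `boot_error` or `serial_in_cn` set to False corresponds to the state in which the article's `execute vm-license` step applies.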