When FortiGate has established its connection to the Azure SDN connector properly, the connector shows as up, either in the GUI or from the CLI:

diagnose system sdn status
SDN Connector    Type    Status
-------------------------------------------------------------
SDN_CONNECTOR    azure     up
Even though the connection is up and online, creating a firewall address object tied to the Azure SDN connector succeeds without error.
The problem is that the address is never matched from Azure: the object's resolved address list shows 0 entries.

Running the debug:
diagnose debug application azd -1
produces output similar to the following:
dialup_server # azd sdn connector test: prepare to update
azd sdn connector test: start updater process 10234
azd sdn connector test: start updating
azd sdn connector test: graphql: will collect addresses from subscriptions:
a0c5e8d6-d35f-4950-8afd-dc74c32a6e07 (APAC-TAC)
azd sdn connector test: graphql: query vnet resources
azd sdn connector test: graphql: query nic & vm resources
azd sdn connector test: graphql: found nic addresses: 331
azd sdn connector test: graphql: query load balancer resources
azd sdn connector test: graphql: found lb addresses: 31
azd sdn connector test: graphql: query application gateway resources
azd sdn connector test: graphql: found app gw addresses: 0
azd sdn connector test: graphql: query VMSS list
azd sdn connector test: graphql: found VMSS(uniform): 0
azd sdn connector test: graphql: query AKS cluster list
azd sdn connector test: graphql: found AKS cluster: 0
azd sdn connector test: refresh service tag
azd sdn connector test: refreshing service tags
azd sdn connector test: subscriptions/a0c5e8d6-d35f-4950-8afd-dc74c32a6e07/providers/Microsoft.Network/locations/westus2/serviceTags?api-version=2023-09-01
sdn test firewall addr change
azd sdn connector test: refresh service tags successfully
azd sdn connector test: found 1465 service tags from Azure
azd sdn connector test: start updating IP addresses
.
.
.
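The failing capture above ends at 'start updating IP addresses' with no 'address added' line. The following script, an added example and not Fortinet code, scans an azd debug capture, records the counts reported by each graphql stage and the service-tag refresh, and reports whether the updater actually got past the IP update. The two captures embedded in it are constructed from the output shown on this page (the failing run, and the run after the role assignment is corrected); the regular expressions assume the line shapes shown here.

```python
"""Triage of a FortiGate 'diagnose debug application azd -1' capture.

Added example, not Fortinet code. It scans the azd debug lines, records the
per-resource counts reported by the graphql stages and the service-tag count,
and reports whether the updater got past 'start updating IP addresses' to an
'address added' line. The captures at the bottom are constructed from the
output shown in the article.
"""
import re
from dataclasses import dataclass, field
from typing import Iterable, Optional

# Line shapes taken from the article's debug output (assumed stable).
COUNT_RE = re.compile(r"graphql: found (?P<what>[\w ()&]+?): (?P<n>\d+)\s*$")
SERVICE_TAG_RE = re.compile(r"found (?P<n>\d+) service tags")
ADDED_RE = re.compile(r"^address added: (?P<n>\d+)\s*$")
IP_UPDATE_MARKER = "start updating IP addresses"


@dataclass
class AzdTriage:
    counts: dict = field(default_factory=dict)   # e.g. {"nic addresses": 331}
    service_tags: Optional[int] = None
    reached_ip_update: bool = False
    addresses_added: Optional[int] = None

    @property
    def stalled(self) -> bool:
        # The failure in the article: the IP update starts but no addresses are ever added.
        return self.reached_ip_update and self.addresses_added is None

    def verdict(self) -> str:
        if self.stalled:
            return ("updater stopped after '%s' with no 'address added' line; "
                    "check the SDN app registration's role assignment (Contributor)"
                    % IP_UPDATE_MARKER)
        if self.addresses_added is not None:
            return "updater completed: %d addresses added" % self.addresses_added
        return "updater did not reach the IP update stage"


def triage_azd_debug(lines: Iterable[str]) -> AzdTriage:
    """Parse azd debug lines into an AzdTriage; lines that match nothing are ignored."""
    t = AzdTriage()
    for raw in lines:
        line = raw.strip()
        m = COUNT_RE.search(line)
        if m:
            t.counts[m.group("what")] = int(m.group("n"))
            continue
        m = SERVICE_TAG_RE.search(line)
        if m:
            t.service_tags = int(m.group("n"))
            continue
        if IP_UPDATE_MARKER in line:
            t.reached_ip_update = True
            continue
        m = ADDED_RE.match(line)
        if m:
            t.addresses_added = int(m.group("n"))
    return t


# Constructed from the article's failing run (abridged).
FAILING_CAPTURE = """\
dialup_server # azd sdn connector test: prepare to update
azd sdn connector test: start updater process 10234
azd sdn connector test: start updating
azd sdn connector test: graphql: query nic & vm resources
azd sdn connector test: graphql: found nic addresses: 331
azd sdn connector test: graphql: found lb addresses: 31
azd sdn connector test: graphql: found app gw addresses: 0
azd sdn connector test: graphql: found VMSS(uniform): 0
azd sdn connector test: graphql: found AKS cluster: 0
azd sdn connector test: refresh service tags successfully
azd sdn connector test: found 1465 service tags from Azure
azd sdn connector test: start updating IP addresses
"""

# Constructed from the article's run after the fix: the same prefix plus the address lines.
HEALTHY_CAPTURE = FAILING_CAPTURE + """\
azd sdn connector test: checking firewall address object sdn, vd 0
address sdn num change 0/474
address added: 474
104.x.x.0/20
"""

if __name__ == "__main__":
    for name, capture in (("before fix", FAILING_CAPTURE), ("after fix", HEALTHY_CAPTURE)):
        result = triage_azd_debug(capture.splitlines())
        print(f"{name}: {result.verdict()} "
              f"(nic={result.counts.get('nic addresses')}, tags={result.service_tags})")
```

To use it on a real capture, pass the saved debug lines to triage_azd_debug and read the verdict; a healthy run has addresses_added set, a stalled run reports the marker it stopped at.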
The debug output stops at 'start updating IP addresses' and never lists any addresses.
In this case, open the Azure portal -> IAM -> Role assignments, select the app registration used by the affected SDN connector, and make sure it has been given the 'Contributor' role assignment.
Once that is done, wait 5 minutes and re-create the firewall address or restart the SDN connector process on the FortiGate; the addresses will then be pulled successfully.
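The check above is done by hand in the portal. The script below, an added example and not Fortinet or Microsoft code, performs the same verification on the JSON that the Azure CLI prints for `az role assignment list --assignee <app-or-object-id> --all -o json`: it answers whether the connector's service principal holds Contributor (or Owner) at subscription scope or above, and points out narrower assignments that do not count. The sample assignments are constructed (the resource group name and principal are placeholders); the subscription ID is the one from the debug output on this page, and treating a management-group assignment as covering the subscription is an assumption the code does not verify.

```python
"""Verify the SDN connector app registration's role assignment.

Added example, not Fortinet or Microsoft code. Assumed input: the JSON emitted by
    az role assignment list --assignee <app-or-object-id> --all -o json
with the field names principalName, roleDefinitionName and scope as the Azure CLI
prints them. The samples below are constructed.
"""
import json

SUBSCRIPTION_ID = "a0c5e8d6-d35f-4950-8afd-dc74c32a6e07"   # from the article's debug output
REQUIRED_ROLES = ("Contributor", "Owner")                  # article asks for Contributor; Owner is a superset
MG_PREFIX = "/providers/microsoft.management/managementgroups/"


def covers_subscription(scope: str, subscription_id: str) -> bool:
    """True when an assignment at `scope` applies to the whole subscription.

    Assumption: a management-group or root assignment is taken to cover the
    subscription; the group hierarchy itself is not checked here.
    """
    s = scope.lower()
    return (s == f"/subscriptions/{subscription_id}".lower()
            or s == "/"
            or s.startswith(MG_PREFIX))


def covering_assignments(assignments, subscription_id=SUBSCRIPTION_ID, roles=REQUIRED_ROLES):
    """Assignments that grant one of `roles` at subscription scope or above."""
    return [a for a in assignments
            if a.get("roleDefinitionName") in roles
            and covers_subscription(a.get("scope", ""), subscription_id)]


def has_required_role(assignments, subscription_id=SUBSCRIPTION_ID) -> bool:
    return bool(covering_assignments(assignments, subscription_id))


def explain(assignments, subscription_id=SUBSCRIPTION_ID) -> str:
    """Human-readable finding; lists narrower (e.g. resource-group) assignments that do not count."""
    ok = covering_assignments(assignments, subscription_id)
    if ok:
        return "ok: " + ", ".join(f"{a['roleDefinitionName']} at {a['scope']}" for a in ok)
    narrower = [a for a in assignments if a.get("roleDefinitionName") in REQUIRED_ROLES]
    detail = "; ".join(f"{a['roleDefinitionName']} only at {a['scope']}" for a in narrower) or "none"
    return (f"missing: no {'/'.join(REQUIRED_ROLES)} on /subscriptions/{subscription_id} "
            f"(found: {detail})")


# Constructed sample: Reader on the subscription plus Contributor on a single resource group.
# "fortigate-sdn-app" and "rg-fortigate" are placeholder names.
BEFORE_FIX = json.loads("""[
  {"principalName": "fortigate-sdn-app", "principalType": "ServicePrincipal",
   "roleDefinitionName": "Reader",
   "scope": "/subscriptions/a0c5e8d6-d35f-4950-8afd-dc74c32a6e07"},
  {"principalName": "fortigate-sdn-app", "principalType": "ServicePrincipal",
   "roleDefinitionName": "Contributor",
   "scope": "/subscriptions/a0c5e8d6-d35f-4950-8afd-dc74c32a6e07/resourceGroups/rg-fortigate"}
]""")

# The same principal after Contributor has been assigned on the subscription itself.
AFTER_FIX = BEFORE_FIX + [
    {"principalName": "fortigate-sdn-app", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Contributor",
     "scope": "/subscriptions/a0c5e8d6-d35f-4950-8afd-dc74c32a6e07"},
]

if __name__ == "__main__":
    import sys
    # With a file argument, read saved `az role assignment list` JSON; otherwise use the samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as f:
            print(explain(json.load(f)))
    else:
        print("before fix:", explain(BEFORE_FIX))
        print("after fix: ", explain(AFTER_FIX))
```

Run it against a saved CLI export to confirm the assignment before waiting the 5 minutes and restarting the connector; a Contributor assignment that exists only on one resource group is reported as "missing" because the connector collects addresses across the subscription.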
Restart the process using:
diagnose debug application azd 3
After that, the debug output should look similar to the following:
dialup_server # azd sdn connector test: prepare to update
azd sdn connector test: start updater process 10234
azd sdn connector test: start updating
azd sdn connector test: graphql: will collect addresses from subscriptions:
a0c5e8d6-d35f-4950-8afd-dc74c32a6e07 (APAC-TAC)
azd sdn connector test: graphql: query vnet resources
azd sdn connector test: graphql: query nic & vm resources
azd sdn connector test: graphql: found nic addresses: 331
azd sdn connector test: graphql: query load balancer resources
azd sdn connector test: graphql: found lb addresses: 31
azd sdn connector test: graphql: query application gateway resources
azd sdn connector test: graphql: found app gw addresses: 0
azd sdn connector test: graphql: query VMSS list
azd sdn connector test: graphql: found VMSS(uniform): 0
azd sdn connector test: graphql: query AKS cluster list
azd sdn connector test: graphql: found AKS cluster: 0
azd sdn connector test: refresh service tag
azd sdn connector test: refreshing service tags
azd sdn connector test: subscriptions/a0c5e8d6-d35f-4950-8afd-dc74c32a6e07/providers/Microsoft.Network/locations/westus2/serviceTags?api-version=2023-09-01
sdn test firewall addr change
azd sdn connector test: refresh service tags successfully
azd sdn connector test: found 1465 service tags from Azure
azd sdn connector test: start updating IP addresses
azd sdn connector test: checking firewall address object sdn, vd 0
address sdn num change 0/474
address added: 474
104.x.x.0/20
104.x.xx.52/31
.
.
.
104.x.x.0/21
104.x.x.0/22