Skip to main content
nevan
Staff
nevan
Staff
December 8, 2025

Technical Tip: FortiGate automation stitch repeatedly triggered by system log

  • December 8, 2025
  • 0 replies
  • 516 views
Description This article describes the issue of an automation stitch being repeatedly triggered by a system log on a FortiGate device, causing multiple email alerts to be sent. The article provides a step-by-step solution to resolve this issue.
Scope FortiGate.
Solution

To configure the automation stitch for the Cloud server connection and disconnection incident and alert can be sent through Email as well. The following article can be reviewed: Technical Tip: Automation stitch for cloud server connection and disconnection events.

 

After configuration, the connected and disconnected logs can appear as below.

Example Log (FortiGate Cloud server connected):

 

date=2025-11-09 time=11:22:45 devname="FGT60F" devid="FGT60FTK21012345" logid="0100022915" type="event" subtype="system" level="information" vd="root" eventtime=1731153765000000000 logdesc="FortiGate Cloud server connected" msg="FortiGate Cloud server connection established successfully" service="FortiGate Cloud" status="connected" src=192.168.1.99 srcip=192.168.1.99 dst="FortiGate Cloud" dstip=173.243.138.210 srcintf="wan1" srcintfrole="wan" proto=6 duration=2 sentbyte=542 rcvdbyte=612 action="connect" eventid=22915

 

Example Log (FortiGate Cloud server disconnected):

 

date=2025-11-09 time=13:45:09 devname="FGT60F" devid="FGT60FTK21012345" logid="0100022913" type="event" subtype="system" level="warning" vd="root" eventtime=1731162309000000000 logdesc="FortiGate Cloud server disconnected" msg="FortiGate Cloud server connection lost" service="FortiGate Cloud" status="disconnected" src=192.168.1.99 srcip=192.168.1.99 dst="FortiGate Cloud" dstip=173.243.138.210 srcintf="wan1" srcintfrole="wan" proto=6 sentbyte=145 rcvdbyte=60 action="disconnect" eventid=22913 reason="connection timeout"

 

But even though there are no disconnection events, the connected logs are triggering frequently, which can happen when auto-join FortiCloud is enabled.

 

CLI:

config system fortiguard
    set auto-join-forticloud enable<--
end

 

Frequent 'FortiGate Cloud server connected' logs occur when the FortiGate repeatedly re-establishes the cloud session due to short timeouts, link instability, or upstream session resets. 

 

CLI:

config log fortiguard setting
    set status enable
    set conn-timeout <1-3600>
end


The default value is 10 seconds of the timeout. Increasing the conn-timeout value or adjusting it according to the scenario and enabling reliable logging stabilizes the connection.

Related article:
Troubleshooting Tip: FortiCloud connection failure
      Terms & ConditionsAccessibility statement