| Solution | Step 1: Before involving the TAC Support. Preliminary investigation will require an evaluation and consideration of the following:
Section A. Access the free comprehensive information resources available to apply the recommended configurations and troubleshooting tips:
- Fortinet Community Knowledge Base (central hub for articles and technical tips on all Fortinet products).
- Fortinet Official Documentation (Admin Guides, Reference Manuals, Release Information, and Deployment Guides).
- Fortinet Video Library (Video Deployment Guides).
- FortiGuard Labs (The FortiGuard Security Portal provides summaries of the latest internet threats, security advisories across popular vendor technologies, and access to the latest publications).
Section B. Determine the eligibility for the support request: Below are services that are uniquely tailored and independently obtained, outside the boundaries of the support ticket.
- FortiCare Professional Services, for New Implementations and Migrations, must be purchased separately to assist in designing, planning, optimizing, evolving, operating, and deploying standardized infrastructure (Contact Us).
- Advanced Services, purchased separately to perform more in-depth investigations, including RCA analysis, upgrade assistance, and software recommendations (Contact Us).
- New Service! Managed FortiGate Service, optimal for onboarding new equipment, purchased separately to help streamline and optimize network infrastructure by using Fortinet security best practices and ITIL methodologies. Deploy FortiGate devices, adhere to security standards, and improve efficiency. Evaluate, implement, and verify configuration changes. Respond immediately to security incidents, identify configuration weaknesses, and implement proactive security measures (Contact Us).
- FortiConverter Service, a one-time license, is required and purchased separately to perform configuration conversion and migration between FortiGate models or other vendors (Contact Us). Support related to FortiConverter Service will require a paid license, and tickets can be accessed through this portal: FortiConverter Service.
- New Service! FortiGuard Security Advisory and Incident Response Services (Forensic Analysis) is purchased separately to assist organizations in assessing and improving current security postures while effectively responding to digital threats through advanced digital forensics and incident response capabilities. These services provide organizations with expert insights into their existing security landscape, identifying vulnerabilities and weaknesses that cyber threats may exploit. This service is not limited to Fortinet family products (Contact Us).
Section C. Important prerequisites:
- A support contract is necessary for the FortiGate device with the serial number (SN) provided and any related Fortinet Fabric products, such as FortiAP, FortiClient-EMS, FortiManager, FortiCloud, and FortiSwitch, etc.
- Verify the support contract for the Fortinet product from the Fortinet Support Portal -> Product List (select product SN) -> Entitlement.
- If there is a fabric-related issue, a separate ticket should be opened to involve subject matter experts for an in-depth analysis of the affected product or solution.
- A valid support contract is required for the fabric linked to the device or product identified by its serial number (SN).
- If only a FortiGate support contract is available, a limited and best-effort investigation will be carried out.
- Missing features are considered an NFR (New Feature Request) and are not subject to a support ticket. A feature can be requested only through the local sales representative (Contact Us).
- Operating a FortiGate device with a FortiOS version that aligns with the Product Life Cycle is essential for the progress of the investigation.
- When third-party products and services are connected, like ISPs, upstream and downstream routers, firewalls, virtual machines, PBX/VoIP systems, cloud infrastructure, servers, workstations, and endpoints, the investigation will be handled from the perspective of FortiGate.
- The client representative (Network Administrator) needs to present supporting documentation, including debug information, captures, analyses, reference guides, or Fortinet resources, when describing the issue.
- Work with the TAC engineer to perform the necessary tests and ensure all relevant parties are included in a thorough investigation, as excluding key participants can limit progress and potentially delay resolving the issue.
- Each ticket can address only one technical issue. Duplicate tickets reporting the same problem will be merged into the main ticket and managed by the same TAC engineer.
- Configuration conversion and migration between FortiGate models and other vendors require a one-time license, which is not handled through the ticket process (refer to Section B, 4).
- Before performing any updates or upgrades, make sure to thoroughly review the FortiOS Release Notes for the version being considered. Assess the features currently in use, any changes in functionality, and the list of resolved and known issues.
- Lack of admin access due to a lost FortiToken cannot be recovered through support. Fortinet does not have any super admin credentials and cannot bypass MFA or password protection. It is the Network Admin's responsibility to follow the recommended steps before enabling MFA on a primary admin account. Check this article: Technical Tip: FortiToken 2FA recovery: steps to restore device access.
Step 2: Get in touch with the TAC Support. It is recommended to involve TAC by using the web ticket at the Fortinet Support Portal -> Guidelines and Policies -> Ticket Creation Guide.
Section D. Describe the technical issue, ensuring all necessary points required on the ticket are included:
- Problem description explaining how FortiGate is suspected to be impacting the issue.
- Historical information on the issue to understand if any recent changes or events could have impacted it.
- Network Diagram (image, PDF, Visio, etc.) of the impacted network segment where FortiGate is connected.
- Files and information required to start the investigation (* mandatory files):
- * Copy of the running configuration of the FortiGate, following this article: Technical Tip: How to download FortiGate configuration file & Debug log from GUI and CLI.
- * Copy of the unit 'Debug Log', following this article: Technical Tip: How to download debug.log file at different FortiOS version.
- Output of the HAR file for suspected web-based errors, following this article: Troubleshooting Tip: How to collect HAR files (mandatory in FortiCloud/Web-Based Investigations).
Section E. Prioritizing support ticket:
- Tickets will be handled according to the purchased support level and SLAs as explained under section 1.06 FortiCare Ticket Handling SLA in Technical Tip: FortiCompanion to Technical Support.
- Tickets can only be registered as P3 or P4, and priority can be increased to P1 or P2 if the following conditions are met:
- A complete technical description of the issue, with all the necessary information explained in Section D, is attached to the ticket.
- Proof of relevant business impact as defined in the section Ticket priority and definitions in Technical Tip: FortiCompanion to Technical Support.
- Priority changes can be requested by phone to the toll-free numbers in the FortiCare Support: Customer Service
- New configuration or migration requires Professional Services (check Section/B/1), and TAC involvement is on a best-effort basis through KBs and documentation. These queries are not subject to prioritization or escalation and will automatically be set to P4.
Section F. Defective units, replacement & returns (Return Material Authorization):
- Unit SN is under P-RMA Subscription: Proof or acknowledgment of this support subscription, and the support engineer will trigger the Priority RMA (P-RMA) as defined in the Technical Tip: FortiCompanion to RMA Services.
- Unit SN is under Standard RMA Subscription: Proof of the faulty device is required for approval. Information required for the return/replacement:
- Copy of the running configuration of the FortiGate, following this article: Technical Tip: How to download FortiGate configuration file & Debug log from GUI and CLI.
- Copy of the unit 'Debug Log', following this article: Technical Tip: How to download debug.log file at different FortiOS version.
- Output of the HQIP test of the suspected unit SN, following this article: Technical Tip: RMA - HQIP test (with built-in FortiOS diagnostic commands).
- Any other debugs, screenshots, and video recordings as per the engineer's request.
For more information, refer to the support contract in place as explained under Technical Tip: FortiCompanion to RMA Services.
Important Note:
- The RMA process cannot be triggered at will or for testing purposes; evidence of a faulty unit is required.
- The RMA process is not a substitute for a continuity plan. Triggering this process involves relying on third-party logistics, which can slow down delivery and disrupt continuity timelines.
- Fortinet strongly recommends High Availability deployment as the ultimate strategy for business continuity in cases of major disasters.
New Feature. FortiOS in low-end units is now capable of working with a Single FortiGuard license for FortiGate A-P HA cluster.
Section G. Additional technical support:
- If the unit requesting troubleshooting is operating in a time zone different from where it was purchased or registered, inform the TAC engineer that support is required for that specific time zone, as Fortinet Support is available 24/7.
- TAC engineers will not suggest or make changes that could affect business operations. Any changes made are thoroughly explained beforehand and have a minimal impact on production. Significant changes, like routing changes, SD-WAN migrations, upgrades, HA failovers, etc., should be reviewed and planned for a maintenance window.
- If unexpected behavior is suspected, the engineer will reproduce the issue, if applicable, only when there is enough evidence to justify an R&D investigation. These investigations are strictly overseen by TAC.
- The TAC engineer will propose a remote session if further visibility is needed, unless P1 or P2.
Section J. Remote Support Pre-requisites:
Important: Remote Assistance is a valuable tool to gain better visibility and accelerate the investigation, but it is not a substitute for the commitment or responsibilities of the client's Network Administrator.
- The TAC engineer can suggest a remote session to perform additional tests to aid the investigation via the GoToMeeting link only after fully understanding the issue.
- Ensuring stable connectivity for the remote session is crucial for the success of the session.
- Network visibility for the intended traffic path from source to destination.
- Access (through the Network Administrator) to the impacted device.
- Enough information was shared for the engineer to be prepared (refer to Section D).
A few tips for the Network Administrator:
- When reporting an issue, it is crucial to provide clear and solid evidence. Without this, the analysis may have incomplete results, and the ticket will be closed as inconclusive.
- The support team is always ready to revisit the investigation once the necessary details are shared.
- Teamwork is crucial for effective investigation and resolution. Without active involvement from the client's network admin, the analysis could fall short, possibly leading to the ticket being closed.
- When using AI models (any vendor), the responses can sometimes be false or unrealistic, so it’s best to rely on TAC analysis, taking into account the version and model the unit is running.
- Network Admin Tools are essential for performing successful troubleshooting:
|