Technical Tip: How to identify the IP address of EMS cloud to further help troubleshoot the connectivity issue between FortiGate and EMS cloud.
| Description | This article describes how to identify the EMS Cloud IP address, which can further be used to troubleshoot the connectivity issue between FortiGate and EMS Cloud. |
| Scope | FortiGate, FortiClient EMS, FortiSASE. |
| Solution | FortiGate connects to the EMS cloud via the Fabric Connector. Under the FortiClient EMS server, enable the status, select the type 'FortiClient EMS Cloud', and press 'OK' to commit the changes.
If this results in a reachability error, the IP address of the EMS cloud will help with troubleshooting. FortiGate uses the public domain 'forticlient-emsproxy.forticloud.com' to communicate with the EMS cloud (see: Allowlisting the FortiClient Cloud IP addresses).
Resolving the domain will help to identify the IP address.
FGT # exe ping forticlient-emsproxy.forticloud.com
PING aaaaa-bbb.c.ap-southe (52.74.249.xx): 56 data bytes
--- aaaaa-bbb.c.ap-southe ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss
If it is a reachability issue, it shows the error 'EMS unreachable' in the GUI. Further verification can be done on the CLI with the following command:
FGT # execute fctems verify 1
Run the sniffer to identify if the traffic is leaving the FortiGate with the actual source IP and interface.
diagnose sniffer packet any "host 52.74.249.xx" 4 0 l
Test the connectivity while the sniffer is running. To stop the sniffer, press 'CTRL+C'.
This will help check the communication between FortiGate and EMS Cloud and further lead to resolving the reachability problem. |
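The sniffer step above can be checked offline with the following added example (not part of the original article or of Fortinet tooling), which reads a saved capture and reports which interface and source IP the traffic left on and whether the EMS Cloud address replied. The sample lines are constructed, the line layout (timestamp, interface, direction, source -> destination) is assumed to match verbosity 4 output, and 203.0.113.10 is a placeholder for the resolved EMS Cloud IP.

```python
import re
from collections import Counter

EMS_IP = "203.0.113.10"  # placeholder for the resolved EMS Cloud address

# Constructed sample: three SYNs leave wan1, nothing comes back.
SAMPLE = """\
2024-05-01 10:15:01.100000 wan1 out 198.51.100.2.51000 -> 203.0.113.10.443: syn 1000
2024-05-01 10:15:02.100000 wan1 out 198.51.100.2.51000 -> 203.0.113.10.443: syn 1000
2024-05-01 10:15:04.100000 wan1 out 198.51.100.2.51000 -> 203.0.113.10.443: syn 1000
"""

# Assumed layout: <timestamp> <interface> <in|out> <src>[.port] -> <dst>[.port]: <info>
# Ports are optional so that ICMP lines (no port suffix) also match.
LINE = re.compile(
    r"^(?P<ts>.+?) (?P<iface>\S+) (?P<dir>in|out) "
    r"(?P<src>\d+(?:\.\d+){3})(?:\.\d+)? -> "
    r"(?P<dst>\d+(?:\.\d+){3})(?:\.\d+)?:"
)

def summarize(capture, ems_ip):
    """Count packets sent toward ems_ip per (interface, source IP) and replies from it."""
    egress = Counter()
    replies = 0
    for raw in capture.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # banner, blank line or unrelated output
        if m["dir"] == "out" and m["dst"] == ems_ip:
            egress[(m["iface"], m["src"])] += 1
        elif m["dir"] == "in" and m["src"] == ems_ip:
            replies += 1
    if not egress:
        verdict = "no-egress"        # traffic never left the FortiGate
    elif replies == 0:
        verdict = "egress-no-reply"  # packets left, nothing came back
    else:
        verdict = "two-way"          # packets flow in both directions
    return {"egress": dict(egress), "replies": replies, "verdict": verdict}

if __name__ == "__main__":
    print(summarize(SAMPLE, EMS_IP))
```

The `egress` keys show the interface and source IP actually used, which is the pair to compare against the expected route and any upstream allowlist.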
