zromano
Staff & Editor
April 28, 2025

Technical Tip: Unknown admin login from FortiGate Cloud

Description: This article explains why logins from an unfamiliar email address appear when a FortiGate is managed by FortiGate Cloud.

Scope: FortiGate.

Solution:

When a FortiGate is managed using FortiGate Cloud, the system event logs show logins to the FortiGate under an anonymized username.
This is by design. It is a change in FortiGate Cloud behavior that enhances security for managed security service provider customers by preventing sub-users from seeing the primary account email address in firewall logs. It also applies when the account is shared, so that the sub-user account cannot view the parent account email address.


The logs will therefore show a login from a random email address in the following format (where xxxxxxxxxxx is an alphanumeric string): xxxxxxxxxxx@fortigatecloud.com.

The source and destination IP addresses will both be 127.0.0.1, similar to logins from FortiAnalyzer on 127.0.0.1 (Technical Tip: Admin login from 127.0.0.1).

 

Here is an example of a log:


date=2025-04-28 time=02:56:32 devname="FortiGate" devid="FG60EXXXXXXXXXXX" eventtime=1745834192217997723 tz="-0700" logid="0100032001" type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" sn="XXXXXXXXXX" user="fa319c7a16bb@fortigatecloud.com" ui="unknown(127.0.0.1)" method="unknown" srcip=127.0.0.1 dstip=127.0.0.1 action="login" status="success" reason="none" profile="super_admin" msg="Administrator fa319c7a16bb@fortigatecloud.com logged in successfully from unknown(127.0.0.1)"
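The following Python is an added example, not part of the original article and not Fortinet code. It triages admin-login events by checking whether a fortigatecloud.com username also has the loopback source and destination described above. The "review" label, the function names and the shortened sample lines are assumptions constructed for illustration.

```python
import re

# Username format given in the article: <alphanumeric string>@fortigatecloud.com
CLOUD_USER = re.compile(r"^[A-Za-z0-9]+@fortigatecloud\.com$")
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted value" or key=bare
ADMIN_LOGIN_LOGID = "0100032001"  # logid of the sample event in the article
LOOPBACK = "127.0.0.1"


def parse_kv(line):
    """Split a FortiGate key=value log line into a dict, keeping quoted values whole."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD.finditer(line)}


def classify_admin_login(line):
    """Label one log line: not-admin-login, other-admin, fortigate-cloud or review."""
    f = parse_kv(line)
    if f.get("logid") != ADMIN_LOGIN_LOGID or f.get("action") != "login":
        return "not-admin-login"
    user = f.get("user", "")
    if not user.lower().endswith("@fortigatecloud.com"):
        return "other-admin"
    loopback = f.get("srcip") == LOOPBACK and f.get("dstip") == LOOPBACK
    if CLOUD_USER.match(user) and loopback:
        return "fortigate-cloud"  # matches the behaviour described in the article
    return "review"  # assumption: a cloud-style name off loopback deserves a look


# Constructed sample lines (shortened; not real device logs).
SAMPLE_LOGS = [
    'logid="0100032001" type="event" logdesc="Admin login successful" '
    'user="fa319c7a16bb@fortigatecloud.com" ui="unknown(127.0.0.1)" '
    'srcip=127.0.0.1 dstip=127.0.0.1 action="login" status="success"',
    'logid="0100032001" type="event" logdesc="Admin login successful" '
    'user="fa319c7a16bb@fortigatecloud.com" ui="https(203.0.113.10)" '
    'srcip=203.0.113.10 dstip=192.0.2.1 action="login" status="success"',
    'logid="0100032001" type="event" logdesc="Admin login successful" '
    'user="admin" ui="https(192.0.2.50)" '
    'srcip=192.0.2.50 dstip=192.0.2.1 action="login" status="success"',
]

if __name__ == "__main__":
    for entry in SAMPLE_LOGS:
        print(classify_admin_login(entry), "<-", parse_kv(entry).get("user"))
```

Events labelled "fortigate-cloud" match the pattern this article documents; "review" only means the event does not match that pattern and should be checked against who was managing the device at the time.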

 

Related documents:

FortiGate Cloud Management 

Technical Tip: FortiGate Cloud admin displaying a random or different username