willow
Explorer
September 30, 2025
Solved

Can't Connect to FortiAnalyzer Cloud after Upgrade

  • September 30, 2025
  • 7 replies
  • 5711 views

We have just upgraded our 100F from 7.0.17 to 7.4.9 with 7.0 going end of support.

It upgraded to 7.2 and then to 7.4.

Everything seems to work fine with the exception of FortiAnalyzer Cloud. It's refusing to connect and send logs. We did upgrade the FAZ from 7.4 to 7.6.4; however, it hasn't seemed to make any difference, and both versions seem to support our FortiGate version. I have also removed the device and re-added it to FA Cloud, still with no luck.

There are no access issues that I know of:

# exec ping fortianalyzer.forticloud.com
PING fortianalyzer.forticloud.com.geo.fortinet.net (154.52.2.161): 56 data bytes
64 bytes from 154.52.2.161: icmp_seq=0 ttl=52 time=20.6 ms
64 bytes from 154.52.2.161: icmp_seq=1 ttl=52 time=20.5 ms
64 bytes from 154.52.2.161: icmp_seq=2 ttl=52 time=20.5 ms
64 bytes from 154.52.2.161: icmp_seq=3 ttl=52 time=20.5 ms
64 bytes from 154.52.2.161: icmp_seq=4 ttl=52 time=20.5 ms

--- fortianalyzer.forticloud.com.geo.fortinet.net ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 20.5/20.5/20.6 ms

The only clue is an error with SSL:

exec log fortianalyzer-cloud test-connectivity
Failed to get FortiAnalyzer Cloud's status. SSL error. (-3)

However, I'm at a loss as to what to try next.

Any help appreciated :)


asrour
Staff
September 30, 2025

Hi @willow,

- What is the FGT model and version?

- Run the oftpd debugs on the FAZ Cloud CLI and share the output.

di de app oftpd 255
di de en

Thanks,

willow
Author
Explorer
October 1, 2025

FGT 100F 7.4.9

FAZ 7.6.4

FAZVM64-VIO-CLOUD # di de app oftpd 255
oftpd debug filter: disable

FAZVM64-VIO-CLOUD # di de en

FAZVM64-VIO-CLOUD # logs of past 240 sec: 0
logs of past 300 sec: 0

NAS
New Member
September 30, 2025

Hello,
I have the same problem. A new FortiGate 70G with version 7.4.9 was set up today with a newly initialized FortiAnalyzer Cloud (7.6.4) entitlement. The FortiGate cannot be connected to the FortiAnalyzer; the error message is the same...

exec log fortianalyzer-cloud test-connectivity
Failed to get FortiAnalyzer Cloud's status. SSL error. (-3)

FAZ-CLI:
di de app oftpd 255
--> No logs available

Best regards,
Karsten

BillH_FTNT
Staff
October 1, 2025

Hi @willow and @NAS

Could you follow these links to check and get some logs?

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Connectivity-issue-between-FortiGate-and/ta-p/205112

Regards

Bill

willow
Author
Explorer
October 1, 2025

WCL-FORTIGATE # exec log fortianalyzer test-connectivity
No FAZ is enabled.

I am assuming this is because we're using FortiAnalyzer Cloud.

[Image: forti.jpg]

Serial is correct for the FAZ and the device is configured (although it still has it on its old firmware version). I have removed and re-added the device already.

[Image: faz.jpg]

I am assuming there's a missing or incorrect SSL certificate here and it just needs to redownload from the FAZ; however, I can't find an obvious way of clearing the settings and letting me add the device from the FortiGate side (as if it was never added before) or importing the correct certificate. I have already tried disabling the option for verification.

kaman
Staff
October 1, 2025

Hi willow and NAS,

Is the FortiGate in FIPS mode?

https://community.fortinet.com/t5/FortiAnalyzer/Technical-Tip-FortiGate-FIPS-CC-enabled-to-send-log-to/ta-p/276541

There is an internal Bug ID: 1111972, FortiGate device with FIPS mode enabled cannot connect with FortiAnalyzer Cloud.

There was a workaround found which helped a customer. The workaround is to add the below 2 DNS entries to the SAN:

*.fortianalyzer.forticloud.com
fortianalyzer.forticloud.com

Once you have this certificate uploaded to FortiAnalyzer, it then needs to be set as the OFTP cert using the following command:

config system certificate oftp
    set mode local
    set local "name of new cert"
end

Also upload the CA cert which is the issuer of the new custom cert to all the FortiGate devices sending logs, so that they trust the new cert on FortiAnalyzer Cloud.


Please let me know if that helps.


If you have found a solution, please like and accept it to make it easily accessible to others.


Regards,
Aman

willow
Author
Explorer
October 1, 2025

I don't believe so, as we are based in Europe and that seems to be a federal (US) requirement, so I'm going to assume not. Is there a way to check? Most of the Google searches seem to give commands to enable.

I would highly suspect this is an SSL issue and we need to export or import one of the certificates from the FAZ or vice versa.

asrour
Staff
October 1, 2025

@NAS @willow 

Download the certificates from the FAZ and upload them to the FGT, then test.

NAS
New Member
October 1, 2025

Hello,
I’m getting the error message due to a duplicate. The certificates are exactly the same, so that doesn’t seem to be the problem.

Regards,
Karsten

NAS
New Member
October 1, 2025

Hello everyone,
it’s definitely due to FortiOS 7.4.9. I downgraded to 7.4.8 and now the FortiGate connects immediately to the FortiAnalyzer Cloud.

Regards,
Karsten

BillH_FTNT
Staff
October 1, 2025

Hi @NAS or @willow 

If you have a support ticket with Fortinet, please share it with me. I can use your configuration to test on my FGT-100F device in the lab.
If you don’t have a ticket, could you please send your configuration to my email: bhoang@fortinet.com? I’m Bill from Fortinet, and I’d like to reproduce the issue in the lab to help identify the root cause.
Thank you.

Bill

NAS
New Member
October 1, 2025

@BillH_FTNT Sent you an email

Best regards
Karsten

BillH_FTNT
Staff
October 3, 2025

Hi All,

I noticed that our Engineering team is currently investigating an issue quite similar to the one you reported. However, there’s no conclusion yet, so I’m unable to share any results at this time. I’ll provide updates as soon as more information becomes available.


In the meantime, if you're able to run a quick test (just a test), could you please try configuring the minimum SSL protocol used in FortiOS 7.4.9 to ensure that TLSv1.3 is used for the connection to FMG/FAZ Cloud:

config system global
    set ssl-min-proto-version TLSv1-3
end

Regards

Bill

MT-DSG
Answer
New Member
October 5, 2025

Hello Bill,

Regarding the same issue, instead of changing the global setting, I modified the FortiAnalyzer Cloud logging configuration directly:

config log fortianalyzer-cloud setting
    set status enable
    set ssl-min-proto-version TLSv1-3
end

The FortiGate is now able to send logs and retrieve the FortiAnalyzer's serial number.

Thank you for your help
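
For anyone who needs to check several FortiGates for the two changes suggested above (the global setting and the per-feature FortiAnalyzer Cloud setting), here is an added example, not code from any poster or from Fortinet, that reads a saved configuration file and reports where ssl-min-proto-version is set. It assumes the usual config/edit/set/next/end text layout; the function names and the sample configuration are made up for the illustration.

```python
# Added example: audit FortiOS config text for the TLS workaround from this thread.
KEY = "ssl-min-proto-version"
GLOBAL = "system global"
FAZ_CLOUD = "log fortianalyzer-cloud setting"
WANTED = "TLSv1-3"  # value used in both replies above

def parse_config(text):
    """Return {section path: {key: value}} for 'set' lines in config text."""
    stack, out = [], {}
    for raw in text.splitlines():
        word, _, rest = raw.strip().partition(" ")
        rest = rest.strip()
        if word == "config":
            stack.append(rest)
        elif word == "edit":
            stack.append("edit " + rest)
        elif word in ("next", "end") and stack:
            stack.pop()  # 'next' closes an edit entry, 'end' closes a config block
        elif word == "set" and stack and rest:
            key, _, value = rest.partition(" ")
            out.setdefault(" / ".join(stack), {})[key] = value.strip().strip('"')
    return out

def audit(text):
    """Show where the TLS floor is set and whether either workaround is present."""
    cfg = parse_config(text)
    faz = cfg.get(FAZ_CLOUD, {})
    report = {
        "faz_cloud_enabled": faz.get("status") == "enable",
        "global_min": cfg.get(GLOBAL, {}).get(KEY),  # None = not in the file
        "faz_cloud_min": faz.get(KEY),               # None = not in the file
    }
    report["workaround_present"] = WANTED in (report["global_min"],
                                              report["faz_cloud_min"])
    return report

# Constructed sample configs (hostname and values are made up for the example).
BEFORE = """config system global
    set hostname "FGT-EXAMPLE"
end
config log fortianalyzer-cloud setting
    set status enable
end
"""
AFTER = BEFORE.replace("set status enable",
                       "set status enable\n    set ssl-min-proto-version TLSv1-3")

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        print(name, audit(text))
```

A value of None only means the key does not appear in the file that was read, so it says nothing about which protocol version the firmware actually uses in that case.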

BillH_FTNT
Staff
October 5, 2025

Hi @MT-DSG 

This is a nice approach. Thanks

Bill