Support Forum

Hello all. Apologies if this has been discussed before and I failed to locate it. I just received a used FG-60F and registered it without any issues. When looking at my assets section, all subscriptions appear to be expired on this device, which I was expecting. Once I reset the unit with the button on back and went to the GUI, I noticed something odd. Being new to the FortiGate, I thought I should ask if this is going to be a problem before purchasing a license. On the 60F GUI, it shows that there is FortiCare coverage to an account that isn't mine. I would have thought that my ability to register the 60F indicates that the device has been unregistered from other accounts although I could certainly be mistaken due to my ignorance on such matters. My question is: If I purchase a UTP or ATP license, is this going to create a licensing problem with FortiCare coverage or will it simply apply the new license and show it as covered with FortiCare under my account?I would very much appreciat

A client is requesting that the secondary LAN port on a FAP231G be used for a wired printer connection. I’ve never done this before, but relevant documentation has pointed me in the right direction (I hope). Before making any configurations, the printer pulled an IP from the VLAN the APs are on.Based on the documentation, I went into the “FortiAP Profiles” tab and changed the port mode to Uplink & Bridge, and the port bridge Bridge to SSID, and then selected the desired SSID, the intent being that wireless devices on said SSID will be able to print from that printer. What I expected would happen is that the printer would pull an IP from the SSID pool. It did not.Next I went into the specific AP in the “Managed FortiAPs” tab, enabled Override LAN Port, set Override Port Mode to Uplink & Link, and enabled Bridge to SSID and selected the desired SSID. This also failed to pull and IP from the SSID pool. Am I missing something/misunderstanding how this works?

Is there a way to view the camera serial number form the FortiRecorder?If not?  How can I retrieve the camera sn? Thanks & appreciate the help..  new to the Fortirecorder/camera Cheers! 

We are attempting to sync MS entra devices into FortiAuthenticator 6.6.2 so that we can then complete certificate based authentication for these devices.We have on-prem AD devices syncing via LDAP and this is working fine. Has anyone managed to sync entra devices in? I am struggling to find any clear documentation for this process...Thanks in advance

Dear All, Anybody can explain in laymon term what is under lay and over lay in SDWAN concept and how does it work. Why under lay and over lay need.  Thank you in advanced for sharing the knowledge.  

Hello, I know that normaly there should be one rule allowing a connection. In my case we are experiencing with Firewall Authentication, we configured FortiAuthenticator do allow access to devices behind the Firewall based on AD Groups.Users have to sign in on Authenticator using the SAML URL: /saml-sp/CDS_SegSecServ/login/, the session is valid for 10 hours, afterwards users have to relogin. So at this time we have rules which need authentication and older rules for similar access without authentication, based on IP Adresses.The Authentication rules map users to ip’s, so at the end it is also an IP to IP rule.Now my question, what happens when the authenticated sessions runs out, since there is also the old rule which also serves the same IP, should the TCP session continue to work without interruption or does it mean that a new session is initiated and the old one get stuck.It looks like there are at least database disconnections and i am not sure if this is because the rules allowing

I’m seeing an issue in my FortiSASE v26.1.92 where an endpoint is assigned the correct profile (IT Infra), but the group is showing as “Non-AD Endpoints”, which is not expected.The device is domain-joined and should be part of the appropriate AD-synced group, but it’s not reflecting correctly in the console.Details:Endpoint status: Online & managed Correct profile applied: IT Infra Group shown: Non-AD Endpoints (incorrect) AD sync is already configuredQuestion:What could cause an endpoint to fall under “Non-AD Endpoints” even when it’s domain-joined?Any guidance would be appreciated. 

Hi everyone, I am trying to add a Fortigate VM eval, generated via the FortiCloud account to the FortiManager VM eval, also generated via the FortiCloud account. So, both units are "self-generated" evals. I am not talking about evals obtained through the local supplier. It is not working!!! From the debug output on FGM, it seems like the FG is not sending any certificate to the FGM while trying to setup communication via FGFM. This is a debug output from the FGM:2025-02-11 06:44:29 Use cert idx=0 by peer_ca = 1 2025-02-11 06:44:29 __info_callback,993: role=svr,state=23, TLSv1.3 SSLv3/TLS write certificate 2025-02-11 06:44:29 __info_callback,993: role=svr,state=40, TLSv1.3 TLSv1.3 write server certificate verify 2025-02-11 06:44:29 __info_callback,993: role=svr,state=36, TLSv1.3 SSLv3/TLS write finished 2025-02-11 06:44:29 __info_callback,993: role=svr,state=46, TLSv1.3 TLSv1.3 early data 2025-02-11 06:44:29 __info_callback,993: role=svr,state=46, TLSv1.3 TLSv1.3 early da

We’re running FortiClient with Cloud EMS and deploying via Intune (Win32, SYSTEM).For most users we use SAML authentication, which works fine.But we also have som shared PCS with no primary users.We want the device to be registered in EMS automatically, without requiring any user to log in.What is best practice?

Hi everyone,I’m currently using FortiManager Cloud to manage my FortiGate devices.When I was configuring static routes directly on the FortiGate, I used to rely on address objects and especially address groups as route destinations (Named Address with allow‑routing).This approach was very convenient to group multiple networks behind a single static route and keep the routing configuration clean and readable.With FortiManager (Static Route Templates), I understand that this option is not available:Destinations seem to be limited to Subnet / Internet Service / Internet Service Custom. There is no way to select an address object or an address group as a destination, unlike local FortiGate configuration.I’ve seen that meta‑fields (variables) can be used to inject subnets into route templates, but:This does not really replace the concept of address groups. It doesn’t fully meet the use case I had before.So I’m wondering how you deal with this in practice:How do you handle static routing in

Hello, i created a Test-LAB with FortiManager v7.6.6 build3654 (Mature) VM Trial licensed and FortiGate v7.4.11 build2878 (Mature) VM Trial licensed. Now ill try to Join my Gate into my Manager and got the Error. I checked with the "Compatibility Tool" and it looks good for my Case. I use Windows 11 Pro with Hypedr V and booth VM Imgaes are HyperV from Download Center. The Screenshots are attached. Thanks for help. I tried a lot of proposed solutions FortiGate = 192.168.178.241FortiManager = 192.168.178.240  Log Spoiler (Highlight to read)ConnectedFMG-VM64-HV # diagnose debug application fgfmsd 255fgfmsd debug filter: disableFMG-VM64-HV # diagnose debug timestamp enableFMG-VM64-HV # diagnose debug enableFMG-VM64-HV # 2026-02-23 05:41:29 proxy_session.c,__session_frontend_accept,833: 192.168.178.241:1156 -> 192.168.178.240:541.2026-02-23 05:41:29 __use_cert,734: start idx = 02026-02-23 05:41:29 use certificate issuer = /C=US/ST=California/L=Sunnyval

Fortigate 5.6 Fortimanager 5.6.8 Lower version but in use I've been using it well for over five years, but suddenly I can't see the policy Reboot / fmg 5.6.11 patch / db check and it only loads Have you ever seen cases like this? 

Hello everyone,I would like to clarify how FortiGate handles dynamic BGP neighbors in relation to the print tablesize output.In our environment, we use a hub-and-spoke topology. On the hub, BGP peers are not configured statically one by one under config neighbor. Instead, we use:neighbor-group neighbor-rangeThis allows spoke peers to establish BGP sessions dynamically. When running print tablesize, we see:router.bgp:neighbor: 0 0 1000 My doubt is about the meaning of this value in a dynamic BGP scenario. I understand that max-neighbor-num under neighbor-range is a per-range configurable control, not necessarily the total platform limit. For example, the CLI allows: set max-neighbor-num <1-1000> or 0 and documentation mentions that 0 is the default special value. Because of that, I would like to understand the following:Does router.bgp:neighbor in print tablesize apply only to statically configured neighbors, or does it also include dynamic neighbors created through neighbor-range

Trying to set up an IKEv2 client-certificate-based IPsec connection from a FortiClient 7.4.4 to a FortiGate VPN Gateway results in the following error in the FortiGate log when evaluating the received IKE_AUTH request:ike V=root:0:IPSec-Client:176: certificate validation succeededike V=root:0:IPSec-Client:176: signature verification failedike V=root:0:IPSec-Client:176: auth verify doneike V=root:0:IPSec-Client:176: responder AUTH continuationike V=root:0:IPSec-Client:176: authentication failed Parsing the received IKE_AUTH request sent by the FortiClient, we see that the AUTH payload of type Digital Signature (14) defined by RFC 7427 is missing the one octet ASN.1 length field and the following ASN.1 OID of the Algorithm Identifier. Only the raw 64 octet ECDSA 256 Bit Signature has been added:2F     Next Payload: 47 - CP00     C/Reserved0048   Length: 72 Octets = 8 + 64 Octets (2*256 Bits)0E     Auth Method: 14 - Digital Signa

Hello guys, What will happen to my fortimail once licenses expire?Will it be able still to send/relay emails?What about protection, antispam, content and URL filtering? Thank you in advance.

Hello.We have an FG-401F firewall, divided into a few VDOMs, all in profile-based mode. Now we need to convert one of the VDOMs to policy-based mode, and as I know in this case all policies are removed. Is there any way to automatically migrate policies from profile-based mode to policy-based, so we don’t have to recreate all of them manually? Maybe some sort of tool or script?Thanks.

Hi, I recently started working In FortiSOAR.In playbook I am using the splunk connector with FSR: rest API call action and GET HTTP method to collect the kvstore lookup data.The kvstore lookup contains fields including Date field (which contains ephoc format of date).The Playbook is picking all the data without any issue.But I have to pick data based on condition (if date is beyond 1 month I have to pick those data)Could anyone help me how to achieve this.Thanks.

Hello,I am currently working with FortiManager Cloud (7.4) and FortiGate devices running in multi‑VDOM mode.I would like to know whether it is possible to hide or exclude specific VDOMs on FortiManager Cloud, so that:they are not visible in the Device Manager,  they do not consume a device / VDOM license, while still existing on the FortiGate (i.e. without deleting the VDOM on the device itself).From what I understand so far, it looks like:all Traffic‑type VDOMs present on a FortiGate are automatically visible in FortiManager Cloud, each of them is counted as a managed device/VDOM for licensing purposes, and there is no supported way to “unmanage”, hide, or exclude a single VDOM only on the FortiManager Cloud side.Can someone please confirm whether this is indeed not possible on FortiManager Cloud today?And if so, is there any official Fortinet documentation or statement that explicitly confirms this behavior or limitation?Thanks in advance for your clarification.Best regards,B-W

Hi Team, I am looking at multiple customer scenarios where thee have more than 300 switches , or have an expansion plan in the future exceeding total of 300. If I am interested  in proposing a fortilink fabric to maintain and operate them, what options do I have to increase capacity.  As I understand an HA unit in A-A or A-P will not help here.  Do we think of adding two HA pairs and then manage the whole show through Fortimanager ? Your views would be appreciated. Thanks !

Hi All,  We are experiencing an issue with the forticlient VPN client on MacOS 15.5 We are currently planning our roll out of remote access via IPsec and moving away from SSL VPNs, The issue we are having is that after a device cold start/reboot, the initial attempt to connect to the remote access VPN via IPsec always fails and gives an "Connection was terminated unexpectedly" error. Trying it immediately again afterwards, it still fails. The current workaround is to connect to the same remote VPN endpoint but via SSL VPN, and then trying the IPsec once more; however, this does not always seem to work.Another workaround seems to be waiting 5-10 minutes, and trying the IPsec connection seems to work.Once successfully connected via the IPsec VPN, it continues to work until the client device is rebooted/shut down. Looking through the Forticlient debug logs, we are getting an "IPsec error -104"; however, when running an authentication debug on the FortiGate, I can

Hi ti all, Our FortiGate 50G is protecting 2 different routers from 2 different ISPs. One is plugged to Wan and the other to Lan1 (=Wan2). Domestic use network. Only ethernet. No WiFi. A few days ago, I tried to protect a TV decoder with the FortiGate. Creating the multicast policies, I have surely changed something I should not have to. The TV decoder was plugged into lan 2 which belongs to a Vlan switch (called "lan". Members: lan 2 + lan 3). This Vlan provides internet from only one of the routers Now I have the following symptoms: - When using this routers's internet and plugging the ethernet cable to my computer, my Airbook gets an auto-assigned IP first (yellow led) and, after 30 seconds, it switches to a normal IP (green led): Internet is available then. This symptom happens only with one of the routers (plugged to lan2 or lan3... Where the TV decoder was plugged to). I tried to disconnect "STP". then the symptom disappears. But comparing with the old configuration file, I notic

When deploying FortiSOAR the configuration wizard reset the database password to a unique value.is there a way to know this password or reset it to a known one?

So i've recently acquired two FortiAP-221c's with POE injectors and I am having a little bit of trouble finding out what seems to be simple information. Maybe one of you can help me out. If I were to put one (or both) of these AP's in my home, what would I NEED to make them work. Is a Fortigate required because of the built in Wireless controller? I know they need to be authorized to enable the antennas, is a fortigate or VM software the only options I have?

I have a FortiWeb that is used for our QA environment that is not exposed to the internet.   I need to be able to manage certificates on it automatically to avoid having to manually replace them every month as the lifecycle shortens.   DNS-01 is completely manual so that's out.   I tried HTTP-01 using an internal private ACME server, but the Fortiweb rejects the certificate when making the https request to the ACME server because it is signed by our internal CA. Does anyone have a method they are happy with for managing certificates in this situation?

Hello, I have a 40F.Default config has a virtual hardware switch called "lan" whose member interfaces are: "lan1", "lan2" and "lan3".I would like to remove those member interfaces from the "lan" switch using Ansible. Do you know how to do that ? https://docs.ansible.com/ansible/latest/collections/fortinet/fortios/fortios_system_virtual_switch_module.html#examples I tried the tasks bellow, leaving the port empty, but no success.If I specify just one port, like lan1, it removes the others. I need to remove them all. task1- name: Remove member interfaces from "lan" virtual hardware switch  fortinet.fortios.fortios_system_virtual_switch:    vdom: "{{ vdom }}"    state: "present"    system_virtual_switch:        name: "lan"        port: task2- name: Remove member interfaces from "lan" virtual hardware switch  fortinet.fortios.fortios_system_virtual_switch:    vdom: "{{ vdo