Cajuntank
Contributor III
February 27, 2026
Solved

Security fabric FortiGates not being able to finish authorization to EMS Cloud

  • February 27, 2026
  • 3 replies
  • 339 views

I connected my fabric root FortiGate, which happens to be my edge firewall, to the FortiClient EMS Cloud just fine via the fabric connector. My other fabric FortiGates show up in EMS Fabric soon after, so I authorized them there and attempted to finish the authorization at the fabric firewalls. When I click authorize on the fabric connector on the firewall, I am presented with the certificate to accept or deny. I accept and it goes back to the fabric connectivity window for EMS Cloud on the FortiGate in question, yet never "connects"... it's still in that pending state of showing the EMS Cloud information coming from my root, yet will not connect successfully like my fabric root edge firewall did.

Best answer by Cajuntank

I did end up opening a TAC case and the engineer pointed me to this KB article which nailed my issue of what the debug logs were reporting to me...

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-EMS-certificate-not-authorized/ta-p/358457

Implemented and was able to finally get authorized. Thanks for pointing me down the right path with the debug logging to see the actual error.

3 replies

Jean-Philippe_P
Staff & Editor
March 2, 2026

Hello Cajuntank,

Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.

Jean-Philippe - Fortinet Community Team
Jean-Philippe_P
Staff & Editor
March 3, 2026

Hello,

We are still looking for an answer to your question.

We will come back to you ASAP.

Jean-Philippe - Fortinet Community Team
Jean-Philippe_P
Staff & Editor
March 4, 2026

Hello again Cajuntank,

I found this answer, can you tell us if it helps, please?

To address the issue of downstream FortiGates in a Security Fabric not being able to complete authorization to the FortiClient EMS Cloud, follow these steps:

Troubleshooting Steps

  1. Verify Certificate Synchronization:

    • Ensure that the CA certificate is synchronized through the Security Fabric. This is crucial for downstream FortiGates to validate the EMS certificate.
    • On the root FortiGate, enable the remote CA synchronization with the command:

      config vpn certificate ca
          edit "<Certificate Name>"
              set fabric-ca enable
          next
      end
  2. Check Certificate Names: Verify that the Remote CA Certificate names on downstream FortiGates match the root FortiGate's certificate name. Any mismatch can cause authorization issues.

  3. Ensure DNS Resolution: Confirm that the DNS server is reachable and that FortiGate can resolve forticlient-emsproxy.forticloud.com. This is necessary for proper communication with the EMS Cloud.

  4. Debugging:

    • Use the following commands to gather more information on the issue:

      diagnose debug application fcnacd -1
      diagnose debug enable
    • Replicate the issue and check for any timeout or certificate errors in the debug output.

  5. Update and Configure Source IP:

    • Run an update to ensure all components are up-to-date:

      diagnose debug application update -1
      diagnose debug enable
      execute update-now
    • If the issue persists, specify the source IP for EMS communication:

      config endpoint-control fctems
          edit <EMS ID>
              set source-ip <any_ip>
      end

Follow-ups and Clarification Questions

  • Have you verified that the CA certificate is synchronized across all FortiGates in the Security Fabric?
  • Is the DNS server reachable from all FortiGates, and can they resolve the EMS Cloud address?
  • Have you checked the debug logs for any specific errors or timeouts during the authorization process?
  • Did you ensure that the Remote CA Certificate names are consistent across all FortiGates?

These steps should help in diagnosing and resolving the issue with the downstream FortiGates not completing authorization to the EMS Cloud. If the problem persists, consider reaching out to Fortinet TAC Support for further assistance.

Jean-Philippe - Fortinet Community Team
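
An offline check for troubleshooting steps 1 and 2 above, added here as an example and not part of the original reply or any Fortinet tooling: it parses the `config vpn certificate ca` section saved from each FortiGate and reports units where the CA is missing or named differently. The CA name, device names and sample sections are constructed, and it assumes a synced CA shows up on downstream units in the same section under the same name.

```python
def parse_ca_entries(config_text):
    """Map CA name -> {setting: value} from a 'config vpn certificate ca' section."""
    entries, current, in_section = {}, None, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config vpn certificate ca":
            in_section = True
        elif not in_section:
            continue
        elif line == "end":
            in_section = False
        elif line.startswith("edit "):
            current = line[5:].strip().strip('"')
            entries[current] = {}
        elif line.startswith("set ") and current is not None:
            parts = line.split(None, 2)
            if len(parts) == 3:
                entries[current][parts[1]] = parts[2]
        elif line == "next":
            current = None
    return entries

def audit_fabric_ca(ca_name, root_cfg, downstream_cfgs):
    """Return (device, problem) pairs for the CA that signs the EMS certificate."""
    findings = []
    root = parse_ca_entries(root_cfg)
    if ca_name not in root:
        findings.append(("root", "CA not present"))
    elif root[ca_name].get("fabric-ca") != "enable":
        findings.append(("root", "fabric-ca not enabled"))
    for device, cfg in downstream_cfgs.items():
        names = parse_ca_entries(cfg)
        if ca_name in names:
            continue
        # A case-only difference is reported as a name mismatch (step 2).
        near = [n for n in names if n.lower() == ca_name.lower()]
        problem = f"name mismatch: {near[0]}" if near else "CA not present"
        findings.append((device, problem))
    return findings

# Constructed sample sections (CA and device names are made up).
ROOT_CFG = 'config vpn certificate ca\n    edit "Example_EMS_CA"\n        set fabric-ca enable\n    next\nend\n'
DOWNSTREAM = {
    "core": ROOT_CFG,
    "isfw-1": "config vpn certificate ca\nend\n",
    "isfw-2": 'config vpn certificate ca\n    edit "example_ems_ca"\n    next\nend\n',
}

if __name__ == "__main__":
    for device, problem in audit_fabric_ca("Example_EMS_CA", ROOT_CFG, DOWNSTREAM):
        print(f"{device}: {problem}")
```
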
Cajuntank
Author
Contributor III
March 4, 2026

Going through this now. I do note that I am seeing this CA on my edge FortiGate with the fabric-ca enable command already set, then my next hop is a core FortiGate and it too has the CA with the fabric-ca enable command, then that is where my issue seems to be as my connecting ISFW FortiGates, that connect in from my WAN to that core, do not have that CA cert synced out to them (again, the core has that fabric-ca enable set too). Will post back with what I discover on some debugs.