Description
This article addresses the following Frequently Asked Questions concerning FortiGate Cloud:
- 'Invalid Username or Password'/'FortiCloud Internal Error'/'HTTP 400' message while activating FortiGate Cloud Account on FortiGate.
- 'Can log into FortiGate Cloud portal but cannot activate FortiGate Cloud account on FortiGate device with the same set of credentials'.
- 'How to transfer FortiGate devices in account A to account B within the same domain'.
- 'How to activate FortiGate Cloud account on HA-paired FortiGate devices'.
- 'How to bring management tunnel status up on FortiGate device'.
- 'What to do if FortiGate device stays in inactive state for more than 24 hours'.
- 'What to do if FortiGate Cloud activation is successful on device but cannot see it in portal'.
- 'How to move a device from global service to Europe service, or vice versa'.
- 'How to remote access to a FortiGate device from the portal'.
- 'How to activate FortiGate Cloud with a different email from FortiCare account (web UI does not allow user to)'.
- 'What to do if the Migrate notice still appears after successful migration'.
- 'What to do if FortiDeploy seems not to be working'.
- 'What to do if FortiGate does not upload logs'.
- 'What to do if logs cannot be retrieved from FortiGate when data source is set as FortiGate Cloud'.
- 'What to do to export more than 1000 lines of logs'.
- 'What to do if daily report cannot be received by email'.
- 'Why there are no files submitted to Sandbox scan'.
- 'What the Public IP addresses and ports used by FortiGate Cloud are'.
- 'What the backup retention provided by FortiGate Cloud is'.
- 'How auto backup works'.
- 'What happens with the cloud log retention when the subscription expires'.
Scope
FortiGate Cloud.
Solution
Q: 'Invalid Username or Password' /'FortiCloud Internal Error' /'HTTP 400' message while activating FortiGate Cloud Account on FortiGate.
Answer:
Ensure the device is able to ping logctrl1.fortinet.com or globallogctrl.fortinet.net (the anycast FortiADC hostname for devices running FortiOS v6.4.0 or later), and that port 443 is not blocked by any network policy.
Check that the password is no more than 20 characters in length.
For FortiOS v5.4 or lower, special characters in the password are not supported by FortiOS.
Devices in an HA pair must be activated from the master device; this activates the whole pair, while activation attempted on the slave unit will fail.
If the issue still persists, enable FortiGate Cloud debugging in the CLI, then log in with the following commands:
config system global
get <----- This will obtain the timezone of the device.
end
diag debug console timestamp enable <----- This will show the datetime stamp for the debug logs.
exe ping logctrl1.fortinet.com
exe telnet <IP resolved above> 443
diag debug app forticldd -1
diag debug enable
exec fortiguard-log login <emailaddress> <password>
Afterwards, send the output to Fortinet for investigation.
For an HTTP 400 error, also enable httpsd debugging:
diag debug app httpsd -1
Q: It is possible to log into FortiGate Cloud portal, but not to activate the FortiGate Cloud account on a FortiGate device with the same set of credentials.
Answer:
For FortiOS v5.4 or lower, special characters in the password are not supported by FortiOS, so the device sends garbage data to the FortiGate Cloud server when trying to activate.
Solutions: either remove the special characters from the password, or upgrade the FortiGate device's firmware to v5.6 or newer.
Another possibility: if the user tried to activate FortiGate Cloud on the device with a wrong password multiple times within a short period of time, the originating IP is blocked for a period of time. In such cases, first log in to the FortiGate Cloud portal from behind the same IP address, then try activation on the device again.
Q: How to transfer FortiGate devices in account A to account B within the same domain.
Answer:
Log in to the FortiGate Cloud portal with account A.
Go to the home page -> FortiGate -> select the gear wheel icon -> select 'Authorize New Account' -> enter account email B.
Log on locally to the FortiGate device's web UI.
Log out of account A, then log in with account email B.
Historical data will be moved to account B.
If 'Authorize New Account' is not set, or if it is set but the customer logs in with an account other than B, the device is displayed as un-deployed under account A and no historical data is moved to the new account.
If 'Authorize New Account' is set, but the customer un-deploys the device prior to logging in with B, historical data is not moved to the new account.
Q: How to activate FortiGate Cloud account on HA-paired FortiGate devices.
Answer:
Log on to the web UI of the master device.
Activate FortiGate Cloud on the master device.
Note: FortiGate Cloud activation on the master device will also activate FortiGate Cloud account on the slave device.
There is also another method to activate FortiGate Cloud on HA devices:
- Disable the HA configuration on both devices.
- Activate FortiGate Cloud on each individual device.
- Enable the HA configuration.
Q: How to bring management tunnel status up on FortiGate device.
Answer:
In the device CLI, type in the following:
config system central-management
set type fortiguard
end
diag fdsm contract-controller-update
fnsysctl killall fgfmd
Q: What to do if FortiGate device stays in inactive state for more than 24 hours.
Answer:
Check the network settings and make sure nothing is blocking port 443.
Telnet to logctrl1.fortinet.com or globallogctrl.fortinet.net (if the FortiOS version supports anycast) on port 443.
Log out of the FortiGate Cloud account in the device's web UI, then log in again.
Q: What to do if FortiGate Cloud activation is successful on device but cannot be seen in the portal.
Answer:
When a new device is added to FortiGate Cloud, it can be dispatched to the global or the European FortiGate Cloud service by its IP geo-location.
Check for the device on both the global site and the Europe site.
If the device is running a FortiOS version that supports domain selection at login, the user may go directly to the global site (www.forticloud.com) or the Europe site (europe.forticloud.com).
Q: How to move a device from global service to Europe service, or vice versa.
Answer:
Log in to the FortiGate Cloud global site.
Un-deploy the device and verify it is back to the inventory.
Switch to the European site.
Go to the inventory and deploy the device.
Q: How to gain remote access to a FortiGate device from the portal.
Answer:
The central management setting must be set to FortiGate Cloud.
Management tunnel status must be up (refer to the instructions above on how to bring the management tunnel up).
Select the remote access icon on the device list page.
Q: How to activate FortiGate Cloud with a different email from FortiCare account (web UI does not allow user to enter another email).
Answer:
In the CLI, enter the following command:
execute fortiguard-log login <emailaddress> <password>
Q: What to do if the Migrate notice still appears after a successful migration.
Answer:
The Migrate notice appears when FortiOS detects different emails used for FortiCare and FortiGate Cloud.
There is a known issue in FortiOS where the email comparison is case-sensitive. For example, Abc@mail.com and abc@mail.com are considered to be different.
The workaround is to change the FortiCare account email to all lower-case letters.
Q: What to do if FortiDeploy seems to be not working.
Answer:
Make sure FortiManager settings are correct.
Confirm the central management setting on the device is set to FortiGate Cloud.
Verify the device is able to connect to logctrl1.fortinet.com via port 443.
Import the device to the inventory by device key.
Deploy the device to FortiManager then power up the device (if the device has already powered up, run 'execute fortiguard-log join' in the CLI).
If the device key has already been used and cannot be used again, log on to the device's web UI and activate FortiGate Cloud by logging in.
Q: What to do if FortiGate does not upload logs.
Answer:
In the CLI, gather debug logs from the following commands:
execute telnet <log server IP> 514 <----- Replace <log server IP> with the FortiGate Cloud log server address the device resolves to.
diagnose test app forticldd 1
diagnose test app miglogd 6
diagnose debug app miglogd -1
diagnose debug enable
Q: What to do if logs cannot be retrieved from FortiGate when the data source is set as FortiGate Cloud.
Answer:
Make sure logs can be seen on the FortiGate Cloud portal.
In poor network conditions, increase the timeout period to avoid connection timeout with the following in the CLI:
config log fortiguard setting
set conn-timeout 120
end
Q: What to do to export more than 1000 lines of logs.
Answer:
Go to the Log Files page. The user will be able to download log files.
The user may select up to 5 log files for batch download.
Q: What to do if the daily report cannot be received by email.
Answer:
Make sure the scheduled report has been generated.
Make sure the correct email address has been added.
Q: Why there are no files submitted to Sandbox scan.
Answer:
Check FortiGate settings.
For a FortiGate running on firmware versions older than v6.2.0:
- Make sure FortiGate Cloud has been activated
- In the web UI, go to 'Security Profile' -> 'AntiVirus', and check 'Suspicious Files Only' or 'All Supported Files'.
- In the web UI, go to 'Policy & Objects' -> 'IPv4 Policy' -> Enable AntiVirus for the policy being used.
For a FortiGate running on firmware v6.2.0 or later:
- In the web UI, go to 'System' -> 'Feature Visibility', and enable 'FortiSandbox Cloud'.
- In the web UI, go to 'Security Fabric' -> 'Settings', and enable 'Sandbox Inspection'.
- In the web UI, go to 'Security Profile' -> 'AntiVirus', and check 'Suspicious Files Only' or 'All Supported Files'.
- In the web UI, go to 'Policy & Objects' -> 'IPv4 Policy' -> Enable 'AntiVirus' for the policy being used.
Q: The Public IP addresses and ports used by FortiGate Cloud.
Answer:
FortiGate Cloud and FortiAP Cloud:
Global and JP IP range (mix): 208.91.113.0/24, 173.243.132.0/24.
Europe IP range:
- Germany: 81.201.100.224/27, 81.201.101.192/26, 62.209.37.64/26.
- France: 154.45.6.0/24.
The new JP IP subnet is 210.7.96.0/24, gateway IP 210.7.96.1.
TCP ports: 80, 443, 514, 541; UDP ports: 5246, 5247.
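When a device stays inactive or activation fails on port 443 (see the questions above), the usual cause is an upstream firewall dropping traffic to the ranges listed here. The following added example (not part of the original article) checks constructed firewall deny-log lines against the published FortiGate Cloud ranges and ports so that such blocks can be spotted quickly; the key=value log format and the sample lines are assumptions, not a real product format.

```python
import ipaddress
import re

# Public ranges published for FortiGate Cloud / FortiAP Cloud (taken from the article).
FORTIGATE_CLOUD_RANGES = [ipaddress.ip_network(n) for n in (
    "208.91.113.0/24", "173.243.132.0/24",                          # global and JP (mixed)
    "81.201.100.224/27", "81.201.101.192/26", "62.209.37.64/26",     # Europe: Germany
    "154.45.6.0/24",                                                 # Europe: France
    "210.7.96.0/24",                                                 # new JP subnet
)]
FORTIGATE_CLOUD_PORTS = {
    "tcp": {80, 443, 514, 541},
    "udp": {5246, 5247},
}

# Constructed sample firewall log lines (assumed key=value format, not a real vendor format).
SAMPLE_LOG = """\
src=10.1.1.5 dst=208.91.113.10 proto=tcp dstport=443 action=deny
src=10.1.1.5 dst=208.91.113.10 proto=tcp dstport=514 action=accept
src=10.1.1.9 dst=8.8.8.8 proto=udp dstport=53 action=deny
src=10.1.1.5 dst=210.7.96.20 proto=udp dstport=5246 action=deny
src=10.1.1.5 dst=81.201.100.230 proto=tcp dstport=22 action=deny
"""

LINE_RE = re.compile(r"dst=(\S+)\s+proto=(\w+)\s+dstport=(\d+)\s+action=(\w+)")


def is_fortigate_cloud_flow(dst, proto, port):
    """True when dst lies in a FortiGate Cloud range AND the port is one the service uses."""
    try:
        addr = ipaddress.ip_address(dst)
    except ValueError:
        return False
    in_range = any(addr in net for net in FORTIGATE_CLOUD_RANGES)
    return in_range and port in FORTIGATE_CLOUD_PORTS.get(proto.lower(), set())


def find_blocked_cloud_flows(log_text):
    """Return (dst, proto, port) for every denied flow that FortiGate Cloud relies on."""
    blocked = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # unparseable line; skip rather than guess
        dst, proto, port, action = m.group(1), m.group(2).lower(), int(m.group(3)), m.group(4)
        if action.lower() != "deny":
            continue
        if is_fortigate_cloud_flow(dst, proto, port):
            blocked.append((dst, proto, port))
    return blocked


if __name__ == "__main__":
    for dst, proto, port in find_blocked_cloud_flows(SAMPLE_LOG):
        print(f"FortiGate Cloud traffic blocked: {dst} {proto}/{port}")
```

Only flows that match both a published range and a published port are reported; the denied 22/tcp line to a German address is in range but not a FortiGate Cloud port, so it is left alone.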
Q: What backup retention is provided by FortiGate Cloud.
Answer:
Currently, there are no storage limits for backups. For licensed devices, the retention period is 1 year; for unlicensed devices, the retention period is 7 days.
Q: How auto backup works.
Answer:
Whether 'Per Session' or 'Per Day' is selected, a backup is only triggered by setting changes on the FortiGate (made either from the FortiGate or from FortiCloud). In other words, FortiCloud does nothing if no change is made to the FortiGate settings.
'Per Session' is defined by a silence period, which is 600 seconds by default. For example, if the FortiGate settings are changed at 10:00am, FortiCloud schedules an auto backup in 600 seconds. If there are no other changes on the FortiGate in the following 600 seconds, FortiCloud creates a backup at 10:10am; otherwise, if any change on the FortiGate occurs during those 600 seconds, the timer is reset and FortiCloud re-schedules the auto backup.
The mechanics of 'Per Day' are the same as 'Per Session'. The difference is that for 'Per Session', FortiCloud keeps every backup revision for all the sessions happening in one day, while for 'Per Day', FortiCloud only keeps the latest backup revision in one day, no matter how many sessions occurred.
For the time being, the alert email is only available for 'Per Session', and the backup revision is not attached to the email.
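The silence-period rule above is easy to misread, so here is an added model of it (example code, not FortiCloud's own implementation) that replays a constructed list of change timestamps through the timer and then applies the 'Per Session' versus 'Per Day' retention rule. The 600-second default is from the article; the assumption that a change arriving exactly at timer expiry still lets the backup fire is the example's own.

```python
from datetime import datetime, timedelta

SILENCE_PERIOD = timedelta(seconds=600)  # FortiCloud default from the article


def schedule_backups(change_times, silence=SILENCE_PERIOD):
    """Return the timestamps at which auto backups fire.

    Every settings change (re)arms a timer for `silence`; a backup is created only
    when the timer expires without another change. Assumption: a change that lands
    exactly at expiry counts as arriving after the backup fired.
    """
    backups = []
    pending = None  # time the armed timer would fire, or None if idle
    for t in sorted(change_times):
        if pending is not None and t >= pending:
            backups.append(pending)  # the previous session went quiet; backup was taken
        pending = t + silence        # (re)arm the timer from this change
    if pending is not None:
        backups.append(pending)      # the final session eventually goes quiet too
    return backups


def retained_revisions(backups, mode):
    """Apply the retention rule: keep all revisions ('per-session') or one per day ('per-day')."""
    if mode == "per-session":
        return list(backups)
    if mode == "per-day":
        latest_per_day = {}
        for b in backups:
            day = b.date()
            if day not in latest_per_day or b > latest_per_day[day]:
                latest_per_day[day] = b
        return sorted(latest_per_day.values())
    raise ValueError(f"unknown mode: {mode}")


# Constructed change events: three edits within 20 minutes, then one the next morning.
SAMPLE_CHANGES = [
    datetime(2024, 1, 10, 10, 0),
    datetime(2024, 1, 10, 10, 5),   # inside the silence window: timer reset to 10:15
    datetime(2024, 1, 10, 10, 20),  # after 10:15: backup at 10:15 fired, new timer to 10:30
    datetime(2024, 1, 11, 9, 0),    # next day: backup at 10:30 fired, timer to 09:10
]

if __name__ == "__main__":
    fired = schedule_backups(SAMPLE_CHANGES)
    for mode in ("per-session", "per-day"):
        kept = retained_revisions(fired, mode)
        print(mode, [b.strftime("%Y-%m-%d %H:%M") for b in kept])
```

With the constructed events, three backups fire (10:15, 10:30 and 09:10 the next day); 'per-session' keeps all three, while 'per-day' keeps only 10:30 for the first day and 09:10 for the second.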
Q: What happens with the cloud log retention when the subscription expires.
Answer:
If the device's contract has expired, all of the logs gathered on FortiGate Cloud (up to a year's worth) remain in the database for an additional 30 days.
During this grace period, the option is available to either renew the subscription or download all of the logs. After the grace period, any logs older than 7 days are deleted automatically and cannot be recovered.