Andy_G
Staff
Staff

Description

This article addresses the following Frequently Asked Questions concerning FortiGate Cloud:
  • "Invalid Username or Password" /"FortiCloud Internal Error" /”HTTP 400” message while activating FortiGate Cloud Account on FortiGate
  • I can log into FortiGate Cloud portal but cannot activate FortiGate Cloud account on FortiGate device with the same set of credentials
  • How to transfer FortiGate devices in account A to account B within the same domain
  • How to activate FortiGate Cloud account on HA-paired FortiGate devices
  • How to bring management tunnel status up on FortiGate device
  • What to do if my FortiGate device stays in inactive state for more than 24 hours
  • What to do if FortiGate Cloud activation is successful on device but cannot see it in portal
  • How to move a device from global service to Europe service, or vice versa
  • How to remote access to a FortiGate device from portal
  • How to activate FortiGate Cloud with a different email from FortiCare account (webUI does not allow user to
  • What to do if the Migrate notice still appears after successful migration
  • What to do if FortiDeploy seems not working
  • What to do if FortiGate does not upload logs
  • What to do if logs cannot be retrieved from FortiGate when data source is set as FortiGate Cloud
  • What to do to export more than 1000 lines of logs
  • What to do if you cannot receive your daily report by email
  • Why are there no files submitted to Sandbox scan
  • What are the Public IP addresses and ports used by FortiGate Cloud?
  • What is the backup retention provided by FortiGate Cloud?
  • How auto backup works?


Solution

Q: "Invalid Username or Password" /"FortiCloud Internal Error" /”HTTP 400” message while activating FortiGateCloud Account on FortiGate
Answer:
 
Ensure the device is able to ping logctrl1.fortinet.com or globallogctrl.fortinet.net (this is the anycast FortiADC hostname for devices running on FOSv6.4.0 or later) and port 443 is not blocked by any network policy
 
Check password is not more than 20 characters in length.
 
For FortiOS v5.4 or lower, special characters in password are not supported by FortiOS.
 
Devices in HA-pair must be activated from the master device but the pair will be activated; activation on the slave unit will fail
 
If issue still persists, enable FortiGateCloud debug in CLI then login with command:
 
#Config system global
#get    (This will get us the timezone of the device)
#end
#diag debug console timestamp enable    (This will show the datetime stamp for the debug logs)
#diag debug app forticldd -1
#diag debug enable
#exec fortiguard-log login
 
And then send the output to Fortinet to investigate
 
For HTTP 400 error, let customer enable HTTP debug: diag debug app httpsd -1
 
 
Q: I can log into FortiGateCloud portal but cannot activate FortiGateCloud account on FortiGate device with the same set of credentials
Answer:
 
For FortiOS v5.4 or lower, special characters in password are not supported by FortiOS, so it will send garbage data to FortiGateCloud server when trying to activate.
 
Solutions to customer: either remove special characters in password, or upgrade FortiGate device's firmware to v5.6 or newer.
 
Another possibility is that if the user tried to activate FortiGateCloud on device with wrong password multiple times within a short period of time, the originating IP will be blocked for a period of time. In such cases, first login to FortiGateCloud portal from behind the same IP address then try activation on device again.
 
 

Q: How to transfer FortiGate devices in account A to account B within the same domain

Answer:
 
Login to FortiGateCloud portal with A.
 
Go to the home page > FortiGate? > click on the gear wheel logo > select Authorize New Account > enter account email B.
 
Logon locally to the FortiGate device's webUI.
 
Logout from account A, then login with account email B.
 
Historical data will be moved to account B.
 
If Authorize New Account is not set, or it is set but customer tries to login with account other than B, the device will be displayed as un-deployed under account A, no historical data will be moved to the new account.
 
If Authorize New Account is set, but the customer un-deploy the device prior to logging in with B, historical data will not be moved to the new account
 
 
Q: How to activate FortiGateCloud account on HA-paired FortiGate devices
Answer:
 
Log on to the webUI of the master device
 
Activate FortiGateCloud on the master device


Note: FortiGateCloud activation on the master device will also activate FortiGateCloud account on the slave device.

There is also another method to activate FortiGateCloud on HA devices:

1. Disable the HA configuration on both devices.
2. Activate FortiGateCloud on each individual device.
3. Enable the HA configuration.
 
 
Q: How to bring management tunnel status up on FortiGate device
Answer: 
 
In device CLI, type in the following:

# config system central-management
# set type fortiguard
# end
# diag fdsm contract-controller-update
# fnsysctl killall fgfmd
 
 
Q: What to do if my FortiGate device stays in inactive state for more than 24 hours
Answer:
 
Check the network settings and make sure nothing is blocking port 443.
 
Can telnet to logctrl1.fortinet.com or globallogctrl.fortinet.net (if FOS support anycast) through port 443.
 
Logout from FortiGateCloud account within device's webUI then login again.
 

Q: What to do if FortiGateCloud activation is successful on device but cannot see it in portal

Answer:
 
When a new device is added to FortiGateCloud, it can be dispatched to the global or the European FortiGateCloud service by its IP geo-location.
 
Check for the device on both the global site and the Europe site.
 
If the device is running on FortiOS version supporting domain selection at login, then user may go directly to global (www.forticloud.com) or Europe (europe.forticloud.com)
 
 
Q: How to move a device from global service to Europe service, or vice versa
Answer:
 
Login to FortiGateCloud global site
 
Un-deploy the device and verify it is back to the inventory

Switch to the European site


Go to the inventory and deploy the device
 
 
Q: How to remote access to a FortiGate device from portal.
Answer:
 
The central management setting must be set to FortiGateCloud
 
Management tunnel status must be up (please refer to above on how to bring management tunnel up)
 
Click on the remote access icon on the device list page
 
 
Q: How to activate FortiGateCloud with a different email from FortiCare account (webUI does not allow user to enter another email)
Answer:
 
In CLI, type in command: execute fortiguard-log login
 
 
Q: What to do if the Migrate notice still appears after successful migration
Answer:
 
The Migrate notice appears when FortiOS detects different emails used for FortiCare and FortiGateCloud
 
There is a known issue on FortiOS that it is not letter case insensitive when verifying an email, for example Abc@mail.com and abc@mail.com are considered as different
 
Workaround is to change the FortiCare account email to all lower-case letters
 
 
Q: What to do if FortiDeploy seems not working
Answer:
 
Make sure FortiManager settings are correct
 
Confirm the central management setting on the device is set to FortiGateCloud
 
Verify the device is able to connect to logctrl1.fortinet.com via port 443
 
Import the device to the inventory by device key
 
Deploy the device to FortiManager then power up the device (if device has already powered up, in CLI: execute fortiguard-log join)
 
If the device key has been used and is invalid to use again, logon to the device’s webUI and activate FortiGateCloud by login
 
 
Q: What to do if FortiGate does not upload logs
Answer:
 
In CLI, gather debug logs for the following commands
 
# execute telnet 514
# diag test app forticldd 1
# diag test app miglogd 6
# diag debug app miglogd -1
# diag debug enable
 
 
Q: What to do if logs cannot be retrieved from FortiGate when data source is set as FortiGateCloud
Answer:
Make sure logs can be seen on FortiGateCloud portal
 
In poor network conditions, increase timeout period to avoid connection timeout with the following in CLI:
 
# config log fortiguard setting
# set conn-timeout 120
# end
 
 
Q: What to do to export more than 1000 lines of logs
Answer:
 
Go to the Log Files page and user will be able to download logs files
 
User may select up to 5 log files for batch download
 
 
Q: What to do if you cannot receive your daily report by email
 
Answer:
 
Make sure the scheduled report has been generated
 
Make sure email address has been added
 
 
Q: Why are there no files submitted to Sandbox scan
Answer:
 
Check FortiGate settings
 
For FortiGate running on firmware older than v6.2.0
 
o    Make sure FortiGateCloud has been activated
o    On webUI, go to "Security Profile" > "AntiVirus", check "Suspicious Files Only" or "All Supported Files"
o    On webUI, go to "Policy & Objects" > "IPv4 Policy" > enable AntiVirus for the policy being used
 
For FortiGate running on firmware v6.2.0 or later
 
o    On webUI, go to "System" > "Feature Visibility", enable "FortiSandbox Cloud"
o    On webUI, go to "Security Fabric" > "Settings", enable "Sandbox Inspection"
o    On webUI, go to "Security Profile" > "AntiVirus", check "Suspicious Files Only" or "All Supported Files"
o    On webUI, go to "Policy & Objects" > "IPv4 Policy" > enable AntiVirus for the policy being used
 
 
Q: What are the Public IP addresses and ports used by FortiGateCloud?
Answer:
 
FortiGate Cloud and FortiAP Cloud:Global and JP IP range (mix): 208.91.113.0/24, 173.243.132.0/24
 
Europe IP range: Germany: 81.201.100.224/27, 81.201.101.192/26, 62.209.37.64/26 France:154.45.6.0/24
 
new JP IP subnet is 210.7.96.0/24, gateway IP 210.7.96.1
 
TCP Port:80,443,514,541 and UDP Port:5246/5247
 
 
Q: What is the backup retention provided by FortiGateCloud?
Answer:
 
Currently, there is no storage limits for the backup.  For licensed devices, the retention period is 1 year; For unlicensed devices, the retention period is 7 days.
 
 
Q: How auto backup works?
Answer:
 
Either Per Session or Per Day, the backup will only be triggered by setting changes on FGTs (either from FGT or FortiCloud). In other words, FortiCloud will do nothing if there is no change on FGT settings;
 
Per Session is a measure of silence period, by default is 600 seconds. For example, if the FGT settings were changed at 10:00am, FortiCloud will schedule an auto backup in 600s. If there are no other changes on FGTs in the following 600 seconds, FortiCloud will do a backup at 10:10am; otherwise, if any changes on the FGT happens in the 600 seconds, the timer will be reset and FortiCloud will re-schedule the auto backup;
 
The mechanics of Per Day is the same as Per Session. The difference is that for Per Session, FortiCloud will keep every backup revision for all the sessions happening in one day, for Per Day, FortiCloud will only keep one latest backup revision in one day, no matter how many sessions.
 
For the time being, the alert email is only available in the case of Per Session, and the backup revision is not attached to the email.



 

 

Contributors