Answer:
Ensure the device is able to ping logctrl1.fortinet.com or globallogctrl.fortinet.net (the anycast FortiADC hostname for devices running FOS v6.4.0 or later) and that port 443 is not blocked by any network policy.
Check that the password is not more than 20 characters in length.
For FortiOS v5.4 or lower, special characters in the password are not supported by FortiOS.
Devices in an HA pair must be activated from the master device, which activates the whole pair; activation on the slave unit will fail.
If the issue still persists, enable FortiGateCloud debug in the CLI, then log in, using these commands:
# config system global
# get (this shows the timezone of the device)
# end
# diag debug console timestamp enable (this adds a date/time stamp to the debug logs)
# diag debug app forticldd -1
# diag debug enable
# exec fortiguard-log login
Then send the output to Fortinet to investigate.
For an HTTP 400 error, have the customer enable HTTP debug: diag debug app httpsd -1
Answer:
For FortiOS v5.4 or lower, special characters in the password are not supported by FortiOS, so it will send garbage data to the FortiGateCloud server when trying to activate.
Solutions for the customer: either remove the special characters from the password, or upgrade the FortiGate device's firmware to v5.6 or newer.
Another possibility is that the user tried to activate FortiGateCloud on the device with a wrong password multiple times within a short period of time, in which case the originating IP will be blocked for a period of time. In such cases, first log in to the FortiGateCloud portal from behind the same IP address, then try activation on the device again.
Q: How to transfer FortiGate devices in account A to account B within the same domain
Answer:
Log in to the FortiGateCloud portal with A.
Go to the home page > FortiGate? > click on the gear wheel logo > select Authorize New Account > enter account email B.
Log on locally to the FortiGate device's webUI.
Log out from account A, then log in with account email B.
Historical data will be moved to account B.
If Authorize New Account is not set, or it is set but the customer tries to log in with an account other than B, the device will be displayed as un-deployed under account A and no historical data will be moved to the new account.
If Authorize New Account is set, but the customer un-deploys the device prior to logging in with B, historical data will not be moved to the new account.
Answer:
Log on to the webUI of the master device
Activate FortiGateCloud on the master device
Note: FortiGateCloud activation on the master device will also activate FortiGateCloud account on the slave device.
There is also another method to activate FortiGateCloud on HA devices:
1. Disable the HA configuration on both devices.
2. Activate FortiGateCloud on each individual device.
3. Enable the HA configuration.
Answer: In the device CLI, type in the following:
# config system central-management
# set type fortiguard
# end
# diag fdsm contract-controller-update
# fnsysctl killall fgfmd
Answer:
Check the network settings and make sure nothing is blocking port 443.
Verify the device can telnet to logctrl1.fortinet.com or globallogctrl.fortinet.net (if FOS supports anycast) through port 443.
Log out from the FortiGateCloud account within the device's webUI, then log in again.
Q: What to do if FortiGateCloud activation is successful on device but cannot see it in portal
Answer:
When a new device is added to FortiGateCloud, it can be dispatched to the global or the European FortiGateCloud service by its IP geo-location.
Check for the device on both the global site and the Europe site.
If the device is running a FortiOS version that supports domain selection at login, the user may go directly to global (www.forticloud.com) or Europe (europe.forticloud.com).
Answer:
Log in to the FortiGateCloud global site
Un-deploy the device and verify it is back in the inventory
Switch to the European site
Go to the inventory and deploy the device
Answer:
The central management setting must be set to FortiGateCloud
Management tunnel status must be up (please refer to above on how to bring the management tunnel up)
Click on the remote access icon on the device list page
Answer: In the CLI, type in the command: execute fortiguard-log login
Answer:
The Migrate notice appears when FortiOS detects different emails used for FortiCare and FortiGateCloud.
There is a known issue in FortiOS where email verification is not case-insensitive; for example, Abc@mail.com and firstname.lastname@example.org are considered different.
The workaround is to change the FortiCare account email to all lower-case letters.
Answer:
Make sure FortiManager settings are correct
Confirm the central management setting on the device is set to FortiGateCloud
Verify the device is able to connect to logctrl1.fortinet.com via port 443
Import the device to the inventory by device key
Deploy the device to FortiManager, then power up the device (if the device has already powered up, in CLI: execute fortiguard-log join)
If the device key has been used and is invalid to use again, log on to the device's webUI and activate FortiGateCloud by login
Answer: In the CLI, gather debug logs for the following commands:
# execute telnet 514
# diag test app forticldd 1
# diag test app miglogd 6
# diag debug app miglogd -1
# diag debug enable
Answer:
Make sure logs can be seen on the FortiGateCloud portal
In poor network conditions, increase the timeout period to avoid connection timeouts with the following in the CLI:
# config log fortiguard setting
# set conn-timeout 120
# end
Answer:
Go to the Log Files page, where the user will be able to download log files
The user may select up to 5 log files for batch download
Answer:
Make sure the scheduled report has been generated
Make sure the email address has been added
Answer:
Check FortiGate settings
For FortiGate running on firmware older than v6.2.0
o Make sure FortiGateCloud has been activated
o On webUI, go to "Security Profile" > "AntiVirus", check "Suspicious Files Only" or "All Supported Files"
o On webUI, go to "Policy & Objects" > "IPv4 Policy" > enable AntiVirus for the policy being used
For FortiGate running on firmware v6.2.0 or later
o On webUI, go to "System" > "Feature Visibility", enable "FortiSandbox Cloud"
o On webUI, go to "Security Fabric" > "Settings", enable "Sandbox Inspection"
o On webUI, go to "Security Profile" > "AntiVirus", check "Suspicious Files Only" or "All Supported Files"
o On webUI, go to "Policy & Objects" > "IPv4 Policy" > enable AntiVirus for the policy being used
Answer:
FortiGate Cloud and FortiAP Cloud:
Global and JP IP range (mix): 126.96.36.199/24, 188.8.131.52/24
Europe IP range: Germany: 184.108.40.206/27, 220.127.116.11/26, 18.104.22.168/26; France: 22.214.171.124/24
New JP IP subnet is 126.96.36.199/24, gateway IP 188.8.131.52
TCP ports: 80, 443, 514, 541; UDP ports: 5246/5247
Answer: Currently, there are no storage limits for the backup. For licensed devices, the retention period is 1 year; for unlicensed devices, the retention period is 7 days.
Answer:
With either Per Session or Per Day, the backup is only triggered by setting changes on FGTs (made either from the FGT or from FortiCloud). In other words, FortiCloud will do nothing if there is no change to the FGT settings.
Per Session is a measure of silence period, which by default is 600 seconds. For example, if the FGT settings were changed at 10:00am, FortiCloud will schedule an auto backup in 600s. If there are no other changes on the FGT in the following 600 seconds, FortiCloud will do a backup at 10:10am; otherwise, if any change on the FGT happens within the 600 seconds, the timer will be reset and FortiCloud will re-schedule the auto backup.
The mechanics of Per Day are the same as Per Session. The difference is that for Per Session, FortiCloud keeps every backup revision for all the sessions happening in one day, while for Per Day, FortiCloud only keeps the one latest backup revision in one day, no matter how many sessions there are.
For the time being, the alert email is only available in the case of Per Session, and the backup revision is not attached to the email.
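The quiet-period timer and the two retention modes described above can be traced with a small simulation. This is an added example, not Fortinet code: the function names, the sample change times, and the choices that a change arriving exactly at the 600-second mark does not reset the timer and that "one day" means the calendar day of the backup time are all assumptions.

```python
from datetime import datetime, timedelta

QUIET_PERIOD = timedelta(seconds=600)  # default silence period stated in the answer


def schedule_backups(change_times, quiet=QUIET_PERIOD):
    """Return the times at which an auto backup fires (hypothetical helper).

    Each setting change starts or resets the timer; a backup is taken only
    when the timer expires with no further change. No changes, no backups.
    """
    backups = []
    deadline = None
    for t in sorted(change_times):
        # Assumption: a change exactly at the deadline counts as "after" it.
        if deadline is not None and t >= deadline:
            backups.append(deadline)   # timer ran out before this change
        deadline = t + quiet           # start or reset the timer
    if deadline is not None:
        backups.append(deadline)       # the last pending timer expires
    return backups


def retained_revisions(backups, mode):
    """Apply the retention difference between Per Session and Per Day."""
    if mode == "per-session":
        return list(backups)           # every session's revision is kept
    if mode == "per-day":
        latest = {}
        for b in sorted(backups):
            latest[b.date()] = b       # a later backup replaces the earlier one
        return [latest[d] for d in sorted(latest)]
    raise ValueError(f"unknown mode: {mode}")


# Constructed sample: 10:05 resets the timer started at 10:00.
CHANGES = [
    datetime(2024, 1, 1, 10, 0),
    datetime(2024, 1, 1, 10, 5),
    datetime(2024, 1, 1, 14, 0),
    datetime(2024, 1, 2, 9, 0),
]

if __name__ == "__main__":
    fired = schedule_backups(CHANGES)
    for mode in ("per-session", "per-day"):
        kept = retained_revisions(fired, mode)
        print(mode, [b.isoformat(sep=" ") for b in kept])
```

With the sample input, Per Session keeps three revisions (10:15 and 14:10 on the first day, 09:10 on the second), while Per Day keeps only 14:10 and 09:10.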