Description
This article addresses the following Frequently Asked Questions concerning FortiGate Cloud:
- 'Invalid Username or Password'/'FortiCloud Internal Error'/'HTTP 400' message while activating FortiGate Cloud Account on FortiGate.
- 'Can log into FortiGate Cloud portal but cannot activate FortiGate Cloud account on FortiGate device with the same set of credentials'.
- 'How to transfer FortiGate devices in account A to account B within the same domain'.
- 'How to activate FortiGate Cloud account on HA-paired FortiGate devices'.
- 'How to bring management tunnel status up on FortiGate device'.
- 'What to do if FortiGate device stays in inactive state for more than 24 hours'.
- 'What to do if FortiGate Cloud activation is successful on device but cannot see it in portal'.
- 'How to move a device from global service to Europe service, or vice versa'.
- 'How to remote access to a FortiGate device from the portal'.
- 'How to activate FortiGate Cloud with a different email from FortiCare account (web UI does not allow user to)'.
- 'What to do if the Migrate notice still appears after successful migration'.
- 'What to do if FortiDeploy seems not to be working'.
- 'What to do if FortiGate does not upload logs'.
- 'What to do if logs cannot be retrieved from FortiGate when data source is set as FortiGate Cloud'.
- 'What to do to export more than 1000 lines of logs'.
- 'What to do if daily report cannot be received by email'.
- 'Why there are no files submitted to Sandbox scan'.
- 'What the Public IP addresses and ports used by FortiGate Cloud are'.
- 'What the backup retention provided by FortiGate Cloud is'.
- 'How auto backup works'.
- 'What happens with the cloud log retention when the subscription expires'.
Scope
FortiGate Cloud.
Solution
Q: 'Invalid Username or Password'/'FortiCloud Internal Error'/'HTTP 400' message while activating FortiGate Cloud Account on FortiGate.
Answer:
Ensure the device can ping logctrl1.fortinet.com or globallogctrl.fortinet.net (the anycast FortiADC hostname for devices running FortiOS v6.4.0 or later), and that port 443 is not blocked by any network policy.
Check that the password is no more than 20 characters long.
For FortiOS v5.4 or lower, special characters in passwords are not supported by FortiOS.
Devices in an HA pair must be activated from the master device; doing so activates the whole pair. Activation on the slave unit will fail.
If the issue persists, enable FortiGate Cloud debugging in the CLI, then log in with the following commands:
config system global
get <----- This will obtain the timezone of the device.
end
diagnose debug console timestamp enable <----- This will show the datetime stamp for the debug logs.
execute ping logctrl1.fortinet.com
execute telnet <IP resolved above> 443
diagnose debug app forticldd -1
diagnose debug enable
execute fortiguard-log login <emailaddress> <password>
Then send the output to Fortinet support for investigation.
For an HTTP 400 error, also enable httpsd debugging:
diagnose debug app httpsd -1
Q: It is possible to log into the FortiGate Cloud portal, but not to activate the FortiGate Cloud account on a FortiGate device with the same set of credentials.
Answer:
For FortiOS v5.4 or lower, special characters in passwords are not supported by FortiOS, so it will send garbage data to the FortiGate Cloud server when trying to activate.
Solutions: either remove the special characters from the password, or upgrade the FortiGate device's firmware to v5.6 or newer.
Another possibility is that the user tried to activate FortiGate Cloud on a device with the wrong password several times within a short period, in which case the originating IP is blocked for a period of time. In such cases, first log in to the FortiGate Cloud portal from behind the same IP address, then try activation on the device again.
Q: How to transfer FortiGate devices in account A to account B within the same domain.
Answer:
Log in to the FortiGate Cloud portal with account A.
Go to the home page -> FortiGate -> Select the gear wheel logo -> Select 'Authorize New Account' -> Enter account email B.
Log on locally to the FortiGate device's web UI.
Log out of account A, then log in with account email B.
Historical data will be moved to account B.
If Authorize New Account is not set, or if it is set but the customer tries to log in with an account other than B, the device will be displayed as un-deployed under account A, and no historical data will be moved to the new account.
If Authorize New Account is set, but the customer undeploys the device before logging in with B, historical data will not be moved to the new account.
Q: How to activate the FortiGate Cloud account on HA-paired FortiGate devices.
Answer:
Log on to the web UI of the master device.
Activate FortiGate Cloud on the master device.
Note: FortiGate Cloud activation on the master device will also activate the FortiGate Cloud account on the slave device.
There is also another method to activate FortiGate Cloud on HA devices:
- Disable the HA configuration on both devices.
- Activate FortiGate Cloud on each individual device.
- Enable the HA configuration.
Q: How to bring the management tunnel status up on the FortiGate device.
Answer:
In the device CLI, type in the following:
config system central-management
set type fortiguard
end
diagnose fdsm contract-controller-update
fnsysctl killall fgfmd
Q: What to do if the FortiGate device stays in an inactive state for more than 24 hours.
Answer:
Check the network settings and make sure nothing is blocking port 443.
Telnet to logctrl1.fortinet.com or globallogctrl.fortinet.net (if FortiOS supports anycast) through port 443.
Log out of the FortiGate Cloud account in the device's web UI, then log in again.
Q: What to do if FortiGate Cloud activation is successful on the device but cannot be seen in the portal.
Answer:
This has two main causes: the device may be deployed to a different FortiGate Cloud account, or it may be deployed to a different FortiGate Cloud region.
- Only the account owner and permitted IAM users may access the device in FortiGate Cloud. A legacy FortiCloud subuser does not have access to view the account's FortiGate devices in FortiGate Cloud. See FortiGate Cloud 25.3a Administration Guide | User Management for instructions on creating IAM users for use with FortiGate Cloud.
- When a new device is added to FortiGate Cloud, it can be dispatched automatically to the Global or the European FortiGate Cloud region based on its IP geo-location. On applicable FortiOS versions, it is also possible to select the desired region during FortiGate Cloud activation. Check for the device on the Global, Europe, and US regions. See the article Technical Tip: FortiGate Cloud switch region for a demonstration of changing the selected region of the FortiGate Cloud portal.
Q: How to move a device from the Global region to the Europe region, or vice versa.
Answer:
Log in to the FortiGate Cloud global site.
Un-deploy the device and verify it is back in the inventory.
Switch to the European site.
Go to the inventory and deploy the device.
Q: How to gain remote access to a FortiGate device from the portal.
Answer:
- The central management setting must be set to FortiGate Cloud.
- Management tunnel status must be up (refer to the instructions above on how to bring the management tunnel up).
- FortiGate must be running firmware that supports remote access from FortiGate Cloud. See Troubleshooting Tip: FortiGate Cloud showing a white screen for more information.
- Read-write access to FortiGate through FortiGate Cloud requires a FortiGate Cloud subscription.
Select the remote access icon on the device list page. Note that t
Q: How to activate FortiGate Cloud with a different email from the FortiCare account (web UI does not allow the user to enter another email).
Answer:
In the CLI, enter the following command. The email address and password must match a primary user on an existing FortiCare account.
execute fortiguard-log login <emailaddress> <password>
Q: What to do if the Migrate notice still appears after a successful migration.
Answer:
The Migrate notice appears when FortiOS detects different emails used for FortiCare and FortiGate Cloud.
There is a known issue with FortiOS where email verification is case-sensitive. For example, Abc@mail.com and abc@mail.com are considered to be different.
The workaround is to change the FortiCare account email to all lowercase letters.
Q: What to do if FortiDeploy does not work.
Answer:
Make sure FortiManager settings are correct.
Confirm that the central management setting on the device is set to FortiGate Cloud.
Verify the device can connect to logctrl1.fortinet.com via port 443.
Import the device to the inventory by device key.
Deploy the device to FortiManager, then power up the device (if the device has already powered up, run 'execute fortiguard-log join' in the CLI).
If the device key has already been used and cannot be used again, log in to the device's web UI and activate FortiGate Cloud by logging in.
Q: What to do if FortiGate does not upload logs.
Answer:
In the CLI, gather debug logs from the following commands:
execute telnet <log server> 514 <----- Replace <log server> with the FortiGate Cloud log server the device resolves.
diagnose test app forticldd 1
diagnose test app miglogd 6
diagnose debug app miglogd -1
diagnose debug enable
Q: What to do if logs cannot be retrieved from FortiGate when the data source is set as FortiGate Cloud.
Answer:
Make sure the logs can be seen on the FortiGate Cloud portal.
In poor network conditions, increase the timeout period to avoid connection timeouts with the following CLI commands:
config log fortiguard setting
set conn-timeout 120
end
Q: What to do to export more than 1000 lines of logs.
Answer:
Q: What to do if the daily report cannot be received by email.
Answer:
Make sure the scheduled report has been generated.
Make sure the correct email address has been added.
Q: Why are there no files submitted to the Sandbox scan.
Answer:
Check FortiGate settings.
For a FortiGate running on firmware versions older than v6.2.0:
- Make sure FortiGate Cloud has been activated.
- In the web UI, go to 'Security Profile' -> 'AntiVirus', and check 'Suspicious Files Only' or 'All Supported Files'.
- In the web UI, go to 'Policy & Objects' -> 'IPv4 Policy' -> Enable AntiVirus for the policy being used.
For a FortiGate running on firmware v6.2.0 or later:
- In the web UI, go to 'System' -> 'Feature Visibility', and enable 'FortiSandbox Cloud'.
- In the web UI, go to 'Security Fabric' -> 'Settings', and enable 'Sandbox Inspection'.
- In the web UI, go to 'Security Profile' -> 'AntiVirus', and check 'Suspicious Files Only' or 'All Supported Files'.
- In the web UI, go to 'Policy & Objects' -> 'IPv4 Policy' -> Enable 'AntiVirus' for the policy being used.
Q: The public IP addresses and ports used by FortiGate Cloud.
Answer:
Global: 208.91.113.0/24, 173.243.132.0/24.
Japan: 148.230.40.0/24.
EU: 154.52.10.0/24, 154.45.6.0/24.
US: 154.52.4.0/24, 209.40.117.0/24.
FortiGate Cloud can also use IP addresses maintained in Internet service database objects 'Fortinet-FortiCloud' and 'Fortinet-FortiSandbox'.
Past Japan IP Ranges:
- 210.7.96.0/24.
- 208.91.113.0/24, 173.243.132.0/24 (mixed with global).
Past EU IP Ranges:
- Germany: 81.201.100.224/27, 81.201.101.192/26, 62.209.37.64/26.
- France: 154.45.6.0/24.
TCP ports: 80, 443, 514, 541; UDP ports: 5246, 5247.
Q: What backup retention is provided by FortiGate Cloud.
Answer:
Currently, there are no storage limits for the backup. For licensed devices, the retention period is 1 year; for unlicensed devices, the retention period is 7 days.
Q: How does auto backup work?
Answer:
Whether set to Per Session or Per Day, a backup is only triggered by setting changes on the FortiGate (made either from the FortiGate or from FortiCloud). In other words, FortiCloud does nothing if no change is made to the FortiGate settings.
'Per Session' works on a silence period, which is 600 seconds by default. For example, if the FortiGate settings are changed at 10:00 am, FortiCloud schedules an auto backup 600 seconds later. If there are no further changes on the FortiGate within those 600 seconds, FortiCloud creates a backup at 10:10 am; otherwise, any change during those 600 seconds resets the timer and FortiCloud reschedules the auto backup.
The mechanics of 'Per Day' are the same as 'Per Session'. The difference is that with 'Per Session', FortiCloud keeps a backup revision for every session that happens in a day, while with 'Per Day', FortiCloud keeps only the latest backup revision of that day, no matter how many sessions occurred.
For the time being, the alert email is only available in the case of Per Session, and the backup revision is not attached to the email.
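As an added illustration (not Fortinet's code), the following Python simulation models the silence-period timer and the two retention modes described above. The change timestamps are constructed sample data; the 600-second default is the one stated in the article.

```python
from datetime import datetime, timedelta
from typing import Dict, List

# Default 'Per Session' silence period from the article.
SILENCE = timedelta(seconds=600)


def schedule_backups(changes: List[datetime], silence: timedelta = SILENCE) -> List[datetime]:
    """Return the times at which an auto backup would be created.

    Each setting change starts (or resets) a silence timer.  A backup is
    created only when the timer expires with no further change; with no
    changes at all, nothing is backed up.
    """
    backups: List[datetime] = []
    pending = None  # expiry time of the running timer, if any
    for change in sorted(changes):
        if pending is not None and change >= pending:
            # The previous session stayed quiet long enough: it was backed up.
            backups.append(pending)
        pending = change + silence  # start a new timer, or reset the running one
    if pending is not None:
        backups.append(pending)
    return backups


def retain(backups: List[datetime], mode: str) -> List[datetime]:
    """Apply the retention rule: keep every revision ('per_session') or only
    the latest revision of each day ('per_day')."""
    if mode == "per_session":
        return list(backups)
    if mode == "per_day":
        latest: Dict = {}
        for b in backups:
            latest[b.date()] = b  # backups are chronological, so the last one wins
        return list(latest.values())
    raise ValueError(f"unknown mode: {mode}")


def at(day: int, hour: int, minute: int = 0) -> datetime:
    """Constructed sample timestamps (January 2024; the year is arbitrary)."""
    return datetime(2024, 1, day, hour, minute)


if __name__ == "__main__":
    # Constructed change history: two edits five minutes apart, one in the
    # afternoon, and one the next morning.
    changes = [at(1, 10, 0), at(1, 10, 5), at(1, 14, 0), at(2, 9, 0)]
    sessions = schedule_backups(changes)
    print("per session:", [b.strftime("%d %H:%M") for b in sessions])
    print("per day:    ", [b.strftime("%d %H:%M") for b in retain(sessions, "per_day")])
```

The second change at 10:05 resets the timer, so the first session is backed up at 10:15 rather than 10:10, and 'Per Day' keeps only the 14:10 revision for the first day.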
Q: What happens with the cloud log retention when the subscription expires.
Answer:
If the device's contract has expired, all of the logs gathered on FortiGate Cloud, which is up to a year's worth of logs, will remain in the database for an additional 30 days.
During this grace period, the option is available to either renew the subscription or download all of the logs. After the grace period, any logs that are older than 7 days will be deleted automatically and cannot be recovered.