FortiGate
ahameed
Staff
Article Id 191380

Description

 

This article describes how to handle an internal server error that occurs when activating the FortiCloud account on FortiGate. This is most often caused by the FortiGate either being unable to resolve the FortiGuard host names or being unable to reach the FortiGuard servers.



Scope

 

Activating cloud-based logging and reporting on FortiGate.


Solution

 

Verify that the FortiGate can resolve the FortiGuard host names and reach the FortiGuard servers.

 

  1. Open the CLI of the FortiGate and run the following commands. First set the source address that ping will use, so the test leaves from the WAN interface rather than from whichever interface the routing table picks:

 

execute ping-options source <ip address of the wan interface>

 

Then ping the FortiGuard service host:

 

execute ping service.fortiguard.net

Unable to resolve hostname.   <----- DNS resolution is failing on the FortiGate; fix DNS in step 2.

 

  2. Go to Network -> DNS, change the DNS server to 'Use FortiGuard Servers' and apply.
  3. Repeat the ping from step 1:

 

execute ping service.fortiguard.net

PING guard.fortinet.net (208.91.112.194): 56 data bytes

64 bytes from 208.91.112.194: icmp_seq=0 ttl=55 time=247.3 ms

64 bytes from 208.91.112.194: icmp_seq=1 ttl=55 time=246.1 ms

64 bytes from 208.91.112.194: icmp_seq=2 ttl=55 time=246.5 ms

64 bytes from 208.91.112.194: icmp_seq=3 ttl=55 time=251.4 ms

64 bytes from 208.91.112.194: icmp_seq=4 ttl=55 time=245.8 ms

 

If the FortiGate still cannot reach service.fortiguard.net, proceed to step 4.

 

  4. If multiple WAN interfaces are used, set the FortiGuard source IP to the address of the WAN interface that worked with the ping in step 1:

 

config system fortiguard

    set source-ip <ip address>    <----- The IP address of the WAN interface which can reach service.fortiguard.net.

end

 

Setting the source IP does not force the traffic out of that interface: the FortiGate still chooses the egress interface from the routing table. In v6.2.4 and above, the egress interface for the FortiGate's self-originated traffic can be selected explicitly:

 

config system fortiguard

    set interface-select-method specify

    set interface <interface>

end

  

  5. Repeat the check from step 1. If the ping succeeds, attempt to activate the FortiCloud account again. If the issue persists, run the following packet capture while attempting to connect to FortiCloud, to verify which source IP and interface are actually used for the connection:

  

diagnose sniffer packet any 'net 208.91.113.0/24 or net 173.243.132.0/24' 4 0 l

 

The source IP and source interface used to connect to the FortiCloud server are specified under 'config log fortiguard setting', as below. They should match the FortiGuard settings configured in step 4.

 

config log fortiguard setting

    set source-ip <ip address>            <----- The IP address of the WAN interface which can reach service.fortiguard.net.

    set interface-select-method specify   <----- The same interface selection method as configured under 'config system fortiguard'.

    set interface <interface>             <----- The same interface as configured under 'config system fortiguard'.

end

 

Note:

Under 'config log fortiguard setting', 'status' is 'disable' by default. This only means that sending logs to FortiCloud is disabled; the source-ip and interface options in this table still apply to the connection used to activate the FortiCloud account.
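The packet capture in step 5 only helps if the output is actually compared against the configured source-ip and interface. The following script is an added example, not part of the original article, that does that comparison offline: it parses the verbose-level-4 output of 'diagnose sniffer packet' (which prints a timestamp, the interface name and the direction before each packet), groups the outbound connections to the two FortiCloud networks named in the capture filter, flags any flow whose source IP or interface differs from what was configured, and flags flows that never received a reply. The sample capture, the interface names wan1/wan2 and the 203.0.113.x/198.51.100.x addresses are constructed for the example and are assumptions, not values from the article.

```python
import ipaddress
import re

# Constructed sample output of the step-5 capture (these lines are made up):
#   diagnose sniffer packet any 'net 208.91.113.0/24 or net 173.243.132.0/24' 4 0 l
# Verbose level 4 prints the interface and direction; 'l' prints a local timestamp.
# The wan1/wan2 names and the 203.0.113.x / 198.51.100.x addresses are assumptions.
SAMPLE_SNIFFER_OUTPUT = """\
interfaces=[any]
filters=[net 208.91.113.0/24 or net 173.243.132.0/24]
2024-01-15 09:12:01.103422 wan1 out 203.0.113.10.49152 -> 208.91.113.5.443: syn 1001
2024-01-15 09:12:01.350918 wan1 in 208.91.113.5.443 -> 203.0.113.10.49152: syn 2001 ack 1002
2024-01-15 09:12:03.004511 wan2 out 198.51.100.7.50211 -> 173.243.132.7.443: syn 3001
2024-01-15 09:12:06.004511 wan2 out 198.51.100.7.50211 -> 173.243.132.7.443: syn 3001
"""

# The two FortiCloud networks used in the article's capture filter.
FORTICLOUD_NETS = [
    ipaddress.ip_network("208.91.113.0/24"),
    ipaddress.ip_network("173.243.132.0/24"),
]

# <date> <time> <interface> <in|out> <src>.<sport> -> <dst>.<dport>: <flags>
LINE_RE = re.compile(
    r"^\S+ \S+ (?P<iface>\S+) (?P<dir>in|out) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<flags>.*)$"
)


def parse_sniffer(text):
    """Return one dict per packet line; header lines such as 'interfaces=[any]' are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def is_forticloud(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in FORTICLOUD_NETS)


def summarize_flows(text):
    """Group outbound packets to FortiCloud by 4-tuple and record whether a reply came back.

    Key: (src, sport, dst, dport) of the outbound direction.
    Value: interface the packet left on, number of packets sent, and whether any
    inbound packet from dst:dport to src:sport was seen.
    """
    flows = {}
    for p in parse_sniffer(text):
        if p["dir"] == "out" and is_forticloud(p["dst"]):
            key = (p["src"], p["sport"], p["dst"], p["dport"])
            flow = flows.setdefault(key, {"iface": p["iface"], "sent": 0, "replied": False})
            flow["sent"] += 1
        elif p["dir"] == "in" and is_forticloud(p["src"]):
            # Reverse the tuple so the reply lands on the outbound flow's key.
            key = (p["dst"], p["dport"], p["src"], p["sport"])
            if key in flows:
                flows[key]["replied"] = True
    return flows


def audit(text, expected_source_ip, expected_interface):
    """Compare each FortiCloud flow against the configured source-ip / interface.

    expected_source_ip and expected_interface are the values set under
    'config system fortiguard' and 'config log fortiguard setting'.
    Returns one human-readable finding per flow that deviates or got no reply.
    """
    findings = []
    for (src, sport, dst, dport), flow in summarize_flows(text).items():
        issues = []
        if src != expected_source_ip:
            issues.append(f"source-ip {src} (expected {expected_source_ip})")
        if flow["iface"] != expected_interface:
            issues.append(f"interface {flow['iface']} (expected {expected_interface})")
        if not flow["replied"]:
            issues.append(f"no reply after {flow['sent']} packet(s)")
        if issues:
            findings.append(f"{src}:{sport} -> {dst}:{dport} via {flow['iface']}: " + "; ".join(issues))
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_SNIFFER_OUTPUT, "203.0.113.10", "wan1"):
        print(line)
```

Paste the real capture into SAMPLE_SNIFFER_OUTPUT (or read it from a file) and pass the source-ip and interface you configured in steps 4 and 5. A flow reported with the wrong source-ip or interface means the 'config log fortiguard setting' values are not aligned with 'config system fortiguard'; a flow reported with no reply means the packets leave the FortiGate but FortiCloud is not reachable on that path, which points back to routing or upstream filtering rather than to the FortiGate configuration.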