Occasionally, FortiGuard sends updates to FortiGates for
existing predefined certificates as part of a certificate bundle
update. In some cases the updated certificate uses a new name,
which the FortiGate then treats as "new configuration".
Such entries appear in the FortiGate configuration under:
# config vpn certificate ca
A CA certificate learned this way cannot be deleted by an admin.
When the FortiGate is managed by FortiManager, the FortiGate
attempts to notify FortiManager of these configuration changes.
If FortiManager does not receive that update, the FortiGate
shows as out-of-sync on FortiManager, and FortiManager may also
attempt to delete the new certificate during the next install.
This problem should only arise on FortiGates running firmware
older than the releases that contain the fix. As of FortiOS
5.6.10, 6.0.5 and 6.2.0, FortiOS no longer records CA certificates
learned from a FortiGuard certificate bundle update in
config vpn certificate ca (tracked as bug ID 517702).
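The following Python script is an added example, not Fortinet code and not part of the original article. It puts the two checks above into a small triage tool: it decides from a FortiOS version string whether the build still records bundle-learned CAs in config vpn certificate ca, and it diffs the FortiGate's config vpn certificate ca entries against FortiManager's copy of the device configuration to list the entries an install from FortiManager would try to delete. It assumes that bundle-learned entries carry "set source bundle" (an assumption about the attribute value; only the entry names are needed for the diff), that branches the article does not list behave as noted in the comments (older than 5.6 affected, newer than 6.2 fixed), and it runs on constructed sample dumps with a hypothetical entry name Bundle_CA_2019 and placeholder PEM bodies.

```python
"""Triage helper for FortiGuard CA-bundle entries that put a FortiGate
out-of-sync on FortiManager. Added example; not Fortinet's code."""
import re
from typing import Dict, List, Tuple

# First release in each branch that contains the fix for bug ID 517702,
# as stated in the article.
FIXED_RELEASES: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (5, 6): (5, 6, 10),
    (6, 0): (6, 0, 5),
    (6, 2): (6, 2, 0),
}


def parse_version(version: str) -> Tuple[int, int, int]:
    """Accept '6.0.4' or the 'v6.0.4,build0231' form from 'get system status'."""
    m = re.match(r"\s*v?(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised FortiOS version string: {version!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3))


def is_affected(version: str) -> bool:
    """True if this build still records FortiGuard bundle CAs as configuration."""
    major, minor, patch = parse_version(version)
    fixed = FIXED_RELEASES.get((major, minor))
    if fixed is None:
        # Assumption: branches older than 5.6 never received the fix and
        # branches newer than 6.2 inherit it; the article lists only 5.6/6.0/6.2.
        return (major, minor) < (5, 6)
    return (major, minor, patch) < fixed


def ca_entries(config_text: str) -> Dict[str, str]:
    """Map each entry in 'config vpn certificate ca' to its 'source' value.

    Only 'edit' / 'next' / 'set source' lines are interpreted, so the
    multi-line PEM body inside 'set ca "..."' is skipped safely."""
    entries: Dict[str, str] = {}
    current = None
    in_block = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config vpn certificate ca":
            in_block = True
            continue
        if not in_block:
            continue
        if line == "end":
            break
        m = re.fullmatch(r'edit "([^"]+)"', line)
        if m:
            current = m.group(1)
            entries[current] = "unknown"
        elif line == "next":
            current = None
        elif current is not None and line.startswith("set source "):
            entries[current] = line.split(None, 2)[2]
    return entries


def at_risk_entries(fortigate_cfg: str, fortimanager_cfg: str) -> List[str]:
    """CA entries on the FortiGate that FortiManager's copy does not know about.

    These are what an install from FortiManager would try to delete while the
    device shows out-of-sync; bundle CAs cannot be deleted by an admin."""
    known_to_fmg = ca_entries(fortimanager_cfg)
    return sorted(n for n in ca_entries(fortigate_cfg) if n not in known_to_fmg)


def triage(version: str, fortigate_cfg: str, fortimanager_cfg: str) -> Dict[str, object]:
    """Combine both checks into one report for a managed FortiGate."""
    risk = at_risk_entries(fortigate_cfg, fortimanager_cfg)
    return {
        "fortios_version": version,
        "records_bundle_cas": is_affected(version),
        "at_risk_entries": risk,
        "action": ("enable auto-update on FortiManager, then retrieve and install"
                   if risk else "no FortiManager-side action needed"),
    }


# Constructed sample dumps (not real device output): placeholder PEM bodies,
# and 'Bundle_CA_2019' is a hypothetical bundle-learned entry name.
FORTIGATE_CFG = '''config vpn certificate ca
    edit "Fortinet_CA"
        set ca "-----BEGIN CERTIFICATE-----
MIIBplaceholderNotARealCertificate
-----END CERTIFICATE-----"
        set source factory
    next
    edit "Bundle_CA_2019"
        set ca "-----BEGIN CERTIFICATE-----
MIIBplaceholderNotARealCertificate
-----END CERTIFICATE-----"
        set source bundle
    next
end
'''

FORTIMANAGER_CFG = '''config vpn certificate ca
    edit "Fortinet_CA"
        set ca "-----BEGIN CERTIFICATE-----
MIIBplaceholderNotARealCertificate
-----END CERTIFICATE-----"
        set source factory
    next
end
'''

if __name__ == "__main__":
    for key, value in triage("v6.0.4,build0231", FORTIGATE_CFG, FORTIMANAGER_CFG).items():
        print(f"{key}: {value}")
```

Feed it the output of "show vpn certificate ca" from the FortiGate and the same section from FortiManager's device database; a non-empty at_risk_entries list on an affected build is exactly the state in which the next install would try to remove the bundle CA.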
The most common reason for this is that auto-update is
disabled on the FortiManager:
# config system admin setting
set auto-update disable
Auto-update is enabled by default, but some administrators
choose to disable it so that all changes are made only on the
FortiManager.
Even if a FortiManager had auto-update enabled at the time of
the certificate update, it is still possible that auto-update might
To allow FortiManager to learn about the configuration change
from the FortiGate, try one of the following:
1) Enable auto-update on FortiManager.
This may be sufficient if the FortiGates are still attempting
to resend their auto-updates. Auto-update is the preferred method.
If auto-update is insufficient, a retrieve should correct the
issue. After a retrieve, the policy package status shows as
"Unknown" for that FortiGate, and a further Install is required
to correct the package status.
2a) Manually issue a retrieve from the FortiManager for each
FortiGate.
If the number of managed FortiGates is large, you can use the
following method to trigger the retrieve instead:
2b) Run a script with the following command against the remote
FortiGates to trigger a retrieve: