FortiGate
kpanchal
Staff
Article Id 371528
Description


This article describes an error that may appear when adding the FortiClient EMS Cloud Fabric connector in FortiGate:

Failed to verify the certificate for server "FortiClientEMSCloud (ID: 1)".
Server certificate or configured certificate is not recognized.


Scope

FortiGate.

Solution


When the error 'Failed to verify the certificate for server "FortiClientEMSCloud (ID: 1)"' appears on a FortiGate, SSL/TLS certificate validation failed while the FortiGate was connecting to FortiClient EMS Cloud. The FortiGate must trust the Certificate Authority (CA) that issued the EMS Cloud server certificate; if that CA is not trusted, verification fails.

The error is common during the first-time integration of EMS Cloud with FortiGate, because the EMS certificate is not yet trusted by the FortiGate. It can also appear after the certificate has been trusted, when there is a connectivity issue between the FortiGate and EMS Cloud. The steps below address that second case by pinning the outgoing interface and source IP used for the EMS Cloud connection.


For example, the FortiGate configuration may look like this. With interface-select-method set to auto and source-ip left at 0.0.0.0, the FortiGate chooses the egress interface and source address itself, and the one it picks may not be able to reach EMS Cloud:

config endpoint-control fctems
    edit 1
        set status enable
        set name "FortiClientEMSCloud"
        set dirty-reason none
        set fortinetone-cloud-authentication enable
        set serial-number ''
        set source-ip 0.0.0.0
        set pull-sysinfo enable
        set pull-vulnerabilities enable
        set pull-avatars enable
        set pull-tags enable
        set pull-malware-hash enable
        unset capabilities
        set call-timeout 30
        set out-of-sync-threshold 180
        set websocket-override disable
        set preserve-ssl-session disable
        set interface-select-method auto
        set trust-ca-cn enable
        set cloud-server-type production
    next
end


To resolve the communication issue with EMS Cloud, explicitly define the outgoing interface and the source IP that the FortiGate uses for that connection:

  1. Change interface-select-method from auto to specify (or to sdwan if EMS Cloud is reached through SD-WAN), and add set interface x, where x is the interface that routes to EMS Cloud:


config endpoint-control fctems
    edit 1
        set interface-select-method specify
        set interface "wan1"
    next
end

The remaining settings stay as shown in the configuration above.


  2. If the issue persists, also replace set source-ip 0.0.0.0 with the IP address of that interface, so that the connection to EMS Cloud is sourced from the interface IP:


config endpoint-control fctems
    edit 1
        set source-ip <IP address of wan1>
        set interface-select-method specify
        set interface "wan1"
    next
end


After changing the configuration, try to connect to EMS Cloud again and verify the connector status. If the issue persists, disable and then re-enable the FortiClient EMS Fabric Connector.
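The following CLI sequence is an added example and is not part of the original article. It ties the steps above together (pin the egress interface and source IP, then re-enable the connector) and adds the checks a practitioner would run to tell a certificate-trust failure apart from a connectivity failure. It reuses the EMS entry name FortiClientEMSCloud and the interface wan1 from the article; the address 192.0.2.10 and the value <EMS Cloud FQDN> are placeholders to be replaced with the real wan1 IP and the EMS Cloud hostname shown in the connector. The diagnose commands are assumed to be those of current FortiOS 7.x releases; their exact output wording varies by version.

```fortios
# 1. Pin the egress interface and the source IP used for the EMS Cloud connection
#    (192.0.2.10 is a placeholder for the wan1 address).
config endpoint-control fctems
    edit 1
        set interface-select-method specify
        set interface "wan1"
        set source-ip 192.0.2.10
    next
end

# 2. Confirm the FortiGate can reach EMS Cloud from that source address.
#    A timeout here is a routing or upstream-filtering problem, not a certificate problem.
execute ping-options source 192.0.2.10
execute ping <EMS Cloud FQDN>
execute telnet <EMS Cloud FQDN> 443

# 3. Run the built-in connectivity test for the EMS entry and dump the connector state.
diagnose endpoint fctems test-connectivity FortiClientEMSCloud
diagnose test application fcnacd 2

# 4. If it still fails, capture the fcnacd debug while the connector is disabled and
#    re-enabled. In the output, note whether the failure is reported at the TCP
#    connect stage (connectivity) or at certificate verification (trust).
diagnose debug reset
diagnose debug console timestamp enable
diagnose debug application fcnacd -1
diagnose debug enable
config endpoint-control fctems
    edit 1
        set status disable
    next
end
config endpoint-control fctems
    edit 1
        set status enable
    next
end
diagnose debug disable
diagnose debug reset

# 5. Optionally confirm on the wire that the TLS session leaves via wan1 from 192.0.2.10.
diagnose sniffer packet wan1 'host 192.0.2.10 and port 443' 4 10 a
```

If step 2 fails, fix routing or upstream filtering before touching certificates; if step 2 succeeds but the debug in step 4 still reports a certificate verification failure, the problem is trust, not connectivity, and re-authorizing the EMS Cloud connector is the next step.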


If the issue still persists after these steps, open a ticket with Fortinet Support.


Related article:
Troubleshooting Tip: 'EMS rejected request data. Error' when connecting FortiClient EMS to the Forti...