FortiGate
Article Id 273578
Description This article describes how to resolve a FortiGate Central Management status of 'Not Managed' for the FortiGate Cloud connection.
Scope FortiGate.
Solution

The connection status 'Not Managed' indicates that the FortiGate is not connected to the FortiGate Cloud management server.

 

[Screenshot: Not managed.png]

[Screenshot: fortigate cloud- Not activated.png]

Make sure that FortiGate is under the Product Lists of the FortiCloud Account. Sometimes, FortiGate can be under decommissioned units. In this case, the FortiGate should be moved back to the Product Lists:


[Screenshot: Forticloud.png]

 

At the FortiGate end, make sure FortiGate is logged in to the proper FortiGate Cloud account and the correct region is configured on both ends.

 

[Screenshot: europe location.png]

 

Even if the FortiGate Cloud status shows Activated, the Central Management status will show 'Not Managed' if there is an issue building the TCP port 541 connection to FortiGate Cloud.

 

[Screenshot: fortigate cloud status.png]

 

Validating connection to FortiGuard rating servers with 'diagnose debug rating' can be useful to quickly verify connection to FortiGuard servers, although it does not directly test the reachability of the FortiGate Cloud management servers.

diagnose debug rating

 

If the output shows an 'F' flag for all servers, as in the screenshot below, this likely indicates there is an issue reaching FortiGuard servers.

 

[Screenshot: rating.png]

 

Validate the FortiGate connection status to FortiGuard servers.

 

[Screenshot: unable to connect to fortiguard.png]

 

If the error 'Unable to connect to FortiGuard servers' is displayed as above, troubleshoot the FortiGuard reachability issue first. See the following article: Troubleshooting Tip: Unable to connect to FortiGuard servers

 

After fixing the FortiGuard reachability issue, validate the FortiGate Cloud management connection status.

diagnose fdsm central-mgmt-status
Connection status: Up
Registration status: Registered
Serial: fortigatecloud.fort

diagnose test application forticldd 10

Server: manager, task=0/100, watchdog is off
Domain name: g96.fortigate.forticloud.com  <----- If no domain name, troubleshoot FortiGuard connectivity.
Address of manager: 1
173.243.132.130:443 <-- if no IP address, troubleshoot DNS connectivity but note the lack of an IP address here can be a false negative.
Source IP: 0.0.0.0
Source IP6: [::]
Statistics: total=6, discarded=0, sent=6, last_updated=18091 secs ago
http connection: is not in progress
Current address: 173.243.132.130:443
Source IP: 0.0.0.0:0
Calls: connect=12, rxtx=24
Current tasks number: 0
Local management id: XXXYYYZZZ

 

Check the DNS settings and make sure that the DNS servers are not 'Unreachable':

[Screenshot: 1.jpg]

From the Firewall CLI:

 

config system dns
    set primary 96.45.45.45
    set secondary 96.45.46.46
    set protocol dot      <----- Set protocol cleartext.
    set interface-select-method specify      <----- Set interface-select-method auto.
    set interface "port3"
end

 

config system dns
    set primary 96.45.45.45
    set secondary 96.45.46.46
    set protocol cleartext
    set interface-select-method auto
end

 

[Screenshot: 2.jpg]

 

After the DNS comes up, the connection status will show 'connected.'

 

If the above commands do not resolve the issue and logs are still not sent to the FortiCloud, restart the FortiGate log daemon by running the command:

 

fnsysctl killall forticldd

 

Note:

The 'fnsysctl' command requires Super_admin (administrator account with super_admin permission profile) access to execute. FortiGate will produce an error otherwise. The error will also be produced if the system is running in FIPS-CC mode as the command is intentionally disabled. For further information, see the following KB articles:

 

FortiGate central-management connections to FortiGate Cloud or FortiManager require outbound TCP port 541 to be allowed on the upstream device; see FortiOS v7.6.0 FortiOS Ports | Outgoing Ports.

 

To confirm if a TCP 541 connection between the FortiGate and FortiGate Cloud is working, run a packet capture in FortiGate while executing the following command:

 

fnsysctl killall fgfmd

 

To capture the relevant packets, run the CLI commands below or use the Packet Capture feature in the GUI.

 

CLI:

 

diagnose sniffer packet any 'port 541' 4 0 l

 

Or:

 

diagnose sniffer packet any 'port 541' 6 0 l

 

If the issue persists, create a Technical Support ticket with the FortiGate serial number: Fortinet Support.

 

For example, when running the following debug commands on the Firewall:

 

diagnose debug console time enable
diagnose debug application forticldd -1
diagnose fdsm contract-controller-update
diagnose debug enable
diagnose debug application fgfmd -1
fnsysctl killall fgfmd

 

If the output shows 'fgfm_fqdn_connect fail,' this indicates a connection issue between FortiGate and FortiGate Cloud.

 

2025-08-29 11:36:32 FGFMs: Timeout for sock.
2025-08-29 11:36:33 FGFMs: __session_cb,113: fgfm_fqdn_connect fail.
2025-08-29 11:36:33 FGFMs: Cleanup session 0xa48d1b0, 173.243.132.118.
2025-08-29 11:36:33 FGFMs: Destroy session 0xa48d1b0, 173.243.132.118.

 

If a packet sniffer shows small TCP packets receiving responses but large ones receiving no response, there may be an MTU issue on the firewall's WAN interfaces.

 

[Screenshot: Screenshot3.png]

  

If an MTU issue is indicated, set a lower MTU on the device's WAN interfaces as follows.

 

config system interface
    edit <port_ID>
        set mtu-override enable
        set mtu 1460
    next
end

 

When the SSL connection to the FortiGate Cloud management server succeeds, the fgfmd debug shows 'fgfm_fqdn_connect successful':

 

2025-09-12 09:58:21 FGFMs: client:
reply 200
overwrite_fmgid=1
request=ip
ip=169.254.96.102
mgmtid=842317588
register_status=1


2025-09-12 09:58:21 FGFMs: tun_fgfm device opened for (169.254.96.102)
2025-09-12 09:58:21 FGFMs: setting session 0xa48d1b0 exclusive=0
2025-09-12 09:58:21 FGFMs: __session_cb,117: fgfm_fqdn_connect succcesful.
2025-09-12 09:58:31 FGFMs: client:send:
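
An added example, not part of the original article or of Fortinet tooling: a small Python parser that classifies each fgfm_fqdn_connect result in captured fgfmd debug output, using the log lines shown above as sample input. The function names and the mapping in next_step are assumptions made for illustration; the match is on the 'succ' prefix because the daemon spells the word 'succcesful'.

```python
import re

# Sample input: fgfmd debug lines from this page (client reply body shortened).
SAMPLE = """\
2025-08-29 11:36:32 FGFMs: Timeout for sock.
2025-08-29 11:36:33 FGFMs: __session_cb,113: fgfm_fqdn_connect fail.
2025-08-29 11:36:33 FGFMs: Cleanup session 0xa48d1b0, 173.243.132.118.
2025-08-29 11:36:33 FGFMs: Destroy session 0xa48d1b0, 173.243.132.118.
2025-09-12 09:58:21 FGFMs: client:
reply 200
register_status=1
2025-09-12 09:58:21 FGFMs: tun_fgfm device opened for (169.254.96.102)
2025-09-12 09:58:21 FGFMs: __session_cb,117: fgfm_fqdn_connect succcesful.
"""

LINE = re.compile(r"^(?:(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) )?FGFMs: (.*)$")
RESULT = re.compile(r"__session_cb,\d+: fgfm_fqdn_connect (\w+)")
PEER = re.compile(r"(?:Cleanup|Destroy) session 0x[0-9a-f]+, ([\d.]+)\.$")
TUNNEL = re.compile(r"tun_fgfm device opened for \(([\d.]+)\)")

def triage(text):
    """Return one record per fgfm_fqdn_connect result found in the debug text."""
    attempts, timed_out, tunnel = [], False, None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # body lines such as 'reply 200' have no FGFMs prefix
        ts, msg = m.groups()  # ts is None if console timestamps were not enabled
        if msg.startswith("Timeout for sock"):
            timed_out = True
        elif t := TUNNEL.search(msg):
            tunnel = t.group(1)
        elif r := RESULT.search(msg):
            ok = r.group(1).startswith("succ")  # the daemon prints 'succcesful'
            attempts.append({"time": ts, "ok": ok, "peer": None,
                             "timeout": timed_out and not ok,
                             "tunnel_ip": tunnel if ok else None})
            timed_out, tunnel = False, None
        elif (p := PEER.search(msg)) and attempts and not attempts[-1]["ok"]:
            attempts[-1]["peer"] = attempts[-1]["peer"] or p.group(1)
    return attempts

def next_step(a):
    """Assumed mapping from a record to this article's checks (a heuristic)."""
    if a["ok"]:
        return "tunnel up: confirm with diagnose fdsm central-mgmt-status"
    if a["timeout"]:
        return "socket timeout: check outbound TCP 541 upstream, then WAN MTU"
    return "connect failed: re-check DNS, FortiGuard reachability, account and region"
```

Paste the captured debug text into triage() and pass each returned record to next_step() to see which of the checks in this article to revisit.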

 

The packet sniffer also reflected the results:

 

[Screenshot: Screenshot4.png]

Reprovisioning FortiGate in FortiGate Cloud.

 

If all the steps above are correct, reprovisioning the FortiGate in FortiGate Cloud may clear the error.

 

De-provision the FortiGate:

 

[Screenshot: deprovision.png]

 

Provision the FortiGate again:

 

[Screenshot: reprovision.png]

 

Re-enter the FortiGate Cloud credentials under Security Fabric -> Fabric connectors -> Central management.

 

Note:

Since February 28th, 2025, free FortiGate Cloud accounts without an active subscription (see: Subscription types) will only communicate with FortiOS devices running the latest firmware release of the locally installed version within 7 days of a new GA patch release. For example, if v7.4.X is installed, free FortiGate Cloud expects the latest version of the 7.4 release to be installed in order for the FortiGate Cloud services to be functional. For more details, see the following article: Technical Tip: Security enforcement change for FortiGates provisioned to FortiGate Cloud without act...

 

Related articles:

Technical Tip: FortiGuard Flags and Meanings

Troubleshooting Tip: Unable to connect to FortiGuard servers