FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 207420



This article describes how to remedy the tunnel-down indication with FortiGate Cloud.




FortiGate Cloud.




Management Tunnel Down means the unit is not connected to the FortiCloud manager server. For example:


MicrosoftTeams-image (4).png


The following configuration is required on the FortiGate side for the tunnel to work:


config system central-management
    set type fortiguard <--- 


Verify also that the FortiGate is logged in to the correct FortiCloud account:


2023-07-21 16_52_09-FortiWiFi - CZCHYFL2.png


If all the information has been verified and the configuration above is correct, alternatively, it is possible to change the update server location from automatic to either usa or eu under the FortiGuard setting:


config system fortiguard
    set update-server-location [automatic | usa | eu] <--- 



automatic   FortiGuard servers chosen based on closest proximity to FortiGate unit.
usa         FortiGuard servers in United States.
eu          FortiGuard servers in the European Union.


If SD-WAN is used for the WAN connection, try specifying the interface select method to SD-WAN.


config system fortiguard
    set interface-select-method sdwan

If the management tunnel is still down, then try to change the encryption to 'default' under central-management settings 

By default, the enc-algorithm is set to high.


config system central-management

 set enc-algorithm default <--- 


After making the change, restart the forticldd process, which is the FortiCloud process: 


fnsysctl killall forticldd



If having an 'Unable to connect to FortiGuard Servers' error in the firewall, solve that first.


If the issue persists, create a Technical Support ticket of type FortiGate/FortiGate Cloud: Fortinet Support.