Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
nevan
Staff
Staff

Created on ‎12-08-2025 07:18 AM

Article Id 422079

Technical Tip: FortiGate automation stitch repeatedly triggered by system log

Description This article describes the issue of an automation stitch being repeatedly triggered by a system log on a FortiGate device, causing multiple email alerts to be sent. The article provides a step-by-step solution to resolve this issue.
Scope FortiGate.
Solution

To configure the automation stitch for the Cloud server connection and disconnection incident and alert can be sent through Email as well. The following article can be reviewed: Technical Tip: Automation stitch for cloud server connection and disconnection events.

 

After configuration, the connected and disconnected logs can appear as below.

Example Log (FortiGate Cloud server connected):

 

date=2025-11-09 time=11:22:45 devname="FGT60F" devid="FGT60FTK21012345" logid="0100022915" type="event" subtype="system" level="information" vd="root" eventtime=1731153765000000000 logdesc="FortiGate Cloud server connected" msg="FortiGate Cloud server connection established successfully" service="FortiGate Cloud" status="connected" src=192.168.1.99 srcip=192.168.1.99 dst="FortiGate Cloud" dstip=173.243.138.210 srcintf="wan1" srcintfrole="wan" proto=6 duration=2 sentbyte=542 rcvdbyte=612 action="connect" eventid=22915

 

Example Log (FortiGate Cloud server disconnected):

 

date=2025-11-09 time=13:45:09 devname="FGT60F" devid="FGT60FTK21012345" logid="0100022913" type="event" subtype="system" level="warning" vd="root" eventtime=1731162309000000000 logdesc="FortiGate Cloud server disconnected" msg="FortiGate Cloud server connection lost" service="FortiGate Cloud" status="disconnected" src=192.168.1.99 srcip=192.168.1.99 dst="FortiGate Cloud" dstip=173.243.138.210 srcintf="wan1" srcintfrole="wan" proto=6 sentbyte=145 rcvdbyte=60 action="disconnect" eventid=22913 reason="connection timeout"

 

But even though there are no disconnection events, the connected logs are triggering frequently, which can happen when auto-join FortiCloud is enabled.

 

CLI:

config system fortiguard
    set auto-join-forticloud enable<--
end

 

Frequent 'FortiGate Cloud server connected' logs occur when the FortiGate repeatedly re-establishes the cloud session due to short timeouts, link instability, or upstream session resets. 

 

CLI:

config log fortiguard setting
    set status enable
    set conn-timeout <1-3600>
end


The default value is 10 seconds of the timeout. Increasing the conn-timeout value or adjusting it according to the scenario and enabling reliable logging stabilizes the connection.

Related article:
Troubleshooting Tip: FortiCloud connection failure
112
0 Kudos
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.