Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
kumarh
Staff
Staff

Created on ‎10-16-2023 06:30 AM Edited on ‎12-08-2025 06:18 AM By Community Manager

Article Id 279168

Technical Tip: FortiGate is showing inactive in FortiGate Cloud

Description

This article describes the scenario where FortiGate is showing inactive in the FortiGate Cloud.
Scope FortiGate, FortiGate Cloud.
Solution

There could be an instance where FortiGate Cloud is already activated but shows as inactive in the FortiGate Cloud portal.

 

mgmt-connectivity-inactive.png

 

Refer to the following for such a case:

  1. If the device is in an HA cluster, then it is expected that the secondary device will show as inactive. This is because the management tunnel can only be up for the primary device. If the device is not in an HA cluster or acting as the secondary device, the status should show as active.

  2. Check the Region where FortiGate Cloud is activated and verify that the portal is logged in to the same Region.

  3. Access the inactive FortiGate and verify connectivity to FortiGuard servers. Refer to this link to troubleshoot any issues with FortiGuard server reachability: Troubleshooting Tip: Unable to connect to FortiGuard servers.

  4. If FortiGuard servers are reachable, check the central-management settings if enabled:

 

config system central-management

    set type fortiguard

end

 

  1. Verify if there is an upstream device that could be blocking/inspecting traffic between the FortiGate and FortiGate Cloud. TCP/541 is used for management access. Refer to Technical Tip: IP address and port used for FortiCloud for the list of IP ranges and ports used by FortiGate Cloud.

To confirm if TCP 541 connection or other FortiCloud port between the FortiGate and FortiCloud is working, run packet capture in FortiGate while executing the following command:

 

fnsysctl killall fgfmd

 

To capture the relevant packets, run the CLI commands below or use the Packet Capture feature on the GUI.

 

CLI:

 

diagnose sniffer packet any 'port 541' 4 0 l

 

Or:

 

diagnose sniffer packet any 'port 541' 6 0 l

 

Collect debug log using the following commands:

 

diagnose debug reset

diagnose debug console timestamp enable

diagnose debug application forticldd -1

diagnose debug enable

 

diagnose debug disable ---> Run this to stop the debug.

diagnose debug reset

 

  1. Another troubleshooting step that can be performed is to undeploy the FortiGate on FortiGate Cloud. From the FortiGate, log out of the FortiCloud account under Central Management and then log in again with the correct region. Refer to: Undeploying and redeploying a FortiGate.

     

FortiGate Cloud management connectivity should then show as active:

 

mgmt-connectivity-active.png

 

Related articles:

Technical Tip: FortiGate Cloud shows management tunnel down

Technical Tip: How to register/activate FortiGate Cloud from GUI and enable logging 
6037
0 Kudos
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.