FortiGate
ezhupa
Staff
Article Id 242654
Description

This article describes the case where the FortiGate GUI is stuck with the error "License is being validated by FortiGuard".

In normal operation, after uploading the license or launching a VM for the first time, a prompt appears on the GUI stating that the license is being validated by the FortiGuard server.

A successful license validation allows logging in to the FortiGate's GUI.

However, the first screen may keep loading for a long time, after which it shows a button that opens the CLI console to check the network connection.

Scope

FortiGate.
Solution

Make sure the following requirements are met for the connection to FortiGuard:

  • The Internet must be reachable: try to ping public DNS servers such as 8.8.8.8, 1.1.1.1 and 8.8.4.4.
  • The firewall must be able to resolve domain names: try to ping service.fortiguard.net and update.fortiguard.net.

 

If both requirements above are met, run the commands below to troubleshoot FortiGate - FortiGuard communication:

diagnose debug application update -1
diagnose debug enable
execute update-now

Leave it running for a couple of minutes.

To disable the debug, type this command:

diagnose debug disable

 

Check the debug output for different scenarios: 

2022-01-11 14:06:17 [360] __ssl_crl_verify_cb: Cert error 9, certificate is not yet valid. Depth 0
2022-01-11 14:06:17 __upd_peer_vfy[329]-Server certificate failed verification. Error: 9 (certificate is not yet valid), depth: 0, 
2022-01-11 14:06:17 [1013] ssl_connect: SSL_connect failes: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
2022-01-11 14:06:17 ssl_connect_fds[392]-Failed SSL connecting (5,0,Success)

 

If the output shows Error: 9 (certificate is not yet valid), it will be necessary to check the FortiGate system time.

Refer to the below KB article to adjust the date/time settings on the FortiGate:
Technical Tip: Setting the system time

 

After adjusting the settings, the validation will go through.

  • Failed connecting after sock writable:

    upd_comm_connect_fds[455]-Trying FDS [2620:101:9000:140:173:243:140:6]:443
    tcp_connect_fds[265]-Failed connecting after sock writable
    upd_comm_connect_fds[469]-Failed TCP connect
    upd_act_HA_contract_info[714]-Error updating FSCI -1

 

Try to explicitly specify the interface used to connect to the FortiGuard server by executing the following commands (the default option for interface-select-method is auto):

config system fortiguard
    set interface-select-method specify
    set interface <WAN-interface>
end

 

Check the update debug again to see if the FortiGuard servers are reachable now. If not, open a case with TAC for further assistance:

https://support.fortinet.com/welcome/#/

 

  • DNS not reachable:

    upd_fds_load_default_server6[1046]-Resolve and add fds usupdate.fortinet.net ipv6      address failed.

    upd_fds_create_list[1295]-No server found for update[00000001]

    do_setup[348]-Failed setup

 

Check DNS connectivity from the FortiGate. Refer to the KB article below to bring DNS connectivity back on the FortiGate:

Technical Tip: DNS stops working when using custom DNS
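
The three scenarios above can be told apart mechanically from a saved copy of the update debug output. The following is an added example, not Fortinet code: the function name `triage` and the scenario keys are hypothetical, and the sample capture is assembled from the debug lines quoted in this article.

```python
import re

# Signatures and next steps for the three scenarios described in this article.
SCENARIOS = [
    ("clock", re.compile(r"certificate is not yet valid"),
     "Check the FortiGate system time."),
    ("tcp", re.compile(r"Failed connecting after sock writable|Failed TCP connect"),
     "Set interface-select-method to specify and name the WAN interface."),
    ("dns", re.compile(r"Resolve and add fds .* address failed|No server found for update"),
     "Check DNS connectivity from the FortiGate."),
]
# Server the update daemon tried, e.g. "Trying FDS [addr]:443".
TRYING = re.compile(r"Trying FDS \[?([^\]\s]+?)\]?:(\d+)$")


def triage(debug_text):
    """Group matching debug lines by scenario, in order of first appearance."""
    findings, servers = {}, []
    for line in (raw.strip() for raw in debug_text.splitlines()):
        tried = TRYING.search(line)
        if tried:
            servers.append((tried.group(1), int(tried.group(2))))
        for key, pattern, advice in SCENARIOS:
            if pattern.search(line):
                hit = findings.setdefault(key, {"advice": advice, "evidence": []})
                hit["evidence"].append(line)
                break
    return {"findings": findings, "servers_tried": servers}


# Constructed sample: debug lines quoted in this article, combined into one capture.
SAMPLE = """\
2022-01-11 14:06:17 [360] __ssl_crl_verify_cb: Cert error 9, certificate is not yet valid. Depth 0
2022-01-11 14:06:17 ssl_connect_fds[392]-Failed SSL connecting (5,0,Success)
upd_comm_connect_fds[455]-Trying FDS [2620:101:9000:140:173:243:140:6]:443
tcp_connect_fds[265]-Failed connecting after sock writable
upd_comm_connect_fds[469]-Failed TCP connect
upd_fds_create_list[1295]-No server found for update[00000001]
do_setup[348]-Failed setup
"""

if __name__ == "__main__":
    result = triage(SAMPLE)
    for key, hit in result["findings"].items():
        print(f"{key}: {hit['advice']} ({len(hit['evidence'])} matching line(s))")
    print("servers tried:", result["servers_tried"])
```

A capture that matches none of the three signatures returns no findings, which is the case the article directs to TAC.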