Description |
This article describes the case where the FortiGate GUI is stuck with the error 'License is being validated by FortiGuard'.
In normal operation, after uploading the license or launching a VM for the first time, the GUI displays a prompt stating that the license is being validated by the FortiGuard server.
A successful license validation allows logging in to the FortiGate GUI.
However, the first screen may keep loading for a long time, after which it shows a button to open the CLI console and check the network connection. |
Scope | FortiGate. |
Solution |
Make sure the following requirements are met for the connection to FortiGuard:
execute ping service.fortiguard.net
And:
execute ping update.fortiguard.net
If both requirements above are met, run the below commands to troubleshoot FortiGate - FortiGuard communication:
diagnose debug application update -1
diagnose debug enable
Leave it running for a couple of minutes. To disable it, type this command:
diagnose debug disable
Check the debug output for different scenarios:
2022-01-11 14:06:17 [360] __ssl_crl_verify_cb: Cert error 9, certificate is not yet valid. Depth 0
Error: 9 (certificate is not yet valid)
In this case, check the FortiGate system time. Refer to the below KB article to adjust the date/time settings on the FortiGate:
After adjusting the settings, the validation will go through.
upd_comm_connect_fds[455]-Trying FDS [2620:101:9000:140:173:243:140:6]:443
tcp_connect_fds[265]-Failed connecting after sock writable
upd_comm_connect_fds[469]-Failed TCP connect
upd_act_HA_contract_info[714]-Error updating FSCI -1
Try to explicitly specify the interface to connect to the FortiGuard server by executing the following commands:
config system fortiguard
    set interface-select-method specify    (the default option is auto)
    set interface <WAN-interface>
end
Check the update debug again to see if the FortiGuard servers are reachable now. If not, open a case with TAC for further assistance: https://support.fortinet.com/welcome/#/
upd_fds_load_default_server6[1046]-Resolve and add fds usupdate.fortinet.net ipv6 address failed.
upd_fds_create_list[1295]-No server found for update[00000001]
do_setup[348]-Failed setup
Check DNS connectivity on the FortiGate. Refer to the following KB article to bring DNS connectivity back on the FortiGate: Technical Tip: DNS stops working when using custom DNS.
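The three debug-output scenarios above can be triaged with a short script. This is an added example, not Fortinet code: the scenario labels, the `triage()` helper and the IPv4 `host:port` form of the 'Trying FDS' line are assumptions, while the sample lines are copied from the debug output quoted in this article.

```python
import re

# Signatures come from the debug lines quoted in this article. The scenario
# labels and the triage() helper are assumptions made for this example.
SIGNATURES = [
    ("system-time", r"Cert error \d+, certificate is not yet valid",
     "check the FortiGate date/time settings"),
    ("tcp-connect", r"Failed connecting after sock writable|Failed TCP connect",
     "set interface-select-method specify and name the WAN interface"),
    ("dns", r"Resolve and add fds \S+ ipv[46] address failed|No server found for update",
     "check DNS connectivity from the FortiGate"),
]
# Bracketed IPv6 as seen in the article; bare IPv4 host:port is assumed.
FDS_TARGET = re.compile(r"Trying FDS (\[[0-9A-Fa-f:]+\]|[\d.]+):(\d+)")

# Lines copied from the article's debug output.
SAMPLE = """\
2022-01-11 14:06:17 [360] __ssl_crl_verify_cb: Cert error 9, certificate is not yet valid. Depth 0
upd_comm_connect_fds[455]-Trying FDS [2620:101:9000:140:173:243:140:6]:443
tcp_connect_fds[265]-Failed connecting after sock writable
upd_comm_connect_fds[469]-Failed TCP connect
upd_act_HA_contract_info[714]-Error updating FSCI -1
upd_fds_load_default_server6[1046]-Resolve and add fds usupdate.fortinet.net ipv6 address failed.
upd_fds_create_list[1295]-No server found for update[00000001]
do_setup[348]-Failed setup
"""

def triage(debug_text):
    """Map update-daemon debug output to the scenarios described above."""
    findings = {}
    for line in debug_text.splitlines():
        for name, pattern, action in SIGNATURES:
            if re.search(pattern, line):
                entry = findings.setdefault(name, {"action": action, "evidence": []})
                entry["evidence"].append(line.strip())
    # Record each attempted FortiGuard server with its address family so
    # IPv4 and IPv6 connection attempts can be told apart.
    targets = [(host.strip("[]"), int(port), 6 if host.startswith("[") else 4)
               for host, port in FDS_TARGET.findall(debug_text)]
    return findings, targets

if __name__ == "__main__":
    findings, targets = triage(SAMPLE)
    for name, entry in findings.items():
        print(f"{name}: {entry['action']} ({len(entry['evidence'])} matching lines)")
    for host, port, family in targets:
        print(f"attempted FDS {host} port {port} (IPv{family})")
```

Paste the captured console output into `SAMPLE` (or pass it to `triage()`) to see which of the scenarios it matches.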
It is worth checking whether a proxy is configured for FortiGuard connectivity. In the same way that a source-ip is specified for different FortiOS services (DNS, FortiGuard, Syslog, etc.), a proxy can be configured to tunnel traffic from FortiGate to FortiGuard through a proxy appliance. This feature was introduced in FortiWeb appliances and is also available on all FortiOS versions.
config system autoupdate tunneling
end
Disable this feature and test whether FortiGuard is reachable to get the license information:
config system autoupdate tunneling
    set status disable
end
If all of the above have been checked and the issue still persists, try to run the following command:
Note: This command will require a reboot of the FortiGate, so make sure to run it outside business hours or during a maintenance window. |