Technical Tip: Obtaining logs of undeployed FortiGate from FortiGate Cloud

kcheng · ‎11-06-2023

Description

This article describes how to retrieve logs for undeployed FortiGate from FortiGate Cloud.

Once FortiGate is undeployed from FortiGate Cloud, the FortiGate Cloud administrator and authorized user will not be able to see the respective device on the asset page. The asset page only shows devices that are deployed under the respective account:

By default the undeployed FortiGate is not shown on the asset page, and the historical logs are not visible.

Scope

FortiGate Cloud.

Solution

The historical logs for the undeployed FortiGate are associated with an artificial device entry that can be viewed by toggling the view of 'RMA'd and Undeployed' feature to enable.

From the asset screen, select 'Options' and toggle 'RMA'd and Undeployed' to enable.

Once enabled, it will be possible to view the undeployed FortiGate from the asset page. The serial number of an undeployed device is artificial and does not have any relationship to the original serial number of a real device.

Devices that were undeployed from FortiGate Cloud have a serial number starting with ‘U00’. Devices with a closed RMA that were never undeployed have a serial number starting with ‘R00’.

To access the historical logs, select the device in the asset list, then select 'Device View'.
Once in the respective device view, it will be possible to view the logs that are saved in FortiGate Cloud.

The logs can be downloaded following the article 'How to export bulk logs from RMA & Undeployed Devices in FortiGate Cloud'.

Note:

For a free FortiGate Cloud account, log retention is only 7 days, while the FortiGate Cloud Premium account has a log retention of 1 year. Logs that exceed the log retention date will be deleted from FortiGate Cloud. If the device was undeployed 14 days ago and had a free FortiGate Cloud account, the logs will be empty.