FortiGate
nathan_h
Staff & Editor
Article Id 419753
Description

 

This article describes how to fix the FortiClient EMS connector failing to connect to FortiClient EMS Cloud with a FortiGate Access Key when there is no valid FCEM contract.

 

Scope

 

FortiGate v7.4.9 and below, FortiGate v7.6.3 and below.

 

Solution

 

The EMS connector can be configured on FortiGate to connect to FortiClient EMS Cloud. FortiGate checks whether there is a valid FCEM contract under the account where the serial number of the local FortiGate is registered. A FortiGate Access Key can be used to connect to a FortiClient EMS Cloud instance on another account that has a valid FCEM contract, even if the local FortiGate is not registered there.

 

Configuration using a FortiGate Access Key:

 

config endpoint-control fctems
    edit 1
        set status enable
        set name "cloud-ems"
        set fortinetone-cloud-authentication enable
        set cloud-authentication-access-key "IIEEHIBMQXXXXXXXXXXX"
    next
end

 

When the verify command is run for the EMS fabric connection, the following error appears:

exec fctems verify 1
Error in requesting EMS fabric connection: -7
issue in getting capabilities. License expired.
Error (-1@_get_capabilities:440). license expired

Command fail. Return code -9999

 

No FCEM contract is present, or it is expired, as shown in the output below.

diagnose test update info

....

Account contracts:

....

 

If these symptoms are encountered, an upgrade to v7.6.4 or later is necessary to add the EMS Cloud instance via a FortiGate Access Key. Starting from FortiOS v7.6.4, FortiGate does not require the license check when a FortiGate Access Key is used.

 

get sys status | grep For
Version: FortiGate-81F v7.6.4,build3596,250820 (GA.F)

 

Verify that the EMS connection shows as verified:

 

execute fctems verify 1
EMS already verified.
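
The checks above can be run against saved CLI output. The following is an added example, not Fortinet code: the function names, result labels and the v7.6.3 sample line are constructed for illustration, and a version outside the scope stated in this article is reported as such rather than guessed.

```python
import re

def parse_version(sys_status: str):
    """Return (major, minor, patch) from the 'Version:' line of 'get sys status'."""
    m = re.search(r"^Version:\s+\S+\s+v(\d+)\.(\d+)\.(\d+)", sys_status, re.M)
    if not m:
        raise ValueError("no Version line found")
    return tuple(int(x) for x in m.groups())

def has_license_symptom(verify_output: str) -> bool:
    """True when the verify output carries the error quoted in this article."""
    text = verify_output.lower()
    return "_get_capabilities" in text and "license expired" in text

def in_article_scope(version) -> bool:
    """Scope as stated in the article: v7.4.9 and below, v7.6.3 and below."""
    if version[:2] == (7, 6):
        return version <= (7, 6, 3)
    return version <= (7, 4, 9)

def triage(sys_status: str, verify_output: str) -> str:
    """Classify a saved 'get sys status' / 'exec fctems verify' pair."""
    version = parse_version(sys_status)
    if "ems already verified" in verify_output.lower():
        return "verified"
    if not has_license_symptom(verify_output):
        return "different-error"        # not the failure this article covers
    if in_article_scope(version):
        return "upgrade-to-7.6.4-or-later"
    return "outside-article-scope"      # e.g. symptom seen on v7.6.4+ or v7.4.10

# Verify output as quoted in the article.
ERROR_OUTPUT = """Error in requesting EMS fabric connection: -7
issue in getting capabilities. License expired.
Error (-1@_get_capabilities:440). license expired
Command fail. Return code -9999"""

# Version line from the article, and a constructed one for an affected build.
STATUS_FIXED = "Version: FortiGate-81F v7.6.4,build3596,250820 (GA.F)"
STATUS_AFFECTED = "Version: FortiGate-81F v7.6.3,build0000,000000 (GA)"  # constructed

if __name__ == "__main__":
    print(triage(STATUS_AFFECTED, ERROR_OUTPUT))
    print(triage(STATUS_FIXED, "EMS already verified."))
```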

 

Related articles:

FortiClient Cloud: FortiGate access key

Technical Tip: How to add EMS in fabric connector with FortiGate API Access Key

Technical Tip: How to fix broken connectivity issue between FortiGate and FortiClient EMS Cloud by e...