ppatel
Staff

Description

This article describes the first workaround steps in case of a FortiCloud connection failure.


Solution

1) Check Internet connectivity and make sure the FortiGate can resolve the hostname "logctrl1.fortinet.com".
# execute ping logctrl1.fortinet.com
PING logctrl1.fortinet.com (208.91.113.103)

2) Check the DNS cache entry for "logctrl1.fortinet.com".
# diagnose test application dnsproxy 7
vfid=0, name=logctrl1.fortinet.com, category=255, ttl=10386:9724:1138
  208.91.113.103 (ttl=10412)
3) Check the FortiGuard log settings.
# config log fortiguard setting
(setting) # show full-configuration

# config log fortiguard setting
    set status enable
    set ssl-min-proto-version default
    set source-ip 0.0.0.0
    set interface-select-method auto
    set upload-option 5-minute
    set priority default
    set max-log-rate 0
    set enc-algorithm high
    set conn-timeout 10
end
NOTE:
If FortiCloud has not been activated successfully, the settings above cannot be adjusted and the status will remain set to disable.

4) Check the FDS status and the account ID.
# diagnose test application forticldd 1
System=FGT Platform=Fortigate_Model
Management vdom: root, id=0,  ha=master.
acct_id=User_ID@company_id.com
acct_st=OK
FortiGuard log: status=enabled, full=overwrite, ssl_opt=3, source-ip=0.0.0.0
Centra Management: type=FGD, flags=000000bf.
active-tasks=0
5) Validate the FortiCloud log state.

The server status is "down":
# diagnose test application miglogd 20
Home log server:
Address: 208.91.113.241:514, st: down
oftp status: connecting
spos: 0, slen: 0
rpos: 0, rlen: 12
Alternative log server:
Address: 208.91.113.201:514, st: down
oftp status: connecting
spos: 0, slen: 0
rpos: 0, rlen: 12
Active log server: ALTER

Number of log task: 1024
Number of task in list: 1024
Debug zone info:
Server IP: 208.91.113.241
Server port: 514
Server status: down
Log quota: 102400MB
Log used: 224MB
Daily volume: 20480MB
FDS arch pause: 0
fams archive pause: 0
stats: total=95970, acked=0, discard=94946, rejected=0
(Other examples)
FGT # diagnose test application forticldd 3
Debug zone info:
Domain:GLOBAL
Home log server: 173.243.132.171:514
Alt log server: 173.243.132.132:514
Active Server IP: 173.243.132.132
Active Server status: unknown
Log quota: 3145728MB
Log used: 0MB
Daily volume: 20480MB
fams archive pause: 0
APTContract : 0
APT server: 0.0.0.0:0
APT Altserver: 0.0.0.0:0
Active APTServer IP: 0.0.0.0
Active APTServer status: unknown

FGT # diagnose test application miglogd 20
Home log server:
Address: 173.243.132.171:514
Alternative log server:
Address: 173.243.132.143:514
oftp connection haven't been established
Debug zone info:
Server IP: 173.243.132.143
Server port: 514
Server status: unknown
Log quota: 3145728MB
Log used: 0MB
Daily volume: 20480MB
FDS arch pause: 0
fams archive pause: 0
6) Change the FortiGuard log setting.

Change 'set enc-algorithm' from 'high' to 'default'.

7) Validate FortiCloud log state.

The server status is "up":
# diagnose test application miglogd 20
Home log server:
    Address: 208.91.113.194:514, st: up
    oftp status: established
    spos: 521, slen: 521
    rpos: 24, rlen: 24
Alternative log server:
    Address: 208.91.113.101:514, st: unknown
    oftp connection haven't been established
Active log server:  HOME
 Number of log task:     0
Number of task in list: 0
Debug zone info:
    Server IP:      208.91.113.194
    Server port:    514
    Server status:  up
    Log quota:      102400MB
    Log used:       394MB
    Daily volume:   20480MB
    FDS arch pause: 0
    fams archive pause: 0
stats: total=610774, acked=610774, discard=0, rejected=0
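Steps 5 and 7 above come down to reading three things out of 'diagnose test application miglogd 20': the state of the active log server, whether the OFTP session is established, and whether logs are being acknowledged or discarded. The following Python script is an added example, not part of the original article or a Fortinet tool; it parses output in the shape shown above into a dictionary and returns a verdict with the reasons a connection is considered unhealthy. The two embedded samples are constructed from the "down" and "up" captures in this article (abbreviated to the relevant lines).

```python
"""Parse FortiOS 'diagnose test application miglogd 20' output and decide
whether the FortiCloud log connection is healthy.

Added example for this article; the regexes below are written against the
output format shown in the article and are an assumption for other releases.
"""
import re

# Constructed sample: the "down" capture from step 5 (abbreviated).
SAMPLE_DOWN = """\
Home log server:
Address: 208.91.113.241:514, st: down
oftp status: connecting
Alternative log server:
Address: 208.91.113.201:514, st: down
oftp status: connecting
Active log server: ALTER
Debug zone info:
Server IP: 208.91.113.241
Server status: down
stats: total=95970, acked=0, discard=94946, rejected=0
"""

# Constructed sample: the "up" capture from step 7 (abbreviated).
SAMPLE_UP = """\
Home log server:
    Address: 208.91.113.194:514, st: up
    oftp status: established
Alternative log server:
    Address: 208.91.113.101:514, st: unknown
    oftp connection haven't been established
Active log server:  HOME
Debug zone info:
    Server IP:      208.91.113.194
    Server status:  up
stats: total=610774, acked=610774, discard=0, rejected=0
"""


def parse_miglogd(output: str) -> dict:
    """Return {'servers': {'home': {...}, 'alt': {...}}, 'active': 'home'|'alt'|None, 'stats': {...}}."""
    result = {"servers": {}, "active": None, "stats": {}}
    section = None  # which server block ('home' / 'alt') we are inside
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Home log server"):
            section = "home"
            result["servers"][section] = {}
            continue
        if line.startswith("Alternative log server"):
            section = "alt"
            result["servers"][section] = {}
            continue
        if line.startswith("Debug zone info"):
            section = None  # the debug zone repeats the active server; ignore it
            continue
        # "Address: 1.2.3.4:514, st: down"  (the ", st: ..." part may be absent)
        m = re.match(r"Address:\s*([\d.]+):(\d+)(?:,\s*st:\s*(\w+))?", line)
        if m and section:
            result["servers"][section].update(
                address=m.group(1), port=int(m.group(2)), state=m.group(3) or "unknown")
            continue
        # "oftp status: established" or "oftp connection haven't been established"
        m = re.match(r"oftp (?:status:\s*(\w+)|connection haven't)", line)
        if m and section:
            result["servers"][section]["oftp"] = m.group(1) or "not established"
            continue
        m = re.match(r"Active log server:\s*(\w+)", line)
        if m:
            result["active"] = "home" if m.group(1).upper().startswith("HOME") else "alt"
            continue
        m = re.match(r"stats:\s*(.*)", line)
        if m:
            result["stats"] = {k: int(v) for k, v in re.findall(r"(\w+)=(\d+)", m.group(1))}
    return result


def assess(parsed: dict):
    """Return (healthy, reasons): healthy only if the active server is up, its
    OFTP session is established, and logs are acknowledged rather than discarded."""
    reasons = []
    active = parsed["active"]
    srv = parsed["servers"].get(active, {})
    if srv.get("state") != "up":
        reasons.append(f"active ({active}) server {srv.get('address')} state is {srv.get('state')}")
    if srv.get("oftp") != "established":
        reasons.append(f"OFTP session to active server is {srv.get('oftp')}")
    stats = parsed["stats"]
    if stats.get("total", 0) and stats.get("acked", 0) == 0:
        reasons.append("no log records acknowledged by FortiCloud")
    if stats.get("discard", 0):
        reasons.append(f"{stats['discard']} log records discarded")
    return (not reasons, reasons)


if __name__ == "__main__":
    for name, sample in (("down", SAMPLE_DOWN), ("up", SAMPLE_UP)):
        healthy, why = assess(parse_miglogd(sample))
        print(name, "healthy" if healthy else "UNHEALTHY: " + "; ".join(why))
```

Feed it the raw output pasted from the console; a non-zero 'discard' count with 'acked=0' is the signature of the failure in step 5 even when the server state line alone looks plausible, which is why the verdict looks at the stats line as well as the state.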
8) Test connectivity to TCP port 514 on the FortiGateCloud servers from the FortiGate.

A successful telnet, confirming that TCP port 514 is open and reachable:
# execute telnet 173.243.132.171 514
Trying 173.243.132.171...
Connected to 173.243.132.171.
<<the console may freeze for a few moments and then drop the connection with the following message>>

Connection closed by foreign host.

A failed telnet connection, indicating that TCP port 514 is blocked somewhere before the FortiGateCloud server:
# execute telnet 173.243.132.171 514
Trying 173.243.132.171...
Timeout!
Failed to connect to specified unit.
9) The FortiGate unit uses its routing table to route self-originated traffic to FortiGateCloud.
 
If the configured default route does not provide Internet access, and the traffic must originate from a specific network in order to be routed (for example, via an IPsec tunnel), a source IP can be specified in the log settings in the CLI so that the FortiGate unit can reach the FortiGateCloud servers:
# config log fortiguard setting
    set status enable
    set ssl-min-proto-version default
    set source-ip <IP-address (0.0.0.0 by default)>
    set interface-select-method auto
end
This source-ip must be the IP address of one of the FortiGate's own interfaces.
 
10) Other useful troubleshooting information can be collected with the following commands:
# diagnose debug reset
# diagnose debug console timestamp enable
# diagnose debug application forticldd -1
# diagnose debug enable
# fnsysctl killall forticldd
The last command restarts the FortiCloud process (forticldd). After about a minute, the debug output can be stopped with '# diagnose debug reset'.

The server IP addresses shown in the debug output can be used as a filter for a packet capture:
# diagnose sniffer packet any 'host <IP from previous output>' 4 0 l