FortiGate
ppatel
Staff
Article Id 196104

Description

 
This article describes the initial workaround steps for a FortiCloud connection failure. FortiCloud connection failures can also manifest as upgrade errors, or as FortiToken or licensing registration errors:
 
[Screenshot: 2024-09-11_Error.png]


Solution

 
  1. Check Internet connectivity and make sure the FortiGate can resolve the hostname 'logctrl1.fortinet.com'.

    execute ping logctrl1.fortinet.com
    PING logctrl1.fortinet.com (208.91.113.103)

  2. Check the DNS cache entry for 'logctrl1.fortinet.com'.

    diagnose test application dnsproxy 7
    vfid=0, name=logctrl1.fortinet.com, category=255, ttl=10386:9724:1138
      208.91.113.103 (ttl=10412)

  3. Check the FortiGuard log setting.

    config log fortiguard setting
    (setting) # show full-configuration
    config log fortiguard setting
        set status enable
        set ssl-min-proto-version default
        set source-ip 0.0.0.0
        set interface-select-method auto
        set upload-option 5-minute
        set priority default
        set max-log-rate 0
        set enc-algorithm high
        set conn-timeout 10
    end

    Note:
    Without a successful FortiCloud activation, the above settings cannot be adjusted and the status remains set to disable.

  4. Check the FDS status and the account ID.

    diagnose test application forticldd 1
    System=FGT Platform=Fortigate_Model
    Management vdom: root, id=0,  ha=master.
    acct_id=User_ID@company_id.com
    acct_st=OK
    FortiGuard log: status=enabled, full=overwrite, ssl_opt=3, source-ip=0.0.0.0
    Centra Management: type=FGD, flags=000000bf.
    active-tasks=0

  5. Validate the FortiCloud log state.
    In the failing case, the server status is 'down'.

    For FortiOS 7.2.3 and below:

    diagnose test application miglogd 20

    For FortiOS 7.2.4 and above:

    diagnose test application fgtlogd 20

    Example output in the failing state:

    FGT # diagnose test application fgtlogd 20
    Home log server:
    Address: 208.91.113.241:514, st: down
    oftp status: connecting
    spos: 0, slen: 0
    rpos: 0, rlen: 12
    Alternative log server:
    Address: 208.91.113.201:514, st: down
    oftp status: connecting
    spos: 0, slen: 0
    rpos: 0, rlen: 12
    Active log server: ALTER

    Number of log task: 1024
    Number of task in list: 1024
    Debug zone info:
    Server IP: 208.91.113.241
    Server port: 514
    Server status: down
    Log quota: 102400MB
    Log used: 224MB
    Daily volume: 20480MB
    FDS arch pause: 0
    fams archive pause: 0
    stats: total=95970, acked=0, discard=94946, rejected=0

    Other examples:

    FGT # diagnose test application forticldd 3
    Debug zone info:
    Domain:GLOBAL
    Home log server: 173.243.132.171:514
    Alt log server: 173.243.132.132:514
    Active Server IP: 173.243.132.132
    Active Server status: unknown
    Log quota: 3145728MB
    Log used: 0MB
    Daily volume: 20480MB
    fams archive pause: 0
    APTContract : 0
    APT server: 0.0.0.0:0
    APT Altserver: 0.0.0.0:0
    Active APTServer IP: 0.0.0.0
    Active APTServer status: unknown

    FGT # diagnose test application miglogd 20
    Home log server:
    Address: 173.243.132.171:514
    Alternative log server:
    Address: 173.243.132.143:514
    oftp connection haven't been established
    Debug zone info:
    Server IP: 173.243.132.143
    Server port: 514
    Server status: unknown
    Log quota: 3145728MB
    Log used: 0MB
    Daily volume: 20480MB
    FDS arch pause: 0
    fams archive pause: 0

  6. Change the FortiGuard log setting:
    In 'config log fortiguard setting', change 'set enc-algorithm high' to 'set enc-algorithm default'.

  7. Validate the FortiCloud log state again.
    The server status should now be 'up'.

    diagnose test application miglogd 20
    Home log server:
        Address: 208.91.113.194:514, st: up
        oftp status: established
        spos: 521, slen: 521
        rpos: 24, rlen: 24
    Alternative log server:
        Address: 208.91.113.101:514, st: unknown
        oftp connection haven't been established
    Active log server:  HOME
    Number of log task:     0
    Number of task in list: 0
    Debug zone info:
        Server IP:      208.91.113.194
        Server port:    514
        Server status:  up
        Log quota:      102400MB
        Log used:       394MB
        Daily volume:   20480MB
        FDS arch pause: 0
        fams archive pause: 0
    stats: total=610774, acked=610774, discard=0, rejected=0
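    The 'down' and 'up' outputs in steps 5 and 7 are easy to misread when collected from many units. As an added example (not FortiOS code or part of the original article), the following Python parser reads 'fgtlogd 20' / 'miglogd 20' output, extracts the home/alternative server state, the active server, the debug-zone server status and the stats counters, and lists the failure signs a practitioner checks: server status not 'up', a server marked 'down', or logs discarded with none acknowledged. The DOWN_SAMPLE string is constructed from the step 5 output, trimmed to the lines that matter.

```python
# Added example (not FortiOS code): parse fgtlogd/miglogd 20 output and flag failure signs.
import re
ADDR_RE = re.compile(r"Address:\s*(\S+):(\d+)(?:,\s*st:\s*(\w+))?")
STATS_RE = re.compile(r"total=(\d+),\s*acked=(\d+),\s*discard=(\d+),\s*rejected=(\d+)")

# Constructed sample: the 'down' output from step 5, trimmed to the lines that matter.
DOWN_SAMPLE = """Home log server:
Address: 208.91.113.241:514, st: down
oftp status: connecting
Alternative log server:
Address: 208.91.113.201:514, st: down
oftp status: connecting
Active log server: ALTER
Server status: down
stats: total=95970, acked=0, discard=94946, rejected=0
"""

def parse_logd_status(text):
    # home/alt server state, active server (HOME/ALTER), debug-zone status, counters
    st, sec = {"home": {}, "alt": {}, "active": None, "server_status": None, "stats": None}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("Home log server"):
            sec = "home"
        elif line.startswith("Alternative log server"):
            sec = "alt"
        elif line.startswith("Active log server"):
            st["active"], sec = line.split(":", 1)[1].strip(), None
        elif sec and (m := ADDR_RE.search(line)):
            st[sec].update(ip=m.group(1), port=int(m.group(2)), st=m.group(3) or "unknown")
        elif sec and line.startswith("oftp"):
            # "oftp status: <state>" or "oftp connection haven't been established"
            st[sec]["oftp"] = line.split(":", 1)[1].strip() if ":" in line else "not established"
        elif line.startswith("Server status"):
            st["server_status"] = line.split(":", 1)[1].strip()
        elif m := STATS_RE.search(line):
            st["stats"] = dict(zip(("total", "acked", "discard", "rejected"), map(int, m.groups())))
    return st

def assess(st):
    # failure signs worth alerting on; an empty list means logs are flowing and acknowledged
    findings = []
    if st["server_status"] != "up":
        findings.append("FortiCloud log server status is %s" % st["server_status"])
    for name in ("home", "alt"):
        if st[name].get("st") == "down":
            findings.append("%s server %s:%d down, oftp %s" % (name, st[name]["ip"], st[name]["port"], st[name].get("oftp", "?")))
    s = st["stats"]
    if s and s["total"] and s["acked"] == 0:
        findings.append("%d of %d logs discarded, none acknowledged" % (s["discard"], s["total"]))
    return findings
```

    Run assess(parse_logd_status(text)) on output pasted from the FortiGate; the step 7 'up' output yields an empty list, the step 5 'down' output yields four findings.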

  8. Test connectivity to TCP port 514 on the FortiGateCloud servers from the FortiGate.
    A successful telnet confirms that TCP port 514 is open and reachable:

    execute telnet 173.243.132.171 514
    Trying 173.243.132.171...
    Connected to 173.243.132.171. <- The console may freeze for a few moments then drop the connection with the following message.
    Connection closed by foreign host.

    A failed telnet connection indicates that TCP port 514 is being blocked somewhere on the path to the FortiGateCloud server:

    execute telnet 173.243.132.171 514
    Trying 173.243.132.171...
    Timeout!
    Failed to connect to specified unit.

    If there is no response from the server, change the outgoing interface:

    config log fortiguard setting
        set interface-select-method specify
        set interface port1 <- Specify the outgoing interface.
    end

  9. The FortiGate unit uses its routing table to route self-originated traffic to FortiGate Cloud.

    If the configured default route does not provide Internet access and the traffic must originate from a specific network to be routed (for example, through an IPsec tunnel), a source IP can be specified in the log settings from the CLI so that the FortiGate unit can reach the FortiGateCloud servers:

    config log fortiguard setting
        set status enable
        set ssl-min-proto-version default
        set source-ip <IP-address (0.0.0.0 by default)>
        set interface-select-method auto
    end

    The source-ip must be the IP address of one of the FortiGate's own interfaces.

  10. Other useful troubleshooting information can be collected with the following commands:

    diagnose debug reset
    diagnose debug console timestamp enable
    diagnose debug application forticldd -1
    diagnose debug enable
    fnsysctl killall forticldd

    The last command restarts the FortiCloud process. After about a minute, stop the debug output with 'diagnose debug disable' followed by 'diagnose debug reset'.

  11. If the above steps do not resolve the issue and logs are still not being sent to FortiCloud, restart the FortiGate log daemon with the following command:

    fnsysctl killall fgtlogd

    The server IP addresses from the previous outputs can be used to capture the log traffic:

    diagnose sniffer packet any 'host <IP from previous output>' 4 0 l