FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
pholla (Staff)
Article Id 408930
Description This article describes how to resolve a connectivity issue between an Azure or AWS FortiGate in HA and FortiManager that occurs when the 'Fortinet_Factory' certificate shows the CN as 'FortiGate' instead of the device serial number.
Scope FortiGate.
Solution

As mentioned in the article below, FortiGate for AWS and FortiGate for Microsoft Azure on-demand models receive the virtual machine license from FortiCare during the bootup process:

Troubleshooting Tip: Resolving a connectivity issue between an Azure or AWS FortiGate and an EMS and...

In some cases, connectivity from a FortiGate HA cluster to FortiManager fails because of a certificate validation failure.

Updating the FortiGate-VM license manually can cause connectivity from the FortiGate HA cluster to FortiManager to fail, because the certificate synced from the HA primary carries CN='FortiGate' rather than the serial number.

 

When the FortiGate-VM license is uploaded manually to FortiGate1 (the primary), FortiGate1 goes down and FortiGate2 becomes the new primary.

  • At this moment FortiGate2 has CN=FortiGate.
  • When FortiGate1 comes back up, it is added as the secondary because override is disabled and FortiGate1 has the lower uptime.
  • FortiGate1 has CN=<FortiGate1 serial number> for a short period; after a few minutes the certificate is synced from the primary (FortiGate2) and the CN becomes 'FortiGate' again.
  • This loop repeats if the license is then uploaded to FortiGate2.

 

As a workaround, follow the steps below:

  • Enable HA override and increase the priority on FortiGate1:

 

config system ha
    set override enable
    set priority <integer>
end

Override is disabled by default. Set a higher priority value on the intended primary (FortiGate1) than on the secondary (FortiGate2).

 

  • When the FortiGate-VM license is uploaded to FortiGate1, FortiGate1 goes down and comes back up with CN=<FortiGate1 serial number>, and this certificate is synced to FortiGate2.
  • FortiGate to FortiManager connectivity then comes up without issues.
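The workaround is confirmed by checking that each cluster member now presents a certificate whose CN is the unit's serial number rather than 'FortiGate'. The following shell script is an added example and is not part of the Fortinet article. It assumes openssl is installed on the admin workstation, that the management interface of each unit is reachable, and that the admin HTTPS interface is configured to present the Fortinet_Factory certificate (config system global / set admin-server-cert Fortinet_Factory); if it is not, run subject_from_file on an exported copy of the certificate instead. The host addresses and serial numbers in the usage lines are placeholders.

```shell
#!/bin/sh
# Added example, not part of the Fortinet article: checks that the certificate a
# FortiGate-VM HA member presents carries its serial number as the CN rather than
# the placeholder 'FortiGate'. Requires openssl on the admin workstation.

# Extract the CN from an 'openssl x509 -noout -subject' line. Handles both the
# "subject=C = US, CN = X" layout and the older "subject= /C=US/CN=X" layout.
cn_from_subject() {
    printf '%s\n' "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p' | sed 's/[[:space:]]*$//'
}

# Compare a CN with the expected unit serial number and print a verdict:
# OK (CN is the serial), PLACEHOLDER (the CN=FortiGate condition described in
# the article) or MISMATCH (some other CN, e.g. the partner unit's serial).
classify_cn() {
    cn=$1
    expected=$2
    if [ "$cn" = "$expected" ]; then
        echo OK
    elif [ "$cn" = "FortiGate" ]; then
        echo PLACEHOLDER
    else
        echo MISMATCH
    fi
}

# Subject of the certificate served on host:port (live check). Assumes the unit's
# admin HTTPS interface presents the Fortinet_Factory certificate
# (config system global / set admin-server-cert Fortinet_Factory).
subject_from_host() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject
}

# Subject of a certificate exported to a PEM file (offline check).
subject_from_file() {
    openssl x509 -in "$1" -noout -subject
}

# check_member <host> <expected-serial> [port]
# Exit status 0 only when the CN equals the expected serial number.
check_member() {
    subj=$(subject_from_host "$1" "${3:-443}") || {
        echo "$1: could not fetch certificate"
        return 3
    }
    cn=$(cn_from_subject "$subj")
    verdict=$(classify_cn "$cn" "$2")
    echo "$1: CN='$cn' expected='$2' -> $verdict"
    [ "$verdict" = OK ]
}

# Usage with placeholder addresses and serials (replace with the cluster's own):
# check_member 10.0.0.1 FGVMXXXXXXXXXXXX
# check_member 10.0.0.2 FGVMYYYYYYYYYYYY
```

Run check_member once per cluster member, passing that member's own serial number. A PLACEHOLDER verdict on either unit means the CN=FortiGate condition is still present; a MISMATCH where the secondary reports the primary's serial is expected behaviour after the certificate has synced from the primary, as the article describes.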

 

Follow these best practices to avoid this issue:

  • Always upload the FortiGate-VM license to the FortiGate-VM first and then configure HA. The primary FortiGate1 then has CN=<FortiGate1 serial number>, and when FortiGate2 is added to the cluster it joins as the secondary.
  • Initially FortiGate2 has CN=FortiGate, because a FortiGate-VM has no built-in serial number and always relies on the serial number in the VM license. The certificate is then synced from the primary FortiGate1 and the CN changes to CN=<FortiGate1 serial number>, as expected.
  • If the HA cluster is configured first and the FortiGate-VM license is added afterwards, the CN=FortiGate issue occurs.