FortiManager
FortiManager supports network operations use cases for centralized management, best practices compliance, and workflow automation to provide better protection against breaches.
smkml
Staff
Article Id 414483
Description

 

This article describes how to troubleshoot a Zero-Touch Provisioning (ZTP) deployment in which auto-linking a device fails because FortiManager tries to install syntax that the FortiGate does not support.

 

Example of the error shown when the configuration fails to install:

 

------- Start to retry --------

FGT $  config switch-controller ptp settings
FGT (settings) $  unset mode
FGT (settings) $  end
FGT $  config system interface
FGT (interface) $  edit "modem"
FGT (modem) $  unset distance
cannot unset read-only setting.
Command fail. Return code -7
FGT (modem) $  next
FGT (interface) $  end
FGT $  config system email-server
FGT (email-server) $  unset reply-to
FGT (email-server) $  end
FGT $  config dlp data-type
FGT (data-type) $  edit "credit-card"
FGT (credit-card) $  set verify "builtin)credit-card"
Regex check fail: Regex compile failed at offset 7: unmatched parentheses.
node_check_object fail! for verify builtin)credit-card

value parse error before 'builtin)credit-card'
Command fail. Return code -39
FGT (credit-card) $  next
FGT (data-type) $  end


---> generating verification report
(vdom root: switch-controller ptp settings:mode)
remote original: disable
to be installed: 

(vdom root: dlp data-type "credit-card":verify)
remote original: "built-in"
to be installed: "builtin)credit-card"

<--- done generating verification report


install failed
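
An added example, not part of the original article or of Fortinet's tooling: a small Python parser that extracts the rejected commands and the verification report differences from an install log like the one above. The function name `parse_install_log` and the sample string are constructed for illustration.

```python
import re

# Constructed sample: a trimmed excerpt of the install log shown above.
SAMPLE_LOG = """\
FGT $  config system interface
FGT (interface) $  edit "modem"
FGT (modem) $  unset distance
cannot unset read-only setting.
Command fail. Return code -7
FGT $  config dlp data-type
FGT (data-type) $  edit "credit-card"
FGT (credit-card) $  set verify "builtin)credit-card"
Regex check fail: Regex compile failed at offset 7: unmatched parentheses.
Command fail. Return code -39
(vdom root: dlp data-type "credit-card":verify)
remote original: "built-in"
to be installed: "builtin)credit-card"
"""

PROMPT = re.compile(r"^\S+ (?:\([^)]*\) )?\$\s+(.*)$")   # "FGT (modem) $  <cmd>"
FAIL = re.compile(r"^Command fail\. Return code (-?\d+)")

def parse_install_log(text):
    """Return (failed_commands, report_diffs). Nested config blocks are not tracked."""
    failures, diffs, reason = [], [], []
    table = entry = last_cmd = item = None
    for line in map(str.strip, text.splitlines()):
        if m := PROMPT.match(line):
            cmd = m.group(1)
            if cmd.startswith("config "):
                table, entry = cmd[7:], None
            elif cmd.startswith("edit "):
                entry = cmd[5:].strip('"')
            last_cmd, reason = cmd, []
        elif (f := FAIL.match(line)) and last_cmd:
            failures.append({"table": table, "entry": entry, "command": last_cmd,
                             "code": int(f.group(1)), "reason": " ".join(reason)})
        elif line.startswith("(vdom "):          # verification report entry
            item = {"object": line.strip("()")}
            diffs.append(item)
        elif item is not None and line.startswith(("remote original:", "to be installed:")):
            key, _, val = line.partition(":")
            item[key] = val.strip().strip('"')
        elif line:
            reason.append(line)                  # device message preceding a failure
    return failures, diffs

if __name__ == "__main__":
    print(parse_install_log(SAMPLE_LOG))
```

Each failure record names the config table, the edited entry, the rejected command and the return code, which makes it quick to confirm that every rejection comes from syntax the older firmware does not accept.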

 

Scope

 

FortiManager, FortiGate.

 

Solution

 

This scenario occurs when the firmware version the FortiGate has out of the box is lower than the FortiManager version (or the ADOM version).

 

For example:

FortiGate version v7.2.8 and FortiManager version v7.4.8, with ADOM v7.4.

 

FortiManager pushes the v7.4 default configuration to the v7.2 device, which causes the installation to fail. All assigned Template configurations are still pushed out, however, and the Config Status in Device Manager shows Conflict.

 

Even if 'Enforce Firmware Version' is enabled to upgrade the device to v7.4.x, the process still fails with an installation error.

The option is set under Add Device -> Add Model Device -> Enforce Firmware Version, or through a Device Blueprint.

 


At this point, the devices are already connected to FortiManager and can be managed from there.

To resolve this, perform a 'Retrieve' under Device Manager.

 

Go to Device Manager -> Managed Devices -> Select the FortiGate -> Dashboard -> Summary -> 'Configuration and Installation' widget -> Revision -> select the menu icon -> Retrieve.

 


 

If the device shows an Offline or Down status in Device Manager, kill the fgfmd process (see Technical Tip: How to view, verify and kill the processes consuming more memory in the GUI from the FortiGate itself), then perform the Retrieve again.

 


Related articles:

Technical Tip: ZTP basic configuration and troubleshooting for a standalone FortiGate 
Technical Tip: ZTP basic configuration and troubleshooting for a HA FortiGate cluster