We have just upgraded our 100F from 7.0.17 to 7.4.9 with 7.0 going end of support.
It upgraded to 7.2 and then to 7.4
Everything seems to work fine with the exception of FortiAnalyzer Cloud. It's refusing to connect and send logs. We did upgrade the FAZ from 7.4 to 7.6.4, however it hasn't seemed to make any difference, and both versions seem to support our FortiGate version. I have also removed the device and re-added it to FA Cloud, still with no luck.
There's no access issues that I know of
# exec ping fortianalyzer.forticloud.com
PING fortianalyzer.forticloud.com.geo.fortinet.net (154.52.2.161): 56 data bytes
64 bytes from 154.52.2.161: icmp_seq=0 ttl=52 time=20.6 ms
64 bytes from 154.52.2.161: icmp_seq=1 ttl=52 time=20.5 ms
64 bytes from 154.52.2.161: icmp_seq=2 ttl=52 time=20.5 ms
64 bytes from 154.52.2.161: icmp_seq=3 ttl=52 time=20.5 ms
64 bytes from 154.52.2.161: icmp_seq=4 ttl=52 time=20.5 ms
--- fortianalyzer.forticloud.com.geo.fortinet.net ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 20.5/20.5/20.6 ms
The only clue is an error with SSL
exec log fortianalyzer-cloud test-connectivity
Failed to get FortiAnalyzer Cloud's status. SSL error. (-3)
However I'm at a loss as to what to try next.
Any help appreciated :)
Hello Bill,
Regarding the same issue, instead of changing the global setting, I modified the FortiAnalyzer Cloud logging configuration directly:
config log fortianalyzer-cloud setting
set status enable
set ssl-min-proto-version TLSv1-3
end
The FortiGate is now able to send logs and retrieve the FortiAnalyzer's serial number.
Thank you for your help
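An added offline check (not from the thread or from Fortinet) that audits a FortiOS configuration export for the exact setting the accepted solution changes: it parses top-level `config ... end` blocks and reports which minimum TLS version the FortiAnalyzer Cloud log target will use. The sample configuration is constructed, and the code assumes that a per-target `ssl-min-proto-version` of `default` (or none at all) falls back to `config system global`.

```python
# Constructed sample FortiOS configuration export (not taken from the thread).
SAMPLE_CONFIG = """\
config system global
    set ssl-min-proto-version TLSv1-2
end
config log fortianalyzer-cloud setting
    set status enable
    set ssl-min-proto-version TLSv1-3
end
"""


def parse_fortios_blocks(text):
    """Map each top-level 'config ... end' block to its 'set' key/value pairs.
    Nested 'config'/'edit' sub-blocks are tracked by depth and skipped."""
    blocks, name, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            depth += 1
            if depth == 1:
                name = line[len("config "):]
                blocks[name] = {}
        elif line.startswith("edit "):
            depth += 1
        elif line in ("end", "next"):
            depth -= 1
            if depth == 0:
                name = None
        elif line.startswith("set ") and depth == 1 and name is not None:
            key, _, value = line[len("set "):].partition(" ")
            blocks[name][key] = value.strip().strip('"')
    return blocks


def faz_cloud_tls_check(config_text):
    """Report the minimum TLS version the FortiAnalyzer Cloud log target will offer.
    Assumption: a per-target value of 'default' (or no value) follows system global."""
    blocks = parse_fortios_blocks(config_text)
    cloud = blocks.get("log fortianalyzer-cloud setting", {})
    glob = blocks.get("system global", {})
    local = cloud.get("ssl-min-proto-version", "default")
    if local != "default":
        min_proto, source = local, "log fortianalyzer-cloud setting"
    else:
        min_proto, source = glob.get("ssl-min-proto-version", "unset"), "system global"
    return {
        "status": cloud.get("status", "disable"),
        "min_proto": min_proto,
        "source": source,
        # True when the config matches the fix the accepted answer applied.
        "matches_thread_fix": cloud.get("status") == "enable" and min_proto == "TLSv1-3",
    }


if __name__ == "__main__":
    print(faz_cloud_tls_check(SAMPLE_CONFIG))
```

Run it against a `show full-configuration` export saved to a file to see whether the FAZ Cloud target inherits the global minimum or carries its own.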
Hi @willow ,
-what is the FGT model and version?
- Run the oftpd debugs on the FAZ cloud cli and share the output.
di de app oftpd 255
di de en
Thanks,
Created on ‎10-01-2025 03:09 AM Edited on ‎10-01-2025 03:09 AM
FGT 100F 7.4.9
FAZ 7.6.4
FAZVM64-VIO-CLOUD # di de app oftpd 255
oftpd debug filter: disable
FAZVM64-VIO-CLOUD # di de en
FAZVM64-VIO-CLOUD # logs of past 240 sec: 0
logs of past 300 sec: 0
Hello,
I have the same problem. A new FortiGate 70G with version 7.4.9 was set up today with a newly initialized FortiAnalyzer Cloud (7.6.4) entitlement. The FortiGate cannot be connected to the FortiAnalyzer; the error message is the same...
Best regards,
Karsten
Could you follow these links to check and get some logs ?
Regards
Bill
WCL-FORTIGATE # exec log fortianalyzer test-connectivity
No FAZ is enabled.
I am assuming this is because we're using FortiAnalyzer Cloud.
Serial is correct for the FAZ and the device is configured (although it still has it on its old firmware version). I have removed and re-added the device already.
I am assuming there's a missing or incorrect SSL certificate here and it just needs to redownload from the FAZ; however, I can't find an obvious way of clearing the settings and letting me add the device from the FortiGate side (as if it was never added before) or importing the correct certificate. I have already tried disabling the option for verification.
Hi willow and NAS,
Is the FortiGate in FIPS Mode?
https://community.fortinet.com/t5/FortiAnalyzer/Technical-Tip-FortiGate-FIPS-CC-enabled-to-send-log-...
There is an internal Bug ID: 1111972, FortiGate device with FIPS mode enabled cannot connect with FortiAnalyzer cloud
There was a workaround found which helped customer. The workaround is to add the below 2 DNS entries to the SAN:
*.fortianalyzer.forticloud.com
fortianalyzer.forticloud.com
Once you have this certificate uploaded to FortiAnalyzer, it needs to be set as the oftp cert using the following command:
config system certificate oftp
set mode local
set local "name of new cert"
end
Also upload the CA cert that is the issuer of the new custom cert to all the FortiGate devices sending logs, so that they trust the new cert on FortiAnalyzer Cloud.
Please let me know if that helps.
If you have found a solution, please like and accept it to make it easily accessible to others.
Regards,
Aman
I don't believe so, as we are based in Europe and that seems to be a federal (US) requirement, so I'm going to assume not. Is there a way to check? Most of the Google searches seem to give commands to enable it.
I would highly suspect this is an SSL issue and we need to export or import one of the certificates from the FAZ or Vice Versa.
Created on ‎10-01-2025 06:25 AM Edited on ‎10-01-2025 06:32 AM
Same here, we are located in Germany and FIPS-CC is not enabled, CLI output:
Best regards,
Karsten