Customer Service Note: FortiCloud Frequently Asked Questions

Andy_G · ‎04-19-2019

Description

This article provides a list of frequently asked questions concerning FortiCloud.

Solution

Q: What to do when receiving an "Invalid Username or Password" or "FortiCloud Internal Error" message while activating FortiCloud on FortiGate?

Answer: Some possible causes are:
FortiCloud account and FortiGate device must be within the same domain (global or Europe)
Password must be less than 20 characters in length
For FortiOS v5.4 or lower, special characters in password are not supported by FortiOS
Devices in HA pair must be activated individually: disable HA setting > activate each device > reform the HA pair
If all of conditions above are fulfilled, check the network settings, make sure nothing is blocking port 443 and that it is possible to telnet to logctrl1.fortinet.com
In CLI, enable FortiCloud debug then manually update log server config by typing in the following:
# diag debug app forticldd -1
# diag debug enable
# diag fdsm log-controller-update

Q: How to switch FortiCloud account ID from A to B (where B does not exist in FortiCloud as an account ID)?

Answer:
Login to FortiCloud portal with email A
Add a new admin user with email B
After activating B, set B as Primary User of the account
Login with email B and delete user A
On the FortiGate WebUI , logout from A then login with B.

Q: How to transfer FortiGate devices in account A to account B within the same domain?

Answer:
Login to FortiCloud portal with A
Go to the home page > FortiGate > click on the gear wheel logo > select Authorise New Account > enter account email B
Login locally into FortiGate device's UI
Logout from A, then login with B
Historical data will be preserved
If Authorise New Account is not set, or it is set but customer tries to login with account other than B, the device will be RMAed under account A, no historical data will be presented under the new account
If Authorise New Account is set, but the customer undeploy the device prior to logging in with B, historical data will be erased completely.

Q: How to activate FortiCloud on HA-paired FortiGate devices?

Answer:
FortiGate WebUI > System > HA, click icon `Disconnect from cluster` of a FortiGate
Choose proper interface and input proper IP, and click OK
Connect to IP input at step 2 to activate FortiCloud
Repeat above to activate FortiCloud in all FortiGates in the HA
FortiGate > Dashboard > HA Status, click link Configure to reform the HA pair

Q: How to bring management tunnel status up online on the FortiGate device>

A: In CLI, type in the following:
# config system central-management
# set mode backup
# set type fortiguard
# end
# exec reboot

Q: How come no matter what I do, the management tunnel is still down.

Answer: If the FortiGate device has just been removed from a FortiCloud, it may take up to 10 minutes for it to be added back to FortiCloud. In this case, if the regular operations cannot bring the management tunnel up online, logout from FortiCloud and wait for 10 minutes then re-activate FortiCloud on the device.

Q: What to do if the FortiGate device stays in inactive state for more than 24 hours?

Answer: Check the network settings and make sure nothing is blocking port 443. Verify it is possible to telnet to logctrl1.fortinet.com through port 443. Logout from FortiCloud within device's UI then login again.

Q: What to do if the "Device is already in inventory" message is seen when trying to add a device by key?.

Answer: If the device is either undeployed, or there is no log being uploaded to FortiCloud, remove that device from inventory then try again.

Q: What to do if the report key cannot be used to add a FortiGate device (an invalid key message is received).

Answer: Try to login locally to device's WebUI, and activate FortiCloud by Login. If you do not have local access to the device, then verify the key is consistent with record in key list on dispatcher. Reset key validity flag to 1 on https://logctrl1.fortinet.com/com.fortinet.dispatcher.gwt.Main/Main.html.

Q: How to move an AP from account A to account B (received AP is already in inventory message)

Answer: The AP has to be removed completely from account A before it can be added to account B.

First, login to account A, find the AP from AP network, then remove it from the AP network.

Go to AP Inventory and delete the AP from the inventory.

Login to account B, deploy the AP into an AP network with its FortiCloud key.

Q: What to do if FortiCloud activation is successful on device but cannot see it in portal?

Answer: When a new device is added to FortiCloud, it can be dispatched to the global or the European FortiCloud service by its IP geo-location. User may click on the switch service icon (double arrow besides logout) to see if the device has been deployed to another service.

If the device is running on FortiOS version supporting domain selection at login, then user may go directly to global (www.forticloud.com) or Europe (europe.forticloud.com)

Q: How to switch a device from global service to Europe service, or vice versa?

Answer: Login to FortiCloud portal and find the device to be moved. Click on the gearwheel-shape Config icon and select Data Center Location from the drop-down list. Select Move to and submit.

Please note that user needs to logon to the device's webUI and re-activate FortiCloud to actually see the device in account under desired service. The device can also be moved back with the same steps under the new service. Existing logs will be stored under the old service and newly uploaded logs will be stored under the new service.

Q: Why am I able to log into FortiCloud portal but cannot activate FortiCloud on a FortiGate device with the same set of credentials?

Answer: When using FortiOS v5.4 or lower, special characters in password are not supported by FortiOS, so it will send garbage data to FortiCloud when trying to activate FortiCloud support special characters in password without any problems.

A solution may be to either remove special characters in password, or upgrade FortiGate device's firmware to v5.6 or newer.

Q: What happens if storage contract expires?

Answer: Data older than 7 days will be purged permanently.