From time to time, our support team encounters questions about why FortiGate is having trouble connecting to FortiGate Cloud. These queries have become more frequent recently, so I believe it’s time to address the issue in a blog post. If you’re experiencing the same error message, you’re in the right place.
Background Information
Even without purchasing a FortiGate Cloud subscription, you can store your logs on Fortinet’s cloud for seven days for free. Consequently, the demand for FortiGate Cloud has been increasing.
Problem Description
When there are issues with the connection to FortiGate Cloud, a “Connection status: Unreachable” message is usually displayed. It appears as follows:
Troubleshooting the Issue
Let’s identify the root cause of this problem. FortiGate uses OFTPS (Odette File Transfer Protocol over SSL) to transfer logs, and according to Fortinet, TCP port 514 is utilized for this purpose. We will use a sniffer command to examine where the problem lies:
FGT01 # diagnose sniffer packet any "port 514" 4 0 1
interfaces=[any]
filters=[port 514]
16.565915 wan1 out 203.0.113.215.5356 -> 83.231.212.158.514: syn 871684762
16.565951 wan1 out 203.0.113.215.5356 -> 83.231.212.158.514: syn 871684762
16.565958 wan1 out 203.0.113.215.11788 -> 154.52.10.167.514: syn 1541094252
17.405816 wan1 out 203.0.113.215.11788 -> 154.52.10.167.514: syn 1541094252
18.395823 wan1 out 203.0.113.215.5356 -> 83.231.212.158.514: syn 871684762
19.405841 wan1 out 203.0.113.215.11788 -> 154.52.10.167.514: syn 1541094252
From the sniffer output, we observe that while we are sending packets, specifically SYN requests and no responses are coming back. This suggests that a device between the FortiGate and the WAN is filtering the packets. Typically, these are ISP modems with an additional firewall that blocks TCP port 514.
This is a swisscom example:
In the case of Swisscom, this port is even blocked if the modem is working in bridge mode!
For companies using the ISP Swisscom, we have another blog post that details the necessary adjustments to the modem:
Once the necessary settings have been made, the log output should look like this:
FGT01 # diagnose sniffer packet any "port 514" 4 0 1
interfaces=[any]
filters=[port 514]
459.810152 wan1 out 203.0.113.215.11953 -> 154.52.10.167.514: syn 4076796399
459.810163 wan1 out 203.0.113.215.2643 -> 154.52.10.143.514: syn 1799754178
459.818415 wan1 in 154.52.10.143.514 -> 203.0.113.215.2643: syn 1066592269 ack 1799754179
459.818450 wan1 in 154.52.10.167.514 -> 203.0.113.215.11953: syn 979038082 ack 4076796400
459.818508 wan1 out 203.0.113.215.2643 -> 154.52.10.143.514: rst 1799754179
459.818508 wan1 out 203.0.113.215.11953 -> 154.52.10.167.514: rst 4076796400
460.915961 wan1 out 203.0.113.215.11959 -> 154.52.10.167.514: syn 2855958050
460.924425 wan1 in 154.52.10.167.514 -> 203.0.113.215.11959: syn 3281305726 ack 2855958051
460.924528 wan1 out 203.0.113.215.11959 -> 154.52.10.167.514: ack 3281305727
If no traffic is visible, try to trigger the connection using the Refresh button. The refresh button is shown in the following illustration:
After that at the latest, the FortiGate switches to Connected:
By following these steps, you should be able to resolve the connectivity issue with FortiGate Cloud.
Stay secure!
Additional Information
FortiGate open ports: https://docs.fortinet.com/document/fortigate/6.4.0/ports-and-protocols/303168/fortigate-open-ports
Swisscom BCON Blog: https://blog.boll.ch/swisscom-b-con-forticloud-zugriff-nicht-moglich/
