Troubleshooting Fortigate Firewall

This section helps you troubleshoot common problems that you might encounter when using the Fortigate firewall with CERT+. It covers Fortigate firewall certificate config fetch, discovery, CSR creation, backup, push, bind, rollback, and other actions associated with the Fortigate firewall.

Issues in Fetch Config

| Error Message | Possible Cause | Possible Solution |
|---|---|---|
| Error occurred in command execution - <Error message> | Error occurred in command execution. | Command execution has failed. Please refer to the error message associated with this. |

Issues in Discovery

| Error Message | Possible Cause | Possible Solution |
|---|---|---|
| Please provide information as required | Discovery name is not given or length is less than 2 characters. | Enter a valid name with a minimum of 2 characters. |
| Please provide information as required | Interval between batches info. is missing when execution type is sequential. | Provide a time interval between batches in minutes. |
| Please select a device | No device is selected in the Discover By section. | Select at least one device to discover certificates from. |
| Error occurred in command execution - <Error message> | Error occurred in command execution. | Command execution has failed. Please refer to the associated error message. |

Issues in CSR Generation

| Error Message | Possible Cause | Possible Solution |
|---|---|---|
| Exception occured while getting Api key - Invalid credentials. | Credentials may be invalid. | Provide valid credentials. |
| Unsupported Key type provided | Unsupported key type is selected. | Please select RSA or EC. |
| Csr name exists in the device, and cannot be overwritten. | Name is already used in the device. | Please use a different name. |
| Csr generation is device failed | CSR generation has failed. | CSR generation has failed. Please refer to the associated error message. |

Issues in Fortigate Firewall Backup, Push, Bind and Rollback

| Error Message | Possible Cause | Possible Solution |
|---|---|---|
| Unable to initiate request. | Pushing to device when certificate is unavailable, i.e., in a new state. | Push to device after certificate has been retrieved from CA. |
| Unable to initiate request. | Previous work order is in progress and not completed. | Initiate push after previous work order is finished. |
| Unable to initiate request. | AppConnector might not be in sync. | Synchronize the AppConnector and retry. |
| Unable to initiate request, template is in disabled state | Given workflow is not in enabled state. | Enable the push/rollback workflow from the Workflow section. |
| User is not authorized | User does not have required permissions to push to the device. | Retry after getting access for the required action. |
| Application connector(s) not found | Application connector info was not found. | Provide the correct connectorId if not pushing using AppViewX UI. |
| Request associated with the application connector is in progress | Previous work order is in progress and not completed. | Initiate this request after the previous work order is finished. |
| Push not triggered or succeeded or No existing data available for backup process. | Rollback couldn’t proceed because push was not successful. | Only successfully pushed certificates can be rolled back. |
| Certificate not found. | Pushing to device when certificate is unavailable, i.e., in a new state. | Push to device after certificate has been retrieved from CA. |
| Certificate content is mandatory parameter | Certificate content should be available. | Please specify certificate content in the request. |
| Intermed certificate content is mandatory for pushing CA certificate | Intermediate certificate content should be available. | Please specify intermediate certificate content in the request. |
| Root certificate content is mandatory for pushing CA certificate | Root certificate content should be available. | Please specify root certificate content in the request. |
| Certificate name is mandatory parameter | Certificate file name is mandatory. | Please specify the certificate file name in the connector. |
| Profile details are missing in Application connector | Profile details are missing. | Please specify profile details in the request. |
| Private key password is mandatory parameter | Private key password is mandatory. | Specify private key password in the connector. |
| Given certificate name does not exist in a device with a private key. Certificate with private key should exist either in device or AppViewX | Private key not available in the certificate. | Certificate should be pushed with the private key to bind with the profile. |
| Root certificate name already exists in ca store, Cannot overwrite until Overwrite is enabled in Connector | Overwrite is not enabled in the application connector. | Enable overwrite option in the application connector. |
| Intermediate certificate with name: <name> already exists in ca store, Cannot overwrite until Overwrite is enabled in Connector | Overwrite is not enabled in the application connector. | Enable overwrite option in the application connector. |
| Certificate name already exists in inventory, Cannot overwrite until Overwrite is enabled in Profile connector | Certificate with the same name already exists on the device. | Please change the certificate name or enable overwrite in the application connector. |
| Certificate is expired | Certificate is expired. | Push the certificate which is currently valid. |
| Unknown certificate algorithm | Unknown certificate algorithm. | Push the certificates only with RSA or EC. |
| certificate is not yet valid | Certificate valid from value is greater than the current time. | Only valid certificates can be pushed. |