202100 - Failed to Push Dynamic Entry to FortiGates
Agent error code #202100 indicates that the agent could not push a dynamic entry (IP address add or remove) to one or more FortiGates. This error applies to Passive+ mode (both FortiManager and direct FortiGate variants).
In Passive+ mode, the agent pushes real-time updates to the FortiGate's in-memory external resource list. This push is an optimization for near-instant propagation — it is not a hard dependency. If the push fails, the FortiGates will still pick up the change on their next scheduled poll of the Knocknoc allowlist. The grant or revoke operation is not failed.
The error message includes additional detail about the underlying cause.
Common causes include:
- The FortiGate rejected the dynamic entry push due to a configuration or permission error
- The FortiManager proxy request failed when fanning the push out to target FortiGates
- The external resource name does not exist on the target FortiGates (see also #202102)
- Network connectivity issues between the agent and the FortiGate or FortiManager (see also #202000, #202004)
- The API user lacks sufficient permissions (see also #202002)
Steps to Resolve
Check Agent Logs
- Review the agent logs for the full error message — it will include details about which FortiGate(s) rejected the push and why
- Look for messages containing "passive+ dynamic entry push failed" or "direct FortiGate dynamic entry push failed"
- The error detail may reference a specific FortiGate by serial number or target path
Verify the External Feed Name
- In the Knocknoc admin interface, check the External Feed Name configured for the ACL
- On the target FortiGates, verify an external resource exists with the exact same name
- Names are case-sensitive and must match exactly (see also #202102)
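The exact-match check above, as an added example (not Knocknoc or Fortinet code): given the External Feed Name and the external resource names read from each FortiGate, it separates a resource that is missing from one that differs only by case, whitespace or Unicode form. The function names, device labels and resource names are hypothetical, and the sample data is constructed.

```python
# Added example: names and sample data are constructed, not Knocknoc or Fortinet code.
import unicodedata


def _fold(name: str) -> str:
    """Normalise a name so case, surrounding whitespace and Unicode form are ignored."""
    return unicodedata.normalize("NFKC", name).strip().casefold()


def check_feed_name(configured: str, resources_by_device: dict[str, list[str]]) -> dict[str, dict]:
    """Compare the configured External Feed Name with each device's resource names.

    Per device, the status is "ok" (an exact, case-sensitive match exists),
    "near-miss" (a name matches only after normalisation) or "missing".
    """
    report = {}
    for device, names in resources_by_device.items():
        if configured in names:
            report[device] = {"status": "ok", "candidates": []}
            continue
        # No exact match: look for names that would match if case and whitespace
        # were ignored, since those are the likely misconfigurations.
        near = [n for n in names if _fold(n) == _fold(configured)]
        report[device] = {"status": "near-miss" if near else "missing", "candidates": near}
    return report


# Constructed sample input: hypothetical device labels and external resource names.
SAMPLE = {
    "fgt-a": ["knocknoc-allow", "threat-feed-1"],  # exact match
    "fgt-b": ["Knocknoc-Allow"],                   # differs by case
    "fgt-c": ["knocknoc-allow "],                  # trailing space
    "fgt-d": ["threat-feed-1"],                    # resource absent
}

if __name__ == "__main__":
    for device, result in check_feed_name("knocknoc-allow", SAMPLE).items():
        # repr() makes stray whitespace in a near-miss name visible.
        print(device, result["status"], [repr(c) for c in result["candidates"]])
```

A "near-miss" result means the resource should be renamed (or the External Feed Name corrected) so the two strings are identical.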
Verify API Permissions
- FortiManager Passive+ mode: Ensure the FortiManager API user has the DeviceManager — Manage Device Configurations permission set to Read-Write, or the Super_User admin profile
- Direct FortiGate Passive+ mode: Ensure the FortiGate REST API Admin has a profile with read/write access to System > Configuration
Verify Device Targets (FortiManager)
- If using Device Targets, ensure the serial numbers or group names match devices managed by FortiManager in the configured ADOM
- If Device Targets are left empty, the push targets all FortiGates in the ADOM (see also #202101)
Still Having Issues?
We can help you out. Contact us at support@knocknoc.io.