Knowledge Base
ConfigSentry

Queued Audit Handling

How ConfigSentry handles queued audit submissions and what the visible audit statuses mean.

Manual uploads, direct SSH audits, scheduled direct SSH runs, and collector submissions can be accepted first and processed shortly after. This guide explains the customer-visible behavior without exposing queue internals.

1. Why an Audit May Be Queued

Some audits can start immediately, while others may wait briefly before processing begins. ConfigSentry may queue an audit when workers are already busy or when concurrency or health checks delay a new start.

A queued state does not mean the submission was rejected. It means the audit was accepted and is waiting for worker capacity.

2. How Queued Audit Data Is Handled

Where an audit is queued, the submitted configuration or prepared audit payload may be stored temporarily in encrypted form until processing begins or the queued item expires.

  • Plaintext firewall configurations are not stored in the database as queue records.
  • The database stores encrypted queued payloads and operational metadata only.
  • Temporary decrypt keys are stored separately from the database on backend storage.
  • Queued payloads and temporary key files are deleted when processing starts or when expired items are cleaned up.

3. What Each Status Means

  • Queued - the audit has been accepted and is waiting for worker capacity.
  • Running - a worker is actively processing the audit.
  • Completed - the audit finished successfully and the report is available.
  • Failed - the audit did not complete successfully.
  • Key Lost / Retry Required - temporary key material was unavailable before processing began, so the queued audit could not be started.
  • Expired - the queued audit was not processed before its queue expiry window ended.
  • Cancelled - the queued audit was cancelled before completion.

4. What Retry Required Means

If a queued audit shows Key Lost / Retry Required, the temporary decrypt key was unavailable before processing started. In that situation the queued payload cannot be processed normally.

The usual next step is to submit the manual upload again or allow the collector or retrieval workflow to collect the configuration again.

5. Which Workflows Can Show Queued Statuses

The same queue-related statuses can appear across multiple workflows:

  • Manual configuration uploads
  • Manual direct SSH audits
  • Scheduled direct SSH audits
  • Collector-based submissions

6. What This Does Not Mean

  • A queued audit does not mean your firewall was changed.
  • A queued audit does not mean the platform stores plaintext queue records in the database.
  • A retry-required audit does not necessarily indicate a problem with your FortiGate itself.

7. Related Guidance

Back to Knowledge Base Start an Audit