Security Fabric troubleshooting


This section contains tips to help you with some common challenges of the Fortinet Security Fabric.

Useful diagnose commands

You can use the following diagnose commands as a first step to troubleshoot issues with the Security Fabric.

diagnose system csf

This command allows you to check if the upstream FortiGate can see downstream FortiGates. Advanced users can also use this command to send query requests to downstream FortiGates.

Syntax:

diagnose system csf
downstream    Show connected downstream FortiGates.
query         Query through Security Fabric.
neighbor      Security Fabric enabled devices in adjacency.

Example output:

 # dia sys csf downstream 

 1:	FG101E4Q17001320 (10.1.1.1) Management-IP: 0.0.0.0 parent: FGT6HD3916800525
	path:FGT6HD3916800525:FG101E4Q17001320
	data received: Y downstream intf:VPN-to-External upstream intf:VPN-to-Branch admin-port:443
 
 2:	FGT90D3Z15019631 (192.168.200.10) Management-IP: 0.0.0.0 parent: FGT6HD3916800525
	path:FGT6HD3916800525:FGT90D3Z15019631
	data received: Y downstream intf:wan1 upstream intf:port11 admin-port:443

 3:	FG140D3G13804256 (192.168.10.10) Management-IP: 0.0.0.0 parent: FGT6HD3916800525
	path:FGT6HD3916800525:FG140D3G13804256
	data received: Y downstream intf:wan1 upstream intf:port10 admin-port:443

diagnose test application csfd

You can use this command to check the Security Fabric daemon. You can run this command on an upstream or downstream FortiGate.

Syntax:

diagnose test application csfd 
1. show stats
2. show plugin status
99. restart
10. show MAC cache status
11. show Slave MAC cache status
20. show FAZ setting synchronization status
40. show slave mac sync status

Example output:

Upstream FortiGate

# diagnose test application csfd 1

Dump CSF daemon info
group name: Office-Security-Fabric
group pwd: *
status: Active
in queue query num: 0

Upstream info
N/A

Downstream info
fgt total: 3

# 1
sn: FG101E4Q17001320
ip: 10.1.1.1
port: 20407
status:  link-ok SSL-ok auth-ok hello-ok
no response: 0

# 2
sn: FGT90D3Z15019631
ip: 192.168.200.10
port: 1025
status:  link-ok SSL-ok auth-ok hello-ok
no response: 0

# 3
sn: FG140D3G13804256
ip: 192.168.10.10
port: 15011
status:  link-ok SSL-ok auth-ok hello-ok
no response: 0

Downstream FortiGate

Dump CSF daemon info

group name: Office-Security-Fabric
group pwd: *
status: Active
in queue query num: 0

Upstream info
sn: FGT6HD3916800525
ip: 192.168.10.2
port: 8013
status:  link-ok SSL-ok auth-ok hello-ok
no response: 0

Downstream info
fgt total: 0
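As an added example that is not part of the Fortinet page, the following Python parses a `diagnose test application csfd 1` dump (the constructed sample mirrors the format shown above, with one peer deliberately broken) and flags any peer that lacks one of the link-ok/SSL-ok/auth-ok/hello-ok states or has a non-zero no-response count, which is handy when polling several FortiGates for fabric health.

```python
# Added example (not Fortinet's code): parse a "diagnose test application csfd 1"
# dump and flag peers that are not fully link/SSL/auth/hello-ok or have unanswered hellos.
REQUIRED_FLAGS = ("link-ok", "SSL-ok", "auth-ok", "hello-ok")
# Constructed sample in the dump format shown above; the second peer is deliberately unhealthy.
SAMPLE_DUMP = """\
Dump CSF daemon info
group name: Office-Security-Fabric
Upstream info
N/A
Downstream info
fgt total: 2
sn: FG101E4Q17001320
ip: 10.1.1.1
port: 20407
status:  link-ok SSL-ok auth-ok hello-ok
no response: 0
sn: FG140D3G13804256
ip: 192.168.10.10
port: 15011
status:  link-ok SSL-ok
no response: 4
"""

def parse_csfd_dump(text):
    """Return (group name, {"upstream": [...], "downstream": [...]}) from a dump."""
    group, section, peer, peers = None, None, None, {"upstream": [], "downstream": []}
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("group name:"):
            group = line.split(":", 1)[1].strip()
        elif line in ("Upstream info", "Downstream info"):  # new section, no open peer
            section, peer = line.split()[0].lower(), None
        elif line.startswith("sn:") and section:             # every peer block starts at sn:
            peer = {"sn": line.split(":", 1)[1].strip()}
            peers[section].append(peer)
        elif peer is not None and ":" in line:               # ip / port / status / no response
            key, value = line.split(":", 1)
            peer[key.strip()] = value.strip()
    return group, peers

def check_peers(peers, max_no_response=0):
    """List (role, serial, problem) for every peer that is not fully healthy."""
    problems = []
    for role, plist in peers.items():
        for p in plist:
            missing = [f for f in REQUIRED_FLAGS if f not in p.get("status", "").split()]
            if missing:  # a missing auth-ok usually points at a group name/password mismatch
                problems.append((role, p["sn"], "missing " + " ".join(missing)))
            if int(p.get("no response", 0)) > max_no_response:
                problems.append((role, p["sn"], "no response count " + p["no response"]))
    return problems
```

Feed the function the raw output captured over SSH from each FortiGate and alert on a non-empty result.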

Common questions and issues

The following sections provide information about specific questions and issues that may come up with the Security Fabric.

What devices are included in the Security Fabric?

Required devices

To configure a Security Fabric, you must have at least two FortiGate units. One FortiGate will be the root FortiGate of the Security Fabric, and the other FortiGates will be the downstream FortiGates. An HA cluster is considered a single FortiGate unit.

In FortiOS 5.6 and later, a FortiAnalyzer is a required device in the Security Fabric.

Recommended devices

The following devices are recommended in the Security Fabric:

Optional devices

Other Fortinet products and 3rd party products from the Fabric-Ready Partner Program are optional.

A downstream FortiGate won’t join the Security Fabric

Check your networking configuration to make sure the FortiGate can connect to an upstream FortiGate in the Security Fabric. If the FortiGate still won't join the Security Fabric, verify that the Group Name and Password are the same on all devices in the Security Fabric, so that the connection between them is authenticated.

Network devices don’t appear in the Physical and Logical Topology

In the Physical and Logical Topology pages, two types of device bubbles are shown: WAN destination and LAN device. Each type has its own requirements:

WAN destination bubbles

  • Shows traffic to interfaces that have the WAN role
  • Does not require device detection on the interface

LAN device bubbles

  • Shows any device detected on any FortiGate interfaces, regardless of interface role
  • Requires device detection on the interfaces

Also, devices located behind a layer 3 device may not appear in the Physical and Logical Topology pages.

The historical views for Physical and Logical Topology aren’t working

If you can see devices and traffic in “real time,” but not in the historical views (5 minutes, 1 hour, and so on), this points to issues with FortiAnalyzer logging. To resolve this issue, do the following:

  • Check the FortiAnalyzer Release Notes to make sure the FortiAnalyzer’s firmware is compatible with the FortiOS version on the FortiGates in the Security Fabric

  • Go to Security Fabric > Settings on each FortiGate in the Security Fabric. All FortiGates should be sending logs to the same FortiAnalyzer, unless the option to use local logging is enabled (this option is only available for downstream FortiGates)

  • On the FortiAnalyzer, go to Device Manager and verify the following:

    • All FortiGate devices in the Security Fabric are authorized on the FortiAnalyzer

    • The Security Fabric group name and members are visible

    • All FortiGates are sending logs to the FortiAnalyzer

    • FortiView has been properly configured on both the FortiAnalyzer and the FortiGate devices to display the right information

Victoria Martin

Technical Writer & Head Cookbook Chef at Fortinet
Victoria Martin works in Ottawa as part of the FortiOS technical documentation team. She graduated with a Bachelor's degree from Mount Allison University, after which she attended Humber College's book publishing program, followed by the more practical technical writing program at Algonquin College. She does need glasses but also likes wearing them, since glasses make you look smarter.