This section contains tips to help you with some common challenges of the Fortinet Security Fabric.
Useful diagnose commands
You can use the following diagnose commands as a first step to troubleshoot issues with the Security Fabric.
diagnose system csf
This command allows you to check if the upstream FortiGate can see downstream FortiGates. Advanced users can also use this command to send query requests to downstream FortiGates.
diagnose system csf downstream Show connected downstream FortiGates. query Query through Security Fabric. neighbor Security Fabric enabled devices in adjacency.
# dia sys csf downstream 1: FG101E4Q17001320 (10.1.1.1) Management-IP: 0.0.0.0 parent: FGT6HD3916800525 path:FGT6HD3916800525:FG101E4Q17001320 data received: Y downstream intf:VPN-to-External upstream intf:VPN-to-Branch admin-port:443 2: FGT90D3Z15019631 (192.168.200.10) Management-IP: 0.0.0.0 parent: FGT6HD3916800525 path:FGT6HD3916800525:FGT90D3Z15019631 data received: Y downstream intf:wan1 upstream intf:port11 admin-port:443 3: FG140D3G13804256 (192.168.10.10) Management-IP: 0.0.0.0 parent: FGT6HD3916800525 path:FGT6HD3916800525:FG140D3G13804256 data received: Y downstream intf:wan1 upstream intf:port10 admin-port:443
diagnose test application csfd
You can use this command to check the Security Fabric daemon. You can run this command on an upstream or downstream FortiGate.
diagnose test application csfd 1. show stats 2. show plugin status 99. restart 10. show MAC cache status 11. show Slave MAC cache status 20. show FAZ setting synchronization status 40. show slave mac sync status
# diagnose test application csfd 1 Dump CSF daemon info group name: Office-Security-Fabric group pwd: * status: Active in queue query num: 0 Upstream info N/A Downstream info fgt total: 3 # 1 sn: FG101E4Q17001320 ip: 10.1.1.1 port: 20407 status: link-ok SSL-ok auth-ok hello-ok no response: 0 # 2 sn: FGT90D3Z15019631 ip: 192.168.200.10 port: 1025 status: link-ok SSL-ok auth-ok hello-ok no response: 0 # 3 sn: FG140D3G13804256 ip: 192.168.10.10 port: 15011 status: link-ok SSL-ok auth-ok hello-ok no response: 0
Dump CSF daemon info group name: Office-Security-Fabric group pwd: * status: Active in queue query num: 0 Upstream info sn: FGT6HD3916800525 ip: 192.168.10.2 port: 8013 status: link-ok SSL-ok auth-ok hello-ok no response: 0 Downstream info fgt total: 0
Common questions and issues
The following sections provide information about specific questions and issues that may come up with the Security Fabric.
What devices are included in the Security Fabric?
To configure a Security Fabric, you must have at least two FortiGate units. One FortiGate will be the root FortiGate of the Security Fabric, and the other FortiGates will be the downstream FortiGates. An HA cluster is considered a single FortiGate unit.
In FortiOS 5.6 and later, a FortiAnalyzer is a required device in the Security Fabric.
The following devices are recommended in the Security Fabric:
Other Fortinet products and 3rd party products from the Fabric-Ready Partner Program are optional.
A downstream FortiGate won’t join the Security Fabric
Check your networking configuration to make sure the FortiGate can connect to an upstream FortiGate in the Security Fabric. If the FortiGate still won’t join the Security Fabric, verify that the Group Name and Password is the same on all devices in the Security Fabric, so that the connection between them is authenticated.
Network devices don’t appear in the Physical and Logical Topology
WAN destination bubbles
LAN device bubbles
Also, devices located behind a layer 3 device may not appear in the Physical and Logical Topology pages.
The historical views for Physical and Logical Topology aren’t working
If you can see devices and traffic in “real time,” but not in the historical views (5 minutes, 1 hour, and so on), this points to issues with FortiAnalyzer logging. To resolve this issue, do the following:
Check the FortiAnalyzer Release Notes to make sure the FortiAnalyzer’s firmware is compatible with the FortiOS version on the FortiGates in the Security Fabric
Go to Security Fabric > Settings on each FortiGate in the Security Fabric. All FortiGates should be sending logs to the same FortiAnalyzer, unless the option to use local logging is enabled (this option is only available for downstream FortiGates)
On the FortiAnalyzer, go to Device Manager and verify the following:
All FortiGate devices in the Security Fabric are authorized on the FortiAnalyzer
The Security Fabric group name and members are visible
All FortiGates are sending logs to the FortiAnalyzer
- FortiView has been properly configured on both the FortiAnalyzer and the FortiGate devices to display the right information