Security Fabric troubleshooting

This section contains tips to help you with some common challenges of the Fortinet Security Fabric.

Useful diagnose commands

You can use the following diagnose commands as a first step to troubleshoot issues with the Security Fabric.

diagnose system csf

This command allows you to check if the upstream FortiGate can see downstream FortiGates. Advanced users can also use this command to send query requests to downstream FortiGates.

Syntax:

diagnose system csf
downstream    Show connected downstream FortiGates.
query         Query through Security Fabric.
neighbor      Security Fabric enabled devices in adjacency.

Example output:

 # dia sys csf downstream 

 1:	FG101E4Q17001320 (10.1.1.1) Management-IP: 0.0.0.0 parent: FGT6HD3916800525
	path:FGT6HD3916800525:FG101E4Q17001320
	data received: Y downstream intf:VPN-to-External upstream intf:VPN-to-Branch admin-port:443
 
 2:	FGT90D3Z15019631 (192.168.200.10) Management-IP: 0.0.0.0 parent: FGT6HD3916800525
	path:FGT6HD3916800525:FGT90D3Z15019631
	data received: Y downstream intf:wan1 upstream intf:port11 admin-port:443

 3:	FG140D3G13804256 (192.168.10.10) Management-IP: 0.0.0.0 parent: FGT6HD3916800525
	path:FGT6HD3916800525:FG140D3G13804256
	data received: Y downstream intf:wan1 upstream intf:port10 admin-port:443

diagnose test application csfd

You can use this command to check the Security Fabric daemon. You can run this command on an upstream or downstream FortiGate.

Syntax:

diagnose test application csfd 
1. show stats
2. show plugin status
99. restart
10. show MAC cache status
11. show Slave MAC cache status
20. show FAZ setting synchronization status
40. show slave mac sync status

Example output:

Upstream FortiGate

# diagnose test application csfd 1

Dump CSF daemon info
group name: Office-Security-Fabric
group pwd: *
status: Active
in queue query num: 0

Upstream info
N/A

Downstream info
fgt total: 3

# 1
sn: FG101E4Q17001320
ip: 10.1.1.1
port: 20407
status:  link-ok SSL-ok auth-ok hello-ok
no response: 0

# 2
sn: FGT90D3Z15019631
ip: 192.168.200.10
port: 1025
status:  link-ok SSL-ok auth-ok hello-ok
no response: 0

# 3
sn: FG140D3G13804256
ip: 192.168.10.10
port: 15011
status:  link-ok SSL-ok auth-ok hello-ok
no response: 0

Downstream FortiGate

Dump CSF daemon info

group name: Office-Security-Fabric
group pwd: *
status: Active
in queue query num: 0

Upstream info
sn: FGT6HD3916800525
ip: 192.168.10.2
port: 8013
status:  link-ok SSL-ok auth-ok hello-ok
no response: 0

Downstream info
fgt total: 0

Common questions and issues

The following sections provide information about specific questions and issues that may come up with the Security Fabric.

What devices are included in the Security Fabric?

Required devices

To configure a Security Fabric, you must have at least two FortiGate units. One FortiGate will be the root FortiGate of the Security Fabric, and the other FortiGates will be the downstream FortiGates. An HA cluster is considered a single FortiGate unit.

In FortiOS 5.6 and later, a FortiAnalyzer is a required device in the Security Fabric.

Recommended devices

The following devices are recommended in the Security Fabric:

• FortiManager
• FortiAP
• FortiSwitch
• FortiClient
• FortiSandbox
• FortiMail
• FortiWeb

Optional devices

Other Fortinet products and 3rd party products from the Fabric-Ready Partner Program are optional.

A downstream FortiGate won’t join the Security Fabric

Check your networking configuration to make sure the FortiGate can connect to an upstream FortiGate in the Security Fabric. If the FortiGate still won’t join the Security Fabric, verify that the Group Name and Password is the same on all devices in the Security Fabric, so that the connection between them is authenticated.

Network devices don’t appear in the Physical and Logical Topology

In the Physical and Logical Topology pages, two types of device bubbles are shown: WAN destination and LAN device. Each type has its own requirements:

Also, devices located behind a layer 3 device may not appear in the Physical and Logical Topology pages.

The historical views for Physical and Logical Topology aren’t working

If you can see devices and traffic in “real time,” but not in the historical views (5 minutes, 1 hour, and so on), this points to issues with FortiAnalyzer logging. To resolve this issue, do the following:

• Check the FortiAnalyzer Release Notes to make sure the FortiAnalyzer’s firmware is compatible with the FortiOS version on the FortiGates in the Security Fabric

• Go to Security Fabric > Settings on each FortiGate in the Security Fabric. All FortiGates should be sending logs to the same FortiAnalyzer, unless the option to use local logging is enabled (this option is only available for downstream FortiGates)

• On the FortiAnalyzer, go to Device Manager and verify the following:

  • All FortiGate devices in the Security Fabric are authorized on the FortiAnalyzer

  • The Security Fabric group name and members are visible

  • All FortiGates are sending logs to the FortiAnalyzer

  • FortiView has been properly configured on both the FortiAnalyzer and the FortiGate devices to display the right information

The post Security Fabric troubleshooting appeared first on Fortinet Cookbook.