FortiGate
Debbie_FTNT
Staff
Article Id 194403
Description
This article describes troubleshooting steps for issues that arise when adding a FortiGate to an existing Security Fabric.

Useful background on the Security Fabric can be found in the FortiOS Security Fabric documentation.

Solution
The Fortinet Security Fabric provides visibility of connected Fortinet devices, in particular FortiGates, from a single root FortiGate. Issues can arise when a FortiGate is added to an existing Security Fabric, impeding visibility and communication between the Fabric nodes.
Errors are mainly displayed in the Security Fabric section of the FortiGate GUI. Error messages that mention FortiView and/or FortiAnalyzer usually indicate a problem with that FortiGate's communication with the Fabric FortiAnalyzer, or a problem with logging, rather than a connectivity issue between two FortiGates.

If an issue arises, the following troubleshooting can be done:

In the CLI, collect this output:
# diag debug reset
# diag debug app csf -1
# diag debug en
Observe which error messages appear in the CLI (disable debugging afterwards with 'diag debug disable'). A common cause is missing CAs (Certificate Authorities), which leads to errors like the following:
<2761> 02 __ssl_recv()-596: ssl error: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
This indicates that one FortiGate does not trust the certificate presented by the other. The 'unknown ca' alert is sent by the peer that rejected the certificate, so the FortiGate printing this line is the one whose certificate the other side does not trust. To fix this, download the CA certificate from each FortiGate and import it on the other.
Also restart the csf daemon after this has been done.

To restart the csf daemon:

1) Find the daemon process ID (PID):
# diag sys process pidof csf   ## in version 6.0 and higher
# fnsysctl cat /var/run/csf.pid   ## in version 5.6
2) Kill the daemon (it restarts automatically):
# diag sys kill 11 <process ID>
Restarting the csf daemon can also resolve other Fabric issues on its own, so it is worth trying even when no CA error is visible.
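The following Python script is an added example, not part of the original article and not Fortinet code. It parses csf debug lines like the one above, decodes the packed OpenSSL error code into the TLS alert the peer sent (so the engineer can tell a missing CA apart from other TLS failures), and returns the csf restart commands from the procedure above for a given FortiOS version. The sample debug output is constructed (the first line is the article's; the other two are made up in the same format), and the classic OpenSSL 1.x error-code layout is assumed, which is what the 8-digit hex code on the page uses.

```python
"""Triage 'diag debug app csf -1' output for TLS trust failures.

Added example for this article; not Fortinet code. The sample output is
constructed. Assumes the classic OpenSSL 1.x packed error code (8-bit
library, 12-bit function, 12-bit reason); OpenSSL 3 packs codes differently.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: line 1 is the article's example, lines 2-3 are made up.
SAMPLE_CSF_DEBUG = """\
<2761> 02 __ssl_recv()-596: ssl error: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
<2761> 02 csf: peer 10.0.0.2 handshake failed, retrying
<2761> 02 __ssl_recv()-596: ssl error: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate
"""

ERR_LIB_SSL = 20            # OpenSSL library number for the SSL library
SSL_AD_REASON_OFFSET = 1000  # a received TLS alert is reported as reason 1000 + alert

# TLS alert descriptions (RFC 5246 section 7.2.2), alert number -> name.
TLS_ALERTS = {
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied",
    51: "decrypt_error", 70: "protocol_version", 71: "insufficient_security",
    80: "internal_error",
}
# Alerts that mean the *peer* rejected the certificate this FortiGate presented.
PEER_REJECTED_OUR_CERT = {42, 43, 44, 45, 46, 48}

OPENSSL_ERR_RE = re.compile(
    r"error:([0-9A-Fa-f]{8}):(?P<lib>[^:]+):(?P<func>[^:]+):(?P<reason>[^\n]+)"
)


def decode_openssl_code(code: int) -> Tuple[int, int, int]:
    """Split a packed OpenSSL 1.x error code into (library, function, reason)."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


@dataclass
class TlsFinding:
    line: str
    alert: Optional[int]   # TLS alert number sent by the peer, or None
    alert_name: str
    diagnosis: str


def classify(line: str) -> Optional[TlsFinding]:
    """Return a finding for a csf debug line carrying an OpenSSL error, else None."""
    m = OPENSSL_ERR_RE.search(line)
    if not m:
        return None
    lib, _func, reason = decode_openssl_code(int(m.group(1), 16))
    if lib != ERR_LIB_SSL or reason < SSL_AD_REASON_OFFSET:
        return TlsFinding(line, None, "", "OpenSSL error without a peer alert: " + m.group("reason"))
    alert = reason - SSL_AD_REASON_OFFSET
    name = TLS_ALERTS.get(alert, f"alert_{alert}")
    if alert in PEER_REJECTED_OUR_CERT:
        diagnosis = (f"peer sent {name}: it does not trust the certificate this FortiGate "
                     "presented; import this FortiGate's CA on the peer, then restart csf")
    else:
        diagnosis = f"peer sent {name}: TLS failure not caused by a missing CA"
    return TlsFinding(line, alert, name, diagnosis)


def triage(debug_output: str) -> List[TlsFinding]:
    """Classify every line of the captured debug output, keeping only TLS errors."""
    return [f for f in (classify(ln) for ln in debug_output.splitlines()) if f]


def restart_csf_commands(fortios_version: str) -> List[str]:
    """CLI sequence from the article to restart csf; <pid> is filled in by hand."""
    major, minor = (int(x) for x in fortios_version.split(".")[:2])
    pid_cmd = ("diag sys process pidof csf" if (major, minor) >= (6, 0)
               else "fnsysctl cat /var/run/csf.pid")
    return [pid_cmd, "diag sys kill 11 <pid>"]


if __name__ == "__main__":
    for finding in triage(SAMPLE_CSF_DEBUG):
        print(f"alert {finding.alert} ({finding.alert_name}): {finding.diagnosis}")
    print("\n".join(restart_csf_commands("7.0.12")))
```

Paste the real debug capture into SAMPLE_CSF_DEBUG (or read it from a file) and run the script; a finding with alert 48 on a given FortiGate means that FortiGate's CA is the one the peer is missing.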

General troubleshooting should also be done:
- Verify that the affected FortiGates can reach each other (ping, HTTPS, SSH, and the Security Fabric port, TCP 8013 by default).
- Check the crashlog on each FortiGate for crashes of the csf and miglogd processes:
# diag debug crashlog read
- Check the release notes of the firmware versions running on the devices for known issues regarding the Security Fabric.

Notes:
Make sure there is no compatibility issue: keep the FortiGates on similar firmware versions if possible, and make sure that any FortiAnalyzer (and FortiManager, if present) runs a compatible firmware version. The FortiAnalyzer/FortiManager must be on at least the same branch (major.minor) as the highest FortiGate version.
Compatibility matrices can be found in the FortiManager or FortiAnalyzer section of the Fortinet documentation.
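The following Python check is an added example, not part of the original article and not Fortinet code. It encodes only the branch rule stated above (FortiAnalyzer/FortiManager on at least the same major.minor branch as the highest FortiGate, and FortiGates on similar versions) and accepts either a bare version number or the 'Version:' line of get system status. The version strings in it are constructed, and it does not replace the compatibility matrix.

```python
"""Branch-compatibility pre-check for a Security Fabric.

Added example for this article; not Fortinet code. Encodes the article's rule
only: every FortiAnalyzer/FortiManager must be on at least the same firmware
branch (major.minor) as the highest FortiGate, and FortiGates should be on
similar versions. Version strings below are constructed; the 'Version:' line
format of 'get system status' is assumed from typical output.
"""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Matches '7.0.12' as well as 'Version: FortiGate-100F v7.0.12,build0523,230425 (GA.M)'.
VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Version:
    """Extract (major, minor, patch) from a version string or a 'get system status' line."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def branch(v: Version) -> Tuple[int, int]:
    """Firmware branch is the major.minor pair."""
    return v[0], v[1]


def fmt(v: Version) -> str:
    return ".".join(map(str, v))


def check_fabric_versions(fortigates: Dict[str, str],
                          fortianalyzer: Optional[str] = None,
                          fortimanager: Optional[str] = None) -> List[str]:
    """Return a list of problems; an empty list means the article's rules are satisfied."""
    problems: List[str] = []
    fgt = {name: parse_version(v) for name, v in fortigates.items()}
    highest_name, highest = max(fgt.items(), key=lambda kv: kv[1])

    # FortiGates should be on similar versions: flag a spread across branches.
    if len({branch(v) for v in fgt.values()}) > 1:
        spread = ", ".join(f"{n}={fmt(v)}" for n, v in sorted(fgt.items()))
        problems.append(f"FortiGates span several branches ({spread}); align firmware if possible")

    # FortiAnalyzer/FortiManager must be at least on the highest FortiGate's branch.
    for label, ver in (("FortiAnalyzer", fortianalyzer), ("FortiManager", fortimanager)):
        if ver is None:
            continue
        bv = parse_version(ver)
        if branch(bv) < branch(highest):
            problems.append(f"{label} {fmt(bv)} is on an older branch than "
                            f"{highest_name} ({fmt(highest)}); upgrade it first")
    return problems


if __name__ == "__main__":
    # Constructed inventory: the leaf FortiGate and the FortiAnalyzer lag a branch behind.
    result = check_fabric_versions(
        {"root": "Version: FortiGate-100F v7.0.12,build0523,230425 (GA.M)",
         "branch-a": "6.4.14"},
        fortianalyzer="6.4.12", fortimanager="7.0.8")
    print("\n".join(result) or "no branch problems found")
```

Run it once with the versions from get system status on each device before adding a new FortiGate; any FortiAnalyzer or FortiManager line it prints should be resolved before troubleshooting the Fabric connection itself.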

