fortinetforumfiokom

FortiGate sends UDP 8014 packets on the WAN interface even though the security fabric is not enabled

Hi!

I have a public IPv4 pool. I use 3 independent VDOMs with one public IP each on their WAN interface. I just noticed that the FortiGate is regularly sending UDP 8014 packets from each WAN interface to the broadcast address of the IP pool. On the WAN interfaces only ping is enabled for admin access.

(attached screenshot: PakcetCapture.png)

If it is not enabled, why is it sending these packets? Is this a bug or a "hidden" feature?

Device: FortiGate 201F

Firmware: v7.4.3 build2573

Thank you.
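To pin down the behaviour described above before changing anything, it helps to isolate exactly the packets in question: UDP to port 8014, sourced from a WAN-pool address and sent to that pool's directed broadcast address. The script below is an added example for this thread, not code from the original post or from Fortinet. It parses tcpdump-style one-line summaries, which are constructed here; the WAN prefix 203.0.113.0/28 is an RFC 5737 documentation range standing in for the poster's public pool, and the three source addresses stand in for the three VDOMs' WAN IPs.

```python
"""Flag Security Fabric discovery broadcasts (UDP/8014) leaving WAN addresses.

Added example for this thread, not code from the original post or from Fortinet.
The packet summaries below are constructed in tcpdump's default one-line format;
203.0.113.0/28 is an RFC 5737 documentation prefix standing in for the poster's
public pool, and three source addresses stand in for the three VDOMs' WAN IPs.
"""
import ipaddress
import re

FABRIC_DISCOVERY_PORT = 8014  # destination port seen in the thread's capture

# tcpdump summary: "HH:MM:SS.ffffff IP a.b.c.d.sport > e.f.g.h.dport: UDP, length N"
UDP_LINE_RE = re.compile(
    r"^\S+\s+IP\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+):\s+UDP\b"
)


def parse_udp_summary(line):
    """Return (src, sport, dst, dport) for a tcpdump UDP summary line, else None."""
    m = UDP_LINE_RE.match(line)
    if m is None:
        return None
    return (ipaddress.ip_address(m["src"]), int(m["sport"]),
            ipaddress.ip_address(m["dst"]), int(m["dport"]))


def find_wan_discovery_broadcasts(lines, wan_prefix):
    """Return UDP/8014 packets sent from a WAN-pool address to that pool's broadcast address.

    Unicast UDP/8014 and traffic not sourced from the WAN pool are ignored, so the
    result isolates exactly the behaviour reported in the thread.
    """
    pool = ipaddress.ip_network(wan_prefix, strict=False)
    hits = []
    for line in lines:
        pkt = parse_udp_summary(line)
        if pkt is None:
            continue
        src, _sport, dst, dport = pkt
        if dport == FABRIC_DISCOVERY_PORT and src in pool and dst == pool.broadcast_address:
            hits.append(pkt)
    return hits


def broadcasting_sources(lines, wan_prefix):
    """Sorted list of WAN addresses (as strings) that emitted discovery broadcasts."""
    return sorted({str(src) for src, _, _, _ in find_wan_discovery_broadcasts(lines, wan_prefix)})


# Constructed capture: three VDOM WAN IPs broadcasting to 203.0.113.15 (the /28 broadcast),
# plus unrelated traffic that must not be flagged (a TCP SYN, a unicast UDP/8014 packet,
# and a UDP/8014 packet from outside the pool).
SAMPLE_CAPTURE = [
    "10:00:01.000123 IP 203.0.113.2.8014 > 203.0.113.15.8014: UDP, length 162",
    "10:00:01.000456 IP 203.0.113.3.8014 > 203.0.113.15.8014: UDP, length 162",
    "10:00:01.000789 IP 203.0.113.4.8014 > 203.0.113.15.8014: UDP, length 162",
    "10:00:02.100000 IP 198.51.100.7.51234 > 203.0.113.2.443: Flags [S], seq 1, win 64240, length 0",
    "10:00:03.200000 IP 203.0.113.2.8014 > 192.0.2.77.8014: UDP, length 162",
    "10:00:04.300000 IP 192.0.2.9.40000 > 203.0.113.15.8014: UDP, length 80",
]

if __name__ == "__main__":
    for src, sport, dst, dport in find_wan_discovery_broadcasts(SAMPLE_CAPTURE, "203.0.113.0/28"):
        print(f"WAN discovery broadcast: {src}:{sport} -> {dst}:{dport}")
```

Feeding real `tcpdump -n udp port 8014` output to `find_wan_discovery_broadcasts` with the actual WAN prefix gives one line per VDOM that is broadcasting; if the list is empty after a configuration change, the broadcasts have stopped.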

1 Solution
smaruvala

Hi, 

For testing purpose can you run the below mentioned command and verify? 

FortiGate-VM64 # config system csf
FortiGate-VM64 (csf) # set log-unification disable
FortiGate-VM64 (csf) # next
FortiGate-VM64 (csf) # end

Regards,

Shiva

smaruvala
Staff

Hi,

- Can you provide the output of the "diagnose test application csfd 1" and "show full-configuration system csf"? 

Regards,

Shiva

fortinetforumfiokom

Here they are:

FG201F (global) # show full-configuration system csf

config system csf
    set status enable
    set uid "9834...77e716"
    set upstream ''
    set upstream-port 8013
    set group-name "UTIBER_FABRIC"
    set group-password ENC ICq66bfHYo...4L6ujJxzt7uw==
    set accept-auth-by-cert enable
    set log-unification enable
    set authorization-request-type serial
    set fabric-workers 2
    set downstream-access disable
    set configuration-sync local
    set fabric-object-unification local
    config trusted-list
        edit "FEVM010000086520"
            set authorization-type certificate
            set certificate "-----BEGIN CERTIFICATE-----
MIIDwjCCAqqgAwI...MlToysP
-----END CERTIFICATE-----
"
            set action accept
            set index 1
        next
    end
    set forticloud-account-enforcement enable
    set file-mgmt enable
    set file-quota 0
    set file-quota-warning 90
end

FG201F (global) #

FG201F (global) # diagnose test application csfd 1

Dump CSF daemon info
group name: UTIBER_FABRIC
group pwd: *
status: Active
accept auth by cert: y
forticloud account enforcement: y

Upstream info
N/A

Downstream info
device total: 1

# 1
sn: FEVM010000086520
id: 61
ip: 192.168.50.128
port: 38994
status: link-ok SSL-ok hello-ok auth-ok
no response: 0
SLBC member: n

fortinetforumfiokom

Hi,

After changing log-unification to the disabled state, the UDP 8014 broadcasts have stopped on the WAN side.

I tried to see what log-unification is for, but I do not understand it. I quickly found only this:

(attached screenshot: log-unification.png)

What is this for?

What does "broadcast of discovery messages for log unification" mean?

If I "disable" it, will it stop working on the LAN side too? What do I lose if I disable it? On the WAN side, what is the point of broadcasting any messages?

Regards,

Zoltán

smaruvala

Hi,

The feature is designed to broadcast on every interface to find neighboring fabric members so that the MAC addresses can be learned and logging can be unified.
You have the command "set configuration-sync local". Hence this feature is not required.

Regards,

Shiva
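The explanation above turns on two settings visible in the poster's `show full-configuration system csf` output: `log-unification enable` (which drives the discovery broadcast on every interface) and `configuration-sync local`. The script below is an added example for this thread, not code from the original post or from Fortinet. It implements a minimal reader for FortiOS configuration syntax (config / edit / set / next / end, including multi-line quoted certificate values) and reports that combination, so the check can be run against a saved config dump rather than read by eye. The sample dump is constructed from the poster's output with the UID, group password and certificate body replaced by placeholders.

```python
"""Parse a FortiGate 'show full-configuration system csf' dump and audit log-unification.

Added example for this thread, not code from the original post or from Fortinet.
It implements a minimal reader for FortiOS config syntax (config / edit / set /
next / end) and reports the combination the thread discusses: log-unification
enabled while configuration-sync is local. The sample dump below is constructed
from the poster's output with the UID, group password and certificate body
replaced by placeholders.
"""
import shlex

SAMPLE_CSF_CONFIG = """\
config system csf
    set status enable
    set uid "UID-PLACEHOLDER"
    set upstream ''
    set upstream-port 8013
    set group-name "UTIBER_FABRIC"
    set group-password ENC PASSWORD-PLACEHOLDER
    set accept-auth-by-cert enable
    set log-unification enable
    set authorization-request-type serial
    set fabric-workers 2
    set downstream-access disable
    set configuration-sync local
    set fabric-object-unification local
    config trusted-list
        edit "FEVM010000086520"
            set authorization-type certificate
            set certificate "-----BEGIN CERTIFICATE-----
CERT-BODY-PLACEHOLDER
-----END CERTIFICATE-----
"
            set action accept
            set index 1
        next
    end
    set forticloud-account-enforcement enable
    set file-mgmt enable
    set file-quota 0
    set file-quota-warning 90
end
"""


def _logical_lines(text):
    """Join physical lines until double quotes balance, so multi-line certificate values stay whole."""
    buf = []
    for raw in text.splitlines():
        buf.append(raw)
        joined = "\n".join(buf)
        if joined.count('"') % 2 == 0:
            yield joined.strip()
            buf = []


def parse_fortios_config(text):
    """Return nested dicts, e.g. {'system csf': {'status': 'enable', 'trusted-list': {...}, ...}}."""
    root = {}
    stack = [root]
    for line in _logical_lines(text):
        if not line:
            continue
        tokens = shlex.split(line)  # shell-style quoting matches FortiOS quoting closely enough here
        keyword, args = tokens[0], tokens[1:]
        current = stack[-1]
        if keyword == "config":
            stack.append(current.setdefault(" ".join(args), {}))
        elif keyword == "edit":
            stack.append(current.setdefault(args[0], {}))
        elif keyword == "set":
            current[args[0]] = " ".join(args[1:])
        elif keyword in ("next", "end"):
            stack.pop()
        # 'unset' and other keywords are not needed for this audit and are ignored
    return root


def audit_log_unification(config):
    """Return a list of findings about Fabric discovery broadcasts; an empty list means nothing to report."""
    csf = config.get("system csf", {})
    findings = []
    if csf.get("status") == "enable" and csf.get("log-unification") == "enable":
        finding = ("log-unification is enabled: the Fabric discovery broadcast (UDP/8014) "
                   "is sent on every interface, WAN included")
        if csf.get("configuration-sync") == "local":
            finding += "; configuration-sync is local, so the thread's advice is to disable it"
        findings.append(finding)
    return findings


# CLI from the accepted solution, kept as lines so it can be pasted or scripted.
REMEDIATION_CLI = ["config system csf", "set log-unification disable", "end"]

if __name__ == "__main__":
    cfg = parse_fortios_config(SAMPLE_CSF_CONFIG)
    for finding in audit_log_unification(cfg):
        print("FINDING:", finding)
        print("Remediation:", " ; ".join(REMEDIATION_CLI))
```

Running the audit again on a dump taken after `set log-unification disable` returns no findings, which is a cheap way to confirm the change stuck across all VDOMs that share the global `system csf` settings.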

saneeshpv_FTNT

Hi @fortinetforumfiokom ,

The UDP port 8014 traffic is by default allowed in your FortiGate local-in policy, and this is an open FortiGate incoming port for the Security Fabric connection.

Refer to this article 

https://docs.fortinet.com/document/fortigate/6.4.0/ports-and-protocols/303168/fortigate-open-ports

Enabling/Disabling Service on the interface will not have any effect on this traffic.

Best Regards,

Saneesh

fortinetforumfiokom

Hi @saneeshpv_FTNT!

I think this is not a local-in problem but a local-out problem. What is the point of the FortiGate sending a Security Fabric broadcast message on the WAN side, for whatever reason?

Regards,

Zoltán
