Troubleshooting Tip: FortiGate as Security Fabric not showing in FortiAnalyzer
Description
This article describes how to troubleshoot an issue where a FortiGate configured as a Security Fabric does not show in FortiAnalyzer.

Scope
FortiAnalyzer, FortiGate.
Solution
After configuring the Security Fabric in FortiGate, FortiAnalyzer will show it on the right-hand side. In this example, the Security Fabric name is 'csf-test', and 'root-FGT' is used as a root Fabric.

Troubleshoot from the FortiAnalyzer CLI by enabling the debugs below. Replace <root-FGT> with the name of the root FortiGate as it is registered in FortiAnalyzer, and run 'diagnose debug disable' once finished.
FAZ #diagnose debug application oftpd 22 <root-FGT>
FAZ #diagnose debug service csf 255
FAZ #diagnose debug enable
The following is an example of debug output showing that FortiAnalyzer is unable to pull Security Fabric group information from the root FortiGate.
Response [/bin/fazcfgd:1654:unknown]:
{ "result": "url": "\/csf\/adom\/others\/group"}, { "data": 160, "status": { "code": 0, "message": "OK"}, "url": "\/csf\/adom\/root\/group"}, { "status": { "code": -3, "message": "Object does not exist"}, "url": "\/csf\/adom\/root\/group"}]}
The entry to look for is the status code -3, 'Object does not exist', returned for '\/csf\/adom\/root\/group': FortiAnalyzer has no Security Fabric group object stored for the 'root' ADOM because it never obtained one from the root FortiGate.
Check the root FortiGate configuration. FortiAnalyzer can only retrieve Security Fabric information if the FortiGate allows it to query the REST API: in the FortiGate GUI, enable 'Allow access to FortiGate REST API' in the FortiAnalyzer logging settings (CLI: 'config log fortianalyzer setting' then 'set access-config enable').

Once the root FortiGate allows REST API access for FortiAnalyzer, the same debug shows the OFTP REST API call returning HTTP 200 with the full device information, including the Security Fabric group and its members ('csf_enabled', 'csf_group_name' and 'subtree_members'):
[T26164:oftp_restapi.c:1158] [FGVM01XXXXXXX] http resp :
HTTP/1.1 200 OK
..........
..........
[
{
"http_method":"GET",
"revision":"216.13.5",
"results":{
"devices":{
"fortigate":[
{
"appliance_info":[
],
"path":"FGVM01XXXXXXX",
"state":{
"hostname":"root-FGT",
.......
.......
"csf_enabled":true,
"csf_group_name":"csf-test",
"subtree_members":[
{
"serial":"FGVM01XXXXXXX"
}
],
If the debug still does not show the information being pulled, proceed with the steps below.
- Re-enter the credentials for the root FortiGate in Device Manager: right-click the device -> Edit -> Admin User and Password. FortiAnalyzer needs a valid administrator account on the FortiGate to call its REST API.

 
- Restart the OFTP daemon (this briefly resets the OFTP sessions of all devices logging to this FortiAnalyzer, so plan accordingly):
FAZ #diagnose test application oftpd 99
 
Once this succeeds, the Security Fabric appears in the GUI, and the CLI shows the group and its members, as per the command below:
FAZ #diagnose test application oftpd 30
Request [/bin/oftpd:10323:unknown]:
{ "client": "\/bin\/oftpd:10323", "method": "get", "params": [{ "target start": 1, "url": "csf\/adom\/FortiCarrier\/group"}, { "target start": 1, "url": "csf\/adom\/Tenmp\/group"}, { "target start": 1, "url": "csf\/adom\/root\/group"}]}
Response [/bin/oftpd:10323:unknown]:
...............
"vdom_oid": 3}], "chksum": "216.13.5"}], "status": { "code": 0, "message": "OK"}, "url": "csf\/adom\/root\/group"}]}
======= CSF info in ADOM [root] ========
group_name [csf-test], root_dev [root-FGT], cksum [216.13.5], member_number [2]
|--dev=root-FGT(FGVM01XXXX), vd=root, intf=(null), ip=(null), parent_dev=(null), parent_vd=(null), parent_intf=(null)
|--dev=Downstream-FGT(FGVM01XXXX), vd=root, intf=port1, ip=X.X.X.X, parent_dev=root-FGT, parent_vd=root, parent_intf=port1
The same information is available per ADOM from the device manager (replace <adom> with the ADOM name, 'root' in this example):
FAZ #diagnose dvm csf <adom> group
config group
edit "csf-test"
set root "root-FGT"-"root"
set chksum "216.13.5"
config member
edit "root-FGT"-"root"
set sn "FGVM01XXXX"
next
edit "Downstream-FGT"-"root"
set sn "FGVM01XXXX"
set parent "root-FGT"-"root"
set ip "X.X.X.X"
set intf "port1"
set parent-intf "port1"
next
end
next
end
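As an added example (not part of the article and not Fortinet code), the following Python script parses the two pieces of FortiAnalyzer output used above: the fazcfgd/oftpd JSON responses for 'csf/adom/<adom>/group', and the 'CSF info in ADOM' member tree. It flags a non-zero status code (such as the -3 'Object does not exist' seen before the REST API was enabled) and checks that the member tree is self-consistent (member count, root device present, every parent_dev listed). The SAMPLE text is constructed to mimic the article's output, and the function names are my own; it uses regular expressions rather than json.loads because the debug lines are often truncated with '.......' as on this page.

```python
"""Triage FortiAnalyzer CSF debug output: flag failed csf/adom/<adom>/group
queries and inconsistencies in the 'CSF info in ADOM' member tree."""
import re

# Constructed sample, modelled on the article's debug output (not a real capture).
SAMPLE = r"""
Response [/bin/fazcfgd:1654:unknown]:
{ "result": [{ "status": { "code": -3, "message": "Object does not exist"}, "url": "\/csf\/adom\/root\/group"}, { "data": 160, "status": { "code": 0, "message": "OK"}, "url": "\/csf\/adom\/others\/group"}]}
======= CSF info in ADOM [root] ========
group_name [csf-test], root_dev [root-FGT], cksum [216.13.5], member_number [2]
|--dev=root-FGT(FGVM01XXXX), vd=root, intf=(null), ip=(null), parent_dev=(null), parent_vd=(null), parent_intf=(null)
|--dev=Downstream-FGT(FGVM01XXXX), vd=root, intf=port1, ip=X.X.X.X, parent_dev=root-FGT, parent_vd=root, parent_intf=port1
"""

# The debug prints JSON with escaped slashes ("\/csf\/adom\/root\/group").
STATUS_RE = re.compile(
    r'"status":\s*\{\s*"code":\s*(-?\d+),\s*"message":\s*"([^"]*)"\s*\},'
    r'\s*"url":\s*"(?:\\/)?csf\\/adom\\/([^\\"]+)\\/group"'
)
TREE_HDR_RE = re.compile(r'=+ CSF info in ADOM \[([^\]]+)\] =+')
GROUP_RE = re.compile(
    r'group_name \[([^\]]*)\], root_dev \[([^\]]*)\], cksum \[([^\]]*)\], member_number \[(\d+)\]'
)
MEMBER_RE = re.compile(r'\|--dev=([^(]+)\(([^)]*)\),\s*(.*)')


def parse_group_queries(text):
    """Return one {adom, code, message} dict per csf/adom/<adom>/group status seen."""
    return [{"adom": adom, "code": int(code), "message": msg}
            for code, msg, adom in STATUS_RE.findall(text)]


def parse_csf_tree(text):
    """Parse the 'CSF info in ADOM' block into a dict; '(null)' fields become None.
    Returns None if no tree header is present in the text."""
    tree = None
    for line in text.splitlines():
        hdr = TREE_HDR_RE.search(line)
        if hdr:
            tree = {"adom": hdr.group(1), "members": []}
            continue
        if tree is None:
            continue
        grp = GROUP_RE.search(line)
        if grp:
            tree.update(group_name=grp.group(1), root_dev=grp.group(2),
                        cksum=grp.group(3), member_number=int(grp.group(4)))
            continue
        mem = MEMBER_RE.search(line)
        if mem:
            member = {"dev": mem.group(1), "sn": mem.group(2)}
            for kv in mem.group(3).split(","):   # vd=root, intf=port1, ...
                key, _, val = kv.strip().partition("=")
                member[key] = None if val == "(null)" else val
            tree["members"].append(member)
    return tree


def triage(text):
    """Return human-readable findings; an empty list means the output looks healthy."""
    findings = []
    for q in parse_group_queries(text):
        if q["code"] != 0:
            findings.append(
                f"ADOM {q['adom']}: CSF group query failed (code {q['code']}: {q['message']}); "
                "check 'Allow access to FortiGate REST API' on the root FortiGate, then "
                "re-enter its credentials and restart oftpd")
    tree = parse_csf_tree(text)
    if tree is not None:
        names = {m["dev"] for m in tree["members"]}
        if tree.get("member_number") != len(tree["members"]):
            findings.append(f"ADOM {tree['adom']}: member_number {tree.get('member_number')} "
                            f"but {len(tree['members'])} members listed")
        if tree.get("root_dev") not in names:
            findings.append(f"ADOM {tree['adom']}: root_dev {tree.get('root_dev')} not in member list")
        for m in tree["members"]:
            if m.get("parent_dev") is not None and m["parent_dev"] not in names:
                findings.append(f"ADOM {tree['adom']}: {m['dev']} has unknown parent {m['parent_dev']}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

In practice, paste the captured debug output into a file and pass its contents to triage(); on the constructed sample the only finding is the failed query for the 'root' ADOM, while the member tree (root-FGT with Downstream-FGT hanging off port1) checks out.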
