Technical Tip: FIM or FPM not detected in the Security Fabric
Description
This article describes why FIM and FPM are not detected in the Security Fabric. FortiGate 7000E cannot detect all the modules connected in the chassis. In version 5.6 the modules are visible in the GUI of FIM master via the Security Fabric widget:
If one of the module is missing, possible causes are:
1) The module which is not detected has a different firmware version, most probably 5.4 version (Important note: versions 5.4 and 5.6 are not compatible)
2) The module doesn’t have Security Fabric enabled. This can happen if the changes made in a module are not synchronized with the rest of the modules. By default, Security Fabric is enabled:
Solution
In order to fix the first situation, connect the console cable to the SMM (Shelf Manager Module):
Use CTRL+t keyboard keys to switch between modules in the console. Connect to the module which is not visible in the Security Fabric to see which firmware version is running.
Once the console connection is ready and working, download the version of the module in question here then downgrade all modules to this version from the GUI:
This will downgrade all visible modules to the same firmware as the module that cannot be detected is running. This way, all the modules will have the same firmware and they will be detected correctly by the system.
If the management IP is lost after the downgrade, configure it again once all modules have been reset to factory defaults.
Connect again via the console and check that all the modules have the same firmware version.
Important note: the downgrade can corrupt the configuration (even the default one) so it is important to factoryreset all the modules after a downgrade.
To factoryreset all modules, connect via the console and run the command "execute factoryreset" on each module (use CTRL+t to switch between modules):
In 5.4 there is no Security Fabric in the GUI. It was introduced in 5.6.
In order to fix the second situation, connect via the console and enable the Security Fabric (config system csf) on the module which cannot be detected in the GUI.
Normally, all changes should be propagated to all modules. There may be some delay in applying the changes. In case the changes are not propagated to all modules after a while, please contact Fortinet Support for assistance.
Important note: please make all configuration changes on the FIM card and not on FPMs.
This article describes why FIM and FPM are not detected in the Security Fabric. FortiGate 7000E cannot detect all the modules connected in the chassis. In version 5.6 the modules are visible in the GUI of FIM master via the Security Fabric widget:
If one of the module is missing, possible causes are:
1) The module which is not detected has a different firmware version, most probably 5.4 version (Important note: versions 5.4 and 5.6 are not compatible)
2) The module doesn’t have Security Fabric enabled. This can happen if the changes made in a module are not synchronized with the rest of the modules. By default, Security Fabric is enabled:
[FIM01] (global) # conf sys csf
[FIM01] (csf)# sh full-configuration
config system csf
set status enable
set logging-mode local
set management-ip 0.0.0.0
end
Solution
In order to fix the first situation, connect the console cable to the SMM (Shelf Manager Module):
Use CTRL+t keyboard keys to switch between modules in the console. Connect to the module which is not visible in the Security Fabric to see which firmware version is running.
Once the console connection is ready and working, download the version of the module in question here then downgrade all modules to this version from the GUI:
This will downgrade all visible modules to the same firmware as the module that cannot be detected is running. This way, all the modules will have the same firmware and they will be detected correctly by the system.
If the management IP is lost after the downgrade, configure it again once all modules have been reset to factory defaults.
Connect again via the console and check that all the modules have the same firmware version.
Important note: the downgrade can corrupt the configuration (even the default one) so it is important to factoryreset all the modules after a downgrade.
To factoryreset all modules, connect via the console and run the command "execute factoryreset" on each module (use CTRL+t to switch between modules):
<Current Console: FIM01(9600)>Once all the modules have been reset to factory defaults, connect again via the console to configure back the management IP on the FIM:
<Switching to Console: FIM02(9600)>
FG76E login: admin
Password:
Welcome !
[FIM02] # config global
[FIM02] (global) # execute factoryreset
This operation will reset the system to factory default!
Do you want to continue? (y/n) y
[FIM01] # conf globalOnce the management IP is configured again, connect via the GUI and upgrade to the desired version.
[FIM01] (global) # conf system interface
[FIM01] (interface) # edit mgmt
[FIM01] (mgmt) # set ip 10.5.55.118/20
[FIM01] (mgmt) # set allowaccess https http ping ssh
[FIM01] (mgmt) # show
config system interface
edit "mgmt"
set vdom "mgmt-vdom"
set ip 10.5.55.118 255.255.240.0
set allowaccess ping https ssh http
set type aggregate
set member "1-mgmt1" "1-mgmt2" "1-mgmt3" "1-mgmt4" "2-mgmt1" "2-mgmt2" "2-mgmt3" "2-mgmt4"
set role lan
set snmp-index 129
set lacp-mode static
end
[FIM01] (mgmt) # end
In 5.4 there is no Security Fabric in the GUI. It was introduced in 5.6.
In order to fix the second situation, connect via the console and enable the Security Fabric (config system csf) on the module which cannot be detected in the GUI.
Normally, all changes should be propagated to all modules. There may be some delay in applying the changes. In case the changes are not propagated to all modules after a while, please contact Fortinet Support for assistance.
Important note: please make all configuration changes on the FIM card and not on FPMs.