Technical Tip: Validating On-Fabric Rule Match Status on Endpoints Using the FortiClient Diagnostic Tool
Description
This article describes how to validate the on-fabric rule match status on an endpoint using the FortiClient Diagnostic Tool.
Scope
FortiSASE.
Solution
Once the configuration is completed according to the following admin guide for on-fabric detection:
Using the output from the FortiClient Diagnostic Tool:
Technical Tip: How to troubleshoot FortiClient (FCT) management connection issue with FortiSASE
In the diagnostic output, navigate to FCDiagData\general\logs\trace\FortiESNAC_1.log and check for the log line starting with FabricChecker.
Note:
Both the 'known Public IP' and 'known DNS server' conditions are being used.

Summary:
- The Onnet logs indicate that the endpoint successfully matched the rules and is online, with both public IP and DNS server rules validated.
- In contrast, the Offnet logs show that while the public IP was recognized, the DNS server rule failed to match, leading to the endpoint being classified as offline and off-net.