Technical Tip: FortiWeb 'Obtain FortiGate quarantined IP address failed' error when joined to Security Fabric
Description
This article describes how to troubleshoot and resolve an issue where FortiWeb fails to retrieve quarantined IP addresses from FortiGate in a Security Fabric deployment.
The following event log is observed on FortiWeb:
Obtain FortiGate quarantined IP address failed from <FortiGate-IP>:443 with user Fabric
In this condition, Security Fabric connectivity may be partially established; however, FortiWeb is unable to retrieve quarantine IP information via HTTPS (port 443).
Scope
FortiWeb and FortiGate.
Solution
FortiWeb uses two separate communication paths when retrieving quarantined IP addresses from FortiGate:
TCP port 8013 is used for Security Fabric (CSF) control channel communication between upstream and downstream devices.
TCP port 443 (HTTPS) is used for REST API communication, where FortiWeb authenticates to FortiGate as the Fabric user and retrieves the quarantined IP data.
The issue occurs when the Fabric control channel on port 8013 is established successfully, but the HTTPS/REST API communication on port 443 is not authorized, or the trust relationship between the two devices (device authorization on FortiGate) is incomplete.
In this state:
Security Fabric may appear connected.
FortiWeb may remain in an unauthorized or 'Authorize Pending' state on FortiGate.
Quarantine IP synchronization fails repeatedly.
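Because the two paths fail independently, it helps to test them separately before changing any configuration. The Python script below is an added example for this article, not FortiWeb, FortiGate or Fortinet code: run from an admin host that can reach the FortiGate, it checks TCP reachability of ports 8013 and 443, counts the failure message quoted above in FortiWeb event log lines, and maps the combination to the states described in this section. The FortiGate address 192.0.2.10 and the log lines are constructed sample data, and the state labels are this example's own names.

```python
"""Separate the CSF control channel (8013) from the REST API path (443).

Added example for this article; not FortiWeb, FortiGate or Fortinet code.
Run from an admin host that reaches the FortiGate; the sample log lines and
the address 192.0.2.10 are constructed.
"""
import re
import socket

# Log message quoted in the article; FortiGate IP, port and user are captured.
FAIL_RE = re.compile(
    r"Obtain FortiGate quarantined IP address failed from "
    r"(?P<ip>[\d.]+):(?P<port>\d+) with user (?P<user>\S+)"
)

# Constructed FortiWeb event log lines (abbreviated; only the msg field matters).
SAMPLE_LOG = [
    'date=2024-05-01 time=10:00:01 msg="Obtain FortiGate quarantined IP address failed from 192.0.2.10:443 with user Fabric"',
    'date=2024-05-01 time=10:01:01 msg="Obtain FortiGate quarantined IP address failed from 192.0.2.10:443 with user Fabric"',
    'date=2024-05-01 time=10:01:30 msg="Security Fabric connection established"',
]


def tcp_reachable(host, port, timeout=3.0):
    """True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def count_quarantine_failures(log_lines):
    """Count the article's failure message per FortiGate ip:port."""
    counts = {}
    for line in log_lines:
        m = FAIL_RE.search(line)
        if m:
            key = f"{m['ip']}:{m['port']}"
            counts[key] = counts.get(key, 0) + 1
    return counts


def diagnose(csf_8013_ok, rest_443_ok, failures):
    """Map the two reachability results plus the failure count to a state.

    The labels are this example's own; they follow the states the article describes.
    """
    if not csf_8013_ok:
        return "csf-control-channel-down"   # Fabric cannot form at all on 8013
    if not rest_443_ok:
        return "rest-api-unreachable"       # 443 filtered: check allowaccess/route/policy
    if failures:
        return "trust-incomplete"           # both ports open, REST still refused: re-authorize
    return "healthy"


def open_local_listener():
    """Helper so tcp_reachable can be exercised offline: loopback ephemeral port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    fgt = "192.0.2.10"  # constructed FortiGate address
    failures = count_quarantine_failures(SAMPLE_LOG).get(f"{fgt}:443", 0)
    state = diagnose(tcp_reachable(fgt, 8013), tcp_reachable(fgt, 443), failures)
    print(f"failures seen: {failures}, state: {state}")
```

Reachability from an admin host is only a proxy: the FortiWeb management interface may sit behind a different route or firewall policy, so a port that answers from the admin host can still be blocked for FortiWeb. When both ports answer and the failures keep counting up, the remaining cause is the authorization/trust state covered in the rest of this article.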
The incomplete trust state results in the following event log on FortiWeb:
Obtain FortiGate quarantined IP address failed from <FGT-IP>:443 with user Fabric
FortiGate configuration and validation.
Verify Security Fabric status. Example below via CLI:
show system csf
Expected:
set status enable
Enable downstream device REST API access:
config system csf
set downstream-access enable
set downstream-accprofile super_admin
end
Note that downstream-accprofile is the administrator profile applied to REST API requests from every downstream Fabric device. This article uses super_admin; move to a less privileged profile only after confirming that FortiWeb can still retrieve the quarantined IP list with it.
Verify that the interface allows Fabric communication:
show system interface <interface-name>
Ensure the following is set (the 'fabric' option is what permits Security Fabric communication on the interface):
set allowaccess ping https ssh http fgfm fabric
For example:
config system interface
edit <interface-name>
set allowaccess ping https ssh http fgfm fabric
next
end
Check the existing Fabric trust entries (a stale or incomplete entry for the FortiWeb is removed and recreated in the re-establishment steps later in this article):
config system csf
config trusted-list
show
end
end
Verify the Fabric topology status, both the Logical topology and the Physical topology. Navigate to Security Fabric -> Physical Topology or Logical Topology.
Physical topology (screenshot not reproduced here).
Logical topology (screenshot not reproduced here).
Expected:
FortiWeb is listed as a downstream device.
Status: connected/authorized/online, as shown in the topology views.
Working example:
FGT # show system csf
config system csf
set status enable
set uid "c1cf11689c3ec001b3b269429599041a"
set group-name "lab-fabric"
set downstream-access enable
set downstream-accprofile "super_admin"
config trusted-list
edit "FWB"
set serial "FVVM04TM22000131"
set index 1
next
edit "FVVM04TM22000131"
set authorization-type certificate
set certificate "certificate_data"
set index 2
next
end
end
FortiWeb configuration and validation.
Verify Security Fabric configuration. From the CLI, run the following command:
show system csf
Confirm the required parameters:
Upstream IP = FortiGate Fabric root IP.
Upstream Port = 8013.
Management IP = FortiWeb management IP.
Management Port = HTTPS (default 443).
Quarantine IP Status = enabled.
Example below:
config system csf
set status enable
set upstream-ip <FortiGate-IP>
set upstream-port 8013
set management-ip <FortiWeb-mgmt-IP>
set management-port 443
set quarantine-ip-status enable
end
Restart the Fabric connection (if required):
config system csf
set status disable
end
config system csf
set status enable
end
Expected results:
FortiWeb status: Authorized.
FortiGate topology: FortiWeb appears as a connected/authorized/online downstream device.
Quarantine IP synchronization succeeds.
No further logs indicate a failure to retrieve quarantined IPs.
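To check the 'show system csf' output of both devices against the parameters listed in this section and in the FortiGate working example above, the following Python script is an added example for this article, not a Fortinet tool. It parses the CLI output into nested dictionaries and reports each parameter that deviates from the expected value. The FortiGate sample is the working example from this article; the FortiWeb samples, with the documentation addresses 192.0.2.1 and 192.0.2.20, are constructed, and the second FortiWeb sample deliberately uses the wrong management port and disables quarantine IP retrieval to show what gets reported.

```python
"""Check FortiGate and FortiWeb 'show system csf' output for the Security
Fabric parameters this article requires.

Added example for this article; not a Fortinet tool. FGT_GOOD is the working
example from the article; the FortiWeb samples (192.0.2.x) are constructed.
"""


def parse_cli_config(text):
    """Parse FortiOS/FortiWeb 'show' output into nested dicts.

    'config x y' and 'edit "name"' open a nested dict, 'set k v' stores v
    (quotes stripped), 'next'/'end' close the current level. Prompt lines
    such as 'FGT # show system csf' are ignored.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            stack.append(stack[-1].setdefault(line[7:].strip(), {}))
        elif line.startswith("edit "):
            stack.append(stack[-1].setdefault(line[5:].strip().strip('"'), {}))
        elif line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            stack[-1][key] = value.strip().strip('"')
        elif line in ("next", "end") and len(stack) > 1:
            stack.pop()
    return root


def check_fortigate_csf(text, fwb_serial):
    """Problems on the FortiGate side: Fabric enabled, downstream REST access
    enabled, and a trusted-list entry for the FortiWeb (by entry name or serial)."""
    cfg = parse_cli_config(text).get("system csf", {})
    problems = []
    if cfg.get("status") != "enable":
        problems.append("status is not enable")
    if cfg.get("downstream-access") != "enable":
        problems.append("downstream-access is not enable (downstream REST API access)")
    trusted = cfg.get("trusted-list", {})
    if not any(name == fwb_serial or (isinstance(e, dict) and e.get("serial") == fwb_serial)
               for name, e in trusted.items()):
        problems.append(f"no trusted-list entry for serial {fwb_serial}")
    return problems


# Values the article requires on the FortiWeb side.
FWB_EXPECTED = {"status": "enable", "upstream-port": "8013",
                "management-port": "443", "quarantine-ip-status": "enable"}


def check_fortiweb_csf(text):
    """Problems on the FortiWeb side, against FWB_EXPECTED plus the two IPs."""
    cfg = parse_cli_config(text).get("system csf", {})
    problems = [f"{k} is {cfg.get(k)!r}, expected {v!r}"
                for k, v in FWB_EXPECTED.items() if cfg.get(k) != v]
    for k in ("upstream-ip", "management-ip"):
        if not cfg.get(k):
            problems.append(f"{k} is not set")
    return problems


# FortiGate working example from the article (uid line omitted).
FGT_GOOD = """\
FGT # show system csf
config system csf
set status enable
set group-name "lab-fabric"
set downstream-access enable
set downstream-accprofile "super_admin"
config trusted-list
edit "FWB"
set serial "FVVM04TM22000131"
set index 1
next
edit "FVVM04TM22000131"
set authorization-type certificate
set certificate "certificate_data"
set index 2
next
end
end
"""

# Constructed FortiWeb configuration with documentation addresses.
FWB_GOOD = """\
config system csf
set status enable
set upstream-ip 192.0.2.1
set upstream-port 8013
set management-ip 192.0.2.20
set management-port 443
set quarantine-ip-status enable
end
"""

# Constructed misconfiguration: wrong REST port and quarantine retrieval disabled.
FWB_BAD = (FWB_GOOD.replace("management-port 443", "management-port 8443")
           .replace("quarantine-ip-status enable", "quarantine-ip-status disable"))

if __name__ == "__main__":
    print("FortiGate:", check_fortigate_csf(FGT_GOOD, "FVVM04TM22000131") or "ok")
    print("FortiWeb:", check_fortiweb_csf(FWB_GOOD) or "ok")
    print("FortiWeb (bad):", check_fortiweb_csf(FWB_BAD))
```

Paste the real 'show system csf' output into the two sample strings (or read it from files) and pass the FortiWeb serial as it appears on FortiGate. An empty list from both checks means the static configuration matches this article; if the event log still reports the failure, the remaining cause is the trust/authorization state handled in the next section.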
Steps to re-establish the Security Fabric Trust relationship.
To resolve the recurring event log error on FortiWeb:
Obtain FortiGate quarantined IP address failed from <FGT-IP>:443 with user Fabric
it is recommended to reset (deauthorize) and re-establish the Security Fabric trust relationship between FortiWeb and FortiGate.
Steps below:
Deauthorize/remove FortiWeb from FortiGate.
On FortiGate CLI:
config system csf
config trusted-list
delete <FortiWeb-Serial-ID>
end
end
Use the entry name as listed by 'show' under config trusted-list. In the working example above, the FortiWeb appears as the entry "FWB" (carrying its serial) and as an entry named by the serial itself; after deleting, run 'show' again and confirm that no entry referring to the FortiWeb remains.
Alternatively, remove/deauthorize the device from Security Fabric -> Topology in the GUI.
Disable Security Fabric on FortiWeb:
config system csf
set status disable
end
Re-enable and reconfigure Security Fabric on FortiWeb:
config system csf
set status enable
set upstream-ip <FortiGate-IP>
set upstream-port 8013
set management-ip <FortiWeb-MGMT-IP>
set management-port 443
set quarantine-ip-status enable
end
Re-authorize FortiWeb on FortiGate.
Go to Security Fabric -> Fabric Connectors.
Locate the FortiWeb device (Authorize Pending), confirm that the serial number shown matches the FortiWeb being joined, then click Authorize and accept the certificate.
Expected outcomes.
FortiWeb status changes to 'Authorized'.
Security Fabric connectivity is fully established.
Quarantined IP synchronization via port 443 succeeds.
Event log error no longer appears.
Additional notes:
Ensure only one integration method is used (Security Fabric is recommended; do not configure legacy FortiGate integration simultaneously).
Port 8013 must be used for Security Fabric communication.
Port 443 must be reachable and authorized for REST API communication.
After firmware upgrades, re-validation and re-authorization of Fabric devices is recommended.
During Security Fabric enablement on FortiGate, the following error may be observed:
Synchronized logging mechanism requires at least one FortiAnalyzer, FortiAnalyzer Cloud, or FortiGate Cloud.
Command fail. Return code -39
This indicates that Security Fabric cannot be enabled without a configured logging device. Ensure that FortiAnalyzer, FortiAnalyzer Cloud, or FortiGate Cloud logging is configured and reachable before enabling config system csf.
Related documents:
FortiWeb: Automatically Retrieving FortiGate’s Quarantined IP list using the Security Fabric