FortiAnalyzer
FortiAnalyzer can receive logs and Windows host events directly from endpoints connected to EMS, and you can use FortiAnalyzer to analyze the logs and run reports.
smkml
Staff
Article Id 398703
Description

 

This article describes how to troubleshoot an issue where a FortiGate configured as a Security Fabric does not show in FortiAnalyzer.

 


 

Scope

 

FortiAnalyzer, FortiGate.

 

Solution

 

After the Security Fabric is configured on FortiGate, FortiAnalyzer shows it on the right-hand side. In this example, the Security Fabric name is 'csf-test', and 'root-FGT' is the Fabric root.

 


 

Troubleshoot on FortiAnalyzer by enabling the debug commands below to identify what is going wrong.

 

FAZ #diagnose debug application oftpd 22 <root-FGT>

FAZ #diagnose debug service csf 255

FAZ #diagnose debug enable 

 

The following are examples of debug output that show FortiAnalyzer is unable to pull Security Fabric group information from the root FortiGate.

 

Response [/bin/fazcfgd:1654:unknown]:
{ "result": "url": "\/csf\/adom\/others\/group"}, { "data": 160, "status": { "code": 0, "message": "OK"}, "url": "\/csf\/adom\/root\/group"}, { "status": { "code": -3, "message": "Object does not exist"}, "url": "\/csf\/adom\/root\/group"}]}
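A saved debug capture can be triaged offline by listing the status of each CSF group lookup per ADOM. The script below is an added example, not a Fortinet tool: the sample text is constructed, and it assumes each response body is a single JSON line directly after its `Response [...]:` header with a top-level `result` list, as in the output above. The function names are hypothetical.

```python
import json
import re

# Constructed sample in the format of the debug output above (not a real capture).
# The second response is deliberately truncated.
SAMPLE_DEBUG = r'''
Response [/bin/fazcfgd:1654:unknown]:
{ "result": [{ "status": { "code": -3, "message": "Object does not exist"}, "url": "\/csf\/adom\/others\/group"}, { "data": 160, "status": { "code": 0, "message": "OK"}, "url": "\/csf\/adom\/root\/group"}]}
Response [/bin/oftpd:10323:unknown]:
...............
'''

HEADER = re.compile(r'^Response \[(?P<proc>[^\]]+)\]:$')
ADOM = re.compile(r'csf/adom/(?P<adom>[^/]+)/group$')


def csf_group_status(debug_text):
    """Return (process, adom, code, message) for every CSF group lookup found."""
    rows = []
    lines = debug_text.splitlines()
    for i, line in enumerate(lines[:-1]):
        header = HEADER.match(line.strip())
        if not header:
            continue
        try:
            body = json.loads(lines[i + 1])
        except json.JSONDecodeError:
            # Elided or truncated body: record it rather than guess its content.
            rows.append((header['proc'], None, None, 'unparseable response'))
            continue
        results = body.get('result', []) if isinstance(body, dict) else []
        for entry in results:
            # json.loads turns the escaped "\/" into "/", with or without a leading slash.
            hit = ADOM.search(entry.get('url', ''))
            if hit:
                status = entry.get('status', {})
                rows.append((header['proc'], hit['adom'],
                             status.get('code'), status.get('message')))
    return rows


def failing_adoms(debug_text):
    """ADOMs whose CSF group lookup returned a non-zero status code."""
    return sorted({adom for _, adom, code, _ in csf_group_status(debug_text)
                   if adom and code != 0})


if __name__ == '__main__':
    for row in csf_group_status(SAMPLE_DEBUG):
        print(row)
    print('ADOMs with failed CSF group lookup:', failing_adoms(SAMPLE_DEBUG))
```
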

 

Check the root FortiGate configuration. Make sure to enable 'Allow access to FortiGate REST API' in the FortiAnalyzer GUI.

 


 

After making sure the root FortiGate has REST API enabled for FortiAnalyzer access, the existing debug output will show the OFTP REST API pulling all information, including the Security Fabric and its members.

 

[T26164:oftp_restapi.c:1158] [FGVM01XXXXXXX] http resp :
HTTP/1.1 200 OK
..........

..........

[
{
"http_method":"GET",
"revision":"216.13.5",
"results":{
"devices":{
"fortigate":[
{
"appliance_info":[
],
"path":"FGVM01XXXXXXX",

"state":{
"hostname":"root-FGT",
.......

.......
"csf_enabled":true,
"csf_group_name":"csf-test",
"subtree_members":[
{
"serial":"FGVM01XXXXXXX"
}
],

 

If the debug output does not show the information being pulled, proceed with the steps below.

 

  1. Re-enter the credentials for the root FortiGate: right-click the device -> Edit -> Admin User and Password.


  2. Restart the OFTP daemon:

FAZ #diagnose test application oftpd 99

Once it is successful, the Security Fabric will show in the GUI and CLI, as per the command below:

 

FAZ #diagnose test application oftpd 30


Request [/bin/oftpd:10323:unknown]:
{ "client": "\/bin\/oftpd:10323", "method": "get", "params": [{ "target start": 1, "url": "csf\/adom\/FortiCarrier\/group"}, { "target start": 1, "url": "csf\/adom\/Tenmp\/group"}, { "target start": 1, "url": "csf\/adom\/root\/group"}]}
Response [/bin/oftpd:10323:unknown]:
...............

"vdom_oid": 3}], "chksum": "216.13.5"}], "status": { "code": 0, "message": "OK"}, "url": "csf\/adom\/root\/group"}]}

 

======= CSF info in ADOM [root] ========

group_name [csf-test], root_dev [root-FGT], cksum [216.13.5], member_number [2]
|--dev=root-FGT(FGVM01XXXX), vd=root, intf=(null), ip=(null), parent_dev=(null), parent_vd=(null), parent_intf=(null)
|--dev=Downstream-FGT(FGVM01XXXX), vd=root, intf=port1, ip=X.X.X.X, parent_dev=root-FGT, parent_vd=root, parent_intf=port1

 

FAZ #diagnose dvm csf <adom> group


config group
    edit "csf-test"
        set root "root-FGT"-"root"
        set chksum "216.13.5"
            config member
                edit "root-FGT"-"root"
                    set sn "FGVM01XXXX"

                next
                edit "Downstream-FGT"-"root"
                    set sn "FGVM01XXXX"
                    set parent "root-FGT"-"root"
                    set ip "X.X.X.X"
                    set intf "port1"
                    set parent-intf "port1"
                next
            end
        next
    end

 


 
