FortiEDR
FortiEDR automates the protection against advanced threats, pre and post-execution, with real time orchestrated incident response functionality.
ymasaki
Staff
Article Id 331363
Description This article describes how to troubleshoot a FortiEDR Collector that is unavailable or in a Disconnected state in the Central Manager when FortiSASE is in use. It explains how to replicate the issue and offers a solution for the communication problem between the FortiEDR Collector and the Central Manager via FortiSASE SIA.
Scope FortiEDR.
Solution

In a typical scenario, the FortiEDR Collector registers with the Central Manager and displays a 'Running' state. However, when a machine operates with the FortiSASE SIA agent in deep inspection mode, the Collector machines enter a 'Disconnected' state.

 

  1. FortiClient establishes the SSL VPN connection to FortiSASE SIA:

 

fct_sia_vpn1.png

 

  2. Once the SSL VPN is established, the Collector cannot connect to the Central Manager:

 

fedr_tray2.png 

  3. In the Central Manager, confirm the Collector is in a Disconnected state:

 

fedr_cm3.png

 

  4. In the FortiSASE portal, go to Configuration -> TRAFFIC -> Security and check whether deep inspection is enabled.
  5. If deep inspection is enabled, create an entry for the FortiEDR Aggregator IP/FQDN and assign it to Exemption in the SSL Inspection profile:

 

fortisase_ssl4.png

 

  6. Confirm the FortiEDR Collector status is Connected on the machine and Running in the Central Manager.

 

fedr_tray5.png

 

fedr_cm6.png
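
To confirm that deep inspection is what sits between the Collector and the Aggregator, and that the exemption has taken effect, the certificate issuer presented for the Aggregator over the VPN can be compared with the issuer recorded off the VPN. The script below is an added example, not part of the original article or of Fortinet tooling. The host, port and baseline issuer are operator-supplied placeholders, and it assumes the Aggregator endpoint answers a standard TLS handshake.

```shell
#!/bin/sh
# Added example (not Fortinet tooling). Host, port and baseline issuer are
# placeholders supplied by the operator; none come from the article.
# Assumption: the Aggregator endpoint answers a standard TLS handshake.

# Print the issuer of the leaf certificate presented by host:port, or nothing.
cert_issuer() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -issuer 2>/dev/null
}

# Strip the "issuer=" prefix and all whitespace so two readings compare cleanly.
normalise() {
    printf '%s' "$1" | sed -e 's/^issuer=//' | tr -d ' \t\r\n'
}

# classify_path BASELINE OBSERVED
#   direct       issuer matches the one recorded off the VPN (exemption works)
#   intercepted  issuer differs: the certificate was re-signed on the path
#   unreachable  no certificate was presented at all
classify_path() {
    if [ -z "$(normalise "$2")" ]; then
        echo unreachable
    elif [ "$(normalise "$1")" = "$(normalise "$2")" ]; then
        echo direct
    else
        echo intercepted
    fi
}

# Usage: ./check_path.sh <aggregator-host> <port> '<issuer recorded off the VPN>'
if [ "$#" -eq 3 ]; then
    observed=$(cert_issuer "$1" "$2")
    printf 'observed issuer: %s\n' "${observed:-<none>}"
    classify_path "$3" "$observed"
fi
```

Record the baseline issuer with the VPN down, then run the script with the VPN up before and after adding the exemption: `intercepted` should change to `direct`.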

 

Another solution is to set up split tunneling in FortiSASE. Visit the guide for more information about the settings.
