Technical Tip: CMDB add entry failed when trying to authorize a new firewall to Security Fabric

kaurm · ‎01-23-2024

Description

This article describes the case when an HA cluster cannot join the security fabric. When trying to authorize the device on root fabric, the serial number is not present. When trying to pre-authorize the device via the CLI, the following error is seen:

FORTIGATE01 # config system csf
FORTIGATE01 (csf) # config trusted-list
FORTIGATE01 (trusted-list) # edit "-FG60F_HA"
Command fail. Return code -361

Scope

All FortiGate.

Solution

Adding missing index numbers under the CSF config:

The bidirectional traffic was seen for CSF and error on Root FortiGate was the downstream device was unauthorized and was greyed out.

Downstream FortiGate: was showing pending authorization.

On Root FortiGate:

config system csf
set status enable
set group-name "ABC"
set group-password XXXXXXXXXXX
set fixed-key XXXXXXXXXXXXXXXX
set downstream-access enable
set downstream-accprofile "super_admin"
config trusted-list
edit "Root"
set serial "FGTxxxxxxxx"
set index 1 <----- The Index is set to 1.
next
edit "fortigate1"
set serial "FGTxxxxxxx"
set index 2 <----- The Index is set to 2.
next
edit "Fortigate2"
set serial "FGTyyyyyyyyy" <----- Index is set to 3.
set index 3
next
edit "Fortigate3"
set serial "FGTzzzzzzzzz" <----- Add index '4' here since it is missing.
next
end
end

After adding the index:

config system csf
config trusted-list
edit "Fortigate2"
set index 4
end
end

The device will get authorized as per requirement.

Technical Tip: CMDB add entry failed when trying to authorize a new firewall to Security Fabric

You are leaving our website