FortiGate
SteveR
Staff
Article Id 413679
Description

This article describes an error that may be shown when trying to change the 'configuration-sync' setting under the Security Fabric configuration on a downstream FortiGate. In addition to the error being shown, the configuration change is not accepted.

Scope

FortiGate.

Solution

The CLI excerpt below shows the error and the rejection of the configuration change:

FGT1 # config system csf
FGT1 (csf) # set configuration-sync default
FGT1 (csf) # end
To enable SAML sync, non-root members of
Security fabric must have a valid management IP.
object set operator error, -39, roll back the setting
Command fail. Return code -39
FGT1 #

The error is somewhat confusing because it refers to 'SAML sync', although the 'saml-configuration-sync' option is not being changed. When the current settings are displayed, the 'saml-configuration-sync' option is not present at all:

FGT1 # get system csf
status : enable
uid : 45a981b9742488f82fc890ae462a8efd
upstream : 10.0.0.1
source-ip : 0.0.0.0
upstream-interface-select-method: auto
upstream-port : 8013
group-name :
accept-auth-by-cert : enable
log-unification : enable
authorization-request-type: serial
fabric-workers : 2
downstream-access : disable
legacy-authentication: disable
configuration-sync : local
file-mgmt : enable
file-quota : 0
file-quota-warning : 90

The reason for this error is that the 'saml-configuration-sync' option only becomes available, with a value of 'default', once 'configuration-sync' is set to 'default'. Enabling SAML synchronization requires a valid management IP on the non-root fabric member, as the error message states, so the change to 'configuration-sync' is rolled back and the setting stays at 'local'.

In this scenario, there are two options that allow the 'configuration-sync' setting to be changed.

Either specify a management IP address under the 'system global' configuration:

FGT1 # config system global
FGT1 (global) # set management-ip x.x.x.x
FGT1 (global) # end

Or, if SAML configuration synchronization is not required, set 'saml-configuration-sync' to 'local' in the same CLI transaction as the 'configuration-sync' change:

FGT1 # config system csf
FGT1 (csf) # set configuration-sync default
FGT1 (csf) # set saml-configuration-sync local
FGT1 (csf) # end
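When the same change has to be rolled out to many downstream FortiGates, it helps to decide up front which of the two options applies to each unit rather than hitting the -39 rejection interactively. The following pre-check is an added example and not part of this article or of FortiOS; it assumes the caller has already captured the plain-text output of 'get system csf' and 'show system global' (for example over SSH) and passes both strings in. The sample outputs below are constructed.

```python
import ipaddress

# Constructed sample output in the 'key : value' format of 'get system csf'
# shown above (only the relevant lines are included).
SAMPLE_GET_CSF = """\
status : enable
upstream : 10.0.0.1
configuration-sync : local
file-mgmt : enable
"""

# Constructed sample 'show system global' output for a downstream unit that
# has no management IP configured (so 'set management-ip' is absent).
SAMPLE_SHOW_GLOBAL_NO_MGMT = """\
config system global
    set hostname "FGT1"
end
"""

def parse_get_output(text):
    """Parse 'key : value' lines from a FortiGate 'get ...' command into a dict."""
    settings = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            settings[key.strip()] = value.strip()
    return settings

def management_ip_from_show(text):
    """Return the management-ip from 'show system global' output, or None
    when it is absent, unparsable, or the unspecified address 0.0.0.0."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[:2] == ["set", "management-ip"]:
            try:
                ip = ipaddress.ip_address(parts[2])
            except ValueError:
                return None
            return None if ip.is_unspecified else str(ip)
    return None

def plan_configuration_sync_default(get_csf_text, show_global_text):
    """Return the CLI lines that move configuration-sync to 'default' without
    triggering the 'valid management IP' rejection (return code -39)."""
    csf = parse_get_output(get_csf_text)
    if csf.get("configuration-sync") == "default":
        return []  # already in the desired state, nothing to send
    commands = ["config system csf", "set configuration-sync default"]
    if management_ip_from_show(show_global_text) is None:
        # No management IP: SAML sync cannot be enabled, so opt out of it in
        # the same transaction (the second option described above).
        commands.append("set saml-configuration-sync local")
    commands.append("end")
    return commands
```

If a management IP is configured, the returned command list contains only the 'configuration-sync' change, matching the first option above.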