|
If a downstream FortiGate is not authorized, it stays visible but isolated— the device is then listed as Pending/Discovered but it is possible that the csfd handshake never completes. When the cfsd handshake fails to complete no Security Fabric sessions, trust, or telemetry/policy sync will be established. The downstream devices with show Pending or Discovered but not Authorized. Also, Fabric Connector object exists but does not establish sessions with the root and the csf states can differ between root and downstream. Use the following cli commands to verify status and trouble shoot node to node and node to fabric (downstream devices).
On the FortiGate Device:
To check Security Fabric authorization for accept/deny status on the downstream FortiGate or supported Fabric Connectors: Run the following to get a standard sanity-check status for root, group name, interfaces and any trust settings.
diagnose sys csf authorization pending-list
diagnose sys csf downstream
diagnose sys csf downstream-devices
get system csf
On the Downstream Devices:
To perform a sanity check to verify/confirm the roles of the downstream, upstream device and group names.
diagnose sys csf upstream
get system csf
On the FortiGate and Downstream Devices:
Run on both root and downstream at the same time.
diagnose debug reset
diagnose debug console timestamp enable
diagnose debug application csfd -1
diagnose debug enable
diagnose test application csfd 1
get system csf
To complete the output collection, wait for the full handshake to appear before disabling the debug.
|
