parthpatel
Staff
Article Id 335966
Description This article describes a possible cause of, and the solution for, an HA cluster failing to authorize on the root Fabric device with the error 'Cannot authorized device in Fabric'.
Scope FortiGate.
Solution

When trying to authorize the HA cluster device on the root FortiGate, the error message 'Cannot authorized device in Fabric' is shown.

Follow the steps below to confirm whether any of the devices were previously added to the same Fabric, as that would cause this authorization issue.

To further confirm the issue, try to authorize the device from the root FortiGate CLI with the commands below:

 

diag debug reset
diag debug cli 8
diag debug enable
diag sys csf authorization accept <serial number of device>

 

If the output matches the example shown below, check the trusted-list on the root FortiGate to ensure that none of the devices from the cluster were previously added to the root device.

 

di sys csf authorization accept FGT81FTKxxxx150
0: config system csf
0: config trusted-list
0: edit "FGT81FTKxxxx150"
0: set serial "FGT81FTKxxxx150" <---------- SN of primary device.
0: set ha-members "FGT81FTKxxxx450" <------ SN of secondary device.
-15: end
cmd=config system csf
config trusted-list
    edit FGT81FTKxxxx150
        set serial FGT81FTKxxxx150
         set ha-members FGT81FTKxxxx450
abort
abort

cmdb error ret:-15
Command fail. Return code -333

 

In the trusted-list on the root device, confirm that none of the serial numbers of the devices being added are already present. If one of those serial numbers is listed in the trusted-list, this could be the reason authorization is failing. This can happen if the devices previously ran in standalone mode and were added to the root Fabric device, or were part of another cluster.

 

config system csf
config trusted-list
show
    edit "FGT81FTKxxxx450"
        set serial "FGT81FTKxxxx450" <--- Secondary device already under the trusted-list.
    edit "FG6H1ETB219----0"
        set serial "FG6H1ETB219----0"
        set ha-members "FG6H1ETB219----0"
    next

 

Delete the device from the trusted-list and then re-authorize it. The device should now authorize without any issue.

 

config system csf
    config trusted-list
        delete FGT81FTKxxxx450
    end
end
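
When the trusted-list is long, the check described above can be scripted against a saved copy of the 'show' output. The following is an added example, not part of the original article and not Fortinet tooling: the function names and the sample output are constructed for illustration, and the serial numbers are masked placeholders in the article's style.

```python
import shlex

# Constructed sample of saved 'show' output (masked serials in the article's style).
# It includes a stray space inside quotes, a '<---' note and a missing 'next'.
SAMPLE_SHOW = '''
config trusted-list
    edit " FGT81FTKxxxx450"
        set serial " FGT81FTKxxxx450" <--- stale standalone entry
    edit "FG6H1ETB219----0"
        set serial "FG6H1ETB219----0"
        set ha-members "FG6H1ETB219----1"
    next
end
'''

def parse_trusted_list(text):
    """Map each trusted-list entry name to the serials it references."""
    entries, current = {}, None
    for raw in text.splitlines():
        tokens = shlex.split(raw.split("<-")[0])  # drop trailing '<--- note'
        if len(tokens) >= 2 and tokens[0] == "edit":
            current = tokens[1].strip()
            entries[current] = set()
        elif tokens[:1] == ["next"]:
            current = None
        elif current and len(tokens) >= 3 and tokens[0] == "set" \
                and tokens[1] in ("serial", "ha-members"):
            entries[current].update(t.strip() for t in tokens[2:])
    return entries

def find_conflicts(entries, cluster_serials):
    """Entries that already reference a serial of the cluster being authorized."""
    wanted = set(cluster_serials)
    return {name: sorted(refs & wanted)
            for name, refs in entries.items() if refs & wanted}

def cleanup_commands(conflicts):
    """CLI lines to review before use: 'delete' removes the whole entry,
    including one that lists the serial only as an ha-member."""
    lines = ["config system csf", "    config trusted-list"]
    lines += [f"        delete {name}" for name in sorted(conflicts)]
    return lines + ["    end", "end"]

if __name__ == "__main__":
    cluster = ["FGT81FTKxxxx150", "FGT81FTKxxxx450"]  # primary, secondary
    hits = find_conflicts(parse_trusted_list(SAMPLE_SHOW), cluster)
    for name, serials in hits.items():
        print(f"entry {name} already references {', '.join(serials)}")
    print("\n".join(cleanup_commands(hits)))
```

Review the generated delete lines before pasting them into the root FortiGate, since an entry that matches only through its ha-members may belong to another cluster that is still in use.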