msolanki
Staff
Article Id 416890
Description

This article describes log visibility issues on FortiGates in a Security Fabric.

Scope

FortiGate, FortiAnalyzer.
Solution

In a Security Fabric deployment, there can be a scenario where a user is connected to a branch FortiGate, while a network policy for the same user also exists on the root FortiGate.

 

Typical topology:

Client → FGT (Branch) → FGT (Root) → Server

 

In this setup, logs are visible only on the FortiAnalyzer or the branch FortiGate, but not on the root FortiGate.
This occurs because the FortiAnalyzer is the central log collector in the Security Fabric, aggregating logs from all managed FortiGates. The root FortiGate does not automatically store full traffic or user activity logs from downstream FortiGates.

 

Expected Behavior in Security Fabric:

  • Each FortiGate logs locally and/or forwards logs to FortiAnalyzer, which serves as the centralized log repository.
  • A FortiGate does not function as a log server for other FortiGates; hence, it does not automatically receive or store user or traffic logs from managed (child) devices.
  • The Security Fabric shares contextual and threat information (events, topology, indicators, etc.), but it does not replicate full per-user traffic logs between devices.

 How to Make Branch FortiGate Logs Visible from Root FortiGate:

  • Forward logs from FortiAnalyzer to an external FortiSIEM/Syslog server.
    • The external system can then correlate logs from the branch FortiGate with root FortiGate details to achieve unified visibility.
  • Enable configuration synchronization locally.
    • Under 'config system csf', set 'configuration-sync' to 'local'.
    • This method is not recommended when multiple branch FortiGates are connected, as it may cause resource issues and synchronization overhead.
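
The correlation step in the first option can be sketched as follows. This is an added example, not Fortinet code and not part of the original article: it joins root-side traffic logs to branch-side logs on the flow 5-tuple so the branch's user identity appears next to the root policy that handled the same session. It assumes no NAT between branch and root, synchronized clocks, and FortiGate key=value traffic-log fields (srcip, srcport, dstip, dstport, proto, user, policyid); the log lines and device names are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in FortiGate key=value style; device names are hypothetical.
BRANCH = [
    'date=2024-05-01 time=10:00:01 devname="FGT-Branch" srcip=10.1.1.20 srcport=51512 '
    'dstip=172.16.5.10 dstport=443 proto=6 user="alice" policyid=7',
    'date=2024-05-01 time=10:03:40 devname="FGT-Branch" srcip=10.1.1.31 srcport=40022 '
    'dstip=172.16.5.10 dstport=22 proto=6 user="bob" policyid=9',
]
ROOT = [
    'date=2024-05-01 time=10:00:02 devname="FGT-Root" srcip=10.1.1.20 srcport=51512 '
    'dstip=172.16.5.10 dstport=443 proto=6 policyid=3',
    'date=2024-05-01 time=11:30:00 devname="FGT-Root" srcip=10.1.1.31 srcport=40022 '
    'dstip=172.16.5.10 dstport=22 proto=6 policyid=3',   # same 5-tuple, far outside window
    'date=2024-05-01 time=10:05:00 devname="FGT-Root" srcip=10.9.9.9 srcport=1234 '
    'dstip=172.16.5.10 dstport=443 proto=6 policyid=4',  # never crossed the branch
]

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
FLOW = ("srcip", "srcport", "dstip", "dstport", "proto")

def parse(line):
    """Turn one key=value log line into a dict with a parsed timestamp."""
    rec = {k: v.strip('"') for k, v in KV.findall(line)}
    rec["ts"] = datetime.strptime(f'{rec["date"]} {rec["time"]}', "%Y-%m-%d %H:%M:%S")
    return rec

def correlate(branch_lines, root_lines, window=timedelta(seconds=30)):
    """Attach the branch-side user to each root-side log with the same 5-tuple."""
    by_flow = {}
    for rec in map(parse, branch_lines):
        by_flow.setdefault(tuple(rec[f] for f in FLOW), []).append(rec)
    out = []
    for root in map(parse, root_lines):
        # Only accept branch records close in time, so a reused source port
        # hours later is not attributed to the earlier user.
        near = [b for b in by_flow.get(tuple(root[f] for f in FLOW), [])
                if abs(b["ts"] - root["ts"]) <= window]
        best = min(near, key=lambda b: abs(b["ts"] - root["ts"]), default=None)
        out.append({
            "root_policy": root["policyid"],
            "srcip": root["srcip"],
            "user": best["user"] if best else None,
            "branch_device": best["devname"] if best else None,
            "branch_policy": best["policyid"] if best else None,
        })
    return out
```

Rows that come back with no user are root-side sessions with no matching branch log inside the time window, which is worth reviewing as either a logging gap on the branch or traffic that did not pass through it.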