FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
mkhabbazi
Staff
Article Id 280864
Description

This article explains a behavior change that disables the Security Fabric configuration on a Fabric Root FortiGate.

Upgrading FortiOS firmware to version 7.2.6 or 7.4.1 on units with 2 GB of RAM that are configured as the root FortiGate of a Security Fabric causes the Security Fabric configuration to be disabled after the upgrade.

Example of a FortiGate 60F configured as Fabric Root running FortiOS 7.2.5.

Configuration from CLI:


config system csf
    set status enable
    set group-name "FTNT"
    set fixed-key ENC
end

 

After the firmware upgrade from v7.2.5 to v7.2.6, downstream FortiGates present the following Fabric Status in the Security Fabric Setup connector.

[Screenshot: Fabric Status on a downstream FortiGate, Security Fabric Setup connector]

The configuration is then set to Standalone, which means Security Fabric is disabled.
Note that the option to configure this device as Fabric Root is no longer available.

From the CLI, the following message is returned when trying to set the device as Fabric Root:

config system csf
    set status enable
end


...


2GB-RAM models cannot be a Security Fabric root.
Please set the upstream.
object set operator error, -39, roll back the setting
Command fail. Return code -39

Scope

FortiGate-40F, 60E, 60F, 80E, and 90E series devices and their variants running FortiOS v7.2.6 and v7.4.1.

Solution

Per the new design to reduce memory consumption, FortiGate models with 2 GB RAM running FortiOS 7.2.6 and 7.4.1 and above cannot be configured as the root of the Security Fabric topology.

Those devices can only be a Downstream or Standalone device of a Security Fabric.

The affected models are the FortiGate 40F, 60E, 60F, 80E, and 90E series devices and their variants.

Note:
FortiGate VMs with 2GB of RAM are not affected.
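
A pre-upgrade check over a configuration backup, added here as an example (it is not Fortinet code): it flags a backup whose "config system csf" block makes the unit a Fabric Root on one of the models named above when the target FortiOS version is 7.2.6, 7.4.1 or above. The "#config-version=" header layout, the FGT model-code prefix, and treating "enabled with no upstream or upstream-ip set" as root are assumptions; the function names are hypothetical.

```python
import re

# Models named on this page; add series variants yourself (assumption: the
# backup header carries a model code such as FGT60F).
AFFECTED_MODELS = ("40F", "60E", "60F", "80E", "90E")

# Constructed sample backup; build number and hostname are placeholders.
SAMPLE = """#config-version=FGT60F-7.2.5-FW-build0000-000000:opmode=0:vdom=0:user=admin
config system global
    set hostname "root-fgt"
end
config system csf
    set status enable
    set group-name "FTNT"
    set fixed-key ENC
end
"""

def version_blocks_root(version):
    """True for 7.2.6 and above except 7.4.0 (page: 7.2.6 and 7.4.1 and above)."""
    v = tuple(int(p) for p in version.split("."))
    return v >= (7, 2, 6) and v != (7, 4, 0)

def csf_settings(config_text):
    """Return the 'set' lines of the top-level 'config system csf' block."""
    block = re.search(r"^config system csf\n(.*?)^end$", config_text, re.S | re.M)
    if not block:
        return {}
    return dict(re.findall(r"^\s*set (\S+) (.+)$", block.group(1), re.M))

def upgrade_disables_fabric(config_text, target_version):
    """True when this backup is a Fabric Root that the upgrade would disable."""
    header = re.search(r"^#config-version=([A-Z0-9]+)-", config_text, re.M)
    model = header.group(1) if header else ""
    csf = csf_settings(config_text)
    # Assumption: a root has the fabric enabled and no upstream configured.
    is_root = csf.get("status") == "enable" and not (
        "upstream" in csf or "upstream-ip" in csf)
    on_affected_model = model.startswith("FGT") and model.endswith(AFFECTED_MODELS)
    return is_root and on_affected_model and version_blocks_root(target_version)

if __name__ == "__main__":
    for target in ("7.2.5", "7.2.6", "7.4.1"):
        print(target, upgrade_disables_fabric(SAMPLE, target))
```

Run it against each backup before scheduling the upgrade; a True result means the root role has to move to a unit outside the affected list first.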


Related Documents:

FortiOS 7.2.6 - FortiGate models with 2 GB RAM cannot be a Security Fabric root
FortiOS 7.4.1 - FortiGate models with 2 GB RAM cannot be a Security Fabric root
Technical Tip: Configuring the root FortiGate and downstream FortiGates in Security Fabric

Comments
mauromarme
Staff

All of them are low-end models.
Thanks for the info!