kumarh
Staff
Article Id 416948
Description This article describes a situation where the Security Fabric displays a Disconnected status between a root FortiGate and a child FortiGate when the serial number of a secondary High Availability unit is used for authorization. It explains how to resolve the issue by using the primary FortiGate unit serial number.
Scope FortiGate.
Solution
  1. Ensure that the root FortiGate can communicate with the child FortiGate over the Security Fabric port.
    • Ping the child FortiGate:

execute ping <child_device_IP>

    • Telnet to the child FortiGate on port 8013 (the default Security Fabric port):

execute telnet <child_device_IP> 8013
  2. Check the CSF authorization and the HA serial number. When authorizing the child FortiGate on the root FortiGate, the following output may appear:

diagnose sys csf authorization accept <FortiGate Serial Number>
csf_authorization_action Couldn't find pending entry for <FortiGate Serial Number>
action saved in system.csf.trusted-list

This output indicates that the serial number used for authorization may not belong to the primary HA unit.
The Security Fabric displays Disconnected when a secondary HA unit serial number is used.

The serial number used for authorization must be that of the primary unit of the child FortiGate HA cluster. The Security Fabric connection will not be established if a secondary HA unit serial number is used.
  3. On the child FortiGate cluster, run the following command to confirm which device is the primary:

get system ha status

  4. Reauthorize the correct primary FortiGate serial number. On the root FortiGate, authorize the child FortiGate again using the primary unit serial number identified in step 3:

diagnose system csf authorization accept <FortiGate Serial Number>

  5. Verify the Security Fabric connection after authorizing with the correct primary unit serial number:

get system csf
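As an added example (not part of the original article), the following Python check ties steps 3 and 4 together: it parses `get system ha status` output from the child cluster and confirms that the serial number about to be authorized on the root belongs to the primary unit rather than a secondary. The sample output, hostnames and serial numbers are constructed, and the assumed line layout is `Primary : <hostname>, <serial>, HA cluster index = N`; adjust the pattern if your firmware version prints it differently.

```python
import re

# Constructed sample of `get system ha status` output from a two-member
# A-P cluster. Hostnames and serials are placeholders, and the
# "Primary/Secondary : hostname, serial, HA cluster index = N" layout is
# an assumption; verify it against your own FortiOS version.
SAMPLE_HA_STATUS = """\
HA Health Status: OK
Model: FortiGate-100F
Mode: HA A-P
Group: 0
Primary     : FGT-A           , FGT100FXXXXXXXXA, HA cluster index = 1
Secondary   : FGT-B           , FGT100FXXXXXXXXB, HA cluster index = 0
number of vcluster: 1
"""

# One member line: role, hostname, serial, cluster index.
# Older firmware labels the roles Master/Slave; both spellings are accepted.
ROLE_LINE = re.compile(
    r"^(?P<role>Primary|Secondary|Master|Slave)\s*:\s*"
    r"(?P<host>\S+)\s*,\s*(?P<serial>[A-Z0-9]+)\s*,\s*"
    r"HA cluster index\s*=\s*(?P<idx>\d+)",
    re.MULTILINE,
)

def parse_ha_roles(ha_status: str) -> dict:
    """Map each cluster member's serial number to its HA role."""
    roles = {}
    for m in ROLE_LINE.finditer(ha_status):
        role = {"Master": "Primary", "Slave": "Secondary"}.get(m["role"], m["role"])
        roles[m["serial"]] = role
    return roles

def primary_serial(ha_status: str) -> str:
    """Return the primary unit's serial number, or raise if none is listed."""
    for serial, role in parse_ha_roles(ha_status).items():
        if role == "Primary":
            return serial
    raise ValueError("no primary unit found in HA status output")

def check_authorization_serial(candidate: str, ha_status: str) -> tuple:
    """Return (ok, message): ok is True only if `candidate` is the primary unit."""
    role = parse_ha_roles(ha_status).get(candidate)
    if role == "Primary":
        return True, f"diagnose sys csf authorization accept {candidate}"
    if role == "Secondary":
        return False, (f"{candidate} is the secondary HA unit; authorize the primary "
                       f"{primary_serial(ha_status)} instead or the Fabric stays Disconnected")
    return False, f"{candidate} is not a member of this HA cluster"
```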