FortiGate
ssanga (Staff)
Article Id 382394
Description This article describes an issue where a downstream FortiGate in a Security Fabric environment incorrectly declares itself as the root to the FortiClient EMS server, leading to synchronization issues.
Scope FortiGate v7.2.8.
Solution

A 'Fabric device (SN=FGVM2VTM1******) does not have the right permissions' log message appears in the EMS server logs even though the connection between the FortiGate and the EMS connector is up.

A downstream FortiGate in the Security Fabric incorrectly identifies itself as the root device to the FortiClient EMS server when it sends the REST API call 'api/v1/fabric_device_auth/fortigate'.

The following errors are seen in the fcnacd debugs:

diagnose debug application fcnacd -1
diagnose endpoint filter show-large-data yes
diagnose debug enable
.
{"fortigates":{"FGVM2VTM1******)":{"authenticate":"accept","is_root":true}}} <--------------------------------------------- declaring itself as root.
.
2024-07-05 10:45:13 [ec_ez_worker_process:368] Processing call for obj-id: 3, entry: "api/v1/fabric_device_auth/fortigate"
2024-07-05 10:45:13 [ec_ez_worker_process:387] reply:
"""
{"result": {"retval": -4, "message": "Fabric device (SN=FGVM2VTM1******)":{") does not have the right permissions."}}
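As an added example (not part of the original article), the following Python script triages a saved fcnacd debug capture: it pulls the JSON objects out of the log lines, flags any FortiGate that declares is_root true without being the known Fabric root serial, and surfaces EMS replies that carry a negative retval. The capture text and serial numbers below are constructed placeholders.

```python
import json

# Constructed fcnacd debug excerpt modelled on the article; the serial
# numbers are placeholders, and the trailing "<---" note mimics an
# annotation left in a pasted capture.
SAMPLE_DEBUG = """\
2024-07-05 10:45:13 [ec_ez_worker_process:368] Processing call for obj-id: 3, entry: "api/v1/fabric_device_auth/fortigate"
{"fortigates":{"FGVM2VTM1XXXXXXX":{"authenticate":"accept","is_root":true}}} <--- declaring itself as root.
2024-07-05 10:45:13 [ec_ez_worker_process:387] reply:
{"result": {"retval": -4, "message": "Fabric device (SN=FGVM2VTM1XXXXXXX) does not have the right permissions."}}
"""

_DECODER = json.JSONDecoder()


def _json_objects(line):
    """Yield every JSON object embedded in a debug line, skipping the
    timestamp prefix and any trailing annotation after the object."""
    pos = line.find("{")
    while pos != -1:
        try:
            obj, end = _DECODER.raw_decode(line, pos)
            yield obj
            pos = line.find("{", end)
        except ValueError:
            # Not a JSON object at this brace; try the next one.
            pos = line.find("{", pos + 1)


def audit_fabric_auth(debug_text, root_sn):
    """Return findings as tuples: ("rogue_root_claim", sn) for a device
    claiming root while not being root_sn, and ("ems_rejected", retval,
    message) for any EMS reply with a negative retval."""
    findings = []
    for line in debug_text.splitlines():
        for obj in _json_objects(line):
            for sn, attrs in obj.get("fortigates", {}).items():
                if attrs.get("is_root") and sn != root_sn:
                    findings.append(("rogue_root_claim", sn))
            result = obj.get("result")
            if isinstance(result, dict) and result.get("retval", 0) < 0:
                findings.append(("ems_rejected", result["retval"],
                                 result.get("message", "")))
    return findings


if __name__ == "__main__":
    # Placeholder root serial: the downstream unit in the capture is not it.
    for finding in audit_fabric_auth(SAMPLE_DEBUG, "FGT-ROOT-PLACEHOLDER"):
        print(finding)
```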

This issue has been resolved in the following FortiOS versions:

  • v7.2.11 (available to download from the Fortinet support portal).
  • v7.4.8 (scheduled to be released in April 2025).
  • v7.6.1 (available to download from the Fortinet support portal).

These timelines for firmware release are estimates and may be subject to change.

General debug information required by FortiGate TAC for investigation:

  • Debugs:

diagnose debug console timestamp enable
diagnose debug application fcnacd -1
diagnose endpoint filter show-large-data yes
diagnose debug enable

Reproduce the issue, then run the following:

diagnose debug reset
get system csf

  • TAC Report:

execute tac report

  • Configuration file of the FortiGate.

  • To stop the debug output when finished, press Ctrl + C and enter 'diagnose debug disable'.