FortiNDR (on-premise)
On-premise deployment, where the solution processes and stores data on the customer's network. Supports NetFlow and OT deployments.
melshehaby
Staff
Article Id 244214

Description

 

This article explains an issue with FortiGate/FortiNDR integration: The two cannot connect or authorize after a FortiGate is deleted.

In FortiGate, FortiNDR shows as 'unreachable'. The FortiGate does not appear under the 'Device Input' tab and cannot be authorized.

 

Scope

 

All currently supported versions of FortiGate and FortiNDR.

 

Solution

 

If an authorized device under the 'Device Input' page in FortiNDR was deleted, FortiNDR will not automatically show it in the list in the future. It must be added manually instead.

 

Run one of the following two commands in the FortiNDR CLI, depending on the FortiGate firmware version:

 

FortiGate firmware below v7.x:

 

execute device add 1 <FortiGate signature>

 

FortiGate firmware v7.x or above:

 

execute device add 3 <FortiGate signature>

 

This command will add the FortiGate to FortiNDR.

 

Note:

The number in the command is the device ID type:

 

1 = OFTP for FortiGate versions below 7.x.

3 = HTTP2 for FortiGate version 7.x or above.

4 = FSSA.

7 = FortiMail.

 

Note:

The above-mentioned FortiGate signature means the FortiGate serial number plus VDOM.

 

execute device add 3 <-- FortiGate serial Number (VDOM).

 

Note:

If it is necessary to delete the FortiGate device, first select Security Fabric -> Fabric Connector -> Disable Security Fabric from FortiNDR, or disable the inline blocking feature on FortiGate. Then remove the device.