Hi!
I have a public IPv4 pool. I use 3 independent VDOMs with one public IP each on their WAN interface. I just noticed that the FortiGate is regularly sending UDP 8014 packets from each WAN interface to the broadcast address of the IP pool. On the WAN interfaces only ping is enabled for admin access.
If it is not enabled, why is it sending these packets? Is this a bug or a "hidden" feature?
Device: FortiGate 201F
Firmware: v7.4.3 build2573
Thank you.
Hi,
For testing purposes, can you run the command below and verify?
FortiGate-VM64 # config system csf
FortiGate-VM64 (csf) # set log-unification disable
FortiGate-VM64 (csf) # next
FortiGate-VM64 (csf) # end
Regards,
Shiva
Hi,
- Can you provide the output of the "diagnose test application csfd 1" and "show full-configuration system csf"?
Regards,
Shiva
Here they are:
FG201F (global) # show full-configuration system csf
config system csf
set status enable
set uid "9834...77e716"
set upstream ''
set upstream-port 8013
set group-name "UTIBER_FABRIC"
set group-password ENC ICq66bfHYo...4L6ujJxzt7uw==
set accept-auth-by-cert enable
set log-unification enable
set authorization-request-type serial
set fabric-workers 2
set downstream-access disable
set configuration-sync local
set fabric-object-unification local
config trusted-list
edit "FEVM010000086520"
set authorization-type certificate
set certificate "-----BEGIN CERTIFICATE-----
MIIDwjCCAqqgAwI...MlToysP
-----END CERTIFICATE-----
"
set action accept
set index 1
next
end
set forticloud-account-enforcement enable
set file-mgmt enable
set file-quota 0
set file-quota-warning 90
end
FG201F (global) #
FG201F (global) # diagnose test application csfd 1
Dump CSF daemon info
group name: UTIBER_FABRIC
group pwd: *
status: Active
accept auth by cert: y
forticloud account enforcement: y
Upstream info
N/A
Downstream info
device total: 1
# 1
sn: FEVM010000086520
id: 61
ip: 192.168.50.128
port: 38994
status: link-ok SSL-ok hello-ok auth-ok
no response: 0
SLBC member: n
Hi,
After changing log-unification to the disabled state, the UDP 8014 broadcasts have stopped on the WAN side.
I tried to see what log-unification is for, but I do not understand it. I quickly found only this:
What is this for?
What it means: "broadcast of discovery messages for log unification"?
If I disable it, won't it work on the LAN side either? What do I lose if I disable it? On the WAN side, what is the point of broadcasting any messages?
Regards,
Zoltán
Hi,
The feature is designed to broadcast on every interface to find neighboring fabric members so that the MAC addresses can be learned and logging can be unified.
You have the command "set configuration-sync local". Hence this feature is not required.
Regards,
Shiva
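As an added illustration (not code from this thread or from Fortinet), a small Python audit that parses a `show full-configuration system csf` dump in the format quoted above and flags the combination Shiva points out: `log-unification enable` together with `configuration-sync local`. The parser assumes a simplified CLI grammar (config/edit open a scope, set assigns, next/end close it), and the embedded sample is constructed with placeholder UID and serial values.

```python
# Constructed sample modelled on the "show full-configuration system csf" output
# in this thread; UID and serial are placeholders, certificate lines omitted.
SAMPLE_CSF = """config system csf
    set status enable
    set uid "PLACEHOLDER-UID"
    set upstream ''
    set upstream-port 8013
    set group-name "UTIBER_FABRIC"
    set log-unification enable
    set downstream-access disable
    set configuration-sync local
    set fabric-object-unification local
    config trusted-list
        edit "PLACEHOLDER-SERIAL"
            set authorization-type certificate
            set action accept
        next
    end
end
"""

def parse_fortios(text):
    """Parse a FortiOS CLI dump into nested dicts (assumed simplified grammar)."""
    root, stack = {}, []
    cur = root
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(("config ", "edit ")):
            key = line.split(" ", 1)[1].strip('"')  # scope name, quotes removed
            stack.append(cur)
            cur = cur.setdefault(key, {})
        elif line.startswith("set "):
            k, _, v = line[4:].partition(" ")
            cur[k] = v.strip().strip("\"'")  # single-line values only
        elif line in ("next", "end") and stack:
            cur = stack.pop()
    return root

def audit_csf(text):
    """Return findings about the Security Fabric settings discussed in the thread."""
    csf = parse_fortios(text).get("system csf", {})
    findings = []
    if csf.get("status") == "enable" and csf.get("log-unification") == "enable":
        findings.append("log-unification enabled: UDP 8014 discovery broadcasts "
                        "are sent from every interface, WAN included")
        if csf.get("configuration-sync") == "local":
            findings.append("configuration-sync is local, so log-unification is not "
                            "required; 'set log-unification disable' stops them")
    return findings
```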
Hi @fortinetforumfiokom ,
The UDP port 8014 traffic is by default allowed in your FortiGate Local In Policy, and this is an open FortiGate incoming port for the Security Fabric connection.
Refer to this article
https://docs.fortinet.com/document/fortigate/6.4.0/ports-and-protocols/303168/fortigate-open-ports
Enabling/disabling services on the interface will not have any effect on this traffic.
Best Regards,
Saneesh
Created on 05-01-2024 06:14 AM
Hi @saneeshpv_FTNT!
I think this is not a local-in problem but a local-out problem. What is the point of the FortiGate sending a Security Fabric broadcast message on the WAN side for whatever reason?
Regards,
Zoltán