Borussia
New Contributor

FortiGate 61F 7.2.3 blocking Security Fabric Traffic

Hello,

 

I am just creating a security fabric out of our three firewall systems:

 

- FG501E HA-Cluster (site1, fabric root, 7.0.9)

- FG60E (site2, fabric member, 7.0.9)

- FG61F (site3, fabric member, 7.2.3)

 

Both the 60E and 61F are connected via site-to-site VPN created by the integrated wizard.

I configured the tunnel interfaces, gave them IP addresses and created the required static routes.

The 60E is joining the fabric without any issues; the 61F does not. All the traffic to the root fabric is blocked:

 

image.png

Maybe you have an idea or hint about what I may be missing here.

 

I already chatted with the Forti Support to verify that the newer firmware is no problem joining the cluster as it is supported.

 

Thank you in advance and kind regards

 

Marius

Cajuntank
Contributor II

Unless something has just changed with this technology that I'm unaware of, for the FortiGates to participate in Security Fabric, they all have to be on the exact same FortiOS. So your site 3 would need to be at 7.0.9 or you'd have to upgrade site 1 and 2 up to 7.2.3.

Borussia

Hey Cajuntank,

 

Thank you for the answer. This is what I first thought of, and to confirm this I contacted Fortinet Support, which told me that there is no problem joining a root fabric with a newer firmware.

 

I will open a TAC case to confirm your answer. Thanks again!

Cajuntank

I am on 7.0.9 myself, so like mentioned, if the fabric requirement has changed, this is something new as of 7.2. I can guarantee that for 7.0 and below, it had to be on the exact same code, even down to the minor rev, i.e. you could not even have 7.0.8 be in a fabric with 7.0.9.

Borussia

I just downgraded to 7.0.9 from 7.2.3 without any issues as we do not have much configured on site3 yet. And I can confirm that it works as expected now.

 

Thank you very much and have a nice day!

Cajuntank
Contributor II

Good call. 7.0.9 is a Mature release and so far for me has been rock solid. Glad I could help.
