- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: Security Fabric gone after upgrade 7.0.14 -> 7...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Security Fabric gone after upgrade 7.0.14 -> 7.2.8
Hi,
First post!
I have a HA cluster which I used as a Fabric Root with FortiOS 7.0.14 along with a downstream Fortigate also on 7.0.14. The security fabric was set over a IPsec VPN. After upgrading both the root and the downstream to 7.2.8 I lost connection with the downstream. The VPN interface seems to be down. Any idea what had changed from 7.0.14 to 7.2.8 in order as regards a security fabric over a VPN?
Thank you in advance.
Labels:
- Labels:
-
FortiGate
5 REPLIES 5
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You didn't mention which FortiGate models you're using, but I'm going to guess your Security Fabric Root HA cluster are a couple of FortiGate 40F, 60E, 60F, 80E or 90E models and you missed this section of the FortiOS 7.2.8 release notes:
FortiGate models with 2 GB RAM cannot be a Security Fabric root | FortiGate / FortiOS 7.2.8 | Fortin...
It's been this way since FortiOS 7.2.6.
Note that Fortinet has relaxed this new restriction slightly in FortiOS 7.4.2+, allowing 2GB models to be Fabric Roots again, but only for up to 5 downstream devices.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for your answer. I did indeed not provide much information. I was in a hurry. I'm sorry.
It is a HA cluster of 2 200F's with a downstream 40F (3G/4G). The tunnel I used to join the downstream firewall went down after the upgrade. When I look up in the CLI I see there is no security fabric, although on the GUI I do see my old fabric.
diag sys csf downstream -> gives nothing back
I am guessing that I have to setup SD-WAN differently but I don't seem to find any references as to what exactly has changed from 7.0 to 7.2 regarding to this issue. Do I have to enable the Fabric Overlay Orchestrator?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @0xNat,
I guess your issue is IPsec tunnel not coming up after upgrading. Please refer to this article to collect ike debugs: https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-IPSEC-Tunnel-debugging-IKE/ta-p/1900...
Regards,
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you @hbac
The IPsec going down looks like a consequence of upgrading. I have troubleshooted the tunnel but I only see traffic going out from the root fabric to the downstream firewall. I don't get any response. My guess is that it has something to do with how 7.2.x handles SD-WAN because it worked perfectly before upgrading. The Fabric Overlay Orchestrator didn't exist on 7.0.x though.
My other problem is that I can't access physically the downstream firewall right now so I am trying to guess how I have to configure things before getting to it (somewhere next week).
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm planning to rebuild the security fabric next week following this technical tip: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configure-IPsec-VPN-with-SD-WAN/ta-p/20984...
I will post my results.
Related Posts
- Fortinet cloud logs suddenly not showing... 156 Views
- Traffic logging FortiAnalyzer with Security Fabric 147 Views
- IPAM feature 158 Views
- Fortigate send UDP 8014 packets on... 539 Views
- How to upgrade WAN bandwidth 261 Views
Labels
-
FortiGate
6,774 -
FortiClient
1,345 -
5.2
801 -
5.4
639 -
FortiManager
582 -
FortiAnalyzer
426 -
6.0
416 -
5.6
362 -
FortiAP
348 -
FortiSwitch
347 -
FortiClient EMS
274 -
FortiMail
265 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
163 -
6.4
128 -
FortiNAC
113 -
FortiGuard
108 -
FortiSIEM
91 -
FortiGateCloud
88 -
IPsec
87 -
FortiCloud Products
85 -
FortiToken
73 -
SSL-VPN
70 -
Customer Service
70 -
4.0MR3
64 -
Wireless Controller
62 -
FortiProxy
47 -
FortiADC
44 -
FortiEDR
41 -
Fortivoice
41 -
FortiExtender
34 -
FortiGate v5.4
34 -
FortiDNS
34 -
SD-WAN
34 -
FortiSandbox
33 -
FortiSwitch v6.4
30 -
Firewall policy
30 -
FortiAuthenticator
24 -
High Availability
24 -
FortiConnect
24 -
VLAN
23 -
FortiWAN
22 -
FortiConverter
21 -
ZTNA
20 -
FortiPortal
18 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
Certificate
16 -
SAML
15 -
DNS
15 -
FortiMonitor
14 -
BGP
14 -
Interface
14 -
Logging
14 -
FortiGate v5.0
13 -
LDAP
13 -
FortiDDoS
13 -
Routing
12 -
FortiCASB
12 -
VDOM
12 -
fortilink
11 -
RADIUS
10 -
Authentication
10 -
Virtual IP
10 -
FortiRecorder
10 -
FortiWeb v5.0
9 -
SSL SSH inspection
9 -
Traffic shaping
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
SSID
8 -
Fortigate Cloud
8 -
SSO
8 -
Application control
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
IP address management - IPAM
7 -
Security profile
6 -
FortiBridge
6 -
SNMP
6 -
Web application firewall profile
6 -
Web profile
6 -
Proxy policy
5 -
Traffic shaping policy
5 -
FortiAP profile
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
IPS signature
4 -
Packet capture
4 -
Antivirus profile
4 -
Automation
4 -
WAN optimization
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Port policy
4 -
FortiToken Cloud
3 -
DoS policy
3 -
Email filter profile
3 -
Web rating
3 -
Intrusion prevention
3 -
FortiDB
3 -
trunk
3 -
FortiDeceptor
2 -
System settings
2 -
FortiInsight
2 -
NAC policy
2 -
Fortinet Engage Partner Program
2 -
Users
2 -
Traffic shaping profile
2 -
FortiPAM
2 -
VoIP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Protocol option
2 -
4.0MR1
1 -
TACACS
1 -
Replacement messages
1 -
Subscription Renewal Policy
1 -
Schedule
1 -
FortiCWP
1 -
FortiNDR
1 -
SDN connector
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
Fabric connector
1 -
Multicast routing
1 -
Explicit proxy
1 -
Zone
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.