Security Fabric Flashcards
(13 cards)
Fabric Communications
FortiTelemetry - Uses TCP port 8013. The connection is always established by the downstream FortiGate. Must be manually enabled on a FGT interface under Administrative Access
Neighbor Discovery - Uses UDP port 8014. Sends broadcast messages every 60 seconds. Responsible for security logging behavior
Common Potential Issues with Fabric communication
Administrative access is disabled on upstream FGT
FortiOS firmware mismatch
Device has not been authorized yet on root FGT
Wrong IP address configured for root FGT
FortiGate is not in NAT mode
TCP port 8013 is blocked
UDP port 8014 is blocked
Recommended: run a sniffer on those ports for details on the unsuccessful connection
Command to check for pending authorizations
diagnose sys csf authorization pending-list
Can also check on the GUI under System > Firmware & Registration
Command to check communication between two or more Security Fabric devices
diagnose test application csfd 1
Shows downstream and upstream info. So if it is run on the root FGT, nothing will be shown for upstream
Can also run commands to check upstream or downstream specifically:
diagnose sys csf upstream | downstream
Command to show a summary of all connected devices in a Security Fabric
diagnose sys csf global
The daemon responsible for anything related to the Security Fabric
csfd
Real-time application debug command:
diagnose debug application csfd -1
Output shows serial number of downstream device as well as IP and connecting TCP port
High CPU usage by csfd
Can use the application debug command as well as these commands:
diagnose sys process dump (csfd pid)
diagnose sys process pstack (csfd pid)
diagnose sys process trace (csfd pid)
Can get the csfd PID by running the sys top command
High memory usage by csfd
Use the diagnose test application commands. Note that since this is not a real-time debug command, it will not impact FGT performance.
diagnose test application csfd (number):
1 - show stats
4 - start diagnostics collection
7 - print diagnostics stats
15 - show query cache status
45 - show worker process information
60 - show MAC cache status
150 - dump registered elements
195 - List of open sockets
212 - List unconfirmed outgoing msgs
225 - Dump table counts
Testing Automation Stitch
diagnose automation test (stitch name) (log)
This will manually test the stitch and output the result. If the output states it failed, the wrong stitch name may have been used or the stitch was unable to perform one or more actions
Real Time Debug command for Automation Stitches
diagnose debug application autod -1
Log Dump command for Automation Stitches
diagnose test application autod 1
Toggles the setting, so run the same command again to disable.
Useful to free up log space or save logs to a file
Command to view automation stitch settings
diagnose test application autod 2
Command to view automation stitch statistics. Also a command to see running or previously run stitches
diagnose test application autod 3
diagnose test application autod 5