To establish a functional Security Fabric, specific network and configuration prerequisites must be met to ensure nodes can communicate, authorize, and share telemetry data:
A. You must ensure that TCP port 8013 is not blocked along the way:
TCP port 8013 is the dedicated port for FortiTelemetry (Fabric) communication. If firewalls (intermediate or local) block this port, the Fabric connection between the root and downstream FortiGates will fail.
D. You must authorize the downstream FortiGate on the root FortiGate:
Security Fabric relies on a trust relationship. When a downstream device attempts to join, it appears in the Root FortiGate's dashboard. The administrator must manually authorize this device (unless pre-authorized via serial number) to allow it to join the Fabric topology.
E. You must enable FortiTelemetry on the receiving interface of the upstream FortiGate:
The interface on the Root (upstream) FortiGate that faces the downstream devices must have the "Security Fabric Connection" (formerly CAPWAP/FortiTelemetry) administrative access setting enabled. Without this, the interface will not listen for or accept Fabric connection requests.
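The three prerequisites above, sketched as FortiOS CLI. This is an added example, not taken from the study guide; the syntax is assumed to match FortiOS 7.x and should be checked against your release, and the interface name `port3`, the group name, the entry name, the address `192.0.2.1` and the serial number are placeholders.

```fortios
# --- Root (upstream) FortiGate ---

# Prerequisite E: accept Fabric connections on the interface facing downstream.
config system interface
    edit "port3"
        # 'append' keeps the access methods already set on the interface;
        # 'set allowaccess ...' would replace the whole list.
        append allowaccess fabric
    next
end

# Prerequisite D: pre-authorize the downstream unit by serial number
# (the alternative is authorizing it manually when it appears on the root).
config system csf
    set status enable
    set group-name "example-fabric"
    config trusted-list
        edit "downstream-1"
            set authorization-type serial
            set serial "FGT-SERIAL-PLACEHOLDER"
            set action accept
        next
    end
end

# --- Downstream FortiGate ---

# Prerequisite A: the downstream unit connects to the root on TCP 8013,
# so every firewall on the path must allow that port.
config system csf
    set status enable
    set upstream "192.0.2.1"
    set upstream-port 8013
end

# Check on the root that the connection attempts arrive:
#   diagnose sniffer packet any 'tcp port 8013' 4
```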
Why other options are incorrect:
B: Neighbor Discovery uses standard multicast/broadcast or static settings; changing the port is not a standard requirement.
C: FortiGates can participate in the Security Fabric in either NAT or Transparent mode; Transparent mode is not a mandatory requirement for the Fabric itself.
Reference: FortiGate Security 7.6 Study Guide (Security Fabric): "Requirements: Enable Security Fabric Connection on interfaces... Authorize downstream devices... Ensure TCP 8013 is allowed."