FortiGate-7000F Handbook

FortiGate-7000F and the Security Fabric

The FortiGate-7000F supports the Fortinet Security Fabric and all Security Fabric related features. You can set up the FortiGate-7000F to serve as the Security Fabric root, or you can configure it to join an existing Security Fabric. For more information, see Fortinet Security Fabric.

The FortiGate-7000F uses the Fortinet Security Fabric for communication and synchronization between the management board and the FPCs and for normal GUI operation. By default, the Security Fabric is enabled and must remain enabled for normal operation.

When adding a FortiGate-7000F to an existing Security Fabric, you must authorize the FortiGate-7000F and all of the FIMs and FPMs on the root FortiGate for normal operation. Otherwise, the primary FIM will not be able to communicate with the other FIM and the FPMs.

You must also manually add a FortiAnalyzer to the FortiGate-7000F configuration. The default FortiGate-7000F Security Fabric configuration has configuration-sync set to local, so the FortiGate-7000F does not get Security Fabric configuration settings, such as the FortiAnalyzer configuration, from the root FortiGate.

If the FortiGate-7000F is not joining a Security Fabric, Fortinet recommends that you do not change the Security Fabric configuration. You can verify the default Security Fabric configuration from the CLI:

config system csf
    set status enable
    set upstream 0.0.0.0
    set upstream-port 8013
    set group-name "SLBC"
    set group-password <password>
    set accept-auth-by-cert enable
    set log-unification disable
    set authorization-request-type serial
    set fabric-workers 2
    set downstream-access disable
    set configuration-sync local
    set fabric-object-unification default
    set forticloud-account-enforcement enable
end
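
One way to automate the check above, as an added example that is not Fortinet's code: the Python below parses a pasted `config system csf` block and reports every option that differs from the defaults this page lists. It assumes the text is a single top-level block as printed by the CLI (for example by `show full-configuration system csf`); `parse_csf`, `drift` and the sample input are hypothetical names and constructed data.

```python
import shlex

# The default block as this page lists it.
PAGE_BLOCK = """
config system csf
    set status enable
    set upstream 0.0.0.0
    set upstream-port 8013
    set group-name "SLBC"
    set group-password <password>
    set accept-auth-by-cert enable
    set log-unification disable
    set authorization-request-type serial
    set fabric-workers 2
    set downstream-access disable
    set configuration-sync local
    set fabric-object-unification default
    set forticloud-account-enforcement enable
end
"""

def parse_csf(text):
    """Return top-level 'set' options of 'config system csf'; nested tables are ignored."""
    opts, depth, in_csf = {}, 0, False
    for line in text.splitlines():
        tok = shlex.split(line) or [""]      # blank lines match nothing below
        if tok[0] == "config":
            in_csf = in_csf or (depth == 0 and tok[1:] == ["system", "csf"])
            depth += 1
        elif tok[0] == "end":
            depth -= 1
            in_csf = in_csf and depth > 0
        elif tok[0] == "set" and in_csf and depth == 1 and len(tok) > 2:
            opts[tok[1]] = " ".join(tok[2:])
    return opts

def drift(device_text):
    """Map option -> (page default, device value or None); the group password is skipped."""
    want, have = parse_csf(PAGE_BLOCK), parse_csf(device_text)
    return {k: (v, have.get(k)) for k, v in want.items()
            if k != "group-password" and have.get(k) != v}

# Constructed sample: the page's block with two options changed.
SAMPLE = (PAGE_BLOCK.replace("configuration-sync local", "configuration-sync default")
                    .replace("downstream-access disable", "downstream-access enable"))

if __name__ == "__main__":
    for opt, (want, have) in drift(SAMPLE).items():
        print(f"{opt}: page default {want!r}, device has {have!r}")
```

An empty result means the device still matches the listed defaults. A changed `status` or `configuration-sync` value deserves attention first, since the page ties both to normal operation and to the manual FortiAnalyzer step.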
