FortiGate, FortiSwitch, and FortiAP
To form the Security Fabric, you configure the root FortiGate and then the ISFW FortiGate devices. Although you can configure any of the FortiGate devices in the Security Fabric to be the root FortiGate, you typically configure the edge FortiGate as the root FortiGate. This setup allows you to view the full topology of the Security Fabric from the top down.
The following procedures include configuration steps for a typical Security Fabric implementation, where the root FortiGate is the edge FortiGate and the ISFW FortiGate devices are all FortiGate devices that are downstream from the root FortiGate.
Adding devices to the Security Fabric
You can easily and securely allow FortiGate, FortiAP and FortiSwitch to join the Security Fabric without sharing the password of the root FortiGate. You can authorize these device serial numbers from the root FortiGate or allow the device to join by request. New authorization requests include the serial number of the device, the device IP address, and a list of High Availability (HA) members.
HA members can contain up to four serial numbers and this list is used to ensure that, in the event of failover, the secondary FortiGate is still authorized.
After a FortiGate or FortiWiFi joins the Security Fabric, any connected FortiAP or FortiSwitch automatically appears in the topology. You can then authorize these additional devices from the FortiGate or FortiWiFi they're connected to or the root FortiGate.
Pre-authorizing the downstream FortiGate
When you add the serial number of a Fortinet device to the trusted list on the root FortiGate, the device can join the Security Fabric as soon as it connects. After you authorize the new FortiGate, additional connected FortiAP and FortiSwitch devices automatically appear in the topology tree. From the topology tree, it's easier for you to authorize them with one click.
To pre-authorize a FortiGate:
- Connect to the root FortiGate and go to Security Fabric > Settings.
- To enable FortiTelemetry on the interface that connects to the new downstream FortiGate, add the interface to the list of FortiTelemetry enabled interfaces.
- Beside Pre-authorized FortiGates, select Edit. Add a new FortiGate to the list, using the device's serial number.
- Connect to the FortiGate you're adding to the Security Fabric and set the following settings on the Security Fabric > Settings page:
  FortiGate Telemetry: Enable FortiGate Telemetry.
  Connect to upstream FortiGate: Enable Connect to upstream FortiGate.
  FortiGate IP: Enter the IP address of the root FortiGate or upstream FortiGate you're connecting to.
  Apply: Select Apply.
- Connect to the root FortiGate. Open the Security Fabric > Settings page and verify that the FortiGate that you added appears in the Security Fabric Topology.
Joining the Security Fabric by device request
Your device can request to join the Security Fabric from another FortiGate. However, you must have the group name and the IP address of the root FortiGate. The administrator of the root FortiGate in the Security Fabric must also authorize your device before it can join the Security Fabric.
The root FortiGate must already have FortiTelemetry enabled on the interface that the device is connecting to.
To enable FortiTelemetry on an interface, go to Network > Interfaces and edit the interface that connects to the FortiGate or FortiWiFi you are authorizing. Under Administrative Access, enable FortiTelemetry. For best practices, under Networked Devices, you can also enable Device Detection.
To join the Security Fabric by device request - GUI:
- Connect to the unauthorized FortiGate or FortiWiFi, and go to Security Fabric > Settings.
- From the Security Fabric Settings page, enable FortiGate Telemetry.
- To connect, enable Connect to upstream FortiGate.
- Set the FortiGate IP to the IP address of the upstream FortiGate.
- Connect to the upstream FortiGate and go to Security Fabric > Settings. The new FortiGate appears in the Topology as unauthorized.
- To authorize, click on the unauthorized FortiGate and select Authorize.
You can also allow other Fortinet devices to join the Security Fabric. You can authorize both FortiAP and FortiSwitch in the Security Fabric with one click. When you connect a FortiAP or FortiSwitch to an authorized FortiGate or FortiWiFi, the device automatically appears in the topology tree.
To authorize FortiAP and FortiSwitch devices
- The topology tree is in the Security Fabric Settings page and in the Security Fabric Status widget on the Dashboard page. From either widget, click on the grayed out device icon to authorize or deauthorize it. Authorized devices turn blue and unauthorized products disappear from the topology tree.
- Connect to the upstream FortiGate that the FortiAP or FortiSwitch is connected to.
Note: You can also deauthorize FortiMail from the topology tree; however, you must initially authorize FortiMail in the Security Fabric > Settings menu.
Deauthorizing a device
You can deauthorize a device to remove it from the topology tree widget in the Security Fabric Settings page and in the Security Fabric Dashboard.
To deauthorize a FortiGate or FortiWiFi from the root FortiGate - GUI:
- Connect to the root FortiGate.
- To deauthorize the serial number of a trusted FortiGate or FortiWiFi, enter the following CLI commands:
config system csf
edit <name>
config trusted-list
edit <serial-number>
set action deny
end
end
end
To leave the Security Fabric from a downstream FortiGate or FortiWiFi
- Connect to the FortiGate or FortiWiFi that you want to deauthorize, and go to Security Fabric > Settings.
- Disable FortiGate Telemetry.
- Apply your changes.
To deauthorize a FortiSwitch, FortiAP, or FortiMail - GUI:
- Connect to the upstream FortiGate and go to Security Fabric > Settings to see the topology. Alternatively, you can use the Security Fabric topology widget located in Dashboard > Main.
- Click on the device and select Deauthorize. This removes the device from the topology tree.
After deauthorization, the serial numbers of the rejected device are saved in a trusted list that's available only in the CLI. You can view the trusted list using the show system csf command. The following example shows how the deauthorized FortiSwitch (from the image above) appears in the trusted-list with the action set to deny.
Syntax
show system csf
config system csf
set status enable
set group-name "Office-Security-Fabric"
set group-password ENC 1Z2X345V678
config trusted-list
edit "FGT6HD391806070"
next
edit "S248DF3X17000482"
set action deny
next
end
end
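The trusted list above is the record that decides whether a device joins silently, is refused, or waits for an administrator, and the authorization requests described earlier carry the device serial plus up to four HA member serials. The following Python is an added example, not Fortinet code: it parses the show system csf output shown on this page (the group password is replaced by a placeholder) into a serial-to-action map, lists the denied serials for an audit, and models the join decision for a request with HA members. The parse_trusted_list, authorization_status and accept_request functions are hypothetical names, and the rule that an entry with no explicit action counts as accepted is an assumption drawn from the page's example, where the FortiGate entry has no action line while the deauthorized FortiSwitch has set action deny.

```python
import re
from typing import Dict, Iterable, List, Optional

# Constructed sample: the "show system csf" output from this page, with the
# ENC password value replaced by a placeholder.
SAMPLE_SHOW_SYSTEM_CSF = """\
config system csf
    set status enable
    set group-name "Office-Security-Fabric"
    set group-password ENC <redacted-placeholder>
    config trusted-list
        edit "FGT6HD391806070"
        next
        edit "S248DF3X17000482"
            set action deny
        next
    end
end
"""

# The page states that an HA member list holds at most four serial numbers.
MAX_HA_MEMBERS = 4


def parse_trusted_list(show_output: str) -> Dict[str, str]:
    """Return {serial: action} from the 'config trusted-list' block.

    Assumption (matches the page's example): an entry without a
    'set action' line is an accepted, trusted device.
    """
    trusted: Dict[str, str] = {}
    in_list = False
    current: Optional[str] = None
    for raw in show_output.splitlines():
        line = raw.strip()
        if line == "config trusted-list":
            in_list = True
            continue
        if not in_list:
            continue
        if line == "end":          # first 'end' closes the trusted-list block
            break
        m = re.match(r'edit "?([A-Za-z0-9-]+)"?$', line)
        if m:
            current = m.group(1)
            trusted[current] = "accept"   # default until a 'set action' overrides it
            continue
        m = re.match(r"set action (accept|deny)$", line)
        if m and current is not None:
            trusted[current] = m.group(1)
            continue
        if line == "next":
            current = None
    return trusted


def denied_serials(trusted: Dict[str, str]) -> List[str]:
    """Serials that were deauthorized (action deny), for an audit report."""
    return sorted(s for s, a in trusted.items() if a == "deny")


def authorization_status(trusted: Dict[str, str], serial: str,
                         ha_members: Iterable[str] = ()) -> str:
    """Classify a join request against the trusted list.

    This is a model of the page's description, not FortiOS code: an
    explicitly denied serial is refused, a request is authorized only when
    the device and every HA member are trusted (so a secondary that becomes
    primary after failover is covered), and anything else waits for an
    administrator.
    """
    members = list(ha_members)
    if len(members) > MAX_HA_MEMBERS:
        raise ValueError("HA member list may contain at most four serial numbers")
    actions = {s: trusted.get(s, "pending") for s in [serial, *members]}
    if "deny" in actions.values():
        return "denied"
    if all(a == "accept" for a in actions.values()):
        return "authorized"
    return "pending"


def accept_request(trusted: Dict[str, str], serial: str,
                   ha_members: Iterable[str] = ()) -> Dict[str, str]:
    """Return a copy of the trusted list with the device and its HA members accepted."""
    updated = dict(trusted)
    for s in [serial, *ha_members]:
        updated[s] = "accept"
    return updated


if __name__ == "__main__":
    tl = parse_trusted_list(SAMPLE_SHOW_SYSTEM_CSF)
    print("trusted list:", tl)
    print("denied:", denied_serials(tl))
    print("status of FGT6HD391806070 with an untrusted HA peer:",
          authorization_status(tl, "FGT6HD391806070", ["FGT-HA-PEER-PLACEHOLDER"]))
```

Running the parser against a saved show system csf capture is a quick way to confirm that a device you deauthorized in the GUI really is recorded with action deny, and the HA check shows why the request's member list matters: a primary that is trusted while its peer is not will stop being authorized after a failover.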
Add FortiAnalyzer to the root FortiGate of the Security Fabric
- In the root FortiGate GUI, select Security Fabric > Settings.
- In the Security Fabric Settings page, enable FortiGate Telemetry.
- FortiAnalyzer Logging is automatically enabled.
- In the IP address field, enter the IP address of the FortiAnalyzer that you want the Security Fabric to send logs to. If you select Test Connectivity, and this is the first time that you are connecting the FortiGate to the FortiAnalyzer, you will receive an error message because the FortiGate has not yet been authorized on the FortiAnalyzer. You can configure this authorization when you configure the FortiAnalyzer.
- In the Upload option field, select the option for how often you want the FortiGate to send logs to the FortiAnalyzer.
- If you want log transmissions encrypted, enable the Encrypt log transmission option. The log transmissions are encrypted using SSL.
- Select Apply.
Additional CLI commands
You can use the following diagnose commands to view pending authorization requests, accept or deny authorization requests, or troubleshoot the Security Fabric.
To view pending authorization requests on the root FortiGate - CLI:
diagnose sys csf authorization pending-list
To accept or deny authorization requests to join the Security Fabric - CLI:
diagnose sys csfd authorization {accept | deny} <serial-number-value>
where serial-number-value is the serial number of the device that has sent an authorization request to join the Security Fabric.
To view downstream device information - CLI:
diagnose sys csf downstream