CLI Reference

system csf

This command is used to configure the Fortinet Security Fabric (previously known as Cooperative Security Fabric).

History

The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.

Command Description

set logging-mode {default | local}

This option has been removed and replaced with configuration-sync (see the table entry below).

set configuration-sync {default | local}

New configuration sync mode to replace logging-mode.

Set to default to synchronize configuration for FortiAnalyzer, FortiSandbox, and Central Management to root node. Set to local to not synchronize configuration with the root node.

set fixed-key <password>

Auto-generated fixed key used when this device is the root. This will be automatically generated if not set.

config trusted-list
    edit <id>
        set action {accept | deny}
        set ha-members <string>
        set downstream-authorization {enable | disable}
    next
    ...

Configure pre-authorized and blocked security fabric nodes.

Note that this configuration method is only available when status is set to enable.

config fabric-device
    edit <name>
        set device-ip <ipv4-addr>
        set device-type {fortimail}
        set login <name>
        set password <password>
    next
    ...

Configure fabric device settings.

config system csf
    set status {enable | disable}   Enable/disable Security Fabric.
    set upstream-ip {ipv4 address}   IP address of the FortiGate upstream from this FortiGate in the Security Fabric.
    set upstream-port {integer}   The port number to use to communicate with the FortiGate upstream from this FortiGate in the Security Fabric (default = 8013). range[1-65535]
    set group-name {string}   Security Fabric group name. All FortiGates in a Security Fabric must have the same group name. size[35]
    set group-password {password_string}   Security Fabric group password. All FortiGates in a Security Fabric must have the same group password. size[128]
    set configuration-sync {default | local}   Configuration sync mode.
            default  Synchronize configuration for FortiAnalyzer, FortiSandbox and Central Management to root node.
            local    Do not synchronize configuration with root node.
    set management-ip {ipv4 address}   Management IP address of this FortiGate. Used to log into this FortiGate from another FortiGate in the Security Fabric.
    set management-port {integer}   Overriding port for management connection (Overrides admin port). range[0-65535]
    set fixed-key {password_string}   Auto-generated fixed key used when this device is the root. (Will automatically be generated if not set.) size[128]
    config trusted-list
        edit {serial}
        # Pre-authorized and blocked security fabric nodes.
            set serial {string}   Serial. size[19]
            set action {accept | deny}   Security fabric authorization action.
                    accept  Accept authorization request.
                    deny    Deny authorization request.
            set ha-members {string}   HA members. size[19]
            set downstream-authorization {enable | disable}   Trust authorizations by this node's administrator.
        next
    end
    config fabric-device
        edit {name}
        # Fabric device configuration.
            set name {string}   Device name. size[35]
            set device-ip {ipv4 address}   Device IP.
            set device-type {fortimail}   Device type.
                    fortimail  FortiMail device.
            set login {string}   Device login name. size[64]
            set password {password_string}   Device login password. size[128]
        next
    end
end

status {enable | disable}

Enable or disable the security fabric. The default is disable.

upstream-ip <ip-address>

The IP address of the upstream FortiGate.

upstream-port <port-number>

The port used by the upstream FortiGate for communication within the security fabric. The default is 8013.

group-name <name>

The name of the security fabric.

group-password <password>

The password for the security fabric.

management-ip <ip-address>

The management IP address of this FortiGate.
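
The following is an added example, not Fortinet code: a small Python check that reads a `config system csf` block from a configuration backup and reports settings that break the ranges documented above or that merit review. The sample configuration, the placeholder serial, and the rule that flags accepted nodes with `downstream-authorization enable` are assumptions made for illustration.

```python
import shlex

# Port ranges copied from the syntax listing on this page.
PORTS = {"upstream-port": (1, 65535), "management-port": (0, 65535)}

def parse_csf(text):
    """Return (top-level settings, {table name: {entry id: settings}})."""
    top, tables, table, entry = {}, {}, None, None
    for line in text.splitlines():
        kw, *args = shlex.split(line) or [""]
        if kw == "config" and args and args != ["system", "csf"]:
            table, entry = tables.setdefault(args[0], {}), None
        elif kw == "edit" and args and table is not None:
            entry = table.setdefault(args[0], {})
        elif kw in ("next", "end"):  # "end" also closes the open table
            table, entry = (None if kw == "end" else table), None
        elif kw == "set" and len(args) > 1:
            (top if entry is None else entry)[args[0]] = " ".join(args[1:])
    return top, tables

def audit(text):
    """List settings that break a documented constraint or merit review."""
    top, tables = parse_csf(text)
    trusted, out = tables.get("trusted-list", {}), []
    for key, (lo, hi) in PORTS.items():
        val = top.get(key)
        if val is not None and not (val.isdigit() and lo <= int(val) <= hi):
            out.append(f"{key} {val} is outside the documented range {lo}-{hi}")
    # The page notes that trusted-list is only available when status is enable.
    if trusted and top.get("status", "disable") != "enable":
        out.append("trusted-list has entries but status is not enable")
    # Review rule assumed here: flag accepted nodes that may authorize others.
    for serial, e in trusted.items():
        if e.get("action") == "accept" and e.get("downstream-authorization") == "enable":
            out.append(f"trusted-list {serial}: accepted node may authorize further nodes")
    return out

# Constructed sample in the layout of a config backup; the serial is a placeholder.
SAMPLE = """
config system csf
    set status disable
    set upstream-port 80130
    config trusted-list
        edit "FGTEXAMPLE000001"
            set action accept
            set downstream-authorization enable
        next
    end
end"""
```

Calling `audit(SAMPLE)` returns one finding per problem in the constructed sample; a block with `status enable`, a port inside the documented range and no delegated authorization returns an empty list.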
