Leveraging SAML to switch between Security Fabric FortiGates
In the FortiGate GUI banner, a dropdown menu is available that you can use to easily switch between all FortiGate devices that are connected to the Security Fabric.
- The dropdown menu is available on both the root and downstream FortiGates. Click an entry in the menu to navigate to that FortiGate's management IP/FQDN.
- The management IP/FQDN and port number can be customized on both the root and downstream FortiGates.
If no management IP/FQDN is configured, the IP address that the FortiGate uses to connect to the Security Fabric is shown as the management IP address and a warning is displayed, because administrators might not be able to reach that address from a web browser.
See Setting the IP/FQDN.
- In the root FortiGate GUI, you can use the Customize option to change the hostname, management IP/FQDN, and port number.
- On downstream FortiGates, the diagnose sys csf global command shows a summary of all of the connected FortiGates in the Security Fabric. See Viewing a summary of all connected FortiGates in a Security Fabric.
Switching between FortiGates in a Security Fabric
To switch between FortiGates in a Security Fabric:
- Log in to a FortiGate in a Security Fabric using SSO.
- In the banner, click the name of the FortiGate.
A dropdown menu opens, showing the root FortiGate as well as downstream FortiGates in the Security Fabric.
Hover the cursor over the name of a FortiGate to see a tooltip about that FortiGate.
- Click a FortiGate name to navigate to its management IP/FQDN. You are not prompted to authenticate again, because the SAML SSO session you logged in with is reused on the target FortiGate.
Setting the IP/FQDN
The management IP/FQDN and port can be configured on the root FortiGate and all of the downstream FortiGates.
To set the IP/FQDN in the GUI:
- Log in to a FortiGate in the Security Fabric.
- Go to Security Fabric > Settings.
- In the Management IP/FQDN field, select Specify, then enter the IP/FQDN in the text box.
- In the Management Port field, select Specify, then enter the port number in the text box.
- Click Apply.
If no management IP/FQDN is configured, the IP address that the FortiGate uses to connect to the Security Fabric is shown as the management IP address and a warning is displayed, because administrators might not be able to reach that address from a web browser.
To set the IP/FQDN in the CLI:
- On the root FortiGate, run the following commands:
config system csf
set status enable
set group-name "csf_script"
set management-ip "172.17.48.225"
set management-port 4431
......
end
- On each downstream FortiGate, run the following commands:
config system csf
set status enable
set upstream-ip 10.2.200.1
set management-ip "robot.csf"
set management-port 4432
end
Customizing a root FortiGate
To customize a root FortiGate:
- On the root FortiGate, click the dropdown menu in the banner and hover the cursor over the root FortiGate until the summary pane is shown.
- In the summary pane, click Customize.
- Edit the settings as required.
- Click OK.
Viewing a summary of all connected FortiGates in a Security Fabric
To view a summary of all connected FortiGates in a Security Fabric:
- On a downstream FortiGate, run the following command:
FGTB-1 # diagnose sys csf global
Current vision:
[
{
"path":"FG3H1E5818900718",
"mgmt_ip_str":"",
"mgmt_port":0,
"sync_mode":1,
"saml_role":"disable",
"admin_port":443,
"serial":"FG3H1E5818900718",
"host_name":"FGTA-1",
"firmware_version_major":6,
"firmware_version_minor":2,
"firmware_version_patch":0,
"firmware_version_build":923,
"subtree_members":[
{
"serial":"FG201ETK18902514"
},
{
"serial":"FGT81ETK18002246"
},
{
"serial":"FG101ETK18002187"
}
]
},
{
"path":"FG3H1E5818900718:FG201ETK18902514",
"mgmt_ip_str":"robot.csf",
"mgmt_port":4432,
"sync_mode":1,
"saml_role":"service-provider",
"admin_port":443,
"serial":"FG201ETK18902514",
"host_name":"FGTB-1",
"firmware_version_major":6,
"firmware_version_minor":2,
"firmware_version_patch":0,
"firmware_version_build":923,
"upstream_intf":"port2",
"upstream_serial":"FG3H1E5818900718",
"parent_serial":"FG3H1E5818900718",
"parent_hostname":"FGTA-1",
"upstream_status":"Authorized",
"upstream_ip":29884938,
"upstream_ip_str":"10.2.200.1",
"subtree_members":[
{
"serial":"FGT81ETK18002246"
},
{
"serial":"FG101ETK18002187"
}
],
"is_discovered":true,
"ip_str":"10.2.200.2",
"downstream_intf":"wan1",
"idx":1
},
{
"path":"FG3H1E5818900718:FG201ETK18902514:FGT81ETK18002246",
"mgmt_ip_str":"172.17.48.225",
"mgmt_port":4434,
"sync_mode":1,
"saml_role":"service-provider",
"admin_port":443,
"serial":"FGT81ETK18002246",
"host_name":"FGTD",
"firmware_version_major":6,
"firmware_version_minor":2,
"firmware_version_patch":0,
"firmware_version_build":923,
"upstream_intf":"vlan60",
"upstream_serial":"FG201ETK18902514",
"parent_serial":"FG201ETK18902514",
"parent_hostname":"FGTB-1",
"upstream_status":"Authorized",
"upstream_ip":33990848,
"upstream_ip_str":"192.168.6.2",
"subtree_members":[
],
"is_discovered":true,
"ip_str":"192.168.6.4",
"downstream_intf":"wan2",
"idx":2
},
{
"path":"FG3H1E5818900718:FG201ETK18902514:FG101ETK18002187",
"mgmt_ip_str":"",
"mgmt_port":0,
"sync_mode":1,
"saml_role":"disable",
"admin_port":443,
"serial":"FG101ETK18002187",
"host_name":"FGTC",
"firmware_version_major":6,
"firmware_version_minor":2,
"firmware_version_patch":0,
"firmware_version_build":923,
"upstream_intf":"vlan70",
"upstream_serial":"FG201ETK18902514",
"parent_serial":"FG201ETK18902514",
"parent_hostname":"FGTB-1",
"upstream_status":"Authorized",
"upstream_ip":34056384,
"upstream_ip_str":"192.168.7.2",
"subtree_members":[
],
"is_discovered":true,
"ip_str":"192.168.7.3",
"downstream_intf":"wan1",
"idx":3
}
]
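The diagnose output above is JSON after the "Current vision:" line, so it can be checked automatically instead of read by eye. The following is an added example, not Fortinet code and not part of the original page: it parses a copy of that output, confirms that each member's packed upstream_ip value really is the address in upstream_ip_str (in this output the 32-bit value carries the IPv4 bytes in little-endian order; 29884938 is 10.2.200.1), rebuilds the parent relationships from the colon-separated path field, and flags the two conditions that matter for the banner dropdown described in Setting the IP/FQDN and Switching between FortiGates: a member with no management IP/FQDN configured (the case the GUI warns about) and a member whose saml_role is reported as disable. The sample output is constructed from the values shown on this page, trimmed to two members; the function names and the finding codes are this example's own.

```python
"""Audit `diagnose sys csf global` output from a FortiGate Security Fabric.

Added example (not Fortinet's code).  Parses the JSON that follows the
"Current vision:" line, checks the packed upstream_ip against upstream_ip_str,
derives each member's parent from its path, and reports members that the
banner dropdown cannot reach cleanly (no management IP/FQDN, SAML disabled).
"""
import json
import socket
import struct

# Constructed sample: prompt and preamble plus a trimmed copy of the page's
# output (two of the four members, fields not needed here omitted).
SAMPLE_OUTPUT = """FGTB-1 # diagnose sys csf global
Current vision:
[
  {
    "path":"FG3H1E5818900718",
    "mgmt_ip_str":"",
    "mgmt_port":0,
    "saml_role":"disable",
    "admin_port":443,
    "serial":"FG3H1E5818900718",
    "host_name":"FGTA-1",
    "subtree_members":[{"serial":"FG201ETK18902514"}]
  },
  {
    "path":"FG3H1E5818900718:FG201ETK18902514",
    "mgmt_ip_str":"robot.csf",
    "mgmt_port":4432,
    "saml_role":"service-provider",
    "admin_port":443,
    "serial":"FG201ETK18902514",
    "host_name":"FGTB-1",
    "upstream_ip":29884938,
    "upstream_ip_str":"10.2.200.1",
    "ip_str":"10.2.200.2",
    "subtree_members":[]
  }
]
"""


def parse_csf_global(text):
    """Return the member list, skipping the CLI prompt and 'Current vision:'."""
    return json.loads(text[text.index("["):])


def packed_ip_to_str(value):
    """Decode upstream_ip: the IPv4 bytes packed little-endian into a 32-bit int
    (observed in this output; 29884938 -> 10.2.200.1)."""
    return socket.inet_ntoa(struct.pack("<I", value))


def management_url(member):
    """URL the banner dropdown would open.  Falls back to the fabric connection
    address (ip_str) when no management IP/FQDN is set, which is the case the
    GUI warns about; returns None when neither is known."""
    host = member.get("mgmt_ip_str") or member.get("ip_str")
    if not host:
        return None
    port = member.get("mgmt_port") or member.get("admin_port", 443)
    return f"https://{host}:{port}/"


def fabric_tree(members):
    """Map each serial to its parent serial (None for the root) using path."""
    tree = {}
    for m in members:
        parts = m["path"].split(":")
        tree[m["serial"]] = parts[-2] if len(parts) > 1 else None
    return tree


def audit_fabric(members):
    """Return (finding_code, serial, detail) tuples.  Finding codes are this
    example's own, not FortiOS terminology."""
    findings = []
    for m in members:
        serial = m["serial"]
        if not m.get("mgmt_ip_str"):
            findings.append(("no_mgmt_ip", serial,
                             "management IP/FQDN not set; dropdown falls back to "
                             + (m.get("ip_str") or "<unknown>")))
        if m.get("saml_role", "disable") == "disable":
            findings.append(("saml_disabled", serial,
                             "saml_role is 'disable'; verify SAML SSO before "
                             "relying on the dropdown for this member"))
        if "upstream_ip" in m:
            decoded = packed_ip_to_str(m["upstream_ip"])
            if decoded != m.get("upstream_ip_str"):
                findings.append(("upstream_ip_mismatch", serial,
                                 f"{decoded} != {m.get('upstream_ip_str')}"))
    return findings


if __name__ == "__main__":
    members = parse_csf_global(SAMPLE_OUTPUT)
    for serial, parent in fabric_tree(members).items():
        print(f"{serial} -> parent {parent}")
    for code, serial, detail in audit_fabric(members):
        print(f"{code:22} {serial}  {detail}")
```

Run against a full capture, the audit lists every member an administrator would be unable to open from the dropdown, and the parent map gives the same tree the GUI draws; on the page's own output, FGTA-1 and FGTC would be reported for both an empty management IP and a disabled SAML role.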