Fortinet black logo

Cookbook

Leveraging SAML to switch between Security Fabric FortiGates

Copy Link
Copy Doc ID fed12558-14f5-11e9-b86b-00505692583a:700710
Download PDF

Leveraging SAML to switch between Security Fabric FortiGates

In the FortiGate GUI banner, a dropdown menu is available that you can use to easily switch between all FortiGate devices that are connected to the Security Fabric.

  • The dropdown menu is available in both the root and downstream FortiGates. You can click a link in the menu to navigate to any other FortiGate management IP/FQDN.

    See Switching between FortiGates in a Security Fabric.

  • The management IP/FQDN and port number settings can be customized in both the root and downstream FortiGates.
  • In both root and downstream FortiGates, you can set both the management IP/FQDN and port options.

    If the management IP/FQDN is not configured, the IP address that the FortiGate uses to connect to the Security Fabric is shown as the management IP address and a warning message is displayed, because administrators might be unable to access the IP address using a web browser.

    See Setting the IP/FQDN.

  • In the root FortiGate GUI, you can use the Customize option to change the hostname, management IP/FQDN, and port number.

    See Customizing a root FortiGate.

  • In downstream FortiGates, the diagnose sys csf global command shows a summary of all of the connected FortiGates in the Security Fabric.

    See Viewing a summary of all connected FortiGates in a Security Fabric.

Switching between FortiGates in a Security Fabric

To switch between FortiGates in a Security Fabric:
  1. Log in to a FortiGate in a Security Fabric using SSO.
  2. In the banner, click the name of the FortiGate.

    A dropdown menu opens, showing the root FortiGate as well as downstream FortiGates in the Security Fabric.

    Hover the cursor over the name of a FortiGate to see a tooltip about that FortiGate.

  3. Click on a FortiGate name to navigate to its management IP/FQDN without any further authentication.

Setting the IP/FQDN

The management IP/FQDN and port can be configured on the root FortiGate and all of the downstream FortiGates.

To set the IP/FQDN in the GUI:
  1. Log into a FortiGate in the Security Fabric.
  2. Go to Security Fabric > Settings.
  3. In the Management IP/FQDN field, select Specify, then enter the IP/FQDN in the text box.
  4. In the Management Port field, select Specify, then enter the port number in the text box.

  5. Click Apply.

If the management IP/FQDN is not configured, the IP address that the FortiGate uses to connect to the Security Fabric is shown as the management IP address and a warning message is displayed, because administrators might be unable to access the IP address using a web browser.

To set the IP/FQDN in the CLI:
  1. On the root FortiGate, run the following command:

    config system csf

    set status enable

    set group-name "csf_script"

    set management-ip "172.17.48.225"

    set management-port 4431

    ......

    end

  2. On the downstream FortiGates, run the following command:

    config system csf

    set status enable

    set upstream-ip 10.2.200.1

    set management-ip "robot.csf"

    set management-port 4432

    end

Customizing a root FortiGate

To customize a root FortiGate:
  1. On the root FortiGate, click the dropdown menu in the banner and hover the cursor over the root FortiGate until the summary pane is shown.
  2. In the summary pane, click Customize.

  3. Edit the settings as required.
  4. Click OK.

Viewing a summary of all connected FortiGates in a Security Fabric

To view a summary of all connected FortiGates in a Security Fabric:
  1. On a downstream FortiGate run the following command:

    FGTB-1 # diagnose sys csf global

    Current vision:

    [

    {

    "path":"FG3H1E5818900718",

    "mgmt_ip_str":"",

    "mgmt_port":0,

    "sync_mode":1,

    "saml_role":"disable",

    "admin_port":443,

    "serial":"FG3H1E5818900718",

    "host_name":"FGTA-1",

    "firmware_version_major":6,

    "firmware_version_minor":2,

    "firmware_version_patch":0,

    "firmware_version_build":923,

    "subtree_members":[

    {

    "serial":"FG201ETK18902514"

    },

    {

    "serial":"FGT81ETK18002246"

    },

    {

    "serial":"FG101ETK18002187"

    }

    ]

    },

    {

    "path":"FG3H1E5818900718:FG201ETK18902514",

    "mgmt_ip_str":"robot.csf",

    "mgmt_port":4432,

    "sync_mode":1,

    "saml_role":"service-provider",

    "admin_port":443,

    "serial":"FG201ETK18902514",

    "host_name":"FGTB-1",

    "firmware_version_major":6,

    "firmware_version_minor":2,

    "firmware_version_patch":0,

    "firmware_version_build":923,

    "upstream_intf":"port2",

    "upstream_serial":"FG3H1E5818900718",

    "parent_serial":"FG3H1E5818900718",

    "parent_hostname":"FGTA-1",

    "upstream_status":"Authorized",

    "upstream_ip":29884938,

    "upstream_ip_str":"10.2.200.1",

    "subtree_members":[

    {

    "serial":"FGT81ETK18002246"

    },

    {

    "serial":"FG101ETK18002187"

    }

    ],

    "is_discovered":true,

    "ip_str":"10.2.200.2",

    "downstream_intf":"wan1",

    "idx":1

    },

    {

    "path":"FG3H1E5818900718:FG201ETK18902514:FGT81ETK18002246",

    "mgmt_ip_str":"172.17.48.225",

    "mgmt_port":4434,

    "sync_mode":1,

    "saml_role":"service-provider",

    "admin_port":443,

    "serial":"FGT81ETK18002246",

    "host_name":"FGTD",

    "firmware_version_major":6,

    "firmware_version_minor":2,

    "firmware_version_patch":0,

    "firmware_version_build":923,

    "upstream_intf":"vlan60",

    "upstream_serial":"FG201ETK18902514",

    "parent_serial":"FG201ETK18902514",

    "parent_hostname":"FGTB-1",

    "upstream_status":"Authorized",

    "upstream_ip":33990848,

    "upstream_ip_str":"192.168.6.2",

    "subtree_members":[

    ],

    "is_discovered":true,

    "ip_str":"192.168.6.4",

    "downstream_intf":"wan2",

    "idx":2

    },

    {

    "path":"FG3H1E5818900718:FG201ETK18902514:FG101ETK18002187",

    "mgmt_ip_str":"",

    "mgmt_port":0,

    "sync_mode":1,

    "saml_role":"disable",

    "admin_port":443,

    "serial":"FG101ETK18002187",

    "host_name":"FGTC",

    "firmware_version_major":6,

    "firmware_version_minor":2,

    "firmware_version_patch":0,

    "firmware_version_build":923,

    "upstream_intf":"vlan70",

    "upstream_serial":"FG201ETK18902514",

    "parent_serial":"FG201ETK18902514",

    "parent_hostname":"FGTB-1",

    "upstream_status":"Authorized",

    "upstream_ip":34056384,

    "upstream_ip_str":"192.168.7.2",

    "subtree_members":[

    ],

    "is_discovered":true,

    "ip_str":"192.168.7.3",

    "downstream_intf":"wan1",

    "idx":3

    }

    ]

Leveraging SAML to switch between Security Fabric FortiGates

In the FortiGate GUI banner, a dropdown menu is available that you can use to easily switch between all FortiGate devices that are connected to the Security Fabric.

  • The dropdown menu is available in both the root and downstream FortiGates. You can click a link in the menu to navigate to any other FortiGate management IP/FQDN.

    See Switching between FortiGates in a Security Fabric.

  • The management IP/FQDN and port number settings can be customized in both the root and downstream FortiGates.
  • In both root and downstream FortiGates, you can set both the management IP/FQDN and port options.

    If the management IP/FQDN is not configured, the IP address that the FortiGate uses to connect to the Security Fabric is shown as the management IP address and a warning message is displayed, because administrators might be unable to access the IP address using a web browser.

    See Setting the IP/FQDN.

  • In the root FortiGate GUI, you can use the Customize option to change the hostname, management IP/FQDN, and port number.

    See Customizing a root FortiGate.

  • In downstream FortiGates, the diagnose sys csf global command shows a summary of all of the connected FortiGates in the Security Fabric.

    See Viewing a summary of all connected FortiGates in a Security Fabric.

Switching between FortiGates in a Security Fabric

To switch between FortiGates in a Security Fabric:
  1. Log in to a FortiGate in a Security Fabric using SSO.
  2. In the banner, click the name of the FortiGate.

    A dropdown menu opens, showing the root FortiGate as well as downstream FortiGates in the Security Fabric.

    Hover the cursor over the name of a FortiGate to see a tooltip about that FortiGate.

  3. Click on a FortiGate name to navigate to its management IP/FQDN without any further authentication.

Setting the IP/FQDN

The management IP/FQDN and port can be configured on the root FortiGate and all of the downstream FortiGates.

To set the IP/FQDN in the GUI:
  1. Log into a FortiGate in the Security Fabric.
  2. Go to Security Fabric > Settings.
  3. In the Management IP/FQDN field, select Specify, then enter the IP/FQDN in the text box.
  4. In the Management Port field, select Specify, then enter the port number in the text box.

  5. Click Apply.

If the management IP/FQDN is not configured, the IP address that the FortiGate uses to connect to the Security Fabric is shown as the management IP address and a warning message is displayed, because administrators might be unable to access the IP address using a web browser.

To set the IP/FQDN in the CLI:
  1. On the root FortiGate, run the following command:

    config system csf

    set status enable

    set group-name "csf_script"

    set management-ip "172.17.48.225"

    set management-port 4431

    ......

    end

  2. On the downstream FortiGates, run the following command:

    config system csf

    set status enable

    set upstream-ip 10.2.200.1

    set management-ip "robot.csf"

    set management-port 4432

    end

Customizing a root FortiGate

To customize a root FortiGate:
  1. On the root FortiGate, click the dropdown menu in the banner and hover the cursor over the root FortiGate until the summary pane is shown.
  2. In the summary pane, click Customize.

  3. Edit the settings as required.
  4. Click OK.

Viewing a summary of all connected FortiGates in a Security Fabric

To view a summary of all connected FortiGates in a Security Fabric:
  1. On a downstream FortiGate run the following command:

    FGTB-1 # diagnose sys csf global

    Current vision:

    [

    {

    "path":"FG3H1E5818900718",

    "mgmt_ip_str":"",

    "mgmt_port":0,

    "sync_mode":1,

    "saml_role":"disable",

    "admin_port":443,

    "serial":"FG3H1E5818900718",

    "host_name":"FGTA-1",

    "firmware_version_major":6,

    "firmware_version_minor":2,

    "firmware_version_patch":0,

    "firmware_version_build":923,

    "subtree_members":[

    {

    "serial":"FG201ETK18902514"

    },

    {

    "serial":"FGT81ETK18002246"

    },

    {

    "serial":"FG101ETK18002187"

    }

    ]

    },

    {

    "path":"FG3H1E5818900718:FG201ETK18902514",

    "mgmt_ip_str":"robot.csf",

    "mgmt_port":4432,

    "sync_mode":1,

    "saml_role":"service-provider",

    "admin_port":443,

    "serial":"FG201ETK18902514",

    "host_name":"FGTB-1",

    "firmware_version_major":6,

    "firmware_version_minor":2,

    "firmware_version_patch":0,

    "firmware_version_build":923,

    "upstream_intf":"port2",

    "upstream_serial":"FG3H1E5818900718",

    "parent_serial":"FG3H1E5818900718",

    "parent_hostname":"FGTA-1",

    "upstream_status":"Authorized",

    "upstream_ip":29884938,

    "upstream_ip_str":"10.2.200.1",

    "subtree_members":[

    {

    "serial":"FGT81ETK18002246"

    },

    {

    "serial":"FG101ETK18002187"

    }

    ],

    "is_discovered":true,

    "ip_str":"10.2.200.2",

    "downstream_intf":"wan1",

    "idx":1

    },

    {

    "path":"FG3H1E5818900718:FG201ETK18902514:FGT81ETK18002246",

    "mgmt_ip_str":"172.17.48.225",

    "mgmt_port":4434,

    "sync_mode":1,

    "saml_role":"service-provider",

    "admin_port":443,

    "serial":"FGT81ETK18002246",

    "host_name":"FGTD",

    "firmware_version_major":6,

    "firmware_version_minor":2,

    "firmware_version_patch":0,

    "firmware_version_build":923,

    "upstream_intf":"vlan60",

    "upstream_serial":"FG201ETK18902514",

    "parent_serial":"FG201ETK18902514",

    "parent_hostname":"FGTB-1",

    "upstream_status":"Authorized",

    "upstream_ip":33990848,

    "upstream_ip_str":"192.168.6.2",

    "subtree_members":[

    ],

    "is_discovered":true,

    "ip_str":"192.168.6.4",

    "downstream_intf":"wan2",

    "idx":2

    },

    {

    "path":"FG3H1E5818900718:FG201ETK18902514:FG101ETK18002187",

    "mgmt_ip_str":"",

    "mgmt_port":0,

    "sync_mode":1,

    "saml_role":"disable",

    "admin_port":443,

    "serial":"FG101ETK18002187",

    "host_name":"FGTC",

    "firmware_version_major":6,

    "firmware_version_minor":2,

    "firmware_version_patch":0,

    "firmware_version_build":923,

    "upstream_intf":"vlan70",

    "upstream_serial":"FG201ETK18902514",

    "parent_serial":"FG201ETK18902514",

    "parent_hostname":"FGTB-1",

    "upstream_status":"Authorized",

    "upstream_ip":34056384,

    "upstream_ip_str":"192.168.7.2",

    "subtree_members":[

    ],

    "is_discovered":true,

    "ip_str":"192.168.7.3",

    "downstream_intf":"wan1",

    "idx":3

    }

    ]