Fortinet Document Library

Version:


Table of Contents

New Features

6.2.0
Download PDF
Copy Link

Leverage SAML to switch between Security Fabric FortiGates  6.2.1

In the FortiGate GUI header, a dropdown menu is available for all FortiGates that are participating in the Security Fabric. You can use the dropdown menu to easily switch between all devices connected to the Security Fabric. Each item in the dropdown menu represents a FortiGate in the Security Fabric.

Following is a summary of the new feature:

Switching between FortiGates in a Security Fabric using the GUI

To switch between FortiGates in a Security Fabric:
  1. Log in to a FortiGate in a Security Fabric by using SSO.
  2. In the banner, click the name of the FortiGate.

    A dropdown menu is displayed. The dropdown menu displays the root FortiGate as well as the downstream FortiGates in the Security Fabric.

  3. Hover over the name of a FortiGate.

    A tooltip about the FortiGate is displayed.

    Following is an example of the tooltip for a downstream FortiGate:

    Following is an example of the tooltip for another downstream FortiGate:

  4. Click a FortiGate to navigate to its management IP/FQDN without further authentication.

Setting the IP/FQDN using the GUI

To set the IP/FQDN using the GUI:
  1. Log into the root FortiGate, and go to Security Fabric > Settings.

    Beside Security Fabric role, Serve as Fabric Root is selected.

  2. Specify the management IP or FQDN:
    1. Beside Management IP/FQDN, click Specify.

      A box is displayed.

    2. In the box, type the management IP or FQDN.
    3. Beside Management Port, click Specify.

      A box is displayed.

    4. In the box, type the port number, and click Apply.
  3. On a downstream FortiGate, go to Security Fabric > Settings.

    Beside Security Fabric role, Join Existing Fabric is selected.

  4. Specify the management IP or FQDN:
    1. Beside Management IP/FQDN, click Specify.

      A box is displayed.

    2. In the box, type the management IP or FQDN.
    3. Beside Management Port, click Specify.

      A box is displayed.

    4. In the box, type the port number, and click Apply.

    If management IP/FQDN is not set on a FortiGate, the IP that it uses to connect to the Security Fabric is displayed as management IP, and a warning is displayed because administrators might be unable to access the IP by using a browser.

Setting the IP/FQDN using the CLI

To set the IP/FQDN using the CLI:
  1. On the root FortiGate, run the follow commands:

    config system csf

    set status enable

    set group-name "csf_script"

    set management-ip "172.17.48.225"

    set management-port 4431

    ......

    end

    config system csf

    set status enable

    set upstream-ip 10.2.200.1

    set management-ip "robot.csf"

    set management-port 4432

    end

Customizing a root FortiGate using the GUI

To customize a root FortiGate using the GUI:
  1. On a root FortiGate, click the dropdown menu in the banner, and hover over the root FortiGate.

    A summary pane is displayed.

  2. In the summary pane, click Customize.

    A Customize pane is displayed.

  3. Edit the settings, and click OK.

Viewing a summary of all connected FortiGates in a Security Fabric using the CLI

To view a summary of all connected FortiGates in a Security Fabric using the CLI:
  1. Go to a downstream FortiGate in the Security Fabric, and run the following command:

    FGTB-1 # diagnose sys csf global

    Current vision:

    [

    {

    "path":"FG3H1E5818900718",

    "mgmt_ip_str":"",

    "mgmt_port":0,

    "sync_mode":1,

    "saml_role":"disable",

    "admin_port":443,

    "serial":"FG3H1E5818900718",

    "host_name":"FGTA-1",

    "firmware_version_major":6,

    "firmware_version_minor":2,

    "firmware_version_patch":0,

    "firmware_version_build":923,

    "subtree_members":[

    {

    "serial":"FG201ETK18902514"

    },

    {

    "serial":"FGT81ETK18002246"

    },

    {

    "serial":"FG101ETK18002187"

    }

    ]

    },

    {

    "path":"FG3H1E5818900718:FG201ETK18902514",

    "mgmt_ip_str":"robot.csf",

    "mgmt_port":4432,

    "sync_mode":1,

    "saml_role":"service-provider",

    "admin_port":443,

    "serial":"FG201ETK18902514",

    "host_name":"FGTB-1",

    "firmware_version_major":6,

    "firmware_version_minor":2,

    "firmware_version_patch":0,

    "firmware_version_build":923,

    "upstream_intf":"port2",

    "upstream_serial":"FG3H1E5818900718",

    "parent_serial":"FG3H1E5818900718",

    "parent_hostname":"FGTA-1",

    "upstream_status":"Authorized",

    "upstream_ip":29884938,

    "upstream_ip_str":"10.2.200.1",

    "subtree_members":[

    {

    "serial":"FGT81ETK18002246"

    },

    {

    "serial":"FG101ETK18002187"

    }

    ],

    "is_discovered":true,

    "ip_str":"10.2.200.2",

    "downstream_intf":"wan1",

    "idx":1

    },

    {

    "path":"FG3H1E5818900718:FG201ETK18902514:FGT81ETK18002246",

    "mgmt_ip_str":"172.17.48.225",

    "mgmt_port":4434,

    "sync_mode":1,

    "saml_role":"service-provider",

    "admin_port":443,

    "serial":"FGT81ETK18002246",

    "host_name":"FGTD",

    "firmware_version_major":6,

    "firmware_version_minor":2,

    "firmware_version_patch":0,

    "firmware_version_build":923,

    "upstream_intf":"vlan60",

    "upstream_serial":"FG201ETK18902514",

    "parent_serial":"FG201ETK18902514",

    "parent_hostname":"FGTB-1",

    "upstream_status":"Authorized",

    "upstream_ip":33990848,

    "upstream_ip_str":"192.168.6.2",

    "subtree_members":[

    ],

    "is_discovered":true,

    "ip_str":"192.168.6.4",

    "downstream_intf":"wan2",

    "idx":2

    },

    {

    "path":"FG3H1E5818900718:FG201ETK18902514:FG101ETK18002187",

    "mgmt_ip_str":"",

    "mgmt_port":0,

    "sync_mode":1,

    "saml_role":"disable",

    "admin_port":443,

    "serial":"FG101ETK18002187",

    "host_name":"FGTC",

    "firmware_version_major":6,

    "firmware_version_minor":2,

    "firmware_version_patch":0,

    "firmware_version_build":923,

    "upstream_intf":"vlan70",

    "upstream_serial":"FG201ETK18902514",

    "parent_serial":"FG201ETK18902514",

    "parent_hostname":"FGTB-1",

    "upstream_status":"Authorized",

    "upstream_ip":34056384,

    "upstream_ip_str":"192.168.7.2",

    "subtree_members":[

    ],

    "is_discovered":true,

    "ip_str":"192.168.7.3",

    "downstream_intf":"wan1",

    "idx":3

    }

    ]

Leverage SAML to switch between Security Fabric FortiGates  6.2.1

In the FortiGate GUI header, a dropdown menu is available for all FortiGates that are participating in the Security Fabric. You can use the dropdown menu to easily switch between all devices connected to the Security Fabric. Each item in the dropdown menu represents a FortiGate in the Security Fabric.

Following is a summary of the new feature:

Switching between FortiGates in a Security Fabric using the GUI

To switch between FortiGates in a Security Fabric:
  1. Log in to a FortiGate in a Security Fabric by using SSO.
  2. In the banner, click the name of the FortiGate.

    A dropdown menu is displayed. The dropdown menu displays the root FortiGate as well as the downstream FortiGates in the Security Fabric.

  3. Hover over the name of a FortiGate.

    A tooltip about the FortiGate is displayed.

    Following is an example of the tooltip for a downstream FortiGate:

    Following is an example of the tooltip for another downstream FortiGate:

  4. Click a FortiGate to navigate to its management IP/FQDN without further authentication.

Setting the IP/FQDN using the GUI

To set the IP/FQDN using the GUI:
  1. Log into the root FortiGate, and go to Security Fabric > Settings.

    Beside Security Fabric role, Serve as Fabric Root is selected.

  2. Specify the management IP or FQDN:
    1. Beside Management IP/FQDN, click Specify.

      A box is displayed.

    2. In the box, type the management IP or FQDN.
    3. Beside Management Port, click Specify.

      A box is displayed.

    4. In the box, type the port number, and click Apply.
  3. On a downstream FortiGate, go to Security Fabric > Settings.

    Beside Security Fabric role, Join Existing Fabric is selected.

  4. Specify the management IP or FQDN:
    1. Beside Management IP/FQDN, click Specify.

      A box is displayed.

    2. In the box, type the management IP or FQDN.
    3. Beside Management Port, click Specify.

      A box is displayed.

    4. In the box, type the port number, and click Apply.

    If management IP/FQDN is not set on a FortiGate, the IP that it uses to connect to the Security Fabric is displayed as management IP, and a warning is displayed because administrators might be unable to access the IP by using a browser.

Setting the IP/FQDN using the CLI

To set the IP/FQDN using the CLI:
  1. On the root FortiGate, run the follow commands:

    config system csf

    set status enable

    set group-name "csf_script"

    set management-ip "172.17.48.225"

    set management-port 4431

    ......

    end

    config system csf

    set status enable

    set upstream-ip 10.2.200.1

    set management-ip "robot.csf"

    set management-port 4432

    end

Customizing a root FortiGate using the GUI

To customize a root FortiGate using the GUI:
  1. On a root FortiGate, click the dropdown menu in the banner, and hover over the root FortiGate.

    A summary pane is displayed.

  2. In the summary pane, click Customize.

    A Customize pane is displayed.

  3. Edit the settings, and click OK.

Viewing a summary of all connected FortiGates in a Security Fabric using the CLI

To view a summary of all connected FortiGates in a Security Fabric using the CLI:
  1. Go to a downstream FortiGate in the Security Fabric, and run the following command:

    FGTB-1 # diagnose sys csf global

    Current vision:

    [

    {

    "path":"FG3H1E5818900718",

    "mgmt_ip_str":"",

    "mgmt_port":0,

    "sync_mode":1,

    "saml_role":"disable",

    "admin_port":443,

    "serial":"FG3H1E5818900718",

    "host_name":"FGTA-1",

    "firmware_version_major":6,

    "firmware_version_minor":2,

    "firmware_version_patch":0,

    "firmware_version_build":923,

    "subtree_members":[

    {

    "serial":"FG201ETK18902514"

    },

    {

    "serial":"FGT81ETK18002246"

    },

    {

    "serial":"FG101ETK18002187"

    }

    ]

    },

    {

    "path":"FG3H1E5818900718:FG201ETK18902514",

    "mgmt_ip_str":"robot.csf",

    "mgmt_port":4432,

    "sync_mode":1,

    "saml_role":"service-provider",

    "admin_port":443,

    "serial":"FG201ETK18902514",

    "host_name":"FGTB-1",

    "firmware_version_major":6,

    "firmware_version_minor":2,

    "firmware_version_patch":0,

    "firmware_version_build":923,

    "upstream_intf":"port2",

    "upstream_serial":"FG3H1E5818900718",

    "parent_serial":"FG3H1E5818900718",

    "parent_hostname":"FGTA-1",

    "upstream_status":"Authorized",

    "upstream_ip":29884938,

    "upstream_ip_str":"10.2.200.1",

    "subtree_members":[

    {

    "serial":"FGT81ETK18002246"

    },

    {

    "serial":"FG101ETK18002187"

    }

    ],

    "is_discovered":true,

    "ip_str":"10.2.200.2",

    "downstream_intf":"wan1",

    "idx":1

    },

    {

    "path":"FG3H1E5818900718:FG201ETK18902514:FGT81ETK18002246",

    "mgmt_ip_str":"172.17.48.225",

    "mgmt_port":4434,

    "sync_mode":1,

    "saml_role":"service-provider",

    "admin_port":443,

    "serial":"FGT81ETK18002246",

    "host_name":"FGTD",

    "firmware_version_major":6,

    "firmware_version_minor":2,

    "firmware_version_patch":0,

    "firmware_version_build":923,

    "upstream_intf":"vlan60",

    "upstream_serial":"FG201ETK18902514",

    "parent_serial":"FG201ETK18902514",

    "parent_hostname":"FGTB-1",

    "upstream_status":"Authorized",

    "upstream_ip":33990848,

    "upstream_ip_str":"192.168.6.2",

    "subtree_members":[

    ],

    "is_discovered":true,

    "ip_str":"192.168.6.4",

    "downstream_intf":"wan2",

    "idx":2

    },

    {

    "path":"FG3H1E5818900718:FG201ETK18902514:FG101ETK18002187",

    "mgmt_ip_str":"",

    "mgmt_port":0,

    "sync_mode":1,

    "saml_role":"disable",

    "admin_port":443,

    "serial":"FG101ETK18002187",

    "host_name":"FGTC",

    "firmware_version_major":6,

    "firmware_version_minor":2,

    "firmware_version_patch":0,

    "firmware_version_build":923,

    "upstream_intf":"vlan70",

    "upstream_serial":"FG201ETK18902514",

    "parent_serial":"FG201ETK18902514",

    "parent_hostname":"FGTB-1",

    "upstream_status":"Authorized",

    "upstream_ip":34056384,

    "upstream_ip_str":"192.168.7.2",

    "subtree_members":[

    ],

    "is_discovered":true,

    "ip_str":"192.168.7.3",

    "downstream_intf":"wan1",

    "idx":3

    }

    ]