Leverage SAML to switch between Security Fabric FortiGates 6.2.1

In the FortiGate GUI header, a dropdown menu is available for all FortiGates that are participating in the Security Fabric. You can use the dropdown menu to easily switch between all devices connected to the Security Fabric. Each item in the dropdown menu represents a FortiGate in the Security Fabric.

Following is a summary of the new feature:

Switching between FortiGates in a Security Fabric using the GUI

To switch between FortiGates in a Security Fabric:
  1. Log in to a FortiGate in a Security Fabric by using SSO.
  2. In the banner, click the name of the FortiGate.

    A dropdown menu is displayed. The dropdown menu displays the root FortiGate as well as the downstream FortiGates in the Security Fabric.

  3. Hover over the name of a FortiGate.

    A tooltip about the FortiGate is displayed.

    Following is an example of the tooltip for a downstream FortiGate:

    Following is an example of the tooltip for another downstream FortiGate:

  4. Click a FortiGate to navigate to its management IP/FQDN without further authentication.

Setting the IP/FQDN using the GUI

To set the IP/FQDN using the GUI:
  1. Log into the root FortiGate, and go to Security Fabric > Settings.

    Beside Security Fabric role, Serve as Fabric Root is selected.

  2. Specify the management IP or FQDN:
    1. Beside Management IP/FQDN, click Specify.

      A box is displayed.

    2. In the box, type the management IP or FQDN.
    3. Beside Management Port, click Specify.

      A box is displayed.

    4. In the box, type the port number, and click Apply.
  3. On a downstream FortiGate, go to Security Fabric > Settings.

    Beside Security Fabric role, Join Existing Fabric is selected.

  4. Specify the management IP or FQDN:
    1. Beside Management IP/FQDN, click Specify.

      A box is displayed.

    2. In the box, type the management IP or FQDN.
    3. Beside Management Port, click Specify.

      A box is displayed.

    4. In the box, type the port number, and click Apply.

    If management IP/FQDN is not set on a FortiGate, the IP that it uses to connect to the Security Fabric is displayed as management IP, and a warning is displayed because administrators might be unable to access the IP by using a browser.

Setting the IP/FQDN using the CLI

To set the IP/FQDN using the CLI:
  1. On the root FortiGate, run the following commands:

    config system csf
        set status enable
        set group-name "csf_script"
        set management-ip "172.17.48.225"
        set management-port 4431
        ......
    end

  2. On a downstream FortiGate, run the following commands:

    config system csf
        set status enable
        set upstream-ip 10.2.200.1
        set management-ip "robot.csf"
        set management-port 4432
    end

Customizing a root FortiGate using the GUI

To customize a root FortiGate using the GUI:
  1. On a root FortiGate, click the dropdown menu in the banner, and hover over the root FortiGate.

    A summary pane is displayed.

  2. In the summary pane, click Customize.

    A Customize pane is displayed.

  3. Edit the settings, and click OK.

Viewing a summary of all connected FortiGates in a Security Fabric using the CLI

To view a summary of all connected FortiGates in a Security Fabric using the CLI:
  1. Go to a downstream FortiGate in the Security Fabric, and run the following command:

    FGTB-1 # diagnose sys csf global
    Current vision:
    [
        {
            "path":"FG3H1E5818900718",
            "mgmt_ip_str":"",
            "mgmt_port":0,
            "sync_mode":1,
            "saml_role":"disable",
            "admin_port":443,
            "serial":"FG3H1E5818900718",
            "host_name":"FGTA-1",
            "firmware_version_major":6,
            "firmware_version_minor":2,
            "firmware_version_patch":0,
            "firmware_version_build":923,
            "subtree_members":[
                {
                    "serial":"FG201ETK18902514"
                },
                {
                    "serial":"FGT81ETK18002246"
                },
                {
                    "serial":"FG101ETK18002187"
                }
            ]
        },
        {
            "path":"FG3H1E5818900718:FG201ETK18902514",
            "mgmt_ip_str":"robot.csf",
            "mgmt_port":4432,
            "sync_mode":1,
            "saml_role":"service-provider",
            "admin_port":443,
            "serial":"FG201ETK18902514",
            "host_name":"FGTB-1",
            "firmware_version_major":6,
            "firmware_version_minor":2,
            "firmware_version_patch":0,
            "firmware_version_build":923,
            "upstream_intf":"port2",
            "upstream_serial":"FG3H1E5818900718",
            "parent_serial":"FG3H1E5818900718",
            "parent_hostname":"FGTA-1",
            "upstream_status":"Authorized",
            "upstream_ip":29884938,
            "upstream_ip_str":"10.2.200.1",
            "subtree_members":[
                {
                    "serial":"FGT81ETK18002246"
                },
                {
                    "serial":"FG101ETK18002187"
                }
            ],
            "is_discovered":true,
            "ip_str":"10.2.200.2",
            "downstream_intf":"wan1",
            "idx":1
        },
        {
            "path":"FG3H1E5818900718:FG201ETK18902514:FGT81ETK18002246",
            "mgmt_ip_str":"172.17.48.225",
            "mgmt_port":4434,
            "sync_mode":1,
            "saml_role":"service-provider",
            "admin_port":443,
            "serial":"FGT81ETK18002246",
            "host_name":"FGTD",
            "firmware_version_major":6,
            "firmware_version_minor":2,
            "firmware_version_patch":0,
            "firmware_version_build":923,
            "upstream_intf":"vlan60",
            "upstream_serial":"FG201ETK18902514",
            "parent_serial":"FG201ETK18902514",
            "parent_hostname":"FGTB-1",
            "upstream_status":"Authorized",
            "upstream_ip":33990848,
            "upstream_ip_str":"192.168.6.2",
            "subtree_members":[
            ],
            "is_discovered":true,
            "ip_str":"192.168.6.4",
            "downstream_intf":"wan2",
            "idx":2
        },
        {
            "path":"FG3H1E5818900718:FG201ETK18902514:FG101ETK18002187",
            "mgmt_ip_str":"",
            "mgmt_port":0,
            "sync_mode":1,
            "saml_role":"disable",
            "admin_port":443,
            "serial":"FG101ETK18002187",
            "host_name":"FGTC",
            "firmware_version_major":6,
            "firmware_version_minor":2,
            "firmware_version_patch":0,
            "firmware_version_build":923,
            "upstream_intf":"vlan70",
            "upstream_serial":"FG201ETK18902514",
            "parent_serial":"FG201ETK18902514",
            "parent_hostname":"FGTB-1",
            "upstream_status":"Authorized",
            "upstream_ip":34056384,
            "upstream_ip_str":"192.168.7.2",
            "subtree_members":[
            ],
            "is_discovered":true,
            "ip_str":"192.168.7.3",
            "downstream_intf":"wan1",
            "idx":3
        }
    ]
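The output above is plain JSON after the "Current vision:" line, so it can be audited offline before relying on the SAML switcher. The following is an added example (not Fortinet code) that parses that output, flags members with no management IP/FQDN or port (the GUI then falls back to the Fabric connection IP and shows the warning described earlier) or with saml_role disabled, and cross-checks the integer upstream_ip against upstream_ip_str; the sample input is a constructed, abridged copy of the output shown above.

```python
import json
import socket
import struct

# Constructed sample, abridged from the "diagnose sys csf global" output shown above
# (only the fields this check reads); the real output is the full JSON array.
SAMPLE_OUTPUT = """FGTB-1 # diagnose sys csf global
Current vision:
[
 {"path":"FG3H1E5818900718","mgmt_ip_str":"","mgmt_port":0,"saml_role":"disable",
  "serial":"FG3H1E5818900718","host_name":"FGTA-1"},
 {"path":"FG3H1E5818900718:FG201ETK18902514","mgmt_ip_str":"robot.csf","mgmt_port":4432,
  "saml_role":"service-provider","serial":"FG201ETK18902514","host_name":"FGTB-1",
  "upstream_ip":29884938,"upstream_ip_str":"10.2.200.1","ip_str":"10.2.200.2"},
 {"path":"FG3H1E5818900718:FG201ETK18902514:FG101ETK18002187","mgmt_ip_str":"",
  "mgmt_port":0,"saml_role":"disable","serial":"FG101ETK18002187","host_name":"FGTC",
  "upstream_ip":34056384,"upstream_ip_str":"192.168.7.2","ip_str":"192.168.7.3"}
]
"""

def parse_csf_global(text):
    """Return the member list: the JSON array that follows the 'Current vision:' line."""
    return json.loads(text.split("Current vision:", 1)[1])

def upstream_ip_to_str(value):
    """upstream_ip is the raw IPv4 address as a little-endian integer:
    29884938 -> 10.2.200.1, matching upstream_ip_str in the output above."""
    return socket.inet_ntoa(struct.pack("<I", value))

def audit_members(members):
    """Return (host_name, depth, finding) tuples for members that will not switch
    cleanly: no management IP/FQDN or port set (the GUI then shows the Fabric
    connection IP and warns), SAML role disabled, or an inconsistent upstream_ip."""
    findings = []
    for m in members:
        depth = m["path"].count(":")          # 0 = root, 1 = first downstream tier, ...
        if not m["mgmt_ip_str"] or m["mgmt_port"] == 0:
            findings.append((m["host_name"], depth, "no-mgmt-ip"))
        if m["saml_role"] == "disable":
            findings.append((m["host_name"], depth, "saml-disabled"))
        if "upstream_ip" in m and upstream_ip_to_str(m["upstream_ip"]) != m["upstream_ip_str"]:
            findings.append((m["host_name"], depth, "upstream-ip-mismatch"))
    return findings

if __name__ == "__main__":
    for host, depth, finding in audit_members(parse_csf_global(SAMPLE_OUTPUT)):
        print("  " * depth + f"{host}: {finding}")
```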
