Leveraging SAML to switch between Security Fabric FortiGates

In the FortiOS GUI banner, there is a dropdown menu available that allows you to easily switch between all FortiGate devices that are connected to the Security Fabric.

  • The dropdown menu is available on both the root and downstream FortiGates. You can click a link in the menu to navigate to any other FortiGate's management IP/FQDN.

    See Switching between FortiGates in a Security Fabric.

  • In both root and downstream FortiGates, you can configure the management IP/FQDN and port settings.

    If the management IP/FQDN is not configured, the IP address that the FortiGate uses to connect to the Security Fabric is shown as the management IP address. A warning message is displayed because administrators might be unable to access the IP address using a web browser.

    See Setting the IP/FQDN.

  • In the root FortiGate GUI, you can use the Configure option to change the hostname, management IP/FQDN, and port number.

    See Customizing a root FortiGate.

  • In downstream FortiGates, the diagnose sys csf global command shows a summary of all of the connected FortiGates in the Security Fabric.

    See Viewing a summary of all connected FortiGates in a Security Fabric.

Switching between FortiGates in a Security Fabric

To switch between FortiGates in a Security Fabric:
  1. Log in to a FortiGate in a Security Fabric using SSO.
  2. In the banner, click the name of the FortiGate.

    A dropdown menu opens, showing the root FortiGate as well as downstream FortiGates in the Security Fabric.

  3. Hover the cursor over a FortiGate name to see a tooltip about that FortiGate.

  4. Click Login to navigate to its management IP/FQDN.

    You can also click the FortiGate name in the dropdown menu to log in to the device.

  5. Click the option to log in via Single Sign-On.

Setting the IP/FQDN

The management IP/FQDN and port can be configured on the root FortiGate and on each downstream FortiGate. When SAML SSO is enabled, you can configure the downstream FortiGates from within the root FortiGate (see Configuring a downstream FortiGate as an SP). The setting only tells the banner dropdown where to send administrators; it does not change the address or port the GUI listens on, so enter an address that is actually reachable from an administrator's browser.

To set the IP/FQDN in the GUI:
  1. Log in to a FortiGate in the Security Fabric.
  2. Go to Security Fabric > Settings.
  3. In the FortiGate Telemetry section, scroll to the Management IP/FQDN field and select Specify.
  4. Enter the IP/FQDN.
  5. In the Management Port field, select Specify, and enter the port number.
  6. Click Apply.

If the management IP/FQDN is not configured, the IP address that the FortiGate uses to connect to the Security Fabric is shown as the management IP address. A warning message is displayed because administrators might be unable to access that IP address using a web browser.

To set the IP/FQDN in the CLI:
  1. Configure the root FortiGate:
    config system csf
        set status enable
        set group-name "fabric"
        set management-ip "104.196.102.183"
        set management-port 10403
    end
  2. Configure each downstream FortiGate (when several devices share one management IP/FQDN, as in this example, each needs its own management-port):
    config system csf
        set status enable
        set upstream-ip 10.100.88.1
        set management-ip "104.196.102.183"
        set management-port 10423
    end

Customizing a root FortiGate

To customize a root FortiGate:
  1. Click the dropdown menu in the banner and hover the cursor over the root FortiGate so the tooltip is shown.
  2. Click Configure. The Configure pane opens.

  3. Edit the settings as required.
  4. Click OK.

Viewing a summary of all connected FortiGates in a Security Fabric

To view a Security Fabric summary on a downstream FortiGate:
# diagnose sys csf global
Current vision:
[
  {
    "path":"FGVM01TM19000001",
    "mgmt_ip_str":"104.196.102.183",
    "mgmt_port":10403,
    "sync_mode":1,
    "saml_role":"identity-provider",
    "admin_port":443,
    "serial":"FGVM01TM19000001",
    "host_name":"admin-root",
    "firmware_version_major":6,
    "firmware_version_minor":2,
    "firmware_version_patch":0,
    "firmware_version_build":1010,
    "subtree_members":[
      {
        "serial":"FGVM01TM19000002"
      },
      {
        "serial":"FGVM01TM19000003"
      },
      {
        "serial":"FGVM01TM19000004"
      },
      {
        "serial":"FGVM01TM19000005"
      }
    ]
  },
  {
    "path":"FGVM01TM19000001:FGVM01TM19000002",
    "mgmt_ip_str":"104.196.102.183",
    "mgmt_port":10423,
    "sync_mode":1,
    "saml_role":"service-provider",
    "admin_port":443,
    "serial":"FGVM01TM19000002",
    "host_name":"Branch_Office_01",
    "firmware_version_major":6,
    "firmware_version_minor":2,
    "firmware_version_patch":0,
    "firmware_version_build":1010,
    "upstream_intf":"Branch-HQ-A",
    "upstream_serial":"FGVM01TM19000001",
    "parent_serial":"FGVM01TM19000001",
    "parent_hostname":"admin-root",
    "upstream_status":"Authorized",
    "upstream_ip":22569994,
    "upstream_ip_str":"10.100.88.1",
    "subtree_members":[
    ],
    "is_discovered":true,
    "ip_str":"10.0.10.2",
    "downstream_intf":"To-HQ-A",
    "idx":1
  },
  {
    "path":"FGVM01TM19000001:FGVM01TM19000003",
    "mgmt_ip_str":"104.196.102.183",
    "mgmt_port":10407,
    "sync_mode":1,
    "saml_role":"service-provider",
    "admin_port":443,
    "serial":"FGVM01TM19000003",
    "host_name":"Enterprise_Second_Floor",
    "firmware_version_major":6,
    "firmware_version_minor":2,
    "firmware_version_patch":0,
    "firmware_version_build":1010,
    "upstream_intf":"port3",
    "upstream_serial":"FGVM01TM19000001",
    "parent_serial":"FGVM01TM19000001",
    "parent_hostname":"admin-root",
    "upstream_status":"Authorized",
    "upstream_ip":22569994,
    "upstream_ip_str":"10.100.88.1",
    "subtree_members":[
    ],
    "is_discovered":true,
    "ip_str":"10.100.88.102",
    "downstream_intf":"port1",
    "idx":2
  },
  {
    "path":"FGVM01TM19000001:FGVM01TM19000004",
    "mgmt_ip_str":"104.196.102.183",
    "mgmt_port":10424,
    "sync_mode":1,
    "saml_role":"service-provider",
    "admin_port":443,
    "serial":"FGVM01TM19000004",
    "host_name":"Branch_Office_02",
    "firmware_version_major":6,
    "firmware_version_minor":2,
    "firmware_version_patch":0,
    "firmware_version_build":1010,
    "upstream_intf":"HQ-MPLS",
    "upstream_serial":"FGVM01TM19000001",
    "parent_serial":"FGVM01TM19000001",
    "parent_hostname":"admin-root",
    "upstream_status":"Authorized",
    "upstream_ip":22569994,
    "upstream_ip_str":"10.100.88.1",
    "subtree_members":[
    ],
    "is_discovered":true,
    "ip_str":"10.0.12.3",
    "downstream_intf":"To-HQ-MPLS",
    "idx":3
  },
  {
    "path":"FGVM01TM19000001:FGVM01TM19000005",
    "mgmt_ip_str":"104.196.102.183",
    "mgmt_port":10404,
    "sync_mode":1,
    "saml_role":"service-provider",
    "admin_port":443,
    "serial":"FGVM01TM19000005",
    "host_name":"Enterprise_First_Floor",
    "firmware_version_major":6,
    "firmware_version_minor":2,
    "firmware_version_patch":0,
    "firmware_version_build":1010,
    "upstream_intf":"port3",
    "upstream_serial":"FGVM01TM19000001",
    "parent_serial":"FGVM01TM19000001",
    "parent_hostname":"admin-root",
    "upstream_status":"Authorized",
    "upstream_ip":22569994,
    "upstream_ip_str":"10.100.88.1",
    "subtree_members":[
    ],
    "is_discovered":true,
    "ip_str":"10.100.88.101",
    "downstream_intf":"port1",
    "idx":4
  }
]
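The following Python script is an added example, not FortiOS code or a Fortinet tool. It reads the JSON that diagnose sys csf global prints, rebuilds the fabric tree from the path field, derives the URL each banner dropdown link points at, and flags the conditions described in Setting the IP/FQDN and in this section: a management IP/FQDN left unconfigured (the fabric IP is advertised instead), two FortiGates advertising the same IP and port, a downstream whose upstream status is not Authorized, and an upstream_ip integer that does not decode to upstream_ip_str. Assumptions: the links use https; the integer address is little-endian (on this page 22569994 stands for 10.100.88.1); the unconfigured case is detected as mgmt_ip_str equal to ip_str; the third record in the sample (FGVM01TM19000099, Hypothetical_Branch) is made up to trigger the checks.

```python
"""Audit a Security Fabric from the JSON printed by `diagnose sys csf global`.
Added example, not FortiOS code. Field names follow the output on this page;
the https scheme, the little-endian address decoding and the "unconfigured
management IP" heuristic are assumptions made for illustration."""
import json
import socket
import struct
from collections import Counter

# Constructed sample: the first two records are copied from the page's output
# (trimmed to the fields used here); the third is hypothetical and reuses a
# port, reports a non-Authorized upstream and carries a mismatching integer.
SAMPLE_JSON = """[
 {"path":"FGVM01TM19000001","mgmt_ip_str":"104.196.102.183","mgmt_port":10403,
  "saml_role":"identity-provider","serial":"FGVM01TM19000001",
  "host_name":"admin-root"},
 {"path":"FGVM01TM19000001:FGVM01TM19000002","mgmt_ip_str":"104.196.102.183",
  "mgmt_port":10423,"saml_role":"service-provider","serial":"FGVM01TM19000002",
  "host_name":"Branch_Office_01","upstream_status":"Authorized",
  "upstream_ip":22569994,"upstream_ip_str":"10.100.88.1","ip_str":"10.0.10.2"},
 {"path":"FGVM01TM19000001:FGVM01TM19000099","mgmt_ip_str":"104.196.102.183",
  "mgmt_port":10423,"saml_role":"service-provider","serial":"FGVM01TM19000099",
  "host_name":"Hypothetical_Branch","upstream_status":"Pending",
  "upstream_ip":22569995,"upstream_ip_str":"10.100.88.1","ip_str":"10.0.99.2"}
]"""


def load_sample() -> list:
    """Parse the constructed sample into a list of record dicts."""
    return json.loads(SAMPLE_JSON)


def int_to_ipv4(n: int) -> str:
    """Decode the integer address form seen in the output. On the page
    22569994 stands for 10.100.88.1, so the bytes are little-endian
    (assumed to be the appliance's host byte order)."""
    return socket.inet_ntoa(struct.pack("<I", n & 0xFFFFFFFF))


def mgmt_url(rec: dict) -> str:
    """URL the banner dropdown's Login link opens for this record (https assumed)."""
    return f"https://{rec['mgmt_ip_str']}:{rec['mgmt_port']}/"


def parse_tree(records: list) -> dict:
    """Map each serial to its direct children, derived from the colon-separated
    'path' (root serial first, then one hop per level down the fabric)."""
    children = {r["serial"]: [] for r in records}
    for r in records:
        hops = r["path"].split(":")
        if len(hops) > 1:
            children.setdefault(hops[-2], []).append(r["serial"])
    return children


def audit(records: list) -> list:
    """Return human-readable findings; empty means the fabric looks consistent."""
    findings = []
    idps = [r for r in records if r.get("saml_role") == "identity-provider"]
    if len(idps) != 1 or ":" in idps[0]["path"]:
        findings.append("expected exactly one identity-provider, and it must be the root")
    # One IP/FQDN may front several FortiGates (as on the page), but only on
    # distinct ports; otherwise two dropdown links land on the same GUI.
    counts = Counter((r["mgmt_ip_str"], r["mgmt_port"]) for r in records)
    for (ip, port), n in counts.items():
        if n > 1:
            findings.append(f"{ip}:{port} is advertised by {n} FortiGates")
    for r in records:
        name = r["host_name"]
        if r.get("saml_role") == "service-provider":
            status = r.get("upstream_status")
            if status != "Authorized":
                findings.append(f"{name}: upstream status is {status!r}, not Authorized")
            decoded = int_to_ipv4(r["upstream_ip"])
            if decoded != r["upstream_ip_str"]:
                findings.append(f"{name}: upstream_ip decodes to {decoded}, "
                                f"but upstream_ip_str is {r['upstream_ip_str']}")
        # With no management IP/FQDN configured, the GUI advertises the address
        # the device uses to reach the fabric and warns it may not be browsable.
        # Heuristic (assumption): that shows up as mgmt_ip_str == ip_str.
        if "ip_str" in r and r["mgmt_ip_str"] == r["ip_str"]:
            findings.append(f"{name}: no management IP/FQDN set, fabric IP {r['ip_str']} advertised")
    return findings


if __name__ == "__main__":
    recs = load_sample()
    for serial, kids in parse_tree(recs).items():
        print(f"{serial} -> {kids}")
    for r in recs:
        print(f"{r['host_name']:<20} {r['saml_role']:<18} {mgmt_url(r)}")
    for f in audit(recs):
        print("FINDING:", f)
```

To run it against a live fabric, paste the array that follows "Current vision:" in the diagnose output in place of SAMPLE_JSON; the two page records alone produce no findings, and the hypothetical third record produces three.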