Fortinet black logo

CLI Reference

config system csf

config system csf

Add this FortiGate to a Security Fabric or set up a new Security Fabric on this FortiGate.

config system csf

Description: Add this FortiGate to a Security Fabric or set up a new Security Fabric on this FortiGate.

set status [enable|disable]

set upstream-ip {ipv4-address}

set upstream-port {integer}

set group-name {string}

set group-password {password}

set accept-auth-by-cert [disable|enable]

set management-ip {string}

set management-port {integer}

set authorization-request-type [serial|certificate]

set certificate {string}

set fabric-workers {integer}

set configuration-sync [default|local]

set fabric-object-unification [default|local]

set saml-configuration-sync [default|local]

config trusted-list

Description: Pre-authorized and blocked security fabric nodes.

edit <name>

set authorization-type [serial|certificate]

set serial {string}

set certificate {var-string}

set action [accept|deny]

set ha-members {string}

set downstream-authorization [enable|disable]

next

end

config fabric-device

Description: Fabric device configuration.

edit <name>

set device-ip {ipv4-address}

set https-port {integer}

set access-token {varlen_password}

next

end

end

config system csf

Parameter

Description

Type

Size

Default

status

Enable/disable Security Fabric.

option

-

disable

Option

Description

enable

Enable Security Fabric.

disable

Disable Security Fabric.

upstream-ip

IP address of the FortiGate upstream from this FortiGate in the Security Fabric.

ipv4-address

Not Specified

0.0.0.0

upstream-port

The port number to use to communicate with the FortiGate upstream from this FortiGate in the Security Fabric .

integer

Minimum value: 1 Maximum value: 65535

8013

group-name

Security Fabric group name. All FortiGates in a Security Fabric must have the same group name.

string

Not Specified

group-password

Security Fabric group password. All FortiGates in a Security Fabric must have the same group password.

password

Not Specified

accept-auth-by-cert

Accept connections with unknown certificates and ask admin for approval.

option

-

enable

Option

Description

disable

Do not accept SSL connections with unknown certificates.

enable

Accept SSL connections without automatic certificate verification.

management-ip

Management IP address of this FortiGate. Used to log into this FortiGate from another FortiGate in the Security Fabric.

string

Not Specified

management-port

Overriding port for management connection (Overrides admin port).

integer

Minimum value: 0 Maximum value: 65535

0

authorization-request-type

Authorization request type.

option

-

serial

Option

Description

serial

Request verification by serial number.

certificate

Request verification by certificate.

certificate

Certificate.

string

Not Specified

fabric-workers

Number of worker processes for Security Fabric daemon.

integer

Minimum value: 1 Maximum value: 4

2

configuration-sync

Configuration sync mode.

option

-

default

Option

Description

default

Synchronize configuration for FortiAnalyzer, FortiSandbox, and Central Management to root node.

local

Do not synchronize configuration with root node.

fabric-object-unification

Fabric CMDB Object Unification.

option

-

default

Option

Description

default

Global CMDB objects will be synchronized in Security Fabric.

local

Global CMDB objects will not be synchronized to and from this device.

saml-configuration-sync

SAML setting configuration synchronization.

option

-

default

Option

Description

default

SAML setting for fabric members is created by fabric root.

local

Do not apply SAML configuration generated by root.

config trusted-list

Parameter

Description

Type

Size

Default

authorization-type

Authorization type.

option

-

serial

Option

Description

serial

Verify downstream by serial number.

certificate

Verify downstream by certificate.

serial

Serial.

string

Not Specified

certificate

Certificate.

var-string

Not Specified

action

Security fabric authorization action.

option

-

accept

Option

Description

accept

Accept authorization request.

deny

Deny authorization request.

ha-members

HA members.

string

Not Specified

downstream-authorization

Trust authorizations by this node's administrator.

option

-

disable

Option

Description

enable

Enable downstream authorization.

disable

Disable downstream authorization.

config fabric-device

Parameter

Description

Type

Size

Default

device-ip

Device IP.

ipv4-address

Not Specified

0.0.0.0

https-port

HTTPS port for fabric device.

integer

Minimum value: 1 Maximum value: 65535

443

access-token

Device access token.

varlen_password

Not Specified

config system csf

Add this FortiGate to a Security Fabric or set up a new Security Fabric on this FortiGate.

config system csf

Description: Add this FortiGate to a Security Fabric or set up a new Security Fabric on this FortiGate.

set status [enable|disable]

set upstream-ip {ipv4-address}

set upstream-port {integer}

set group-name {string}

set group-password {password}

set accept-auth-by-cert [disable|enable]

set management-ip {string}

set management-port {integer}

set authorization-request-type [serial|certificate]

set certificate {string}

set fabric-workers {integer}

set configuration-sync [default|local]

set fabric-object-unification [default|local]

set saml-configuration-sync [default|local]

config trusted-list

Description: Pre-authorized and blocked security fabric nodes.

edit <name>

set authorization-type [serial|certificate]

set serial {string}

set certificate {var-string}

set action [accept|deny]

set ha-members {string}

set downstream-authorization [enable|disable]

next

end

config fabric-device

Description: Fabric device configuration.

edit <name>

set device-ip {ipv4-address}

set https-port {integer}

set access-token {varlen_password}

next

end

end

config system csf

Parameter

Description

Type

Size

Default

status

Enable/disable Security Fabric.

option

-

disable

Option

Description

enable

Enable Security Fabric.

disable

Disable Security Fabric.

upstream-ip

IP address of the FortiGate upstream from this FortiGate in the Security Fabric.

ipv4-address

Not Specified

0.0.0.0

upstream-port

The port number to use to communicate with the FortiGate upstream from this FortiGate in the Security Fabric .

integer

Minimum value: 1 Maximum value: 65535

8013

group-name

Security Fabric group name. All FortiGates in a Security Fabric must have the same group name.

string

Not Specified

group-password

Security Fabric group password. All FortiGates in a Security Fabric must have the same group password.

password

Not Specified

accept-auth-by-cert

Accept connections with unknown certificates and ask admin for approval.

option

-

enable

Option

Description

disable

Do not accept SSL connections with unknown certificates.

enable

Accept SSL connections without automatic certificate verification.

management-ip

Management IP address of this FortiGate. Used to log into this FortiGate from another FortiGate in the Security Fabric.

string

Not Specified

management-port

Overriding port for management connection (Overrides admin port).

integer

Minimum value: 0 Maximum value: 65535

0

authorization-request-type

Authorization request type.

option

-

serial

Option

Description

serial

Request verification by serial number.

certificate

Request verification by certificate.

certificate

Certificate.

string

Not Specified

fabric-workers

Number of worker processes for Security Fabric daemon.

integer

Minimum value: 1 Maximum value: 4

2

configuration-sync

Configuration sync mode.

option

-

default

Option

Description

default

Synchronize configuration for FortiAnalyzer, FortiSandbox, and Central Management to root node.

local

Do not synchronize configuration with root node.

fabric-object-unification

Fabric CMDB Object Unification.

option

-

default

Option

Description

default

Global CMDB objects will be synchronized in Security Fabric.

local

Global CMDB objects will not be synchronized to and from this device.

saml-configuration-sync

SAML setting configuration synchronization.

option

-

default

Option

Description

default

SAML setting for fabric members is created by fabric root.

local

Do not apply SAML configuration generated by root.

config trusted-list

Parameter

Description

Type

Size

Default

authorization-type

Authorization type.

option

-

serial

Option

Description

serial

Verify downstream by serial number.

certificate

Verify downstream by certificate.

serial

Serial.

string

Not Specified

certificate

Certificate.

var-string

Not Specified

action

Security fabric authorization action.

option

-

accept

Option

Description

accept

Accept authorization request.

deny

Deny authorization request.

ha-members

HA members.

string

Not Specified

downstream-authorization

Trust authorizations by this node's administrator.

option

-

disable

Option

Description

enable

Enable downstream authorization.

disable

Disable downstream authorization.

config fabric-device

Parameter

Description

Type

Size

Default

device-ip

Device IP.

ipv4-address

Not Specified

0.0.0.0

https-port

HTTPS port for fabric device.

integer

Minimum value: 1 Maximum value: 65535

443

access-token

Device access token.

varlen_password

Not Specified