Fortinet black logo

CLI Reference

config system csf

config system csf

Add this FortiGate to a Security Fabric or set up a new Security Fabric on this FortiGate.

config system csf
    Description: Add this FortiGate to a Security Fabric or set up a new Security Fabric on this FortiGate.
    set accept-auth-by-cert [disable|enable]
    set authorization-request-type [serial|certificate]
    set certificate {string}
    set configuration-sync [default|local]
    config fabric-device
        Description: Fabric device configuration.
        edit <name>
            set device-ip {ipv4-address}
            set https-port {integer}
            set access-token {varlen_password}
        next
    end
    set fabric-object-unification [default|local]
    set fabric-workers {integer}
    set group-name {string}
    set group-password {password}
    set management-ip {string}
    set management-port {integer}
    set saml-configuration-sync [default|local]
    set status [enable|disable]
    config trusted-list
        Description: Pre-authorized and blocked security fabric nodes.
        edit <name>
            set authorization-type [serial|certificate]
            set serial {string}
            set certificate {var-string}
            set action [accept|deny]
            set ha-members {string}
            set downstream-authorization [enable|disable]
        next
    end
    set upstream-ip {ipv4-address}
    set upstream-port {integer}
end

config system csf

Parameter

Description

Type

Size

Default

accept-auth-by-cert

Accept connections with unknown certificates and ask admin for approval.

option

-

enable

Option

Description

disable

Do not accept SSL connections with unknown certificates.

enable

Accept SSL connections without automatic certificate verification.

authorization-request-type

Authorization request type.

option

-

serial

Option

Description

serial

Request verification by serial number.

certificate

Request verification by certificate.

certificate

Certificate.

string

Maximum length: 35

configuration-sync

Configuration sync mode.

option

-

default

Option

Description

default

Synchronize configuration for FortiAnalyzer, FortiSandbox, and Central Management to root node.

local

Do not synchronize configuration with root node.

fabric-object-unification

Fabric CMDB Object Unification.

option

-

default

Option

Description

default

Global CMDB objects will be synchronized in Security Fabric.

local

Global CMDB objects will not be synchronized to and from this device.

fabric-workers

Number of worker processes for Security Fabric daemon.

integer

Minimum value: 1 Maximum value: 4

2

group-name

Security Fabric group name. All FortiGates in a Security Fabric must have the same group name.

string

Maximum length: 35

group-password

Security Fabric group password. All FortiGates in a Security Fabric must have the same group password.

password

Not Specified

management-ip

Management IP address of this FortiGate. Used to log into this FortiGate from another FortiGate in the Security Fabric.

string

Maximum length: 255

management-port

Overriding port for management connection (Overrides admin port).

integer

Minimum value: 0 Maximum value: 65535

0

saml-configuration-sync

SAML setting configuration synchronization.

option

-

default

Option

Description

default

SAML setting for fabric members is created by fabric root.

local

Do not apply SAML configuration generated by root.

status

Enable/disable Security Fabric.

option

-

disable

Option

Description

enable

Enable Security Fabric.

disable

Disable Security Fabric.

upstream-ip

IP address of the FortiGate upstream from this FortiGate in the Security Fabric.

ipv4-address

Not Specified

0.0.0.0

upstream-port

The port number to use to communicate with the FortiGate upstream from this FortiGate in the Security Fabric.

integer

Minimum value: 1 Maximum value: 65535

8013

config fabric-device

Parameter

Description

Type

Size

Default

name

Device name.

string

Maximum length: 35

device-ip

Device IP.

ipv4-address

Not Specified

0.0.0.0

https-port

HTTPS port for fabric device.

integer

Minimum value: 1 Maximum value: 65535

443

access-token

Device access token.

varlen_password

Not Specified

config trusted-list

Parameter

Description

Type

Size

Default

name

Name.

string

Maximum length: 35

authorization-type

Authorization type.

option

-

serial

Option

Description

serial

Verify downstream by serial number.

certificate

Verify downstream by certificate.

serial

Serial.

string

Maximum length: 19

certificate

Certificate.

var-string

Maximum length: 32767

action

Security fabric authorization action.

option

-

accept

Option

Description

accept

Accept authorization request.

deny

Deny authorization request.

ha-members

HA members.

string

Maximum length: 19

downstream-authorization

Trust authorizations by this node's administrator.

option

-

disable

Option

Description

enable

Enable downstream authorization.

disable

Disable downstream authorization.

config system csf

Add this FortiGate to a Security Fabric or set up a new Security Fabric on this FortiGate.

config system csf
    Description: Add this FortiGate to a Security Fabric or set up a new Security Fabric on this FortiGate.
    set accept-auth-by-cert [disable|enable]
    set authorization-request-type [serial|certificate]
    set certificate {string}
    set configuration-sync [default|local]
    config fabric-device
        Description: Fabric device configuration.
        edit <name>
            set device-ip {ipv4-address}
            set https-port {integer}
            set access-token {varlen_password}
        next
    end
    set fabric-object-unification [default|local]
    set fabric-workers {integer}
    set group-name {string}
    set group-password {password}
    set management-ip {string}
    set management-port {integer}
    set saml-configuration-sync [default|local]
    set status [enable|disable]
    config trusted-list
        Description: Pre-authorized and blocked security fabric nodes.
        edit <name>
            set authorization-type [serial|certificate]
            set serial {string}
            set certificate {var-string}
            set action [accept|deny]
            set ha-members {string}
            set downstream-authorization [enable|disable]
        next
    end
    set upstream-ip {ipv4-address}
    set upstream-port {integer}
end

config system csf

Parameter

Description

Type

Size

Default

accept-auth-by-cert

Accept connections with unknown certificates and ask admin for approval.

option

-

enable

Option

Description

disable

Do not accept SSL connections with unknown certificates.

enable

Accept SSL connections without automatic certificate verification.

authorization-request-type

Authorization request type.

option

-

serial

Option

Description

serial

Request verification by serial number.

certificate

Request verification by certificate.

certificate

Certificate.

string

Maximum length: 35

configuration-sync

Configuration sync mode.

option

-

default

Option

Description

default

Synchronize configuration for FortiAnalyzer, FortiSandbox, and Central Management to root node.

local

Do not synchronize configuration with root node.

fabric-object-unification

Fabric CMDB Object Unification.

option

-

default

Option

Description

default

Global CMDB objects will be synchronized in Security Fabric.

local

Global CMDB objects will not be synchronized to and from this device.

fabric-workers

Number of worker processes for Security Fabric daemon.

integer

Minimum value: 1 Maximum value: 4

2

group-name

Security Fabric group name. All FortiGates in a Security Fabric must have the same group name.

string

Maximum length: 35

group-password

Security Fabric group password. All FortiGates in a Security Fabric must have the same group password.

password

Not Specified

management-ip

Management IP address of this FortiGate. Used to log into this FortiGate from another FortiGate in the Security Fabric.

string

Maximum length: 255

management-port

Overriding port for management connection (Overrides admin port).

integer

Minimum value: 0 Maximum value: 65535

0

saml-configuration-sync

SAML setting configuration synchronization.

option

-

default

Option

Description

default

SAML setting for fabric members is created by fabric root.

local

Do not apply SAML configuration generated by root.

status

Enable/disable Security Fabric.

option

-

disable

Option

Description

enable

Enable Security Fabric.

disable

Disable Security Fabric.

upstream-ip

IP address of the FortiGate upstream from this FortiGate in the Security Fabric.

ipv4-address

Not Specified

0.0.0.0

upstream-port

The port number to use to communicate with the FortiGate upstream from this FortiGate in the Security Fabric.

integer

Minimum value: 1 Maximum value: 65535

8013

config fabric-device

Parameter

Description

Type

Size

Default

name

Device name.

string

Maximum length: 35

device-ip

Device IP.

ipv4-address

Not Specified

0.0.0.0

https-port

HTTPS port for fabric device.

integer

Minimum value: 1 Maximum value: 65535

443

access-token

Device access token.

varlen_password

Not Specified

config trusted-list

Parameter

Description

Type

Size

Default

name

Name.

string

Maximum length: 35

authorization-type

Authorization type.

option

-

serial

Option

Description

serial

Verify downstream by serial number.

certificate

Verify downstream by certificate.

serial

Serial.

string

Maximum length: 19

certificate

Certificate.

var-string

Maximum length: 32767

action

Security fabric authorization action.

option

-

accept

Option

Description

accept

Accept authorization request.

deny

Deny authorization request.

ha-members

HA members.

string

Maximum length: 19

downstream-authorization

Trust authorizations by this node's administrator.

option

-

disable

Option

Description

enable

Enable downstream authorization.

disable

Disable downstream authorization.