Fortinet black logo

Administration Guide

Configuring the root FortiGate and downstream FortiGates

Configuring the root FortiGate and downstream FortiGates

The following procedures include configuration steps for a typical Security Fabric implementation, where the edge FortiGate is the root FortiGate, and the downstream FortiGate devices are all devices that are downstream from the root FortiGate.

For information about the recommended number of downstream FortiGates, see the FortiOS 6.4 Best Practices.

Prerequisites

  • FortiGate devices must either have VDOMs disabled or be running in split-task VDOM mode in order to be added to the Security Fabric. See Virtual Domains.
  • FortiGate devices must be operating in NAT mode.

Configure the root FortiGate

The edge FortiGate is typically configured as the root FortiGate, as this allows you to view the full topology of the Security Fabric from the top down.

To configure the root FortiGate:
  1. On the root FortiGate, go to Security Fabric > Fabric Connectors and double-click the Security Fabric Setup card.
  2. For Status, click Enable.
  3. Set the Security Fabric role to Serve as Fabric Root. FortiAnalyzer logging is automatically enabled and the settings can be configured.

  4. Optionally, enable Source Interface and select an interface to communicate with FortiAnalyzer. If disabled, the interface will be determined based on the routing table.
  5. Enter the FortiAnalyzer IP and select the Upload option.
  6. In the FortiAnalyzer Logging section, in the IP address field, enter the IP address of the FortiAnalyzer.
  7. If required, enable Allow access to FortiGate REST API and, optionally, Verify FortiAnalyzer certificate.

    The REST API accesses the FortiGate topology and shares data and results. The FortiGate will verify the FortiAnalyzer by retrieving its serial number and checking it against the FortiAnalyzer certificate. When verified, the FortiAnalyzer serial number is stored in the FortiGate configuration. When authorizing the FortiGate on the FortiAnalyzer, the FortiGate admin credentials do not need to be entered.

  8. Click Test Connectivity.

    If you select Test Connectivity and this is the first time that you are connecting the FortiGate to the FortiAnalyzer, you will receive a warning message because the FortiGate has not yet been authorized on the FortiAnalyzer. You can configure this authorization when you configure the FortiAnalyzer. See Configuring FortiAnalyzer.

  9. Click OK. The FortiAnalyzer serial number is verified.
  10. Enter a Fabric name.
  11. Ensure Allow other Security Fabric devices to join is enabled and add the interfaces.
  12. Click OK.

Using the root FortiGate with disk to store historic user and device information

This backend implementation allows the root FortiGate in a Security Fabric to store historic user and device information in a database on its disk. This will allow administrators to visualize users and devices over a period of time.

A new daemon, user_info_history, stores this data on the disk. The information source for the historical data will be the user_info daemon, which would be recorded on the disk when user_info notifies user_info_history that a user has logged out or the device is no longer connected.

Add downstream devices

Downstream FortiGate devices can be securely added to the Security Fabric without sharing the password of the root FortiGate.

Downstream device serial numbers can be authorized from the root FortiGate, or allowed to join by request. New authorization requests include the device serial number, IP address, and HA members. HA members can include up to four serial numbers and is used to ensure that, in the event of a fail over, the secondary FortiGate is still authorized.

A downstream device's certificate can also be used to authorize the device by uploaded the certificate to the root FortiGate.

Tooltip

You can use the FortiIPAM service to automatically assign subnets to downstream FortiGates to prevent duplicate IP addresses from overlapping within the same Security Fabric. See Assign a subnet with the FortiIPAM service.

Pre-authorizing the downstream FortiGate

When a downstream Fortinet device's serial number or certificate is added to the trusted list on the root FortiGate, the device can join the Security Fabric as soon as it connects. After the new device is authorized, connected FortiAP and FortiSwitch devices are automatically included in the topology, where they can be authorized with one click.

The interface that connects to the downstream FortiGate must have Security Fabric Connection enabled.

To pre-authorize a FortiGate:
  1. Configure the root FortiGate:
    1. Go to Security Fabric > Fabric Connectors and double-click the Security Fabric Setup card.
    2. In the Device authorization field click Edit. The Device Authorization window opens.
    3. Enter the device's serial number in the Device/Serial field.
    4. Select the Authorization type, either Serial Number or Certificate.
    5. If Certificate is selected, click Browse to upload the downstream device's certificate from the management computer.

    6. Select the Action, either Accept or Deny.
    7. Add more devices as required, then click OK.
    8. Click OK.
  2. Configure the downstream FortiGate:
    1. On the downstream FortiGate, go to Security Fabric > Fabric Connectors and double-click the Security Fabric Setup card.
    2. Set Status to Enable.
    3. Set Security Fabric role to Join Existing Fabric.
    4. Enter the IP address of the root FortiGate in the Upstream FortiGate IP field.
    5. Click OK.
  3. On the root FortiGate, go to Security Fabric > Physical Topology and verify that the downstream FortiGate that you added appears in the Security Fabric topology.

Using LLDP

You can automatically prompt downstream FortiGate devices to join the Security Fabric using Link Layer Discovery Protocol (LLDP) and interface role assignments.

  1. On the root FortiGate, assign the LAN role to all interfaces that may connect to downstream FortiGate devices.

    When the LAN role is assigned to an interface, LLDP transmission is enabled by default.

  2. When a downstream FortiGate is installed, assign the WAN role to the interface that connects to the upstream FortiGate.

    When the WAN role is assigned, LLDP reception is enabled by default. The newly installed FortiGate uses LLDP to discover the upstream FortiGate, and the administrator is prompted to configure the FortiGate to join the Security Fabric.

  3. On the root FortiGate, the new FortiGate must be authorized before it can join the Security Fabric.
Note

If the network contains switches or routers, LLDP may not function as expected because some devices do not pass LLDP packets.

Authorizing a downstream FortiGate

When you log in to an unauthorized, downstream FortiGate, the log in prompt includes the option to authorize the device on the root FortiGate.

When the Security Fabric is disabled on the FortiGate, and a neighboring FortiGate is detected on the same network using LLDP, the log in prompt gives the option to join the Security Fabric.

To authorize a downstream FortiGate:
  1. Log in to the unauthorized, downstream device.

  2. On the Fabric Setup step, click Review authorization on root FortiGate.

    A pop-up window opens to a log in screen for the root FortiGate.

  3. Enter the log in credentials for the root FortiGate, then click Login.

    A list of pending authorizations is shown.

  4. Select Allow and then click OK to authorize the downstream FortiGate. You can also select Deny to reject the authorization, or Later to postpone the decision to the next time that you log in.

    When authorization is allowed, the pop-up window closes, and the log in prompt shows that the downstream FortiGate has been authorized.

  5. Click Done to log in to the downstream FortiGate.
To join an existing fabric that is detected on the same network:
  1. Log in to the device.

  2. On the Fabric Setup step, enable Join Existing Fabric.
  3. Authorize the FortiGate, as previously shown.
To review authorization on the downstream FortiGate:
  1. Go to Security Fabric > Fabric Connectors.
  2. In the gutter on the right side of the screen, click Review authorization on root FortiGate.

    The root FortiGate pop-up window shows the state of the device authorization.

Device request

A device can request to join the Security Fabric from another FortiGate, but it must have the IP address of the root FortiGate. The administrator of the root FortiGate must also authorize the device before it can join the Security Fabric.

The root FortiGate must have Security Fabric Connection enabled on the interface that the device connects to.

To enable FortiTelemetry on an interface:
  1. Go to Network > Interfaces.
  2. Edit the interface that the device that you authorizing to join the Security Fabric is connected to.
  3. Under Administrative Access, enable Security Fabric Connection.
  4. Under Network, turn on Device Detection.
To join the Security Fabric by device request:
  1. Connect to the unauthorized FortiGate or FortiWiFi device, and go to Security Fabric > Fabric Connectors and double-click the Security Fabric Setup card.
  2. For Status, click Enable.
  3. Set Security Fabric role to Join Existing Fabric.
  4. Set Upstream FortiGate IP to the IP address of the upstream FortiGate.
  5. Connect to the root FortiGate and go to Security Fabric > Fabric Connectors. The new FortiGate appears in the topology tree as unauthorized.
  6. Click the unauthorized device and select Authorize to authorize the device.

CLI commands

Use the following commands to view, accept, and deny authorization requests, to view upstream and downstream devices, and to list or test fabric devices:

Command

Description

diagnose sys csf authorization pending-list

View pending authorization requests on the root FortiGate.

diagnose sys csf authorization accept <serial-number-value>

Authorize a device to join the Security Fabric.

diagnose sys csf authorization deny <serial-number-value>

Deny a device from joining the Security Fabric.

diagnose sys csf downstream

Show connected downstream devices.

diagnose sys csf upstream

Show connected upstream devices.

diagnose sys csf fabric-device list

List all known fabric devices.

diagnose sys csf fabric-device test

Test connections to locally configured fabric devices.

Desynchronizing settings

By default, the settings for FortiAnalyzer logging, central management, sandbox inspection, and FortiClient EMS are synchronized between all FortiGate devices in the Security Fabric. To disable the automatic synchronization of these settings, use the following CLI command:

config system csf

set configuration-sync local

end

Deauthorizing a device

A device can be deauthorized to remove it from the Security Fabric.

To deauthorize a device:
  1. On the root FortiGate, go to Security Fabric > Fabric Connectors
  2. In the topology tree, click the device and select Deauthorize.

After devices are deauthorized, the devices' serial numbers are saved in a trusted list that can be viewed in the CLI using the show system csf command. For example, this result shows a deauthorized FortiSwitch:

show system csf

config system csf

set status enable

set group-name "Office-Security-Fabric"

set group-password ENC 1Z2X345V678

config trusted-list

edit "FGT6HD391806070"

next

edit "S248DF3X17000482"

set action deny

next

end

end

Configuring the root FortiGate and downstream FortiGates

The following procedures include configuration steps for a typical Security Fabric implementation, where the edge FortiGate is the root FortiGate, and the downstream FortiGate devices are all devices that are downstream from the root FortiGate.

For information about the recommended number of downstream FortiGates, see the FortiOS 6.4 Best Practices.

Prerequisites

  • FortiGate devices must either have VDOMs disabled or be running in split-task VDOM mode in order to be added to the Security Fabric. See Virtual Domains.
  • FortiGate devices must be operating in NAT mode.

Configure the root FortiGate

The edge FortiGate is typically configured as the root FortiGate, as this allows you to view the full topology of the Security Fabric from the top down.

To configure the root FortiGate:
  1. On the root FortiGate, go to Security Fabric > Fabric Connectors and double-click the Security Fabric Setup card.
  2. For Status, click Enable.
  3. Set the Security Fabric role to Serve as Fabric Root. FortiAnalyzer logging is automatically enabled and the settings can be configured.

  4. Optionally, enable Source Interface and select an interface to communicate with FortiAnalyzer. If disabled, the interface will be determined based on the routing table.
  5. Enter the FortiAnalyzer IP and select the Upload option.
  6. In the FortiAnalyzer Logging section, in the IP address field, enter the IP address of the FortiAnalyzer.
  7. If required, enable Allow access to FortiGate REST API and, optionally, Verify FortiAnalyzer certificate.

    The REST API accesses the FortiGate topology and shares data and results. The FortiGate will verify the FortiAnalyzer by retrieving its serial number and checking it against the FortiAnalyzer certificate. When verified, the FortiAnalyzer serial number is stored in the FortiGate configuration. When authorizing the FortiGate on the FortiAnalyzer, the FortiGate admin credentials do not need to be entered.

  8. Click Test Connectivity.

    If you select Test Connectivity and this is the first time that you are connecting the FortiGate to the FortiAnalyzer, you will receive a warning message because the FortiGate has not yet been authorized on the FortiAnalyzer. You can configure this authorization when you configure the FortiAnalyzer. See Configuring FortiAnalyzer.

  9. Click OK. The FortiAnalyzer serial number is verified.
  10. Enter a Fabric name.
  11. Ensure Allow other Security Fabric devices to join is enabled and add the interfaces.
  12. Click OK.

Using the root FortiGate with disk to store historic user and device information

This backend implementation allows the root FortiGate in a Security Fabric to store historic user and device information in a database on its disk. This will allow administrators to visualize users and devices over a period of time.

A new daemon, user_info_history, stores this data on the disk. The information source for the historical data will be the user_info daemon, which would be recorded on the disk when user_info notifies user_info_history that a user has logged out or the device is no longer connected.

Add downstream devices

Downstream FortiGate devices can be securely added to the Security Fabric without sharing the password of the root FortiGate.

Downstream device serial numbers can be authorized from the root FortiGate, or allowed to join by request. New authorization requests include the device serial number, IP address, and HA members. HA members can include up to four serial numbers and is used to ensure that, in the event of a fail over, the secondary FortiGate is still authorized.

A downstream device's certificate can also be used to authorize the device by uploaded the certificate to the root FortiGate.

Tooltip

You can use the FortiIPAM service to automatically assign subnets to downstream FortiGates to prevent duplicate IP addresses from overlapping within the same Security Fabric. See Assign a subnet with the FortiIPAM service.

Pre-authorizing the downstream FortiGate

When a downstream Fortinet device's serial number or certificate is added to the trusted list on the root FortiGate, the device can join the Security Fabric as soon as it connects. After the new device is authorized, connected FortiAP and FortiSwitch devices are automatically included in the topology, where they can be authorized with one click.

The interface that connects to the downstream FortiGate must have Security Fabric Connection enabled.

To pre-authorize a FortiGate:
  1. Configure the root FortiGate:
    1. Go to Security Fabric > Fabric Connectors and double-click the Security Fabric Setup card.
    2. In the Device authorization field click Edit. The Device Authorization window opens.
    3. Enter the device's serial number in the Device/Serial field.
    4. Select the Authorization type, either Serial Number or Certificate.
    5. If Certificate is selected, click Browse to upload the downstream device's certificate from the management computer.

    6. Select the Action, either Accept or Deny.
    7. Add more devices as required, then click OK.
    8. Click OK.
  2. Configure the downstream FortiGate:
    1. On the downstream FortiGate, go to Security Fabric > Fabric Connectors and double-click the Security Fabric Setup card.
    2. Set Status to Enable.
    3. Set Security Fabric role to Join Existing Fabric.
    4. Enter the IP address of the root FortiGate in the Upstream FortiGate IP field.
    5. Click OK.
  3. On the root FortiGate, go to Security Fabric > Physical Topology and verify that the downstream FortiGate that you added appears in the Security Fabric topology.

Using LLDP

You can automatically prompt downstream FortiGate devices to join the Security Fabric using Link Layer Discovery Protocol (LLDP) and interface role assignments.

  1. On the root FortiGate, assign the LAN role to all interfaces that may connect to downstream FortiGate devices.

    When the LAN role is assigned to an interface, LLDP transmission is enabled by default.

  2. When a downstream FortiGate is installed, assign the WAN role to the interface that connects to the upstream FortiGate.

    When the WAN role is assigned, LLDP reception is enabled by default. The newly installed FortiGate uses LLDP to discover the upstream FortiGate, and the administrator is prompted to configure the FortiGate to join the Security Fabric.

  3. On the root FortiGate, the new FortiGate must be authorized before it can join the Security Fabric.
Note

If the network contains switches or routers, LLDP may not function as expected because some devices do not pass LLDP packets.

Authorizing a downstream FortiGate

When you log in to an unauthorized, downstream FortiGate, the log in prompt includes the option to authorize the device on the root FortiGate.

When the Security Fabric is disabled on the FortiGate, and a neighboring FortiGate is detected on the same network using LLDP, the log in prompt gives the option to join the Security Fabric.

To authorize a downstream FortiGate:
  1. Log in to the unauthorized, downstream device.

  2. On the Fabric Setup step, click Review authorization on root FortiGate.

    A pop-up window opens to a log in screen for the root FortiGate.

  3. Enter the log in credentials for the root FortiGate, then click Login.

    A list of pending authorizations is shown.

  4. Select Allow and then click OK to authorize the downstream FortiGate. You can also select Deny to reject the authorization, or Later to postpone the decision to the next time that you log in.

    When authorization is allowed, the pop-up window closes, and the log in prompt shows that the downstream FortiGate has been authorized.

  5. Click Done to log in to the downstream FortiGate.
To join an existing fabric that is detected on the same network:
  1. Log in to the device.

  2. On the Fabric Setup step, enable Join Existing Fabric.
  3. Authorize the FortiGate, as previously shown.
To review authorization on the downstream FortiGate:
  1. Go to Security Fabric > Fabric Connectors.
  2. In the gutter on the right side of the screen, click Review authorization on root FortiGate.

    The root FortiGate pop-up window shows the state of the device authorization.

Device request

A device can request to join the Security Fabric from another FortiGate, but it must have the IP address of the root FortiGate. The administrator of the root FortiGate must also authorize the device before it can join the Security Fabric.

The root FortiGate must have Security Fabric Connection enabled on the interface that the device connects to.

To enable FortiTelemetry on an interface:
  1. Go to Network > Interfaces.
  2. Edit the interface that the device that you authorizing to join the Security Fabric is connected to.
  3. Under Administrative Access, enable Security Fabric Connection.
  4. Under Network, turn on Device Detection.
To join the Security Fabric by device request:
  1. Connect to the unauthorized FortiGate or FortiWiFi device, and go to Security Fabric > Fabric Connectors and double-click the Security Fabric Setup card.
  2. For Status, click Enable.
  3. Set Security Fabric role to Join Existing Fabric.
  4. Set Upstream FortiGate IP to the IP address of the upstream FortiGate.
  5. Connect to the root FortiGate and go to Security Fabric > Fabric Connectors. The new FortiGate appears in the topology tree as unauthorized.
  6. Click the unauthorized device and select Authorize to authorize the device.

CLI commands

Use the following commands to view, accept, and deny authorization requests, to view upstream and downstream devices, and to list or test fabric devices:

Command

Description

diagnose sys csf authorization pending-list

View pending authorization requests on the root FortiGate.

diagnose sys csf authorization accept <serial-number-value>

Authorize a device to join the Security Fabric.

diagnose sys csf authorization deny <serial-number-value>

Deny a device from joining the Security Fabric.

diagnose sys csf downstream

Show connected downstream devices.

diagnose sys csf upstream

Show connected upstream devices.

diagnose sys csf fabric-device list

List all known fabric devices.

diagnose sys csf fabric-device test

Test connections to locally configured fabric devices.

Desynchronizing settings

By default, the settings for FortiAnalyzer logging, central management, sandbox inspection, and FortiClient EMS are synchronized between all FortiGate devices in the Security Fabric. To disable the automatic synchronization of these settings, use the following CLI command:

config system csf

set configuration-sync local

end

Deauthorizing a device

A device can be deauthorized to remove it from the Security Fabric.

To deauthorize a device:
  1. On the root FortiGate, go to Security Fabric > Fabric Connectors
  2. In the topology tree, click the device and select Deauthorize.

After devices are deauthorized, the devices' serial numbers are saved in a trusted list that can be viewed in the CLI using the show system csf command. For example, this result shows a deauthorized FortiSwitch:

show system csf

config system csf

set status enable

set group-name "Office-Security-Fabric"

set group-password ENC 1Z2X345V678

config trusted-list

edit "FGT6HD391806070"

next

edit "S248DF3X17000482"

set action deny

next

end

end