Fortinet black logo

Administration Guide

Configuring the root FortiGate and downstream FortiGates

Configuring the root FortiGate and downstream FortiGates

The following procedures include configuration steps for a typical Security Fabric implementation, where the edge FortiGate is the root FortiGate with other FortiGates that are downstream from the root FortiGate.

For information about the recommended number of downstream FortiGates, see the FortiOS Best Practices.

Prerequisite

  • The FortiGates must be operating in NAT mode.

Configuring the root FortiGate

The edge FortiGate is typically configured as the root FortiGate, as this allows you to view the full topology of the Security Fabric from the top down.

The following steps describe how to add the FortiGate to serve as the root device, and how to configure FortiAnalyzer logging.

To configure the root FortiGate:
  1. On the root FortiGate, go to Security Fabric > Fabric Connectors and double-click the Security Fabric Setup card.
  2. For Status, click Enable.
  3. Set the Security Fabric role to Serve as Fabric Root. FortiAnalyzer logging is automatically enabled and the settings can be configured in the slide-out pane.

    Tooltip

    When neither FortiAnalyzer Logging nor Cloud Logging are enabled, if the FortiGate detects that a FortiAnalyzer Cloud entitlement is available on this FortiGate, the slide-out pane will display Cloud Logging configurations. Otherwise, if Cloud Logging is enabled, the slide-out pane will display the Cloud Logging page. If Cloud Logging is disabled but FortiAnalyzer is enabled, then it will display the FortiAnalyzer Logging page.

    In the Cloud Logging card, there are two options available, FortiGate Cloud and FortiAnalyzer Cloud. If there are multiple services enrolled on the FortiGate, the preference is: Cloud Logging (FortiAnalyzer Cloud), FortiAnalyzer Logging, then Cloud Logging (FortiGate Cloud).

  4. Enter the FortiAnalyzer IP and select the Upload option.
  5. In the FortiAnalyzer Logging section, in the IP address field, enter the IP address of the FortiAnalyzer.
  6. If required, enable Allow access to FortiGate REST API and, optionally, Verify FortiAnalyzer certificate.

    The REST API accesses the FortiGate topology and shares data and results. The FortiGate will verify the FortiAnalyzer by retrieving its serial number and checking it against the FortiAnalyzer certificate. When verified, the FortiAnalyzer serial number is stored in the FortiGate configuration. When authorizing the FortiGate on the FortiAnalyzer, the FortiGate admin credentials do not need to be entered.

  7. Click Test Connectivity.

    If you select Test Connectivity and this is the first time that you are connecting the FortiGate to the FortiAnalyzer, you will receive a warning message because the FortiGate has not yet been authorized on the FortiAnalyzer. You can configure this authorization when you configure the FortiAnalyzer. See Configuring FortiAnalyzer.

  8. Click OK. The FortiAnalyzer serial number is verified.
  9. Enter a Fabric name.
  10. Ensure Allow other Security Fabric devices to join is enabled.
  11. Select the interfaces that will be listening for device join requests. Enabling an interface here has the same effect as going to Network > Interfaces, editing an interface, and enabling Security Fabric Connection under Administrative Access.
  12. Click OK.

Using the root FortiGate with disk to store historic user and device information

This backend implementation allows the root FortiGate in a Security Fabric to store historic user and device information in a database on its disk. This will allow administrators to visualize users and devices over a period of time.

The daemon, user_info_history, stores this data on the disk. The information source for the historical data will be the user_info daemon, which would be recorded on the disk when user_info notifies user_info_history that a user has logged out or the device is no longer connected.

Adding downstream devices

Downstream device serial numbers can be pre-authorized from the root FortiGate, or allowed to join by request. New authorization requests include the device serial number, IP address, and HA members. HA members can include up to four serial numbers and is used to ensure that, in the event of a fail over, the secondary FortiGate is still authorized.

A downstream device's certificate can also be used to authorize the device by uploading the certificate to the root FortiGate.

Pre-authorizing the downstream FortiGate

When a downstream Fortinet device's serial number or certificate is added to the trusted list on the root FortiGate, the device can join the Security Fabric as soon as it connects. After the new device is authorized, connected FortiAP and FortiSwitch devices are automatically included in the topology, where they can be authorized with one click.

The interface that connects to the downstream FortiGate must have Security Fabric Connection enabled.

To pre-authorize a FortiGate:
  1. On the root FortiGate, go to Security Fabric > Fabric Connectors and double-click the Security Fabric Setup card.
  2. In the Device authorization field click Edit. The Device Authorization window opens.
  3. Click Create New to add a new device for pre-authorization.

  4. Enter the device name in the Name field.

  5. Select the Authorization type, either Serial Number or Certificate.
  6. If Certificate is selected, click Browse to upload the downstream device's certificate from the management computer.

  7. Select the Action, either Accept or Deny.
  8. Click OK and add more devices as required.
  9. Click OK.
To configure a downstream FortiGate to connect to an upstream FortiGate:
  1. Configure the downstream FortiGate:
    1. On the downstream FortiGate, go to Security Fabric > Fabric Connectors and double-click the Security Fabric Setup card.
    2. Set Status to Enable.
    3. Set Security Fabric role to Join Existing Fabric.
    4. Enter the IP address of the root FortiGate in the Upstream FortiGate IP field.
    5. Click OK.
  2. On the root FortiGate, go to Security Fabric > Physical Topology and verify that the downstream FortiGate that you added appears in the Security Fabric topology.

Authorizing a downstream FortiGate

When you log in to an unauthorized downstream FortiGate, the log in prompt includes the option to authorize the device on the root FortiGate.

To authorize a downstream FortiGate:
  1. Log in to the unauthorized, downstream device.

  2. In the Fabric Setup step, click Review authorization on root FortiGate.

    A pop-up window opens to a log in screen for the root FortiGate.

  3. Enter the log in credentials for the root FortiGate, then click Login.

    A list of pending authorizations is shown.

  4. Select Allow and then click OK to authorize the downstream FortiGate. You can also select Deny to reject the authorization, or Later to postpone the decision to the next time that you log in.

    When authorization is allowed, the pop-up window closes, and the log in prompt shows that the downstream FortiGate has been authorized.

  5. Click Done to log in to the downstream FortiGate.

Triggering authorization from the Fabric Connectors page

To authorize a downstream device from the Fabric Connectors page:
  1. Go to Security Fabric > Fabric Connectors.
  2. In the gutter on the right side of the screen, click Review authorization on root FortiGate.

    The root FortiGate pop-up window shows the state of the device authorization.

Authorizing the downstream FortiGate from the root

In this example, a downstream FortiGate is unauthorized and it is not registered to a FortiCloud account.

To authorize the downstream FortiGate from the root:
  1. Log in to the root FortiGate and go to Security Fabric > Fabric Connectors. Devices requiring authorization are highlighted in the Topology tree (right-side gutter).
  2. Click on a highlighted device and select Authorize. The Authorize Devices pane opens.

  3. Click Authorize. The Authorization Summary pane opens.

  4. The FortiGate is now authorized, so click Register to register the device to a FortiCloud account.

    The FortiCloud Account pane opens.

  5. Enter the required information (password, country/region, reseller). On the Fabric Connectors page, the same account name is implied for registration.

  6. Click Submit. The Registration Summary pane opens.

  7. Click Close.

Tooltip

You can use IPAM to automatically assign subnets to downstream FortiGates to prevent duplicate IP addresses from overlapping within the same Security Fabric. See Configure IPAM locally on the FortiGate.

CLI commands

Use the following commands to view, accept, and deny authorization requests, to view upstream and downstream devices, and to list or test Fabric devices:

Command

Description

diagnose sys csf authorization pending-list

View pending authorization requests on the root FortiGate.

diagnose sys csf authorization accept <serial number>

Authorize a device to join the Security Fabric.

diagnose sys csf authorization deny <serial number>

Deny a device from joining the Security Fabric.

diagnose sys csf downstream

Show connected downstream devices.

diagnose sys csf upstream

Show connected upstream devices.

diagnose sys csf fabric-device list

List all known Fabric devices.

Desynchronizing settings

By default, the settings for FortiAnalyzer logging, central management, sandbox inspection, and FortiClient EMS are synchronized between all FortiGates in the Security Fabric.

To disable automatic synchronization:
config system csf
    set configuration-sync local
end

Deauthorizing a device

A device can be deauthorized to remove it from the Security Fabric.

To deauthorize a device:
  1. On the root FortiGate, go to Security Fabric > Fabric Connectors.
  2. In the topology tree, click the device and select Deauthorize.

    After a device is deauthorized, the serial number is saved in a trusted list that can be viewed in the CLI using the show system csf command. For example, this result shows a deauthorized FortiSwitch:

    show system csf
        config system csf
            set status enable
            set group-name "Office-Security-Fabric"
            set group-password ************
            config trusted-list
                edit "FGT6HD391800000"
            next
                edit "S248DF3X1700000"
                    set action deny
                next
            end
        end

Configuring the root FortiGate and downstream FortiGates

Configuring the root FortiGate and downstream FortiGates

The following procedures include configuration steps for a typical Security Fabric implementation, where the edge FortiGate is the root FortiGate with other FortiGates that are downstream from the root FortiGate.

For information about the recommended number of downstream FortiGates, see the FortiOS Best Practices.

Prerequisite

  • The FortiGates must be operating in NAT mode.

Configuring the root FortiGate

The edge FortiGate is typically configured as the root FortiGate, as this allows you to view the full topology of the Security Fabric from the top down.

The following steps describe how to add the FortiGate to serve as the root device, and how to configure FortiAnalyzer logging.

To configure the root FortiGate:
  1. On the root FortiGate, go to Security Fabric > Fabric Connectors and double-click the Security Fabric Setup card.
  2. For Status, click Enable.
  3. Set the Security Fabric role to Serve as Fabric Root. FortiAnalyzer logging is automatically enabled and the settings can be configured in the slide-out pane.

    Tooltip

    When neither FortiAnalyzer Logging nor Cloud Logging are enabled, if the FortiGate detects that a FortiAnalyzer Cloud entitlement is available on this FortiGate, the slide-out pane will display Cloud Logging configurations. Otherwise, if Cloud Logging is enabled, the slide-out pane will display the Cloud Logging page. If Cloud Logging is disabled but FortiAnalyzer is enabled, then it will display the FortiAnalyzer Logging page.

    In the Cloud Logging card, there are two options available, FortiGate Cloud and FortiAnalyzer Cloud. If there are multiple services enrolled on the FortiGate, the preference is: Cloud Logging (FortiAnalyzer Cloud), FortiAnalyzer Logging, then Cloud Logging (FortiGate Cloud).

  4. Enter the FortiAnalyzer IP and select the Upload option.
  5. In the FortiAnalyzer Logging section, in the IP address field, enter the IP address of the FortiAnalyzer.
  6. If required, enable Allow access to FortiGate REST API and, optionally, Verify FortiAnalyzer certificate.

    The REST API accesses the FortiGate topology and shares data and results. The FortiGate will verify the FortiAnalyzer by retrieving its serial number and checking it against the FortiAnalyzer certificate. When verified, the FortiAnalyzer serial number is stored in the FortiGate configuration. When authorizing the FortiGate on the FortiAnalyzer, the FortiGate admin credentials do not need to be entered.

  7. Click Test Connectivity.

    If you select Test Connectivity and this is the first time that you are connecting the FortiGate to the FortiAnalyzer, you will receive a warning message because the FortiGate has not yet been authorized on the FortiAnalyzer. You can configure this authorization when you configure the FortiAnalyzer. See Configuring FortiAnalyzer.

  8. Click OK. The FortiAnalyzer serial number is verified.
  9. Enter a Fabric name.
  10. Ensure Allow other Security Fabric devices to join is enabled.
  11. Select the interfaces that will be listening for device join requests. Enabling an interface here has the same effect as going to Network > Interfaces, editing an interface, and enabling Security Fabric Connection under Administrative Access.
  12. Click OK.

Using the root FortiGate with disk to store historic user and device information

This backend implementation allows the root FortiGate in a Security Fabric to store historic user and device information in a database on its disk. This will allow administrators to visualize users and devices over a period of time.

The daemon, user_info_history, stores this data on the disk. The information source for the historical data will be the user_info daemon, which would be recorded on the disk when user_info notifies user_info_history that a user has logged out or the device is no longer connected.

Adding downstream devices

Downstream device serial numbers can be pre-authorized from the root FortiGate, or allowed to join by request. New authorization requests include the device serial number, IP address, and HA members. HA members can include up to four serial numbers and is used to ensure that, in the event of a fail over, the secondary FortiGate is still authorized.

A downstream device's certificate can also be used to authorize the device by uploading the certificate to the root FortiGate.

Pre-authorizing the downstream FortiGate

When a downstream Fortinet device's serial number or certificate is added to the trusted list on the root FortiGate, the device can join the Security Fabric as soon as it connects. After the new device is authorized, connected FortiAP and FortiSwitch devices are automatically included in the topology, where they can be authorized with one click.

The interface that connects to the downstream FortiGate must have Security Fabric Connection enabled.

To pre-authorize a FortiGate:
  1. On the root FortiGate, go to Security Fabric > Fabric Connectors and double-click the Security Fabric Setup card.
  2. In the Device authorization field click Edit. The Device Authorization window opens.
  3. Click Create New to add a new device for pre-authorization.

  4. Enter the device name in the Name field.

  5. Select the Authorization type, either Serial Number or Certificate.
  6. If Certificate is selected, click Browse to upload the downstream device's certificate from the management computer.

  7. Select the Action, either Accept or Deny.
  8. Click OK and add more devices as required.
  9. Click OK.
To configure a downstream FortiGate to connect to an upstream FortiGate:
  1. Configure the downstream FortiGate:
    1. On the downstream FortiGate, go to Security Fabric > Fabric Connectors and double-click the Security Fabric Setup card.
    2. Set Status to Enable.
    3. Set Security Fabric role to Join Existing Fabric.
    4. Enter the IP address of the root FortiGate in the Upstream FortiGate IP field.
    5. Click OK.
  2. On the root FortiGate, go to Security Fabric > Physical Topology and verify that the downstream FortiGate that you added appears in the Security Fabric topology.

Authorizing a downstream FortiGate

When you log in to an unauthorized downstream FortiGate, the log in prompt includes the option to authorize the device on the root FortiGate.

To authorize a downstream FortiGate:
  1. Log in to the unauthorized, downstream device.

  2. In the Fabric Setup step, click Review authorization on root FortiGate.

    A pop-up window opens to a log in screen for the root FortiGate.

  3. Enter the log in credentials for the root FortiGate, then click Login.

    A list of pending authorizations is shown.

  4. Select Allow and then click OK to authorize the downstream FortiGate. You can also select Deny to reject the authorization, or Later to postpone the decision to the next time that you log in.

    When authorization is allowed, the pop-up window closes, and the log in prompt shows that the downstream FortiGate has been authorized.

  5. Click Done to log in to the downstream FortiGate.

Triggering authorization from the Fabric Connectors page

To authorize a downstream device from the Fabric Connectors page:
  1. Go to Security Fabric > Fabric Connectors.
  2. In the gutter on the right side of the screen, click Review authorization on root FortiGate.

    The root FortiGate pop-up window shows the state of the device authorization.

Authorizing the downstream FortiGate from the root

In this example, a downstream FortiGate is unauthorized and it is not registered to a FortiCloud account.

To authorize the downstream FortiGate from the root:
  1. Log in to the root FortiGate and go to Security Fabric > Fabric Connectors. Devices requiring authorization are highlighted in the Topology tree (right-side gutter).
  2. Click on a highlighted device and select Authorize. The Authorize Devices pane opens.

  3. Click Authorize. The Authorization Summary pane opens.

  4. The FortiGate is now authorized, so click Register to register the device to a FortiCloud account.

    The FortiCloud Account pane opens.

  5. Enter the required information (password, country/region, reseller). On the Fabric Connectors page, the same account name is implied for registration.

  6. Click Submit. The Registration Summary pane opens.

  7. Click Close.

Tooltip

You can use IPAM to automatically assign subnets to downstream FortiGates to prevent duplicate IP addresses from overlapping within the same Security Fabric. See Configure IPAM locally on the FortiGate.

CLI commands

Use the following commands to view, accept, and deny authorization requests, to view upstream and downstream devices, and to list or test Fabric devices:

Command

Description

diagnose sys csf authorization pending-list

View pending authorization requests on the root FortiGate.

diagnose sys csf authorization accept <serial number>

Authorize a device to join the Security Fabric.

diagnose sys csf authorization deny <serial number>

Deny a device from joining the Security Fabric.

diagnose sys csf downstream

Show connected downstream devices.

diagnose sys csf upstream

Show connected upstream devices.

diagnose sys csf fabric-device list

List all known Fabric devices.

Desynchronizing settings

By default, the settings for FortiAnalyzer logging, central management, sandbox inspection, and FortiClient EMS are synchronized between all FortiGates in the Security Fabric.

To disable automatic synchronization:
config system csf
    set configuration-sync local
end

Deauthorizing a device

A device can be deauthorized to remove it from the Security Fabric.

To deauthorize a device:
  1. On the root FortiGate, go to Security Fabric > Fabric Connectors.
  2. In the topology tree, click the device and select Deauthorize.

    After a device is deauthorized, the serial number is saved in a trusted list that can be viewed in the CLI using the show system csf command. For example, this result shows a deauthorized FortiSwitch:

    show system csf
        config system csf
            set status enable
            set group-name "Office-Security-Fabric"
            set group-password ************
            config trusted-list
                edit "FGT6HD391800000"
            next
                edit "S248DF3X1700000"
                    set action deny
                next
            end
        end