MQTT broker support on FortiGate Rugged
FortiGate Rugged (FGR) can now act as an MQTT broker, so MQTT messages from IoT sensors and systems can be relayed to a central collection platform. Publishers and subscribers communicate through the FGR broker, which improves network scalability.
A new command is available to configure FortiGate as the MQTT broker:
config system mqtt-broker
set status {enable | disable}
set max-clients <integer>
set max-keepalive <integer>
set max-queued-messages <integer>
set anonymous-publish {enable | disable}
set anonymous-subscribe {enable | disable}
set authentication {global | client | disable}
set username <string>
set password <password>
set tls-authentication {enable | disable}
set tls-certificate <string>
set tls-ca <string>
config topic-list
edit <id>
set topic <string>
next
end
end
| Command | Description |
|---|---|
| status {enable \| disable} | Enable/disable MQTT broker (default = disable). |
| max-clients <integer> | Configure the maximum number of concurrent clients (1 - 10000, default = 1000). |
| max-keepalive <integer> | Maximum allowed keepalive time in seconds (30 - 65535, default = 3600). Clients specifying a keepalive value exceeding this limit will be disconnected. |
| max-queued-messages <integer> | Configure the maximum queued message count (0 - 65535, default = 1000). Configure zero for no maximum. |
| anonymous-publish {enable \| disable} | Allow anonymous publishing (applicable only when authentication is disabled) (default = disable). |
| anonymous-subscribe {enable \| disable} | Allow anonymous subscription (applicable only when authentication is disabled) (default = disable). |
| authentication {global \| client \| disable} | Authentication mode: global (one username/password shared by all clients), client (per-client credentials from mqtt-client entries), or disable (default = disable). |
| username <string> | Username to use when global authentication is enabled. |
| password <password> | Password to use when global authentication is enabled. |
| tls-authentication {enable \| disable} | Enable/disable TLS authentication (default = disable). |
| tls-certificate <string> | TLS certificate for MQTT broker server. |
| tls-ca <string> | TLS CA certificate for verifying clients. |
| topic-list.id <integer> | Unique integer ID of the entry (0 - 4294967295, default = 0). |
| topic-list.topic <string> | Topic name. |
A new command is available to configure MQTT clients:
config system mqtt-client
edit <name>
set username <string>
set password <password>
set tls-required {enable | disable}
set subscribe-topics <integers>
set publish-topics <integers>
next
end
| Command | Description |
|---|---|
| username <string> | Client username. |
| password <password> | Client password. |
| tls-required {enable \| disable} | Require TLS authentication (default = disable). |
| subscribe-topics <integers> | Configure allowed subscription topics by topic-list ID (0 - 4294967295, up to 512 values can be entered). |
| publish-topics <integers> | Configure allowed publish topics by topic-list ID (0 - 4294967295, up to 512 values can be entered). |
A new option is available to allow MQTT management access to the FortiGate interface:
config system interface
edit <interface>
...
set allowaccess {... | mqtt |...}
...
next
end
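The following is an added Python model written for this page; it is not FortiOS code and does not reproduce any real broker implementation. It builds and parses an MQTT 3.1.1 CONNECT packet (layout from the OASIS MQTT 3.1.1 specification) and then applies the authentication, max-keepalive and topic-list rules from the broker and client tables above. The names Broker, Client, check_connect and topic_allowed are this example's own, and treating topic-list as the set of topics usable in global mode is an assumption of the model, not something the tables state.

```python
"""Offline model of the FortiGate Rugged MQTT broker checks described above.
Added example for this page, not FortiOS code. Packet layout follows MQTT 3.1.1;
the policy mirrors the option tables. Topic-list bounding 'global' mode is assumed."""
import struct
from dataclasses import dataclass, field

def _utf8(s):
    """MQTT string: 2-byte big-endian length followed by UTF-8 bytes."""
    b = s.encode("utf-8")
    return struct.pack("!H", len(b)) + b

def _remaining_length(n):
    """Variable-length 'remaining length' field, 7 bits per byte."""
    out = bytearray()
    while True:
        byte, n = n & 0x7F, n >> 7
        out.append((byte | 0x80) if n else byte)
        if not n:
            return bytes(out)

def encode_connect(client_id, keepalive, username=None, password=None):
    """Build an MQTT 3.1.1 CONNECT packet (clean session, no will message)."""
    flags, payload = 0x02, _utf8(client_id)
    if username is not None:
        flags, payload = flags | 0x80, payload + _utf8(username)
    if password is not None:
        flags, payload = flags | 0x40, payload + _utf8(password)
    body = _utf8("MQTT") + bytes([4, flags]) + struct.pack("!H", keepalive) + payload
    return bytes([0x10]) + _remaining_length(len(body)) + body

def decode_connect(pkt):
    """Broker-side parse of the CONNECT fields the policy needs."""
    if pkt[0] != 0x10:
        raise ValueError("not a CONNECT packet")
    i, mult, rem = 1, 1, 0
    while True:  # decode the variable-length remaining-length field
        rem, mult, i = rem + (pkt[i] & 0x7F) * mult, mult << 7, i + 1
        if not pkt[i - 1] & 0x80:
            break
    body = pkt[i:i + rem]
    def take(pos):  # length-prefixed field -> (text, next position)
        n = struct.unpack_from("!H", body, pos)[0]
        return body[pos + 2:pos + 2 + n].decode("utf-8", "replace"), pos + 2 + n
    proto, pos = take(0)
    level, flags = body[pos], body[pos + 1]
    keepalive = struct.unpack_from("!H", body, pos + 2)[0]
    client_id, pos = take(pos + 4)
    if flags & 0x04:  # will flag set: skip will topic and will message
        pos = take(take(pos)[1])[1]
    username = password = None
    if flags & 0x80: username, pos = take(pos)
    if flags & 0x40: password, pos = take(pos)
    return {"protocol": proto, "level": level, "keepalive": keepalive,
            "client_id": client_id, "username": username, "password": password}

@dataclass
class Broker:
    """Subset of 'config system mqtt-broker' that the checks below use (hypothetical name)."""
    authentication: str = "disable"  # global | client | disable
    username: str = ""               # credential pair used in global mode
    password: str = ""
    anonymous_publish: bool = False
    anonymous_subscribe: bool = False
    max_keepalive: int = 3600
    topics: dict = field(default_factory=dict)  # topic-list id -> topic name

@dataclass
class Client:  # one 'config system mqtt-client' entry; topic sets hold topic-list ids
    username: str
    password: str
    subscribe_topics: frozenset = frozenset()
    publish_topics: frozenset = frozenset()

def check_connect(broker, clients, pkt):
    """Accept or reject a CONNECT as the option table describes; returns (ok, reason)."""
    c = decode_connect(pkt)
    if c["protocol"] != "MQTT" or c["level"] != 4:
        return False, "unsupported protocol"
    if c["keepalive"] > broker.max_keepalive:  # checked before credentials
        return False, "keepalive exceeds max-keepalive"
    if broker.authentication == "global":
        ok = (c["username"], c["password"]) == (broker.username, broker.password)
    elif broker.authentication == "client":
        entry = clients.get(c["username"])
        ok = entry is not None and entry.password == c["password"]
    else:
        ok = True  # authentication disabled; anonymous-* gate topic use instead
    return ok, "accepted" if ok else "bad credentials"

def topic_allowed(broker, clients, username, action, topic):
    """Per-topic authorization for a PUBLISH or SUBSCRIBE on an accepted session."""
    if broker.authentication == "disable":
        return broker.anonymous_publish if action == "publish" else broker.anonymous_subscribe
    if broker.authentication == "global":
        return topic in broker.topics.values()  # assumption, see module docstring
    entry = clients.get(username)
    if entry is None:
        return False
    ids = entry.publish_topics if action == "publish" else entry.subscribe_topics
    return any(broker.topics.get(i) == topic for i in ids)
```

Fed the values from the worked example on this page (client authentication, max-keepalive 1000, usera bound to topic ID 1), the model refuses a CONNECT whose keepalive is 5000 before looking at credentials, accepts usera with the right password, and lets usera publish to test but not to temp; with authentication disabled, anonymous-publish and anonymous-subscribe are the only thing that grants topic access.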
Example
This section describes how to configure the FortiGate Rugged (FGR) MQTT broker and MQTT clients, validate publish/subscribe (PUB/SUB) behavior, use global authentication, and enable TLS-secured MQTT connections.
To configure the MQTT broker and clients:
- On FortiGate Rugged, configure the MQTT broker:
    config system mqtt-broker
        set status enable
        set max-clients 100
        set max-keepalive 1000
        set authentication client
        config topic-list
            edit 1
                set topic "test"
            next
            edit 2
                set topic "temp"
            next
            edit 3
                set topic "health"
            next
            edit 4
                set topic "food"
            next
        end
    end
- Configure the MQTT clients:
    config system mqtt-client
        edit 1
            set username "usera"
            set password 123456
            set subscribe-topics 1
            set publish-topics 1
        next
        edit 2
            set username "userb"
            set password 123456
            set subscribe-topics 2
            set publish-topics 2
        next
    end
- Configure the interface to allow MQTT access:
    config system interface
        edit "wan1"
            set vdom "root"
            set ip 172.16.200.155 255.255.255.0
            set allowaccess ping https ssh http telnet mqtt
            set type physical
            set role wan
            set snmp-index 1
        next
    end
- Validate the publish/subscribe (PUB/SUB) behavior:
    - The PUB sends a message with the correct username and password on a specific topic:
        root@PC03:~# mosquitto_pub -h 172.16.200.155 -u usera -P 123456 -t test -m 'test hello'
    - The SUB receives the message:
        root@PC01:~# mosquitto_sub -h 172.16.200.155 -u usera -P 123456 -t test
        test hello
To configure global username and password:
- Configure a global username and password:
    config system mqtt-broker
        set status enable
        set max-clients 100
        set max-keepalive 1000
        set authentication global
        set username "test123"
        set password 123456
    end
- Test the connection:
    - The PUB sends a message:
        root@PC03:~# mosquitto_pub -h 172.16.200.155 -p 1883 -u test123 -P 123456 -t temp -m 'hey hey hey'
    - The SUB receives the message:
        root@PC05:~# mosquitto_sub -h 172.16.200.155 -u test123 -P 123456 -t test
To enable TLS-secured MQTT connections:
- On the FortiGate Rugged, enable TLS authentication and specify a self-signed certificate:
    config system mqtt-broker
        set status enable
        set authentication global
        set username "user1"
        set password *
        set tls-authentication enable
        set tls-certificate "server"
        set tls-ca "CA_Cert_1"
        config topic-list
            edit 1
                set topic "test"
            next
            edit 2
                set topic "food"
            next
        end
    end
- Import the certificates to FortiGate Rugged. See CA certificate for details.
- Test the connection:
    - The PUB sends a message over port 8883 using TLS:
        sudo mosquitto_pub -h 172.19.136.6 -p 8883 --cafile ca.crt --cert client.crt --key client.key -t food -m "hello mqtt" -u user1 -P 123456
    - The SUB receives the message:
        sudo mosquitto_sub --cafile ca.crt --cert client.crt --key client.key -h 172.19.136.6 -t food -p 8883 -u user1 -P 123456
        hello mqtt
        ^C