Administration Guide

Preparing FortiGate for supported Security Fabric devices

Before adding supported Security Fabric devices to FortiGate, ensure the following:

  • On FortiGate, ensure that Security Fabric is enabled.

  • On the root FortiGate of the Security Fabric, ensure that Allow other Security Fabric devices to join is enabled.

  • On the root FortiGate, ensure that the appropriate interface is enabled to listen for supported Fabric devices.

  • (As needed) On the root FortiGate, if the device requires REST API access to the root FortiGate, ensure that Allow downstream device REST API access is enabled and select an administrator profile.

    The minimum permission required for the selected administrator profile is Read/Write for User & Device (set authgrp read-write). Grant no more than that: the profile defines what a downstream device can do on the root FortiGate through the REST API.

See Configuring the root FortiGate and downstream FortiGates for details.

Although optional, you can configure pre-authorization of the supported Fabric device on the root FortiGate. Pre-authorized devices can join the Security Fabric at any time, and do not require manual authorization in FortiOS. See Configuring pre-authorization of supported Security Fabric devices.
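The following is an added example, not configuration from this page, showing the root FortiGate side of the prerequisites above: a dedicated administrator profile holding only the minimum permission stated above (Read/Write for User & Device), assigned as the downstream REST API profile. The profile name "fabric-downstream", the group name and the interface "port1" are assumptions.

```fortios
# Added example: root FortiGate prerequisites for supported Security Fabric devices.
# Profile name "fabric-downstream", group name and "port1" are assumptions.
config system accprofile
    edit "fabric-downstream"
        # Minimum permission named on this page: Read/Write for User & Device.
        set authgrp read-write
        # All other permission groups are left at their default of none, so a
        # downstream device's REST API access cannot change policy, system or VPN settings.
    next
end

config system csf
    set status enable
    set group-name "fabric-ai"
    # Allow other Security Fabric devices to join and use the REST API on this root.
    set downstream-access enable
    set downstream-accprofile "fabric-downstream"
end

config system interface
    edit "port1"
        # "fabric" lets Security Fabric devices connect on this interface and
        # "https" carries the REST API. Cleartext "http" is deliberately omitted.
        set allowaccess ping https ssh fgfm fabric
    next
end
```

Check the result with get system csf on the root FortiGate before adding devices; downstream-access must show enable and downstream-accprofile must name the restricted profile, not a super_admin profile.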

The following table identifies commands used for adding supported devices to the Security Fabric.

Command:
    config system interface
        edit <port name>
            set allowaccess {protocols}
        next
    end
Description: Specify management access to the port for the supported Security Fabric device.

Command:
    config system csf
        set status enable
    end
Description: Enable the Security Fabric on FortiGate.

Command:
    config system csf
        set group-name <string>
    end
Description: Specify a group name for the Security Fabric.

Command:
    config system csf
        set downstream-access enable
    end
Description: On the root FortiGate of the Security Fabric, enable REST API access for downstream devices.

Command:
    config system csf
        set downstream-accprofile <string>
    end
Description: Specify the administrator profile that downstream devices use for REST API access to the root FortiGate.

Command:
    config system csf
        config trusted-list
Description: Configure pre-authorization for a device, so that it can join the Security Fabric without manual authorization.

In this example FortiNDR is added to the Security Fabric using the CLI.

To add FortiNDR to the Security Fabric in the CLI:
  1. Configure the interface to allow other Security Fabric devices to join:

    config system interface
        edit "port1"
            set allowaccess ping https ssh http fgfm fabric
        next
    end

    The fabric protocol is what allows Security Fabric devices to connect on this interface. Enable only the other protocols you actually need on it; http is cleartext management access.
  2. Enable the Security Fabric:

    config system csf
        set status enable
        set group-name "fabric-ai"
    end
  3. In FortiNDR, configure the device to join the Security Fabric (upstream-ip is the root FortiGate's address, management-ip is the FortiNDR's own address):

    config system csf
        set status enable
        set upstream-ip 10.6.30.14
        set management-ip 10.6.30.251
    end
  4. Authorize the FortiNDR in FortiOS:

    config system csf
        config trusted-list
            edit "FAIVMSTM21000000"
                set authorization-type certificate
                set certificate "*******************"
            next
        end
    end
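As an added example, not from the original page, the same pre-authorization done by serial number instead of by certificate, followed by a check from the root FortiGate that the device has joined. The serial number is the one used in step 4 above. Prefer certificate authorization where the device supports it: a serial number is printed on the chassis and appears in logs, so it is a weaker proof of identity than a certificate. The set serial line is present in recent FortiOS releases (assumption; on releases without it the entry name itself is the serial), and the diagnose command and its output layout are from FortiOS experience rather than from this page.

```fortios
# Added example: serial-number pre-authorization of the FortiNDR on the root FortiGate.
# Serial number taken from step 4 above; "set serial" is assumed to exist on this release.
config system csf
    config trusted-list
        edit "FAIVMSTM21000000"
            set authorization-type serial
            set serial "FAIVMSTM21000000"
            set action accept
        next
    end
end

# Verify from the root FortiGate that the device has actually joined the Fabric
# (assumed diagnose command; column layout varies between FortiOS versions).
diagnose sys csf downstream
```

If the device is not listed, confirm on the FortiNDR that upstream-ip points at an interface of the root FortiGate on which fabric is in the allowaccess list, and that the serial in the trusted-list entry matches the device exactly.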
