Fortinet black logo

Administration Guide

Configuring the root FortiGate and downstream FortiGates

Configuring the root FortiGate and downstream FortiGates

The following procedures include configuration steps for a typical Security Fabric implementation, where the edge FortiGate is the root FortiGate with other FortiGates that are downstream from the root FortiGate.

For information about the recommended number of downstream FortiGates, see the FortiOS Best Practices.

Note

As part of improvements to reducing memory usage, FortiGate models with 2 GB RAM can authorize up to five devices when serving as a Fabric root.

The affected models are the FortiGate 40F, 60E, 60F, 80E, and 90E series devices and their variants.

Prerequisite

  • The FortiGates must be operating in NAT mode.

Configuring the root FortiGate

The edge FortiGate is typically configured as the root FortiGate, as this allows you to view the full topology of the Security Fabric from the top down. The following steps describe how to add the FortiGate to serve as the root device.

To configure the root FortiGate:
  1. On the root FortiGate, go to Security Fabric > Fabric Connectors and double-click the Security Fabric Setup card.

  2. Set the Security Fabric role to Serve as Fabric Root.

  3. Enter a Fabric name.

  4. Ensure Allow other Security Fabric devices to join is enabled.

  5. Select the interfaces that will be listening for device join requests. Enabling an interface here has the same effect as going to Network > Interfaces, editing an interface, and enabling Security Fabric Connection under Administrative Access.

  6. Optionally, enable Allow downstream device REST API access to allow access to the REST API of the root FortiGate for API requests coming from downstream Security Fabric devices. This option must be enabled to use certain supported devices (such as FortiDeceptor and FortiMonitor) and the Fabric event trigger.

  7. Click OK.

Using the root FortiGate with disk to store historic user and device information

This backend implementation allows the root FortiGate in a Security Fabric to store historic user and device information in a database on its disk. This will allow administrators to visualize users and devices over a period of time.

The daemon, user_info_history, stores this data on the disk. The information source for the historical data will be the user_info daemon, which would be recorded on the disk when user_info notifies user_info_history that a user has logged out or the device is no longer connected.

Adding downstream devices

Downstream device serial numbers can be pre-authorized from the root FortiGate, or allowed to join by request. New authorization requests include the device serial number, IP address, and HA members. HA members can include up to four serial numbers and is used to ensure that, in the event of a fail over, the secondary FortiGate is still authorized. A downstream device's certificate can also be used to authorize the device by uploading the certificate to the root FortiGate.

The LAN Edge Devices card on the Fabric Connectors page displays a summary about the FortiGates, FortiAPs, FortiSwitches, and FortiExtenders in the Fabric. Information about the device type, number of devices, and number of unregistered and unauthorized devices is displayed. If there are devices that do not have a green checkmark in the Status column, hover over the status message to view the tooltip with required action. In this example, there is a downstream FortiGate that require authorization. The tooltip includes a link to the System > Firmware & Registration page to authorize the FortiGates.

The Supported Connectors card displays the icons of different Fortinet devices that support full Security Fabric integration. See Configuring supported connectors for more information about configuring supported Fabric connectors.

Pre-authorizing the downstream FortiGate

When a downstream Fortinet device's serial number or certificate is added to the trusted list on the root FortiGate, the device can join the Security Fabric as soon as it connects. After the new device is authorized, connected FortiAP and FortiSwitch devices are automatically included in the topology, where they can be authorized with one click.

The interface that connects to the downstream FortiGate must have Security Fabric Connection enabled.

To pre-authorize a FortiGate:
  1. On the root FortiGate, go to Security Fabric > Fabric Connectors and double-click the Security Fabric Setup card.

  2. In the Device authorization field and click Edit. The Device Authorization pane opens.

  3. Click Create New to add a new device for pre-authorization.

  4. Enter the device name in the Name field.

  5. Select the Authorization type, either Serial Number or Certificate.

  6. If Certificate is selected, click Browse to upload the downstream device's certificate from the management computer.

  7. Set the Action to Accept.

  8. Click OK and add more devices as required.

  9. Click OK.

To configure a downstream FortiGate to connect to an upstream FortiGate:
  1. Configure the downstream FortiGate:

    1. On the downstream FortiGate, go to Security Fabric > Fabric Connectors and double-click the Security Fabric Setup card.

    2. Set the Security Fabric role to Join Existing Fabric.

    3. Enter the IP address of the root FortiGate in the Upstream FortiGate IP/FQDN field.

    4. Click OK.

  2. On the root FortiGate, go to Security Fabric > Physical Topology and verify that the downstream FortiGate that you added appears in the Security Fabric topology.

Authorizing a downstream FortiGate

When you log in to an unauthorized downstream FortiGate, the log in prompt includes the option to authorize the device on the root FortiGate.

To authorize a downstream FortiGate:
  1. Log in to the unauthorized, downstream device.

  2. In the Fabric Setup step, click Review Authorization on Root FortiGate.

    A pop-up window opens to a log in screen for the root FortiGate.

  3. Enter the log in credentials for the root FortiGate, then click Login.

    A list of pending authorizations is shown.

  4. Select Allow and then click OK to authorize the downstream FortiGate. You can also select Deny to reject the authorization, or Later to postpone the decision to the next time that you log in.

    When authorization is allowed, the pop-up window closes, and the log in prompt shows that the downstream FortiGate has been authorized.

  5. Click Done to log in to the downstream FortiGate.

Triggering authorization from the GUI

A downstream device can be authorized in the root FortiGate's GUI by using the Firmware & Registration page (see Authorizing devices for more information).

To authorize a downstream FortiGate from the Firmware & Registration page:
  1. Go to System > Firmware & Registration.

  2. Select the unauthorized device and click Authorization > Authorize.

    A notification appears in the top-right corner once the device is authorized.

  3. Refresh the page. The FortiGate's status is now Online.

Registering the downstream devices to FortiCloud

In this example, a downstream FortiGate has just been authorized, but it is not registered to a FortiCloud account. A device can be registered on the root FortiGate to a FortiCloud account.

To register the downstream FortiGate from the root:
  1. Log in to the root FortiGate and go to System > Firmware & Registration

  2. Select an unregistered device and click Register. The Device Registration pane opens.

  3. Enter the required information (password, country/region, reseller, and end-user type).

  4. Click Submit. The Registration Summary pane opens.

  5. Click Close.

Tooltip

You can use IPAM to automatically assign subnets to downstream FortiGates to prevent duplicate IP addresses from overlapping within the same Security Fabric. See Configure IPAM locally on the FortiGate.

Deauthorizing a device

A device can be deauthorized to remove it from the Security Fabric in the root FortiGate's GUI by using the Firmware & Registration page (see Authorizing devices for more information).

To deauthorize a device from the Firmware & Registration page:
  1. Go to System > Firmware & Registration.

  2. Select the authorized device and click Authorization > Deauthorize.

    A notification appears in the top-right corner once the device is deauthorized.

  3. Refresh the page. The FortiGate is moved to the bottom of the list, and it's status is Unauthorized.

After a device is deauthorized, the serial number is saved in a trusted list that can be viewed in the CLI using the show system csf command. For example, this result shows a deauthorized FortiSwitch:

show system csf
    config system csf
        set status enable
        set group-name "Office-Security-Fabric"
        set group-password ************
        config trusted-list
            edit "FGT6HD391800000"
        next
            edit "S248DF3X1700000"
                set action deny
            next
        end
    end

CLI commands

Use the following commands to view, accept, and deny authorization requests, to view upstream and downstream devices, and to list or test Fabric devices:

Command

Description

diagnose sys csf authorization pending-list

View pending authorization requests on the root FortiGate.

diagnose sys csf authorization accept <serial number> [name]

Authorize a device to join the Security Fabric.

diagnose sys csf authorization deny <serial number> [name]

Deny a device from joining the Security Fabric.

diagnose sys csf downstream

Show connected downstream FortiGates.

diagnose sys csf downstream-devices <device type>

Show downstream fabric devices.

diagnose sys csf upstream

Show connected upstream devices.

diagnose sys csf fabric-device list

List all known Fabric devices.

diagnose sys csf global

Show a summary of all connected members in Security Fabric.

Desynchronizing settings

By default, the settings for FortiAnalyzer logging, central management, sandbox inspection, and FortiClient EMS are synchronized between all FortiGates in the Security Fabric.

To disable automatic synchronization:
config system csf
    set configuration-sync local
end

Configuring the root FortiGate and downstream FortiGates

The following procedures include configuration steps for a typical Security Fabric implementation, where the edge FortiGate is the root FortiGate with other FortiGates that are downstream from the root FortiGate.

For information about the recommended number of downstream FortiGates, see the FortiOS Best Practices.

Note

As part of improvements to reducing memory usage, FortiGate models with 2 GB RAM can authorize up to five devices when serving as a Fabric root.

The affected models are the FortiGate 40F, 60E, 60F, 80E, and 90E series devices and their variants.

Prerequisite

  • The FortiGates must be operating in NAT mode.

Configuring the root FortiGate

The edge FortiGate is typically configured as the root FortiGate, as this allows you to view the full topology of the Security Fabric from the top down. The following steps describe how to add the FortiGate to serve as the root device.

To configure the root FortiGate:
  1. On the root FortiGate, go to Security Fabric > Fabric Connectors and double-click the Security Fabric Setup card.

  2. Set the Security Fabric role to Serve as Fabric Root.

  3. Enter a Fabric name.

  4. Ensure Allow other Security Fabric devices to join is enabled.

  5. Select the interfaces that will be listening for device join requests. Enabling an interface here has the same effect as going to Network > Interfaces, editing an interface, and enabling Security Fabric Connection under Administrative Access.

  6. Optionally, enable Allow downstream device REST API access to allow access to the REST API of the root FortiGate for API requests coming from downstream Security Fabric devices. This option must be enabled to use certain supported devices (such as FortiDeceptor and FortiMonitor) and the Fabric event trigger.

  7. Click OK.

Using the root FortiGate with disk to store historic user and device information

This backend implementation allows the root FortiGate in a Security Fabric to store historic user and device information in a database on its disk. This will allow administrators to visualize users and devices over a period of time.

The daemon, user_info_history, stores this data on the disk. The information source for the historical data will be the user_info daemon, which would be recorded on the disk when user_info notifies user_info_history that a user has logged out or the device is no longer connected.

Adding downstream devices

Downstream device serial numbers can be pre-authorized from the root FortiGate, or allowed to join by request. New authorization requests include the device serial number, IP address, and HA members. HA members can include up to four serial numbers and is used to ensure that, in the event of a fail over, the secondary FortiGate is still authorized. A downstream device's certificate can also be used to authorize the device by uploading the certificate to the root FortiGate.

The LAN Edge Devices card on the Fabric Connectors page displays a summary about the FortiGates, FortiAPs, FortiSwitches, and FortiExtenders in the Fabric. Information about the device type, number of devices, and number of unregistered and unauthorized devices is displayed. If there are devices that do not have a green checkmark in the Status column, hover over the status message to view the tooltip with required action. In this example, there is a downstream FortiGate that require authorization. The tooltip includes a link to the System > Firmware & Registration page to authorize the FortiGates.

The Supported Connectors card displays the icons of different Fortinet devices that support full Security Fabric integration. See Configuring supported connectors for more information about configuring supported Fabric connectors.

Pre-authorizing the downstream FortiGate

When a downstream Fortinet device's serial number or certificate is added to the trusted list on the root FortiGate, the device can join the Security Fabric as soon as it connects. After the new device is authorized, connected FortiAP and FortiSwitch devices are automatically included in the topology, where they can be authorized with one click.

The interface that connects to the downstream FortiGate must have Security Fabric Connection enabled.

To pre-authorize a FortiGate:
  1. On the root FortiGate, go to Security Fabric > Fabric Connectors and double-click the Security Fabric Setup card.

  2. In the Device authorization field and click Edit. The Device Authorization pane opens.

  3. Click Create New to add a new device for pre-authorization.

  4. Enter the device name in the Name field.

  5. Select the Authorization type, either Serial Number or Certificate.

  6. If Certificate is selected, click Browse to upload the downstream device's certificate from the management computer.

  7. Set the Action to Accept.

  8. Click OK and add more devices as required.

  9. Click OK.

To configure a downstream FortiGate to connect to an upstream FortiGate:
  1. Configure the downstream FortiGate:

    1. On the downstream FortiGate, go to Security Fabric > Fabric Connectors and double-click the Security Fabric Setup card.

    2. Set the Security Fabric role to Join Existing Fabric.

    3. Enter the IP address of the root FortiGate in the Upstream FortiGate IP/FQDN field.

    4. Click OK.

  2. On the root FortiGate, go to Security Fabric > Physical Topology and verify that the downstream FortiGate that you added appears in the Security Fabric topology.

Authorizing a downstream FortiGate

When you log in to an unauthorized downstream FortiGate, the log in prompt includes the option to authorize the device on the root FortiGate.

To authorize a downstream FortiGate:
  1. Log in to the unauthorized, downstream device.

  2. In the Fabric Setup step, click Review Authorization on Root FortiGate.

    A pop-up window opens to a log in screen for the root FortiGate.

  3. Enter the log in credentials for the root FortiGate, then click Login.

    A list of pending authorizations is shown.

  4. Select Allow and then click OK to authorize the downstream FortiGate. You can also select Deny to reject the authorization, or Later to postpone the decision to the next time that you log in.

    When authorization is allowed, the pop-up window closes, and the log in prompt shows that the downstream FortiGate has been authorized.

  5. Click Done to log in to the downstream FortiGate.

Triggering authorization from the GUI

A downstream device can be authorized in the root FortiGate's GUI by using the Firmware & Registration page (see Authorizing devices for more information).

To authorize a downstream FortiGate from the Firmware & Registration page:
  1. Go to System > Firmware & Registration.

  2. Select the unauthorized device and click Authorization > Authorize.

    A notification appears in the top-right corner once the device is authorized.

  3. Refresh the page. The FortiGate's status is now Online.

Registering the downstream devices to FortiCloud

In this example, a downstream FortiGate has just been authorized, but it is not registered to a FortiCloud account. A device can be registered on the root FortiGate to a FortiCloud account.

To register the downstream FortiGate from the root:
  1. Log in to the root FortiGate and go to System > Firmware & Registration

  2. Select an unregistered device and click Register. The Device Registration pane opens.

  3. Enter the required information (password, country/region, reseller, and end-user type).

  4. Click Submit. The Registration Summary pane opens.

  5. Click Close.

Tooltip

You can use IPAM to automatically assign subnets to downstream FortiGates to prevent duplicate IP addresses from overlapping within the same Security Fabric. See Configure IPAM locally on the FortiGate.

Deauthorizing a device

A device can be deauthorized to remove it from the Security Fabric in the root FortiGate's GUI by using the Firmware & Registration page (see Authorizing devices for more information).

To deauthorize a device from the Firmware & Registration page:
  1. Go to System > Firmware & Registration.

  2. Select the authorized device and click Authorization > Deauthorize.

    A notification appears in the top-right corner once the device is deauthorized.

  3. Refresh the page. The FortiGate is moved to the bottom of the list, and it's status is Unauthorized.

After a device is deauthorized, the serial number is saved in a trusted list that can be viewed in the CLI using the show system csf command. For example, this result shows a deauthorized FortiSwitch:

show system csf
    config system csf
        set status enable
        set group-name "Office-Security-Fabric"
        set group-password ************
        config trusted-list
            edit "FGT6HD391800000"
        next
            edit "S248DF3X1700000"
                set action deny
            next
        end
    end

CLI commands

Use the following commands to view, accept, and deny authorization requests, to view upstream and downstream devices, and to list or test Fabric devices:

Command

Description

diagnose sys csf authorization pending-list

View pending authorization requests on the root FortiGate.

diagnose sys csf authorization accept <serial number> [name]

Authorize a device to join the Security Fabric.

diagnose sys csf authorization deny <serial number> [name]

Deny a device from joining the Security Fabric.

diagnose sys csf downstream

Show connected downstream FortiGates.

diagnose sys csf downstream-devices <device type>

Show downstream fabric devices.

diagnose sys csf upstream

Show connected upstream devices.

diagnose sys csf fabric-device list

List all known Fabric devices.

diagnose sys csf global

Show a summary of all connected members in Security Fabric.

Desynchronizing settings

By default, the settings for FortiAnalyzer logging, central management, sandbox inspection, and FortiClient EMS are synchronized between all FortiGates in the Security Fabric.

To disable automatic synchronization:
config system csf
    set configuration-sync local
end