CLI Reference

system csf

Use this command to configure the FortiMail system as a FortiGate Security Fabric member.

Before you enable the Security Fabric on FortiMail:

  1. On FortiGate, enable and configure the Security Fabric.

    If FortiGate is configured so that devices must be pre-approved before they can join the Security Fabric, download the currently active certificate from FortiMail and upload it to the list of authorized devices on FortiGate. Otherwise, after you enable the Security Fabric on FortiMail and it tries to connect, you must manually approve the connection request on FortiGate.

    On some FortiMail models, the Factory certificate does not contain a serial number in its common name (CN) field (for example, CN=FortiMail), and therefore is not a unique identifier. Wildcard certificates are also not unique identifiers. If you need a unique identifier, install a custom certificate and use it as the local certificate.

  2. If the FortiMail local certificate does not have a serial number in the CN field of the subject, then configure both sides to present and accept a different type of certificate.

    1. On FortiGate, configure the following:

      config system csf

      set accept-auth-by-cert enable

      config trusted-list

      edit <FortiMail_name>

      set authorization-type certificate

      next

      end

      end

    2. On FortiMail, set authorization-request-type to certificate (see the Syntax below).

Syntax

config system csf

set status {enable | disable}

set authorization-request-type {certificate | serial}

set group-name <name_str>

set group-password <password_str>

set upstream-ip <address_ipv4>

set upstream-port <port_int>

set management-ip <address_ipv4>

set management-port <port_int>

set configuration-sync {local | sync}

end

authorization-request-type {certificate | serial}

  Indicate the type of local certificate that FortiMail will send to authenticate itself to the upstream FortiGate, either:

  • serial — Serial number is in the CN field of the certificate's subject.

    Usually this option is selected with the certificate named Factory, which is signed by a Fortinet certificate authority (CA) that is trusted by FortiGate, such as CA2.

    On some models, the Factory certificate does not contain the serial number (for example, CN=FortiMail). In that case, if you want to use that certificate, select certificate instead.

  • certificate — Other identifier in the certificate's subject. It could be signed by your internal CA, a third-party CA, or a Fortinet CA. On the upstream FortiGate, you must also configure it to accept non-serial certificates (set accept-auth-by-cert enable under config system csf) and set the trusted-list entry for this FortiMail to authorization-type certificate.

  Default: serial

configuration-sync {local | sync}

  Select either:

  • local — Do not synchronize the configuration through the Security Fabric.

  • sync — Synchronize configuration changes through the Security Fabric to other devices in the fabric.

  Default: local

group-name <name_str>

  Enter the name for the Security Fabric group.

  Deprecated. Group name and password authentication is only for older FortiGate versions and other legacy devices, and only works if the CLI setting for legacy Security Fabric authentication is enabled on FortiGate. Prefer certificate-based authorization.

group-password <password_str>

  Enter the password for the Security Fabric group. Deprecated; see group-name.

management-ip <address_ipv4>

  Enter the IP address on which the FortiMail system listens for Security Fabric connections from the upstream FortiGate.

management-port <port_int>

  Enter the port number on which the FortiMail system listens for Security Fabric connections. Valid range is 1 to 65535.

  Default: 443

status {enable | disable}

  Enable or disable Security Fabric connections to the upstream FortiGate in the Security Fabric.

  Default: enable

upstream-ip <address_ipv4>

  Enter the IP address of the upstream FortiGate in the Security Fabric. This may be the root FortiGate in the Security Fabric or, if there are other firewalls, a firewall that is between FortiMail and the root.

upstream-port <port_int>

  Enter the listening port number of the upstream FortiGate in the Security Fabric. Valid range is 1 to 65535.

  Default: 8013
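The following is an added, complete two-sided configuration for certificate-based authorization, tying together the preparation steps above and the Syntax; it is an illustration written for this page, not configuration from the original page or from Fortinet. The device name fm-mx1, the addresses 192.0.2.1 (FortiGate) and 192.0.2.25 (FortiMail) and the trusted-list "set certificate" line are assumptions; the trusted-list entry holds the FortiMail certificate that step 1 has you download and upload to FortiGate.

```text
# --- On the upstream FortiGate (the root, or the firewall between FortiMail and the root) ---
# Accept certificate-based authorization and pre-authorize this FortiMail by certificate,
# so that no manual approval is needed when it connects.
config system csf
    set status enable
    set accept-auth-by-cert enable
    config trusted-list
        edit "fm-mx1"
            set authorization-type certificate
            # Assumption: the FortiMail local certificate downloaded in step 1,
            # pasted as this entry's certificate.
            set certificate "<PEM of the FortiMail local certificate>"
        next
    end
end

# --- On FortiMail ---
# Present the local certificate by its subject identifier rather than by serial number
# (required when the Factory certificate has CN=FortiMail, or a custom certificate is used).
# The deprecated group-name / group-password pair is deliberately left unset.
config system csf
    set status enable
    set authorization-request-type certificate
    set upstream-ip 192.0.2.1
    set upstream-port 8013
    set management-ip 192.0.2.25
    set management-port 443
    set configuration-sync local
end
```

Once the FortiMail side is committed with end, FortiMail connects out to upstream-ip on upstream-port, and the FortiGate reaches FortiMail on management-ip and management-port. If the trusted-list entry was not created beforehand, the join request appears on FortiGate and must be approved manually; check the certificate subject before approving, since a non-unique CN such as CN=FortiMail cannot distinguish one device from another. Leave configuration-sync at local unless you intend Security Fabric configuration changes to be pushed to the mail gateway.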

Related topics

system certificate crl

system certificate local

certificate (execute commands)

system csf (diagnose commands)