More secure request authorization with OAuth protocol
FortiManager and FortiGate support the Open Authentication (OAuth) protocol to provide increased security for request authorization.
In FortiManager, the Add Device wizard supports the Open Authentication (OAuth) protocol to log in to FortiGate devices and authorize them for management by FortiManager. As an alternative to the OAuth method, the Add Device wizard also supports the legacy device login method.
In FortiOS, the OAuth protocol is used when you create a fabric connector in FortiOS for FortiManager to request management by FortiManager.
This topic includes the following sections:
- Using FortiManager Add Device wizard OAuth method
- Using FortiManager Add Device wizard legacy method
- Using FortiOS fabric connector for FortiManager
Using FortiManager Add Device wizard OAuth method
The Add Device wizard in FortiManager now supports the OAuth protocol for device login and authentication.
When FortiGate is directly connected to FortiManager without NAT, the OAuth protocol can be used without setting an accessible IP address on FortiGate.
However, when the OAuth protocol is used with either of the following network topologies, you must specify an accessible IP address on FortiGate for FortiManager to use:
- FortiGate is behind NAT with VIP.
- FortiManager and FortiGate are behind NAT and in the same network.
You can use the following CLI on the FortiGate to specify an accessible IP address for FortiManager to use:
config system global
set management-ip <ip-address>
set management-port <port>
end
As an alternative to the OAuth method, the Add Device wizard also supports the legacy device login method.
To use the new device login method with OAuth protocol:
- In FortiOS, configure an accessible IP address on the FortiGate by using the following FortiOS command, if necessary:
config system global
set management-ip <ip-address>
set management-port <port>
end
- In FortiManager, go to Device Manager, and click Add Device. The Add Device wizard is displayed.
- Click Discover Device.
- In the IP Address box, type the IP address for the FortiGate, and click Next.
The Fortinet Security Fabric dialog box is displayed.
- Complete the following options to log in to the device by using the OAuth method:
  - In the admin box, type the username for the FortiGate device.
  - In the Password box, type the password for the FortiGate device.
  - Click Login. The next dialog box is displayed.
- Click Allow, and click OK to authorize the device for management by FortiManager. The next dialog box in the wizard is displayed.
- Complete the remaining screens in the wizard to finish adding the device.
Using FortiManager Add Device wizard legacy method
The Add Device wizard in FortiManager continues to support the legacy login method. The legacy login method does not use the OAuth protocol.
To use legacy device login:
- Go to Device Manager, and click Add Device. The Add Device wizard is displayed.
- Click Discover Device.
- In the IP Address box, type the IP address for the FortiGate.
- Toggle Use legacy device login to ON, and complete the following options to use legacy device login:
  - In the User Name box, type the username for the FortiGate device.
  - In the Password box, type the password for the FortiGate device.
- Click Next to continue using the wizard and finish adding the device.
Using FortiOS fabric connector for FortiManager
From FortiOS, you can send a request to FortiManager for management by creating a fabric connector for FortiManager. In FortiOS, fabric connectors for FortiManager use the OAuth protocol for FortiManager authentication and authorization.
When FortiGate is directly connected to FortiManager or behind NAT with VIP, the OAuth protocol can be used without setting an accessible IP address on FortiManager.
When FortiManager and FortiGate are behind NAT and in the same network, you must specify an accessible IP address on FortiManager for FortiOS to use.
You can use the following CLI on FortiManager to specify an accessible IP address for FortiOS to use:
config system admin settings
set auth-addr <ip-address>
set auth-port <port>
end
To use FortiGate fabric connectors:
- In FortiManager, configure an accessible IP address by using the following FortiManager command, if necessary:
config system admin settings
set auth-addr <ip-address>
set auth-port <port>
end
- In FortiOS, go to Security Fabric > Fabric Connectors, and double-click FortiManager. The Edit Fabric Connector pane is displayed.
- In the IP/Domain Name box, type the IP address for FortiManager, and click OK.
A Confirm pane is displayed, stating that FortiOS sent the request to FortiManager.
- When communication with FortiManager is established, click OK to review authorization.
The Fortinet Security Fabric dialog box is displayed.
- Complete the following options to log in to the device by using the OAuth method:
  - In the admin box, type the username for the FortiManager device.
  - In the Password box, type the password for the FortiManager device.
  - Click Login. The next dialog box is displayed.
- Click Approve, and click OK to authorize management by FortiManager. The request is approved and proceeds.
FortiGate is now managed by FortiManager.