How Security Fabric authorization works
With FortiManager and FortiOS 7.0.0 and later, the Add Device wizard and Discover mode can use the OAuth protocol for the authorization step. This topic describes how the authorization step works when the OAuth protocol is used. You are not required to use the new authorization method; you can choose the legacy login method instead, which does not use the OAuth protocol.
You can add an online device to FortiManager by using the Add Device wizard and Discover mode. You type the IP address of the FortiGate management port and click Next. At this stage of the wizard, the following actions occur:
- FortiManager connects to the online FortiGate.
- A browser popup window is displayed to let you log in to FortiGate as part of the authorization process:
When FortiManager connects to FortiGate, it retrieves the following settings from FortiOS, which define the accessible FQDN or IP address and the port for FortiOS (management-ip and management-port under config system global):
config system global
    set management-ip <accessible IP address or FQDN>
    set management-port <HTTPS port>
end
In FortiOS, you can also view the management IP and management port in the GUI. Go to Security Fabric > Fabric Connectors > Security Fabric Setup.
FortiManager provides the settings to the browser popup window for connection to FortiGate.
If no FortiOS settings are defined, both FortiManager and the browser popup window use the IP address of the management port and the default HTTPS port for connection to FortiGate.
If FortiManager cannot access the management IP and/or the default HTTPS port for the FortiGate, the wizard fails, and you must specify an accessible management IP on FortiGate before starting the Add Device wizard again.
In some cases FortiManager can access FortiGate, but the browser popup window cannot. For example, if FortiGate is behind NAT, FortiManager can reach the internal IP address of the FortiGate and establish a connection, but the browser popup window cannot reach that internal IP address, so the authentication connection fails. You can work around this problem by specifying an accessible management IP address and port on FortiOS.
As an alternative to specifying the accessible management IP and port for FortiOS, you can use the legacy login for the Add Device wizard with Discover mode. If you are adding a FortiGate running FortiOS 6.4.x or earlier, you must use the legacy login. See Adding online devices using Discover mode and legacy login.
Topologies that do and do not require management IP address and/or port
This section includes examples of topologies that do and do not require you to specify an accessible management IP address for FortiOS so that the browser authorization communication can succeed:
You are not required to specify an accessible management IP address for FortiOS when:
- FortiGate is directly connected to FortiManager.
- FortiGate and FortiManager use the same subnet.
- FortiOS is using the default management HTTPS port.
In this scenario, you can use the Add Device wizard with the IP address of the management port for the FortiGate, and the browser can access the IP address. Authorization communication proceeds.
When using NAT, the following scenarios require you to specify an accessible management IP address for FortiOS:
- FortiGate is behind NAT with VIP.
- FortiManager and FortiGate are behind NAT in the same network.
In these cases, specify the FortiOS virtual public IP (VIP) as the accessible management IP address. After configuration, FortiManager can retrieve the information to enable authentication communication.
The default management HTTPS port for FortiGate is 443. If you are using a custom port, you must specify the custom port used by FortiGate.
For example, when FortiGate uses HTTPS port 8443 instead of 443, you must use the following command on FortiOS to configure the non-default port:
config system global
    set management-port 8443
end
After configuration, FortiManager can retrieve the information to enable authentication communication.