CLI Reference

config system csf

Add this FortiProxy to a Security Fabric or set up a new Security Fabric on this FortiProxy.

config system csf
    Description: Add this FortiProxy to a Security Fabric or set up a new Security Fabric on this FortiProxy.
    set status [enable|disable]
    set uid {string}
    set upstream {string}
    set source-ip {ipv4-address}
    set upstream-interface-select-method [auto|specify]
    set upstream-interface {string}
    set upstream-port {integer}
    set group-name {string}
    set group-password {password}
    set accept-auth-by-cert [disable|enable]
    set log-unification [disable|enable]
    set authorization-request-type [serial|certificate]
    set certificate {string}
    set fabric-workers {integer}
    set downstream-access [enable|disable]
    set license-sharing [enable|disable]
    set preferred-seats {integer}
    set legacy-authentication [disable|enable]
    set downstream-accprofile {string}
    set configuration-sync [default|local]
    set fabric-object-unification [default|local]
    set saml-configuration-sync [default|local]
    config trusted-list
        Description: Pre-authorized and blocked security fabric nodes.
        edit <name>
            set authorization-type [serial|certificate]
            set serial {string}
            set certificate {var-string}
            set action [accept|deny]
            set ha-members {string}
            set downstream-authorization [enable|disable]
            set preferred-seats {integer}
            set index {integer}
        next
    end
    config fabric-connector
        Description: Fabric connector configuration.
        edit <serial>
            set accprofile {string}
            set configuration-write-access [enable|disable]
            set vdom <name1>, <name2>, ...
        next
    end
    set forticloud-account-enforcement [enable|disable]
    set file-mgmt [enable|disable]
    set file-quota {integer}
    set file-quota-warning {integer}
end

config system csf

| Parameter | Description | Type | Size | Default |
| --- | --- | --- | --- | --- |
| status | Enable/disable Security Fabric. Options: enable (Enable Security Fabric.); disable (Disable Security Fabric.) | option | - | disable |
| uid | Unique ID of the current CSF node. | string | Maximum length: 35 | |
| upstream | IP/FQDN of the FortiProxy upstream from this FortiProxy in the Security Fabric. | string | Maximum length: 255 | |
| source-ip | Source IP address for communication with the upstream FortiGate. | ipv4-address | Not Specified | 0.0.0.0 |
| upstream-interface-select-method | Specify how to select outgoing interface to reach server. Options: auto (Set outgoing interface automatically.); specify (Set outgoing interface manually.) | option | - | auto |
| upstream-interface | Specify outgoing interface to reach server. | string | Maximum length: 15 | |
| upstream-port | The port number to use to communicate with the FortiProxy upstream from this FortiProxy in the Security Fabric. | integer | Minimum value: 1 Maximum value: 65535 | 8013 |
| group-name | Security Fabric group name. All FortiProxy devices in a Security Fabric must have the same group name. | string | Maximum length: 35 | |
| group-password | Security Fabric group password. For legacy authentication, fabric members must have the same group password. | password | Not Specified | |
| accept-auth-by-cert | Accept connections with unknown certificates and ask admin for approval. Options: disable (Do not accept SSL connections with unknown certificates.); enable (Accept SSL connections without automatic certificate verification.) | option | - | enable |
| log-unification | Enable/disable broadcast of discovery messages for log unification. Options: disable (Disable broadcast of discovery messages for log unification.); enable (Enable broadcast of discovery messages for log unification.) | option | - | enable |
| authorization-request-type | Authorization request type. Options: serial (Request verification by serial number.); certificate (Request verification by certificate.) | option | - | serial |
| certificate | Certificate. | string | Maximum length: 35 | |
| fabric-workers | Number of worker processes for Security Fabric daemon. | integer | Minimum value: 1 Maximum value: 4 | 2 |
| downstream-access | Enable/disable downstream device access to this device's configuration and data. Options: enable (Enable downstream device access to this device's configuration and data.); disable (Disable downstream device access to this device's configuration and data.) | option | - | disable |
| license-sharing | Enable/disable license sharing between FortiProxy devices. Options: enable (Enable license sharing.); disable (Disable license sharing.) | option | - | enable |
| preferred-seats | The number of seats that this FortiProxy device, as CSF root, should be allocated. The number of guaranteed seats is capped by the minimum of the number of locally purchased seats and the number of preferred seats. The rest of the preferred seats are allocated from the shared pool at higher priority. | integer | Minimum value: 0 Maximum value: 4294967295 | 0 |
| legacy-authentication | Enable/disable legacy authentication. Options: disable (Do not accept legacy authentication requests.); enable (Accept legacy authentication requests.) | option | - | enable |
| downstream-accprofile | Default access profile for requests from downstream devices. | string | Maximum length: 35 | |
| configuration-sync | Configuration sync mode. Options: default (Synchronize configuration for IPAM, FortiAnalyzer, FortiSandbox, and Central Management to root node.); local (Do not synchronize configuration with root node.) | option | - | default |
| fabric-object-unification | Fabric CMDB Object Unification. Options: default (Global CMDB objects will be synchronized in Security Fabric.); local (Global CMDB objects will not be synchronized to and from this device.) | option | - | default |
| saml-configuration-sync | SAML setting configuration synchronization. Options: default (SAML setting for fabric members is created by fabric root.); local (Do not apply SAML configuration generated by root.) | option | - | default |
| forticloud-account-enforcement | Fabric FortiCloud account unification. Options: enable (Enable FortiCloud account ID matching for Security Fabric.); disable (Disable FortiCloud account ID matching for Security Fabric.) | option | - | enable |
| file-mgmt | Enable/disable Security Fabric daemon file management. Options: enable (Enable daemon file management.); disable (Disable daemon file management.) | option | - | enable |
| file-quota | Maximum amount of memory that can be used by the daemon files (in bytes). | integer | Minimum value: 0 Maximum value: 4294967295 | 0 |
| file-quota-warning | Warn when the set percentage of quota has been used. | integer | Minimum value: 1 Maximum value: 99 | 90 |

config trusted-list

| Parameter | Description | Type | Size | Default |
| --- | --- | --- | --- | --- |
| name | Name. | string | Maximum length: 35 | |
| authorization-type | Authorization type. Options: serial (Verify downstream by serial number.); certificate (Verify downstream by certificate.) | option | - | serial |
| serial | Serial. | string | Maximum length: 19 | |
| certificate | Certificate. | var-string | Maximum length: 32767 | |
| action | Security fabric authorization action. Options: accept (Accept authorization request.); deny (Deny authorization request.) | option | - | accept |
| ha-members | HA members. | string | Maximum length: 19 | |
| downstream-authorization | Trust authorizations by this node's administrator. Options: enable (Enable downstream authorization.); disable (Disable downstream authorization.) | option | - | disable |
| preferred-seats | The number of seats that this FortiProxy device should be allocated. The number of guaranteed seats is capped by the minimum of the number of locally purchased seats and the number of preferred seats. The rest of the preferred seats are allocated from the shared pool at higher priority. | integer | Minimum value: 0 Maximum value: 4294967295 | 0 |
| index | Index of the downstream in tree. | integer | Minimum value: 1 Maximum value: 1024 | 0 |

config fabric-connector

| Parameter | Description | Type | Size | Default |
| --- | --- | --- | --- | --- |
| serial | Serial. | string | Maximum length: 19 | |
| accprofile | Override access profile. | string | Maximum length: 35 | |
| configuration-write-access | Enable/disable downstream device write access to configuration. Options: enable (Enable downstream device write access to configuration.); disable (Disable downstream device write access to configuration.) | option | - | disable |
| vdom <name> | Virtual domains that the connector has access to. If none are set, the connector will only have access to the VDOM that it joins the Security Fabric through. Virtual domain name. | string | Maximum length: 79 | |
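
An added example, not Fortinet code: a small Python audit of a `config system csf` excerpt that fills in the defaults listed in the tables above for keys the excerpt omits, then reports the settings that widen fabric trust. The choice of settings to report, the assumption that the excerpt lists only non-default settings, and the names in the sample are this example's own.

```python
# Defaults from this page's parameter tables; keys absent from the excerpt
# are assumed to be at these defaults.
DEFAULTS = {"status": "disable", "accept-auth-by-cert": "enable",
            "legacy-authentication": "enable", "downstream-access": "disable",
            "configuration-write-access": "disable",
            "downstream-authorization": "disable"}

def parse_csf(text):
    """Return (top-level settings, {sub-table: {entry: settings}})."""
    top, tables, table, entry = {}, {}, None, None
    for line in filter(str.strip, text.splitlines()):
        tok = [t.strip('"') for t in line.split()]
        if tok[0] == "config" and tok[1:] != ["system", "csf"]:
            table = tables.setdefault(" ".join(tok[1:]), {})
        elif tok[0] == "edit" and table is not None:
            entry = table.setdefault(tok[1], {})
        elif tok[0] == "next":
            entry = None
        elif tok[0] == "end":
            table = None
        elif tok[0] == "set" and len(tok) >= 3:
            (top if entry is None else entry)[tok[1]] = " ".join(tok[2:])
    return top, tables

def audit(text):
    """List settings that widen fabric trust (this example's assumed policy)."""
    top, tables = parse_csf(text)
    eff = {**DEFAULTS, **top}
    if eff["status"] != "enable":
        return []  # Security Fabric is disabled on this device
    found = [k for k in ("legacy-authentication", "accept-auth-by-cert",
                         "downstream-access") if eff[k] == "enable"]
    for tbl, key in (("trusted-list", "downstream-authorization"),
                     ("fabric-connector", "configuration-write-access")):
        for name, e in tables.get(tbl, {}).items():
            if {**DEFAULTS, **e}[key] == "enable":
                found.append(f"{tbl} {name}: {key}")
    return found

# Constructed sample with placeholder names (not from a real device).
SAMPLE = """config system csf
    set status enable
    set downstream-access enable
    config trusted-list
        edit "branch-1"
            set downstream-authorization enable
        next
    end
    config fabric-connector
        edit "FPXEXAMPLE0000002"
            set configuration-write-access enable
        next
    end
end
"""
```

Calling `audit(SAMPLE)` reports `legacy-authentication` and `accept-auth-by-cert` even though the sample never sets them, because both default to `enable` in the table above.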
