Deploy and authorize the FortiTelemetry agent

You can configure and authorize FortiTelemetry agents on the FortiTelemetry Controller (FortiGate) using the GUI or CLI. On FortiGate acting as a FortiTelemetry controller, FortiTelemetry must be enabled on the System > Feature Visibility page to display telemetry features in the GUI.

The FortiTelemetry Controller connects to FortiTelemetry agents through the Telemetry fabric connector. The following methods are supported for adding FortiTelemetry agents to the FortiTelemetry Controller:

Discovery method

FortiTelemetry Controller discovers telemetry agents using CAPWAP. These agents are automatically displayed in the Telemetry fabric connector. The administrator must manually authorize each agent before it can be used by the FortiTelemetry Controller. See Authorizing FortiTelemetry agents.

Pre-configuration method

In the FortiTelemetry fabric connector settings, you can create a FortiTelemetry agent using the FortiTelemetry agent's serial number as the name, and set the Authorization status to Authorized. When the FortiTelemetry Controller detects the real agent online, it will be automatically authorized. See Creating a FortiTelemetry agent in the Telemetry fabric connector.

FortiTelemetry agent(s) must be deployed in the same subnet as the internal interface of the FortiTelemetry Controller.

Viewing the FortiTelemetry fabric connector

To view the FortiTelemetry fabric connector:
  1. Go to Security Fabric > Fabric Connectors. The Telemetry connector is displayed with the following information:

    Status

    Status of FortiTelemetry: Enabled or Disabled.

    Agents

    The number of online, authorized FortiTelemetry agents discovered by the FortiTelemetry Controller.

    Monitored Tasks

    Number of tasks being monitored by the FortiTelemetry agents based on the configured telemetry profile(s) selected in the firewall policy used by the FortiTelemetry Controller.

  2. Click on the Telemetry connector, and click Edit. The FortiTelemetry Settings pane opens.

    FortiTelemetry agents are displayed and are grouped by interface. The following information is displayed:

    Create new

    Click to create pre-authorized Telemetry connectors to automatically authorize FortiTelemetry agents.

    See Creating a FortiTelemetry agent in the Telemetry fabric connector.

    Name

    Name of the FortiTelemetry agent.

    Status

    Status of the FortiTelemetry agent: Authorized, Unauthorized, or Reject.

    Agent Profile

    Profile assigned to the agent when FortiTelemetry Controller discovers the agent.

    FortiTelemetry Controller automatically creates and assigns the following profiles when no pre-configured profiles exist:

    • The Auto-WINDOWS agent profile is assigned to software agents.

    • The Auto-FTL100G agent profile is assigned to hardware agents.

    Agent profile details can be viewed in the CLI using the config telemetry-controller agent-profile command.

    Agent Model

    Model of the agent: Windows for software agents and FTL100G for hardware agents.

    Agent Version

    Agent version.

    IP

    IP address of the FortiTelemetry agent.

  3. Select an agent to access additional buttons, such as Edit, Delete, and More.

  4. Select an agent, and click Edit. The Telemetry Agent pane opens.

  5. Click OK to close the Telemetry Agent pane.

  6. Click Cancel to close the FortiTelemetry Settings pane.

Authorizing FortiTelemetry agents

When the FortiTelemetry Controller automatically discovers FortiTelemetry agents, it displays them in the Telemetry fabric connector and assigns a profile to each agent.

You must manually authorize each discovered FortiTelemetry agent before the FortiTelemetry Controller can use it.

After a FortiTelemetry agent is authorized, a firewall address with the agent's serial number is automatically created.

To authorize FortiTelemetry agents in the GUI:
  1. Go to Security Fabric > Fabric Connectors.

  2. Click the Telemetry connector, and click Edit. The FortiTelemetry Settings pane opens.

  3. Select an agent, and click More > Set Status > Authorize.

To authorize FortiTelemetry agents in the CLI:
  1. By default, automatically discovered telemetry agents are unauthorized, but you can authorize each agent after it connects to FortiGate:

    config telemetry-controller agent
      edit "FT100GTK24000002"
        set authz authorize
      next
    end

Creating a FortiTelemetry agent in the Telemetry fabric connector

You can configure Telemetry fabric connectors to automatically authorize agents after they connect to the FortiTelemetry Controller. You must know the agent name to configure pre-authorized telemetry connectors. The agent name is used to match the discovered agent to the corresponding telemetry connector. The agent name is the serial number of the FortiTelemetry agent.

You can create and use a custom agent profile, or you can use a default agent profile (Auto-WINDOWS for software agents or Auto-FTL100G for hardware agents) if the FortiTelemetry Controller has created a default agent profile. If you create an agent profile, ensure that the model in the agent profile matches the type of agent used.

To create agent profiles in the CLI:
  1. Create an agent profile for the type of agent you are using.

    A profile for hardware agents should use the FTL100G model, and a profile for software agents should use the WINDOWS model.

    config telemetry-controller agent-profile
      edit "WINDOWS-pre-auth"
        set comment "windows devices"
        set model WINDOWS
      next
      edit "FTL100G-pre-auth"
        set comment hardware
        set model FTL100G
      next
    end

To configure FortiTelemetry agents in the FortiOS GUI:
  1. Go to Security Fabric > Fabric Connectors.

  2. Click on the Telemetry connector, and click Edit. The FortiTelemetry Settings pane opens.

  3. Click Create New to add a new FortiTelemetry agent, and provide the following information:

    Name

    Enter a name for the FortiTelemetry agent. The agent name is the serial number of the FortiTelemetry agent.

    The name starts with FTLWIN for Windows agents or FT100G for hardware agents.

    Alias

    (Optional) Provide an alias for the FortiTelemetry agent.

    Authorization

    Select Authorize.

    Agent Profile

    Select an agent profile. Ensure the model configured in the profile matches the type of agent.

    Comments

    (Optional) Add comments to help identify the agent.

  4. Click OK. The telemetry connector is displayed in the uncategorized list until the FortiTelemetry Controller discovers the corresponding telemetry agent and uses the connector to automatically authorize the agent and assign a status of Online.

To create pre-authorized telemetry connectors in the CLI:
  1. Create a pre-authorized telemetry connector for each agent to specify the agent name, authorization, and agent profile.

    The agent name starts with FTLWIN for Windows agents or FT100G for hardware agents.

    config telemetry-controller agent
      edit "FT100GTK24000007"
        set alias "FTL100G"
        set authz authorized
        set agent-profile "FTL100G-pre-auth"
      next
      edit "FTLWIN8660000001"
        set alias "WINDOWS-108"
        set authz authorized
        set agent-profile "WINDOWS-pre-auth"
      next
    end
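
Pre-authorized entries are standing trust decisions, so it is worth checking them before they are applied. The following is an added example, not Fortinet code: a Python check that parses configuration text in the CLI syntax shown above and flags agents whose serial prefix (FTLWIN or FT100G) does not match the model of the assigned agent profile. The function names and the sample configuration are constructed for illustration, and the parser assumes flat, non-nested tables.

```python
import re

# Constructed sample in the CLI syntax shown on this page; the second agent
# deliberately pairs a Windows serial with a hardware profile.
SAMPLE_CONFIG = """\
config telemetry-controller agent-profile
  edit "FTL100G-pre-auth"
    set model FTL100G
  next
end
config telemetry-controller agent
  edit "FT100GTK24000007"
    set agent-profile "FTL100G-pre-auth"
  next
  edit "FTLWIN8660000001"
    set agent-profile "FTL100G-pre-auth"
  next
end
"""

# Serial prefix -> required model, and the default profiles (both from this page).
PREFIX_MODEL = {"FTLWIN": "WINDOWS", "FT100G": "FTL100G"}
DEFAULT_PROFILES = {"Auto-WINDOWS": "WINDOWS", "Auto-FTL100G": "FTL100G"}

def table(text, path):
    """Return {entry: {setting: value}} for one flat 'config <path>' table."""
    m = re.search(rf"^\s*config {re.escape(path)}[ \t]*\n(.*?)^\s*end\b", text, re.S | re.M)
    entries = re.findall(r'edit "([^"]+)"(.*?)\n\s*next\b', m.group(1) if m else "", re.S)
    return {name: {k: v.strip().strip('"') for k, v in re.findall(r"set (\S+) (.*)", body)}
            for name, body in entries}

def audit_agents(text):
    """Return (serial, problem) pairs for agents whose profile model does not fit the serial."""
    models = dict(DEFAULT_PROFILES)
    for name, prof in table(text, "telemetry-controller agent-profile").items():
        models[name] = prof.get("model")
    findings = []
    for serial, cfg in table(text, "telemetry-controller agent").items():
        expected, profile = PREFIX_MODEL.get(serial[:6]), cfg.get("agent-profile")
        if expected is None:
            findings.append((serial, "unrecognized serial prefix"))
        elif profile is not None and models.get(profile) != expected:
            findings.append((serial, f"{profile} is model {models.get(profile)}, expected {expected}"))
    return findings

if __name__ == "__main__":
    for serial, problem in audit_agents(SAMPLE_CONFIG):
        print(f"{serial}: {problem}")
```

Entries without an agent-profile setting are skipped, because the controller assigns a profile to those agents at discovery.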
