Adding a FortiGate
The communication between the FortiAIOps application and FortiGate is secured by SSL/TLS encryption. Therefore, FortiAIOps can successfully discover a FortiGate only if a valid certificate is installed in FortiGate. However, FortiAIOps can also discover FortiGates with a default certificate over a trusted connection.
If a 3rd party certificate is installed in FortiGate for the HTTPS/web server, then the corresponding CA certificate should be installed in FortiAIOps for successful discovery. For more information, see Certificates and FortiGate Certificates.
The managed FortiGate IP address/FQDN configured in FortiAIOps must match the Subject Alternative Name (SAN) in the FortiGate certificate; otherwise, the FortiGate discovery fails.
- If the FortiGate IP address is configured in FortiAIOps, then the SAN attribute in the certificate should be the FortiGate IP address.
- If the FortiGate FQDN is configured in FortiAIOps, then the SAN attribute in the certificate should be the FortiGate FQDN.
- If the FortiGate IP address or FQDN are configured in FortiAIOps, then the SAN attribute in the certificate should include both the FortiGate IP address and FQDN.
Notes:
- FortiGate discovery fails if a certificate is from an unknown authority. Ensure that the specific CA certificate of the FortiGate is installed in FortiAIOps.
- If a new certificate is installed in a managed FortiGate, then Fortinet recommends re-adding the FortiGate in FortiAIOps.
- For self-signed CA certificates generated in FortiGate, a valid CA certificate should be installed in FortiAIOps.
- To use a Let's Encrypt certificate, ensure that the CA certificate of Let's Encrypt is downloaded and installed in FortiAIOps. For more information, see Automated Certificate Management Environment (ACME).
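The SAN and CA requirements above can be checked before adding the device. The following is an added example, not Fortinet code: it compares the address you plan to enter in FortiAIOps with the SAN entries of the certificate, and `fetch_peer_cert` separates an unknown-authority failure from a SAN mismatch. The function names, the sample addresses, and the exact-match comparison (no wildcard handling) are assumptions of this example.

```python
import ipaddress
import socket
import ssl


def san_entries(peer_cert):
    """Split the subjectAltName of a getpeercert() dict into DNS names and IPs."""
    dns, ips = set(), set()
    for kind, value in peer_cert.get("subjectAltName", ()):
        if kind == "DNS":
            dns.add(value.lower().rstrip("."))
        elif kind == "IP Address":
            ips.add(ipaddress.ip_address(value.strip()))
    return dns, ips


def san_covers(peer_cert, configured):
    """True if `configured` (IP or FQDN as entered in FortiAIOps) is in the SAN."""
    dns, ips = san_entries(peer_cert)
    try:
        return ipaddress.ip_address(configured) in ips
    except ValueError:  # not an IP literal, so treat it as an FQDN
        return configured.lower().rstrip(".") in dns


def fetch_peer_cert(host, ca_file, port=443, timeout=3.0):
    """Fetch the server certificate, validating the chain against ca_file only.

    Hostname checking is switched off so that a SAN mismatch is reported by
    san_covers() instead of being raised; an issuer that ca_file does not
    cover still raises ssl.SSLCertVerificationError.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample in the shape getpeercert() returns (documentation addresses).
SAMPLE_CERT = {
    "subject": ((("commonName", "fgt.example.com"),),),
    "subjectAltName": (("DNS", "fgt.example.com"), ("IP Address", "192.0.2.10")),
}

if __name__ == "__main__":
    for addr in ("192.0.2.10", "fgt.example.com", "198.51.100.7"):
        print(addr, "covered" if san_covers(SAMPLE_CERT, addr) else "NOT in SAN")
```

Against a live device, pass the result of `fetch_peer_cert(address, ca_file)` to `san_covers` with the same address, where `ca_file` is the CA certificate you intend to install in FortiAIOps.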
To manually add a FortiGate controller, click Add and provide the following details.
- Select Standalone, or HA Cluster if the FortiGate is an HA cluster.
- Enter the IP Address or FQDN of the controller and an optional Description.
  Note: If a 3rd party certificate is used by FortiGate, ensure that a valid CA certificate is installed in FortiAIOps.
- Enter the Username and Password for the controller.
- Select the Device Group. Controllers in the selected device group are added.
- Specify the HTTPS port. The default is 443.
- Specify the Timeout duration (milliseconds), that is, the maximum time allowed to establish a connection with FortiGate and obtain a response. The default value is 3000 milliseconds.
The added FortiGate controller is now listed.