New Features

Fabric of FAZ: member authorization with supervisor

Note

This information is also available in the FortiAnalyzer 7.4 Fabric Deployment Guide.

The FortiAnalyzer Fabric authentication process has been enhanced by implementing the following:

  • Members can join the FortiAnalyzer Fabric by entering the cluster name and IP of the supervisor. No static password is required.

  • The supervisor can authorize or reject members that request to join the FortiAnalyzer Fabric.

  • A trusted-list can be configured on the FortiAnalyzer Fabric supervisor to automatically authorize members if they match the configured serial number.

  • A trusted-list can be configured on FortiAnalyzer Fabric members, so that they will join the FortiAnalyzer Fabric only if the supervisor matches the configured serial number.

FortiAnalyzer Fabric supervisor:

When configuring a FortiAnalyzer Fabric supervisor in System Settings > Fabric Management, there is no password configuration in the Fabric Settings.

When members request to join the FortiAnalyzer Fabric, they appear in the supervisor's topology. From this topology, you can authorize or reject each member.

If authorized, the member will join the FortiAnalyzer Fabric and it will remain visible in the topology.

If rejected, the member is removed from the topology and is blocked from attempting to re-join the FortiAnalyzer Fabric for 10 minutes.

FortiAnalyzer Fabric members:

When joining a FortiAnalyzer Fabric as a member, go to System Settings > Fabric Management. You do not need to enter a password. Instead, enter the cluster name and IP of the supervisor.

After configuring the FortiAnalyzer as a member, the Authorization field will display Pending.

Once the member is authorized by the supervisor, the Authorization field will change to Accepted. The topology will display this member and the supervisor, but it will not display other members in the FortiAnalyzer Fabric.

If the member is rejected by the supervisor, the Authorization field will change to Rejected. The member must wait 10 minutes before sending another request to join the FortiAnalyzer Fabric. To try again, click Apply after the block-out time has elapsed.

To leave a FortiAnalyzer Fabric, go to System Settings > Fabric Management > Fabric Settings in the member and set the Status to disabled. A message will display to confirm the action.

After confirming the message, click Apply to save the configuration.

If needed, the member can re-join the FortiAnalyzer Fabric, but it will need to be authorized by the supervisor again.

Trusted-list for a FortiAnalyzer Fabric:

The trusted-list configuration is completed on the CLI for both the supervisor and the members.

In the supervisor's CLI, you can add members' serial numbers to a trusted-list. Wildcards are supported; for example, FAZ-VMTM120033* matches every serial number with that prefix. Once a member's serial number matches an entry in the trusted-list, that FortiAnalyzer joins the FortiAnalyzer Fabric as a member automatically, without manual authorization by the supervisor.

To add a member to the trusted-list, enter the following command in the supervisor's CLI:

config system soc-fabric
    config trusted-list
        edit 1
            set serial <member's serial number, which can include wildcards (*)>
        end
end

In the member's CLI, you can configure a trusted-list with the supervisor's serial number to verify the legitimacy of the supervisor. This prevents log data from being sent to a rogue supervisor that advertises the same cluster name. A member will only join the FortiAnalyzer Fabric when the supervisor's serial number matches an entry in the member's trusted-list.

To configure a trusted-list on a member, enter the following command in the member's CLI:

config system soc-fabric
    config trusted-list
        edit 1
            set serial <supervisor's serial number>
        end
end

A member without a trusted-list configured treats every supervisor as legitimate, so a member-side trusted-list is the only control that stops a member from joining a supervisor it was not intended for.
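The following Python model encodes the join and authorization rules described above so they can be reasoned about end to end: the supervisor's trusted-list with * wildcards, the manual Pending/Accepted/Rejected decision, the 10-minute block-out after a rejection, and the member-side trusted-list (empty list means any supervisor is accepted). This is an added example, not Fortinet code, and it does not talk to a FortiAnalyzer; the serial numbers, the cluster name, the Supervisor and Member classes, and the rule that * matches any run of characters anywhere in a serial are assumptions made for the illustration.

```python
"""Model of the FortiAnalyzer Fabric join/authorization rules (added example,
not Fortinet code). Assumption: '*' is the only wildcard and matches any run
of characters; all serial numbers and the cluster name below are constructed."""

import re
from dataclasses import dataclass, field

REJECT_BLOCK_SECONDS = 10 * 60  # documented block-out time after a rejection


def serial_matches(pattern: str, serial: str) -> bool:
    """True when serial matches pattern; '*' matches any run of characters."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, serial) is not None


@dataclass
class Supervisor:
    serial: str
    cluster_name: str
    trusted_list: list[str] = field(default_factory=list)  # supervisor trusted-list
    authorized: set[str] = field(default_factory=set)
    pending: set[str] = field(default_factory=set)          # shown in topology
    blocked_until: dict[str, float] = field(default_factory=dict)

    def receive_join(self, member_serial: str, cluster_name: str, now: float) -> str:
        """Return the Authorization state the member sees after its request."""
        if cluster_name != self.cluster_name:
            return "Rejected"  # assumption: a wrong cluster name is refused outright
        if self.blocked_until.get(member_serial, 0.0) > now:
            return "Rejected"  # still inside the 10-minute block-out
        if any(serial_matches(p, member_serial) for p in self.trusted_list):
            self.authorized.add(member_serial)  # auto-authorized, no manual step
            return "Accepted"
        self.pending.add(member_serial)  # waits for an operator decision
        return "Pending"

    def authorize(self, member_serial: str) -> None:
        self.pending.discard(member_serial)
        self.authorized.add(member_serial)

    def reject(self, member_serial: str, now: float) -> None:
        self.pending.discard(member_serial)  # removed from the topology
        self.authorized.discard(member_serial)
        self.blocked_until[member_serial] = now + REJECT_BLOCK_SECONDS


@dataclass
class Member:
    serial: str
    trusted_list: list[str] = field(default_factory=list)  # member trusted-list

    def supervisor_is_trusted(self, supervisor_serial: str) -> bool:
        """An empty trusted-list means every supervisor is treated as legitimate."""
        if not self.trusted_list:
            return True
        return any(serial_matches(p, supervisor_serial) for p in self.trusted_list)

    def join(self, sup: Supervisor, cluster_name: str, now: float) -> str:
        if not self.supervisor_is_trusted(sup.serial):
            return "Untrusted supervisor"  # assumption: member never sends a request
        return sup.receive_join(self.serial, cluster_name, now)


def scenario() -> dict[str, str]:
    """Walk four constructed members through the rules and collect their states."""
    sup = Supervisor("FAZ-VMTM23000001", "soc-fabric", ["FAZ-VMTM120033*"])
    auto = Member("FAZ-VMTM1200331234")            # matches the wildcard entry
    manual = Member("FAZ-VMTM99000002")            # needs an operator decision
    pinned = Member("FAZ-VMTM99000003", ["FAZ-VMTM23*"])  # trusts only this supervisor
    wary = Member("FAZ-VMTM99000004", ["FAZ-VMTM88*"])    # supervisor not in its list
    states = {
        "auto": auto.join(sup, "soc-fabric", now=0),
        "manual_first": manual.join(sup, "soc-fabric", now=0),
    }
    sup.reject(manual.serial, now=0)
    states["manual_retry_early"] = manual.join(sup, "soc-fabric", now=300)
    states["manual_retry_late"] = manual.join(sup, "soc-fabric", now=600)
    sup.authorize(manual.serial)
    states["manual_in_topology"] = "yes" if manual.serial in sup.authorized else "no"
    states["pinned"] = pinned.join(sup, "soc-fabric", now=0)
    states["wary"] = wary.join(sup, "soc-fabric", now=0)
    states["wrong_cluster"] = Member("FAZ-VMTM99000005").join(sup, "other", now=0)
    return states


if __name__ == "__main__":
    for name, state in scenario().items():
        print(f"{name:20s} {state}")
```

The wildcard is deliberately limited to *, because the supervisor-side entry FAZ-VMTM120033* would otherwise behave like a shell glob and silently accept ? or [...] metacharacters. Note in the scenario that a rejected member is refused at 300 seconds but returns to Pending at exactly 600 seconds, and that the member with a non-matching trusted-list never sends a request at all.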
