
Administration Guide


Editing or viewing a FortiGate CNF instance

In the CNF Instances table, click Edit to view or edit the following instance details:

Primary details

The following details are displayed in the Edit CNF form.

Item Description

CNF Name

The unique name of the CNF instance. This field is editable.

Region

The region where this instance is deployed. This field is not editable.

FortiManager mode

Enable to manage this instance with FortiManager. This field is not editable.

Status

The deployment status of the instance.

The possible values are:

  • Initializing: The instance is being created and deployed. When an instance is initializing no details may be edited and the instance may not be deleted.

  • Success: The instance has been deployed. The instance may now be edited or deleted, and endpoints and policy sets may be added.

  • Deleting: The instance is being deleted. When deletion is complete the instance is removed from the table.

  • Error: You must delete and begin again.

  • Policy Set Apply Error: There was an error applying the policy set.

Internal Logging

Set Internal Logging to one of the following options:

  • None: Disable internal logging.

  • S3 Bucket: Enable logging to the AWS account S3 bucket, then select the S3 Bucket in Log Traffic to S3 Bucket.

    This option is available if this instance is an AWS CNF instance.

  • Security Lake: Enable logging to AWS Security Lake, then select the destination Security Lake in Log Traffic to Security Lake.

    This option is available if this instance is an AWS CNF instance.

    Caution

    FortiGate CNF does not create a Security Lake destination. You must create it and enable access using the CloudFormation template.

    In the CloudFormationStack Details, set SecurityLakeCustomLogSourceName to your Security Lake custom source.

    See Configuring Security Lake.

  • Blob Storage Logging: Enable logging to Azure storage.

    This option is available if this instance is an Azure CNF instance.

External Logging

The selected external logging destination. Select from None, External Syslog, and FortiAnalyzer. This field is editable.

External Syslog Server IP

The IP address of the syslog server where logs are sent. This field is editable and only displays if External Logging is set to External Syslog.

FortiAnalyzer IP

The IP address of the FortiAnalyzer where logs are sent. This field is editable and only displays if External Logging is set to FortiAnalyzer.

Display Primary FortiGate Information

Enable to display the following connection information:

  • Primary FGT IP

  • Primary FGT Username

  • Primary FGT Password

This field only displays when FortiManager mode is enabled.
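The External Logging fields above only take an IP address; they give no feedback on whether anything arrives. The following added example (not Fortinet's code and not part of this guide) is a loopback check an operator can run on the host configured as the External Syslog Server IP: it binds a UDP socket, parses the syslog <PRI> header and the key=value body that FortiGate-style log lines use, and reports the source IP of each datagram so a log reaching the wrong collector or from an unexpected source is visible. The sample log line is constructed for illustration; the field names and values are assumptions, and port 514 is the conventional syslog port (binding it needs root, so the self-test uses an ephemeral loopback port).

```python
"""Loopback check that an External Syslog destination actually receives
FortiGate CNF logs. Added example; not Fortinet code."""
import re
import socket

PRI_RE = re.compile(r"^<(\d{1,3})>")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def parse_syslog_line(line):
    """Split a FortiGate-style syslog line into (facility, severity_name, fields).

    The <PRI> header is standard syslog: PRI = facility * 8 + severity.
    The body is parsed as key=value pairs; quoted values keep their content.
    """
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("no <PRI> header: %r" % line[:40])
    pri = int(m.group(1))
    facility, severity = divmod(pri, 8)
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line[m.end():])}
    return facility, SEVERITY_NAMES[severity], fields


def open_listener(host="0.0.0.0", port=514):
    """Bind a UDP socket on the address configured as External Syslog Server IP.
    Port 514 needs root; the self-test below uses an ephemeral loopback port."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((host, port))
    return sock


def collect(sock, count=1, timeout=5.0):
    """Receive up to `count` datagrams and return (source_ip, parsed_line) pairs.
    Stops on timeout, so a silent FortiGate shows up as an empty list."""
    sock.settimeout(timeout)
    out = []
    try:
        while len(out) < count:
            data, (src_ip, _) = sock.recvfrom(65535)
            out.append((src_ip, parse_syslog_line(data.decode("utf-8", "replace"))))
    except socket.timeout:
        pass
    return out


def send_test_line(dest_host, dest_port, line):
    """Emit one datagram; used here only to drive the listener offline."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(line.encode(), (dest_host, dest_port))


# Constructed sample in the key=value style FortiGate uses; all values are made up.
# PRI 189 = facility 23 (local7) * 8 + severity 5 (notice).
SAMPLE_LINE = ('<189>date=2024-05-01 time=12:00:00 devname="cnf-fgt-primary" '
               'type="traffic" subtype="forward" srcip=10.0.1.10 dstip=10.0.2.20 '
               'action="deny" policyid=7')


def loopback_selftest():
    """Bind an ephemeral loopback port, send SAMPLE_LINE to it, return what arrived."""
    sock = open_listener("127.0.0.1", 0)
    try:
        port = sock.getsockname()[1]
        send_test_line("127.0.0.1", port, SAMPLE_LINE)
        return collect(sock, count=1, timeout=2.0)
    finally:
        sock.close()


if __name__ == "__main__":
    # Real use: open_listener("<External Syslog Server IP>", 514) and collect(...)
    for src, (fac, sev, fields) in loopback_selftest():
        print(src, fac, sev, fields.get("devname"), fields.get("action"))
```

When run on the real collector, compare the source IP reported by collect() with the FortiGate CNF instance's egress address; the same listener also works for the FortiAnalyzer IP setting only if that host forwards syslog, so for FortiAnalyzer use its own log receipt view instead.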

Endpoints and load balancers

FortiGate CNF instances are deployed into your cloud infrastructure using gateway load balancer endpoints (in the case of AWS) or load balancers (in the case of Azure).

In the Configure Endpoints/Load Balancers page, select an endpoint or load balancer and click Edit to view or edit the details. Click Delete to remove the endpoint or load balancer from the instance.

Endpoints

Item Description

Name

The name of the endpoint. The name must be unique within the CNF instance and does not affect the subnet. This field is only editable if Status is error.

Account

The AWS account in which the VPC has been created.

This field is not editable after the endpoint has been created.

VPC ID

The AWS identifier for the VPC. This field is not editable.

Subnet

The subnet within the VPC. This field is not editable.

Select from all subnets

Disable to display only subnets that have been tagged with Key = fortigatecnf_subnet_type and Value = endpoint.

Enable to display all subnets in the selected VPC.

Status

The deployment status of the endpoint.

The possible values are:

  • Initializing: The endpoint is being added to the instance. When an endpoint is initializing no details may be edited.

  • Active: The endpoint has been added and may now be edited or deleted.

  • Deleting: The endpoint is being deleted. When deletion is complete the endpoint is removed from the table.

  • Error: You must delete and begin again.
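With Select from all subnets disabled, only subnets tagged Key = fortigatecnf_subnet_type, Value = endpoint are offered, so a subnet that is missing the tag or carries it with a different value simply does not appear in the list. The following added example (not Fortinet's code and not part of this guide) reproduces that filter over the JSON that `aws ec2 describe-subnets --output json` returns, and additionally reports subnets that carry the tag key with a value other than `endpoint`, which is the usual reason an expected subnet is absent. The embedded response, subnet IDs and VPC IDs are constructed for illustration; exact, case-sensitive matching is an assumption of this example based on how EC2 tags behave, not a statement about the console's matching rules.

```python
"""Filter EC2 subnets the way the FortiGate CNF 'Select from all subnets' toggle does.
Added example; not Fortinet code."""
import json
import sys

# Tag convention from the Administration Guide.
ENDPOINT_TAG_KEY = "fortigatecnf_subnet_type"
ENDPOINT_TAG_VALUE = "endpoint"

# Constructed sample in the shape of `aws ec2 describe-subnets --output json`.
# Subnet and VPC IDs are made up for illustration.
SAMPLE_DESCRIBE_SUBNETS = json.dumps({
    "Subnets": [
        {"SubnetId": "subnet-0a1b2c3d4e5f60001", "VpcId": "vpc-0aaa111122223333a",
         "CidrBlock": "10.0.1.0/24", "AvailabilityZone": "us-east-1a",
         "Tags": [{"Key": "Name", "Value": "cnf-endpoint-a"},
                  {"Key": ENDPOINT_TAG_KEY, "Value": ENDPOINT_TAG_VALUE}]},
        {"SubnetId": "subnet-0a1b2c3d4e5f60002", "VpcId": "vpc-0aaa111122223333a",
         "CidrBlock": "10.0.2.0/24", "AvailabilityZone": "us-east-1b",
         "Tags": [{"Key": "Name", "Value": "app-private-b"}]},
        {"SubnetId": "subnet-0a1b2c3d4e5f60003", "VpcId": "vpc-0aaa111122223333a",
         "CidrBlock": "10.0.3.0/24", "AvailabilityZone": "us-east-1b",
         "Tags": [{"Key": ENDPOINT_TAG_KEY, "Value": "Endpoint"}]},  # wrong case
        {"SubnetId": "subnet-0b1b2c3d4e5f60004", "VpcId": "vpc-0bbb111122223333b",
         "CidrBlock": "10.1.1.0/24", "AvailabilityZone": "us-east-1a",
         "Tags": [{"Key": ENDPOINT_TAG_KEY, "Value": ENDPOINT_TAG_VALUE}]},
        {"SubnetId": "subnet-0a1b2c3d4e5f60005", "VpcId": "vpc-0aaa111122223333a",
         "CidrBlock": "10.0.5.0/24", "AvailabilityZone": "us-east-1c"},  # no Tags key
    ]
})


def tags_of(subnet):
    """Tags as a dict; describe-subnets omits 'Tags' entirely on untagged subnets."""
    return {t["Key"]: t["Value"] for t in subnet.get("Tags", [])}


def is_endpoint_subnet(subnet):
    """Exact match on key and value (EC2 tag keys and values are case-sensitive)."""
    return tags_of(subnet).get(ENDPOINT_TAG_KEY) == ENDPOINT_TAG_VALUE


def selectable_subnets(describe_json, vpc_id, select_from_all=False):
    """Subnet IDs the console would offer for vpc_id.
    select_from_all=False mimics the toggle disabled: tagged subnets only."""
    subnets = json.loads(describe_json)["Subnets"]
    in_vpc = [s for s in subnets if s["VpcId"] == vpc_id]
    if not select_from_all:
        in_vpc = [s for s in in_vpc if is_endpoint_subnet(s)]
    return sorted(s["SubnetId"] for s in in_vpc)


def mistagged_subnets(describe_json, vpc_id):
    """Subnets in vpc_id that carry the tag key but not the exact value 'endpoint'.
    These silently drop out of the filtered list."""
    subnets = json.loads(describe_json)["Subnets"]
    return sorted(s["SubnetId"] for s in subnets
                  if s["VpcId"] == vpc_id
                  and ENDPOINT_TAG_KEY in tags_of(s)
                  and not is_endpoint_subnet(s))


if __name__ == "__main__":
    # Real use: aws ec2 describe-subnets --output json | python3 subnet_filter.py vpc-xxxx
    data = SAMPLE_DESCRIBE_SUBNETS if sys.stdin.isatty() else sys.stdin.read()
    vpc = sys.argv[1] if len(sys.argv) > 1 else "vpc-0aaa111122223333a"
    print("tagged endpoint subnets:", selectable_subnets(data, vpc))
    print("all subnets in VPC:", selectable_subnets(data, vpc, select_from_all=True))
    print("tag key present but value not 'endpoint':", mistagged_subnets(data, vpc))
```

The filter is deliberately strict: a subnet whose tag value differs only in case is reported by mistagged_subnets() rather than accepted, which is the behaviour you want when the tag is what decides where a gateway load balancer endpoint lands.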

Load balancers

Item Description

Name

The name of the load balancer. The name must be unique within the CNF instance and does not affect the subnet. This field is editable.

Account

The Azure account containing the resources to be protected.

This field is not editable after the load balancer has been created.

Resource Group

The Azure resource group.

This field is not editable after the load balancer has been created.

Subnet

The subnet within the VPC. This field is not editable.

Select from all subnets

Disable to display only subnets that have been tagged with Key = fortigatecnf_subnet_type and Value = endpoint.

Enable to display all subnets in the selected VPC.

Status

The deployment status of the endpoint.

The possible values are:

  • Initializing: The endpoint is being added to the instance. When an endpoint is initializing no details may be edited.

  • Active: The endpoint has been added and may now be edited or deleted.

  • Deleting: The endpoint is being deleted. When deletion is complete the endpoint is removed from the table.

  • Error: You must delete and begin again.

Policy sets

In the Configure Policy Sets page, view and update the applied policy set for the instance.

The following information is displayed in the form.

Item Description

Current Policy Set

The name of the policy set currently applied to the CNF instance.

Revision ID

The ID of the current CNF instance revision. Changing the applied policy set creates a new revision.

Click the View Policy Set Revision eye icon to view more information about the revision. See Viewing a policy set revision for more information.

Installation Status

The status of the policy set installation on the instance.

The possible values are:

  • Installing: The policy set is being deployed to the instance and a new instance revision is being created.

  • Installed: The policy set has been installed. A new revision of the instance has been created and deployed.

Sync Status

The synchronization status of the policy set.

The possible values are:

  • Unsynchronized: Changes have been made in the FortiGate CNF console that have not been applied to this instance.

    • Click the Diff button to view the changes.

    • Click the Synchronize button to update the policy set on the instance.

  • Synchronized: The deployed policy set matches the local policy set.

Apply Policy Set

Select the policy set to apply.

Click Diff to view a comparison with the currently installed policy set.

Policy Set Revision History

Displays a list of the policy sets that have been applied, by revision, in descending order beginning with the most recent.

The following actions are available:

Instance Version

The Instance Version page displays the FortiOS version of the FortiGate CNF instance in the Current Dataplane FortiOS Version field.
