Leveraging SAML to switch between Security Fabric FortiGates
In the FortiOS GUI banner, there is a dropdown menu available that allows you to easily switch between all FortiGate devices that are connected to the Security Fabric.
- The dropdown menu is available in both the root and downstream FortiGates. You can click a link in the menu to navigate to any other FortiGate management IP/FQDN.
- In both root and downstream FortiGates, you can configure the management IP/FQDN and port settings.
If the management IP/FQDN is not configured, the IP address that the FortiGate uses to connect to the Security Fabric is shown as the management IP address. A warning message is displayed because administrators might be unable to access the IP address using a web browser.
See Setting the IP/FQDN.
- In the root FortiGate GUI, you can use the Configure option to change the hostname, management IP/FQDN, and port number.
- In downstream FortiGates, the diagnose sys csf global command shows a summary of all of the connected FortiGates in the Security Fabric. See Viewing a summary of all connected FortiGates in a Security Fabric.
Switching between FortiGates in a Security Fabric
To switch between FortiGates in a Security Fabric:
- Log in to a FortiGate in a Security Fabric using SSO.
- In the banner, click the name of the FortiGate.
A dropdown menu opens, showing the root FortiGate as well as downstream FortiGates in the Security Fabric.
- Hover the cursor over a FortiGate name to see a tooltip about that FortiGate.
- Click Login to navigate to its management IP/FQDN.
You can also click the FortiGate name in the dropdown menu to log in to the device.
- Click the option to log in via Single Sign-On.
Setting the IP/FQDN
The management IP/FQDN and port can be configured on the root FortiGate and all of the downstream FortiGates. When SAML SSO is enabled, you can configure the downstream FortiGates from within the root FortiGate (see Configuring a downstream FortiGate as an SP).
To set the IP/FQDN in the GUI:
- Log in to a FortiGate in the Security Fabric.
- Go to Security Fabric > Settings.
- In the FortiGate Telemetry section, scroll to the Management IP/FQDN field and select Specify.
- Enter the IP/FQDN.
- In the Management Port field, select Specify, and enter the port number.
- Click Apply.
If the management IP/FQDN is not configured, the IP address that the FortiGate uses to connect to the Security Fabric is shown as the management IP address. A warning message is displayed because administrators might be unable to access the IP address using a web browser.
To set the IP/FQDN in the CLI:
- Configure the root FortiGate:
    config system csf
        set status enable
        set group-name "fabric"
        set management-ip "104.196.102.183"
        set management-port 10403
    end
- Configure the downstream FortiGates:
    config system csf
        set status enable
        set upstream-ip 10.100.88.1
        set management-ip "104.196.102.183"
        set management-port 10423
    end
Customizing a root FortiGate
To customize a root FortiGate:
- Click the dropdown menu in the banner and hover the cursor over the root FortiGate so the tooltip is shown.
- Click Configure. The Configure pane opens.
- Edit the settings as required.
- Click OK.
Viewing a summary of all connected FortiGates in a Security Fabric
To view a Security Fabric summary on a downstream FortiGate:
# diagnose sys csf global
Current vision: [
  {
    "path":"FGVM01TM19000001",
    "mgmt_ip_str":"104.196.102.183", "mgmt_port":10403, "sync_mode":1,
    "saml_role":"identity-provider", "admin_port":443,
    "serial":"FGVM01TM19000001", "host_name":"admin-root",
    "firmware_version_major":6, "firmware_version_minor":2, "firmware_version_patch":0, "firmware_version_build":1010,
    "subtree_members":[ { "serial":"FGVM01TM19000002" }, { "serial":"FGVM01TM19000003" }, { "serial":"FGVM01TM19000004" }, { "serial":"FGVM01TM19000005" } ]
  },
  {
    "path":"FGVM01TM19000001:FGVM01TM19000002",
    "mgmt_ip_str":"104.196.102.183", "mgmt_port":10423, "sync_mode":1,
    "saml_role":"service-provider", "admin_port":443,
    "serial":"FGVM01TM19000002", "host_name":"Branch_Office_01",
    "firmware_version_major":6, "firmware_version_minor":2, "firmware_version_patch":0, "firmware_version_build":1010,
    "upstream_intf":"Branch-HQ-A", "upstream_serial":"FGVM01TM19000001",
    "parent_serial":"FGVM01TM19000001", "parent_hostname":"admin-root",
    "upstream_status":"Authorized", "upstream_ip":22569994, "upstream_ip_str":"10.100.88.1",
    "subtree_members":[ ],
    "is_discovered":true, "ip_str":"10.0.10.2", "downstream_intf":"To-HQ-A", "idx":1
  },
  {
    "path":"FGVM01TM19000001:FGVM01TM19000003",
    "mgmt_ip_str":"104.196.102.183", "mgmt_port":10407, "sync_mode":1,
    "saml_role":"service-provider", "admin_port":443,
    "serial":"FGVM01TM19000003", "host_name":"Enterprise_Second_Floor",
    "firmware_version_major":6, "firmware_version_minor":2, "firmware_version_patch":0, "firmware_version_build":1010,
    "upstream_intf":"port3", "upstream_serial":"FGVM01TM19000001",
    "parent_serial":"FGVM01TM19000001", "parent_hostname":"admin-root",
    "upstream_status":"Authorized", "upstream_ip":22569994, "upstream_ip_str":"10.100.88.1",
    "subtree_members":[ ],
    "is_discovered":true, "ip_str":"10.100.88.102", "downstream_intf":"port1", "idx":2
  },
  {
    "path":"FGVM01TM19000001:FGVM01TM19000004",
    "mgmt_ip_str":"104.196.102.183", "mgmt_port":10424, "sync_mode":1,
    "saml_role":"service-provider", "admin_port":443,
    "serial":"FGVM01TM19000004", "host_name":"Branch_Office_02",
    "firmware_version_major":6, "firmware_version_minor":2, "firmware_version_patch":0, "firmware_version_build":1010,
    "upstream_intf":"HQ-MPLS", "upstream_serial":"FGVM01TM19000001",
    "parent_serial":"FGVM01TM19000001", "parent_hostname":"admin-root",
    "upstream_status":"Authorized", "upstream_ip":22569994, "upstream_ip_str":"10.100.88.1",
    "subtree_members":[ ],
    "is_discovered":true, "ip_str":"10.0.12.3", "downstream_intf":"To-HQ-MPLS", "idx":3
  },
  {
    "path":"FGVM01TM19000001:FGVM01TM19000005",
    "mgmt_ip_str":"104.196.102.183", "mgmt_port":10404, "sync_mode":1,
    "saml_role":"service-provider", "admin_port":443,
    "serial":"FGVM01TM19000005", "host_name":"Enterprise_First_Floor",
    "firmware_version_major":6, "firmware_version_minor":2, "firmware_version_patch":0, "firmware_version_build":1010,
    "upstream_intf":"port3", "upstream_serial":"FGVM01TM19000001",
    "parent_serial":"FGVM01TM19000001", "parent_hostname":"admin-root",
    "upstream_status":"Authorized", "upstream_ip":22569994, "upstream_ip_str":"10.100.88.1",
    "subtree_members":[ ],
    "is_discovered":true, "ip_str":"10.100.88.101", "downstream_intf":"port1", "idx":4
  }
]
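As an added example (not FortiOS code and not from the original page), the following Python parses a saved copy of the diagnose sys csf global listing and checks what the SSO dropdown will do with it: it builds each member's management URL from mgmt_ip_str and mgmt_port, flags members that still advertise their fabric IP because no management IP/FQDN was set (the warning described under Setting the IP/FQDN), verifies the numeric upstream_ip field against upstream_ip_str, checks that every serial the root lists as a subtree member is actually present, and detects two members sharing one management endpoint. The SAMPLE listing is constructed from the page's output and trimmed to three members; the third member is invented to show the unset case. Decoding upstream_ip as a little-endian packed IPv4 address is an assumption, justified by the page's value 22569994 decoding to 10.100.88.1.

```python
"""Audit the management endpoints the Security Fabric SSO dropdown will use.

Added example, not FortiOS code and not part of the original page.
Assumption: `upstream_ip` is the IPv4 address packed little-endian
(22569994 -> 10.100.88.1, matching the page's upstream_ip_str).
"""
import ipaddress
import json

# Constructed from the page's listing and trimmed to three members. The
# third member is invented: its management IP was never set, so the fabric
# address (ip_str) is advertised as the management address.
SAMPLE = """Current vision: [
  {"path":"FGVM01TM19000001","mgmt_ip_str":"104.196.102.183","mgmt_port":10403,
   "sync_mode":1,"saml_role":"identity-provider","admin_port":443,
   "serial":"FGVM01TM19000001","host_name":"admin-root",
   "firmware_version_major":6,"firmware_version_minor":2,
   "firmware_version_patch":0,"firmware_version_build":1010,
   "subtree_members":[{"serial":"FGVM01TM19000002"},{"serial":"FGVM01TM19000003"}]},
  {"path":"FGVM01TM19000001:FGVM01TM19000002","mgmt_ip_str":"104.196.102.183",
   "mgmt_port":10423,"sync_mode":1,"saml_role":"service-provider","admin_port":443,
   "serial":"FGVM01TM19000002","host_name":"Branch_Office_01",
   "firmware_version_major":6,"firmware_version_minor":2,
   "firmware_version_patch":0,"firmware_version_build":1010,
   "upstream_serial":"FGVM01TM19000001","upstream_status":"Authorized",
   "upstream_ip":22569994,"upstream_ip_str":"10.100.88.1",
   "subtree_members":[],"ip_str":"10.0.10.2","idx":1},
  {"path":"FGVM01TM19000001:FGVM01TM19000003","mgmt_ip_str":"10.100.88.102",
   "mgmt_port":443,"sync_mode":1,"saml_role":"service-provider","admin_port":443,
   "serial":"FGVM01TM19000003","host_name":"Enterprise_Second_Floor",
   "firmware_version_major":6,"firmware_version_minor":2,
   "firmware_version_patch":0,"firmware_version_build":1010,
   "upstream_serial":"FGVM01TM19000001","upstream_status":"Authorized",
   "upstream_ip":22569994,"upstream_ip_str":"10.100.88.1",
   "subtree_members":[],"ip_str":"10.100.88.102","idx":2}
]"""


def parse_csf_global(text):
    """Return the member list that follows the 'Current vision:' label."""
    return json.loads(text[text.index("["):])


def decode_upstream_ip(value):
    """Decode the integer upstream_ip field (little-endian, assumed) to dotted quad."""
    return str(ipaddress.IPv4Address(value.to_bytes(4, "little")))


def firmware_string(member):
    return "{}.{}.{} build{}".format(
        member["firmware_version_major"], member["firmware_version_minor"],
        member["firmware_version_patch"], member["firmware_version_build"])


def audit_fabric(members):
    """One finding per member: the URL the dropdown opens plus any problems."""
    known = {m["serial"] for m in members}
    findings = []
    for m in members:
        url = "https://{}:{}".format(m["mgmt_ip_str"], m["mgmt_port"])
        issues = []
        # No management IP/FQDN configured: the fabric IP is advertised instead,
        # and an admin's browser may not be able to reach it.
        if m.get("ip_str") and m["mgmt_ip_str"] == m["ip_str"]:
            issues.append("management IP/FQDN not set; dropdown falls back to fabric IP")
        if "upstream_ip" in m:
            decoded = decode_upstream_ip(m["upstream_ip"])
            if decoded != m["upstream_ip_str"]:
                issues.append("upstream_ip {} decodes to {}, not {}".format(
                    m["upstream_ip"], decoded, m["upstream_ip_str"]))
        if "upstream_status" in m and m["upstream_status"] != "Authorized":
            issues.append("upstream status is {}".format(m["upstream_status"]))
        # Every serial the root claims under it must appear in the vision.
        for child in m.get("subtree_members", []):
            if child["serial"] not in known:
                issues.append("subtree member {} is not in the vision".format(child["serial"]))
        findings.append({"serial": m["serial"], "host_name": m["host_name"],
                         "saml_role": m["saml_role"], "firmware": firmware_string(m),
                         "mgmt_url": url, "issues": issues})
    # Two members behind the same IP:port would send the admin to the wrong device.
    by_url = {}
    for f in findings:
        by_url.setdefault(f["mgmt_url"], []).append(f)
    for group in by_url.values():
        if len(group) > 1:
            for f in group:
                others = ", ".join(g["serial"] for g in group if g is not f)
                f["issues"].append("management endpoint shared with {}".format(others))
    return findings


if __name__ == "__main__":
    for f in audit_fabric(parse_csf_global(SAMPLE)):
        print("{serial} {host_name} ({saml_role}, {firmware}) -> {mgmt_url}".format(**f))
        for issue in f["issues"]:
            print("    WARNING:", issue)
```

Run it against a saved copy of the command output; the script reads only that text and does not contact any device. A member whose only issue is the unset management IP is the one to fix with set management-ip on that FortiGate (or from the root, when SAML SSO is enabled) before relying on the dropdown from outside the fabric network.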