Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiGate / FortiOS 7.4.2 Administration Guide
    7.4.2
    7.6.1
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.16
    7.0.15
    7.0.14
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.15
    6.4.14
    6.4.13
    6.4.12
    6.4.11
    6.4.10
    6.4.9
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0

    Preparing FortiGate for supported Security Fabric devices

    Preparing FortiGate for supported Security Fabric devices

    Before adding supported Security Fabric devices to FortiGate, ensure the following:

    • On FortiGate, ensure that Security Fabric is enabled.

    • On the root FortiGate of the Security Fabric, ensure that Allow other Security Fabric devices to join is enabled.

    • On the root FortiGate, ensure that the appropriate interface is enabled to listen for supported Fabric devices.

    • (As needed) On the root FortiGate, ensure that Allow downstream device REST API access is enabled, if the device requires REST API access to the root FortiGate, and select an administrator profile.

      The minimum permission required for the selected Administrator profile is Read/Write for User & Device (set authgrp read-write).

    See Configuring the root FortiGate and downstream FortiGates for details.

    Although optional, you can configure pre-authorization of the supported Fabric device on the root FortiGate. Pre-authorized devices can join the Security Fabric at any time, and do not require manual authorization in FortiOS. See Configuring pre-authorization of supported Security Fabric devices.

    The following table identifies commands used for adding supported devices to the Security Fabric.

    Command

    Description

    		 
    config system interface
    edit <port name>
        set allowaccess {protocols}
    next
end

    Specify management access to the port for the supported Security Fabric device.

    		 
    config system csf
    set status enable
    		Enable the Security Fabric on FortiGate. 
    config system csf
    set group-name <string>

    Specify a group name for the Security Fabric.

    		 
    config system csf
    set downstream-access enable
    		 On the root FortiGate of the Security Fabric, enable downstream access. 
    config system csf
    set downstream-accprofile <string>
    		 Specify the administration profile used for REST API access. 
    config system csf
     config trusted-list
    		 Configure pre-authorization for a device.

    In this example FortiNDR is added to the Security Fabric using the CLI.

    To add FortiNDR to the Security Fabric in the CLI:

    1. Configure the interface to allow other Security Fabric devices to join:

      config system interface
    edit "port1"
        set allowaccess ping https ssh http fgfm fabric
    next
end

    2. Enable the Security Fabric:

      config system csf
    set status enable
    set group-name "fabric-ai"
end

    3. In FortiNDR, configure the device to join the Security Fabric:

      config system csf
    set status enable
    set upstream-ip 10.6.30.14
    set managment-ip 10.6.30.251
end

    4. Authorize the FortiNDR in FortiOS:

      config system csf
    config trusted-list
        edit "FAIVMSTM21000000"
            set authorization-type certificate
            set certificate "*******************"
        next
    end
end
    Previous
    Next

    Preparing FortiGate for supported Security Fabric devices

    Preparing FortiGate for supported Security Fabric devices

    Before adding supported Security Fabric devices to FortiGate, ensure the following:

    • On FortiGate, ensure that Security Fabric is enabled.

    • On the root FortiGate of the Security Fabric, ensure that Allow other Security Fabric devices to join is enabled.

    • On the root FortiGate, ensure that the appropriate interface is enabled to listen for supported Fabric devices.

    • (As needed) On the root FortiGate, ensure that Allow downstream device REST API access is enabled, if the device requires REST API access to the root FortiGate, and select an administrator profile.

      The minimum permission required for the selected Administrator profile is Read/Write for User & Device (set authgrp read-write).

    See Configuring the root FortiGate and downstream FortiGates for details.

    Although optional, you can configure pre-authorization of the supported Fabric device on the root FortiGate. Pre-authorized devices can join the Security Fabric at any time, and do not require manual authorization in FortiOS. See Configuring pre-authorization of supported Security Fabric devices.

    The following table identifies commands used for adding supported devices to the Security Fabric.

    Command

    Description

    		 
    config system interface
    edit <port name>
        set allowaccess {protocols}
    next
end

    Specify management access to the port for the supported Security Fabric device.

    		 
    config system csf
    set status enable
    		Enable the Security Fabric on FortiGate. 
    config system csf
    set group-name <string>

    Specify a group name for the Security Fabric.

    		 
    config system csf
    set downstream-access enable
    		 On the root FortiGate of the Security Fabric, enable downstream access. 
    config system csf
    set downstream-accprofile <string>
    		 Specify the administration profile used for REST API access. 
    config system csf
     config trusted-list
    		 Configure pre-authorization for a device.

    In this example FortiNDR is added to the Security Fabric using the CLI.

    To add FortiNDR to the Security Fabric in the CLI:

    1. Configure the interface to allow other Security Fabric devices to join:

      config system interface
    edit "port1"
        set allowaccess ping https ssh http fgfm fabric
    next
end

    2. Enable the Security Fabric:

      config system csf
    set status enable
    set group-name "fabric-ai"
end

    3. In FortiNDR, configure the device to join the Security Fabric:

      config system csf
    set status enable
    set upstream-ip 10.6.30.14
    set managment-ip 10.6.30.251
end

    4. Authorize the FortiNDR in FortiOS:

      config system csf
    config trusted-list
        edit "FAIVMSTM21000000"
            set authorization-type certificate
            set certificate "*******************"
        next
    end
end
    Previous
    Next