Fortinet white logo
Fortinet white logo

Administration Guide

Preparing FortiGate for supported Security Fabric devices

Preparing FortiGate for supported Security Fabric devices

Before adding supported Security Fabric devices to FortiGate, ensure the following:

  • On FortiGate, ensure that Security Fabric is enabled.

  • On the root FortiGate of the Security Fabric, ensure that Allow other Security Fabric devices to join is enabled.

  • On the root FortiGate, ensure that the appropriate interface is enabled to listen for supported Fabric devices.

  • (As needed) On the root FortiGate, ensure that Allow downstream device REST API access is enabled, if the device requires REST API access to the root FortiGate, and select an administrator profile.

    The minimum permission required for the selected Administrator profile is Read/Write for User & Device (set authgrp read-write).

See Configuring the root FortiGate and downstream FortiGates for details.

Although optional, you can configure pre-authorization of the supported Fabric device on the root FortiGate. Pre-authorized devices can join the Security Fabric at any time, and do not require manual authorization in FortiOS. See Configuring pre-authorization of supported Security Fabric devices.

The following table identifies commands used for adding supported devices to the Security Fabric.

Command

Description

config system interface
    edit <port name>
        set allowaccess {protocols}
    next
end

Specify management access to the port for the supported Security Fabric device.

config system csf
    set status enable 
Enable the Security Fabric on FortiGate.
config system csf
    set group-name <string>

Specify a group name for the Security Fabric.

config system csf
    set downstream-access enable
On the root FortiGate of the Security Fabric, enable downstream access.
config system csf
    set downstream-accprofile <string>
Specify the administration profile used for REST API access.
config system csf
     config trusted-list
Configure pre-authorization for a device.

In this example FortiNDR is added to the Security Fabric using the CLI.

To add FortiNDR to the Security Fabric in the CLI:
  1. Configure the interface to allow other Security Fabric devices to join:

    config system interface
        edit "port1"
            set allowaccess ping https ssh http fgfm fabric
        next
    end
  2. Enable the Security Fabric:

    config system csf
        set status enable
        set group-name "fabric-ai"
    end
  3. In FortiNDR, configure the device to join the Security Fabric:

    config system csf
        set status enable
        set upstream-ip 10.6.30.14
        set managment-ip 10.6.30.251
    end
  4. Authorize the FortiNDR in FortiOS:

    config system csf
        config trusted-list
            edit "FAIVMSTM21000000"
                set authorization-type certificate
                set certificate "*******************"
            next
        end
    end

Preparing FortiGate for supported Security Fabric devices

Preparing FortiGate for supported Security Fabric devices

Before adding supported Security Fabric devices to FortiGate, ensure the following:

  • On FortiGate, ensure that Security Fabric is enabled.

  • On the root FortiGate of the Security Fabric, ensure that Allow other Security Fabric devices to join is enabled.

  • On the root FortiGate, ensure that the appropriate interface is enabled to listen for supported Fabric devices.

  • (As needed) On the root FortiGate, ensure that Allow downstream device REST API access is enabled, if the device requires REST API access to the root FortiGate, and select an administrator profile.

    The minimum permission required for the selected Administrator profile is Read/Write for User & Device (set authgrp read-write).

See Configuring the root FortiGate and downstream FortiGates for details.

Although optional, you can configure pre-authorization of the supported Fabric device on the root FortiGate. Pre-authorized devices can join the Security Fabric at any time, and do not require manual authorization in FortiOS. See Configuring pre-authorization of supported Security Fabric devices.

The following table identifies commands used for adding supported devices to the Security Fabric.

Command

Description

config system interface
    edit <port name>
        set allowaccess {protocols}
    next
end

Specify management access to the port for the supported Security Fabric device.

config system csf
    set status enable 
Enable the Security Fabric on FortiGate.
config system csf
    set group-name <string>

Specify a group name for the Security Fabric.

config system csf
    set downstream-access enable
On the root FortiGate of the Security Fabric, enable downstream access.
config system csf
    set downstream-accprofile <string>
Specify the administration profile used for REST API access.
config system csf
     config trusted-list
Configure pre-authorization for a device.

In this example FortiNDR is added to the Security Fabric using the CLI.

To add FortiNDR to the Security Fabric in the CLI:
  1. Configure the interface to allow other Security Fabric devices to join:

    config system interface
        edit "port1"
            set allowaccess ping https ssh http fgfm fabric
        next
    end
  2. Enable the Security Fabric:

    config system csf
        set status enable
        set group-name "fabric-ai"
    end
  3. In FortiNDR, configure the device to join the Security Fabric:

    config system csf
        set status enable
        set upstream-ip 10.6.30.14
        set managment-ip 10.6.30.251
    end
  4. Authorize the FortiNDR in FortiOS:

    config system csf
        config trusted-list
            edit "FAIVMSTM21000000"
                set authorization-type certificate
                set certificate "*******************"
            next
        end
    end