Skip to main content
Rathan_FTNT
Staff
Rathan_FTNT
Staff
October 8, 2020

Technical Tip: Configuring the root FortiGate and downstream FortiGates in Security Fabric

  • October 8, 2020
  • 1 reply
  • 45915 views

Description

 

This article describes how to configure a typical Security Fabric implementation, where the edge FortiGate is the root FortiGate, and the downstream FortiGates are all units that are downstream from the root FortiGate.

 

Scope

 

FortiGate.

Solution

 

Prerequisites.

 

  • FortiGate has to be operating in NAT mode.
  • On FortiOS 7.2.6 and 7.4.1, FortiGate devices with 2GB of RAM such as 40F, 60E, 60F, 80E, and 90E series cannot be the root or mid-tier part of the Security Fabric. These FortiGates can only join a Security Fabric as a downstream device. Refer to the release notes for more information.


Configure the root FortiGate.

The edge FortiGate is typically configured as the root FortiGate, as this allow to view the full topology of the Security Fabric from the top down.

To configure the root FortiGate.

 

  1. On the root FortiGate, go to Security Fabric -> Fabric Connectors and select the Security Fabric Setup card.
  2. For Status, select 'Enable'.
  3. Set the Security Fabric role to Serve as Fabric Root. FortiAnalyzer logging is automatically enabled and the settings can be configured.

 

 
  1. Enter the FortiAnalyzer IP and select and Upload option.
  2. In the FortiAnalyzer Logging section, in the IP address field, enter the IP address of the FortiAnalyzer.
  3. If required, enable 'Allow access' to FortiGate REST API and, optionally, Verify FortiAnalyzer certificate.

    The REST API accesses the FortiGate topology and shares data and results.
    The FortiGate will verify the FortiAnalyzer by retrieving its serial number and checking it against the FortiAnalyzer certificate.
    When verified, the FortiAnalyzer serial number is stored in the FortiGate configuration.
    When authorizing the FortiGate on the FortiAnalyzer, the FortiGate admin credentials do not need to be entered.

  4. Select 'Test Connectivity'.

    If Test Connectivity is selected and this is the first time that the FortiGate is connected to the FortiAnalyzer, a warning message will be received because the FortiGate has not yet been authorized on the FortiAnalyzer.
    Configure this authorization during the configuration of the FortiAnalyzer.

    See Configuring FortiAnalyzer.

  5. Select 'OK'. The FortiAnalyzer serial number is verified.
  6. Enter a Fabric name.
  7. Ensure Allow other Security Fabric units to join is enabled and add the interfaces.
  8. Select 'OK'.
 
Using the root FortiGate with disk to store historic user and unit information.

This backend implementation allows the root FortiGate in a Security Fabric to store historic user and unit information in a database on its disk.
This will allow administrators to visualize users and units over a period of time.
 
A new daemon, user_info_history, stores this data on the disk.
The information source for the historical data will be the user_info daemon, which is recorded on the disk when user_info notifies user_info_history that a user has logged out or the unit is no longer connected.
 
Add downstream units.
 
Downstream FortiGate units can be securely added to the Security Fabric without sharing the password of the root FortiGate.
Downstream unit serial numbers can be authorized from the root FortiGate, or allowed to join by request.
New authorization requests include the unit serial number, IP address, and HA members.
HA members can include up to four serial numbers and is used to ensure that, in the event of a fail over, the secondary FortiGate is still authorized.
A maximum of 35 downstream FortiGates is recommended.  More than 35 downstream devices might cause root FortiGate fails to load the physical/logical topology GUI pages based on the lab testing. 
 
Pre-authorizing the downstream FortiGate.
 
When a downstream Fortinet unit's serial number is added to the trusted list on the root FortiGate, the unit can join the Security Fabric as soon as it connects.
After the new unit is authorized, connected FortiAP and FortiSwitch units are automatically included in the topology, where there can be authorized with one selection.
The interface that connects to the downstream FortiGate has to have Security Fabric Connection enabled.
 
To pre-authorize a FortiGate.
 
  1. On the root FortiGate, go to Security Fabric -> Fabric Connectors and select the Security Fabric Setup card.
  2. In the Pre-authorized units , select 'Edit'. The Pre-Authorized units window opens.
  3. Add a new FortiGate to the list using the downstream unit's serial number.
 
 
  1. On the downstream FortiGate, go to Security Fabric -> Fabric Connectors and select the Security Fabric Setup card.
  2. For Status, select 'Enable'.
  3. Set the Security Fabric role to Join Existing Fabric.
  4. Enter the IP address of the root FortiGate in the Upstream FortiGate IP field.
  5. Select 'OK'.
  6. On the root FortiGate, go to Security Fabric -> Physical Topology and verify that the downstream FortiGate which has been added appears in the Security Fabric topology.
 
 
Using LLDP.
Automatically prompt downstream FortiGate to join the Security Fabric using Link Layer Discovery Protocol (LLDP) and interface role assignments is possible.
 
  1. On the root FortiGate, assign the LAN role to all interfaces that connect to downstream FortiGate. When the LAN role is assigned to an interface, LLDP transmission is enabled by default.
  2. When a downstream FortiGate is installed, assign the WAN role to the interface that connects to the upstream FortiGate. When the WAN role is assigned, LLDP reception is enabled by default.
    The newly installed FortiGate uses LLDP to discover the upstream FortiGate, and the administrator is prompted to configure the FortiGate to join the Security Fabric.
  3. On the root FortiGate, the new FortiGate has to be authorized before it can join the Security Fabric. If the network contains switches or routers, LLDP may not function as expected because some units do not pass LLDP packets.
 
Unit request.
A unit can request to join the Security Fabric from another FortiGate, but it has to have the IP address of the root FortiGate.
The administrator of the root FortiGate has to also authorize the unit before it can join the Security Fabric.
The root FortiGate has to have Security Fabric Connection enabled on the interface that the device connects to.
 
To enable FortiTelemetry on an interface:
  1. Go to Network -> Interfaces.
  2. Edit the interface the unit that is authorized to join the Security Fabric.
  3. Under Administrative Access, enable Security Fabric Connection.
  4. Under Network, turn on 'Device Detection'.
 
To join the Security Fabric by device request:
  1. Connect to the unauthorized FortiGate or FortiWiFi , and go to Security Fabric -> Fabric Connectors and select the Security Fabric Setup card.
  2. For Status, select 'Enable'.
  3. Set Security Fabric role to Join Existing Fabric.
  4. Set Upstream FortiGate IP to the IP address of the upstream FortiGate.
  5. Connect to the root FortiGate and go to Security Fabric -> Fabric Connectors. The new FortiGate appears in the topology tree as unauthorized.
  6. Select the unauthorized unit and select 'Authorize'.
 
CLI commands.
Use the following commands to view, accept, and deny authorization requests, to view upstream and downstream units, and to list or test fabric units:
 
 

Desynchronizing settings.
By default, the settings for FortiAnalyzer logging, central management, sandbox inspection, and FortiClient EMS are synchronized between all FortiGate in the Security Fabric.
To disable the automatic synchronization of these settings, use the following CLI command:
 
config system csf
    set configuration-sync local
end
 
Deauthorizing a unit.

A unit can be deauthorized to remove it from the Security Fabric.
 
To deauthorize a device:
 
  1. On the root FortiGate, go to Security Fabric -> Fabric Connectors.
  2. In the topology tree, select the unit and select 'Deauthorize'.
 
After units are deauthorized, units' serial numbers are saved in a trusted list that can be viewed in the CLI using the show system CSF command. For example, this result shows a deauthorized FortiSwitch:
 
show system csf
config system csf
    set status enable
    set group-name "Office-Security-Fabric"
    set group-password ENC 1Z2X3-----8
config trusted-list
    edit "FGT6HD391-----0"
next
edit "S248DF3X17-----2"
set action deny
next
end
end
end
 

    1 reply

    crao
    Staff
    crao
    Staff
    August 18, 2023

    Thanks for sharing.

    Terms & ConditionsAccessibility statement