gakshay
Staff
May 27, 2020

Technical Tip: Security fabric connection setting


Description


This article describes how to configure security fabric connection settings.

 

Scope

 

FortiGate v6.4 and later.

Solution


To enable the Security Fabric, both FortiTelemetry and CAPWAP options must be enabled. In firmware versions before 6.4, these options had to be enabled separately under the Administrative Access section.

 

Starting with version 6.4, however, the two protocols are combined into a single option called Security Fabric Connection.

 
Sample Configuration:
 
To enable this in the CLI:
 
config system interface
    edit "AccessPoints"
        set vdom "root"
        set allowaccess fabric     <------- Security Fabric access enabled.
        set type vlan
    next
end
 
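Note: 'set allowaccess' replaces the interface's existing list of allowed protocols, so any other access methods that must stay enabled on the interface have to be listed on the same line.
 
Note: The above example uses a VLAN interface called 'AccessPoints'; it is also possible to use a physical interface directly on the FortiGate. In this case (using physical port3 as an example), the configuration would be as follows: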
 
config system interface
    edit "port3"
        set vdom "root"
        set allowaccess fabric     <------- Security Fabric access enabled.
        set type physical
    next
end
 
Note: Due to PSIRT advisory FG-IR-25-084, it is recommended to upgrade to a firmware version where the vulnerability has been fixed.
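 
The following is an added example, not part of the original article or any Fortinet tooling: a Python function that reads a FortiOS configuration backup and lists every interface whose allowaccess includes fabric, to confirm the option is enabled only where Security Fabric devices actually connect. The sample configuration is constructed, and the function name fabric_interfaces is an assumption of this example.

```python
import shlex

# Constructed sample of a FortiOS configuration backup (not from a real device).
SAMPLE_CONFIG = """\
config system interface
    edit "port1"
        set allowaccess ping https ssh
        config ipv6
            set ip6-allowaccess ping
        end
    next
    edit "port3"
        set allowaccess ping fabric
        set type physical
    next
    edit "AccessPoints"
        set allowaccess fabric
        set type vlan
    next
end
config firewall address
    edit "fabric"
    next
end
"""

def fabric_interfaces(config_text):
    """Return (name, type, allowaccess) for each interface that allows 'fabric'."""
    ifaces, depth, section, current = {}, 0, None, None
    for raw in config_text.splitlines():
        try:
            tok = shlex.split(raw)
        except ValueError:  # unbalanced quotes, e.g. part of a multi-line value
            tok = raw.split()
        cmd = tok[0] if tok else ""
        if cmd == "config":
            depth += 1
            if section is None and tok[1:] == ["system", "interface"]:
                section = depth  # also matches when nested under "config global"
        elif cmd == "end":
            if depth == section:
                section = None   # left the interface table
            depth -= 1
        elif depth == section and cmd == "edit" and len(tok) > 1:
            current = ifaces.setdefault(tok[1], {})
        elif depth == section and cmd == "set" and current is not None and len(tok) > 2:
            current[tok[1]] = tok[2:]  # nested blocks (depth > section) are skipped
    return [(n, a.get("type", ["unknown"])[0], a["allowaccess"])
            for n, a in ifaces.items() if "fabric" in a.get("allowaccess", [])]
```

Call fabric_interfaces() with the text of a saved configuration file; on the constructed sample it reports port3 and AccessPoints and ignores the firewall address object that happens to be named "fabric".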