filiaks1
New Contributor II

What is the Fortinet protocol that is used for Security Fabric communication and is it encrypted?

Hello,

I got interested in Forti Fabric, but I see that there is not a lot of data on the communication that Forti Fabric uses.

I know that the device discovery is based on LLDP (https://docs.fortinet.com/document/fortigate/7.2.4/administration-guide/224074/leveraging-lldp-to-si...), but after that there is not a lot of info on whether the communication is encrypted by SSL/TLS or like SSH.

I found the article below, but it only says that the log transmission to FortiAnalyzer can be encrypted, but I know FortiAnalyzer is a crucial part of Security Fabric.

https://help.fortinet.com/fortiproxy/11/Content/Admin%20Guides/FPX-AdminGuide/300_System/306_Securit...

Also, it is interesting whether, when doing automation on the fabric, the REST API is used or the Forti Fabric protocol, as for example I see that automation stitches are only configured under the Security Fabric, and from what I read an automation stitch can involve multiple Forti devices that are part of the fabric, like stopping the source IP and MAC on the firewalls but also on the Forti switches, and cool stuff like that.

Cool article that I found:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Restart-WAD-when-conserve-mode-hits-Automa...

I am starting to wonder if Forti Fabric is not LLDP for discovery, then FortiAnalyzer for logging (also, the devices probably share in the logs with the analyzer what they discovered by LLDP), and the REST API for automating stuff (especially if there is FortiManager added as an optional component to the fabric). Maybe there is no proprietary protocol involved.

Any info is appreciated :)

5 REPLIES
gfleming
Staff

The "Fabric" is not just one protocol. As you've already discovered, it uses LLDP for Switch and AP discovery as well as FortiLink (proprietary CAPWAP) for control. There's also the API integrations using HTTPS. And others...

To answer your question though, yes, all communications are secured and encrypted. Specifically FortiLink

Cheers,
Graham
filiaks1
New Contributor II

I found this article below and now I see that the root firewall (this makes me ask what happens if the root firewall goes down, but maybe this is a question for another time and if I do not find a well documented answer :) ) is the only one where automation stitches can be created (strange that FortiManager lacks this option), and maybe "enable 'Allow access' to FortiGate REST API" should also be checked in the Security Fabric for the automations to work, so I am starting to think that the automations use the API to trigger stuff on the Security Fabric.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-the-root-FortiGate-and-downstr...

It is still interesting what protocol is used for communication between the Security Fabric devices, and its encryption, outside of the logging to the analyzer, which can be encrypted, or the API that I think is for automation stitches to work.

gfleming
Staff

FortiManager would not have any role in automation stitch creation—it is responsible for config management only. FortiAnalyzer, on the other hand (which is a required part of the Fabric), will do Automation stitches and playbooks.

If you are asking what protocol is used for the FortiGate fabric sync between other FortiGates, it is using UDP port 8014. https://docs.fortinet.com/document/fortigate/7.2.0/fortios-ports/637075/incoming-ports

Cheers,
Graham
filiaks1
New Contributor II

Thanks for the fast reply.

Then the FortiAnalyzer is the one using the API to manage the automations, and this is why "enable 'Allow access' to FortiGate REST API" needs to be clicked, or am I wrong?

Also, I suspect the Forti Fabric communication is secured and encrypted, so no MITM attacks can capture or see the traffic in clear text?

gfleming

You are correct on both points, yes.

Cheers,
Graham