Fortinet Security Fabric in Practice. Part 4. Mutual integration

Good day! In our previous articles, we talked about the concept Fortinet Security Fabricand also described products FortiSwitch and FortiAP… Now it’s time to look at the process of mutual integration of the “security factory” products in practice, as well as to get acquainted with the possibilities that this integration provides. In this article, we will consider exactly the integration process – we will try to build the network in question. here

Before you start building a network, you need to decide the next question – choose the version of the operating system for each product. This question is very important: if you choose the wrong version of the operating system for at least one product, various problems are possible during the integration and interaction of this product with others.

We will start from the core of our “security factory” – FortiGate. Let’s choose the newest version, at the moment it is 6.4.3. Now let’s select the version of the operating system for FortiAnalyzer. For this we will use this document… In the left column you need to find the required OS version on FortiGate, in our case it is 6.4.3. Now we are looking for the fields marked with a check mark: this means that the version of FortiAnalyzer OS indicated in this column is compatible with version 6.4.3 for FortiGate. In our case, there is only one compatible version – 6.4.3. Accordingly, we choose it.

To select the FortiSwitch operating system, use this document… It shows that two FortiSwitch OSs are suitable for version 6.4.3 of FortiGate – 6.4.3 and 6.4.4. In such cases, the vendor recommends choosing the latest version. So let’s do it.

Now let’s select the version of the operating system for FortiAP. This will help us next resource… We are testing the FortiAP-U421EV model, so go to the FortiAP-U section, look for the FortiOS 6.4.x compatibility item, and look for a suitable FortiAP-U421EV OS version for FG 6.4.3. This is version 6.0.4.

Remained FortiClient EMS. Consider this document… From it you can see that we need a 6.4.x OS version on FortiClient EMS. By tradition, let’s take the last one.

Now that we have decided on the versions of operating systems, it’s time to move on to integration. Let’s start with the simplest step – integrating FortiGate and FortiAnalyzer. To do this, from the FortiGate side, go to the Log Settings -> Remote Logging and Archiving menu. In this section, you need to activate sending logs to FortiAnalyzer / FortiManager and use the FortiAnalyzer IP address. It is better to set the period for sending logs to Real Time, so that FortiAnalyzer has up-to-date information at any time. After all the settings are specified, you must click on the Test Connectivity button. Thus, we will send a request to authorize our device to FortiAnalyzer:

Now let’s go to FortiAnalyzer in the Device Manager menu. We now have one unauthorized device in the list:

Click on the Authorize button:

This completes the integration of FortiGate and FortiAnalyzer. Let’s move on to the integration of FortiGate and FortiSwitch. For this integration, you need to configure the FortiLink interface:

In the Interface Member field, select the interfaces that will serve as FortiLink – it can be one or more interfaces. In FortiGate 61F, FortiLink is assigned 2 interfaces by default. The Address field contains the address of the FortiLink interface and the subnet mask – all connected FortiSwitch devices will belong to this subnet. Next are the settings for distributing IP addresses for connected FortiSwitch devices. These settings are enough for us to integrate, now go to the Managed FortiSwitch menu.

If FortiSwitch is physically connected to the interface on which FortiLink is running, it should automatically appear in the list of devices and have the unauthorize status. We’ll look at a way to manually add FortiSwithc. To do this, click on the Create New button. In the window that appears, enter the serial number of FortiSwitch, and also give it a name:

Now our FortiSwitch has appeared in the list of devices. We authorize it using the Authorize button. After that, you need to wait a bit for FortiSwitch to receive Online status:

From the information provided, we can see that FortiSwitch is running on OS 6.2.3. Therefore, we need to update it to version 6.4.4. The image of this version must be taken from technical support portal under Download -> Firmware Images -> FortiSwitch. Here you need to select the required version, and then the image for a specific model. Next, go back to FortiGate, select the required FortiSwitch and click on the Upgrade button. In the Upload menu, upload the required image and click Upgrade. After a few minutes, the update will be installed on the FortiSwitch.

Now let’s move on to FortiAP. It is connected to FortiSwitch on port 4. According to the scheme we developed here, we need to create a separate VLAN for it:

In order for FortiAP to be managed by the FG, the Security Fabric Connection option must be enabled in the Administrative Access field. Leave the rest of the settings as default. Now go to the FortiSwitch Ports field and set Native Vlan – WLAN in the 4 port settings:

Now go to the Managed FortiAP field. The required access point has appeared in the list, we authorize it. Go to the access point settings and configure the parameters as follows:

After these settings, the status of the access point changes to Online. Now you need to update the access point to version 6.0.4. To do this, in the list of available access points, right-click on the required one and select the Upgrade function. This time we will use another update option – through FortiGuard. In this case, there is no need to download the image from the support site, and then upload it to the device – the required image will be downloaded automatically when the update starts.

After the update, the integration of the access point into our security factory can be considered complete. The last stage remains – the integration of FortiClient EMS.

To do this, on FortiGate, go to the Security Fabric -> Fabric Connector -> Create New -> FortiClient EMS menu. Here we indicate the name of the connector, as well as the IP address of the server on which FortiClient EMS is installed.

It is also necessary to authorize the FortiClient EMS certificate from the FortiGate side. To do this, in the right part of the window opposite the Certificate – Not Authorized inscription, click on the Authorize button and then click Accept.

Now you need to authorize FortiGate from the FortiClient EMS side. Going to FortiClient EMS we will see a request with information about the FortiGate that is trying to connect. Let’s authorize it:

We have installed the latest version of FortiClient EMS – 6.4.1. Therefore, the integration of the FortiClient EMS into the security factory can also be considered complete.

I think you have noticed that the integration process itself is not difficult – this is what we wanted to show. In the next article, we’ll look at working with an integrated factory and explore the possibilities it offers. In order not to miss new materials, subscribe to updates of our channels:

Youtube channel

Vkontakte community

Yandex Zen

Our website

Telegram channel

Similar Posts

Leave a Reply