Fabric of FortiManager-7.6.0-Deployment Guide
Uploaded by
IralaFabric of FortiManager-7.6.0-Deployment Guide
Uploaded by
IralaDeployment Guide
Fabric of FortiManager 7.6.0
FORTINET DOCUMENT LIBRARY
https://docs.fortinet.com
FORTINET VIDEO LIBRARY
https://video.fortinet.com
FORTINET BLOG
https://blog.fortinet.com
CUSTOMER SERVICE & SUPPORT
https://support.fortinet.com
FORTINET TRAINING & CERTIFICATION PROGRAM
https://www.fortinet.com/training-certification
FORTINET TRAINING INSTITUTE
https://training.fortinet.com
FORTIGUARD LABS
https://www.fortiguard.com
END USER LICENSE AGREEMENT
https://www.fortinet.com/doc/legal/EULA.pdf
FEEDBACK
Email: [email protected]
July 29, 2024
Fabric of FortiManager 7.6.0 Deployment Guide
02-760-1016630-20240729
TABLE OF CONTENTS
Change Log 4
Introduction 5
Fabric of FortiManager roles 5
Deployment architecture 6
Preparing for deployment 8
Requirements 8
Best practices 8
High availability 8
Configuring the Fabric of FortiManager 9
Configuring a supervisor 9
Configuring a member 11
Confirm the upstream connection and authorize members 12
Confirm the upstream connection 12
Authorize Fabric members 14
Removing members from the Fabric of FortiManager 16
Using the Fabric of FortiManager supervisor 17
Managing FortiGate devices 18
Adding devices to Fabric of FortiManager 18
Viewing managed devices by member 18
Moving managed devices between members 19
ADOMs 19
Member failure 19
Upgrading the Fabric of FortiManager 20
Fabric of FortiManager 7.6.0 Deployment Guide 3
Fortinet Inc.
Change Log
Date Change Description
2024-07-29 Initial release.
Fabric of FortiManager 7.6.0 Deployment Guide 4
Fortinet Inc.
Introduction
Fabric of FortiManager is a cluster architecture which enables the scalable and flexible deployments of up to 32 nodes to
enhance the performance in a large-scale environment. The Fabric of FortiManager enables centralized management of
policies and devices across multiple FortiManagers acting as members. In this mode, multiple Fabric of FortiManager
members form a Fabric with one device operating in supervisor mode as the root device. Policy and device information is
synchronized between members and the supervisor using the FortiManager API.
The Fabric of FortiManager is ideal for use in high volume environments with multiple FortiManagers managing many
FortiGate devices.
As your network grows and you add more devices, additional Fabric of FortiManager members can be onboarded and
FortiGates can be reassigned to them to help balance performance across the network.
This section includes the following topics:
l Fabric of FortiManager roles on page 5
l Deployment architecture on page 6
Fabric of FortiManager roles
Fabric of FortiManager includes two operation modes, including supervisor and member.
Supervisor The supervisor acts as the root device in the Fabric of FortiManager. There is only
one supervisor per Fabric of FortiManager.
The supervisor has the following role:
l View and manage FortiManager member devices.
l Assign managed FortiGates to members.
l Manage the ADOM database and Global database.
l Assign and install policy packages and objects to managed FortiGates.
Member Members are additional FortiManagers added to the Fabric. There can be many
Fabric of FortiManager members. The workload is shared between member
FortiManager devices to decrease overall installation time.
Members have the following roles:
l Manage the Device Database for their assigned devices.
l Establish the FGFM tunnel between FortiManager and FortiGate.
l Perform copy/install directly to a device when initiated from the supervisor.
l Store SD-WAN history when enabled.
l The supervisor will redirect API requests to the respective member. For
example, when a user logs into the supervisor and checks the VPN monitor
for a FortiGate, the supervisor will forward the JSON API request to the
FortiManager member that owns the FortiGate. This FortiManager member
will then send the JSON API request to the remote FortiGate. Once the
Fabric of FortiManager 7.6.0 Deployment Guide 5
Fortinet Inc.
Introduction
member receives the JSON API response from the remote FortiGate, it will
send the response back to the supervisor.
Deployment architecture
The following is an example of the topology that can make up the Fabric of FortiManager, with the root device acting as
the supervisor, and multiple Fabric of FortiManager members sending information to the supervisor.
l The Supervisor manages the ADOM database and Global database.
l Member devices manage the device database for their assigned FortiGate devices.
l The FGFM tunnel is established between the member and their assigned FortiGate devices.
l Policy packages and objects are configured on the supervisor. The copy/install process is performed by the
member device.
Fabric of FortiManager 7.6.0 Deployment Guide 6
Fortinet Inc.
Introduction
Fabric of FortiManager 7.6.0 Deployment Guide 7
Fortinet Inc.
Preparing for deployment
Preparing for deployment
This section includes the following topics:
l Requirements on page 8
l Best practices on page 8
Requirements
l Administrator with super-user permissions who can create the Fabric of FortiManager, enable the supervisor role,
authorize member join requests, and delete members.
l FortiManager Fabric Administrative Access must be enabled on the interface for both the supervisor and member
devices.
l Traffic must be allowed for port TCP 541 on the supervisor and the members.
l You can combine physical and virtual FortiManager appliances in the same Fabric of FortiManager.
Best practices
High availability
The Fabric of FortiManager supervisor and member devices can all be configured for high availability mode which adds
redundancy and limits service interruption in the case of device failure. Fortinet recommends that you configure the
supervisor as a cluster HA when configuring the Fabric of FortiManager.
See the FortiManager Administration Guide for information on configuring high availability.
Fabric of FortiManager 7.6.0 Deployment Guide 8
Fortinet Inc.
Configuring the Fabric of FortiManager
Configuring the Fabric of FortiManager
To configure a Fabric of FortiManager, you must configure a supervisor, one or more members, and enable Fabric of
FortiManager communication on the interfaces being used.
To configure the Fabric of FortiManager:
1. Configure the Fabric of FortiManager supervisor. See Configuring a supervisor on page 9.
2. Configure the Fabric of FortiManager member(s). See Configuring a member on page 11.
3. Confirm the upstream connection and authorize member devices. See Confirm the upstream connection and
authorize members on page 12.
Once the supervisor and the members are connected and synchronized, a topology of devices included in the Fabric of
FortiManager are displayed in System Settings > Fabric Management > Fabric Settings. Hover over the role of the
supervisor or a member in the topology to display more information about that device.
If member devices are removed from the Fabric of FortiManager, their managed Fabric devices are migrated to the
supervisor. See Removing members from the Fabric of FortiManager on page 16.
Configuring a supervisor
To configure the Fabric of FortiManager supervisor :
1. Access the GUI of the Fabric of FortiManager supervisor.
2. Enable administrative access to the interface.
a. Go to System Settings > Network.
b. Edit the interface to be used for communication between the supervisor and members.
Fabric of FortiManager 7.6.0 Deployment Guide 9
Fortinet Inc.
Configuring the Fabric of FortiManager
c. Under Administrative Access, enable FortiManager Fabric, and click OK.
3. Go to System Settings > Fabric Management > Fabric Settings.
4. Configure the following information:
Status Enabled.
Role Supervisor.
Fabric Name Enter a name for the Fabric of FortiManager.
Session Port Configure the session port, or use the default (8013).
Secure Connection Enable or disable secure connection.
5. Click Apply.
You can now configure Fabric of FortiManager members.
Fabric of FortiManager 7.6.0 Deployment Guide 10
Fortinet Inc.
Configuring the Fabric of FortiManager
Configuring a member
To configure Fabric of FortiManager members:
1. Access the GUI of the Fabric of FortiManager member.
2. Enable administrative access to the interface.
a. Go to System Settings > Network.
b. Edit the interface to be used for communication between the supervisor and members.
c. Under Administrative Access, enable FortiManager Fabric, and click OK.
3. Go to System Settings > Fabric Management > Fabric Settings.
4. Configure the following information:
Status Enabled.
Role Member.
Fabric of FortiManager 7.6.0 Deployment Guide 11
Fortinet Inc.
Configuring the Fabric of FortiManager
Fabric Name Enter a name of the Fabric of FortiManager. This can be the same name
entered when configuring the Fabric of FortiManager supervisor.
Upstream IP Enter the IP address of the Fabric of FortiManager supervisor.
Session Port Configure the session port, or use the default (8013). This must be the same
session port used when configuring the Fabric of FortiManager supervisor.
Secure Connection Enable or disable secure connection.
5. Click Apply.
After a few minutes, the Fabric of FortiManager member will recognize the supervisor and a Fabric Members
topology is displayed on both the members and supervisor configuration panes.
6. You can now confirm the upstream connection and authorize the member device. See Confirm the upstream
connection and authorize members on page 12
Confirm the upstream connection and authorize members
After the members are configured, you must confirm the serial number of the upstream supervisor and authorize the
member device.
Confirmation of the upstream supervisor's serial number occurs on each Fabric of FortiManager member; authorization
of member devices occurs on the supervisor.
l Confirm the upstream connection on page 12
l Authorize Fabric members on page 14
Confirm the upstream connection
To confirm the upstream connection to the supervisor:
1. Access the GUI of a Fabric of FortiManager member device.
2. Go to System Settings > Fabric Management > Fabric Settings.
When the member has detected the supervisor based on the configured settings, an Upstream Confirmation field is
displayed which shows the detected serial number of the supervisor device.
Fabric of FortiManager 7.6.0 Deployment Guide 12
Fortinet Inc.
Configuring the Fabric of FortiManager
3. Review the Fabric of FortiManager supervisor serial number, and click Confirm if it is correct.
4. A message is displayed indicating that you will be joining the Fabric of FortiManager. Click OK.
After a few moments, the Upstream Confirmation field will display Confirmed.
5. Repeat these steps for each Fabric of FortiManager member device.
Fabric of FortiManager 7.6.0 Deployment Guide 13
Fortinet Inc.
Configuring the Fabric of FortiManager
Authorize Fabric members
To authorize Fabric of FortiManager members:
1. Access the GUI of the Fabric of FortiManager supervisor.
2. Go to System Settings > Fabric Management > Fabric Settings.
3. Fabric of FortiManager members are displayed in the Fabric Members topology with the option to Authorize or
Reject the connection.
4. Click Authorize on the member device that you want to add to the Fabric of FortiManager.
5. A confirmation message appears. Click OK to complete the authorization.
Fabric of FortiManager 7.6.0 Deployment Guide 14
Fortinet Inc.
Configuring the Fabric of FortiManager
A message indicates that authorization was completed successfully.
Hover your mouse over the member to see the authorization state and device information.
Fabric of FortiManager 7.6.0 Deployment Guide 15
Fortinet Inc.
Configuring the Fabric of FortiManager
When you access a member device that was added to a Fabric of FortiManager, a warning message is displayed
informing the user that most changes to the configuration database can only be made on the Fabric supervisor unit,
and then those changes are synchronized to the Fabric member unit.
Removing members from the Fabric of FortiManager
When a member is removed from the Fabric of FortiManager, its managed devices are migrated to the supervisor.
To remove members from the Fabric of FortiManager:
1. Access the GUI of the Fabric of FortiManager supervisor.
2. Go to System Settings > Fabric Management > Fabric Settings.
3. In the Fabric Members topology, hover your mouse over a member and click Remove.
4. Review the confirmation message, and click OK.
After some time, the member's managed devices will be migrated to the supervisor, and the member will be
removed from the Fabric of FortiManager.
Fabric of FortiManager 7.6.0 Deployment Guide 16
Fortinet Inc.
Using the Fabric of FortiManager supervisor
Using the Fabric of FortiManager supervisor
The Fabric of FortiManager device operating as the supervisor has access to all of the regular FortiManager features.
This guide identifies the unique features and functions available as part of the Fabric of FortiManager.
For information about using features that are not unique to the Fabric of FortiManager, see the
FortiManager Administration Guide.
Device Manager Central management, templates, and visibility for each Fabric of FortiManager
member's Fabric devices.
For more information on using the Device Manager on the Fabric of FortiManager
supervisor, see Managing FortiGate devices on page 18
Policy & Objects Policy & Objects enables you to centrally manage and configure the devices that
are managed by the supervisor. This includes the basic network settings to
connect the device to the corporate network, antivirus definitions, intrusion
protection signatures, access rules, and managing and updating firmware for the
devices.
For more information, see Policy & Objects.
VPN Manager Use the VPN Manager pane to enable and use central VPN management. You
can view and configure IPsec VPN and SSL-VPN settings that you can install to
one or more devices.
For more information, see VPN Manager.
AP Manager The AP Manager pane allows you to manage FortiAP access points that are
controlled by FortiGate devices and are managed by FortiManager supervisor.
For more information, see AP Manager.
FortiSwitch Manager The FortiSwitch Manager pane allows you to manage FortiSwitch devices that are
controlled by FortiGate devices that are managed by FortiManager supervisor.
For more information, see FortiSwitch Manager.
Extender Manager The Extender Manager module allows you to manage connected FortiExtenders.
For more information, see Extender Manager.
Fabric View The Fabric View module enables you to view Security Fabric Ratings of
configurations for FortiGate Security Fabric groups as well as create fabric
connectors.
For more information, see Fabric View.
FortiAI Access to the FortiAI assistant. This feature requires a valid FortiAI license on the
supervisor.
FortiGuard Configure FortiGuard settings.
For more information, see FortiGuard.
System Settings Manage the device settings, including Fabric of FortiManager settings.
For more information, see System Settings and Configuring the Fabric of
FortiManager on page 9.
Fabric of FortiManager 7.6.0 Deployment Guide 17
Fortinet Inc.
Using the Fabric of FortiManager supervisor
Management Extensions The Management Extensions pane allows you to enable licensed applications
that are released and signed by Fortinet. The applications are installed and run on
FortiManager supervisor.
For more information, see Management Extensions.
Managing FortiGate devices
In the Fabric of FortiManager supervisor, the Device Manager is used to collect and display information from devices
managed by members, manage devices, and perform installation and copy procedures similar to in a regular Fabric of
FortiManager deployment.
Adding devices to Fabric of FortiManager
To add a new managed device to the Fabric of FortiManager:
1. Log in to the Fabric of FortiManager supervisor.
2. Go to Device Manager > Device & Groups.
3. Click Add Device > Discover Device.
4. Provide information about the online device.
5. In the Fabric Member field, select a Fabric of FortiManager member to manage the device. Click Next.
6. On the Discover Device page, you can confirm the serial number of the Fabric of FortiManager member device.
Click Next to add the device.
After the device is added, it is automatically synchronized to the selected Fabric of FortiManager member, and
management of the device can be performed directly from the Fabric of FortiManager supervisor.
Viewing managed devices by member
After managed devices have been onboarded to the Fabric of FortiManager, they will be displayed in the Device
Manager on the supervisor and assigned member. You can use the supervisor to centrally manage managed devices
across all members. By default, the devices assigned to all members are displayed in the Device Manager, and you can
filter the displayed results by member using the widgets at the top of the page or by using the Fabric Member column in
the table.
To filter managed devices by member:
1. Log in to the Fabric of FortiManager supervisor.
2. Go to Device Manager > Device & Groups.
l In the Devices Managed by... widget, click a Fabric of FortiManager member in the circle chart or choose the
filter icon to select one or more member devices. The device table is filtered based on the selection.
l In the device table, select the Fabric Member column and select one or more member devices. The device
table is filtered based on the selection.
Fabric of FortiManager 7.6.0 Deployment Guide 18
Fortinet Inc.
Using the Fabric of FortiManager supervisor
Moving managed devices between members
To move FortiGate devices between members:
1. Log in to the Fabric of FortiManager supervisor.
2. Go to Device Manager > Device & Groups.
3. Right-click on a device that is currently managed by a member device.
4. Click Move to FMG Member from the context menu. The Move to FMG Member dialog appears.
5. Select a target FortiManager Member device in the Available Entries table and move it to the Selected Entries table
using the > button, and click OK.
The FortiGate device is moved to the new Fabric of FortiManager member.
ADOMs
ADOMs are shared by the Fabric of FortiManager supervisor and all members. Each member has the full list of ADOMs,
including any that do not contain devices for that member.
The following explains how Fabric of FortiManager handles ADOMs:
l When an ADOM is created on the supervisor, that ADOM is automatically synchronized to all member devices.
l When a new member joins the Fabric of FortiManager with an ADOM that does not already exist in the Fabric of
FortiManager, the ADOM is added to the supervisor and all member devices.
l All new ADOMs should be created directly on the supervisor excepting any that are added while onboarding new
members.
For more information on ADOMs, see the FortiManager Administration Guide.
Member failure
When a Fabric of FortiManager member fails, the managed devices registered to that member will be registered to the
supervisor.
You can find these devices under Device Groups > Unauthorized Devices. These devices can be reauthorized and
moved to the preferred member device. See Managing FortiGate devices on page 18.
Fabric of FortiManager 7.6.0 Deployment Guide 19
Fortinet Inc.
Upgrading the Fabric of FortiManager
Upgrading the Fabric of FortiManager
Upgrading of the Fabric of FortiManager firmware can be completed by upgrading the supervisor. When the Fabric of
FortiManager supervisor firmware version is updated, all member devices will automatically be upgraded to the same
firmware version. This ensures that the supervisor and member devices are all operating on the same firmware release
version at all times.
For more information on firmware upgrades, see the FortiManager Administration Guide.
Fabric of FortiManager 7.6.0 Deployment Guide 20
Fortinet Inc.
www.fortinet.com
Copyright© 2024 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein
may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were
attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance
results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract,
signed by Fortinet’s Chief Legal Officer, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only
the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal
conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change,
modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.
