Add Fortinet devices

Relevant for: AFA Administrators

This topic describes how Fortinet FortiManager and FortiGate devices are connected to AFA.

Fortinet network connections

The following image shows an ASMS Central Manager or Remote Agent connected to Fortinet FortiManager and FortiGate devices.

Note: If syslog messages are sent via FortiAnalyzer device, a separate connection is required.

Back to top

FortiManager device permissions

ASMS requires the following permissions when connecting to FortiManager devices:

Back to top

FortiGate device permissions

AFA requires read-only permissions to connect to Fortigate devices.

In the FortiGate web interface, in the Admin Profile configuration > Access Control, select an option that is at least read-only.

  • If device configuration consists of VDOMs, the user must be configured with set scope global. Users configured with set scope vdom are not supported for AFA.
  • If the FortiGate device is defined directly in AFA as opposed to via a FortiManager device, AFA does not support a user defined only on the managing FortiManager.

Back to top

Add a Fortinet FortiManager device to AFA

This procedure describes how to add a Fortinet FortiManager device to AFA.

Do the following:

  1. Access the Devices Setup page. For details, see Access the DEVICES SETUP page.
  2. In the vendor and device selection page, select Fortinet > FortiManager.
  3. Complete the fields as needed.

  4. If you enabled ActiveChange, the ActiveChange License Agreement dialog box appears.

    Select I Agree and click OK.

  5. Click Next to continue to the Fortinet FortiManager Step 2/2 page.

    This page lists all the devices that are managed by the FortiManager, including standalone devices and virtual systems.

  6. Select the remaining options as needed:

    Real-time change monitoring

    Select this option to enable real-time alerting upon configuration changes. For details, see Configure real-time monitoring.

    Set user permissions

    Select this option to set user permissions for this device.

  7. Click Finish.

    The new device is added to the device tree, and appears with a three tier hierarchy: FortiManager, FortiGate and VDOM.

  8. If you selected Set user permissions, the Edit users dialog box appears.

    In the list of users displayed, select one or more users to provide access to reports for this account.

    To select multiple users, press the CTRL button while selecting.

    Click OK to close the dialog.

    A success message appears to confirm that the device is added.

  9. Enable the relevant API in the FortiNet FortiManager device.

    Do the following:

    1. Log in to the FortiManager Web interface, and navigate to the System Settings > Network settings.
    2. Configure one of the following, depending on your FortiManager device version:

      FortiManager versions 5.2.3 and higher

      Connect via REST.

      Under System Settings > Network > Management Interface > Administrative Access, select:

      • HTTPS
      • Web Service
      FortiManager versions earlier than 5.2.3 Connect via SOAP.

      Under System Settings > Network > Interface > Administrative Access, select Web Service.

Back to top

Add a Fortinet FortiGate device to AFA

This procedure describes how to add a FortiGate device to AFA.

Do the following:

  1. Access the Devices Setup page. For details, see Access the DEVICES SETUP page.
  2. In the vendor and device selection page, select Fortinet > FortiGate.
  3. Complete the fields as needed, and then click Finish.

    The new device is added to the device tree with a two tier hierarchy: FortiGate and VDOM.

  4. If you selected Set user permissions, the Edit users dialog box appears.

    In the list of users displayed, select one or more users to provide access to reports for this account.

    To select multiple users, press the CTRL button while selecting.

    Click OK to close the dialog.

A success message appears to confirm that the device is added.

Back to top

Configure one-armed mode manually

AFA automatically identifies Fortinet devices in one-armed mode when the device has a single interface, or a single one non-management interface. If your device has multiple non-management interfaces and one-armed mode is not identified automatically, configure this for your device manually.

Do the following:

  1. On the AFA machine, access your device configuration meta file as follows:

    /home/afa/.fa/firewalls/<device_name>/fwa.meta

    where <device_name> is the name of the device listed. If you device is listed multiple times, enter the longer name.

  2. On a new line, enter:

    is_steering_device=yes

  3. Run an analysis on the device to update the device data in AFA.

Back to top