Add Fortinet devices

Relevant for: AFA Administrators

This topic describes how Fortinet FortiManager and FortiGate devices are connected to AFA.

Note: FortiManager versions earlier than 5.2.3 are not supported.
For versions 5.2.3 and above, connection via SSH/SOAP is no longer supported. You must move to REST.

Fortinet network connections

The following image shows an ASMS Central Manager or Remote Agent connected to Fortinet FortiManager and FortiGate devices.

The following image shows an ASMS Central Manager or Remote Agent connected to FortiGate devices.

Note: If syslog messages are sent via FortiAnalyzer device, a separate connection is required.

FortiManager device permissions

ASMS requires the following permissions when connecting to FortiManager devices:

FortiGate device permissions

AFA requires read-only permissions to connect to FortiGate devices.

In the FortiGate web interface, in the Admin Profile configuration > Access Control, select an option that is at least read-only.

  • If device configuration consists of VDOMs, the user must be configured with set scope global. Users configured with set scope vdom are not supported for AFA.
  • If the FortiGate device is defined directly in AFA as opposed to via a FortiManager device, AFA does not support a user defined only on the managing FortiManager.

Add a Fortinet FortiManager device to AFA

This procedure describes how to add a Fortinet FortiManager device to AFA.

Do the following:

  1. Access the Devices Setup page. For details, see Access the DEVICES SETUP page.
  2. In the vendor and device selection page, select Fortinet > FortiManager.
    This form is displayed:
  3. Complete the fields as needed.

  4. If you enabled ActiveChange, the ActiveChange License Agreement dialog is displayed.

    Select I Agree and click OK.

  5. Click Next to continue to the Fortinet FortiManager Step 2/2 page.

    This page lists all the devices that are managed by the FortiManager, including standalone devices and virtual systems.

  6. Select the remaining options as needed:

    Real-time change monitoring

    Select this option to enable real-time alerting upon configuration changes. For details, see Configure real-time monitoring.

    Set user permissions

    Select this option to set user permissions for this device.

  7. Click Finish.

    The new device is added to the device tree, and appears with a three-tier hierarchy: FortiManager, FortiGate and VDOM.

  8. If you selected Set user permissions, the Edit users dialog box appears.

    In the list of users displayed, select one or more users to provide access to reports for this account.

    1. To select multiple users, press the CTRL button while selecting.

    2. Click OK to close the dialog.

    A success message appears to confirm that the device is added.

  9. Optional: Enable auto detection and updating of Fortinet FortiManager devices. (For details, see Algopedia Knowledge Base).

  10. Enable the relevant API in the Fortinet FortiManager device.

    Do the following:

    1. Log in to the FortiManager Web interface, and navigate to the System Settings > Network settings.
    2. Configure one of the following, depending on your FortiManager device version:

      FortiManager versions 5.2.3 and higher

      Connect via REST. (SSH/SOAP is not supported.)

      Under System Settings > Network > Management Interface > Administrative Access, select:

      • HTTPS
      • Web Service

      FortiManager versions earlier than 5.2.3

      Not supported.

Add a Fortinet FortiGate device to AFA

This procedure describes how to add a FortiGate device to AFA.

Do the following:

  1. Access the Devices Setup page. For details, see Access the DEVICES SETUP page.
  2. In the vendor and device selection page, select Fortinet > FortiGate.
  3. Complete the fields as needed, and then click Finish.

    The new device is added to the device tree with a two-tier hierarchy: FortiGate and VDOM.

  4. If you selected Set user permissions, the Edit users dialog box appears.

    In the list of users displayed, select one or more users to provide access to reports for this account.

    1. To select multiple users, press the CTRL button while selecting.

    2. Click OK to close the dialog.

A success message appears to confirm that the device is added.

Configure one-armed mode manually

AFA automatically identifies Fortinet devices in one-armed mode when the device has a single interface, or a single non-management interface. If your device has multiple non-management interfaces and one-armed mode is not identified automatically, configure this for your device manually.

Do the following:

  1. On the AFA machine, access your device configuration meta file as follows:

    /home/afa/.fa/firewalls/<device_name>/fwa.meta

    where <device_name> is the name of the device listed. If your device is listed multiple times, enter the longer name.

  2. On a new line, enter:

    is_steering_device=yes

  3. Run an analysis on the device to update the device data in AFA.
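The manual edit above can be scripted so that re-running it never duplicates the line. The following helper is an added example, not AlgoSec tooling; the meta file path and the is_steering_device key come from the procedure, while the function names, the DEVICE_NAME variable and the handling of an already-present key are assumptions.

```shell
#!/bin/sh
# Added example (not part of AFA): idempotently set a key=value line in a
# device meta file such as /home/afa/.fa/firewalls/<device_name>/fwa.meta.
set -eu

# set_meta_key FILE KEY VALUE
# Rewrites the existing KEY line if the file already has one, otherwise
# appends "KEY=VALUE" on its own line. Safe to run repeatedly.
set_meta_key() {
    mf_file=$1; mf_key=$2; mf_value=$3
    if [ ! -f "$mf_file" ]; then
        echo "meta file not found: $mf_file" >&2
        return 1
    fi
    if grep -q "^${mf_key}=" "$mf_file"; then
        # Key present: replace the value; write back through cat so the
        # file keeps its owner and mode (it belongs to the afa user).
        mf_tmp=$(mktemp)
        sed "s|^${mf_key}=.*|${mf_key}=${mf_value}|" "$mf_file" > "$mf_tmp"
        cat "$mf_tmp" > "$mf_file"
        rm -f "$mf_tmp"
    else
        # Key absent: ensure the last line is newline-terminated, then append,
        # so the new setting really lands "on a new line".
        if [ -s "$mf_file" ] && [ -n "$(tail -c1 "$mf_file")" ]; then
            printf '\n' >> "$mf_file"
        fi
        printf '%s=%s\n' "$mf_key" "$mf_value" >> "$mf_file"
    fi
}

# get_meta_key FILE KEY: prints the current value, or nothing if unset.
get_meta_key() {
    grep "^${2}=" "$1" | tail -n1 | cut -d= -f2-
}

# Usage for the one-armed mode step. DEVICE_NAME is an assumed environment
# variable; "example_fortigate" is a placeholder, not a real device name.
meta_file="/home/afa/.fa/firewalls/${DEVICE_NAME:-example_fortigate}/fwa.meta"
if [ -f "$meta_file" ]; then
    set_meta_key "$meta_file" is_steering_device yes
fi
```

After the edit, run the analysis on the device (step 3) so AFA picks up the new setting.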