
Set Up Security Fabric

The Security Fabric is Fortinet's terminology for the multi-device topology: this FortiGate + downstream FortiGates + FortiSwitches + FortiAPs + FortiAnalyzer/FortiManager, all aware of each other. Benefits: centralized topology view, automated trust between devices, shared threat intel, lateral threat visibility, single config push for fabric-wide policies.

You need to "join" the Fabric to participate. There's one Fabric Root (usually the main FortiGate) and downstream nodes join it.

Before You Start

  • This is the Fabric Root, OR you know the IP of an existing Fabric Root.
  • Devices to join (FortiGates, FortiSwitches, FortiAPs).
  • TCP/8013 (Fabric Connector port) reachable between fabric members.

Steps

Make this FortiGate the Fabric Root

  1. Security Fabric → Fabric Connectors.
  2. Security Fabric Setup widget.
  3. Fill in:
    • Status — Enable.
    • Fabric Name — e.g. WTG-Customer-A.
    • Allow other Security Fabric devices to join — Enable.
    • Pre-authorized devices (optional) — pre-list serial numbers of trusted devices.
  4. Apply.

Join an existing fabric (this FortiGate is downstream)

  1. Security Fabric → Fabric Connectors → Security Fabric Setup.
  2. Status — Enable.
  3. Fabric Connector Settings → Type — Member.
  4. Upstream FortiGate — IP of the root.
  5. Authorization — on the root, approve this device's join request.
  6. Apply.

View the fabric topology

Security Fabric → Topology — visual map of all fabric members. Click a device to see its details inline.


Add FortiAnalyzer

  1. Security Fabric → Fabric Connectors → Logging & Analytics → FortiAnalyzer.
  2. Provide IP + serial.
  3. Approve on FortiAnalyzer side.
  4. Apply.

CLI Equivalent

config system csf
    set status enable
    set group-name "WTG-Customer-A"
    set group-password ENC ...
    set authorization-request-type serial
    set configuration-sync local
end

Verify

get system csf
diagnose sys csf table

In the GUI: Security Fabric → Topology shows a green dot for every member when all members are healthy.

Common Issues

  • Member not appearing. TCP/8013 blocked, fabric name mismatch, or fabric password mismatch.
  • Topology view shows broken connections. Heartbeat between members failing. Check intermediate firewalls.
  • Sync errors between root and member. Firmware version mismatch can prevent some sync features. Keep the fleet on the same major version.
  • "Old fabric" state stuck. Reset on the member: execute reset-csf.
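
A triage helper for the "Member not appearing" case, added here as an example and not Fortinet's own tooling: it reads the config system csf block from a root and a member config backup, flags a disabled status or a fabric name mismatch, and can test TCP/8013 from the host it runs on. The sample configs are constructed, and the names parse_csf, port_open and triage are hypothetical.

```python
import socket

# Constructed samples of the "config system csf" block from two config backups.
ROOT_CFG = """config system csf
    set status enable
    set group-name "WTG-Customer-A"
    set authorization-request-type serial
    set configuration-sync local
end
"""
MEMBER_CFG = """config system csf
    set status enable
    set group-name "WTG-Customer-B"
end
"""

def parse_csf(config_text):
    """Return the top-level 'set' pairs of the 'config system csf' block."""
    settings, inside, depth = {}, False, 0
    for raw in config_text.splitlines():
        line = raw.strip()
        if not inside:
            inside = line == "config system csf"
        elif line.startswith("config "):
            depth += 1                  # nested sub-table: skip its contents
        elif line == "end":
            if depth == 0:
                break                   # end of the csf block itself
            depth -= 1
        elif depth == 0 and line.startswith("set "):
            _, key, *value = line.split(None, 2)
            settings[key] = value[0].strip('"') if value else ""
    return settings

def port_open(host, port=8013, timeout=3.0):
    """True if a TCP connection to host:port succeeds from this host."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def triage(root_cfg, member_cfg, root_ip=None):
    """List likely reasons a member does not appear in the fabric."""
    root, member = parse_csf(root_cfg), parse_csf(member_cfg)
    findings = [f"{role}: status is not set to enable"
                for role, csf in (("root", root), ("member", member))
                if csf.get("status") != "enable"]
    if root.get("group-name") != member.get("group-name"):
        findings.append("fabric name mismatch: root=%r member=%r"
                        % (root.get("group-name"), member.get("group-name")))
    if root_ip and not port_open(root_ip):
        findings.append(f"TCP/8013 to {root_ip} not reachable from this host")
    return findings
```

The port test reflects the path from the machine running the script, so run it from the member's network segment; the fabric password is not compared because backups store it in encrypted form.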