1. Introduction
This document outlines the step-by-step procedures required to establish a secure and functional connection between the Albarius platform and Fortinet FortiManager or a standalone FortiGate firewall.
2. Prerequisites
Before initiating the connection setup, ensure the following requirements are met:
Fortinet Version: FortiOS / FortiManager version [Insert minimum supported version, e.g., 6.4 or higher].
Network Access: Albarius must be able to route to the FortiManager or FortiGate management IP address.
Credentials: Administrator account or REST API Token with appropriate JSON API / REST API permissions.
Albarius Access: Administrator access to the Albarius configuration console.
3. Network and Firewall Configuration
To allow Albarius to communicate with the Fortinet management interface, specific ports must be permitted through any intermediate firewalls.
Navigate to the firewall policy managing traffic between the Albarius platform and the Fortinet device.
Create a rule to permit the necessary traffic:
Source: Albarius IP Address ([Insert Albarius IP/Subnet])
Destination: FortiManager / FortiGate IP Address ([Insert Fortinet IP])
Service/Ports: HTTPS / TCP 443 (For REST API / JSON RPC API Access)
[Insert any other specific ports needed, e.g., Syslog / UDP 514]
Additional ports:
Src: Clients | Dst: Albarius Server | Svc: TCP-2345
Src: FortiGate/FortiManager | Dst: Albarius Server | Svc: UDP-5514
Install the policy.
4. Fortinet Configuration (FortiManager / FortiGate)
Note: Fortinet utilizes API Tokens for secure, modern integrations. The process involves creating an Admin Profile tailored for the API, and then generating a REST API user.
4.1 Create an Admin Profile
To ensure least-privilege access, create a custom profile specifically for Albarius API interactions.
Log in to the FortiManager or FortiGate web interface.
Navigate to System > Admin Profiles.
Click Create New.
Enter a Name (e.g., Albarius_API_Profile).
Set the required privileges for the integration. Typically, you will need to grant Read/Write access to:
Policy & Objects
System & Network (if interface or routing changes are needed)
(Note: If Albarius only requires read-only access, adjust these to Read-Only).
Click OK to save the profile.
4.2 Create a REST API Admin User and Generate Token
Create the dedicated service account and generate the API token that Albarius will use for authentication.
Navigate to System > Administrators.
Click Create New > REST API Admin.
Configure the settings:
Username: albarius-api
Administrator Profile: Select the Albarius_API_Profile created in Step 4.1.
PKI Group: Leave as default unless specifically required.
CORS Allow Origin: [Insert Albarius FQDN or IP, or leave as wildcard * if permitted by policy]
Under Trusted Hosts, restrict access by adding the Albarius IP address ([Insert Albarius IP/Subnet]).
Click OK.
A new window will appear displaying the generated API Token.
CRITICAL: Copy and securely store this token immediately. It will not be displayed again.
4.3 ADOM Configuration (FortiManager Only)
If you are connecting to a FortiManager, you must ensure the API user has access to the correct Administrative Domain (ADOM).
While editing the albarius-api administrator, look for the Administrative Domain section.
Assign the user to either the root ADOM (for global access) or the specific ADOM(s) Albarius will manage ([Insert ADOM Name]).
4.4 Trusted Host Configuration
Add User
1. Select User / Create New and click Edit.
2. Enable Restrict login to trusted hosts.
3. Set the IP address of the Albarius Server.
Access Feature Visibility
Enable “Multiple Interface Policies”
Add user for FortiManager
1. System Settings > Administrators > Select User / Create New and click Edit.
2. Trusted hosts.
3. Set IP Address of Albarius Server.
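One way to check the outcome of sections 4.1, 4.2 and 4.4 on a FortiGate, as an added example that is not part of the original guide or of any Albarius or Fortinet tooling: the script parses a `config system api-user` block from a configuration backup and flags REST API admins with a built-in full-access profile, a wildcard CORS origin, or trusted hosts missing or wider than the Albarius address range. The sample configuration, the 192.0.2.x addresses, the hostname and the function names are constructed for illustration.

```python
import ipaddress
import shlex
# Constructed sample in the shape of `show system api-user` output; values are illustrative.
SAMPLE = '''config system api-user
    edit "albarius-api"
        set accprofile "Albarius_API_Profile"
        set cors-allow-origin "https://albarius.example.internal"
        config trusthost
            edit 1
                set ipv4-trusthost 192.0.2.10 255.255.255.255
            next
        end
    next
    edit "legacy-api"
        set accprofile "super_admin"
        set cors-allow-origin "*"
    next
end'''

def parse_api_users(text):
    """Map each REST API admin name to its settings and trusted-host networks."""
    users, cur, depth, in_api = {}, None, 0, False
    for line in text.splitlines():
        tok = shlex.split(line) or [""]
        if tok[0] == "config":
            depth += 1
            in_api = tok[1:] == ["system", "api-user"] if depth == 1 else in_api
        elif tok[0] == "end":
            depth -= 1
        elif tok[0] == "edit" and depth == 1 and in_api:
            cur = users.setdefault(tok[1], {"hosts": []})
        elif tok[0] == "set" and in_api and cur is not None:
            if tok[1] == "ipv4-trusthost":  # address and netmask follow
                cur["hosts"].append(ipaddress.ip_network(f"{tok[2]}/{tok[3]}", strict=False))
            else:
                cur[tok[1]] = tok[2]
    return users

def audit(users, albarius_nets):
    """Return (user, issue) pairs where a setting is looser than sections 4.1-4.4 call for."""
    allowed, out = [ipaddress.ip_network(n) for n in albarius_nets], []
    for name, u in users.items():
        wide = [h for h in u["hosts"] if not any(h.subnet_of(a) for a in allowed)]
        checks = [(u.get("accprofile") in ("super_admin", "prof_admin"), "built-in full-access profile"),
                  (u.get("cors-allow-origin") == "*", "wildcard CORS origin"),
                  (not u["hosts"], "no trusted hosts")]
        checks += [(True, f"trusted host {h} is outside the Albarius range") for h in wide]
        out += [(name, msg) for hit, msg in checks if hit]
    return out
```

Calling `audit(parse_api_users(SAMPLE), ["192.0.2.10/32"])` reports only the constructed `legacy-api` account; FortiManager uses a different administrator syntax and is not covered here.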
4.5 Send Logs
(Option 1) Send Logs via CLI from the Firewall to the Albarius Server
1. Check whether syslogd is already in use: show log syslogd setting
2. If syslogd is already in use, configure syslogd2, syslogd3 or syslogd4 instead.
3. Command example (for syslogd2/3/4, replace the first line with config log syslogd2 setting, and so on):
config log syslogd setting
    set status enable
    set server "Albarius Server IP"
    set port 5514
end
(Option 2) Send Logs from FortiAnalyzer
Log Forwarding > Create New Log Forwarding.
1. Select Format: Syslog.
2. Set the Albarius Server IP.
3. Set the port to 5514.
(Option 3) Send Logs from FortiManager
1. System Settings > Advanced > Syslog Server > Create New
2. Name: Albarius
IP: Albarius Srv FQDN/IP
Format: Syslog
Syslog Server Port: 5514
5. Albarius Platform Configuration
With the Fortinet side prepared and the API token secured, configure the connection within the Albarius platform.
Log in to the Albarius portal.
Navigate to Firewalls -> Add New.
Select Fortinet FortiManager / FortiGate from the available integration types.
Enter the following details:
Device Type: Select either FortiManager or FortiGate.
Hostname / IP Address: [Insert Fortinet Management Server IP]
API Token: [Paste the API token generated in Step 4.2]
ADOM (FortiManager Only): [Insert Target ADOM Name, e.g., root]
Click Save Configuration.
6. Verification and Testing
To ensure the connection is fully operational:
Within the Albarius integration page, click the Test Connection button.
Verify that a "Success" message is returned.
Navigate to [Insert Albarius Verification Screen, e.g., Dashboard or Logs] to confirm that data (firewall policies, address objects, or ADOM details) is successfully synchronizing from the Fortinet device.
7. Troubleshooting
If the connection test fails, verify the following:
API Token Accuracy: Ensure the token was copied exactly, with no leading or trailing spaces. If the token is lost, you must generate a new one on the Fortinet device.
Trusted Hosts: Verify that the Albarius IP address is correctly configured under the Trusted Hosts setting of the REST API Admin user. If it does not match, the firewall will drop the connection.
HTTPS Access: Ensure HTTPS administrative access is enabled on the interface Fortinet uses to communicate with Albarius (under Network > Interfaces > Administrative Access).
API Debugging: Access the Fortinet CLI via SSH and run the following commands to view live API request failures:
diagnose debug application httpsd -1
diagnose debug enable
(Remember to run diagnose debug disable when finished).

