
Fortinet Security Fabric FortiGate 60F

The Fortinet Security Fabric provides an intelligent architecture that interconnects
discrete security solutions into an integrated whole to detect, monitor, block, and
remediate attacks across the entire attack surface. It delivers broad protection and
visibility into every network segment and device, be they hardware, virtual, or cloud
based.
- The physical topology view shows all connected devices, including access layer
  devices. The logical topology view shows information about the interfaces that each
  device is connected to.
- Security rating checks analyze the Security Fabric deployment to identify potential
  vulnerabilities and highlight best practices to improve the network configuration,
  deploy new hardware and software, and increase visibility and control of the network.
- Automation pairs an event trigger with one or more actions to monitor the network
  and take the designated actions automatically when the Security Fabric detects a
  threat.
- Fabric connectors provide integration with multiple SDN, cloud, and partner
  technology platforms to automate the process of managing dynamic security updates
  without manual intervention.
The following recipes provide examples of configuring a Security Fabric:
- Deploying Security Fabric
- Security Fabric over IPsec VPN
- Viewing and controlling network risks via topology view
- Leveraging LLDP to simplify security fabric negotiation
- Leveraging SAML to switch between Security Fabric FortiGates
- FortiManager Cloud service
- FortiAnalyzer Cloud service

Security Fabric device configuration

This section contains information about how to configure the following devices as part of
the Fortinet Security Fabric:
- FortiGate
- FortiAnalyzer
- FortiManager
- FortiSandbox
- FortiClient EMS
- FortiAP and FortiSwitch
- Additional devices

System requirements

To set up the Security Fabric, the devices that you want to include must meet the
Product Integration and Support requirements in the FortiOS Release Notes.
Some features of the Security Fabric are only available in certain firmware versions and
models. Not all FortiGate models can run the FortiGuard Security Rating Service if they
are the root FortiGate in a Security Fabric. For more information, see the Special
Notices in the FortiOS Release Notes.

Prerequisites

- If devices are not already installed in your network, complete basic installation and
  configuration tasks by following the instructions in the device documentation.
- Either disable VDOMs on all FortiGate devices that you want to add to the Security
  Fabric or make sure devices are in split-task VDOM mode. See Virtual Domains.
- Configure all FortiGate devices to operate in NAT mode.

Deploying Security Fabric

This recipe provides an example of deploying Security Fabric with three downstream
FortiGates connecting to one root FortiGate. To deploy Security Fabric, you need a
FortiAnalyzer running firmware version 6.2 or later.
The following shows a sample network topology of three downstream FortiGates
(Accounting, Marketing, and Sales) connected to the root FortiGate (Edge).

To configure the root FortiGate (Edge):

1. Configure interfaces:
   1. In the root FortiGate (Edge), go to Network > Interfaces.
   2. Edit port16:
      - Set Role to DMZ.
      - For the interface connected to FortiAnalyzer, set the IP/Network Mask to
        192.168.65.2/255.255.255.0.
   3. Edit port10:
      - Set Role to LAN.
      - For the interface connected to the downstream FortiGate (Accounting), set the
        IP/Network Mask to 192.168.10.2/255.255.255.0.
   4. Edit port11:
      - Set Role to LAN.
      - For the interface connected to the downstream FortiGate (Marketing), set the
        IP/Network Mask to 192.168.200.2/255.255.255.0.
2. Configure Security Fabric:
   1. In the root FortiGate (Edge), go to Security Fabric > Settings.
      - Enable FortiGate Telemetry.
      - Set a Group name, such as Office-Security-Fabric.
      - Add port10 and port11 to FortiTelemetry enabled interfaces.
      After FortiGate Telemetry is enabled, FortiAnalyzer Logging is enabled
      automatically and Upload Option is set to Real Time.
   2. Set IP address to the FortiAnalyzer IP 192.168.65.10.
   3. Select Test Connectivity.
      A warning message indicates that the FortiGate is not authorized on the
      FortiAnalyzer. The authorization is configured in a later step on the
      FortiAnalyzer.
3. Create a policy to allow the downstream FortiGate (Accounting) to access the
   FortiAnalyzer:
   1. In the root FortiGate (Edge), go to Policy & Objects > Addresses and click
      Create New.
      - Set Name to FAZ-addr.
      - Set Type to Subnet.
      - Set Subnet/IP Range to 192.168.65.10/32.
      - Set Interface to any.
   2. Click Create New again.
      - Set Name to Accounting-addr.
      - Set Type to Subnet.
      - Set Subnet/IP Range to 192.168.10.10/32.
      - Set Interface to any.
   3. In the root FortiGate (Edge), go to Policy & Objects > IPv4 Policy and click
      Create New.
      - Set Name to Accounting-to-FAZ.
      - Set srcintf to port10.
      - Set dstintf to port16.
      - Set srcaddr to Accounting-addr.
      - Set dstaddr to FAZ-addr.
      - Set Action to Accept.
      - Set Schedule to Always.
      - Set Service to All.
      - Enable NAT.
      - Set IP Pool Configuration to Use Outgoing Interface Address.
      With NAT enabled, the FortiAnalyzer sees this traffic sourced from the port16
      address 192.168.65.2. Service All is broader than log delivery requires; once
      logging is confirmed, a tighter policy admits only the FortiAnalyzer log
      transport (OFTP on TCP 514 by default) plus whatever other FortiAnalyzer
      features you use, so the downstream unit can reach nothing else in the DMZ.
4. Create a policy to allow the two downstream FortiGates (Marketing and Sales) to access
   the FortiAnalyzer:
   Sales has no direct link to Edge. Its traffic is source-NATed by the Sales-to-FAZ
   policy on Marketing (configured below) to Marketing's wan1 address 192.168.200.10,
   so a single address object covers both units.
   1. In the root FortiGate (Edge), go to Policy & Objects > Addresses and click Create
      New.
      - Set Name to Marketing-addr.
      - Set Type to Subnet.
      - Set Subnet/IP Range to 192.168.200.10/32.
      - Set Interface to any.
   2. In the root FortiGate (Edge), go to Policy & Objects > IPv4 Policy and click
      Create New.
      - Set Name to Marketing-to-FAZ.
      - Set srcintf to port11.
      - Set dstintf to port16.
      - Set srcaddr to Marketing-addr.
      - Set dstaddr to FAZ-addr.
      - Set Action to Accept.
      - Set Schedule to Always.
      - Set Service to All.
      - Enable NAT.
      - Set IP Pool Configuration to Use Outgoing Interface Address.

To configure the downstream FortiGate (Accounting):

1. Configure interface:
   1. In the downstream FortiGate (Accounting), go to Network > Interfaces.
   2. Edit interface wan1:
      - Set Role to WAN.
      - For the interface connected to root, set the IP/Network Mask to
        192.168.10.10/255.255.255.0.
2. Configure the default static route to connect to the root FortiGate (Edge):
   1. In the downstream FortiGate (Accounting), go to Network > Static Routes:
      - Set Destination to 0.0.0.0/0.0.0.0.
      - Set Interface to wan1.
      - Set Gateway Address to 192.168.10.2.
3. Configure Security Fabric:
   1. In the downstream FortiGate (Accounting), go to Security Fabric > Settings.
      - Enable FortiGate Telemetry.
      - Enable Connect to upstream FortiGate.
      - FortiGate IP is filled in automatically with the default static route Gateway
        Address of 192.168.10.2 set in the previous step.
      - Leave FortiTelemetry enabled interfaces empty since there is no downstream
        FortiGate connecting to it.
      After FortiGate Telemetry is enabled, FortiAnalyzer Logging is enabled
      automatically. Settings for the FortiAnalyzer are retrieved from the root
      FortiGate (Edge) when FortiGate (Accounting) connects to the root FortiGate
      (Edge).

To configure the downstream FortiGate (Marketing):

1. Configure interfaces:
   1. In the downstream FortiGate (Marketing), go to Network > Interfaces.
   2. Edit port12:
      - Set Role to LAN.
      - For the interface connected to the downstream FortiGate (Sales), set the
        IP/Network Mask to 192.168.135.11/255.255.255.0.
   3. Edit wan1:
      - Set Role to WAN.
      - For the interface connected to the root FortiGate (Edge), set the IP/Network
        Mask to 192.168.200.10/255.255.255.0.
2. Configure the default static route to connect to the root FortiGate (Edge):
   1. In the downstream FortiGate (Marketing), go to Network > Static Routes:
      - Set Destination to 0.0.0.0/0.0.0.0.
      - Set Interface to wan1.
      - Set Gateway Address to 192.168.200.2.
3. Configure Security Fabric:
   1. In the downstream FortiGate (Marketing), go to Security Fabric > Settings.
      - Enable FortiGate Telemetry.
      - Enable Connect to upstream FortiGate.
      - FortiGate IP is filled in automatically with the default static route Gateway
        Address of 192.168.200.2 set in the previous step.
      - In FortiTelemetry enabled interfaces, add port12.
      After FortiGate Telemetry is enabled, FortiAnalyzer Logging is enabled
      automatically. Settings for the FortiAnalyzer are retrieved from the root
      FortiGate (Edge) when FortiGate (Marketing) connects to the root FortiGate
      (Edge).
4. Create a policy to allow another downstream FortiGate (Sales), going through FortiGate
   (Marketing), to access the FortiAnalyzer:
   1. In the downstream FortiGate (Marketing), go to Policy & Objects > Addresses and
      click Create New.
      - Set Name to FAZ-addr.
      - Set Type to Subnet.
      - Set Subnet/IP Range to 192.168.65.10/32.
      - Set Interface to any.
   2. Click Create New again.
      - Set Name to Sales-addr.
      - Set Type to Subnet.
      - Set Subnet/IP Range to 192.168.135.10/32.
      - Set Interface to any.
   3. In the downstream FortiGate (Marketing), go to Policy & Objects > IPv4 Policy and
      click Create New.
      - Set Name to Sales-to-FAZ.
      - Set srcintf to port12.
      - Set dstintf to wan1.
      - Set srcaddr to Sales-addr.
      - Set dstaddr to FAZ-addr.
      - Set Action to Accept.
      - Set Schedule to Always.
      - Set Service to All.
      - Enable NAT.
      - Set IP Pool Configuration to Use Outgoing Interface Address.

To configure the downstream FortiGate (Sales):

1. Configure interface:
   1. In the downstream FortiGate (Sales), go to Network > Interfaces.
   2. Edit wan2:
      - Set Role to WAN.
      - For the interface connected to the upstream FortiGate (Marketing), set the
        IP/Network Mask to 192.168.135.10/255.255.255.0.
2. Configure the default static route to connect to the upstream FortiGate (Marketing):
   1. In the downstream FortiGate (Sales), go to Network > Static Routes:
      - Set Destination to 0.0.0.0/0.0.0.0.
      - Set Interface to wan2.
      - Set Gateway Address to 192.168.135.11.
3. Configure Security Fabric:
   1. In the downstream FortiGate (Sales), go to Security Fabric > Settings.
      - Enable FortiGate Telemetry.
      - Enable Connect to upstream FortiGate.
      - FortiGate IP is filled in automatically with the default static route Gateway
        Address of 192.168.135.11 set in the previous step.
      - Leave FortiTelemetry enabled interfaces empty since there is no downstream
        FortiGate connecting to it.
      After FortiGate Telemetry is enabled, FortiAnalyzer Logging is enabled
      automatically. Settings for the FortiAnalyzer are retrieved from the root
      FortiGate (Edge) when FortiGate (Sales) connects to the root FortiGate (Edge).

To authorize downstream FortiGates (Accounting, Marketing, and Sales) on the root
FortiGate (Edge):

1. In the root FortiGate (Edge), go to Security Fabric > Settings.
   The Topology field highlights two connected FortiGates with their serial numbers
   and asks you to authorize the highlighted devices.
   Compare the displayed serial numbers with the units you installed before
   authorizing: authorization admits the device to the Security Fabric and lets it
   retrieve the FortiAnalyzer settings from the root.
2. Select the highlighted FortiGates and select Authorize.
   After they are authorized, the two downstream FortiGates (Accounting and
   Marketing) appear in the Topology field in Security Fabric > Settings. This means
   the two downstream FortiGates (Accounting and Marketing) have successfully
   joined the Security Fabric.
3. The Topology field now highlights, with its serial number, the FortiGate that is
   connected to the downstream FortiGate (Marketing) and asks you to authorize the
   highlighted device.
4. Select the highlighted FortiGate and select Authorize.
   After it is authorized, the downstream FortiGate (Sales) appears in the Topology
   field in Security Fabric > Settings. This means the downstream FortiGate (Sales)
   has successfully joined the Security Fabric.
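
The authorization step above, as a CLI equivalent run on the root FortiGate (Edge). This
is an added example and not part of the original recipe. It uses the serial numbers that
appear in the diagnose output later on this page and assumes FortiOS 6.2-era trusted-list
syntax, where the entry is keyed by serial number (6.4 and later key the entry by name
and set the serial as a separate field).

```fortios
# Root FortiGate (Edge): authorize the downstream units by serial number instead of
# clicking Authorize in the Topology field (added example, FortiOS 6.2-era syntax
# assumed; serial numbers are those shown in the diagnose output on this page).
config system csf
    set status enable
    config trusted-list
        # Marketing, directly connected on port11
        edit "FG201ETK18902514"
            set action accept
        next
        # Accounting, directly connected on port10
        edit "FGT81ETK18002246"
            set action accept
        next
        # Sales, connected through Marketing; the root stays its authorizer,
        # matching "authorizer:FG3H1E5818900718" in diagnose sys csf downstream
        edit "FG101ETK18002187"
            set action accept
        next
    end
end
```

Listing only known serials is the CLI form of the check above: any other unit that
connects stays in diagnose sys csf authorization pending-list instead of joining, and an
entry with set action deny keeps a specific serial out.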

To use FortiAnalyzer to authorize all the Security Fabric FortiGates:

1. Authorize all the Security Fabric FortiGates on the FortiAnalyzer side:
   1. In the FortiAnalyzer, go to System Settings > Network > All Interfaces.
      - Edit port1 and set IP Address/Netmask to 192.168.65.10/255.255.255.0.
   2. Go to Device Manager > Unauthorized.
      All the FortiGates are listed as unauthorized.
      - Select all the FortiGates and select Authorize.
      The FortiGates are now listed as authorized.
      After a moment, a warning icon appears beside the root FortiGate (Edge)
      because the FortiAnalyzer needs administrative access to the root
      FortiGate (Edge) in the Security Fabric.
      - Click the warning icon and enter the admin username and password of
        the root FortiGate (Edge).
2. Check FortiAnalyzer status on all the Security Fabric FortiGates:
   - On each FortiGate, go to Security Fabric > Settings and check that
     FortiAnalyzer Logging shows Storage usage information.

To check the Security Fabric deployment result:

1. On FortiGate (Edge), go to Dashboard > Status.
   The Security Fabric widget displays all the FortiGates in the Security Fabric.
2. On FortiGate (Edge), go to Security Fabric > Physical Topology.
   This page shows a visualization of access layer devices in the Security Fabric.
3. On FortiGate (Edge), go to Security Fabric > Logical Topology.
   This dashboard shows information about the interfaces of each device in the
   Security Fabric.

To run diagnose commands:

1. Run the diagnose sys csf authorization pending-list command on the root FortiGate
   to show the downstream FortiGates pending root FortiGate authorization:

    Edge # diagnose sys csf authorization pending-list
    Serial            IP Address  HA-Members  Path
    --------------------------------------------------------------------------------
    FG201ETK18902514  0.0.0.0                 FG3H1E5818900718:FG201ETK18902514

2. Run the diagnose sys csf downstream command on the root or middle FortiGate to
   show the downstream FortiGates after they join the Security Fabric:

    Edge # diagnose sys csf downstream
    1: FG201ETK18902514 (192.168.200.10) Management-IP: 0.0.0.0 Management-port:0 parent: FG3H1E5818900718
       path:FG3H1E5818900718:FG201ETK18902514
       data received: Y downstream intf:wan1 upstream intf:port11 admin-port:443
       authorizer:FG3H1E5818900718
    2: FGT81ETK18002246 (192.168.10.10) Management-IP: 0.0.0.0 Management-port:0 parent: FG3H1E5818900718
       path:FG3H1E5818900718:FGT81ETK18002246
       data received: Y downstream intf:wan1 upstream intf:port10 admin-port:443
       authorizer:FG3H1E5818900718
    3: FG101ETK18002187 (192.168.135.10) Management-IP: 0.0.0.0 Management-port:0 parent: FG201ETK18902514
       path:FG3H1E5818900718:FG201ETK18902514:FG101ETK18002187
       data received: Y downstream intf:wan2 upstream intf:port12 admin-port:443
       authorizer:FG3H1E5818900718

3. Run the diagnose sys csf upstream command on any downstream FortiGate to show its
   upstream FortiGate after the downstream FortiGate joins the Security Fabric:

    Marketing # diagnose sys csf upstream
    Upstream Information:
    Serial Number:FG3H1E5818900718
    IP:192.168.200.2
    Connecting interface:wan1
    Connection status:Authorized
