FortiGate Security

Security Fabric

FortiOS 6.2
© Copyright Fortinet Inc. All rights reserved. Last Modified: 2 November 2022
Lesson Overview

Introduction to the Fortinet Security Fabric

Deploying the Security Fabric

Extending the Security Fabric and Features

Security Fabric Rating and Topology View


Introduction to the Fortinet Security Fabric
Objectives
• Define the Fortinet Security Fabric
• Identify why the Security Fabric is required
• Identify the Fortinet devices that participate in the Security Fabric,
especially the essential ones
What is the Fortinet Security Fabric?
• An enterprise solution that enables a holistic approach to network security, whereby the network landscape is visible through a single console and all network devices are integrated into a centrally managed and automated defence
• The Security Fabric has these attributes:
  • Broad
  • Powerful
  • Automated
• The API allows for third-party device integration

[Diagram: Fortinet Security Fabric, with labels Management, Endpoint, SIEM, SDN, Virtual, Cloud]

Why a Security Fabric?
• Many administrators lack visibility of their network defences, making their networks more susceptible to undetected network infiltration
• Network complexity and sophisticated malware (soon to be augmented by AI) necessitate a centralized and holistic approach to security

Fortinet End-to-End Solution
[Diagram: Fortinet end-to-end solution]
Solution areas: Network Security, Endpoint Security, Web Application Security, Advanced Threat Protection, Multi-Cloud Security, Email Security, Secure Unified Access, Management & Analytics
Icon labels: Multi Cloud, IoT Endpoint, Web Applications, Email, Unified Access, Advanced Threat Protection, Management Analytics
Products:
• FortiGate: Enterprise Firewall, Virtual Firewall, Cloud Firewall
• Network Security: IPS, SD-WAN, SWG, VPN
• FortiClient: EPP
• FortiMail: Secure Email Gateway
• FortiWeb: Web Application Firewall
• FortiAP: Wireless Infrastructure
• FortiSwitch: Switching Infrastructure
• FortiSandbox: Advanced Threat Protection
• FortiAnalyzer: Central Logging/Reporting
• FortiManager: Central Security Management
• FortiSIEM: Security Information & Event Management
• FortiCASB

Devices That Comprise the Security Fabric

• Core:
  • Two or more FortiGate devices + FortiAnalyzer
• Recommended – adds significant visibility or control:
  • FortiManager, FortiAP, FortiSwitch, FortiClient, FortiSandbox, FortiMail
• Extended – integrates with fabric, but may not apply to everyone:
  • Other Fortinet products and third-party products using the API

Knowledge Check
1. What is the Fortinet Security Fabric?
A. A Fortinet solution that enables the communication and visibility between devices of your network
B. A device that can manage all your Firewalls

2. What combination of devices must participate in the Security Fabric?
A. A FortiAnalyzer and one or more FortiGate devices
B. A FortiMail and two or more FortiGate devices


Deploying the Security Fabric
Objectives
• Understand how to implement the Security Fabric
• Configure the Security Fabric on root and downstream FortiGate
• Understand how device detection works
• Understand how to extend your existing Security Fabric
How Do You Implement the Security Fabric?
Here is an example of a simple network using only the core Security Fabric components.
• There is a FortiAnalyzer and one next-generation firewall (NGFW). This FortiGate will be configured as the root firewall. In this example, the alias for the firewall is External.
• There are three internal segmentation firewalls (ISFWs) that segregate the WAN into logical components and allow your network to contain a threat, should a breach occur.

[Diagram: FortiAnalyzer and the root FortiGate (External; Port 16, Port 10, Port 11, Port 12) connected to three ISFWs]
• Accounting ISFW: Accounting network 10.10.10.0/24
• Marketing ISFW: Marketing network 10.10.200.0/24
• Sales ISFW: Sales network 10.10.35.0/24

Configure the Security Fabric on root FortiGate
Root FortiGate
Security Fabric > Settings
• Enable FortiGate Telemetry and select interfaces
• Group name for the Security Fabric
• FortiAnalyzer IP address
• Preauthorizing the downstream FortiGate devices to join the Security Fabric

Configure the Security Fabric on the Downstream FortiGate
Downstream FortiGate
Security Fabric > Settings
• Enable Connect to upstream FortiGate
• Upstream FortiGate IP is detected automatically
• Same group name for the Security Fabric
• Authorize the downstream FortiGate from root FortiGate
• Root FortiGate pushes its FortiAnalyzer configuration to all downstream FortiGate devices

Authorizing Devices
Root FortiGate
Security Fabric > Settings
1. Authorize the downstream FortiGate from root FortiGate
2. Both FortiGates joined the Security Fabric

FortiAnalyzer
Device Manager > Devices
3. Final Authorization on FortiAnalyzer

Split-Task VDOM
• Support for Security Fabric in split-task VDOM mode

Global > Dashboard > Status
[Screenshot: FG-traffic and root VDOMs in split-task VDOM mode]

Split-Task VDOM (Contd)
• Click Global > Physical Topology to see the root FortiGate and all downstream FortiGate devices in the same Security Fabric
• Click root > Physical Topology to see the root FortiGate and the downstream FortiGate connected to the root VDOM
• Click FG-traffic > Physical Topology to see the root FortiGate and all downstream FortiGate devices connected to the current VDOM

Device Identification–Agentless vs. Agent
Agentless
• Useful feature for the Security Fabric topology view
• Requires direct connectivity to FortiGate
• Detection methods:
  • HTTP user agent
  • TCP fingerprinting
  • MAC address vendor codes
  • DHCP
  • Microsoft Windows browser service (MWBS)
  • SIP user agent
  • Link Layer Discovery Protocol (LLDP)
  • Simple Service Discovery Protocol (SSDP)
  • QUIC
  • FortiOS-VM detection
    • FortiOS-VM vendor ID in IKE messages
    • FortiOS-VM vendor ID in FortiGuard web filter and spam filter requests

Agent (FortiClient)
• Location and infrastructure independent

[Diagram labels: FortiClient (FC), Agentless, Trusted network]

Device Identification (Contd)
Enable Device Detection on interface(s)
• Network > Interfaces: Enable Device Detection
• Security Fabric > Logical Topology: Windows PC detected upon traffic from the PC to the FortiGate

Knowledge Check
1. What are the two mandatory settings of the Security Fabric configuration?
A. Group name and FortiGate Telemetry
B. Group name and FortiManager IP address

2. From where do you authorize a device to participate in the Security Fabric?
A. From the downstream FortiGate
B. From the root FortiGate


Extending the Fabric and Features
Objectives
• Extend the Security Fabric across your network
• Understand automation stitches and threat responses
• Configure fabric connectors
• Understand the Security Fabric status widgets
Extending the Fabric
• Central management integration
  • FortiManager
• FortiMail integration
  • FortiMail
• Web application integration
  • FortiCache
  • FortiWeb
• FortiClient integration
  • FortiClient EMS
• Advanced threat protection integration
  • FortiSandbox
• Access devices integration
  • FortiAP
  • FortiSwitch

[Diagram labels: FortiManager (Central Security Management), FortiMail (Secure Email Gateway), FortiWeb (Web Application Firewall), FortiCache (Cache Service), FortiSandbox (Advanced Threat Protection), FortiAP (Wireless Infrastructure), FortiSwitch (Switching Infrastructure), FortiClient EMS]

Automation Stitches
Security Fabric > Automation
• Configure various automated actions based on triggers
• Event trigger and one or more actions
• Configure the Minimum interval setting to make sure you don’t receive repeat alert notifications about the same event
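
The trigger, actions and Minimum interval behaviour described above, as a simplified model. This is an added example, not Fortinet code or FortiOS configuration; the event fields, the `notify` and `ip_ban` action functions, and the definition of "the same event" (same type from the same source) are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


@dataclass
class Stitch:
    """Toy model of a stitch: one event trigger, one or more actions."""
    trigger: str                          # event type that fires the stitch
    actions: List[Callable[[dict], str]]  # each returns a note of what it did
    min_interval: int = 0                 # seconds; 0 means never suppress
    last_fired: Dict[Tuple[str, str], int] = field(default_factory=dict)

    def handle(self, event: dict) -> List[str]:
        """Run every action unless this event repeats inside min_interval."""
        if event["type"] != self.trigger:
            return []
        # Assumption: "the same event" means same type from the same source.
        key = (event["type"], event["source"])
        last = self.last_fired.get(key)
        if last is not None and event["time"] - last < self.min_interval:
            return []  # repeat inside the window: no second alert
        self.last_fired[key] = event["time"]
        return [action(event) for action in self.actions]


def notify(event: dict) -> str:
    return f"notify: {event['type']} from {event['source']}"


def ip_ban(event: dict) -> str:
    return f"ip ban: {event['source']}"


# Constructed sample events; "time" is in seconds.
EVENTS = [
    {"time": 0,   "type": "compromised-host", "source": "10.10.10.5"},
    {"time": 30,  "type": "compromised-host", "source": "10.10.10.5"},  # repeat
    {"time": 45,  "type": "compromised-host", "source": "10.10.35.9"},  # new source
    {"time": 60,  "type": "config-change",    "source": "10.10.10.5"},  # other trigger
    {"time": 400, "type": "compromised-host", "source": "10.10.10.5"},  # window over
]


def run(stitch: Stitch, events: List[dict]) -> List[Tuple[int, str]]:
    """Feed events in order; return (time, action note) for each action run."""
    return [(e["time"], note) for e in events for note in stitch.handle(e)]


if __name__ == "__main__":
    stitch = Stitch("compromised-host", [notify, ip_ban], min_interval=300)
    for when, note in run(stitch, EVENTS):
        print(when, note)
```

In this model the window is measured from the last time the stitch actually fired, so a steady stream of repeats still produces one alert per interval rather than none.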

Automated Threat Response
Security Fabric > Automation
• Configure automated threat response
• Requires FortiAnalyzer IoC reporting
• Various remediation options:
  • Access layer quarantine using FortiSwitch or FortiAP
  • FortiClient quarantine
  • IP ban

Automated Threat Response (Contd)
Security Fabric > Physical Topology
• Output notifications in various ways such as iOS Push or on the GUI dashboard
• Integrate with IFTTT and other cloud services

Fabric Connectors
Security Fabric > Fabric Connectors
• Security Fabric multi-cloud support adds Security Fabric connectors to the Security Fabric configuration
• Allow you to integrate:
  • Amazon Web Services (AWS)
  • Microsoft Azure
  • Oracle Cloud Infrastructure (OCI)
  • Google Cloud Platform (GCP)

The Security Fabric Status Widget
Dashboard > Status > Security Fabric widget
• The name of your Security Fabric
• Icons indicating the other Fortinet devices that can be used in the Security Fabric
• The names of the FortiGate devices in the Security Fabric

The Security Rating Widget
Dashboard > Status > Security Rating widget
• Latest security rating for your Security Fabric
• Security rating score by percentile
• Can specify your organization's region or all regions
• Must have a valid security rating license

FortiMail Stats Widget

Dashboard > Status > FortiMail Stats widget
• Mail statistics from FortiMail
• Total number and percentage of email messages
  • Non-spam
  • Spam
  • Virus categories

Knowledge Check
1. Why should an administrator extend the Security Fabric to other devices?
A. To provide a single pane of glass for management and reporting purposes
B. To eliminate the need to purchase licenses for FortiGate devices in the Security Fabric

2. What is the purpose of Security Fabric connectors?
A. Fabric connectors allow you to integrate multi cloud support with the Security Fabric
B. Fabric connectors allow you to connect the FortiGate command line interface (CLI)


Rating Service and Topology View
Objectives
• Understand the Security Fabric rating service
• View and run the Security Rating service
• Understand the difference between physical and logical topology views
Security Fabric Rating
Security Fabric > Security Rating
• The Security Rating Score helps you to identify the security issues in your network and to prioritize your tasks
• Security issues that are labelled Apply can be resolved immediately
• Identifies critical security gaps

FortiGuard Security Rating Service

Dashboard > Status > Security Rating
[Screenshots: Initial state; Different customer FortiGates with improved ratings]

Topology Views
Security Fabric > Physical Topology
• Authorize or deauthorize access devices (FortiSwitch, FortiAPs)
• Ban or unban compromised clients
• Some device management tasks:
  • Login
  • Deauthorize
• Right-click, Login to the device or Deauthorize

Topology Views (Contd)
Security Fabric > Physical Topology
• Visualization of access layer devices in the Security Fabric

Security Fabric > Logical Topology
• Information about the interfaces that each device in the Security Fabric connects to

Knowledge Check
1. Which of the following does Security Rating identify as a critical security gap?
A. A simple password policy
B. A vulnerability detected on an endpoint device

2. From which view can an administrator deauthorize a device from the Security Fabric?
A. From the physical topology view
B. From the FortiView


Review
✓ Define the Fortinet Security Fabric
✓ Identify why the Security Fabric is required
✓ Identify the Fortinet devices that participate in the fabric, especially the essential ones
✓ Understand how to implement the Security Fabric
✓ Configure the Security Fabric on root and downstream FortiGate
✓ Understand how device detection works
✓ Understand how to extend your existing Security Fabric
✓ Extend the Security Fabric across your network
✓ Understand automation stitches and threat responses
✓ Configure fabric connectors
✓ Understand the Security Fabric status widgets
✓ Understand the Security Fabric Rating service
✓ View and run the Security Rating service
✓ Understand the difference between Physical and Logical topology views
