FortiGate Security
Security Fabric
FortiOS 6.2
© Copyright Fortinet Inc. All rights reserved. Last Modified: 2 November 2022
Lesson Overview
Introduction to the Fortinet Security Fabric
Deploying the Security Fabric
Extending the Security Fabric and Features
Security Fabric Rating and Topology View
Introduction to the Fortinet Security Fabric
Objectives
• Define the Fortinet Security Fabric
• Identify why the Security Fabric is required
• Identify the Fortinet devices that participate in the Security Fabric,
especially the essential ones
What is the Fortinet Security Fabric?
• An enterprise solution that enables a holistic approach to network security, whereby the network landscape is visible through a single console and all network devices are integrated into a centrally managed and automated defence
• The Security Fabric has these attributes:
  • Broad
  • Powerful
  • Automated
• The API allows for third-party device integration
[Diagram: Fortinet Security Fabric, surrounded by Management, Endpoint, SIEM, SDN, Virtual, Cloud]
Why a Security Fabric?
• Many administrators lack visibility of
their network defences, making their
networks more susceptible to
undetected network infiltration
• Network complexity and sophisticated malware (soon to be augmented by AI) necessitate a centralized and holistic approach to security
Fortinet End-to-End Solution
Solution areas: Network Security, Endpoint Security, Web Application Security, Advanced Threat Protection, Multi-Cloud Security, Email Security, Secure Unified Access, Management & Analytics
• FortiGate – Network Security: Enterprise Firewall, Virtual Firewall, Cloud Firewall (IPS, SD-WAN, SWG, VPN)
• FortiClient – EPP
• FortiMail – Secure Email Gateway
• FortiWeb – Web Application Firewall
• FortiAP – Wireless Infrastructure
• FortiSwitch – Switching Infrastructure
• FortiSandbox – Advanced Threat Protection
• FortiAnalyzer – Central Logging/Reporting
• FortiManager – Central Security Management
• FortiSIEM – Security Information & Event Management
• FortiCASB
Devices That Comprise the Security Fabric
• Core:
  • Two or more FortiGate devices + FortiAnalyzer
• Recommended – adds significant visibility or control:
  • FortiManager, FortiAP, FortiSwitch, FortiClient, FortiSandbox, FortiMail
• Extended – integrates with fabric, but may not apply to everyone:
  • Other Fortinet products and third-party products using the API
Knowledge Check
1. What is the Fortinet Security Fabric?
A. A Fortinet solution that enables the communication and visibility between devices of your network
B. A device that can manage all your Firewalls
2. What combination of devices must participate in the Security Fabric?
A. A FortiAnalyzer and one or more FortiGate devices
B. A FortiMail and two or more FortiGate devices
Deploying the Security Fabric
Objectives
• Understand how to implement the Security Fabric
• Configure the Security Fabric on root and downstream FortiGate
• Understand how the device detection works
• Understand how to extend your existing Security Fabric
How Do You Implement the Security Fabric?
Here is an example of a simple network using only the core Security Fabric components.
There is a FortiAnalyzer and one next-generation firewall (NGFW). This FortiGate will be configured as the root firewall. In this example, the alias for the firewall is External.
There are three internal segmentation firewalls (ISFWs) that segregate the WAN into logical components and allow your network to contain a threat, should a breach occur.
[Diagram: FortiAnalyzer and the root FortiGate "External" (Port 10, Port 11, Port 12, Port 16) with three ISFWs: Accounting ISFW (Accounting network 10.10.10.0/24), Marketing ISFW (Marketing network 10.10.200.0/24), Sales ISFW (Sales network 10.10.35.0/24)]
Configure the Security Fabric on root FortiGate
Root FortiGate
Security Fabric > Settings
• Enable FortiGate Telemetry and select interfaces
• Group name for the Security Fabric
• FortiAnalyzer IP address
• Preauthorizing the downstream FortiGate devices to join the Security Fabric
Configure the Security Fabric on the Downstream FortiGate
Downstream FortiGate
Security Fabric > Settings
• Enable Connect to upstream FortiGate
• Upstream FortiGate IP is detected automatically
• Same group name for the Security Fabric
• Authorize the downstream FortiGate from root FortiGate
• Root FortiGate pushes its FortiAnalyzer configuration to all downstream FortiGate devices
Authorizing Devices
Root FortiGate
Security Fabric > Settings
1. Authorize the downstream FortiGate from root FortiGate
2. Both FortiGates joined the Security Fabric
FortiAnalyzer
Device Manager > Devices
3. Final Authorization on FortiAnalyzer
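The root and downstream settings from the preceding configuration slides can be checked offline against configuration backups; the script below is an added example, not part of the Fortinet lesson, and it does not cover the authorization steps. It assumes the FortiOS CLI names `config system csf` (`status`, `group-name`, `upstream-ip`) and `config log fortianalyzer setting` (`status`, `server`), which do not appear on the slides, and the flat topology of the lesson's example; all config text, addresses and the group name are constructed placeholders.

```python
# Added example: CLI key names are assumed FortiOS settings; all sample values are constructed.
ROOT_CONF = """
config system csf
    set status enable
    set group-name "fabric-lab"
end
config log fortianalyzer setting
    set status enable
    set server "192.0.2.10"
end
"""
GOOD_ISFW = """
config system csf
    set status enable
    set group-name "fabric-lab"
    set upstream-ip 192.0.2.1
end
"""
BAD_ISFW = GOOD_ISFW.replace("fabric-lab", "fabric-old").replace("192.0.2.1", "192.0.2.99")

def parse_sections(text):
    """Map each top-level 'config <path>' block to its own 'set' keys (nested blocks skipped)."""
    sections, current, depth = {}, None, 0
    for line in map(str.strip, text.splitlines()):
        if line.startswith("config "):
            depth += 1
            if depth == 1:
                current = sections.setdefault(line[len("config "):], {})
        elif line == "end":
            depth -= 1
        elif depth == 1 and line.startswith("set "):
            _, key, *rest = line.split(None, 2)
            current[key] = rest[0].strip('"') if rest else ""
    return sections

def audit_fabric(root_text, root_ip, downstream):
    """Return findings for the root and for each downstream {name: config text}."""
    root = parse_sections(root_text)
    csf, faz = root.get("system csf", {}), root.get("log fortianalyzer setting", {})
    checks = [(csf.get("status") == "enable", "root: Security Fabric not enabled"),
              (csf.get("group-name"), "root: group name missing"),
              (faz.get("status") == "enable" and faz.get("server"),
               "root: FortiAnalyzer IP address not configured")]
    for name, text in downstream.items():
        d = parse_sections(text).get("system csf", {})  # unset upstream-ip: auto-detect
        checks += [(d.get("status") == "enable", f"{name}: Security Fabric not enabled"),
                   (d.get("group-name") == csf.get("group-name"), f"{name}: group name mismatch"),
                   (d.get("upstream-ip", root_ip) == root_ip, f"{name}: upstream IP is not root")]
    return [msg for ok, msg in checks if not ok]
```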
Split-Task VDOM
• Support for Security Fabric in split-task VDOM mode
Global > Dashboard > Status
FG-traffic and root VDOMs in split-task VDOM mode
Split-Task VDOM (Contd)
Global > Physical Topology
Click Global > Physical Topology to see the root FortiGate and all downstream FortiGate devices in the same Security Fabric
root > Physical Topology
Click root > Physical Topology to see the root FortiGate and the downstream FortiGate connected to the root VDOM
FG-traffic > Physical Topology
Click FG-Traffic > Physical Topology to see the root FortiGate and all downstream FortiGate devices connected to the current VDOM
Device Identification–Agentless vs. Agent
Agentless
• Useful feature for the Security Fabric topology view
• Requires direct connectivity to FortiGate
• Detection methods:
  • HTTP user agent
  • TCP fingerprinting
  • MAC address vendor codes
  • DHCP
  • Microsoft Windows browser service (MWBS)
  • SIP user agent
  • Link Layer Discovery Protocol (LLDP)
  • Simple Service Discovery Protocol (SSDP)
  • QUIC
  • FortiOS-VM detection
    • FortiOS-VM vendor ID in IKE messages
    • FortiOS-VM vendor ID in FortiGuard web filter and spam filter requests
Agent (FortiClient)
• Location and infrastructure independent
[Diagram: FortiClient (FC) endpoints and agentless devices on a trusted network]
Device Identification (Contd)
Enable Device Detection on interface(s)
Network > Interfaces
• Enable Device Detection
Security Fabric > Logical Topology
• Windows PC detected upon traffic from the PC to the FortiGate
Knowledge Check
1. What are the two mandatory settings of the Security Fabric configuration?
A. Group name and FortiGate Telemetry
B. Group name and FortiManager IP address
2. From where do you authorize a device to participate in the Security Fabric?
A. From the downstream FortiGate
B. From the root FortiGate
Extending the Fabric and Features
Objectives
• Extend the Security Fabric across your network
• Understand automation stitches and threat responses
• Configure fabric connectors
• Understand the Security Fabric status widgets
Extending the Fabric
• Central management integration
  • FortiManager
• FortiMail integration
  • FortiMail
• Web application integration
  • FortiCache
  • FortiWeb
• FortiClient integration
  • FortiClient EMS
• Advanced threat protection integration
  • FortiSandbox
• Access devices integration
  • FortiAP
  • FortiSwitch
[Diagram labels: FortiMail (Secure Email Gateway), FortiManager (Central Security Management), FortiWeb (Web Application Firewall), FortiSandbox (Advanced Threat Protection), FortiCache (Cache Service), FortiAP (Wireless Infrastructure), FortiSwitch (Switching Infrastructure), FortiClient EMS]
Automation Stitches
Security Fabric > Automation
• Configure various automated actions based on triggers
• Event trigger and one or more actions
• Configure the Minimum interval setting to make sure you don’t receive repeat alert notifications about the same event
Automated Threat Response
Security Fabric > Automation
• Configure automated threat response
• Requires FortiAnalyzer IoC reporting
• Various remediation options:
  • Access layer quarantine using FortiSwitch or FortiAP
  • FortiClient quarantine
  • IP ban
Automated Threat Response (Contd)
Security Fabric > Physical Topology
• Output notifications in various ways such as iOS Push or on the GUI dashboard
• Integrate with IFTTT and other cloud services
Fabric Connectors
Security Fabric > Fabric Connectors
• Security Fabric multi-cloud support adds Security Fabric connectors to the Security Fabric configuration
• Allow you to integrate:
  • Amazon Web Services (AWS)
  • Microsoft Azure
  • Oracle Cloud Infrastructure (OCI)
  • Google Cloud Platform (GCP)
The Security Fabric Status Widget
Dashboard > Status > Security Fabric widget
• The name of your Security
Fabric
• Icons indicating the other
Fortinet devices that can be
used in the Security Fabric
• The names of the FortiGate
devices in the Security
Fabric
The Security Rating Widget
Dashboard > Status > Security Rating widget
• Latest security rating for
your Security Fabric
• Security rating score by
percentile
• Can specify to your
organization region or
all regions
• Must have a valid
security rating license
FortiMail Stats Widget
Dashboard > Status > FortiMail Stats widget
• Mail statistics from FortiMail
• Total number and percentage of email messages
• Non-spam
• Spam
• Virus categories
Knowledge Check
1. Why should an administrator extend the Security Fabric to other devices?
A. To provide a single pane of glass for management and reporting purposes
B. To eliminate the need to purchase licenses for FortiGate devices in the Security Fabric
2. What is the purpose of Security Fabric connectors?
A. Fabric connectors allow you to integrate multi cloud support with the Security Fabric
B. Fabric connectors allow you to connect the FortiGate command line interface (CLI)
Rating Service and Topology View
Objectives
• Understand the Security Fabric rating service
• View and run the Security rating service
• Understand difference between physical and logical topology
views
Security Fabric Rating
Security Fabric > Security Rating
• The Security Rating Score helps you to identify the security issues in your network and to prioritize your tasks
• Security issues that are labelled Apply can be resolved immediately
• Identifies critical security gaps
FortiGuard Security Rating Service
Dashboard > Status > Security Rating
• Initial state
• Different customer FortiGates with improved ratings
Topology Views
Security Fabric > Physical Topology
• Authorize or deauthorize access devices (FortiSwitch, FortiAPs)
• Ban or unban compromised clients
• Some device management tasks:
  • Login
  • Deauthorize
Right-click, Login to the device or Deauthorize
Topology Views (Contd)
Security Fabric > Physical Topology
Visualization of access layer
devices in the Security
Fabric
Security Fabric > Logical Topology
Information about the
interfaces that each device
in the Security Fabric
connects
Knowledge Check
1. Which of the following does Security Rating identify as a critical security gap?
A. A simple password policy
B. A vulnerability detected on an endpoint device
2. From which view can an administrator deauthorize a device from the Security
Fabric?
A. From the physical topology view
B. From the FortiView
Review
Define the Fortinet Security Fabric
Identify why the Security Fabric is required
Identify the Fortinet devices that participate in the fabric, especially the essential ones
Understand how to implement the Security Fabric
Configure the Security Fabric on root and downstream FortiGate
Understand how the device detection works
Understand how to extend your existing Security Fabric
Extend the Security Fabric across your network
Understand automation stitches and threat responses
Configure fabric connectors
Understand the Security Fabric status widgets
Understand Security Fabric Rating service
View and run Security Rating service
Understand difference between Physical and Logical topology view