NSE4 Security Fabric-LAB

Fortigate NSE4 Security Fabric LAB

Uploaded by

firas L
Lab 2: Security Fabric

In this lab, you will learn to configure the Fortinet Security Fabric. After you configure the Security Fabric, you will access the physical and logical topology views.

Objectives
+ Configure the Security Fabric on Local-FortiGate (root) and ISFW (downstream)
+ Configure the Security Fabric on Local-FortiGate (root) and Remote-FortiGate (downstream)
+ Use the Security Fabric topology views to get logical and physical views of your network topology
+ Run the Security Fabric rating checks on the root FortiGate and apply a recommendation

Time to Complete
Estimated: 45 minutes

Topology
In this lab, you will learn how to configure the Security Fabric on all FortiGate devices in the topology. Local-FortiGate and Remote-FortiGate are connected through an IPsec tunnel. Local-FortiGate is the root FortiGate in the Security Fabric, and Remote-FortiGate and ISFW are downstream FortiGate devices. FortiAnalyzer is behind Local-FortiGate and will be used in the Security Fabric.

Prerequisites
Before beginning this lab, you must restore configuration files on Local-FortiGate and Remote-FortiGate. The ISFW configuration is preloaded. Make sure you restore the correct configuration on each FortiGate, using the following steps. Failure to restore the correct configuration on each FortiGate will prevent you from doing the lab exercise.

To restore the Remote-FortiGate configuration file
1. Connect to the Remote-FortiGate GUI, and then log in with the username admin and password password.
2. In the upper-right corner of the screen, click admin, and then click Configuration > Revisions.
3. Click the + sign to expand the list.
4. Select the configuration with the comment remote-SF, and then click Revert.
5. Click OK to reboot.

To restore the Local-FortiGate configuration file
1. Connect to the Local-FortiGate GUI, and then log in with the username admin and password password.
2. In the upper-right corner of the screen, click admin, and then click Configuration > Revisions.
3. Click the + sign to expand the list.
4. Select the configuration with the comment local-SF, and then click Revert.
5. Click OK to reboot.

Exercise 1: Configuring the Security Fabric on Local-FortiGate and ISFW

In this exercise, you will configure the Security Fabric between Local-FortiGate (root) and ISFW (downstream).

Configure the Security Fabric on Local-FortiGate (Root)
You will configure the root of the Security Fabric.

To enable Security Fabric Connection on Local-FortiGate interfaces
1. Connect to the Local-FortiGate GUI, and then log in with the username admin and password password.
2. Click Network > Interfaces.
3. Click port3, and then click Edit.
4. In the Administrative Access section, select the Security Fabric Connection checkbox.
5. In the Network section, enable Device detection.
6. Click OK.
7. Click OK to confirm.
8. Click Network > Interfaces, and then expand the parent port of the To-Remote-HQ2 interface.
9. Click the To-Remote-HQ2 interface, and then click Edit.
10. In the Administrative Access section, select the Security Fabric Connection checkbox.
11. Click OK.

To enable the Security Fabric on Local-FortiGate
1. On the Local-FortiGate GUI, click Security Fabric > Fabric Connectors.
2. Click Security Fabric Setup, and then click Edit.
3. In the Security Fabric Settings section, click Enabled.
4. Click Serve as Fabric Root.
A new window opens.
5. Configure the following FortiAnalyzer settings:
   IP address: 10.0.1.210
   Upload option: Real Time
6. Click Test Connectivity.
A warning appears indicating that Local-FortiGate isn't yet authorized on FortiAnalyzer. This authorization is configured on FortiAnalyzer in a later step.
7. Click OK.
8. Click Accept.
9. Configure the following settings:
   Fabric name: fortinet
   Allow other Security Fabric devices to join: enable (ensure both interfaces are selected): port3, To-Remote-HQ2
Your configuration should look like the following example. (Screenshot: Edit Fabric Connector page with Status Enabled, Security Fabric role Serve as Fabric Root, Fabric name fortinet, Allow other Security Fabric devices to join on port3 and To-Remote-HQ2, Device authorization None.)
10. Click OK.
11. Click OK to confirm.

Configure the Security Fabric on ISFW
You will configure ISFW to join the Security Fabric as a downstream FortiGate.

Take the Expert Challenge!
On the ISFW GUI, enable Security Fabric Connection on port1 and port3. Enable network device detection on both ports. After you enable Security Fabric Connection, configure the Security Fabric settings with the group name fortinet.
If you require assistance, or to verify your work, use the step-by-step instructions that follow.
After you complete the challenge, see To enable the Security Fabric on ISFW (downstream) on page 31.

To enable Security Fabric Connection on ISFW interfaces
1. Connect to the ISFW GUI, and then log in with the username admin and password password.
2. Click Network > Interfaces.
3. Click port1, and then click Edit.
4. In the Administrative Access section, confirm that the Security Fabric Connection checkbox is selected.
5. In the Network section, enable Device detection.
6. Click OK.
7. Click OK to confirm.
8. Click Network > Interfaces.
9. Click port3, and then click Edit.
10. In the Administrative Access section, select the Security Fabric Connection checkbox.
11. In the Network section, enable Device detection.
12. Click OK to save the changes.

To enable the Security Fabric on ISFW (downstream)
1. On the ISFW GUI, click Security Fabric > Fabric Connectors.
2. Click Security Fabric Setup, and then click Edit.
3. In the Security Fabric Settings section, click Enabled.
4. In the Security Fabric role field, confirm that Join Existing Fabric is selected.
5. In the Upstream FortiGate IP field, type 10.0.1.254.
6. In the Default admin profile field, select super_admin.
Your configuration should look like the following example. (Screenshot: Edit Fabric Connector page with Status Enabled, role Join Existing Fabric, Upstream FortiGate IP 10.0.1.254, Allow other Security Fabric devices to join on port1 and port3, Default admin profile super_admin.)
7. Click OK.
8. Click OK to confirm the settings.

Authorize ISFW (Downstream) on Local-FortiGate (Root)
You will authorize ISFW on Local-FortiGate to join the Security Fabric.

To authorize ISFW on Local-FortiGate
1. On the Local-FortiGate GUI, click Security Fabric > Fabric Connectors.
2. In the Topology section, click the highlighted FortiGate serial number, and then click Authorize.
After authorization, ISFW appears in the Security Fabric topology section, which means ISFW joined the Security Fabric successfully. Please allow a few minutes for Local-FortiGate to retrieve information from ISFW.

Synchronize an Address Object to Resolve Conflicts
You will create a new address object to resolve Fabric conflicts in Security Fabric devices.
By default, Fabric object synchronization is disabled on the supported Fabric objects, and these are kept as locally created objects on Security Fabric devices.

To synchronize an address object to resolve conflicts
1. On the Local-FortiGate GUI, click Policy & Objects > Addresses.
2. Click Create New, and then select Address.
3. In the New Address window, in the Name field, type TEST-NET-1.
4. In the IP/Netmask field, type 192.0.2.0/24, and then enable Fabric synchronization.
5. Click OK to save the new address object.
6. On the Local-FortiGate GUI, click Security Fabric > Fabric Connectors.
In the Topology section, you will see a "Firewall objects are in conflict with other FortiGates in the fabric" notification.
For this lab, an object with the same name, a different IP address, and Fabric synchronization enabled was created on ISFW to create a Fabric conflict.
7. Click Review firewall object conflicts.
8. Click Rename All Objects with all the default settings.
The Firewall Object Synchronization window states: "The following objects require manual intervention in order to synchronize them with the fabric. Click 'Rename All Objects' to automatically resolve all conflicts by renaming them." The default strategy is Automatically rename on Root FortiGate, and TEST-NET-1 is listed with the status Content mismatch and ISFW as the conflicting FortiGate.
The Fabric status and object name will change to resolve the conflict: the object is now listed as TEST-NET-1_ISFW with the status Resolved.
9. Click Close to close the Firewall Object Synchronization window.
10. On the ISFW GUI, click Policy & Objects > Addresses to verify that the synchronization created a new object, TEST-NET-1, and also renamed the previously existing object to TEST-NET-1_ISFW.
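The conflict detection and the Rename All Objects outcome described above, as an added Python model (example code, not Fortinet's or the lab's own material): the objects are constructed, the ISFW subnet 198.51.100.0/24 is an invented stand-in for the pre-created conflicting object, and treating the renamed copy as a local (non-synchronized) object is an assumption of the model.

```python
"""Model of Security Fabric address-object synchronization and of the
"Rename All Objects" conflict fix. Added example, not Fortinet code.
Constructed data: the ISFW subnet 198.51.100.0/24 is invented, and the
renamed copy being kept as a local (non-synced) object is an assumption."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Address:
    name: str
    subnet: str        # "a.b.c.d/prefix", the IP/Netmask field
    fabric_sync: bool  # the Fabric synchronization toggle


@dataclass
class FortiGate:
    hostname: str
    addresses: dict[str, Address] = field(default_factory=dict)

    def add(self, addr: Address) -> None:
        self.addresses[addr.name] = addr


def find_conflicts(root: FortiGate, downstream: FortiGate) -> list[str]:
    """Return names whose sync-enabled object differs in content between
    root and downstream (the 'Content mismatch' status in the GUI)."""
    conflicts = []
    for name, root_obj in root.addresses.items():
        if not root_obj.fabric_sync:
            continue  # root keeps it local; nothing is pushed
        local = downstream.addresses.get(name)
        if local is None or not local.fabric_sync:
            continue  # no collision, or a local-only object on downstream
        if local.subnet != root_obj.subnet:
            conflicts.append(name)
    return conflicts


def rename_all_objects(root: FortiGate, downstream: FortiGate) -> dict[str, str]:
    """Resolve every conflict by renaming the downstream copy with a
    _<hostname> suffix, then push the root's objects. Returns old->new."""
    renamed = {}
    for name in find_conflicts(root, downstream):
        old = downstream.addresses.pop(name)
        new_name = f"{name}_{downstream.hostname}"
        downstream.add(Address(new_name, old.subnet, fabric_sync=False))
        renamed[name] = new_name
    # Sync-enabled root objects now land on the downstream unless a
    # local-only object of the same name still occupies the slot.
    for name, root_obj in root.addresses.items():
        if root_obj.fabric_sync and name not in downstream.addresses:
            downstream.add(root_obj)
    return renamed


def lab_scenario() -> tuple[FortiGate, FortiGate]:
    """Constructed state just before step 6 of the lab procedure."""
    root = FortiGate("Local-FortiGate")
    root.add(Address("TEST-NET-1", "192.0.2.0/24", fabric_sync=True))
    isfw = FortiGate("ISFW")
    isfw.add(Address("TEST-NET-1", "198.51.100.0/24", fabric_sync=True))
    return root, isfw


if __name__ == "__main__":
    root, isfw = lab_scenario()
    print("conflicts:", find_conflicts(root, isfw))   # ['TEST-NET-1']
    print("renamed:", rename_all_objects(root, isfw))  # {'TEST-NET-1': 'TEST-NET-1_ISFW'}
    print(sorted(isfw.addresses))  # ['TEST-NET-1', 'TEST-NET-1_ISFW']
```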
Check the Security Fabric Deployment Result
You will check the Security Fabric deployment result on Local-FortiGate (root).

To check the Security Fabric on Local-FortiGate
1. On the Local-Client VM, open a new browser, and then go to https://www.fortinet.com. This is to generate some traffic from the Local-Client VM to view in the next steps.
2. On the Local-FortiGate GUI, click Dashboard > Status.
The Security Fabric widget displays the FortiGate devices in the Security Fabric.
3. On the Local-FortiGate GUI, click Security Fabric > Physical Topology.
This page shows a visualization of access layer devices in the Security Fabric. Your topology view might not match what is shown in this example.
4. On the Local-FortiGate GUI, click Security Fabric > Logical Topology.
This dashboard displays information about the interfaces that each device in the Security Fabric connects to. Your topology view might not match what is shown in this example.
To finish the Security Fabric configuration, you will authorize all FortiGate devices on FortiAnalyzer. You will configure this authorization in the next exercise.

Exercise 2: Configuring the Security Fabric on Local-FortiGate and Remote-FortiGate

In this exercise, you will add another FortiGate to the Security Fabric tree. In this topology, the downstream Remote-FortiGate is connected to the root Local-FortiGate over IPsec VPN to join the Security Fabric.

Take the Expert Challenge!
On the Remote-FortiGate GUI, enable Security Fabric Connection on port6 and the To-Local-HQ1 VPN interface. Enable network device detection on port6. After you enable Security Fabric Connection, configure the Security Fabric settings with the group name fortinet, and use the tunnel IP address 10.10.10.1 to connect to the root FortiGate.
If you require assistance, or to verify your work, use the step-by-step instructions that follow.
After you complete the challenge, see Authorize Remote-FortiGate (Downstream) on Local-FortiGate (Root).

Configure the Security Fabric on Remote-FortiGate (Downstream)
You will configure Remote-FortiGate to join the Security Fabric as a downstream FortiGate over the IPsec VPN.

To enable Security Fabric Connection on Remote-FortiGate interfaces
1. Connect to the Remote-FortiGate GUI, and then log in with the username admin and password password.
2. Click Network > Interfaces.
3. Click port6, and then click Edit.
4. In the Administrative Access section, select the Security Fabric Connection checkbox.
5. In the Network section, ensure that Device detection is enabled.
6. Click OK.
7. Click Network > Interfaces, and then expand the parent port of the To-Local-HQ1 interface.
8. Click the To-Local-HQ1 interface, and then click Edit.
9. In the Administrative Access section, select the Security Fabric Connection checkbox.
10. Click OK to save the changes.

To enable the Security Fabric on Remote-FortiGate
1. On the Remote-FortiGate GUI, click Security Fabric > Fabric Connectors.
2. Click Security Fabric Setup, and then click Edit.
3. In the Security Fabric Settings section, click Enabled.
4. In the Security Fabric role field, ensure that Join Existing Fabric is selected.
5. In the Upstream FortiGate IP field, type 10.10.10.1.
6. In the Default admin profile field, select super_admin.
Your configuration should look like the following example. (Screenshot: Edit Fabric Connector page with Status Enabled, role Join Existing Fabric, Upstream FortiGate IP 10.10.10.1, Allow other Security Fabric devices to join on port6 and To-Local-HQ1, Default admin profile super_admin.)
7. Click OK.
8. Click OK to save the settings.

Authorize Remote-FortiGate (Downstream) on Local-FortiGate (Root)
You will authorize Remote-FortiGate on Local-FortiGate to join the Security Fabric.

To authorize Remote-FortiGate on Local-FortiGate
1. Connect to the Local-FortiGate GUI, and then log in with the username admin and password password.
2. Click Security Fabric > Fabric Connectors.
3. In the Topology section, click the highlighted FortiGate serial number, and then click Authorize.
After authorization, Remote-FortiGate appears in the topology field. Now, both ISFW and Remote-FortiGate are shown as two downstream devices of the root, Local-FortiGate. Your configuration should look like the following example. (Screenshot: topology showing Local-FortiGate (Fabric Root) with ISFW and Remote-FortiGate downstream.)
4. On the Local-FortiGate GUI, click Security Fabric > Fabric Connectors.
5. Click FortiAnalyzer Logging, and then click Edit.
A warning appears indicating that FortiGate is not yet authorized on FortiAnalyzer. You will authorize all FortiGate devices on FortiAnalyzer in the next step.

Authorize All Security Fabric FortiGate Devices on FortiAnalyzer
You will authorize all Security Fabric devices on FortiAnalyzer.

To authorize Local-FortiGate, ISFW, and Remote-FortiGate on FortiAnalyzer
1. Connect to the FortiAnalyzer GUI, and then log in with the username admin and password password.
2. Click Device Manager.
3. Click Unauthorized.
5. Click OK to keep the default FortiGate names.
6. In the Authorize Device wizard, click Close.
All three devices will be added to the FortiAnalyzer root ADOM. Wait for a few seconds until the Logs status for all FortiGate devices turns green.

Check the FortiAnalyzer Status on All Security Fabric FortiGate Devices
You will check the FortiAnalyzer status on all three FortiGate devices.

To check the FortiAnalyzer status on all FortiGate devices
1. On the Local-FortiGate GUI, click Security Fabric > Fabric Connectors.
2. Click FortiAnalyzer Logging, and then click Edit.
In the FortiAnalyzer Status section, you will see the Connection status is Connected.
3. On the ISFW GUI, click Security Fabric > Fabric Connectors.
4. Click FortiAnalyzer Logging, and then click View.
5. On the Remote-FortiGate GUI, click Security Fabric > Fabric Connectors.
6. Click FortiAnalyzer Logging, and then click View.

Check the Security Fabric Deployment Result
You will check the Security Fabric deployment result on the root, Local-FortiGate.

To check the Security Fabric on Local-FortiGate
1. On the Local-FortiGate GUI, click Dashboard > Status.
The Security Fabric widget displays all FortiGate devices in the Security Fabric.
2. On the Local-FortiGate GUI, click Security Fabric > Physical Topology.
This page shows a visualization of access layer devices in the Security Fabric. You may need to click the Update Now button to refresh the topology. Your topology view might not match what is shown in this example.
3. On the Local-FortiGate GUI, click Security Fabric > Logical Topology.
This dashboard displays information about the interfaces that each device in the Security Fabric connects to. Your topology view might not match what is shown in this example. At a minimum, you should see Local-FortiGate, Remote-FortiGate, and ISFW in the topology view.

Exercise 3: Running Security Rating

The security rating feature includes three major scorecards: Security Posture, Fabric Coverage, and Optimization. These can help you make improvements to your organization's network, such as enforcing password security, applying recommended login attempt thresholds, encouraging two-factor authentication, and more. In this lab, you will run security ratings and apply some of the recommendations.

When you make changes through the Security Posture page, FortiGate generates two configuration revisions for each change you make. Because FortiGate can store only a limited number of revisions, if you make multiple changes through the security rating, you may lose some of the revisions for the next labs. If you lose any revisions that you make for the labs, contact the instructor for assistance.

Running Security Rating on the Local-FortiGate (Root)
In this exercise, you will run a security rating check, which analyzes the Security Fabric deployment to identify potential vulnerabilities and highlight best practices. You must run the Security Fabric rating on the root FortiGate device in the Security Fabric.

To review the Security Posture widget
1. Connect to the Local-FortiGate GUI, and then log in with the username admin and password password.
2. Click Security Fabric > Security Rating, and then check the Security Posture widget to see the score of your Security Fabric deployment.
Your Security Posture widget might not match what is shown in this example.

To generate new security rating scores on the root FortiGate
1. On the Local-FortiGate GUI, click Security Fabric > Security Rating.
In this example, the scorecards show Security Posture -416.04, Fabric Coverage 125.78, and Optimization 56.12. You can expand each scorecard section to view recommendations for each section.
2. Click Security Posture to show the scorecard details.
The Security Posture scorecard shows the following information:
+ A Score field that shows the score for your Security Fabric
+ An overall count of how many checks passed and failed, with the failed checks divided by severity
+ Information about each failed check, including which FortiGate device failed the check, the effect of the check failure on the security score, and recommendations to fix the issue
+ An Apply option with recommendations that can be applied by the wizard
Your Security Posture score might not match what is shown in this example.
3. In the Security Control column, expand Failed, and then select Administrative Access.
The Apply option appears with recommendations that can be applied by the wizard.
4. In the right pane, under Local-FortiGate, click Apply.
If you can't see the Apply button, zoom out on the web page to view the full page.
5. Click OK to save the configuration file.
The View Diff button appears beside Apply after audit log settings are applied successfully.
6. Click View Diff to view the configuration changes that the wizard applied to Local-FortiGate.
The Configuration Diff window shows an excerpt like the following:
    config system global
        set admin-https-redirect disable
        set admin-lockout-duration 1
    (skipped 24 lines)
        edit "port3"
            set vdom "root"
            set ip 19.200.1.1 255.255.255.0
            set allowaccess ping https ssh http
            set type physical
            set lldp-reception enable
            set role wan
        next
    (skipped 14203 lines)
    end
    config router multicast
    end
7. Click Close.
8. Click Security Fabric > Security Rating.
9. Click Run Now to get the new Security Posture score.
You will notice the Security Posture widget displays information from the most recent security rating check.
When you run a Security Fabric rating, your organization's Security Fabric receives a Security Fabric score. The score will be positive or negative, and a higher score represents a more secure network.
The score is based on how many checks your network passes and fails, as well as the severity level of these checks. You can repeat steps 2 to 7 for all other sections and devices to apply recommendations, which will improve your Security Fabric score. Your security rating scores might not match what is shown in this example.
