Enterprise FW 03-Security Fabric

The document discusses configuring the Fortinet Security Fabric. It describes the core devices that comprise the Security Fabric including FortiGate devices and FortiAnalyzer. It also discusses recommended devices like FortiManager, FortiAP, FortiSwitch, FortiClient, FortiSandbox, and FortiMail that add visibility and control. The Security Fabric can be extended through other Fortinet products and third-party products using APIs. The document provides examples of configuring the Security Fabric topology, upstream and downstream FortiGate relationships, configuration synchronization, and logging.

Enterprise Firewall

Security Fabric

FortiOS 7.2
© Copyright Fortinet Inc. All rights reserved. Last Modified: January 23, 2024
Objectives
• Configure the Fortinet Security Fabric
• Configure automation stitches
• Identify Security Fabric use cases based on different scenarios

© Fortinet Inc. All Rights Reserved. 2


Devices That Comprise the Security Fabric
• Core:
• Two or more FortiGate devices + FortiAnalyzer
• Recommended – adds significant visibility or control:
• FortiManager, FortiAP, FortiSwitch, FortiClient, FortiSandbox, FortiMail
• Extended – integrates with the fabric, but may not apply to everyone:
• Other Fortinet products and third-party products using the API

(Figure: three concentric tiers labelled Core, Recommended, and Extended)


Extending the Fabric—Other Products
(Figure: the Fortinet product portfolio arranged around the Security Fabric, with Fabric APIs and Fabric Connectors as the integration points. Areas shown: Network Security, Multi-Cloud Security, Device, Access, and Application Security, Security Operations, Open Ecosystem. Products shown: FortiGate, FortiGate VM, FortiManager, FortiDDoS, FortiClient, FortiNAC, FortiCASB, FortiAP, FortiSwitch, FortiWLC, FortiToken, FortiWeb, FortiADC, FortiMail, FortiAnalyzer, FortiSIEM, FortiSandbox)
• BROAD: visibility of the entire digital attack surface
• INTEGRATED: AI-driven breach prevention across devices, networks, and applications
• AUTOMATED: operations, orchestration, and response
Extending the Fabric—Fabric Connectors
Security Fabric > External Connectors
• Security Fabric multi-cloud support adds Security Fabric connectors to the Security Fabric configuration
• Allows you to integrate:
• Amazon Web Services (AWS)
• Microsoft Azure
• Oracle Cloud Infrastructure (OCI)
• Google Cloud Platform (GCP)
• AliCloud
• IBM Cloud


Security Fabric Topology
• You must configure the root FortiGate first
• FortiAnalyzer registration
• FortiManager registration
• Tree structure
• Branch FortiGate devices connect to upstream FortiGate devices
• FortiGate verifies the FortiAnalyzer serial number against its certificate
• The serial number is stored in the FortiGate configuration

(Figure: root FortiGate, FortiAnalyzer, and downstream FortiGate devices; labels: FortiView and IOC, Topology Information, API, FortiTelemetry)


Upstream and Downstream FortiGate
• Figure callouts: FGVM010000077649 is the root FortiGate on the downstream path; port1 is the downstream FortiGate's connecting interface; port3 is the root's port connected to the LAN, where device detection is enabled

• On a downstream FortiGate:
# diagnose sys csf upstream
Upstream Information:
Serial Number:FGVM010000077649
IP:10.1.0.254
Connecting interface:port1
Connection status:Authorized

• On the root FortiGate:
# diagnose sys csf downstream
1: FGVM010000077646 (10.1.0.1) Management-IP: Management-port:0 parent:FGVM010000077649 path:FGVM010000077649:FGVM010000077646
data received: Y downstream intf:port1 upstream intf:port3 admin-port:443
authorizer:FGVM010000077649
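
Added example (not Fortinet code): a Python checker that parses captured output of the two diagnose commands above and audits the fabric tree for consistency. For every downstream entry, the path must start at the root serial, the parent must be the previous hop on that path, and the authorizer must be an upstream member on that path; the upstream view must report Authorized. The sample output is constructed to match the format on the slide; the second, level-2 entry (FGVM010000077647) and any values not on the slide are invented.

```python
import re
from dataclasses import dataclass

# Constructed sample, in the format shown on the slide. The second downstream
# entry (FGVM010000077647, a level-2 member) is invented for illustration.
UPSTREAM_SAMPLE = """\
Upstream Information:
Serial Number:FGVM010000077649
IP:10.1.0.254
Connecting interface:port1
Connection status:Authorized
"""

DOWNSTREAM_SAMPLE = """\
1: FGVM010000077646 (10.1.0.1) Management-IP: Management-port:0 parent:FGVM010000077649 path:FGVM010000077649:FGVM010000077646
data received: Y downstream intf:port1 upstream intf:port3 admin-port:443
authorizer:FGVM010000077649
2: FGVM010000077647 (10.1.2.1) Management-IP: Management-port:0 parent:FGVM010000077646 path:FGVM010000077649:FGVM010000077646:FGVM010000077647
data received: Y downstream intf:port2 upstream intf:port4 admin-port:443
authorizer:FGVM010000077646
"""


@dataclass
class Downstream:
    serial: str
    ip: str
    parent: str
    path: list
    data_received: bool = False
    downstream_intf: str = ""
    upstream_intf: str = ""
    admin_port: int = 0
    authorizer: str = ""


_ENTRY = re.compile(
    r"^\d+:\s+(?P<serial>\S+)\s+\((?P<ip>[^)]*)\)\s+Management-IP:(?P<mip>\S*)\s+"
    r"Management-port:(?P<mport>\d+)\s+parent:(?P<parent>\S+)\s+path:(?P<path>\S+)")
_LINK = re.compile(
    r"^data received:\s*(?P<rx>\S)\s+downstream intf:(?P<dintf>\S+)\s+"
    r"upstream intf:(?P<uintf>\S+)\s+admin-port:(?P<aport>\d+)")
_AUTH = re.compile(r"^authorizer:(?P<auth>\S+)")


def parse_upstream(text):
    """'diagnose sys csf upstream' -> {'Serial Number': ..., 'Connection status': ...}."""
    info = {}
    for line in text.splitlines():
        if ":" in line and not line.rstrip().endswith(":"):
            key, value = line.split(":", 1)
            info[key.strip()] = value.strip()
    return info


def parse_downstream(text):
    """'diagnose sys csf downstream' -> list of Downstream, one per numbered entry."""
    members, cur = [], None
    for line in text.splitlines():
        m = _ENTRY.match(line)
        if m:
            cur = Downstream(serial=m["serial"], ip=m["ip"], parent=m["parent"],
                             path=m["path"].split(":"))
            members.append(cur)
            continue
        if cur is None:
            continue
        m = _LINK.match(line)
        if m:
            cur.data_received = m["rx"] == "Y"
            cur.downstream_intf, cur.upstream_intf = m["dintf"], m["uintf"]
            cur.admin_port = int(m["aport"])
            continue
        m = _AUTH.match(line)
        if m:
            cur.authorizer = m["auth"]
    return members


def upstream_ok(info):
    """True when the downstream device reports an authorized connection upstream."""
    return info.get("Connection status") == "Authorized"


def audit(root_serial, members):
    """Return a list of findings; an empty list means the tree is consistent."""
    findings = []
    known = {root_serial} | {m.serial for m in members}
    for m in members:
        if m.path[0] != root_serial:
            findings.append(f"{m.serial}: path does not start at root {root_serial}")
        if m.path[-1] != m.serial:
            findings.append(f"{m.serial}: path does not end at the member itself")
        if len(m.path) < 2 or m.path[-2] != m.parent:
            findings.append(f"{m.serial}: parent {m.parent} is not the previous hop on its path")
        if m.parent not in known:
            findings.append(f"{m.serial}: parent {m.parent} is not a known fabric member")
        if m.authorizer not in m.path[:-1]:
            findings.append(f"{m.serial}: authorizer {m.authorizer} is not an upstream member on its path")
        if not m.data_received:
            findings.append(f"{m.serial}: no data received yet over {m.downstream_intf}")
    return findings


if __name__ == "__main__":
    print("upstream authorized:", upstream_ok(parse_upstream(UPSTREAM_SAMPLE)))
    for finding in audit("FGVM010000077649", parse_downstream(DOWNSTREAM_SAMPLE)) or ["tree is consistent"]:
        print(finding)
```

Run `diagnose sys csf downstream` on the root and feed the captured text to `parse_downstream`; a non-empty finding list points at a member that joined through an unexpected parent or was authorized by a device that is not on its own path.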


Security Fabric Configuration Synchronization
• FortiAnalyzer, FortiManager, and FortiSandbox configuration is pushed from the root
FortiGate:
• All members send logs to a single FortiAnalyzer
• All members are managed by the same FortiManager
• All members use the same FortiSandbox for file inspection where antivirus is applied

• You can disable the configuration synchronization on the downstream devices:


config system csf
set configuration-sync local
end

• All fabric members maintain their own security fabric map


• MAC and IP address of all the connected FortiGate devices and their interfaces
# diagnose sys csf neighbor list
Interface MAC
--------------------------------------
port3 00:50:56:b6:ad:29
port3 00:50:56:9f:07:84



Security Fabric Configuration Synchronization (Contd)
• The root FortiGate pushes various policy objects and groups:
• Address objects and address groups
• Service objects and service groups
• Schedule objects and schedule groups

• You can disable the configuration synchronization on the root FortiGate:

config system csf
set fabric-object-unification local
end

• Security Fabric supports multi-VDOM environments

(Figure: Root FortiGate FGTA-1 with a root VDOM and a nat VDOM; its port3 connects to downstream FortiGate FGTD-1 (level-1) on port1, its port2 connects to downstream FortiGate FGTB-1 (level-1) on port1, and FGTB-1 port4 connects to downstream FortiGate FGTC (level-2) on port1)
Security Fabric Logging
• Traffic logs are always enabled in all firewall policies
• The Security Fabric, as a whole, logs each session once
• The first FortiGate that handles a session in the Security Fabric logs the session
• Any upstream FortiGate that is a member of the Security Fabric does not create duplicate traffic logs for
sessions coming from another member's MAC address with the following exceptions:
• If an upstream FortiGate performs NAT, FortiGate generates another log on that device
• Upstream FortiGate devices still log UTM events, if configured

• FortiAnalyzer does UTM and traffic log correlation, so that session details, UTM events,
reporting and automation in the Security Fabric work correctly
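
Added example (not Fortinet code): a Python audit for the logging rule above. It parses a constructed batch of FortiOS-style key=value traffic and UTM logs from three fabric members and flags any session that an upstream member logged again as traffic, without NAT, even though the packets arrived from another member's MAC address. The fabric member MAC addresses are the two listed by `diagnose sys csf neighbor list` on the configuration synchronization slide; the log lines, device names, addresses and session IDs are constructed and carry only the fields the check needs.

```python
import shlex
from collections import defaultdict

# Constructed FortiOS-style log lines (only the fields used here).
# ISFW is the first hop for Client-1; NGFW applies SNAT; DCFW applies IPS.
SAMPLE_LOGS = """\
devname="ISFW" type="traffic" subtype="forward" sessionid=1001 proto=6 srcip=10.0.1.10 srcport=51000 dstip=198.51.100.80 dstport=443 srcmac="00:0c:29:aa:bb:cc"
devname="NGFW" type="traffic" subtype="forward" sessionid=2001 proto=6 srcip=10.0.1.10 srcport=51000 dstip=198.51.100.80 dstport=443 srcmac="00:50:56:b6:ad:29" transip=203.0.113.5 transport=40001
devname="ISFW" type="traffic" subtype="forward" sessionid=1002 proto=6 srcip=10.0.1.10 srcport=51001 dstip=10.0.3.20 dstport=445 srcmac="00:0c:29:aa:bb:cc"
devname="DCFW" type="utm" subtype="ips" sessionid=3001 proto=6 srcip=10.0.1.10 srcport=51001 dstip=10.0.3.20 dstport=445 srcmac="00:50:56:9f:07:84"
devname="DCFW" type="traffic" subtype="forward" sessionid=3001 proto=6 srcip=10.0.1.10 srcport=51001 dstip=10.0.3.20 dstport=445 srcmac="00:50:56:9f:07:84"
"""

# MAC addresses of fabric members, as listed by 'diagnose sys csf neighbor list'.
FABRIC_MACS = {"00:50:56:b6:ad:29", "00:50:56:9f:07:84"}


def parse_logs(text):
    """Split key=value log lines into dicts; shlex strips the quoted values."""
    return [dict(kv.split("=", 1) for kv in shlex.split(line))
            for line in text.splitlines() if line.strip()]


def session_key(rec):
    """5-tuple that identifies one session across devices (pre-NAT addresses)."""
    return (rec["proto"], rec["srcip"], rec["srcport"], rec["dstip"], rec["dstport"])


def applied_nat(rec):
    """True when this device translated the source address for the session."""
    return bool(rec.get("transip")) and rec["transip"] != rec["srcip"]


def find_duplicate_traffic_logs(records, fabric_macs):
    """Return {session_key: [devname, ...]} for traffic logs that an upstream
    member should have suppressed: the session arrived from another fabric
    member's MAC address and the logging device did not apply NAT.
    UTM logs (type != traffic) are always permitted and are ignored here."""
    by_session = defaultdict(list)
    for rec in records:
        if rec.get("type") == "traffic":
            by_session[session_key(rec)].append(rec)
    duplicates = {}
    for key, recs in by_session.items():
        offenders = [r["devname"] for r in recs
                     if r.get("srcmac") in fabric_macs and not applied_nat(r)]
        if offenders:
            duplicates[key] = offenders
    return duplicates


if __name__ == "__main__":
    for key, devs in find_duplicate_traffic_logs(parse_logs(SAMPLE_LOGS), FABRIC_MACS).items():
        print("unexpected duplicate traffic log for session", key, "from", devs)
```

In the sample, NGFW's second log for the web session is expected because it applied SNAT, and DCFW's IPS log is expected because UTM events are always logged; only DCFW's plain traffic log for the SMB session is reported, since that session reached DCFW from ISFW's MAC address and DCFW did not NAT it.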



Security Fabric Logging (Contd)
(Figure: Client-1 → ISFW → NGFW → Internet (WWW) for web traffic; Client-1 → ISFW → DCFW → Corporate File Server for SMB traffic; ISFW, NGFW, and DCFW each have a FAZ log connection to FortiAnalyzer)
• ISFW creates traffic logs for all sessions from Client-1
• NGFW is performing SNAT and web filtering; it creates additional logs to augment the ISFW traffic logs for web sessions
• DCFW is running IPS; it creates additional UTM logs for sessions going to the file server that trigger one or more configured IPS sensors
• FortiAnalyzer receives the various traffic and UTM logs and correlates them to accurately reflect Client-1 activity and to trigger relevant automation actions


Topology Views
Security Fabric > Physical Topology
• Visualization of access layer devices in the Security Fabric
• Authorize or deauthorize access devices (FortiSwitch, FortiAPs)
• Ban or unban compromised clients
• Some device management tasks
• Upgrade
• Connect to device CLI

Security Fabric > Logical Topology
• Information about the interfaces that each device in the Security Fabric connects to


Security Fabric Rating
Security Fabric > Security Rating
• Three major scorecards:
• Security Posture
• Fabric Coverage
• Optimization
• Provide an executive summary of the three largest areas of security focus
• Clicking a scorecard drills down to a report of itemized results and compliance recommendations
• Each scorecard shows an average letter grade of performance in its subcategories


Security Posture
Security Fabric > Security Rating > Security Posture
• The Security Rating Score helps you to identify the security issues in your network and prioritize your tasks
• You can resolve security issues that are labelled as Apply immediately
• Identifies critical security gaps


Automation Stitches—Overview
Security Fabric > Automation
• Configure various automated actions based on triggers
• Event triggers can come from FortiGate or other Security Fabric devices through FortiAnalyzer event handlers
• Configure the Minimum interval
setting to make sure you don’t
receive repeat alert notifications
about the same event
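
Added example (not Fortinet code) of the receiving side of a stitch whose action is a webhook. It assumes, as an illustration rather than anything on the slide, that the webhook action is configured to POST a JSON body carrying the stitch name and the event's source IP, and to send a shared secret in a custom `X-Stitch-Token` header (the header name and body fields are this example's own). The receiver rejects calls without the right token and applies the same idea as the Minimum interval setting on its own side, so that a stitch firing repeatedly for the same host within the interval is acknowledged but not acted on twice.

```python
import hmac
import json
import time
from http.server import BaseHTTPRequestHandler, HTTPServer


class StitchReceiver:
    """Validates webhook calls from an automation stitch and suppresses repeats."""

    def __init__(self, token, min_interval_s=60):
        self.token = token                  # shared secret expected in X-Stitch-Token
        self.min_interval_s = min_interval_s
        self.last_seen = {}                 # (stitch, srcip) -> time of last accepted event
        self.accepted = []                  # events that were acted on

    def handle(self, headers, body, now=None):
        """Return (http_status, reason). 'headers' is a mapping, 'body' the raw text."""
        now = time.time() if now is None else now
        presented = headers.get("X-Stitch-Token", "")
        # Constant-time comparison so the token cannot be guessed byte by byte.
        if not hmac.compare_digest(presented, self.token):
            return 401, "bad token"
        try:
            event = json.loads(body)
        except (json.JSONDecodeError, TypeError):
            return 400, "body is not JSON"
        if not isinstance(event, dict):
            return 400, "body is not a JSON object"
        stitch, srcip = event.get("stitch"), event.get("srcip")
        if not stitch or not srcip:
            return 400, "missing stitch or srcip"
        key = (stitch, srcip)
        last = self.last_seen.get(key)
        if last is not None and now - last < self.min_interval_s:
            return 202, "suppressed: repeat within minimum interval"
        self.last_seen[key] = now
        self.accepted.append(event)
        return 200, "accepted"


def make_handler(receiver):
    """Wrap a StitchReceiver in a minimal HTTP handler for use with HTTPServer."""
    class Handler(BaseHTTPRequestHandler):
        def do_POST(self):
            length = int(self.headers.get("Content-Length", 0))
            body = self.rfile.read(length).decode("utf-8", "replace")
            status, reason = receiver.handle(self.headers, body)
            self.send_response(status)
            self.end_headers()
            self.wfile.write(reason.encode())
    return Handler


if __name__ == "__main__":
    # Assumed deployment: the stitch's webhook action points at http://<host>:8080/
    receiver = StitchReceiver(token="replace-with-the-configured-secret", min_interval_s=60)
    HTTPServer(("0.0.0.0", 8080), make_handler(receiver)).serve_forever()
```

The suppressed call still returns 202 so the FortiGate sees the action succeed; the key used for suppression is the (stitch, source IP) pair, which matches how a single compromised host would otherwise re-trigger the same stitch on every new event.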



Automation Stitches—Triggers
Security Fabric > Automation
(Screenshot of the available trigger types)

Automation Stitches—Actions
Security Fabric > Automation
(Screenshot of the available action types)


Automation Stitches
Security Fabric > Automation
• After you define the automation triggers and
automation actions, you can create your
automation stitch
• You can use multiple automation actions in
your stitch.
• Actions in a stitch can execute in one of two ways:
• Sequentially
• In parallel


Testing Stitches
• You can test stitches on the CLI
# diagnose automation test <stitch_name>
• When an automation stitch is triggered, FortiGate creates an event log

Log & Report > System Events



Use Case 1
• Security Fabric root device can link to FortiClient Endpoint Management System (EMS)
for endpoint connectors and automation
• Telemetry and compliance data shared between FortiGate and FortiClient
• EMS helps enhance endpoint visibility, compliance control, vulnerability scanning, and
automated response
• Implement ZTNA access control
• ZTNA method uses:
• Client-device identification
• Authentication
• Zero-trust tags
• Provides flexibility to manage both on-fabric and off-fabric users



ZTNA Workflow
(Figure: FortiClient EMS syncs ZTNA tags and certificates to the FortiGate; on-fabric and off-fabric clients send ZTNA telemetry to EMS; the FortiGate enforces the ZTNA policy, with ZTNA IP/MAC filtering, in front of the protected servers and resources)
Quarantine Automation
Security Fabric > Automation
• You can quarantine an endpoint from FortiOS through EMS using an API
• The following network components are required:
• FortiGate
• FortiAnalyzer
• FortiClient EMS
• FortiClient
• The Security Fabric, which includes the above network devices, can automatically quarantine an endpoint on which an IoC is detected


FortiAnalyzer—IoC Flow
(Figure: FortiClient endpoint, FortiGate, FortiAnalyzer, and FortiClient EMS)
1. Malicious site detected; FortiClient sends the log to FortiAnalyzer
2. FortiAnalyzer discovers the IOC and notifies FortiGate
3. FortiGate identifies that the endpoint is connected and sends a notification to EMS
4. EMS sends the quarantine message to the endpoint
5. The endpoint quarantines itself and notifies the FortiGate and EMS

diag endpoint forticlient-ems-rest-api queue-quarantine-ipv4 <endpoint_ip_address>


Use Case 2
• Configure telemetry and the IP address of the root FortiGate on FortiNAC
• Authorize FortiNAC on the root FortiGate
• FortiNAC passes device IP, FortiNAC group names, and firewall tags to FortiGate

(Figure: FortiNAC → FortiGate; fields passed: Device IP, FortiNAC Group, Firewall Tags)


FortiNAC Fabric Connector
(Figure: a user device logs in; FortiNAC reports the user login to the FortiGate (Fabric root), which sits between the user device and the Internet)


Use Case 3
• SSO fabric connectors integrate SSO authentication into the network
• Allows identified users access to multiple applications, without having to re-authenticate
• Users who are already identified can access applications, without being prompted to
provide credentials
• SSO software identifies a user’s user ID, IP address, and group membership
• FortiGate allows access based on membership in SSO groups configured on FortiGate
• SSO groups can be mapped to individual users, user groups, organizational units (OUs), or a
combination of them
• The following fabric connectors are available:
• Fortinet single sign-on (FSSO) agent
• Poll Active Directory server
• Symantec endpoint connector
• RADIUS single sign-on agent
• Exchange Server connector
• Each SSO method gathers login events differently



FSSO—Flow Chart
(Figure: FSSO flow. userA (IP: 10.0.1.10) and userB (IP: 10.0.1.20) log on to the authentication servers (AD/Novell/Syslog Windows server); the logon events reach the Collector Agent or FortiAuthenticator, shown as UDP 8002 between the authentication servers and the Collector Agent; the collector passes Source IP and Group to the FortiGate, which controls the users' access to the Internet)


Use Case 4—Fabric Address Management
• IP address management (IPAM)

(Figure: FGT_A (root and DHCP server), FGT_B (DHCP client), and FGT_C. Addresses shown: 172.31.0.1/24 and 172.31.0.2/24 on the port3-to-port3 link between FGT_A and FGT_B, 172.31.1.1/24 on a port2, 172.31.2.1/24 on port6; other interfaces labelled port2 and port4)


Review
• Explore the Fortinet Security Fabric
• Diagnose the Security Fabric operation
• Perform a security rating audit
• Configure automation stitches
• Identify Security Fabric use cases based on different scenarios


Lab 3—Security Fabric
• The Security Fabric follows a tree topology
• NGFW-1 will be the root of the tree, and ISFW and DCFW will be branches
• On NGFW-1, DCFW, and ISFW you will:
• Enable device detection
• Enable Security Fabric
• Enable Security Fabric automation stitch