Cooperative Security Fabric

Facebooktwittergoogle_plusredditpinterestlinkedinFacebooktwittergoogle_plusredditpinterestlinkedin

This collection of related recipes shows how to configure a Cooperative Security Fabric (CSF) – also known as a Fortinet Security Fabric – throughout your network, using a range of Fortinet products. This security fabric will link different security sensors and tools together to collect, coordinate, and respond to malicious behavior anywhere it occurs on your network in real time.

Below, you will find links to a number of Cookbook recipes. By using these recipes in the listed order, you can create a network similar to the one shown above.

This collection is a work-in-progress. Check back to see what new recipes have been added.

Between most steps are screenshots showing the FortiView Topology dashboards, which can be seen in the video above. These dashboards display the devices that make up your cooperative security fabric. The Physical Topology dashboard shows all access layer devices, while the Logical Topology dashboard displays information about the interface (logical or physical) that each device is connected to.

CSF is supported by the following Fortinet firmware:

  • FortiOS 5.4.1+
  • FortiAnalyzer 5.4.1+
  • FortiSwitchOS 3.3+
  • FortiClient 5.4.1+

1. Installing a FortiGate in NAT/Route mode

In this recipe, you install the initial FortiGate, which will later be used as the Internet-facing, or upstream, FortiGate in the security fabric.

Because the CSF has not yet been enabled, the FortiView topology dashboards are not yet available.


2. Installing internal FortiGates and enabling a security fabric

Watch the video

 

In this recipe, two additional FortiGates are added to the network as an Internal Segmentation Firewalls (ISFWs). Once the FortiGates are installed, a security fabric is set up between them and the external FortiGate which was installed in the network previously.

In the example network, the Internet-facing FortiGate is called External, with two additional FortiGates, called Accounting and Marketing, configured as ISFWs. The FortiGates all appear in the FortiView toplogy dashboards on the External FortiGate.

Physical topology:

Logical topology:


3. Adding FortiAnalyzer to a security fabric

In this recipe, a FortiAnalyzer is installed to record and display logs from all FortiGates in the security fabric.

The FortiAnalyzer does not appear ain the FortiView dashboards, so they remain unchanged.

4. High Availability with two FortiGates

In this recipe, the External FortiGate is set up as part of an High Availability (HA) cluster. This provides redundancy for the network in case one of the FortiGates in the cluster fails.

The topology dashboards do not show both FortiGates in the HA cluster. However, the name of the upstream FortiGate has changed to the name of the primary unit in the cluster (External-Primary).

Physical topology:

Logical topology:


5. Setting up an internal network with a managed FortiSwitch

In this recipe, two FortiSwitches are installed behind the ISFWs. The FortiSwitches are managed by the FortiGates and will be used to connect two internal networks that will be protected by the FortiGates.

The FortiSwitches now appears in the Physical Topology dashboard, provided the Access Device view is selected. The switches do not appear in the Logical Topology dashboard.

Physical topology:

Logical topology:


6. Adding endpoint control to a security fabric

In this recipe, a FortiClient profile is used to enforce endpoint control for devices that are connected to the CSF.

In the screenshots below, endpoint control has been applied to a PC on the Marketing Network. Also, the Marketing FortiSwitch now appears in the Logical Topology dashboard because traffic is flowing through it.

Physical topology:

Logical topology:

7. Adding FortiManager to a security fabric

In this recipe, a FortiManager is added to provide central management for the FortiGates in the security fabric.

Victoria Martin

Victoria Martin

Technical Writer & Head Cookbook Chef at Fortinet
Victoria Martin works in Ottawa as part of the FortiOS technical documentation team. She graduated with a Bachelor's degree from Mount Allison University, after which she attended Humber College's book publishing program, followed by the more practical technical writing program at Algonquin College. She does need glasses but also likes wearing them, since glasses make you look smarter.
Victoria Martin

Latest posts by Victoria Martin (see all)

  • Was this helpful?
  • Yes   No
  • CGauss

    As a service provider would there be any use to having all of our customers firewalls as a whole participate in the Coop Security Fabric? I could set our firewall as the “master” if it provides us any benefit.

    • bdickie

      The Cooperative Security Fabric feature is designed to be deployed in a single organization and not between multiple customers. But, we are not the best source for the information you would need to make this decision. I would recommend contacting Fortinet Support or Sales for a more definitive statement.

  • Peter Bruderer

    I have multiple upstream firewalls. What now?

    • bdickie

      You can select one to be the upstream firewall for all of the others. For CSF communication to work the downstream firewalls all have to be able to communicate with the upstream firewall. This means allowing traffic on the FortiTelemetry port and configuring routing correctly. This would normally happen anyway with most configurations, although if your firewall policies are restrictive you may have to open then up a bit to allow FortiTelemetry traffic.

  • Berni

    I have try to enable csf on a fgt where vdom mode is enabled and it failed 🙁

    • bdickie

      We should have documented this more clearly, but yes for FortiOS 5.4.1 VDOM mode and cooperative security fabric are not compatible. This may change in a future patch. We are adding this info to the What’s New right now.

  • Bernhard Heinz

    Hello, interessting evolution. Whats about if there are some “non fortinet” products (for example cisco router) in between External and Accounting Fortigates?. Regards Bernhard

    • bdickie

      FortiTelemetry communication through devices such as routers is supported as long as the router allows traffic on the FortiTelemetry port. The default FortiTelemetry port is 8013 and this port can be changed from the GUI.

  • Ratan Mohapatra

    Nice!