Cooperative Security Fabric


This collection of related recipes shows how to configure a Cooperative Security Fabric (CSF) – also known as a Fortinet Security Fabric – throughout your network, using a range of Fortinet products. This Fabric will link different security sensors and tools together to collect, coordinate, and respond to malicious behavior anywhere it occurs on your network in real time.

Below, you will find links to a number of Cookbook recipes. By using these recipes in the listed order, you can create a network similar to the one shown above.

You can find more information about Security Fabric at the Fortinet Document Library.

Between most steps are screenshots showing the FortiView Topology dashboards, which can be seen in the video above. These dashboards display the devices that make up your Security Fabric. The Physical Topology dashboard shows all access layer devices, while the Logical Topology dashboard displays information about the interface (logical or physical) that each device is connected to.

Security Fabric is supported by the following Fortinet firmware:

1. Installing a FortiGate in NAT/Route mode

In this recipe, you install the initial FortiGate, which will later be used as the Internet-facing, or upstream, FortiGate in the Security Fabric.

Because the CSF has not yet been enabled, the FortiView topology dashboards are not yet available.

2. Installing internal FortiGates and enabling a Security Fabric


In this recipe, two additional FortiGates are added to the network as Internal Segmentation Firewalls (ISFWs). Once the FortiGates are installed, a Security Fabric is set up between them and the external FortiGate that was installed in the network previously.

In the example network, the Internet-facing FortiGate is called External, with two additional FortiGates, called Accounting and Marketing, configured as ISFWs. The FortiGates all appear in the FortiView topology dashboards on the External FortiGate.

Physical topology:

Logical topology:

3. Adding FortiAnalyzer to a Security Fabric

In this recipe, a FortiAnalyzer is installed to record and display logs from all FortiGates in the Security Fabric.

The FortiAnalyzer does not appear in the FortiView dashboards, so they remain unchanged.

4. High Availability with two FortiGates

In this recipe, the External FortiGate is set up as part of a High Availability (HA) cluster. This provides redundancy for the network in case one of the FortiGates in the cluster fails.

The topology dashboards do not show both FortiGates in the HA cluster. However, the name of the upstream FortiGate has changed to the name of the primary unit in the cluster (External-Primary).

Physical topology:

Logical topology:

5. Setting up an internal network with a managed FortiSwitch

In this recipe, two FortiSwitches are installed behind the ISFWs. The FortiSwitches are managed by the FortiGates and will be used to connect two internal networks that will be protected by the FortiGates.

The FortiSwitches now appear in the Physical Topology dashboard, provided the Access Device view is selected. The switches do not appear in the Logical Topology dashboard.

Physical topology:

Logical topology:

6. Adding endpoint control to a Security Fabric

In this recipe, a FortiClient profile is used to enforce endpoint control for devices that are connected to the CSF.

In the screenshots below, endpoint control has been applied to a PC on the Marketing Network. Also, the Marketing FortiSwitch now appears in the Logical Topology dashboard because traffic is flowing through it.

Physical topology:

Logical topology:

7. Adding FortiManager to a Security Fabric

In this recipe, a FortiManager is added to provide central management for the FortiGates in the Security Fabric.

The FortiManager does not appear in the FortiView dashboards, so they remain unchanged.

Victoria Martin

Technical Writer & Head Cookbook Chef at Fortinet
Victoria Martin works in Ottawa as part of the FortiOS technical documentation team. She graduated with a Bachelor's degree from Mount Allison University, after which she attended Humber College's book publishing program, followed by the more practical technical writing program at Algonquin College. She does need glasses but also likes wearing them, since glasses make you look smarter.

  • CGauss

    As a service provider would there be any use to having all of our customers firewalls as a whole participate in the Coop Security Fabric? I could set our firewall as the “master” if it provides us any benefit.

    • bdickie

      The Cooperative Security Fabric feature is designed to be deployed in a single organization and not between multiple customers. But, we are not the best source for the information you would need to make this decision. I would recommend contacting Fortinet Support or Sales for a more definitive statement.

  • Peter Bruderer

    I have multiple upstream firewalls. What now?

    • bdickie

      You can select one to be the upstream firewall for all of the others. For CSF communication to work the downstream firewalls all have to be able to communicate with the upstream firewall. This means allowing traffic on the FortiTelemetry port and configuring routing correctly. This would normally happen anyway with most configurations, although if your firewall policies are restrictive you may have to open them up a bit to allow FortiTelemetry traffic.

      • Glen Martin

        Just to clarify – I have three Fortigate units, one at head office, and the others at remote sites, each as an edge device connecting that office’s subnet to the internet. The two remote sites are connected to the main site through IPsec VPNs. Is this an appropriate scenario to use Security Fabric? The units are running the current 5.6 release of FortiOS.

        • Victoria Martin

          Hi Glen, we do have a recipe about adding FortiGates that connect via VPN to a Security Fabric, which you can find at

          Please note that you will need to be running 5.6.1 or higher in order to use this recipe.

          • Glen Martin

            Hi Victoria – great last name, BTW :>)
            Please see my previous post – I didn’t get a direct answer to the question.
            Also, the recipe you linked to shows a FortiAnalyzer, which we do not have.

          • Victoria Martin

            Hi Glen – it is a pretty good last name.

            In FortiOS 5.6, a FortiAnalyzer is required for a Security Fabric, so it does not sound like it would be appropriate for your current scenario.

  • Berni

    I have tried to enable csf on a fgt where vdom mode is enabled and it failed 🙁

    • bdickie

      We should have documented this more clearly, but yes for FortiOS 5.4.1 VDOM mode and cooperative security fabric are not compatible. This may change in a future patch. We are adding this info to the What’s New right now.

      • hartato hartato

        I’m using FortiOS 5.6.
        Still, I’m unable to enable csf on VDOM mode.

        • Victoria Martin

          At this point in time, the Security Fabric feature is not supported for use with VDOMs.

          • pdisme

            Any updates on CSF compatibility with 5.6?

          • Victoria Martin

            The Security Fabric Collection has been updated for 5.6, you can find that version at

          • pdisme

            Sorry, I wasn’t clear, I was meaning does CSF work with 5.6 when vdoms are enabled? This thread was previously that CSF doesn’t work with vdoms enabled; we use them like the other poster and couldn’t use CSF as a result, but I’m willing to upgrade to 5.6 if it gets me that.

          • Victoria Martin

            No, VDOMs are not supported for use in a Security Fabric in FortiOS 5.6.

  • Bernhard Heinz

    Hello, interesting evolution. What about if there are some “non fortinet” products (for example cisco router) in between External and Accounting Fortigates? Regards Bernhard

    • bdickie

      FortiTelemetry communication through devices such as routers is supported as long as the router allows traffic on the FortiTelemetry port. The default FortiTelemetry port is 8013 and this port can be changed from the GUI.

  • Ratan Mohapatra