This collection of related recipes shows how to configure a Cooperative Security Fabric (CSF) – also known as a Fortinet Security Fabric – throughout your network, using a range of Fortinet products. This security fabric will link different security sensors and tools together to collect, coordinate, and respond to malicious behavior anywhere it occurs on your network in real time.
Below, you will find links to a number of Cookbook recipes. By using these recipes in the listed order, you can create a network similar to the one shown above.
This collection is a work-in-progress. Check back to see what new recipes have been added.
Between most steps are screenshots showing the FortiView Topology dashboards, which can be seen in the video above. These dashboards display the devices that make up your cooperative security fabric. The Physical Topology dashboard shows all access layer devices, while the Logical Topology dashboard displays information about the interface (logical or physical) that each device is connected to.
CSF is supported by the following Fortinet firmware:
- FortiOS 5.4.1+
- FortiAnalyzer 5.4.1+
- FortiSwitchOS 3.3+
- FortiClient 5.4.1+
In this recipe, you install the initial FortiGate, which will later be used as the Internet-facing, or upstream, FortiGate in the security fabric.
Because the CSF has not yet been enabled, the FortiView topology dashboards are not yet available.
In this recipe, two additional FortiGates are added to the network as Internal Segmentation Firewalls (ISFWs). Once the FortiGates are installed, a security fabric is set up between them and the external FortiGate that was installed in the network previously.
In the example network, the Internet-facing FortiGate is called External, with two additional FortiGates, called Accounting and Marketing, configured as ISFWs. The FortiGates all appear in the FortiView topology dashboards on the External FortiGate.
In this recipe, a FortiAnalyzer is installed to record and display logs from all FortiGates in the security fabric.
The FortiAnalyzer does not appear in the FortiView dashboards, so they remain unchanged.
In this recipe, the External FortiGate is set up as part of a High Availability (HA) cluster. This provides redundancy for the network in case one of the FortiGates in the cluster fails.
The topology dashboards do not show both FortiGates in the HA cluster. However, the name of the upstream FortiGate has changed to the name of the primary unit in the cluster (External-Primary).
In this recipe, two FortiSwitches are installed behind the ISFWs. The FortiSwitches are managed by the FortiGates and will be used to connect two internal networks that will be protected by the FortiGates.
The FortiSwitches now appear in the Physical Topology dashboard, provided the Access Device view is selected. The switches do not appear in the Logical Topology dashboard.
In this recipe, a FortiClient profile is used to enforce endpoint control for devices that are connected to the CSF.
In the screenshots below, endpoint control has been applied to a PC on the Marketing Network. Also, the Marketing FortiSwitch now appears in the Logical Topology dashboard because traffic is flowing through it.
In this recipe, a FortiManager is added to provide central management for the FortiGates in the security fabric.
The FortiManager does not appear in the FortiView dashboards, so they remain unchanged.