Security Fabric


The Fortinet Security Fabric links various security sensors and tools together to collect, coordinate, and respond to malicious behavior, in real time, anywhere it occurs on your network. Below, you will find a collection Cookbook recipes about the Security Fabric. By using these recipes in the order listed, you can create a network similar to the one shown above.

This collection is a work in progress. Check back regularly for new recipes.

You can find more information about the Security Fabric at the Fortinet Document Library.

Between most steps are screenshots showing the Security Fabric topology views. The Physical Topology dashboard shows all access layer devices, and the Logical Topology dashboard shows information about the interface (logical or physical) that each device is connected to.

This collection supports the following Fortinet firmware:

  • FortiOS 5.6.0+
  • FortiAnalyzer 5.6.0+
  • FortiSandbox 2.4.0+
  • FortManager 5.6.0+

1. Installing a FortiGate in NAT/Route mode

This recipe shows you how to install a single FortiGate in your network using NAT/Route mode, the most commonly used operation mode..

In later recipes, this FortiGate will be the “external” FortiGate in the network, because it the only FortiGate that directly connects to the Internet, with other FortiGates located behind it. This role is also known as the edge or gateway FortiGate

This FortiGate will also be the root FortiGate in the Security Fabric. The root FortiGate receives information from all other FortiGates in the Security Fabric and is used to run the Security Fabric Audit. For more information about this, refer to the next recipe in the collection.

Because a Security Fabric has not yet been created, the Security Fabric topology views have not been included here.

2. Security Fabric installation

This recipe shows you how to add three additional FortiGates to the network as Internal Segmentation Firewalls (ISFWs). A FortiAnalyzer is also added to the network to collect and view logs.

After the ISFW FortiGates and FortiAnalyzer are installed, the Security Fabric is configured. External, the FortiGate from the previous recipe, becomes the root FortiGate in the Security Fabric, with the other FortiGates sending their information upstream to External.

The FortiGates all appear in the topology views on External, along with the FortiAnalyzer. The ISFW FortiGates (Accounting, Sales, and Marketing) are connected to the root FortiGate (External).

Physical topology:

Logical topology:

3. FortiSandbox in the Security Fabric

This recipe shows you how to add a FortiSandbox to the Security Fabric, so that any suspicious files discovered by the FortiGates can be scanned and tested in isolation from the rest of the network. A file is considered to be suspicious if it has some suspicious characteristics, but does not contain any known threats.

After the FortiSandbox is added to the Security Fabric, it appears in the topology views.

Physical topology:

Logical topology:

4. High Availability with two FortiGates

This recipe shows you how to create an HA cluster by adding a backup FortiGate for root FortiGate (External) in the Security Fabric. This will provide redundancy if the primary FortiGate fails.

The HA cluster is now shown in the topology views.

Physical topology:

Logical topology:

5. FortiManager in the Security Fabric

This recipe shows you how to add a FortiManager to provide central management for the FortiGates in the Security Fabric.

The FortiManager does not appear in the topology views, so they remain unchanged.

Victoria Martin

Victoria Martin

Technical Writer & Head Cookbook Chef at Fortinet
Victoria Martin works in Ottawa as part of the FortiOS technical documentation team. She graduated with a Bachelor's degree from Mount Allison University, after which she attended Humber College's book publishing program, followed by the more practical technical writing program at Algonquin College. She does need glasses but also likes wearing them, since glasses make you look smarter.
Victoria Martin

Latest posts by Victoria Martin (see all)

  • Was this helpful?
  • Yes   No
  • Aaron Moorington

    Assuming that I have enough power and ports, can I use only one equipmment as external firewall (NGFW) and as ISFW?

    • Victoria Martin

      Hi Aaron,

      That configuration is possible, however the Security Fabric feature is intended to include multiple FortiGates. Also, please note that VDOMs are not supported for use with a Security Fabric.