Security Fabric installation


In this example, you will configure a security fabric that consists of four FortiGates and a FortiAnalyzer. One of the FortiGates will be the root (or upstream) FortiGate in the Security Fabric, while the others function as Internal Segmentation Firewalls (ISFWs). OSPF routing will be used for communication between devices.

Once the Fabric has been configured, a Security Fabric Audit is run, to make any necessary improvements to the configuration.

In the example, the following FortiGate aliases/models are used:

  • External (root FortiGate): a FortiGate 600D
  • Accounting: a FortiGate 140D
  • Marketing: a FortiGate 90D
  • Sales: a FortiGate 51E


1. Configuring the External FortiGate

In the Security Fabric, the External FortiGate is the root, or upstream, FortiGate. All the ISFW FortiGates will link to External in order to connect to other devices in the fabric, as well as the Internet.

In this example, the following interfaces on the External FortiGate are used to connect to other network devices:

  • Port 9 connects to the Internet (this interface has already been configured, because this FortiGate has already been installed in NAT/Route mode; for more information, see Installing a FortiGate in NAT/Route mode)
  • Port 10 connects to Accounting (IP address: 192.168.10.2)
  • Port 11 connects to Marketing (IP address: 192.168.200.2)
  • Port 12 connects to Sales (IP address: 192.168.35.2)
  • Port 16 connects to the FortiAnalyzer (IP address: 192.168.55.2)

On External, go to Network > Interfaces and edit port 10.

Set an IP/Network Mask for the interface (in the example, 192.168.10.2).

 

Configure Administrative Access to allow FortiTelemetry, required for communication between FortiGates in the Security Fabric.

Configure other services as required.

Repeat this step to configure the other interfaces, setting the appropriate IP addresses.

Go to Policy & Objects > IPv4 Policy and create a policy for traffic from Accounting to the Internet.

Enable NAT.

Repeat this step to create similar policies for Marketing and Sales.

On the External FortiGate, go to System > Feature Select. Under Additional Features, select Multiple Interface Policies.

Go to Policy & Objects > IPv4 Policy and create a policy allowing the ISFW FortiGates to access the FortiAnalyzer.

Do not enable NAT.

To enable Security Fabric and configure the connection to the FortiAnalyzer, go to System > Security Fabric and enable Security Fabric. Set a Group Name and Password.

FortiAnalyzer logging is now enabled by default. Set IP Address to the FortiAnalyzer port 2’s IP (in the example, 192.168.55.10).

 
Select Test Connectivity. An error appears because the FortiGate is not authorized on the FortiAnalyzer.
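The steps above are performed in the GUI. The CLI equivalent for the External (root) FortiGate is given below as an added example; it is not part of the original recipe. It assumes the interface names and addresses used in this example, and the policy names, the group name "Office-Fabric" and the password placeholder are constructed for illustration. The `fortitelemetry` keyword in `allowaccess` is what the GUI's FortiTelemetry checkbox sets, and `gui-multiple-interface-policy` is what the Multiple Interface Policies feature toggles.

```fortios
# Fabric-facing interfaces: FortiTelemetry is required on every link to an ISFW FortiGate.
config system interface
    edit "port10"
        set ip 192.168.10.2 255.255.255.0
        set allowaccess ping https ssh fortitelemetry
    next
    edit "port11"
        set ip 192.168.200.2 255.255.255.0
        set allowaccess ping https ssh fortitelemetry
    next
    edit "port12"
        set ip 192.168.35.2 255.255.255.0
        set allowaccess ping https ssh fortitelemetry
    next
    edit "port16"
        set ip 192.168.55.2 255.255.255.0
        set allowaccess ping https ssh
    next
end

# Let one policy list several source interfaces (GUI: Multiple Interface Policies).
config system settings
    set gui-multiple-interface-policy enable
end

config firewall policy
    # Accounting to the Internet, with NAT (repeat for port11/Marketing and port12/Sales).
    edit 0
        set name "Accounting-to-Internet"
        set srcintf "port10"
        set dstintf "port9"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    # ISFW FortiGates to the FortiAnalyzer, without NAT.
    edit 0
        set name "ISFW-to-FortiAnalyzer"
        set srcintf "port10" "port11" "port12"
        set dstintf "port16"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
end

# Root of the Security Fabric: group name and password are constructed values.
config system csf
    set status enable
    set group-name "Office-Fabric"
    set group-password "<fabric-password>"
end

# Logging to the FortiAnalyzer's port2 address.
config log fortianalyzer setting
    set status enable
    set server "192.168.55.10"
    set upload-option realtime
end
```

The GUI's Test Connectivity button corresponds to `execute log fortianalyzer test-connectivity`; until the FortiGate is authorized on the FortiAnalyzer (section 5), it reports the same error the recipe describes.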

2. Installing the Accounting FortiGate

On Accounting, go to Network > Interfaces and edit wan1.

Set an IP/Network Mask for the interface that is on the same subnet as the External FortiGate’s port 10 (in the example, 192.168.10.10).

Configure Administrative Access to allow FortiTelemetry.

 

Edit the lan interface.

Set Addressing Mode to Manual and set the IP/Netmask to a private IP address (in the example, 10.10.10.1).

Configure Administrative Access to allow FortiTelemetry.

If you require the FortiGate to provide IP addresses using DHCP to devices that connect to this interface, enable DHCP Server.

Under Networked Devices, enable Device Detection.

 

Go to Policy & Objects > IPv4 Policy and create a policy to allow users on the Accounting network to access the Internet.

Because OSPF routing will be used, make sure NAT is not enabled.

 

Go to System > Security Fabric to add Accounting to the fabric. Enable Security Fabric, then enter the Group name and Group password set previously.

Enable Connect to upstream FortiGate and enter the IP of External’s port 10.

FortiAnalyzer logging is enabled by default. Settings for the FortiAnalyzer will be retrieved when Accounting connects to External.

 

If you have not already done so, connect Accounting’s wan1 port to External’s port 10.

3. Installing the Marketing and Sales FortiGates

 

Connect and configure Marketing using the same method as Accounting. Make sure to include the following:

  • Configure wan1 to connect to the External FortiGate (example IP: 192.168.200.10)
  • Configure the lan interface for the Marketing network (example IP: 10.10.200.1)
  • Create a policy to allow users on the Marketing network to access the Internet
  • Add the FortiGate to the Security Fabric
   

Connect and configure Sales, making sure to include the following:

  • Configure wan1 to connect to the External FortiGate (example IP: 192.168.35.10)
  • Configure the lan interface for the Sales network (example IP: 10.10.35.1)
  • Create a policy to allow users on the Sales network to access the Internet
  • Add the FortiGate to the Security Fabric

4. Configuring OSPF routing between the FortiGates

On External, go to Network > OSPF. Set Router ID to 0.0.0.1 and select Apply.

Expand the Advanced Options and set Default Information to Always, to make sure the default route is broadcast from External to the ISFW FortiGates.

 

In Areas, select Create New. Set Area to 0.0.0.0, Type to Regular, and Authentication to None.

 

In Networks, select Create New. Set IP/Netmask to 192.168.10.0/255.255.255.0 (the subnet that includes Accounting’s wan1) and Area to 0.0.0.0.

Create three additional entries, using the following IP addresses:

  • 192.168.200.0/255.255.255.0 (Marketing)
  • 192.168.35.0/255.255.255.0 (Sales)
  • 192.168.55.0/255.255.255.0 (FortiAnalyzer)
 
On the Accounting FortiGate, configure OSPF routing as shown. The Router ID is incremental, with this FortiGate using 0.0.0.2. The Networks in this configuration are the subnet that includes Accounting’s wan1 and the subnet for the Accounting Network.   

Some FortiGate models, including the 90D and 51E used in this example, do not support configuring OSPF routing from the GUI. To add OSPF routing, use the following CLI command:

config router ospf
  set router-id 0.0.0.x
  config area
    edit 0.0.0.0
    next
  end
  config network
    edit 1
      set prefix x.x.x.0/255.255.255.0
    next
    edit 2
      set prefix x.x.x.0/255.255.255.0
    next
  end
end
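The template above leaves the addresses and options to be filled in. As an added example (not from the original recipe), here is the same OSPF configuration written out for External and for Accounting, including the Default Information setting and the area type and authentication chosen in the GUI. The option names `default-information-originate`, `type` and `authentication` are the CLI counterparts of those GUI fields; the router IDs and networks are the ones used in this example.

```fortios
# External (root): router-id 0.0.0.1, originate the default route always,
# and advertise every fabric link subnet in area 0.0.0.0.
config router ospf
    set router-id 0.0.0.1
    set default-information-originate always
    config area
        edit 0.0.0.0
            set type regular
            set authentication none
        next
    end
    config network
        edit 1
            set prefix 192.168.10.0 255.255.255.0
            set area 0.0.0.0
        next
        edit 2
            set prefix 192.168.200.0 255.255.255.0
            set area 0.0.0.0
        next
        edit 3
            set prefix 192.168.35.0 255.255.255.0
            set area 0.0.0.0
        next
        edit 4
            set prefix 192.168.55.0 255.255.255.0
            set area 0.0.0.0
        next
    end
end

# Accounting (ISFW): router-id 0.0.0.2, advertising its wan1 link subnet
# and the Accounting network so External learns a route back to 10.10.10.0/24.
config router ospf
    set router-id 0.0.0.2
    config area
        edit 0.0.0.0
            set type regular
            set authentication none
        next
    end
    config network
        edit 1
            set prefix 192.168.10.0 255.255.255.0
            set area 0.0.0.0
        next
        edit 2
            set prefix 10.10.10.0 255.255.255.0
            set area 0.0.0.0
        next
    end
end
```

Marketing (router-id 0.0.0.3) and Sales (router-id 0.0.0.4) follow the Accounting pattern with 192.168.200.0/24 and 10.10.200.0/24, and 192.168.35.0/24 and 10.10.35.0/24, respectively. After the adjacencies form, `get router info ospf neighbor` on External should list each ISFW FortiGate in the Full state.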

5. Configuring the FortiAnalyzer

In order to use the FortiAnalyzer in the Security Fabric, make sure that its firmware is compatible with the version of FortiOS on the FortiGates. To check for compatibility, refer to the FortiAnalyzer Release Notes.

On the FortiAnalyzer, go to System Settings > Network, select All Interfaces, and edit port2. Set IP/Netmask to an internal IP (in the example, 192.168.55.10/255.255.255.0).

Select Network again. Port 2 is now shown as the management interface. Add a Default Gateway, using the IP address of the External FortiGate’s port 16.

Go to Device Manager. The FortiGates are listed as Unregistered.

 

Select the FortiGates, then select +Add.

The FortiGates now appear as Registered.

On External, go to System > Security Fabric. FortiAnalyzer Logging now shows Storage Usage information.

6. Running a Security Fabric Audit

The Security Fabric Audit is used to analyze your Security Fabric deployment to identify potential vulnerabilities and highlight best practices. Using the Audit helps you tune your network’s configuration, deploy new hardware and/or software, and gain more visibility and control of your network.

Also, by checking your Security Score, which is determined by how many checks your network passes or fails during the Audit, you can have confidence that your network is getting more secure over time.

The Security Fabric Audit must be run on the root FortiGate in the Security Fabric (in this example, External).

On External, go to Log & Report > Security Fabric Audit.

All the FortiGates in the Fabric are shown. Select Next.


 

At the top of the page, you can see your Security Score, as well as the overall count of how many checks were passed or failed, with the failed checks divided by severity.

Further down, information is shown about each failed check, including which FortiGate failed the check, the effect on your score, and the recommendation to fix the issue.

Some recommendations may be listed as Easy Apply. To apply these changes, select Next.

 

By using Easy Apply, you can change the configuration of any FortiGate in the fabric, not just the root FortiGate.

Select all the changes you wish to make, then select Apply Recommendations.

 

7. Results

On External, go to Dashboard > Main. The Security Fabric widget displays all devices in the fabric.  

Also located on the Dashboard is the Security Fabric Score widget, which displays your current score.

If either of these widgets does not appear on your dashboard, it can be added using the Options button in the bottom right corner.


 

Go to FortiView > Physical Topology. This page shows a visualization of all access layer devices in the Security Fabric.

Security Fabric Audit recommendations are also shown in the topology, by the icon for the device the recommendations apply to.


 

Go to FortiView > Logical Topology. This dashboard displays information about the interface (logical or physical) that each device in the CSF is connected to.

 

Go to Monitor > Routing Monitor. You will see both ISFW FortiGates listed, using OSPF routing.

 

8. (Optional) Adding security profiles to the fabric

Security Fabric configurations allow you to distribute security functions to different FortiGates in the fabric. For example, you may want to implement virus scanning on the External FortiGate but add application control and web filtering to the ISFW FortiGates.

This results in distributed processing between the FortiGates in the Security Fabric, reducing the load on each one. It also allows you to customize the web filtering and application control for the specific needs of the Accounting network, as other internal networks may have different application control and web filtering requirements.

This configuration may result in threats getting through the External FortiGate, which means you should very closely limit access to the network connections between the FortiGates in the fabric.

On External, go to Policy & Objects > IPv4 Policy and edit the policy allowing traffic from Accounting to the Internet.

Under Security Profiles, enable AntiVirus and select the default profile.

Do the same for the policies allowing traffic from Marketing and Sales to the Internet.

 
 

On Accounting, go to Policy & Objects > IPv4 Policy and edit the policy allowing traffic from the Accounting Network to the Internet.

Under Security Profiles, enable Web Filter and Application Control. Select the default profiles for both.

Do the same on Marketing and Sales.
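As an added example (not part of the original recipe), the CLI form of the profile assignments above. Policy ID 1 is assumed to be the relevant Internet policy on each FortiGate; check with `show firewall policy` and substitute the real ID. The `ssl-ssh-profile` and `profile-protocol-options` lines are the defaults the GUI fills in when a security profile is enabled, and are included here so the CLI configuration is complete.

```fortios
# On External: antivirus only, applied to each ISFW-to-Internet policy
# (Accounting shown; repeat for the Marketing and Sales policies).
config firewall policy
    edit 1
        set utm-status enable
        set av-profile "default"
        set ssl-ssh-profile "certificate-inspection"
        set profile-protocol-options "default"
    next
end

# On Accounting (and likewise Marketing and Sales): web filtering and
# application control on the LAN-to-Internet policy.
config firewall policy
    edit 1
        set utm-status enable
        set webfilter-profile "default"
        set application-list "default"
        set ssl-ssh-profile "certificate-inspection"
        set profile-protocol-options "default"
    next
end
```

Because each ISFW FortiGate now carries the web filter and application control for its own network, a policy on External that inspects only for viruses is what the recipe intends; the split is visible per device in the Security Fabric Audit results.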

 

 

Victoria Martin

Technical Writer & Head Cookbook Chef at Fortinet
  • Bavo Bostoen

    Also:
    1. in diagram port 11 on root FortiGate should be port 12 (now you have port 11 two times)
    2. Regarding my comment below: if you have only one (root) FortiGate + 3 switches + let’s say 10 wireless APs, would it be fair to assume there is no need for a FortiAnalyzer provided longer term logging is either done on disk (if there is a disk in the FG) or in FortiCloud. Thx for any clarification.

  • Bavo Bostoen

    Hello, in your CSF article/video for v5.4 (with 3 FortiGates) there was no need for a FortiAnalyzer.
    I wonder how this will affect smaller setups (mostly one router, sometimes 2, with some FortiSwitches).
    So my question is from what point on is a FortiAnalyzer needed, and what happens without one?
    Can FortiCloud take over some of the analyzer functionality for smaller setups, or can these work without one (and what functionality gets lost in this case)?
    Thanks for any useful info regarding this.
    Thanks,
    Bavo

    • Victoria Martin

      Hello Bavo,

      Thank you for pointing out the error in the diagram, I have fixed it.

      At the moment, if you are using FortiOS 5.6, a FortiAnalyzer is required on the root FortiGate in a Security Fabric (downstream FortiGates can be set to use local logging in the CLI). This is a change from how the feature was handled in 5.4.