Security Fabric installation and audit


In this recipe, you will configure a Fortinet Security Fabric that consists of four FortiGates and a FortiAnalyzer. One of the FortiGates will act as the network edge firewall and root FortiGate of the Security Fabric, while the others function as Internal Segmentation Firewalls (ISFWs).

Once the network has been configured, a Security Fabric Audit is run to analyze the Security Fabric and recommend changes that improve the configuration.

This recipe is in the Security Fabric Collection. It can also be used as a standalone recipe.

In the example network, the following FortiGate aliases are used:

  • External: the root FortiGate in the Security Fabric. This FortiGate is named “External” because it is the only FortiGate that directly connects to the Internet. This role is also known as the edge or gateway FortiGate.
  • Accounting: an ISFW FortiGate that connects to External.
  • Marketing: an ISFW FortiGate that connects to External.
  • Sales: an ISFW FortiGate that connects to Marketing.

This recipe was created using FortiOS 5.6.1. If you are using 5.6.0, GUI paths related to the Security Fabric and the appearance of some pages will differ from what is shown.

Find this recipe for other FortiOS versions
5.4 | 5.6

1. Configuring External

In the Security Fabric, External is the root FortiGate. This FortiGate receives information from the other FortiGates in the Security Fabric and is used to run the Security Fabric Audit.

In the example, the following interfaces on External are used to connect to other network devices:

  • Port 9 connects to the Internet (this interface was configured when External was initially installed)
  • Port 10 connects to Accounting (IP address: 192.168.10.2)
  • Port 11 connects to Marketing (IP address: 192.168.200.2)
  • Port 16 connects to the FortiAnalyzer (IP address: 192.168.55.2)

On External, go to Network > Interfaces and edit port 10. Set an IP/Network Mask for the interface (in the example, 192.168.10.2/255.255.255.0).

Set Administrative Access to allow FortiTelemetry, which is required for communication between FortiGates in the Security Fabric.

Repeat this step to configure the other interfaces with the appropriate IP addresses, as listed above.

Go to Policy & Objects > IPv4 Policy and create a policy for traffic from Accounting to the Internet.

Enable NAT.

Repeat this step to create a similar policy for Marketing.

On External, go to System > Feature Select. Under Additional Features, enable Multiple Interface Policies.

Go to Policy & Objects > IPv4 Policy and create a policy allowing Accounting and Marketing to access the FortiAnalyzer.

To enable communication between the FortiGates in the Security Fabric, go to Security Fabric > Settings and enable FortiGate Telemetry. Set a Group name and Group password.

FortiAnalyzer Logging is now enabled by default. Set IP address to an internal address that will later be assigned to port 1 on the FortiAnalyzer (in the example, 192.168.55.10).

Select Test Connectivity. An error appears because the FortiGate is not yet authorized on the FortiAnalyzer. This authorization will be configured in a later step.
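The FortiOS 5.6 CLI equivalent of the External configuration above, as an added example that is not part of the original recipe. The interface aliases, address object and service names, policy IDs, and the group name and password are assumptions; FortiTelemetry in the GUI is the `fgfm` option in the CLI allowaccess list. One deliberate difference from the GUI steps: the policy that lets the ISFWs reach the FortiAnalyzer is restricted to the FortiAnalyzer's address and to the OFTP log transport (TCP 514), which is the narrowing a practitioner would apply to a link between security devices rather than allowing all services.

```text
# External (root FortiGate), FortiOS 5.6 CLI. Added example; names and IDs are assumptions.
# Interfaces facing the ISFWs and the FortiAnalyzer. FortiTelemetry in the GUI is
# "fgfm" in the allowaccess list. port9 (Internet) was configured at initial install.
config system interface
    edit "port10"
        set alias "to-Accounting"
        set ip 192.168.10.2 255.255.255.0
        set allowaccess ping https ssh fgfm
    next
    edit "port11"
        set alias "to-Marketing"
        set ip 192.168.200.2 255.255.255.0
        set allowaccess ping https ssh fgfm
    next
    edit "port16"
        set alias "to-FortiAnalyzer"
        set ip 192.168.55.2 255.255.255.0
        set allowaccess ping https ssh
    next
end

# Objects used to keep the FortiAnalyzer policy narrow (assumed names).
# FortiGate-to-FortiAnalyzer logging is OFTP on TCP 514.
config firewall address
    edit "FortiAnalyzer"
        set subnet 192.168.55.10 255.255.255.255
    next
end
config firewall service custom
    edit "FAZ-OFTP"
        set tcp-portrange 514
    next
end

config firewall policy
    # Accounting and Marketing to the Internet, NAT enabled (policy IDs assumed)
    edit 1
        set name "Accounting-to-Internet"
        set srcintf "port10"
        set dstintf "port9"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic all
    next
    edit 2
        set name "Marketing-to-Internet"
        set srcintf "port11"
        set dstintf "port9"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic all
    next
    # Multiple-interface policy (Feature Select > Multiple Interface Policies):
    # both ISFW-facing ports may reach only the FortiAnalyzer, only on the log port.
    edit 3
        set name "Access-External-Device"
        set srcintf "port10" "port11"
        set dstintf "port16"
        set srcaddr "all"
        set dstaddr "FortiAnalyzer"
        set action accept
        set schedule "always"
        set service "FAZ-OFTP"
        set logtraffic all
    next
end

# Root of the Security Fabric: no upstream-ip is set. Group name and password
# are placeholders; every downstream FortiGate must use the same values.
config system csf
    set status enable
    set group-name "Office-Security-Fabric"
    set group-password "ReplaceWithAStrongSecret"
end

# Logging to the FortiAnalyzer. The address is assigned to port1 on the
# FortiAnalyzer in step 4; connectivity tests fail until the FortiGate is
# authorized there.
config log fortianalyzer setting
    set status enable
    set server 192.168.55.10
end
```

Paste each `config ... end` block into the CLI console or an SSH session on External. If you later add a FortiSandbox or other device to the 192.168.55.0/24 segment, add it to the `dstaddr` list and a matching service to policy 3 rather than widening the policy to `all`.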

2. Installing Accounting and Marketing

On Accounting, go to Network > Interfaces and edit WAN1.

Set an IP/Network Mask for the interface that is on the same subnet as port 10 on External (in the example, 192.168.10.10/255.255.255.0).

Edit the internal interface.

Set Addressing mode to Manual and set the IP/Network Mask to a private IP address (in the example, 10.10.10.1/255.255.255.0).

Set Administrative Access to allow FortiTelemetry.

If you require the FortiGate to provide IP addresses using DHCP to devices that connect to this interface, enable DHCP Server.

Under Networked Devices, enable Device Detection.

Go to Network > Static Routes and add a static route. Set Gateway to the IP address of port 10 on External.

Go to Policy & Objects > IPv4 Policy and create a policy to allow users on the Accounting network to access External.

Go to Security Fabric > Settings to add Accounting to the Security Fabric. Enable FortiGate Telemetry, then enter the same Group name and Group password that you set previously on External.

Enable Connect to upstream FortiGate and enter the IP address of port 10 on External.

FortiAnalyzer Logging is enabled by default. Settings for the FortiAnalyzer will be retrieved when Accounting connects to External.

If you have not already done so, connect WAN1 on Accounting to port 10 on External.

Connect and configure Marketing, using the same method you used to configure Accounting. Make sure to complete the following steps:

  • Configure WAN1 to connect to External (IP address: 192.168.200.10/255.255.255.0)
  • Configure the LAN interface for the Marketing network (IP address: 10.10.200.2/255.255.255.0)
  • Create a static route pointing traffic to port 11 on External
  • Create a policy to allow users on the Marketing network to access External
  • Add Marketing to the Security Fabric

3. Installing Sales

On Marketing, go to Network > Interfaces and edit the interface that Sales will connect to (in the example, internal14).

Set an IP/Network Mask for the interface (in the example, 192.168.135.2/255.255.255.0).

Set Administrative Access to allow FortiTelemetry.

Go to Policy & Objects > IPv4 Policy and create a policy for traffic from Sales to External.

Enable NAT.

On Sales, go to Network > Interfaces and edit WAN2.

Set an IP/Network Mask for the interface that is on the same subnet as the internal14 interface on Marketing (in the example, 192.168.135.10/255.255.255.0).

Edit the LAN interface.

Set Addressing Mode to Manual, and set the IP/Network Mask to a private IP address (in the example, 10.10.135.1/255.255.255.0).

Set Administrative Access to allow FortiTelemetry.

If you require the FortiGate to provide IP addresses using DHCP to devices that connect to this interface, enable DHCP Server.

Under Networked Devices, enable Device Detection.

Go to Network > Static Routes and add a route. Set Gateway to the IP address of the internal14 interface on Marketing.

Go to Policy & Objects > IPv4 Policy and create a policy to allow users on the Sales network to access Marketing.

Go to Security Fabric > Settings to add Sales to the Security Fabric. Enable FortiGate Telemetry, then enter the same Group name and Group password that you set previously.

Enable Connect to upstream FortiGate and enter the IP address of the internal14 interface on Marketing.

FortiAnalyzer Logging is enabled by default. Settings for the FortiAnalyzer will be retrieved when Sales connects to Marketing, which in turn receives them from External, the root FortiGate.

If you have not already done so, connect WAN2 on Sales to the internal14 interface on Marketing.
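Once all three ISFWs are connected, the following FortiOS 5.6 CLI commands confirm that the Security Fabric has actually formed along the whole chain, including the two-hop path from Sales through Marketing to External. This is an added check, not part of the original recipe; the `diagnose sys csf` subcommands are the ones I know from 5.6 and 6.0 builds, so verify them with `diagnose sys csf ?` on your unit. FortiTelemetry uses TCP 8013, which is what the sniffer filter looks for.

```text
# Verification of the Security Fabric, FortiOS 5.6 CLI. Added example, not part of the recipe.

# On External (root): group settings, and every downstream member that has joined.
# Sales should be listed even though it connects via Marketing, not directly.
get system csf
diagnose sys csf downstream

# On Sales (two hops from the root): its upstream must be Marketing (192.168.135.2),
# and the FortiAnalyzer address (192.168.55.10) must have arrived from upstream
# even though it was never typed on Sales.
diagnose sys csf upstream
get log fortianalyzer setting
execute log fortianalyzer test-connectivity

# If a downstream FortiGate never appears, capture FortiTelemetry on the upstream
# interface it should be connecting to (port10 on External for Accounting).
# SYNs with no reply mean the interface is missing fgfm in its allowaccess list;
# no SYNs at all means the route or cabling on the downstream side is wrong.
diagnose sniffer packet port10 'tcp port 8013' 4 10
```

Expect `execute log fortianalyzer test-connectivity` to report a failure on every FortiGate until step 4 is complete, because the FortiAnalyzer has not yet authorized the devices; a failure that persists after authorization points at the `Access-External-Device` policy on External.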

4. Configuring the FortiAnalyzer

To use the FortiAnalyzer in the Security Fabric, make sure that the firmware is compatible with the version of FortiOS on the FortiGates. To check for compatibility, see the FortiAnalyzer Release Notes.

On the FortiAnalyzer, go to System Settings > Network, select All Interfaces, and edit port 1. Set IP Address/Netmask to the IP address used for the Security Fabric configuration on External (192.168.55.10/255.255.255.0).

Add a Default Gateway, using the IP address of port 16 on External.

Go to Device Manager. The FortiGates are listed as Unregistered.

Select the FortiGates, then select +Add.

The FortiGates now appear as Registered.

After a moment, a warning icon appears beside External because the FortiAnalyzer needs administrative access to the root FortiGate in the Security Fabric.

Select the FortiGate, then enter the administrative authentication information.

On External, go to Security Fabric > Settings. FortiAnalyzer Logging now shows Storage usage information.

5. Running a Security Fabric Audit

You can use the Security Fabric Audit to analyze your Security Fabric deployment, identify potential vulnerabilities, and highlight best practices. Using the Security Audit helps you improve your network configuration, deploy new hardware and software, and gain more visibility and control over your network.

By regularly checking your network’s Security Score, which is determined by how many checks your network passes or fails during the Security Audit, and making the recommended improvements, you can have confidence that your network is getting more secure over time.

You must run the Security Fabric Audit on the root FortiGate in the Security Fabric.

On External, go to Security Fabric > Audit.

All the FortiGates in the Security Fabric are shown. Select Next.

At the top of the page, you can see your network’s Security Score, as well as the overall count of how many checks were passed or failed, with the failed checks divided by severity.

Further down, you can see information about each failed check, including which FortiGate failed the check, the effect on your network’s score, and the recommendation for fixing the issue.

Easy Apply recommendations may be automatically applied by the wizard in the next stage.

By using Easy Apply, you can change the configuration of any FortiGate in the Security Fabric, not just the root FortiGate.

Select all the changes you want to make, then select Apply Recommendations.

6. Results

On External, go to Dashboard > Main. The Security Fabric widget displays the names of the FortiGates in the Security Fabric.

The icons on the top indicate which other Fortinet devices can be used in a Security Fabric. Devices in blue are detected in your network, devices in gray are not detected in your network, and devices in red are also not detected in your network but are recommended for a Security Fabric.

Also located on the Dashboard is the Security Fabric Score widget, which displays your network’s current score.

If either of these widgets does not appear on your dashboard, it can be added using the settings button in the bottom right corner. This button appears when your mouse hovers over any part of the dashboard.

Go to Security Fabric > Physical Topology. This page shows a visualization of access layer devices in the Security Fabric.

Security Fabric Audit recommendations are also shown in the topology, next to the icon of the device the recommendations apply to.

Go to Security Fabric > Logical Topology. This dashboard displays information about the interface (logical or physical) that each device in the Security Fabric is connected to.

On the FortiAnalyzer, go to Device Manager. The FortiGates are now shown as part of a Security Fabric group. The * beside External indicates that it is the root FortiGate in the Security Fabric.

Right-click on the Security Fabric group and select Fabric Topology. The topology of the Security Fabric is displayed.

7. (Optional) Adding security profiles to the Security Fabric

The Security Fabric allows you to distribute security profiles to different FortiGates in your network, which can lessen the workload of each device and avoid creating bottlenecks. For example, you can implement antivirus scanning on External while the ISFW FortiGates apply application control and web filtering.

This results in distributed processing between the FortiGates in the Security Fabric, which reduces the load on each one. It also allows you to customize the web filtering and application control for the specific needs of the Accounting network as other internal networks may have different application control and web filtering requirements.

With this configuration, External inspects traffic only for the profiles assigned to it, so web filtering and application control violations are not blocked until the traffic reaches an ISFW. Traffic on the links between the FortiGates has therefore not been fully inspected, which means you should tightly limit what can connect to those links and what the policies on them permit.

On External, go to Policy & Objects > IPv4 Policy and edit the policy allowing traffic from Accounting to the Internet.

Under Security Profiles, enable AntiVirus and select the default profile.

Do the same for the policy allowing traffic from Marketing to the Internet.

On Accounting, go to Policy & Objects > IPv4 Policy and edit the policy allowing traffic from the Accounting network to the Internet.

Under Security Profiles, enable Web Filter and Application Control. Select the default profiles for both.

Repeat this step for both Marketing and Sales.
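The distributed profile assignment above in FortiOS 5.6 CLI form, together with the tightening that the note about inter-FortiGate links calls for. This is an added example, not part of the original recipe; policy IDs (1 and 2 for the Internet policies on External, 1 for the LAN policy on each ISFW) and the address object names are assumptions, and it assumes the ISFWs NAT their LAN traffic, as the default GUI policy does. The profiles are the built-in `default` ones the recipe selects in the GUI.

```text
# Distributing security profiles, FortiOS 5.6 CLI. Added example; policy IDs and
# address object names are assumptions.

# External: antivirus on the two Internet policies. The srcaddr is also narrowed to
# the ISFW WAN addresses, because with NAT on the ISFWs that is the only source
# External should ever see on port10 and port11. Sales traffic arrives NATed by
# Marketing, so Marketing-wan1 covers it too.
config firewall address
    edit "Accounting-wan1"
        set subnet 192.168.10.10 255.255.255.255
    next
    edit "Marketing-wan1"
        set subnet 192.168.200.10 255.255.255.255
    next
end
config firewall policy
    edit 1
        set srcaddr "Accounting-wan1"
        set utm-status enable
        set av-profile "default"
        set profile-protocol-options "default"
        set ssl-ssh-profile "certificate-inspection"
    next
    edit 2
        set srcaddr "Marketing-wan1"
        set utm-status enable
        set av-profile "default"
        set profile-protocol-options "default"
        set ssl-ssh-profile "certificate-inspection"
    next
end

# Accounting (repeat on Marketing and Sales): web filtering and application control
# on the LAN-to-upstream policy. These run only here, and antivirus runs only on
# External, so each FortiGate carries one part of the inspection load.
config firewall policy
    edit 1
        set utm-status enable
        set webfilter-profile "default"
        set application-list "default"
        set profile-protocol-options "default"
        set ssl-ssh-profile "certificate-inspection"
        set logtraffic all
    next
end
```

After the change, re-run the Security Fabric Audit on External: the failed checks for missing antivirus on the ISFWs and missing web filtering on External are the expected result of this split, and the remaining recommendations are the ones worth acting on.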

For further reading, check out Security Fabric in the FortiOS 5.6 Handbook.

Victoria Martin

Technical Writer & Head Cookbook Chef at Fortinet
Victoria Martin works in Ottawa as part of the FortiOS technical documentation team. She graduated with a Bachelor's degree from Mount Allison University, after which she attended Humber College's book publishing program, followed by the more practical technical writing program at Algonquin College. She does need glasses but also likes wearing them, since glasses make you look smarter.

Notes

  • Step 1, port 9: this FortiGate has already been installed in NAT/Route mode in the “Installing a FortiGate in NAT/Route mode” recipe.
  • Step 1, FortiAnalyzer policy: in this recipe, the policy is called Access-External-Device because more Fortinet devices, such as a FortiSandbox, will be added to the subnet currently used by the FortiAnalyzer.
  • Step 6, Physical Topology and Logical Topology: only Fortinet devices will be shown.
  • Marco Castrejon

    Is it OK if I configure the Security Fabric using WAN links?

    • Victoria Martin

      Hi Marco,

      Yes, you can use SD-WAN (the new name for WAN links) with the Security Fabric.

  • Bavo Bostoen

    Also:
    1. In the diagram, port 11 on the root FortiGate should be port 12 (now you have port 11 twice).
    2. Regarding my comment below: if you have only one (root) FortiGate + 3 switches + let’s say 10 wireless APs, would it be fair to assume there is no need for a FortiAnalyzer, provided longer-term logging is either done on disk (if there is a disk in the FG) or in FortiCloud? Thanks for any clarification.

  • Bavo Bostoen

    Hello, in your CSF article/video for v5.4 (with 3 FortiGates) there was no need for a FortiAnalyzer.
    I wonder how this will affect smaller setups (mostly one router, sometimes 2, with some FortiSwitches).
    So my question is: from what point on is a FortiAnalyzer needed, and what happens without one?
    Can FortiCloud take over some of the analyzer functionality for smaller setups, or can these work without one (and what functionality is lost in this case)?
    Thanks for any useful info regarding this.
    Thanks,
    Bavo

    • Victoria Martin

      Hello Bavo,

      Thank you for pointing out the error in the diagram, I have fixed it.

      At the moment, if you are using FortiOS 5.6, a FortiAnalyzer is required on the root FortiGate in a Security Fabric (downstream FortiGates can be set to use local logging in the CLI). This is a change from how the feature was handled in 5.4.