Security Fabric installation

Facebooktwittergoogle_plusredditpinterestlinkedinFacebooktwittergoogle_plusredditpinterestlinkedin

In this recipe, you configure a Fortinet Security Fabric that consists of four FortiGate devices and a FortiAnalyzer. One of the FortiGates acts as the network edge firewall and root FortiGate of the Security Fabric, while the other FortiGate devices function as Internal Segmentation Firewalls (ISFWs).

This recipe is in the Security Fabric Collection. You can also use it as a standalone recipe.

The example network uses the following FortiGate aliases:

  • Edge: the root FortiGate in the Security Fabric. This FortiGate is named “Edge” because it’s the only FortiGate that directly connects to the Internet. This role is also known as the gateway FortiGate.
  • Accounting: an ISFW FortiGate that connects to Edge.
  • Marketing: an ISFW FortiGate that connects to Edge.
  • Sales: an ISFW FortiGate that connects to Marketing.

Note: Not all FortiGate models can run the FortiGuard Security Rating Service if they are the root FortiGate in a Security Fabric. For more information, see the FortiOS 6.0 Release Notes.

Find this recipe for other FortiOS versions
5.4 | 5.6 | 6.0

1. Configuring Edge

In the Security Fabric, Edge is the root FortiGate. This FortiGate receives information from the other FortiGates in the Security Fabric.

In the example, the following interfaces on Edge connect to other network devices:

  • Port 9 connects to the Internet (this interface was configured when Edge was installed)
  • Port 10 connects to Accounting (IP address: 192.168.10.2)
  • Port 11 connects to Marketing (IP address: 192.168.200.2)
  • Port 16 connects to the FortiAnalyzer (IP address: 192.168.55.2)

To edit port 10 on Edge, go to Network > Interfaces. Set an IP/Network Mask for the interface (in the example, 192.168.10.2/255.255.255.0).

Set Administrative Access to allow FortiTelemetry, which is required so that FortiGates in the Security Fabric can communicate with each other.

Repeat this step to configure the other interfaces with the appropriate IP addresses, as listed above.

To create a policy for traffic from Accounting to the Internet, go to Policy & Objects > IPv4 Policy.

Enable NAT.

Repeat this step to create a similar policy for Marketing.
On Edge, go to System > Feature Select. Under Additional Features, enable Multiple Interface Policies.

To create a policy that allows Accounting and Marketing to access the FortiAnalyzer, go to Policy & Objects > IPv4 Policy.

To enable communication between the FortiGates in the Security Fabric, go to Security Fabric > Settings and enable FortiGate Telemetry. Set a Group name and Group password.

FortiAnalyzer Logging is enabled by default. Set IP address to an internal address that will later be assigned to port 1 on the FortiAnalyzer (in the example, 192.168.65.10). Set Upload option to Real Time.

 
Select Test Connectivity. An error appears because the FortiGate isn’t yet authorized on the FortiAnalyzer. This authorization is configured in a later step.

2. Installing Accounting and Marketing

To edit wan1 on Accounting, go to Network > Interfaces.

Set an IP/Network Mask for the interface that is on the same subnet as port 10 on Edge (in the example, 192.168.10.10/255.255.255.0).

Under Administrative Access, select HTTPS and SSH to allow Edge to use this interface to manage the FortiGate.

Edit the lan interface.

Set Addressing mode to Manual and set the IP/Network Mask to a private IP address (in the example, 10.10.10.1/255.255.255.0).

Set Administrative Access to allow FortiTelemetry.

If you require the FortiGate to provide IP addresses using DHCP to devices that connect to this interface, enable DHCP Server.

Under Networked Devices, enable Device Detection.

 

To add a static route, go to Network > Static Routes. Set Gateway to the IP address of port 10 on Edge.

 

To create a policy to allow users on the Accounting network to access Edge, go to Policy & Objects > IPv4 Policy.

To add Accounting to the Security Fabric, go to Security Fabric > Settings. Enable FortiGate Telemetry, then enter the same Group name and Group password that you set previously on Edge.

Enable Connect to upstream FortiGate and enter the IP address of port 10 on Edge.

FortiAnalyzer Logging is enabled by default. Settings for the FortiAnalyzer are retrieved when Accounting connects to Edge.


 

Connect WAN 1 on Accounting to port 10 on Edge.

Connect and configure Marketing, using the same method that you used to configure Accounting. Make sure you complete the following steps:

  • Configure WAN 1 to connect to Edge (IP address: 192.168.200.10/255.255.255.0) and allow HTTPS and SSH access.
  • Configure the LAN interface for the Marketing network (IP address: 10.10.200.2/255.255.255.0).
  • Create a static route pointing traffic to port 11 on Edge.
  • Create a policy to allow users on the Marketing network to access Edge.
  • Add Marketing to the Security Fabric.

3. Installing Sales

To edit the interface on Marketing that connects to Sales (in the example, port12), go to Network > Interfaces.

Set an IP/Network Mask for the interface (in the example, 192.168.135.2/255.255.255.0).

Set Administrative Access to allow FortiTelemetry.

 

To create a policy for traffic from Sales to Edge, go to Policy & Objects > IPv4 Policy.

Enable NAT.

To edit wan2 on Sales, go to Network > Interfaces.

Set an IP/Network Mask for the interface that’s on the same subnet as the internal 14 interface on Marketing (in the example, 192.168.135.10/255.255.255.0).

Under Administrative Access, select HTTPS and SSH.

Edit the lan interface.

Set Addressing Mode to Manual, and set the IP/Network Mask to a private IP address (in the example, 10.10.135.1/255.255.255.0).

Set Administrative Access to allow FortiTelemetry.

If you require the FortiGate to provide IP addresses, using DHCP, to devices that connect to this interface, enable DHCP Server.

Under Networked Devices, enable Device Detection.

 

To add a default route, go to Network > Static Routes. Set Gateway to the IP address of the internal 14 interface on Marketing.

To create a policy that allow users on the Sales network to access Marketing, go to Policy & Objects > IPv4 Policy.  

To add Sales to the Security Fabric, go to Security Fabric > Settings. Enable FortiGate Telemetry, then enter the same Group name and Group password that you set previously.

Enable Connect to upstream FortiGate and enter the IP address of the internal 14 interface on Marketing.

FortiAnalyzer Logging is enabled by default. Settings for the FortiAnalyzer are retrieved when Accounting connects to Edge.

Connect WAN 2 on Sales to internal 14 on Marketing.

4. Configuring the FortiAnalyzer

To use the FortiAnalyzer in the Security Fabric, make sure that the firmware is compatible with the version of FortiOS on the FortiGates. To check for compatibility, see the FortiAnalyzer Release Notes.

To edit the port on FortiAnalyzer that connects to Edge (in the example, port4), go to System Settings > Network and select All Interfaces.

Set IP Address/Netmask to the IP address that you use to configure the Security Fabric settings on Edge (192.168.65.10/255.255.255.0).

Add a Default Gateway, using the IP address of port 16 on Edge.

 

Go to Device Manager. The FortiGates are listed as Unregistered.

Select the FortiGates, then select +Add.

The FortiGates now appear as Registered.

After a moment, a warning icon appears beside Edge because the FortiAnalyzer needs administrative access to the root FortiGate in the Security Fabric.

Double-click on the FortiGate to enter the Authentication information.

On Edge, go to Security Fabric > Settings. FortiAnalyzer Logging now shows Storage usage information.

5. Results

On Edge, go to Dashboard > Main. The Security Fabric widget displays the names of the FortiGates in the Security Fabric.

 

The icons on the top of the widget indicate the other Fortinet devices that can be used in a Security Fabric. Devices in blue are detected in your network, devices in gray aren’t detected in your network, and devices in red are also not detected in your network but are recommended for a Security Fabric.

If either of this widgets doesn’t appear on your dashboard, you can add them using the settings button in the bottom right corner.

Go to Security Fabric > Physical Topology. This page shows a visualization of access layer devices in the Security Fabric.


 

Go to Security Fabric > Logical Topology. This dashboard displays information about the interface (logical or physical) that each device in the Security Fabric connects.

On the FortiAnalyzer, go to Device Manager. The FortiGates are now shown as part of a Security Fabric group. The * beside Edge indicates that it’s the root FortiGate in the Security Fabric.

 

Right-click on the Security Fabric group and select Fabric Topology. The topology of the Security Fabric is displayed.

 

6. (Optional) Adding security profiles to the Security Fabric

The Security Fabric allows you to distribute security profiles to different FortiGates in your network, which can lessen the workload of each device and avoid creating bottlenecks. For example, you can implement antivirus scanning on Edge while the ISFW FortiGates apply application control and web filtering.

This results in distributed processing between the FortiGates in the Security Fabric, which reduces the load on each one. It also allows you to customize the web filtering and application control for the specific needs of the Accounting network since other internal networks may have different application control and web filtering requirements.

This configuration may result in threats getting through Edge, which means you should very closely limit access to the network connections between the FortiGates in the network.

To edit the policy that allows traffic from Accounting to the Internet, connect to Edge and go to Policy & Objects > IPv4 Policy.

Under Security Profiles, enable AntiVirus and select the default profile.

SSL Inspection is enabled by default. Set it to the deep-inspection profile.

Do the same for the policy that allows traffic from Marketing to the Internet.

 

To edit the policy that allows traffic from the Accounting network to Edge, connect to Accounting and go to Policy & Objects > IPv4 Policy.

Under Security Profiles, enable Web Filter and Application Control. Select the default profiles for both.

Repeat this step for both Marketing and Sales.

 

For further reading, check out Configuring the Security Fabric in the FortiOS 6.0 Online Help.

Victoria Martin

Victoria Martin

Technical Writer & Head Cookbook Chef at Fortinet
Victoria Martin works in Ottawa as part of the FortiOS technical documentation team. She graduated with a Bachelor's degree from Mount Allison University, after which she attended Humber College's book publishing program, followed by the more practical technical writing program at Algonquin College. She does need glasses but also likes wearing them, since glasses make you look smarter.
Victoria Martin

Latest posts by Victoria Martin (see all)

  • Was this helpful?
  • Yes   No
This FortiGate has already been installed in NAT/Route mode in the “Installing a FortiGate in NAT/Route mode” recipe.
Once this feature is enabled, the option to view the policy list using the Interface Pair View is no longer available.
In this recipe, the policy is called Access-Resources because more Fortinet devices, such as a FortiSandbox, will be added to the subnet currently used by the FortiAnalyzer.
Enabling Device Detection on all interfaces that are classified as LAN or DMZ is a best practice.
The Default Gateway setting may not appear until you save the settings with the new IP address.
You may need to refresh the page before the icon appears.
Only Fortinet devices will be shown.
Only Fortinet devices will be shown.
Using the deep-inspection profile may cause certificate errors. See Preventing certificate warnings for more information.