Cooperative Security Fabric

This collection of related recipes shows how to configure a Cooperative Security Fabric (CSF) – also known as a Fortinet Security Fabric – throughout your network, using a range of Fortinet products. This Fabric will link different security sensors and tools together to collect, coordinate, and respond to malicious behavior anywhere it occurs on your network in real time.

Below, you will find links to a number of Cookbook recipes. By using these recipes in the listed order, you can create a network similar to the one shown above.

You can find more information about Security Fabric at the Fortinet Document Library.

Between most steps are screenshots showing the FortiView Topology dashboards, which can be seen in the video above. These dashboards display the devices that make up your Security Fabric. The Physical Topology dashboard shows all access layer devices, while the Logical Topology dashboard displays information about the interface (logical or physical) that each device is connected to.

Security Fabric is supported by the following Fortinet firmware:

1. Installing a FortiGate in NAT/Route mode

In this recipe, you install the initial FortiGate, which will later be used as the Internet-facing, or upstream, FortiGate in the Security Fabric.

Because the CSF has not yet been enabled, the FortiView topology dashboards are not yet available.

2. Installing internal FortiGates and enabling a Security Fabric

Watch the video


In this recipe, two additional FortiGates are added to the network as an Internal Segmentation Firewalls (ISFWs). Once the FortiGates are installed, a Security Fabric is set up between them and the external FortiGate which was installed in the network previously.

In the example network, the Internet-facing FortiGate is called External, with two additional FortiGates, called Accounting and Marketing, configured as ISFWs. The FortiGates all appear in the FortiView toplogy dashboards on the External FortiGate.

Physical topology:

Logical topology:

3. Adding FortiAnalyzer to a Security Fabric

In this recipe, a FortiAnalyzer is installed to record and display logs from all FortiGates in the Security Fabric.

The FortiAnalyzer does not appear in the FortiView dashboards, so they remain unchanged.

4. High Availability with two FortiGates

In this recipe, the External FortiGate is set up as part of an High Availability (HA) cluster. This provides redundancy for the network in case one of the FortiGates in the cluster fails.

The topology dashboards do not show both FortiGates in the HA cluster. However, the name of the upstream FortiGate has changed to the name of the primary unit in the cluster (External-Primary).

Physical topology:

Logical topology:

5. Setting up an internal network with a managed FortiSwitch

In this recipe, two FortiSwitches are installed behind the ISFWs. The FortiSwitches are managed by the FortiGates and will be used to connect two internal networks that will be protected by the FortiGates.

The FortiSwitches now appears in the Physical Topology dashboard, provided the Access Device view is selected. The switches do not appear in the Logical Topology dashboard.

Physical topology:

Logical topology:

6. Adding endpoint control to a Security Fabric

In this recipe, a FortiClient profile is used to enforce endpoint control for devices that are connected to the CSF.

In the screenshots below, endpoint control has been applied to a PC on the Marketing Network. Also, the Marketing FortiSwitch now appears in the Logical Topology dashboard because traffic is flowing through it.

Physical topology:

Logical topology:

7. Adding FortiManager to a Security Fabric

In this recipe, a FortiManager is added to provide central management for the FortiGates in the Security Fabric.

The FortiManager does not appear in the FortiView dashboards, so they remain unchanged.