In this example, you will configure a security fabric that consists of four FortiGates and a FortiAnalyzer. One of the FortiGates will be the root (or upstream) FortiGate in the Security Fabric, while the others function as Internal Segmentation Firewalls (ISFWs). OSPF routing will be used for communication between devices.
Once the Fabric has been configured, a Security Fabric Audit is run, to make any necessary improvements to the configuration.
In the example, the following FortiGate aliases/models are used:
- External (root FortiGate): a FortiGate 600D
- Accounting: a FortiGate 140D
- Marketing: a FortiGate 90D
- Sales: a FortiGate 51E
Find this recipe for other FortiOS versions
5.4 | 5.6
1. Configuring the External FortiGate |
|
|
In the Security Fabric, the External FortiGate is the root, or upstream, FortiGate. All the ISFW FortiGates will link to External in order to connect to other devices in the fabric, as well as the Internet. In this example, the following interfaces on the External FortiGate are used to connect to other network devices:
|
|
|
On External, go to Network > Interfaces and edit port 10. Set an IP/Network Mask for the interface (in the example, 192.168.10.2). |
 |
|
Configure Administrative Access to allow FortiTelemetry, required for communication between FortiGates in the Security Fabric. Configure other services as required. |
|
|
Repeat this step to configure the other interfaces, setting the appropriate IP addresses. |
|
|
Go to Policy & Objects > IPv4 Policy and create a policy for traffic from Accounting to the Internet. Enable NAT. |
 |
| Repeat this step to create similar policies for Marketing and Sales. | |
| On the External FortiGate, go to System > Feature Select. Under Additional Features, select Multiple Interface Policies. |  |
|
Go to Policy & Objects > IPv4 Policy and create a policy allowing the ISFW FortiGates to access the FortiAnalyzer. Do not enable NAT. |
 |
| To enable Security Fabric and configure the connection to the FortiAnalyzer, go to
System > Security Fabric and enable Security Fabric. Set a Group Name and Password. FortiAnalyzer logging is now enabled by default. Set IP Address to the FortiAnalyzer port 2’s IP (in the example, 192.168.55.10). |
 |
| Select Test Connectivity. An error appears because the FortiGate is not authorized on the FortiAnalyzer. | |
2. Installing the Accounting FortiGate |
|
|
On Accounting, go to Network > Interfaces and edit wan1. Set an IP/Network Mask for the interface that is on the same subnet as the External FortiGate’s port 10 (in the example, 192.168.10.10). Configure Administrative Access to allow FortiTelemetry. |
 |
|
Edit the lan interface. Set Addressing Mode to Manual and set the IP/Netmask to a private IP address (in the example, 10.10.10.1). Configure Administrative Access to allow FortiTelemetry. If you require the FortiGate to provide IP addresses using DHCP to devices that connect to this interface, enable DHCP Server. Under Networked Devices, enable Device Detection. |
 |
|
Go to Policy & Objects > IPv4 Policy and create a policy to allow users on the Accounting network to access the Internet. Because OSPF routing will be used, make sure NAT is not enabled. |
 |
|
Go to System > Security Fabric to add Accounting to the fabric. Enable Security Fabric, then enter the Group name and Group password set previously. Enable Connect to upstream FortiGate and enter the IP of External’s port 10. FortiAnalyzer logging is enabled by default. Settings for the FortiAnalyzer will be retrieved when Accounting connects to External. |
 |
|
If you have not already done so, connect Accounting’s wan1 port to External’s port 10. |
|
3. Installing the Marketing and Sales FortiGates |
|
|
Connect and configure Marketing using the same method as Accounting. Make sure to include the following:
|
|
|
Connect and configure Sales, making sure to include the following:
|
|
4. Configuring OSPF routing between the FortiGates |
|
|
On External, go to Network > OSPF. Set Router ID to 0.0.0.1 and select Apply. Expand the Advanced Options and set Default Information to Always, to make sure the default route is broadcast from External to the ISFW FortiGates. |
 |
|
In Areas, select Create New. Set Area to 0.0.0.0, Type to Regular, and Authentication to None. |
 |
|
In Networks, select Create New. Set IP/Netmask to 192.168.10.0/255.255.255.0 (the subnet that includes Accounting’s wan1) and Area to 0.0.0.0. Create three additional entries, using the following IP addresses:
|
 |
| On the Accounting FortiGate, configure OSPF routing as shown. The Router ID is incremental, with this FortiGate using 0.0.0.2. The Networks in this configuration are the subnet that includes Accounting’s wan1 and the subnet for the Accounting Network. |  |
|
Some FortiGate models, including the 90D and 51E used in this example, do not support configuring OSPF routing from the GUI. To add OSPF routing, use the following CLI command: config router ospf
set router-id 0.0.0.x
config area
edit 0.0.0.0
next
end
config network
edit 1
set prefix x.x.x.0/255.255.255.0
next
edit 2
set prefix x.x.x.0/255.255.255.0
next
end
end
|
|
5. Configuring the FortiAnalyzer |
|
| In order to use the FortiAnalyzer in the Security Fabric, make sure that the firmware is compatible the version of FortiOS on the FortiGates. To check for compatibility, please refer to the FortiAnalyzer Release Notes. | |
| On the FortiAnalyzer, go to System Settings > Network, select All Interfaces, and edit port2. Set IP/Netmask to an internal IP (in the example, 192.168.55.10/255.255.255.0). |
 |
| Select Network again. Port 2 is now shown as the management interface. Add a Default Gateway, using the IP address of the External FortiGate’s port 16. |  |
|
Go to Device Manager. The FortiGates are listed as Unregistered. |
 |
|
Select the FortiGates, then select +Add. |
 |
| The FortiGates now appear as Registered. |  |
| On External, go to System > Security Fabric. FortiAnalyzer Logging now shows Storage Usage information. |  |
6. Running a Security Fabric Audit |
|
|
The Security Fabric Audit is used to analyze your Security Fabric deployment to identify potential vulnerabilities and highlight best practices. Using the Audit helps you tune your network’s configuration, deploy new hardware and/or software, and gain more visibility and control of your network. Also, by checking your Security Score, which is determined based on how many checks your network passes/fails during the Audit, you can have confidence that your network is getting more secure over time. The Security Fabric Audit must be run on the root FortiGate in the Security Fabric (in this example, External). |
|
|
On External, go to Log & Report > Security Fabric Audit. All the FortiGates in the Fabric are shown. Select Next. |
 |
|
At the top of the page, you can see your Security Score, as well as the overall count of how many checks were passed or failed, with the failed checks divided by severity. Further down, information is shown about each failed check, including which FortiGate failed the check, the effect on your score, and the recommendation to fix the issue. Some recommendations may be listed as Easy Apply. To apply these changes, select Next. |
 |
|
By using Easy Apply, you can change the configuration of any FortiGate in the fabric, not just the root FortiGate. Select all the changes you wish to make, then select Apply Recommendations. |
 |
7. Results |
|
| On External, go to Dashboard > Main. The Security Fabric widget displays all devices in the fabric. |  |
|
Also located on the Dashboard is the Security Fabric Score widget, which displays your current score. If either of these widgets do not appear on your dashboard, they can be added using the Options button in the bottom right corner. |
 |
|
Go to FortiView > Physical Topology. This page shows a visualization of all access layer devices in the Security Fabric. Security Fabric Audit recommendations are also shown in the topology, by the icon for the device the recommendations apply to. |
 |
|
Go to FortiView > Logical Topology. This dashboard displays information about the interface (logical or physical) that each device in the CSF is connected to. |
|
|
Go to Monitor > Routing Monitor. You will see both ISFW FortiGates listed, using OSPF routing. |
 |
8. (Optional) Adding security profiles to the fabric |
|
|
A Security Fabric configurations allow you to distribute security functions to different FortiGates in the fabric. For example, you may want to implement virus scanning on the External FortiGate but add application control and web filtering to the ISFW FortiGates. This results in distributed processing between the FortiGates in the Security Fabric; reducing the load on each one. It also allows you to customize the web filtering and application control for the specific needs of the Accounting network as other internal networks may have different application control and web filtering requirements. This configuration may result in threats getting through the External FortiGate which means you should very closely limit access to the network connections between the FortiGates in the fabric. |
|
|
On External, go to Policy & Objects > IPv4 Policy and edit the policy allowing traffic from Accounting to the Internet. Under Security Profiles, enable AntiVirus and select the default profile. Do the same for the policies allowing traffic from the Marketing and Sales to the Internet. |
 |
|
On Accounting, go to Policy & Objects > IPv4 Policy and edit the policy allowing traffic from the Accounting Network to the Internet. Under Security Profiles, enable Web Filter and Application Control. Select the default profiles for both. Do the same on Marketing and Sales. |
 |
The post Security fabric installation appeared first on Fortinet Cookbook.