In this recipe, you will configure a Fortinet Security Fabric that consists of four FortiGates and a FortiAnalyzer. One of the FortiGates will act as the network edge firewall and root FortiGate of the Security Fabric, while the others function as Internal Segmentation Firewalls (ISFWs).
Once the network has been configured, a Security Fabric Audit is run, to analyze the Security Fabric and recommend changes to help improve the configuration.
This recipe is in the Security Fabric Collection. It can also be used as a standalone recipe.
In the example network, the following FortiGate aliases are used:
- External: the root FortiGate in the Security Fabric. This FortiGate is named “External” because it is the only FortiGate that directly connects to the Internet. This role is also known as the edge or gateway FortiGate.
- Accounting: an ISFW FortiGate that connects to External.
- Marketing: an ISFW FortiGate that connects to External.
- Sales: an ISFW FortiGate that connects to Marketing.
This recipe was created using FortiOS 5.6.1. If you are using 5.6.0, GUI paths related to the Security Fabric and the appearance of some pages will differ from what is shown.
1. Configuring External
In the Security Fabric, External is the root FortiGate. This FortiGate receives information from the other FortiGates in the Security Fabric and is used to run the Security Fabric Audit. In the example, dedicated interfaces on External connect to the other network devices; the steps below use port 10 to connect to Accounting and port 16 to reach the FortiAnalyzer, and each interface is assigned its own IP address.
On External, go to Network > Interfaces and edit port 10. Set an IP/Network Mask for the interface (in the example, 192.168.10.2/255.255.255.0). Set Administrative Access to allow FortiTelemetry, which is required for communication between FortiGates in the Security Fabric.
Repeat this step to configure the other interfaces with their appropriate IP addresses.
Go to Policy & Objects > IPv4 Policy and create a policy for traffic from Accounting to the Internet. Enable NAT.
Repeat this step to create a similar policy for Marketing.
On External, go to System > Feature Select. Under Additional Features, enable Multiple Interface Policies.
Go to Policy & Objects > IPv4 Policy and create a policy allowing Accounting and Marketing to access the FortiAnalyzer.
To enable communication between the FortiGates in the Security Fabric, go to Security Fabric > Settings and enable FortiGate Telemetry. Set a Group name and Group password. FortiAnalyzer Logging is now enabled by default. Set IP address to an internal address that will later be assigned to port 1 on the FortiAnalyzer (in the example, 192.168.55.10).
Select Test Connectivity. An error appears because the FortiGate is not yet authorized on the FortiAnalyzer. This authorization will be configured in a later step.
2. Installing Accounting and Marketing
On Accounting, go to Network > Interfaces and edit WAN1. Set an IP/Network Mask for the interface that is on the same subnet as port 10 on External (in the example, 192.168.10.10/255.255.255.0).
Edit the internal interface. Set Addressing mode to Manual and set the IP/Network Mask to a private IP address (in the example, 10.10.10.1/255.255.255.0). Set Administrative Access to allow FortiTelemetry. If you require the FortiGate to provide IP addresses using DHCP to devices that connect to this interface, enable DHCP Server. Under Networked Devices, enable Device Detection.
Go to Network > Static Routes and add a static route. Set Gateway to the IP address of port 10 on External.
Go to Policy & Objects > IPv4 Policy and create a policy to allow users on the Accounting network to access External.
Go to Security Fabric > Settings to add Accounting to the Security Fabric. Enable FortiGate Telemetry, then enter the same Group name and Group password that you set previously on External. Enable Connect to upstream FortiGate and enter the IP address of port 10 on External. FortiAnalyzer Logging is enabled by default. Settings for the FortiAnalyzer will be retrieved when Accounting connects to External.
If you have not already done so, connect WAN1 on Accounting to port 10 on External.
Connect and configure Marketing using the same method you used to configure Accounting: set its WAN interface to an address on the same subnet as the External interface it connects to, configure its internal interface with FortiTelemetry access, add the static route and the policy to External, and join the Security Fabric with the same Group name and Group password.
3. Installing Sales
On Marketing, go to Network > Interfaces and edit the interface that Sales will connect to (in the example, internal14). Set an IP/Network Mask for the interface (in the example, 192.168.135.2/255.255.255.0). Set Administrative Access to allow FortiTelemetry.
Go to Policy & Objects > IPv4 Policy and create a policy for traffic from Sales to External. Enable NAT.
On Sales, go to Network > Interfaces and edit WAN2. Set an IP/Network Mask for the interface that is on the same subnet as the internal14 interface on Marketing (in the example, 192.168.135.10/255.255.255.0).
Edit the LAN interface. Set Addressing Mode to Manual, and set the IP/Network Mask to a private IP address (in the example, 10.10.135.1/255.255.255.0). Set Administrative Access to allow FortiTelemetry. If you require the FortiGate to provide IP addresses using DHCP to devices that connect to this interface, enable DHCP Server. Under Networked Devices, enable Device Detection.
Go to Network > Static Routes and add a route. Set Gateway to the IP address of the internal14 interface on Marketing.
Go to Policy & Objects > IPv4 Policy and create a policy to allow users on the Sales network to access Marketing.
Go to Security Fabric > Settings to add Sales to the Security Fabric. Enable FortiGate Telemetry, then enter the same Group name and Group password that you set previously. Enable Connect to upstream FortiGate and enter the IP address of the internal14 interface on Marketing. FortiAnalyzer Logging is enabled by default. Settings for the FortiAnalyzer will be retrieved when Sales connects to Marketing.
If you have not already done so, connect WAN2 on Sales to the internal14 interface on Marketing.
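The three FortiGate sections above and the optional section 7 each describe settings that can be verified from a FortiOS text configuration export, so the following Python script is added here as a worked example (it is not code from the Fortinet Cookbook or from FortiOS). It parses the config/edit/set/next/end export format and reports the recipe's requirements that a device misses: FortiGate Telemetry enabled, an upstream FortiGate set on each ISFW, FortiTelemetry allowed on every fabric-facing interface (and no cleartext admin protocol exposed there, following the advice in section 7 to closely limit access on inter-FortiGate links), the root logging to the FortiAnalyzer address, and the section 7 profile split (AntiVirus on the root's Internet policies, Web Filter and Application Control on the ISFWs'). It assumes the FortiOS 5.6 CLI names `system csf` with `status` and `upstream-ip`, `log fortianalyzer setting`, the policy attributes `av-profile`, `webfilter-profile`, `application-list` and `utm-status`, and `fgfm` in `allowaccess` as the CLI counterpart of the GUI's FortiTelemetry option; treating NAT-enabled policies as the Internet-bound ones is a heuristic for this recipe only, and the two sample configurations are constructed, not exported from real devices.

```python
# Added example (not Fortinet's code): check FortiOS-style config exports against this recipe's Security Fabric settings.
import re

FABRIC_ACCESS = "fgfm"                 # assumed CLI keyword behind the GUI's FortiTelemetry option
CLEARTEXT_ADMIN = {"http", "telnet"}   # admin protocols that should not face a fabric link

def _tokens(s):
    # split a 'set' value into tokens, honouring double-quoted strings
    return [a or b for a, b in re.findall(r'"([^"]*)"|(\S+)', s)]

def parse_fortios(text):
    """Return {table: {entry: {attr: [tokens]}}}; table-level 'set' lines live under entry ''."""
    tables, stack, table, entry = {}, [], None, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("config "):
            stack.append((table, entry))
            table = f"{table}/{entry}/{line[7:]}" if table else line[7:]  # nested tables keyed by path
            entry = ""
            tables.setdefault(table, {}).setdefault("", {})
        elif line.startswith("edit "):
            entry = _tokens(line[5:])[0]
            tables[table].setdefault(entry, {})
        elif line.startswith("set "):
            key, _, val = line[4:].partition(" ")
            tables[table][entry][key] = _tokens(val)
        elif line == "next":
            entry = ""
        elif line == "end":
            table, entry = stack.pop()
    return tables

def check_fabric(cfg, fabric_ifaces, is_root, faz_ip):
    """Sections 1-3: telemetry on, upstream set on ISFWs, fgfm (and no cleartext admin) on fabric links."""
    csf = cfg.get("system csf", {}).get("", {})
    out = [] if csf.get("status") == ["enable"] else ["FortiGate Telemetry (system csf) is disabled"]
    if not is_root and not csf.get("upstream-ip"):
        out.append("ISFW has no upstream FortiGate address")
    for name in fabric_ifaces:
        access = set(cfg.get("system interface", {}).get(name, {}).get("allowaccess", []))
        if FABRIC_ACCESS not in access:
            out.append(f"{name}: FortiTelemetry not in allowaccess")
        out += [f"{name}: cleartext admin protocol '{p}' on a fabric link" for p in sorted(access & CLEARTEXT_ADMIN)]
    faz = cfg.get("log fortianalyzer setting", {}).get("", {})
    if is_root and (faz.get("status") != ["enable"] or faz.get("server") != [faz_ip]):
        out.append(f"root is not logging to FortiAnalyzer {faz_ip}")
    return out

def check_profile_split(cfg, is_root):
    """Section 7: Internet-bound (NAT) policies carry AV on the root, Web Filter + App Control on ISFWs."""
    wanted = [("av-profile", "AntiVirus")] if is_root else [
        ("webfilter-profile", "Web Filter"), ("application-list", "Application Control")]
    out = []
    for pid, pol in cfg.get("firewall policy", {}).items():
        if pid and pol.get("nat") == ["enable"]:  # heuristic: NAT marks the Internet policies in this recipe
            out += [f"policy {pid}: {label} profile missing" for attr, label in wanted if not pol.get(attr)]
            if any(pol.get(a) for a, _ in wanted) and pol.get("utm-status") != ["enable"]:
                out.append(f"policy {pid}: profiles set but utm-status is disabled")
    return out

def audit(text, fabric_ifaces, is_root, faz_ip="192.168.55.10"):
    cfg = parse_fortios(text)
    return check_fabric(cfg, fabric_ifaces, is_root, faz_ip) + check_profile_split(cfg, is_root)

# Constructed sample for the root (External); port10 also allows plain http on purpose.
EXTERNAL_CFG = """config system interface
    edit "port10"
        set ip 192.168.10.2 255.255.255.0
        set allowaccess ping https ssh http fgfm
    next
end
config system csf
    set status enable
    set group-name "Office-Security-Fabric"
end
config log fortianalyzer setting
    set status enable
    set server "192.168.55.10"
end
config firewall policy
    edit 1
        set nat enable
        set utm-status enable
        set av-profile "default"
    next
end"""

# Constructed sample for an ISFW (Accounting): its Internet policy lacks Application Control and utm-status.
ACCOUNTING_CFG = """config system interface
    edit "wan1"
        set allowaccess ping https fgfm
    next
end
config system csf
    set status enable
    set upstream-ip 192.168.10.2
end
config firewall policy
    edit 1
        set nat enable
        set webfilter-profile "default"
    next
end"""

if __name__ == "__main__":
    print(audit(EXTERNAL_CFG, ["port10"], True), audit(ACCOUNTING_CFG, ["wan1"], False))
```

Run it against a backup taken from System > Dashboard (or `show full-configuration` output) of each FortiGate, passing the names of that device's fabric-facing interfaces and whether it is the root; the parser keeps nested tables under a path key so it does not choke on interface sub-tables, and every finding maps back to one of the GUI steps above.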
4. Configuring the FortiAnalyzer
To use the FortiAnalyzer in the Security Fabric, make sure that the firmware is compatible with the version of FortiOS on the FortiGates. To check for compatibility, see the FortiAnalyzer Release Notes.
On the FortiAnalyzer, go to System Settings > Network, select All Interfaces, and edit port 1. Set IP Address/Netmask to the IP address used for the Security Fabric configuration on External (192.168.55.10/255.255.255.0). Add a Default Gateway, using the IP address of port 16 on External.
Go to Device Manager. The FortiGates are listed as Unregistered.
Select the FortiGates, then select +Add.
The FortiGates now appear as Registered.
After a moment, a warning icon appears beside External because the FortiAnalyzer needs administrative access to the root FortiGate in the Security Fabric. Select the FortiGate, then enter the administrative authentication information.
On External, go to Security Fabric > Settings. FortiAnalyzer Logging now shows Storage usage information.
5. Running a Security Fabric Audit
You can use the Security Fabric Audit to analyze your Security Fabric deployment, identify potential vulnerabilities, and highlight best practices. Using the Security Audit helps you improve your network configuration, deploy new hardware and software, and gain more visibility and control over your network. By regularly checking your network’s Security Score, which is determined by how many checks your network passes or fails during the Security Audit, and making the recommended improvements, you can have confidence that your network is getting more secure over time. You must run the Security Fabric Audit on the root FortiGate in the Security Fabric.
On External, go to Security Fabric > Audit. All the FortiGates in the Security Fabric are shown. Select Next.
At the top of the page, you can see your network’s Security Score, as well as the overall count of how many checks were passed or failed, with the failed checks divided by severity. Further down, you can see information about each failed check, including which FortiGate failed the check, the effect on your network’s score, and the recommendation for fixing the issue. Easy Apply recommendations may be automatically applied by the wizard in the next stage.
By using Easy Apply, you can change the configuration of any FortiGate in the Security Fabric, not just the root FortiGate. Select all the changes you want to make, then select Apply Recommendations. |
|
6. Results |
|
On External, go to Dashboard > Main. The Security Fabric widget displays the names of the FortiGates in the Security Fabric. |
|
The icons on the top indicate which other Fortinet devices can be used in a Security Fabric. Devices in blue are detected in your network, devices in gray are not detected in your network, and devices in red are also not detected in your network but are recommended for a Security Fabric. |
|
Also located on the Dashboard is the Security Fabric Score widget, which displays your network’s current score. If either of these widgets does not appear on your dashboard, it can be added using the settings button in the bottom right corner. This button appears when your mouse hovers over any part of the dashboard.
|
Go to Security Fabric > Physical Topology. This page shows a visualization of access layer devices in the Security Fabric. Security Fabric Audit recommendations are also shown in the topology, next to the icon of the device the recommendations apply to. |
|
Go to Security Fabric > Logical Topology. This dashboard displays information about the interface (logical or physical) that each device in the Security Fabric is connected to. |
|
On the FortiAnalyzer, go to Device Manager. The FortiGates are now shown as part of a Security Fabric group. The * beside External indicates that it is the root FortiGate in the Security Fabric. |
|
Right-click on the Security Fabric group and select Fabric Topology. The topology of the Security Fabric is displayed. |
|
7. (Optional) Adding security profiles to the Security Fabric |
|
The Security Fabric allows you to distribute security profiles across the FortiGates in your network, which lessens the workload of each device and avoids bottlenecks. For example, you can run antivirus scanning on External while the ISFW FortiGates apply application control and web filtering. Processing is then distributed between the FortiGates in the Security Fabric, reducing the load on each one, and the web filtering and application control can be tailored to the specific needs of the Accounting network, since other internal networks may have different requirements. Because inspection is split in this way, some threats may pass through External, so you should very closely limit access on the network connections between the FortiGates.
|
On External, go to Policy & Objects > IPv4 Policy and edit the policy allowing traffic from Accounting to the Internet. Under Security Profiles, enable AntiVirus and select the default profile. Do the same for the policy allowing traffic from Marketing to the Internet.
|
On Accounting, go to Policy & Objects > IPv4 Policy and edit the policy allowing traffic from the Accounting network to the Internet. Under Security Profiles, enable Web Filter and Application Control. Select the default profiles for both. Repeat this step for both Marketing and Sales. |
For further reading, check out Security Fabric in the FortiOS 5.6 Handbook.
The post Security Fabric installation and audit appeared first on Fortinet Cookbook.