In this recipe, you configure a Fortinet Security Fabric that consists of four FortiGate devices and a FortiAnalyzer. One of the FortiGates acts as the network edge firewall and root FortiGate of the Security Fabric, while the other FortiGate devices function as Internal Segmentation Firewalls (ISFWs).
After you configure the network, you should run a Security Rating, which analyzes the Security Fabric and recommends changes to help you mprove the configuration.
This recipe is in the Security Fabric Collection. You can also use it as a standalone recipe.
The example network uses the following FortiGate aliases:
- Edge: the root FortiGate in the Security Fabric. This FortiGate is named “Edge” because it’s the only FortiGate that directly connects to the Internet. This role is also known as the gateway FortiGate.
- Accounting: an ISFW FortiGate that connects to Edge.
- Marketing: an ISFW FortiGate that connects to Edge.
- Sales: an ISFW FortiGate that connects to Marketing.
Find this recipe for other FortiOS versions
5.4 | 5.6 | 6.0
1. Configuring Edge |
|
|
In the Security Fabric, Edge is the root FortiGate. This FortiGate receives information from the other FortiGates in the Security Fabric and you use it to run the Security Rating. In the example, the following interfaces on Edge connect to other network devices:
|
|
|
To edit port 10 on Edge, go to Network > Interfaces. Set an IP/Network Mask for the interface (in the example, 192.168.10.2/255.255.255.0). Set Administrative Access to allow FortiTelemetry, which is required so that FortiGates in the Security Fabric can communicate with each other. |
 |
|
Repeat this step to configure the other interfaces with the appropriate IP addresses, as listed above. |
|
|
To create a policy for traffic from Accounting to the Internet, go to Policy & Objects > IPv4 Policy. Enable NAT. |
 |
| Repeat this step to create a similar policy for Marketing. | |
| On Edge, go to System > Feature Select. Under Additional Features, enable Multiple Interface Policies. |  |
|
To create a policy that allows Accounting and Marketing to access the FortiAnalyzer, go to Policy & Objects > IPv4 Policy. |
 |
|
To enable communication between the FortiGates in the Security Fabric, go to Security Fabric > Settings and enable FortiGate Telemetry. Set a Group name and Group password. FortiAnalyzer Logging is enabled by default. Set IP address to an internal address that will later be assigned to port 1 on the FortiAnalyzer (in the example, 192.168.65.10). Set Upload option to Real Time. |
 |
| Select Test Connectivity. An error appears because the FortiGate isn’t yet authorized on the FortiAnalyzer. This authorization is configured in a later step. | |
2. Installing Accounting and Marketing |
|
|
To edit wan1 on Accounting, go to Network > Interfaces. Set an IP/Network Mask for the interface that is on the same subnet as port 10 on Edge (in the example, 192.168.10.10/255.255.255.0). Under Administrative Access, select HTTPS and SSH to allow Edge to use this interface to manage the FortiGate. |
 |
|
Edit the lan interface. Set Addressing mode to Manual and set the IP/Network Mask to a private IP address (in the example, 10.10.10.1/255.255.255.0). Set Administrative Access to allow FortiTelemetry. If you require the FortiGate to provide IP addresses using DHCP to devices that connect to this interface, enable DHCP Server. |
 |
|
To add a static route, go to Network > Static Routes. Set Gateway to the IP address of port 10 on Edge. |
 |
|
To create a policy to allow users on the Accounting network to access Edge, go to Policy & Objects > IPv4 Policy. |
 |
|
To add Accounting to the Security Fabric, go to Security Fabric > Settings. Enable FortiGate Telemetry, then enter the same Group name and Group password that you set previously on Edge. Enable Connect to upstream FortiGate and enter the IP address of port 10 on Edge. FortiAnalyzer Logging is enabled by default. Settings for the FortiAnalyzer are retrieved when Accounting connects to Edge. |
 |
|
Connect WAN 1 on Accounting to port 10 on Edge. |
|
|
Connect and configure Marketing, using the same method that you used to configure Accounting. Make sure you complete the following steps:
|
|
3. Installing Sales |
|
|
To edit the interface on Marketing that connects to Sales (in the example, port12), go to Network > Interfaces. Set an IP/Network Mask for the interface (in the example, 192.168.135.2/255.255.255.0). Set Administrative Access to allow FortiTelemetry. |
 |
|
To create a policy for traffic from Sales to Edge, go to Policy & Objects > IPv4 Policy. Enable NAT. |
 |
|
To edit wan2 on Sales, go to Network > Interfaces. Set an IP/Network Mask for the interface that’s on the same subnet as the internal 14 interface on Marketing (in the example, 192.168.135.10/255.255.255.0). Under Administrative Access, select HTTPS and SSH. |
 |
|
Edit the lan interface. Set Addressing Mode to Manual, and set the IP/Network Mask to a private IP address (in the example, 10.10.135.1/255.255.255.0). Set Administrative Access to allow FortiTelemetry. If you require the FortiGate to provide IP addresses, using DHCP, to devices that connect to this interface, enable DHCP Server. Under Networked Devices, enable Device Detection. |
 |
|
To add a default route, go to Network > Static Routes. Set Gateway to the IP address of the internal 14 interface on Marketing. |
 |
| To create a policy that allow users on the Sales network to access Marketing, go to Policy & Objects > IPv4 Policy. |  |
|
To add Sales to the Security Fabric, go to Security Fabric > Settings. Enable FortiGate Telemetry, then enter the same Group name and Group password that you set previously. Enable Connect to upstream FortiGate and enter the IP address of the internal 14 interface on Marketing. FortiAnalyzer Logging is enabled by default. Settings for the FortiAnalyzer are retrieved when Accounting connects to Edge. |
 |
| Connect WAN 2 on Sales to internal 14 on Marketing. | |
4. Configuring the FortiAnalyzer |
|
| To use the FortiAnalyzer in the Security Fabric, make sure that the firmware is compatible with the version of FortiOS on the FortiGates. To check for compatibility, see the FortiAnalyzer Release Notes. | |
|
To edit the port on FortiAnalyzer that connects to Edge (in the example, port4), go to System Settings > Network and select All Interfaces. Set IP Address/Netmask to the IP address that you use to configure the Security Fabric settings on Edge (192.168.65.10/255.255.255.0). Add a Default Gateway, using the IP address of port 16 on Edge. |
 |
|
Go to Device Manager. The FortiGates are listed as Unregistered. |
 |
|
Select the FortiGates, then select +Add. |
 |
| The FortiGates now appear as Registered. |  |
|
After a moment, a warning icon appears beside Edge because the FortiAnalyzer needs administrative access to the root FortiGate in the Security Fabric. Double-click on the FortiGate to enter the Authentication information. |
 |
| On Edge, go to Security Fabric > Settings. FortiAnalyzer Logging now shows Storage usage information. |  |
5. Checking your Security Rating |
|
|
The Security Rating analyzes your Security Fabric deployment to identify potential vulnerabilities and highlight best practices. Using the Security Rating can help you improve your network configuration, deploy new hardware and software, and gain more visibility and control over your network. By regularly checking your network’s Security Rating Score, which is determined by how many checks your network passes or fails, and making the recommended improvements, you can have confidence that your network is getting more secure over time. You must have a valid Security Rating license to run all available checks. If you do not have a license, only certain checks are available. For more information about these checks, see Security Best Practices & Security Rating Feature. |
|
|
On Edge, go to Security Fabric > Security Rating. The Security Rating runs automatically on the root FortiGate. However, if you want more recent results, select Run Now to run another Security Rating. You can also select whether to run the Security Rating on All FortiGates or on specific FortiGate devices in the Security Fabric. At the top of the page, you can see your network’s Security Rating Score, as well as the overall count of how many checks passed or failed. The failed checks are divided by severity. |
 |
|
Further down the page, you can see information about each failed check, including which FortiGate failed the check, the effect on your network’s score, and recommendations for fixing the issue. Easy Apply recommendations in the next stage. However, if your Security Rating is older than 30 minutes, you must run it again to apply these changes. |
|
|
By using Easy Apply, you can change the configuration of any FortiGate in the Security Fabric, not just the root FortiGate. Select all the changes that you want to make, then select Apply Recommendations. |
 |
6. Results |
|
|
On Edge, go to Dashboard > Main. The Security Fabric widget displays the names of the FortiGates in the Security Fabric. |
 |
|
The icons on the top of the widget indicate the other Fortinet devices that can be used in a Security Fabric. Devices in blue are detected in your network, devices in gray aren’t detected in your network, and devices in red are also not detected in your network but are recommended for a Security Fabric. Also located on the Dashboard is the Security Rating widget, which displays your network’s current score. If either of these widgets don’t appear on your dashboard, you can add them using the settings button in the bottom right corner. |
|
|
Go to Security Fabric > Physical Topology. This page shows a visualization of access layer devices in the Security Fabric. The topology also shows Security Rating next to the icon of the device that the recommendations apply to. |
 |
|
Go to Security Fabric > Logical Topology. This dashboard displays information about the interface (logical or physical) that each device in the Security Fabric connects. |
 |
|
On the FortiAnalyzer, go to Device Manager. The FortiGates are now shown as part of a Security Fabric group. The * beside Edge indicates that it’s the root FortiGate in the Security Fabric. |
 |
|
Right-click on the Security Fabric group and select Fabric Topology. The topology of the Security Fabric is displayed. |
 |
7. (Optional) Adding security profiles to the Security Fabric |
|
|
The Security Fabric allows you to distribute security profiles to different FortiGates in your network, which can lessen the workload of each device and avoid creating bottlenecks. For example, you can implement antivirus scanning on Edge while the ISFW FortiGates apply application control and web filtering. This results in distributed processing between the FortiGates in the Security Fabric, which reduces the load on each one. It also allows you to customize the web filtering and application control for the specific needs of the Accounting network since other internal networks may have different application control and web filtering requirements. This configuration may result in threats getting through Edge, which means you should very closely limit access to the network connections between the FortiGates in the network. |
|
|
To edit the policy that allows traffic from Accounting to the Internet, connect to Edge and go to Policy & Objects > IPv4 Policy. Under Security Profiles, enable AntiVirus and select the default profile. SSL Inspection is enabled by default. Set it to the deep-inspection profile. Do the same for the policy that allows traffic from Marketing to the Internet. |
 |
|
To edit the policy that allows traffic from the Accounting network to Edge, connect to Accounting and go to Policy & Objects > IPv4 Policy. Under Security Profiles, enable Web Filter and Application Control. Select the default profiles for both. Repeat this step for both Marketing and Sales. |
 |
For further reading, check out Configuring the Security Fabric in the FortiOS 6.0 Online Help.
The post Security Fabric installation and rating appeared first on Fortinet Cookbook.