Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Cookbook

    6.2.3
    6.2.16
    6.2.15
    6.2.14
    6.2.13
    6.2.12
    6.2.11
    6.2.10
    6.2.9
    6.2.8
    6.2.7
    6.2.6
    6.2.5
    6.2.4
    6.2.3
    6.2.2
    6.2.0
    6.0.0
    5.6.0
    5.4.0

    Viewing and controlling network risks via topology view

    Viewing and controlling network risks via topology view

    This example shows how to view and control compromised hosts via the Security Fabric > Physical Topology or Security Fabric > Logical Topology view.

    In the following topology, the downstream FortiGate (Marketing) is connected to the root FortiGate (Edge) through a FortiSwitch (Distribution). The Endpoint Host is connected to the downstream FortiGate (Marketing) through another FortiSwitch (Access).

    This example consists of the following steps:

    1. View the compromised endpoint host.
    2. Quarantine the compromised endpoint host.
    3. Run diagnose commands.
    To view the compromised endpoint host:
    1. Test that FortiGate detects a compromised endpoint host by opening a browser on the endpoint host and entering a malicious website URL. The browser displays a Web Page Blocked! warning and does not allow access to the website.
    2. In FortiOS on the root FortiGate, go to Security Fabric > Physical Topology. The endpoint host, connected to the Access FortiSwitch, is highlighted in red. Mouse over the endpoint host to view a tooltip that shows the IOC verdict. The endpoint host is compromised.

    3. Go to Security Fabric > Logical Topology. The endpoint host, connected to the downstream FortiGate, is highlighted in red. Mouse over the endpoint host to view a tooltip that shows the IOC verdict. The endpoint host is compromised.

    To quarantine the compromised endpoint host:
    1. In FortiOS on the root FortiGate, go to Security Fabric > Physical Topology.
    2. Right-click the endpoint host and select Quarantine Host. Click OK to confirm the confirmation dialog.
    3. Go to Monitor > Quarantine Monitor. From the dropdown list at the top right corner, select All FortiGates. The quarantined endpoint host displays in the content pane.
    4. On the endpoint host, open a browser and visit a website such as https://www.fortinet.com/. If the website cannot be accessed, this confirms that the endpoint host is quarantined.
    To run diagnose commands:
    1. To show the downstream FortiGate after it joins the Security Fabric, run the diagnose sys csf downstream command in the root FortiGate (Edge) CLI. The output should resemble the following:

      Edge # diagnose sys csf downstream

      1: FG101ETK18000000 (192.168.7.3) Management-IP: 0.0.0.0 Management-port:0 parent: FG201ETK18900000

      path:FG201ETK18900000:FG101ETK18000000

      data received: Y downstream intf:wan1 upstream intf:vlan70 admin-port:443

      authorizer:FG201ETK18900000

    2. To show the upstream FortiGate after the downstream FortiGate joins the Security Fabric, run the diagnose sys csf upstream command in the downstream FortiGate (Marketing) CLI. The output should resemble the following:

      Marketing # diagnose sys csf upstream

      Upstream Information:

      Serial Number:FG201ETK18900000

      IP:192.168.7.2

      Connecting interface:wan1

      Connection status:Authorized

    3. To show the quarantined endpoint host in the connected FortiGate, run the following commands in the downstream FortiGate (Marketing) CLI:

      Marketing # show user quarantine

      config user quarantine

      config targets

      edit "PC2"

      set description "Manually quarantined"

      config macs

      edit 00:0c:29:3d:89:39

      set description "manual-qtn Hostname: PC2"

      next

      end

      next

      end

      end

    Previous
    Next

    More Links

    Topology
    Consolodated risk

    Viewing and controlling network risks via topology view

    Viewing and controlling network risks via topology view

    This example shows how to view and control compromised hosts via the Security Fabric > Physical Topology or Security Fabric > Logical Topology view.

    In the following topology, the downstream FortiGate (Marketing) is connected to the root FortiGate (Edge) through a FortiSwitch (Distribution). The Endpoint Host is connected to the downstream FortiGate (Marketing) through another FortiSwitch (Access).

    This example consists of the following steps:

    1. View the compromised endpoint host.
    2. Quarantine the compromised endpoint host.
    3. Run diagnose commands.
    To view the compromised endpoint host:
    1. Test that FortiGate detects a compromised endpoint host by opening a browser on the endpoint host and entering a malicious website URL. The browser displays a Web Page Blocked! warning and does not allow access to the website.
    2. In FortiOS on the root FortiGate, go to Security Fabric > Physical Topology. The endpoint host, connected to the Access FortiSwitch, is highlighted in red. Mouse over the endpoint host to view a tooltip that shows the IOC verdict. The endpoint host is compromised.

    3. Go to Security Fabric > Logical Topology. The endpoint host, connected to the downstream FortiGate, is highlighted in red. Mouse over the endpoint host to view a tooltip that shows the IOC verdict. The endpoint host is compromised.

    To quarantine the compromised endpoint host:
    1. In FortiOS on the root FortiGate, go to Security Fabric > Physical Topology.
    2. Right-click the endpoint host and select Quarantine Host. Click OK to confirm the confirmation dialog.
    3. Go to Monitor > Quarantine Monitor. From the dropdown list at the top right corner, select All FortiGates. The quarantined endpoint host displays in the content pane.
    4. On the endpoint host, open a browser and visit a website such as https://www.fortinet.com/. If the website cannot be accessed, this confirms that the endpoint host is quarantined.
    To run diagnose commands:
    1. To show the downstream FortiGate after it joins the Security Fabric, run the diagnose sys csf downstream command in the root FortiGate (Edge) CLI. The output should resemble the following:

      Edge # diagnose sys csf downstream

      1: FG101ETK18000000 (192.168.7.3) Management-IP: 0.0.0.0 Management-port:0 parent: FG201ETK18900000

      path:FG201ETK18900000:FG101ETK18000000

      data received: Y downstream intf:wan1 upstream intf:vlan70 admin-port:443

      authorizer:FG201ETK18900000

    2. To show the upstream FortiGate after the downstream FortiGate joins the Security Fabric, run the diagnose sys csf upstream command in the downstream FortiGate (Marketing) CLI. The output should resemble the following:

      Marketing # diagnose sys csf upstream

      Upstream Information:

      Serial Number:FG201ETK18900000

      IP:192.168.7.2

      Connecting interface:wan1

      Connection status:Authorized

    3. To show the quarantined endpoint host in the connected FortiGate, run the following commands in the downstream FortiGate (Marketing) CLI:

      Marketing # show user quarantine

      config user quarantine

      config targets

      edit "PC2"

      set description "Manually quarantined"

      config macs

      edit 00:0c:29:3d:89:39

      set description "manual-qtn Hostname: PC2"

      next

      end

      next

      end

      end

    Previous
    Next