Administration Guide

Topology

The full Security Fabric topology can be viewed on the root FortiGate. Downstream FortiGate devices' topology views do not include upstream devices.

The Physical Topology shows the physical structure of your network, including all connected devices and the connections between them. The Logical Topology shows information about the interfaces that connect devices to the Security Fabric. Only Fortinet devices are shown in the topologies.

In both topology pages, you can use filtering and sorting options to control the information that is shown. Hover the cursor over a device icon, port number, or endpoint to open a tooltip that shows information about that specific device, port, or endpoint. Right-click on a device to log in to it or to deauthorize it. Right-click on an endpoint to perform various tasks, including drilling down for more details on sources or compromised hosts, quarantining the host, and banning the IP address.

The small number that might be shown on the top right corner of a device icon is the number of security ratings recommendations or warnings for that device. The color of the circle shows the severity of the highest security rating check that failed. Clicking it opens the Security Rating page. See Security rating for more information.

Servers and server clusters are represented by squares with rounded corners. They are grouped separately from circular endpoints. Devices are grouped by type and are colored based on their risk level. Endpoint groups are represented by donut charts or bubble packs depending on the current view settings (see Endpoint groups for more information). The size of each bubble in the topology varies based on traffic volume.

AWS assets are grouped by AWS security groups or subnets, and information about detected Common Vulnerabilities and Exposures (CVEs), as well as the instance details and ID, are shown.

Views

The topology views can be focused using filters and by sorting in different ways to help you locate the information that you need.

Select one of Access Device or No Access Device to only show access or no access devices in the physical topology.

From the Endpoint Option dropdown list, select one of the following views:

  • Device Traffic: Organize devices by traffic.
  • Device Count: Organize devices by the number of devices connected to them.
  • Device Operating System: Organize devices by operating system.
  • Device Hardware Vendor: Organize devices by hardware vendor.
  • Risk: Only include devices that have endpoints with medium, high, or critical risk values of the specified type: All, Compromised Host, Vulnerability, or Threat Score.
  • No Devices: Do not show endpoints.

The time period dropdown list filters the view by time. Options include: now (real time), 5 minutes, 1 hour, 24 hours, or 7 days.

Endpoint groups

The Device Traffic and Device Count views display endpoint groups as donut charts, with the total number of endpoints in the group in the center of the chart. Each sector of the donut chart represents a different endpoint operating system.

To zoom in on a donut chart, click any chart sector. Hovering over a sector shows the OS that the sector represents and the number of endpoints that have that OS installed.

In this example, the endpoint group contains a total of nine endpoints, with the following OSes installed:

Donut sector color   OS             Number of endpoints
Orange               Linux          2
Green                FortiMail      1
Red                  FortiManager   1
Blue                 Other          5

To view the endpoint group in a bubble pack display, click the + button in the center of the donut chart. You can view each individual endpoint in the bubble pack view.

WAN cloud

The WAN cloud icon includes a dropdown menu for selecting where the destination data comes from. The available options are: Internet, Owner, IP Address, and Country/Region. These options are only available when the filtering is based on Device Traffic.

When Owner is selected, the destination hosts are shown as donut charts that show the percentage of internal (with private IP addresses) and Internet hosts. Hover over either color in the chart to see additional information.

To view more details, right-click on the chart and select Destination Owner Details. The Top Destination Owners by Bytes widget opens. Click the green icon (Standalone FortiView page icon) to add the widget to a new dashboard.

Alternatively, you can add the FortiView Destination Owners widget as a standalone page or to an existing dashboard (see Adding FortiView widgets).

FortiAP and FortiSwitch devices

Newly discovered FortiAP and FortiSwitch devices are initially shown in the topologies with gray icons to indicate that they have not been authorized. To authorize a device, click on the device icon or name and select Authorize. Once authorized, the device icon turns blue.

Right-click on an authorized FortiAP device to Deauthorize or Restart the device. Right-click on a FortiSwitch device to Deauthorize, Restart, or Upgrade the device, or to Connect to the CLI.

FortiAP and FortiSwitch links are enhanced to show link aggregation groups for the inter-switch link (ISL-LAG). To differentiate them from physical links, ISL-LAG links are shown with a thicker line. The endpoint circles can also be used as a reference to identify ISL-LAG groups that have more than two links.

Critical risks

Click the Critical Risks button to see a list of endpoints that are deemed critical risks, organized by threat severity. These are the red endpoints in the current topology view.

For each endpoint, the user's photo, name, IP address, email address, and phone number are shown. The number of vulnerabilities of each severity is shown, along with whether the IoC verdict is that the endpoint is compromised.

If applicable, the endpoint's host can be quarantined or its IP address banned by clicking the Quarantine Host or Ban IP button.

The dropdown menu also provides options to drill down to more information on compromised hosts or endpoint vulnerabilities.

Click Drill Down to Compromised Hosts to open the Top Compromised Hosts page that shows a summary for the selected endpoint.

Compromised host information can also be viewed on the FortiAnalyzer in SOC > FortiView > Threats > Compromised Hosts.

Note

The FortiAnalyzer must have a FortiGuard Indicators of Compromise service license in order to see compromised hosts.

Click Drill Down to Endpoint Vulnerability to open the vulnerabilities page that shows a summary of the vulnerabilities on the selected endpoint.

FortiAnalyzer

The Security Fabric topology can also be seen on the FortiAnalyzer device. In the Device Manager, FortiGate devices are shown as part of a Security Fabric group with an asterisk next to the name of the root FortiGate.

To view the Security Fabric topology, right-click on the fabric group and select Fabric Topology. Only Fortinet devices are shown in the Security Fabric topology views.