Fortinet black logo

Administration Guide

Viewing and controlling network risks via topology view

Viewing and controlling network risks via topology view

This topic shows how to view and control compromised hosts via the Security Fabric > Physical Topology or Security Fabric > Logical Topology view.

In the following topology, the downstream FortiGate (Marketing) is connected to the root FortiGate (Edge) through a FortiSwitch (Distribution). The Endpoint Host is connected to the downstream FortiGate (Marketing) through another FortiSwitch (Access).

This topic consists of the following steps:

  1. View the compromised endpoint host.
  2. Quarantine the compromised endpoint host.
  3. Run diagnose commands.
To view the compromised endpoint host:
  1. Test that FortiGate detects a compromised endpoint host by opening a browser on the endpoint host and entering a malicious website URL. The browser displays a Web Page Blocked! warning and does not allow access to the website.
  2. In FortiOS on the root FortiGate, go to Security Fabric > Physical Topology. The endpoint host, connected to the Access FortiSwitch, is highlighted in red. Mouse over the endpoint host to view a tooltip that shows the IoC verdict. The endpoint host is compromised.

  3. Go to Security Fabric > Logical Topology. The endpoint host, connected to the downstream FortiGate, is highlighted in red. Mouse over the endpoint host to view a tooltip that shows the IoC verdict. The endpoint host is compromised.

To quarantine the compromised endpoint host:
  1. In FortiOS on the root FortiGate, go to Security Fabric > Physical Topology.
  2. Right-click the endpoint host and select Quarantine Host. Click OK to confirm the confirmation dialog.
  3. Go to Monitor > Quarantine Monitor. From the dropdown list at the top right corner, select All FortiGates. The quarantined endpoint host displays in the content pane.
  4. On the endpoint host, open a browser and visit a website such as https://www.fortinet.com/. If the website cannot be accessed, this confirms that the endpoint host is quarantined.
To run diagnose commands:
  1. To show the downstream FortiGate after it joins the Security Fabric, run the diagnose sys csf downstream command in the root FortiGate (Edge) CLI. The output should resemble the following:

    Edge # diagnose sys csf downstream

    1: FG101ETK18002187 (192.168.7.3) Management-IP: 0.0.0.0 Management-port:0 parent: FG201ETK18902514

    path:FG201ETK18902514:FG101ETK18002187

    data received: Y downstream intf:wan1 upstream intf:vlan70 admin-port:443

    authorizer:FG201ETK18902514

  2. To show the upstream FortiGate after the downstream FortiGate joins the Security Fabric, run the diagnose sys csf upstream command in the downstream FortiGate (Marketing) CLI. The output should resemble the following:

    Marketing # diagnose sys csf upstream

    Upstream Information:

    Serial Number:FG201ETK18902514

    IP:192.168.7.2

    Connecting interface:wan1

    Connection status:Authorized

  3. To show the quarantined endpoint host in the connected FortiGate, run the following commands in the downstream FortiGate (Marketing) CLI:

    Marketing # show user quarantine

    config user quarantine

    config targets

    edit "PC2"

    set description "Manually quarantined"

    config macs

    edit 00:0c:29:3d:89:39

    set description "manual-qtn Hostname: PC2"

    next

    end

    next

    end

    end

Viewing and controlling network risks via topology view

This topic shows how to view and control compromised hosts via the Security Fabric > Physical Topology or Security Fabric > Logical Topology view.

In the following topology, the downstream FortiGate (Marketing) is connected to the root FortiGate (Edge) through a FortiSwitch (Distribution). The Endpoint Host is connected to the downstream FortiGate (Marketing) through another FortiSwitch (Access).

This topic consists of the following steps:

  1. View the compromised endpoint host.
  2. Quarantine the compromised endpoint host.
  3. Run diagnose commands.
To view the compromised endpoint host:
  1. Test that FortiGate detects a compromised endpoint host by opening a browser on the endpoint host and entering a malicious website URL. The browser displays a Web Page Blocked! warning and does not allow access to the website.
  2. In FortiOS on the root FortiGate, go to Security Fabric > Physical Topology. The endpoint host, connected to the Access FortiSwitch, is highlighted in red. Mouse over the endpoint host to view a tooltip that shows the IoC verdict. The endpoint host is compromised.

  3. Go to Security Fabric > Logical Topology. The endpoint host, connected to the downstream FortiGate, is highlighted in red. Mouse over the endpoint host to view a tooltip that shows the IoC verdict. The endpoint host is compromised.

To quarantine the compromised endpoint host:
  1. In FortiOS on the root FortiGate, go to Security Fabric > Physical Topology.
  2. Right-click the endpoint host and select Quarantine Host. Click OK to confirm the confirmation dialog.
  3. Go to Monitor > Quarantine Monitor. From the dropdown list at the top right corner, select All FortiGates. The quarantined endpoint host displays in the content pane.
  4. On the endpoint host, open a browser and visit a website such as https://www.fortinet.com/. If the website cannot be accessed, this confirms that the endpoint host is quarantined.
To run diagnose commands:
  1. To show the downstream FortiGate after it joins the Security Fabric, run the diagnose sys csf downstream command in the root FortiGate (Edge) CLI. The output should resemble the following:

    Edge # diagnose sys csf downstream

    1: FG101ETK18002187 (192.168.7.3) Management-IP: 0.0.0.0 Management-port:0 parent: FG201ETK18902514

    path:FG201ETK18902514:FG101ETK18002187

    data received: Y downstream intf:wan1 upstream intf:vlan70 admin-port:443

    authorizer:FG201ETK18902514

  2. To show the upstream FortiGate after the downstream FortiGate joins the Security Fabric, run the diagnose sys csf upstream command in the downstream FortiGate (Marketing) CLI. The output should resemble the following:

    Marketing # diagnose sys csf upstream

    Upstream Information:

    Serial Number:FG201ETK18902514

    IP:192.168.7.2

    Connecting interface:wan1

    Connection status:Authorized

  3. To show the quarantined endpoint host in the connected FortiGate, run the following commands in the downstream FortiGate (Marketing) CLI:

    Marketing # show user quarantine

    config user quarantine

    config targets

    edit "PC2"

    set description "Manually quarantined"

    config macs

    edit 00:0c:29:3d:89:39

    set description "manual-qtn Hostname: PC2"

    next

    end

    next

    end

    end