FortiGate Cloud logging in the Security Fabric 7.0.4
A Security Fabric can be created on the root device using FortiGate Cloud for cloud logging. When FortiCloud account enforcement is enabled (the default), members joining the Fabric must be registered to the same FortiCloud account. Devices that have not been activated with FortiCloud are also allowed to join.
A new FortiGate Cloud Event Handler automation trigger is available, and the Compromised Host trigger can be used for IOC events detected in FortiGate Cloud. Both triggers require a FortiGate Cloud log retention license.
Configuring a Security Fabric with FortiGate Cloud logging
In this topology, the FGT-F-VM has the same FortiCloud account ID as the root FortiGate (FGT_10_101F), so it can join the Fabric. The FGT-D has a different FortiCloud account ID, so its authorization request to join the Fabric is rejected. The FGT-A is not activated with FortiCloud, but it can still join the Fabric. Its Cloud Logging setting shows that it requires authorization.
This topology is used in the following four Security Fabric configuration examples.
Devices with the same FortiCloud account ID
In this example, the root FortiGate (FGT_10_101F) is configured with FortiGate Cloud logging. In the Security Fabric settings, the FortiCloud account enforcement option is enabled by default. The downstream FortiGate, FGT-F-VM, with the same FortiCloud account ID is able to join the Fabric.
To configure a Security Fabric with FortiCloud logging in the GUI:
- On the root FortiGate, configure FortiCloud logging:
  - Go to Security Fabric > Fabric Connectors and double-click the Cloud Logging card.
  - Set the Type to FortiGate Cloud.
  - Set the Upload option to Real Time.
  - Click OK.
- Configure the Security Fabric settings (see Configuring the root FortiGate and downstream FortiGates in the FortiOS Administration Guide). The FortiCloud account enforcement setting is enabled by default.
- On the FGT-F-VM, check the FortiCloud logging settings:
  - Go to Security Fabric > Fabric Connectors and double-click the Cloud Logging card. The settings are automatically retrieved from the root, and the Account is the same.
- Configure the FGT-F-VM to join the Security Fabric:
  - Go to Security Fabric > Fabric Connectors and double-click the Security Fabric Setup card.
  - Set the Security Fabric role to Join Existing Fabric.
  - Click OK. The FortiGate is authorized and successfully joins the Security Fabric.
To configure a Security Fabric with FortiCloud logging in the CLI:
    config log fortiguard setting
        set status enable
        set upload-option realtime
    end
The FortiCloud account enforcement setting is enabled by default in the Security Fabric settings:
    show system csf
    config system csf
        set status enable
        set group-name "CSF_101"
        set forticloud-account-enforcement enable
    end
Device with a different FortiCloud account ID
In this example, the downstream FortiGate, FGT-D, has a different FortiCloud account ID than the Fabric root FortiGate (FGT_10_101F), so this FortiGate will not be authorized to join the Fabric.
To configure the FGT-D to join the Security Fabric:
- Go to Security Fabric > Fabric Connectors and double-click the Security Fabric Setup card.
- Set the Security Fabric role to Join Existing Fabric. A warning appears that the downstream FortiGates must have the same FortiGate Cloud account and subscription. The device's authorization to join the Fabric is rejected.
- Click Cancel.
Device without an activated FortiCloud account ID
In this example, the downstream FortiGate, FGT-A, does not have an activated FortiCloud account ID. This FortiGate is still authorized to join the Fabric, but the FortiCloud account needs to be activated.
To configure the FGT-A to join the Security Fabric:
- Go to Security Fabric > Fabric Connectors and double-click the Security Fabric Setup card.
- Set the Security Fabric role to Join Existing Fabric. A warning appears that the downstream FortiGates must have the same FortiGate Cloud account and subscription. The device is authorized to join the Fabric.
- Click OK.
- Go to Security Fabric > Fabric Connectors and double-click the Cloud Logging card.
- Beside Account, click Activate and complete the prompts to activate the account.
Device with a different FortiCloud account ID with FortiCloud account enforcement disabled
In this example, FortiCloud account enforcement is disabled on the root FortiGate (FGT_10_101F). The downstream FortiGate, FGT-D, has a different FortiCloud account ID than the Fabric root, but it will be authorized to join the Fabric.
To configure a Security Fabric with FortiCloud account enforcement disabled:
- Disable FortiCloud account enforcement on the Fabric root (FGT_10_101F):
  - Go to Security Fabric > Fabric Connectors and double-click the Security Fabric Setup card.
  - Disable FortiCloud account enforcement.
  - Click OK.
- Configure the FGT-D to join the Security Fabric:
  - Go to Security Fabric > Fabric Connectors and double-click the Security Fabric Setup card.
  - Set the Security Fabric role to Join Existing Fabric. The device is authorized to join the Fabric.
  - Click OK.
- On the Fabric root, go back to Security Fabric > Fabric Connectors and double-click the Security Fabric Setup card. The authorized FGT-D appears in the Topology.
Security rating
When FortiCloud logging is used in a Security Fabric, the Security Posture scorecard no longer has security control results for FortiAnalyzer.
In the Fabric Coverage scorecard, there is a security control test for multiple FortiCare accounts.
Configuring an automation stitch with the FortiGate Cloud event handler trigger
In this example, an automation stitch uses the FortiGate Cloud Event Handler trigger. When an event is triggered, the FortiGate sends an email alert to the administrator.
To configure the automation stitch in the GUI:
- Configure the automation trigger:
  - Go to Security Fabric > Automation, select the Trigger tab, and click Create New.
  - In the Security Fabric section, click FortiGate Cloud Event Handler and enter the following:
    - Name: Forticloud-handler
    - Event handler name: Default-Botnet-Communication-Detection
  - Click OK.
- Configure the automation action:
  - Go to Security Fabric > Automation, select the Action tab, and click Create New.
  - In the Notifications section, click Email and enter the following:
    - Name: email_default_rep_message
    - To: Enter an email address
    - Subject: CSF stitch alert
    - Replacement message: Enable
  - Click OK.
- Configure the automation stitch:
  - Go to Security Fabric > Automation, select the Stitch tab, and click Create New.
  - Enter the name, Forticloud-handler-stitch.
  - Click Add Trigger. Select Forticloud-handler and click Apply.
  - Click Add Action. Select email_default_rep_message and click Apply.
  - Click OK.
Once the stitch is triggered, an email is sent to the administrator.
To configure the automation stitch in the CLI:
- Configure the automation trigger:
    config system automation-trigger
        edit "Forticloud-handler"
            set event-type faz-event
            set faz-event-name "Default-Botnet-Communication-Detection"
        next
    end
- Configure the automation action:
    config system automation-action
        edit "email_default_rep_message"
            set action-type email
            set email-to "*******@fortinet.com"
            set email-subject "CSF stitch alert"
            set replacement-message enable
        next
    end
- Configure the automation stitch:
    config system automation-stitch
        edit "Forticloud-handler-stitch"
            set trigger "Forticloud-handler"
            config actions
                edit 1
                    set action "email_default_rep_message"
                    set required enable
                next
            end
        next
    end
Configuring an automation stitch with the FortiGate Cloud IOC trigger
In this example, an automation stitch uses the Compromised Host trigger, based on IOC events detected on FortiGate Cloud. When the event is triggered, the FortiGate quarantines the compromised host and then, after a three-second delay, sends an email alert to the administrator. The backend FortiAnalyzer Cloud detects the compromised host.
To configure the automation stitch in the GUI:
- Configure the automation trigger:
  - Go to Security Fabric > Automation, select the Trigger tab, and click Create New.
  - In the Security Fabric section, click Compromised Host and enter the following:
    - Name: Forticloud-ioc
    - Description: ioc test
    - Threat level threshold: Medium
  - Click OK.
- Configure the automation actions:
  - Go to Security Fabric > Automation, select the Action tab, and click Create New.
  - In the Security Response section, click Access Layer Quarantine.
  - Enter the name, Compromised Host Quarantine_quarantine.
  - Click OK.
  - Repeat these steps to create an Email action with the following settings:
    - Name: email_default_rep_message
    - To: Enter an email address
    - Subject: CSF stitch alert
    - Replacement message: Enable
- Configure the automation stitch:
  - Go to Security Fabric > Automation, select the Stitch tab, and click Create New.
  - Enter the name, Forticloud-ioc-stitch.
  - Click Add Trigger. Select Forticloud-ioc and click Apply.
  - Click Add Action. Select Compromised Host Quarantine_quarantine and click Apply.
  - Click Add Action. Select email_default_rep_message and click Apply.
  - Click the Add delay located between both actions. Enter 3 and click OK.
  - Click OK.
  Once the stitch is triggered, an email is sent to the administrator.
- Go to Dashboard > Users & Devices and click the Quarantine widget to view the quarantined device.
To configure the automation stitch in the CLI:
- Configure the automation trigger:
    config system automation-trigger
        edit "Forticloud-ioc"
            set description "ioc test"
            set ioc-level medium
        next
    end
- Configure the automation actions:
    config system automation-action
        edit "Compromised Host Quarantine_quarantine"
            set action-type quarantine
        next
        edit "email_default_rep_message"
            set action-type email
            set email-to "*******@fortinet.com"
            set email-subject "CSF stitch alert"
            set replacement-message enable
        next
    end
- Configure the automation stitch:
    config system automation-stitch
        edit "Forticloud-ioc-stitch"
            set trigger "Forticloud-ioc"
            config actions
                edit 1
                    set action "Compromised Host Quarantine_quarantine"
                    set required enable
                next
                edit 2
                    set action "email_default_rep_message"
                    set delay 3
                    set required enable
                next
            end
        next
    end
- Verify that the device was quarantined:
    show user quarantine
    config user quarantine
        config targets
            edit "00:0c:**:**:e9:62"
                config macs
                    edit 00:0c:**:**:e9:62
                        set description "Quarantined by automation stitch: Forticloud-ioc-stitch"
                    next
                end
            next
        end
    end
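The CLI listings on this page (the show system csf output under the first Fabric example and the automation trigger, action and stitch configuration above) are what an operator would pull from a FortiGate to confirm that account enforcement is still on and that a stitch is wired up as intended. The following Python script is an added example, not FortiOS or Fortinet code: it parses the config/edit/set/next/end syntax of FortiOS show output into nested dicts and then checks the settings this page configures. The SAMPLE text is constructed to mirror the page's listings; the e-mail address in it is a placeholder, and the function names are the example's own.

```python
"""Added example (not FortiOS code): parse FortiOS 'show' output and verify the
Security Fabric and automation stitch settings described on this page."""
import shlex

# Constructed sample of 'show' output mirroring the page's CLI listings
# (the e-mail address is a placeholder, not a value from the page).
SAMPLE = """\
config system csf
    set status enable
    set forticloud-account-enforcement enable
end
config system automation-trigger
    edit "Forticloud-ioc"
        set ioc-level medium
    next
end
config system automation-action
    edit "Compromised Host Quarantine_quarantine"
        set action-type quarantine
    next
    edit "email_default_rep_message"
        set action-type email
        set email-to "admin@example.com"
    next
end
config system automation-stitch
    edit "Forticloud-ioc-stitch"
        set trigger "Forticloud-ioc"
        config actions
            edit 1
                set action "Compromised Host Quarantine_quarantine"
                set required enable
            next
            edit 2
                set action "email_default_rep_message"
                set delay 3
                set required enable
            next
        end
    next
end
"""


def parse_fortios_config(text: str) -> dict:
    """Walk config/edit/set/next/end lines with a stack. 'config a b' becomes
    cfg['a b'], 'edit X' a dict under it, 'set k v' stores v (a list when
    multi-valued). Other lines, such as an echoed 'show' command, are skipped."""
    root: dict = {}
    stack: list = [root]
    for raw in text.splitlines():
        tokens = shlex.split(raw)        # honours the double-quoted values
        if not tokens:
            continue
        keyword, args = tokens[0], tokens[1:]
        if keyword in ("config", "edit"):
            node: dict = {}
            stack[-1][" ".join(args)] = node
            stack.append(node)
        elif keyword == "set":
            stack[-1][args[0]] = args[1] if len(args) == 2 else args[1:]
        elif keyword in ("next", "end"):
            if len(stack) == 1:
                raise ValueError(f"unbalanced '{keyword}'")
            stack.pop()
    if len(stack) != 1:
        raise ValueError("unterminated config/edit block")
    return root


def account_enforcement_enabled(cfg: dict) -> bool:
    """True only when 'system csf' explicitly shows enforcement enabled. Plain
    'show' omits default values, so feed it 'show full-configuration system csf'
    output rather than assuming the default when the key is absent."""
    csf = cfg.get("system csf", {})
    return csf.get("status") == "enable" and csf.get("forticloud-account-enforcement") == "enable"


def stitch_chain(cfg: dict, stitch: str) -> list:
    """Actions of a stitch in execution order as (action, delay seconds, required)."""
    actions = cfg["system automation-stitch"][stitch].get("actions", {})
    return [(a["action"], int(a.get("delay", 0)), a.get("required") == "enable")
            for _, a in sorted(actions.items(), key=lambda kv: int(kv[0]))]


def verify_stitch(cfg: dict, stitch: str) -> list:
    """Cross-check that the stitch's trigger and every action it references exist."""
    entry = cfg["system automation-stitch"][stitch]
    problems = []
    if entry.get("trigger") not in cfg.get("system automation-trigger", {}):
        problems.append(f"trigger {entry.get('trigger')!r} is not defined")
    for action, _, _ in stitch_chain(cfg, stitch):
        if action not in cfg.get("system automation-action", {}):
            problems.append(f"action {action!r} is not defined")
    return problems


if __name__ == "__main__":
    cfg = parse_fortios_config(SAMPLE)
    print("account enforcement:", account_enforcement_enabled(cfg))
    print("stitch chain:", stitch_chain(cfg, "Forticloud-ioc-stitch"))
    print("stitch problems:", verify_stitch(cfg, "Forticloud-ioc-stitch") or "none")
```

Run it against real output by pasting the text of show system csf, show system automation-trigger, show system automation-action and show system automation-stitch into SAMPLE (or reading it from a file). A stitch whose trigger or action name was mistyped in the CLI shows up in verify_stitch, and the chain check confirms the quarantine action runs first with the e-mail delayed by three seconds, as the stitch above intends.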