FortiGate Cloud logging in the Security Fabric 7.0.4

A Security Fabric can be created on the root device using FortiGate Cloud for cloud logging. When the FortiCloud account enforcement is enabled (by default), members joining the Fabric must be registered to the same FortiCloud account. Devices that are not activated with FortiCloud are also allowed.

A new FortiGate Cloud Event Handler automation trigger is available. The Compromised Host trigger can be used for IOC events detected in FortiGate Cloud. Both triggers require a FortiGate Cloud log retention license.

Configuring a Security Fabric with FortiGate Cloud logging

In this topology, the FGT-F-VM has the same FortiCloud account ID as the root FortiGate (FGT_10_101F), so it can join the Fabric. The FGT-D has a different FortiCloud account ID, so its authorization request to join the Fabric is rejected. The FGT-A is not activated with FortiCloud, but it can still join the Fabric. Its Cloud Logging setting shows that it requires authorization.

This topology is used in the following four Security Fabric configuration examples.

Devices with the same FortiCloud account ID

In this example, the root FortiGate (FGT_10_101F) is configured with FortiGate Cloud logging. In the Security Fabric settings, the FortiCloud account enforcement option is enabled by default. The downstream FortiGate, FGT-F-VM, with the same FortiCloud account ID is able to join the Fabric.

To configure a Security Fabric with FortiCloud logging in the GUI:
  1. On the root FortiGate, configure FortiCloud logging:
    1. Go to Security Fabric > Fabric Connectors and double-click the Cloud Logging card.
    2. Set the Type to FortiGate Cloud.
    3. Set the Upload option to Real Time.
    4. Click OK.
  2. Configure the Security Fabric settings (see Configuring the root FortiGate and downstream FortiGates in the FortiOS Administration Guide). The FortiCloud account enforcement setting is enabled by default.

  3. On the FGT-F-VM, check the FortiCloud logging settings:
    1. Go to Security Fabric > Fabric Connectors and double-click the Cloud Logging card. The settings are automatically retrieved from the root and the Account is the same.

  4. Configure the FGT-F-VM to join the Security Fabric:
    1. Go to Security Fabric > Fabric Connectors and double-click the Security Fabric Setup card.
    2. Set the Security Fabric role to Join Existing Fabric.
    3. Click OK. The FortiGate is authorized and successfully joins the Security Fabric.

To configure a Security Fabric with FortiCloud logging in the CLI:
config log fortiguard setting
    set status enable
    set upload-option realtime
end

The FortiCloud account enforcement setting is enabled by default in the Security Fabric settings:

show system csf
    config system csf
        set status enable
        set group-name "CSF_101"
        set forticloud-account-enforcement enable
    end

Device with a different FortiCloud account ID

In this example, the downstream FortiGate, FGT-D, has a different FortiCloud account ID than the Fabric root FortiGate (FGT_10_101F), so this FortiGate will not be authorized to join the Fabric.

To configure the FGT-D to join the Security Fabric:
  1. Go to Security Fabric > Fabric Connectors and double-click the Security Fabric Setup card.
  2. Set the Security Fabric role to Join Existing Fabric. A warning appears that the downstream FortiGates must have the same FortiGate Cloud account and subscription. The device's authorization to join the Fabric is rejected.

  3. Click Cancel.

Device without an activated FortiCloud account ID

In this example, the downstream FortiGate, FGT-A, does not have an activated FortiCloud account ID. This FortiGate is still authorized to join the Fabric, but the FortiCloud account needs to be activated.

To configure the FGT-A to join the Security Fabric:
  1. Go to Security Fabric > Fabric Connectors and double-click the Security Fabric Setup card.
  2. Set the Security Fabric role to Join Existing Fabric. A warning appears that the downstream FortiGates must have the same FortiGate Cloud account and subscription. The device is authorized to join the Fabric.

  3. Click OK.
  4. Go to Security Fabric > Fabric Connectors and double-click the Cloud Logging card.
  5. Beside Account, click Activate and complete the prompts to activate the account.

Device with a different FortiCloud account ID with FortiCloud account enforcement disabled

In this example, FortiCloud account enforcement is disabled on the root FortiGate (FGT_10_101F). The downstream FortiGate, FGT-D, has a different FortiCloud account ID than the Fabric root, but it will be authorized to join the Fabric.

To configure a Security Fabric with FortiCloud account enforcement disabled:
  1. Disable FortiCloud account enforcement on the Fabric root (FGT_10_101F):
    1. Go to Security Fabric > Fabric Connectors and double-click the Security Fabric Setup card.
    2. Disable FortiCloud account enforcement.
    3. Click OK.
  2. Configure the FGT-D to join the Security Fabric:
    1. Go to Security Fabric > Fabric Connectors and double-click the Security Fabric Setup card.
    2. Set the Security Fabric role to Join Existing Fabric. The device is authorized to join the Fabric.

    3. Click OK.
    4. On the Fabric root, go back to Security Fabric > Fabric Connectors and double-click the Security Fabric Setup card. The authorized FGT-D appears in the Topology.

Security rating

When FortiCloud logging is used in a Security Fabric, the Security Posture scorecard no longer has security control results for FortiAnalyzer.

In the Fabric Coverage scorecard, there is a security control test for multiple FortiCare accounts.

Configuring an automation stitch with the FortiGate Cloud event handler trigger

In this example, an automation stitch uses the FortiGate Cloud Event Handler trigger. When an event is triggered, the FortiGate sends an email alert to the administrator.

To configure the automation stitch in the GUI:
  1. Configure the automation trigger:

    1. Go to Security Fabric > Automation, select the Trigger tab, and click Create New.

    2. In the Security Fabric section, click FortiGate Cloud Event Handler and enter the following:

      Name: Forticloud-handler
      Event handler name: Default-Botnet-Communication-Detection

    3. Click OK.

  2. Configure the automation action:

    1. Go to Security Fabric > Automation, select the Action tab, and click Create New.

    2. In the Notifications section, click Email and enter the following:

      Name: email_default_rep_message
      To: Enter an email address
      Subject: CSF stitch alert
      Replacement message: Enable

    3. Click OK.

  3. Configure the automation stitch:

    1. Go to Security Fabric > Automation, select the Stitch tab, and click Create New.

    2. Enter the name, Forticloud-handler-stitch.

    3. Click Add Trigger. Select Forticloud-handler and click Apply.

    4. Click Add Action. Select email_default_rep_message and click Apply.

    5. Click OK.

    Once the stitch is triggered, an email is sent to the administrator.

To configure the automation stitch in the CLI:
  1. Configure the automation trigger:
    config system automation-trigger
        edit "Forticloud-handler"
            set event-type faz-event
            set faz-event-name "Default-Botnet-Communication-Detection"
        next
    end
  2. Configure the automation action:
    config system automation-action
        edit "email_default_rep_message"
            set action-type email
            set email-to "*******@fortinet.com"
            set email-subject "CSF stitch alert"
            set replacement-message enable
        next
    end
  3. Configure the automation stitch:
    config system automation-stitch
        edit "Forticloud-handler-stitch"
            set trigger "Forticloud-handler"
            config actions
                edit 1
                    set action "email_default_rep_message"
                    set required enable
                next
            end
        next
    end

Configuring an automation stitch with the FortiGate Cloud IOC trigger

In this example, an automation stitch uses the Compromised Host trigger, which is based on IOC events detected on FortiGate Cloud. When an event is triggered, the FortiGate quarantines the compromised host and, after a three-second delay, sends an email alert to the administrator. The backend FortiAnalyzer Cloud detects the compromised host.

To configure the automation stitch in the GUI:
  1. Configure the automation trigger:

    1. Go to Security Fabric > Automation, select the Trigger tab, and click Create New.

    2. In the Security Fabric section, click Compromised Host and enter the following:

      Name: Forticloud-ioc
      Description: ioc test
      Threat level threshold: Medium

    3. Click OK.

  2. Configure the automation actions:

    1. Go to Security Fabric > Automation, select the Action tab, and click Create New.

    2. In the Security Response section, click Access Layer Quarantine.

    3. Enter the name, Compromised Host Quarantine_quarantine.

    4. Click OK.

    5. Repeat these steps to create an Email action with the following settings:

      Name: email_default_rep_message
      To: Enter an email address
      Subject: CSF stitch alert
      Replacement message: Enable

  3. Configure the automation stitch:

    1. Go to Security Fabric > Automation, select the Stitch tab, and click Create New.

    2. Enter the name, Forticloud-ioc-stitch.

    3. Click Add Trigger. Select Forticloud-ioc and click Apply.

    4. Click Add Action. Select Compromised Host Quarantine_quarantine and click Apply.

    5. Click Add Action. Select email_default_rep_message and click Apply.

    6. Click Add delay between the two actions, enter 3, and click OK.

    7. Click OK.

    Once the stitch is triggered, an email is sent to the administrator.

  4. Go to Dashboard > Users & Devices and click the Quarantine widget to view the quarantined device.

To configure the automation stitch in the CLI:
  1. Configure the automation trigger:
    config system automation-trigger
        edit "Forticloud-ioc"
            set description "ioc test"
            set ioc-level medium
        next
    end
  2. Configure the automation actions:
    config system automation-action
        edit "Compromised Host Quarantine_quarantine"
            set action-type quarantine
        next
        edit "email_default_rep_message"
            set action-type email
            set email-to "*******@fortinet.com"
            set email-subject "CSF stitch alert"
            set replacement-message enable
        next
    end
  3. Configure the automation stitch:
    config system automation-stitch
        edit "Forticloud-ioc-stitch"
            set trigger "Forticloud-ioc"
            config actions
                edit 1
                    set action "Compromised Host Quarantine_quarantine"
                    set required enable
                next
                edit 2
                    set action "email_default_rep_message"
                    set delay 3
                    set required enable
                next
            end
        next
    end
  4. Verify that the device was quarantined:
    show user quarantine
        config user quarantine
            config targets
                edit "00:0c:**:**:e9:62"
                    config macs
                        edit 00:0c:**:**:e9:62
                            set description "Quarantined by automation stitch: Forticloud-ioc-stitch"
                        next
                    end
                next
            end
        end
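The following is an added example, not Fortinet's code or part of this page: a small parser for the FortiOS CLI blocks shown above, used to reproduce two checks from this page, namely whether a downstream FortiGate will be authorized to join the Fabric under the forticloud-account-enforcement setting (the four cases in the Security Fabric section), and the action schedule the Forticloud-ioc-stitch will run (the IOC stitch section). The sample config text is a trimmed copy of the blocks on this page, and the account IDs are constructed placeholders; the parser handles only the config/edit/set/next/end shapes shown here.

```python
import shlex

# Constructed sample: the CSF block and the IOC stitch from this page, trimmed.
SAMPLE_CONFIG = """
config system csf
    set group-name "CSF_101"
    set forticloud-account-enforcement enable
end
config system automation-action
    edit "Compromised Host Quarantine_quarantine"
        set action-type quarantine
    next
    edit "email_default_rep_message"
        set action-type email
    next
end
config system automation-stitch
    edit "Forticloud-ioc-stitch"
        set trigger "Forticloud-ioc"
        config actions
            edit 1
                set action "Compromised Host Quarantine_quarantine"
                set required enable
            next
            edit 2
                set action "email_default_rep_message"
                set delay 3
                set required enable
            next
        end
    next
end
"""


def parse_fortios(text):
    """Turn FortiOS config/edit/set/next/end nesting into nested dicts.
    Only the shapes on this page are handled (no unset/append, no VDOM scoping)."""
    root, stack = {}, []
    stack.append(root)
    for raw in text.splitlines():
        tokens = shlex.split(raw)  # respects the double-quoted names
        if not tokens:
            continue
        if tokens[0] in ("config", "edit"):
            stack.append(stack[-1].setdefault(" ".join(tokens[1:]), {}))
        elif tokens[0] == "set":
            stack[-1][tokens[1]] = " ".join(tokens[2:])
        elif tokens[0] in ("next", "end"):
            stack.pop()
    return root


def join_authorized(csf, root_account, member_account):
    """Mirror the four join cases on this page. member_account is None when the
    downstream FortiGate has no activated FortiCloud account (still allowed)."""
    enforce = csf.get("forticloud-account-enforcement", "enable") == "enable"
    if not enforce or member_account is None:
        return True
    return member_account == root_account


def stitch_schedule(cfg, stitch_name):
    """Return (seconds after trigger, action name, action type, required) per action.
    Assumption: each action's delay counts from the previous action, so offsets add up."""
    stitch = cfg["system automation-stitch"][stitch_name]
    actions = cfg["system automation-action"]
    schedule, elapsed = [], 0
    for idx in sorted(stitch["actions"], key=int):
        entry = stitch["actions"][idx]
        elapsed += int(entry.get("delay", "0"))
        schedule.append((elapsed, entry["action"],
                         actions[entry["action"]]["action-type"],
                         entry.get("required") == "enable"))
    return schedule
```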
