Deploying the Security Fabric

This topic provides an example of deploying Security Fabric with three downstream FortiGates connecting to one root FortiGate. To deploy Security Fabric, you need a FortiAnalyzer running firmware version 6.2 or later.

The following shows a sample network topology with three downstream FortiGates (Accounting, Marketing, and Sales) connected to the root FortiGate (Edge).

To configure the root FortiGate (Edge):
  1. Configure interfaces:
    1. In the root FortiGate (Edge), go to Network > Interfaces.
    2. Edit port16:
      • Set Role to DMZ.
      • For the interface connected to FortiAnalyzer, set the IP/Network Mask to 192.168.65.2/255.255.255.0.
    3. Edit port10:
      • Set Role to LAN.
      • For the interface connected to the downstream FortiGate (Accounting), set the IP/Network Mask to 192.168.10.2/255.255.255.0.
    4. Edit port11:
      • Set Role to LAN.
      • For the interface connected to the downstream FortiGate (Marketing), set the IP/Network Mask to 192.168.200.2/255.255.255.0.
  2. Configure Security Fabric:
    1. In the root FortiGate (Edge), go to Security Fabric > Fabric Connectors and double-click the Security Fabric Setup card.
    2. For Status, click Enable.
    3. Set the Security Fabric role to Serve as Fabric Root. The FortiAnalyzer settings then become available.
    4. Enter the FortiAnalyzer IP (192.168.65.10) and select an Upload option (the default is Real Time).
    5. Click Test Connectivity.

      A warning message indicates that the FortiGate is not authorized on the FortiAnalyzer. The authorization is configured in a later step on the FortiAnalyzer.

    6. Click OK. The FortiAnalyzer serial number is verified.
    7. Enter a Fabric name, such as Office-Security-Fabric.
    8. Ensure Allow other Security Fabric devices to join is enabled and add port10 and port11.
    9. Click OK.
  3. Create a policy to allow the downstream FortiGate (Accounting) to access the FortiAnalyzer:
    1. In the root FortiGate (Edge), go to Policy & Objects > Addresses.
    2. Click Create New.
      • Set Name to FAZ-addr.
      • Set Type to Subnet.
      • Set Subnet/IP Range to 192.168.65.10/32.
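For reference, the same root FortiGate settings expressed as a FortiOS CLI script (an added example, not part of this guide): the interface names, addresses and fabric name are taken from the steps above, while the command syntax is assumed from FortiOS 6.2-style CLI and should be checked against the CLI reference for your firmware. It covers steps 1 and 2 and the address object from step 3, and grants the fabric join permission only on the two ports that face downstream FortiGates.

```fortios
# Root FortiGate (Edge). Values from the steps above; CLI syntax is an assumption.

# Step 1: interfaces
config system interface
    edit "port16"
        set role dmz
        set ip 192.168.65.2 255.255.255.0        # faces FortiAnalyzer
    next
    edit "port10"
        set role lan
        set ip 192.168.10.2 255.255.255.0        # faces Accounting
        # "Allow other Security Fabric devices to join" on this port only
        set allowaccess ping fabric
    next
    edit "port11"
        set role lan
        set ip 192.168.200.2 255.255.255.0       # faces Marketing
        set allowaccess ping fabric
    next
end

# Step 2: FortiAnalyzer logging (Real Time upload) and Fabric Root role
config log fortianalyzer setting
    set status enable
    set server "192.168.65.10"
    set upload-option realtime
end
config system csf
    set status enable
    set group-name "Office-Security-Fabric"
end

# Step 3 (address object only): a /32 for the FortiAnalyzer,
# so the later policy permits nothing beyond that single host
config firewall address
    edit "FAZ-addr"
        set type ipmask                          # GUI "Subnet"
        set subnet 192.168.65.10 255.255.255.255
    next
end
```

Ports that carry no downstream FortiGate (port16 here) are deliberately left without the fabric access option.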