Deploying the Security Fabric
This topic provides an example of deploying Security Fabric with three downstream FortiGates connecting to one root FortiGate. To deploy Security Fabric, you need a FortiAnalyzer running firmware version 6.2 or later.
The following shows a sample network topology with three downstream FortiGates (Accounting, Marketing, and Sales) connected to the root FortiGate (Edge).
To configure the root FortiGate (Edge):
- Configure interfaces:
  - In the root FortiGate (Edge), go to Network > Interfaces.
  - Edit port16:
    - Set Role to DMZ.
    - For the interface connected to FortiAnalyzer, set the IP/Network Mask to 192.168.65.2/255.255.255.0.
  - Edit port10:
    - Set Role to LAN.
    - For the interface connected to the downstream FortiGate (Accounting), set the IP/Network Mask to 192.168.10.2/255.255.255.0.
  - Edit port11:
    - Set Role to LAN.
    - For the interface connected to the downstream FortiGate (Marketing), set the IP/Network Mask to 192.168.200.2/255.255.255.0.
- Configure Security Fabric:
  - In the root FortiGate (Edge), go to Security Fabric > Fabric Connectors and double-click the Security Fabric Setup card.
  - For Status, click Enable.
  - Set the Security Fabric role to Serve as Fabric Root. The FortiAnalyzer settings then become available for configuration.
  - Enter the FortiAnalyzer IP (192.168.65.10) and select an Upload option (the default is Real Time).
  - Click Test Connectivity.
    A warning message indicates that the FortiGate is not authorized on the FortiAnalyzer. The authorization is configured in a later step on the FortiAnalyzer.
  - Click OK. The FortiAnalyzer serial number is verified.
  - Enter a Fabric name, such as Office-Security-Fabric.
  - Ensure Allow other Security Fabric devices to join is enabled and add port10 and port11.
  - Click OK.
- Create a policy to allow the downstream FortiGate (Accounting) to access the FortiAnalyzer:
  - In the root FortiGate (Edge), go to Policy & Objects > Addresses.
  - Click Create New.
  - Set Name to FAZ-addr.
  - Set Type to Subnet.
  - Set Subnet/IP Range to 192.168.65.10/32.
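The same root FortiGate (Edge) settings as a CLI configuration, added here as an example and not taken from the original page; it assumes the FortiOS 6.2 CLI keywords (system csf, log fortianalyzer setting, and the fabric allowaccess flag) and uses only the interfaces, addresses and fabric name given above. Verify the keywords against the CLI Reference for your firmware before applying them.

```fortios
# Root FortiGate (Edge): interface toward FortiAnalyzer and toward the
# downstream FortiGates (Accounting on port10, Marketing on port11).
config system interface
    edit "port16"
        set ip 192.168.65.2 255.255.255.0
        set role dmz
    next
    edit "port10"
        set ip 192.168.10.2 255.255.255.0
        set role lan
        # "fabric" in allowaccess is the CLI form of
        # "Allow other Security Fabric devices to join" (assumed 6.2 keyword)
        set allowaccess ping https ssh fabric
    next
    edit "port11"
        set ip 192.168.200.2 255.255.255.0
        set role lan
        set allowaccess ping https ssh fabric
    next
end

# Security Fabric: this unit serves as Fabric Root; group-name is the Fabric name.
config system csf
    set status enable
    set group-name "Office-Security-Fabric"
end

# FortiAnalyzer logging target; realtime matches the GUI default Upload option.
# The FortiGate still has to be authorized on the FortiAnalyzer side.
config log fortianalyzer setting
    set status enable
    set server "192.168.65.10"
    set upload-option realtime
end

# Host address object for the FortiAnalyzer, referenced by the access policy
# created in the following steps.
config firewall address
    edit "FAZ-addr"
        set type subnet
        set subnet 192.168.65.10 255.255.255.255
    next
end
```

The `#` lines are explanatory and should be dropped if the block is pasted into an interactive CLI session.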