Deploying the Security Fabric
This topic provides an example of deploying Security Fabric with three downstream FortiGates connecting to one root FortiGate. To deploy a Security Fabric, you need a FortiAnalyzer running firmware version 6.2 or later.
The following shows a sample network topology with three downstream FortiGates (Accounting, Marketing, and Sales) connected to the root FortiGate (Edge).
To configure the root FortiGate (Edge):
-
Configure the interfaces:
-
Go to Network > Interfaces.
-
Edit port16:
-
Set Role to DMZ.
-
For the interface connected to FortiAnalyzer, set the IP/Network Mask to 192.168.65.2/255.255.255.0
-
-
Edit port10:
-
Set Role to LAN.
-
For the interface connected to the downstream FortiGate (Accounting), set the IP/Network Mask to 192.168.10.2/255.255.255.0
-
-
Edit port11:
-
Set Role to LAN.
-
For the interface connected to the downstream FortiGate (Marketing), set the IP/Network Mask to 192.168.200.2/255.255.255.0
-
-
-
Configure the Security Fabric settings:
-
Go to Security Fabric > Fabric Connectors and double-click the Security Fabric Setup card.
-
Select the Settings tab, and set the Security Fabric role to Serve as Fabric Root.
-
Enter a Fabric name, such as Office-Security-Fabric.
-
Ensure Allow other Security Fabric devices to join is enabled and add port10 and port11.
-
Click OK.
-
-
Configure the FortiAnalyzer logging settings:
-
Go to Security Fabric > Fabric Connectors and double-click the Logging & Analytics card.
-
Select the Settings tab, select the FortiAnalyzer tab, and set the Status to Enabled.
-
Enter the FortiAnalyzer IP in the Server field (192.168.65.10). The Upload option is automatically set to Real Time.
-
Click Refresh.
A warning message indicates that the FortiGate is not authorized on the FortiAnalyzer. The authorization is configured in a later step on the FortiAnalyzer.
-
Click OK. The FortiAnalyzer serial number is verified.
-
-
Create the address objects to use in the firewall policies:
-
Go to Policy & Objects > Addresses.
-
Click Create New.
-
Set Name to FAZ-addr.
-
Set Type to Subnet.
-
Set Subnet/IP Range to 192.168.65.10/32.
-
Set Interface to any.
-
-
Click OK.
-
Click Create New.
-
Set Name to Accounting.
-
Set Type to Subnet.
-
Set Subnet/IP Range to 192.168.10.10/32.
-
Set Interface to any.
-
-
Click OK.
-
-
Create a policy to allow the downstream FortiGate (Accounting) to access the FortiAnalyzer:
-
Go to Policy & Objects > Firewall Policy and click Create New.
-
Set the Name to Accounting-to-FAZ.
-
Set srcintf to port10.
-
Set dstintf to port16.
-
Set srcaddr to Accounting-addr.
-
Set dstaddr to FAZ-addr.
-
Set Action to Accept.
-
Set Schedule to Always.
-
Set Service to All.
-
Enable NAT.
-
Set IP Pool Configuration to Use Outgoing Interface Address.
-
-
Click OK.
-
-
Create a policy to allow the two downstream FortiGates (Marketing and Sales) to access the FortiAnalyzer:
-
In the root FortiGate (Edge), go to Policy & Objects > Addresses and click Create New.
-
Set Name to Marketing-addr.
-
Set Type to Subnet.
-
Set Subnet/IP Range to 192.168.200.10/32.
-
Set Interface to any.
-
-
Click OK.
-
In the root FortiGate (Edge), go to Policy & Objects > Firewall Policy and click Create New.
-
Set Name to Marketing-to-FAZ.
-
Set srcintf to port11.
-
Set dstintf to port16.
-
Set srcaddr to Marketing-addr.
-
Set dstaddr to FAZ-addr.
-
Set Action to Accept.
-
Set Schedule to Always.
-
Set Service to All.
-
Enable NAT.
-
Set IP Pool Configuration to Use Outgoing Interface Address.
-
-
Click OK.
-
To configure the downstream FortiGate (Accounting):
-
Configure the interface:
-
Go to Network > Interfaces.
-
Edit interface wan1:
-
Set Role to WAN.
-
For the interface connected to root, set the IP/Network Mask to 192.168.10.10/255.255.255.0
-
-
-
Configure the default static route to connect to the root FortiGate (Edge):
-
Go to Network > Static Routes and click Create New or Create New > IPv4 Static Route.
-
Set Destination to 0.0.0.0/0.0.0.0.
-
Set Interface to wan1.
-
Set Gateway Address to 192.168.10.2.
-
-
Click OK.
-
-
Configure the Security Fabric:
-
Go to Security Fabric > Fabric Connectors and double-click the Security Fabric Setup card.
-
In the Settings tab, set the Security Fabric role to Join Existing Fabric.
FortiAnalyzer automatically enables logging. Settings for the FortiAnalyzer are retrieved from the root FortiGate (Edge) when FortiGate (Accounting) connects to the root FortiGate (Edge).
-
Upstream FortiGate IP is filled in automatically with the default static route Gateway Address of 192.168.10.2 set in the previous step.
-
Disable Allow other Security Fabric devices to join, because there is no downstream FortiGate connecting to it.
-
Click OK.
-
To configure the downstream FortiGate (Marketing):
-
Configure the interface:
-
Go to Network > Interfaces.
-
Edit port12:
-
Set Role to LAN.
-
For the interface connected to the downstream FortiGate (Sales), set the IP/Network Mask to 192.168.135.11/255.255.255.0.
-
-
Edit wan1:
-
Set Role to WAN.
-
For the interface connected to the root FortiGate (Edge), set the IP/Network Mask to 192.168.200.10/255.255.255.0.
-
-
-
Configure the default static route to connect to the root FortiGate (Edge):
-
Go to Network > Static Routes and click Create New or Create New > IPv4 Static Route.
-
Set Destination to 0.0.0.0/0.0.0.0.
-
Set Interface to wan1.
-
Set Gateway Address to 192.168.200.2.
-
-
Click OK.
-
-
Configure the Security Fabric:
-
Go to Security Fabric > Fabric Connectors and double-click the Security Fabric Setup card.
-
In the Settings tab, set the Security Fabric role to Join Existing Fabric.
FortiAnalyzer automatically enables logging. Settings for the FortiAnalyzer are retrieved from the root FortiGate (Edge) when FortiGate (Marketing) connects to the root FortiGate (Edge).
-
Upstream FortiGate IP is filled in automatically with the default static route Gateway Address of 192.168.200.2 set in the previous step.
-
Enable Allow other Security Fabric devices to join and add port12.
-
Click OK.
-
-
Create the address objects to use in the firewall policies:
-
Go to Policy & Objects > Addresses and click Create New.
-
Set Name to FAZ-addr.
-
Set Type to Subnet.
-
Set Subnet/IP Range to 192.168.65.10/32.
-
Set Interface to any.
-
-
Click OK.
-
Click Create New.
-
Set Name to Sales-addr.
-
Set Type to Subnet.
-
Set Subnet/IP Range to 192.168.135.10/32.
-
Set Interface to any.
-
-
Click OK.
-
-
Create a policy to allow another downstream FortiGate (Sales) going through FortiGate (Marketing) to access the FortiAnalyzer:
-
Go to Policy & Objects > Firewall Policy and click Create New.
-
Set Name to Sales-to-FAZ.
-
Set srcintf to port12.
-
Set dstintf to wan1.
-
Set srcaddr to Sales-addr.
-
Set dstaddr to FAZ-addr.
-
Set Action to Accept.
-
Set Schedule to Always.
-
Set Service to All.
-
Enable NAT.
-
Set IP Pool Configuration to Use Outgoing Interface Address.
-
-
Click OK.
-
To configure the downstream FortiGate (Accounting):
-
Configure the interface:
-
Go to Network > Interfaces.
-
Edit interface wan1:
-
Set Role to WAN.
-
For the interface connected to root, set the IP/Network Mask to 192.168.10.10/255.255.255.0
-
-
-
Configure the default static route to connect to the root FortiGate (Edge):
-
Go to Network > Static Routes and click Create New or Create New > IPv4 Static Route.
-
Set Destination to 0.0.0.0/0.0.0.0.
-
Set Interface to wan1.
-
Set Gateway Address to 192.168.10.2.
-
-
Click OK.
-
-
Configure the Security Fabric:
-
Go to Security Fabric > Fabric Connectors and double-click the Security Fabric Setup card.
-
In the Settings tab, set the Security Fabric role to Join Existing Fabric.
FortiAnalyzer automatically enables logging. Settings for the FortiAnalyzer are retrieved from the root FortiGate (Edge) when FortiGate (Accounting) connects to the root FortiGate (Edge).
-
Upstream FortiGate IP is filled in automatically with the default static route Gateway Address of 192.168.10.2 set in the previous step.
-
Disable Allow other Security Fabric devices to join, because there is no downstream FortiGate connecting to it.
-
Click OK.
-
To configure the downstream FortiGate (Sales):
-
Configure the interface:
-
Go to Network > Interfaces.
-
Edit wan2:
-
Set Role to WAN.
-
For the interface connected to the upstream FortiGate (Marketing), set the IP/Network Mask to 192.168.135.10/255.255.255.0.
-
-
-
Configure the default static route to connect to the upstream FortiGate (Marketing):
-
Go to Network > Static Routes and click Create New or Create New > IPv4 Static Route.
-
Set Destination to 0.0.0.0/0.0.0.0.
-
Set Interface to wan2.
-
Set Gateway Address to 192.168.135.11.
-
-
Click OK.
-
-
Configure the Security Fabric:
-
Go to Security Fabric > Fabric Connectors and double-click the Security Fabric Setup card.
-
In the Settings tab, set the Security Fabric role to Join Existing Fabric.
FortiAnalyzer automatically enables logging. Settings for the FortiAnalyzer are retrieved from the root FortiGate (Edge) when FortiGate (Sales) connects to the root FortiGate (Edge).
-
Upstream FortiGate IP is filled in automatically with the default static route Gateway Address of 192.168.135.11 set in the previous step.
-
Disable Allow other Security Fabric devices to join, because there is no downstream FortiGate connecting to it.
-
Click OK.
-
To authorize downstream FortiGates (Accounting, Marketing, and Sales) on the root FortiGate (Edge):
-
In the root FortiGate (Edge), go to System > Firmware & Registration.
The table highlights two connected FortiGates with their serial numbers that are unauthorized.
-
Select the unauthorized device and click Authorization > Authorize.
After they are authorized, the two downstream FortiGates (Accounting and Marketing) appear in the Security Fabric widget. This means that the two downstream FortiGates (Accounting and Marketing) have successfully joined the Security Fabric.
-
The table now highlights the Sales FortiGate with the serial number that is connected to the downstream Marketing FortiGate that is unauthorized.
-
Select the highlighted FortiGate and click Authorization > Authorize.
After it is authorized, the downstream FortiGate (Sales) appears in the Topology tree in the Security Fabric widget. This means that the downstream FortiGates (Sales) has successfully joined the Security Fabric.
To use FortiAnalyzer to authorize all the Security Fabric FortiGates:
-
Authorize all the Security Fabric FortiGates on the FortiAnalyzer side:
-
On the FortiAnalyzer, go to System Settings > Network > All Interfaces.
-
Edit port1 and set IP Address/Netmask to 192.168.65.10/255.255.255.0.
-
Go to Device Manager > Unauthorized. All of the FortiGates are listed as unauthorized.
-
Select all the FortiGates and select Authorize. The FortiGates are now listed as authorized.
After a moment, a warning icon appears beside the root FortiGate (Edge) because the FortiAnalyzer needs administrative access to the root FortiGate (Edge) in the Security Fabric.
-
Click the warning icon and enter the admin username and password of the root FortiGate (Edge).
-
-
-
Check FortiAnalyzer status on all the Security Fabric FortiGates:
-
On each FortiGate, go to Security Fabric > Fabric Connectors and double-click the FortiAnalyzer Logging card.
-
Check that Storage usage information is shown.
-
To check Security Fabric deployment result:
-
On FortiGate (Edge), go to Dashboard > Status and check the Security Fabric widget.
-
On FortiGate (Edge), go to Security Fabric > Physical Topology.
This page shows a visualization of access layer devices in the Security Fabric.
-
On FortiGate (Edge), go to Security Fabric > Physical Topology.
This dashboard shows information about the interfaces of each device in the Security Fabric.
To run diagnostics:
-
To view the downstream FortiGate pending authorization on the root FortiGate :
Edge # diagnose sys csf authorization pending-list Serial IP Address HA-Members Path ------------------------------------------------------------------------------------ FG201ETK18902514 0.0.0.0 FG3H1E5818900718:FG201ETK18902514
-
To view the downstream FortiGates after they join Security Fabric on the root or first level downstream FortiGate:
Edge # diagnose sys csf downstream 1: FG201ETK18902514 (192.168.200.10) Management-IP: 0.0.0.0 Management-port:0 parent: FG3H1E5818900718 path:FG3H1E5818900718:FG201ETK18902514 data received: Y downstream intf:wan1 upstream intf:port11 admin-port:443 authorizer:FG3H1E5818900718 2: FGT81ETK18002246 (192.168.10.10) Management-IP: 0.0.0.0 Management-port:0 parent: FG3H1E5818900718 path:FG3H1E5818900718:FGT81ETK18002246 data received: Y downstream intf:wan1 upstream intf:port10 admin-port:443 authorizer:FG3H1E5818900718 3: FG101ETK18002187 (192.168.135.10) Management-IP: 0.0.0.0 Management-port:0 parent: FG201ETK18902514 path:FG3H1E5818900718:FG201ETK18902514:FG101ETK18002187 data received: Y downstream intf:wan2 upstream intf:port12 admin-port:443 authorizer:FG3H1E5818900718
-
To view the upstream FortiGate after the downstream FortiGate joins Security Fabric:
Marketing # diagnose sys csf upstream Upstream Information: Serial Number:FG3H1E5818900718 IP:192.168.200.2 Connecting interface:wan1 Connection status:Authorized