User Guide

Security Fabric

24.1.0

Security Fabric

The Fortinet Security Fabric is a cybersecurity platform that interconnects different security solutions to deliver protection and visibility to your entire network architecture. See Fortinet Security Fabric | Administration Guide for more information.

Monitoring different Fabric environments

Fortinet environment

The FortiMonitor Fabric integration works best with network environments that are composed entirely of Fortinet devices. Connecting FortiMonitor to the FortiGate associated with the Fabric gives FortiMonitor access to the performance data and metadata of every device in the Fabric. By allowing FortiMonitor to join the Fabric, devices behind the FortiGate can be discovered, whether they are in the same physical location or connected via VPN. New Fortinet devices added to the network after the initial setup can also be discovered and monitored.

With this approach, you no longer have to set up SNMP on every firewall, switch, or access point in the network to gather metric data.

Integrating with an active Security Fabric does bring certain prerequisites. These are detailed in Enable Security Fabric monitoring; the integration is only available for FortiOS 7.0 and later.

Combination of Fortinet and non-Fortinet devices

For environments that have a combination of Fortinet and non-Fortinet devices, the OnSight vCollector can be used. Note that as mentioned in the previous section, Fortinet devices that are part of the Fabric can be monitored by allowing FortiMonitor access to the Fabric.

For non-Fortinet devices, the OnSight must be deployed behind the firewall on your internal network. The OnSight vCollector is the proxy into that network that allows FortiMonitor to collect metric data from your network devices. Windows, Linux and Unix hosts may be monitored with the FortiMonitor Agent. This approach requires that the OnSight vCollector is deployed and configured for maximum network visibility. You also have to either run OnSight discovery to find all devices in the network or explicitly add every device in the network to the OnSight. Access credentials that allow the OnSight to make SNMP connections to every device in the network must also be configured.

Deployment options

To start onboarding your Fabric environment, click Add from the navigation menu. The following deployment options are displayed. Each option is described below, including its supported FortiOS versions, prerequisites, and the information you must supply.

Deployment method: Fabric Tunnel

Description: Discovery and data collection are done via the CSF tunnel introduced in FortiOS 7.x from our GCP environment.

Supported FortiOS version: 7.0 and up

Prerequisites:

  • Security Fabric is enabled on the root FortiGate

  • Port 8013 open on the WAN to our GCP environment

  • Downstream access enabled on each device

Required from user:

  • Root FortiGate IP/FQDN

  • Root FortiGate port (almost always 8013)

  • Root FortiGate serial number

Deployment method: Fabric Tunnel - OnSight

Description: Discovery and data collection are done via the CSF tunnel introduced in FortiOS 7.x from an OnSight.

Supported FortiOS version: 7.0 and up

Prerequisites:

  • Security Fabric is enabled on the root FortiGate

  • Port 8013 open to the LAN where the OnSight is installed

  • Downstream access enabled on each device

  • OnSight installed in the environment so it can reach the root FortiGate

Required from user:

  • Root FortiGate IP/FQDN

  • Root FortiGate port (almost always 8013)

  • Root FortiGate serial number

  • A selected OnSight

Deployment method: Fabric Group

Description: Discovery of devices is done via the /monitor/system/csf endpoint on the root FortiGate. Collection is done via raw HTTPS queries to each FortiGate.

Supported FortiOS version: 6.x

Prerequisites:

  • Fabric group enabled on the devices

  • OnSight installed in the environment so it can reach each FortiGate to be monitored

  • The management IP/port of each device configured in the Fabric

Required from user:

  • Root FortiGate IP/FQDN

  • Port of the root FortiGate HTTPS API

  • Root FortiGate serial number

  • Root FortiGate API key

  • A selected OnSight

  • After initial discovery, users are prompted for an API key for each FortiGate discovered.

Deployment method: FortiManager Proxy

Description: Discovery and data collection are performed entirely via the FortiManager proxy to the underlying devices.

Supported FortiOS version: 6.0 and up

Prerequisites:

  • FortiManager is installed

  • FortiManager credentials for a user created for FortiMonitor

  • OnSight installed in a network that can reach FortiManager

Required from user:

  • A selected OnSight

  • FortiManager IP/FQDN

  • FortiManager HTTPS port

  • FortiManager serial number

  • FortiManager username and password

Note: FortiGate models with 2 GB RAM cannot be the root of the Security Fabric topology or any mid-tier part of the topology. They can only be configured as downstream devices in a Security Fabric or standalone devices. For more information, see Fortinet Security Fabric.
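The prerequisites above (port 8013 reachable, the root FortiGate HTTPS API reachable with an API key, and a management IP configured on every Fabric member) can be checked before onboarding. The following is an added example and is not FortiMonitor or FortiOS code. It assumes the root FortiGate's REST API exposes the CSF endpoint at the standard prefix, /api/v2/monitor/system/csf, with bearer-token authentication, and that the response carries a nested tree of devices keyed by serial, hostname, ip and downstream; the SAMPLE_CSF document below is constructed for illustration, not a captured FortiOS response, and its serial numbers are placeholders.

```python
"""Preflight checks for onboarding a Security Fabric into FortiMonitor (added example)."""
import json
import socket
import ssl
import urllib.request
from typing import Iterator, List, Optional

FABRIC_TUNNEL_PORT = 8013  # Fabric Tunnel port named in the deployment table
CSF_PATH = "/api/v2/monitor/system/csf"  # assumed standard REST prefix for the page's /monitor/system/csf

# Constructed sample response; serials and addresses are placeholders, not real devices.
SAMPLE_CSF = {
    "results": {
        "serial": "FGT-ROOT-PLACEHOLDER", "hostname": "root-fgt", "ip": "10.0.0.1",
        "downstream": [
            {"serial": "FGT-BRANCH-PLACEHOLDER", "hostname": "branch-fgt", "ip": "10.0.1.1",
             "downstream": [
                 {"serial": "FSW-PLACEHOLDER", "hostname": "branch-switch", "ip": "10.0.1.2",
                  "downstream": []}]},
            # A member with no management IP violates the Fabric Group prerequisite.
            {"serial": "FGT-DC-PLACEHOLDER", "hostname": "dc-fgt", "ip": "", "downstream": []},
        ],
    }
}


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def fetch_csf(host: str, api_port: int, api_key: str, cafile: Optional[str] = None) -> dict:
    """GET the Fabric tree from the root FortiGate's HTTPS API using an API key.

    TLS verification stays on: pass the FortiGate's certificate (or its issuing CA)
    as cafile rather than disabling verification for a self-signed device.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(
        f"https://{host}:{api_port}{CSF_PATH}",
        headers={"Authorization": f"Bearer {api_key}", "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.load(resp)


def flatten_fabric(node: dict, depth: int = 0) -> Iterator[dict]:
    """Walk the nested tree and yield one flat record per Fabric member."""
    yield {"serial": node.get("serial"), "hostname": node.get("hostname"),
           "ip": node.get("ip") or None, "depth": depth}
    for child in node.get("downstream", []):
        yield from flatten_fabric(child, depth + 1)


def missing_management_ip(root: dict) -> List[str]:
    """Serial numbers of members that have no management IP configured."""
    return [d["serial"] for d in flatten_fabric(root) if not d["ip"]]


def preflight(host: str, api_port: int, api_key: str, cafile: Optional[str] = None) -> dict:
    """Run the reachability checks and, if the API answers, the per-member checks."""
    report = {
        "fabric_tunnel_port_open": tcp_reachable(host, FABRIC_TUNNEL_PORT),
        "api_port_open": tcp_reachable(host, api_port),
    }
    if report["api_port_open"]:
        tree = fetch_csf(host, api_port, api_key, cafile)["results"]
        report["members"] = list(flatten_fabric(tree))
        report["missing_management_ip"] = missing_management_ip(tree)
    return report


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; replace with preflight(host, port, key).
    for member in flatten_fabric(SAMPLE_CSF["results"]):
        print("  " * member["depth"] + f"{member['hostname']} ({member['serial']}) ip={member['ip']}")
    print("members without a management IP:", missing_management_ip(SAMPLE_CSF["results"]))
```

The script reports only reachability and configuration gaps; it does not change anything on the FortiGate. Keep the API key out of the command line and shell history (read it from an environment variable or a secrets store) and scope it to a read-only administrator profile, since the CSF endpoint only needs read access.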

FortiMonitor integration

FortiMonitor’s Security Fabric integration allows you to discover and monitor your devices in your Fabric environment. The full Security Fabric topology and device lists are pulled in and monitored through FortiGate’s Security Fabric API.

Fabric device monitoring supports the following:

Full template support

Create templates and apply them to Fabric devices that you want to monitor in the same way. Default templates are also available for each type of Fabric device. See Templates to learn how to use templates.

Fabric Topology dashboard widget

The full Security Fabric topology from the FortiGate can be displayed using the Fabric topology widget. For more information, see Fabric topology widget.

Network Interfaces dashboard widget

The Network Interfaces widget provides a table displaying the status and bandwidth utilization of network device interfaces. For more information, see Network Interfaces.

Network device performance monitoring

The performance of each Fabric device is displayed in the Performance section of the device’s Instance Details page.

Note on FortiAPs and FortiSwitches

Metric data from FortiAPs and FortiSwitches is gathered from their parent FortiGate. Only FortiAPs and FortiSwitches that are managed by a FortiGate are supported.

Supported metrics

In addition to SNMP metrics, the following health checks are also supported:

Device health for FortiGates

  • Configured Interface Up/Down

  • SD-WAN stats

  • CPU/Memory Health

  • Security rating

  • Client Lists

  • DHCP Pool info

  • Firewall Bytes

  • Firewall Hit Count

  • Firewall packets

  • Firewall Sessions

  • Interface DHCP

Device Health for FortiSwitches

  • FortiLink Up/Down

  • Port Status

  • Connected Clients

  • CPU/memory Usage

  • Errors

  • PoE Usage

  • State

Device Health for FortiAPs

  • FortiLink Up/Down

  • Traffic Stats

  • Connected Clients

  • CPU/Memory Usage

  • Channel Utilization

  • MAC Errors

  • TX Errors

  • Auth Errors

  • DHCP status

Using FortiManager

  • Bandwidth In

  • Bandwidth Out

  • CPU

  • Disk

  • Errors In

  • Errors Out

  • Interface DHCP

  • Interface Status

  • Memory

  • Packets In

  • Packets Out

  • SD-WAN Bandwidth In

  • SD-WAN Bandwidth Out

  • SD-WAN Jitter

  • SD-WAN Latency

  • SD-WAN Packet Loss

  • SD-WAN Packets In

  • SD-WAN Packets Out

  • SD-WAN SLA Targets Met

  • SD-WAN Sessions

  • SD-WAN Status

  • Sessions

Using SNMP

  • Active SSL Tunnels

  • Active Web Sessions

  • Admin Status

  • Antivirus Events Triggered

  • BGP Peer State

  • Bandwidth In

  • Bandwidth Out

  • Bytes Processed

  • CPU Usage

  • Cluster Member Bandwidth

  • Cluster Member CPU Usage

  • Cluster Member Memory Usage

  • Cluster Member Packets Processed

  • Cluster Member Session Count

  • Discard Packets In

  • Discard Packets Out

  • Disk Usage

  • Errors In

  • Errors Out

  • Explicit Proxy Violations

  • Firewall Packet Matches

  • HA Cluster Priority

  • HA Sync Status

  • IDS/IPS Events Triggered

  • IM Connections Blocked

  • IPSec Tunnel Status

  • IPsec Tunnel Lifetime

  • IPsec Tunnel Timeout

  • Intrusions Blocked

  • Low Mem Usage

  • Maximum VDOMs

  • Memory Usage

  • Operational Status

  • Packets Dropped

  • Packets Received

  • Packets Transmitted

  • Processor Usage

  • SD-WAN Link Bandwidth In

  • SD-WAN Link Bandwidth Out

  • SD-WAN Link Bi-Directional Bandwidth

  • SD-WAN Link Packet Loss

  • SD-WAN Link Packets In

  • SD-WAN Link Packets Out

  • SD-WAN Link State

  • SSL VPN Sessions

  • SSL VPN Status

  • Session Clash Rate

  • Session Count

  • Tunnel Bandwidth In

  • Tunnel Bandwidth Out

  • VDOM Count

  • VDOM Enabled

  • VDOM Ops Mode

  • Viruses Blocked

  • WAN Tunnel Count

  • fgSysSesCount

  • fgVWLHealthCheckLinkJitter

  • fgVWLHealthCheckLinkLatency

  • fgVpnTunEntLifeBytes