Viewing and controlling network risks via topology view

This recipe shows how to view and control compromised hosts via the Security Fabric > Physical Topology or Security Fabric > Logical Topology view.

In the following topology, the downstream FortiGate (Marketing) is connected to the root FortiGate (Edge) through a FortiSwitch (Distribution). The Endpoint Host is connected to the downstream FortiGate (Marketing) through another FortiSwitch (Access).

This recipe consists of the following steps:

  1. Configure the root FortiGate.
  2. Configure the downstream FortiGate.
  3. Authorize the downstream FortiGate on the root FortiGate.
  4. Authorize Security Fabric FortiGates on the FortiAnalyzer.
  5. View the compromised endpoint host.
  6. Quarantine the compromised endpoint host.
  7. Run diagnose commands.

To configure the root FortiGate:
  1. Configure the interface:
    1. In FortiOS on the downstream FortiGate, go to Network > Interfaces.
    2. Edit port4. Set the role to WAN and set the IP/Network Mask to 192.168.5.2/255.255.255.0 for the interface that is connected to the Internet.
    3. Edit port6. Set the role to DMZ and set the IP/Network Mask to 192.168.8.2/255.255.255.0 for the interface which is connected to FortiAnalyzer.
    4. Edit port5. Set the Addressing mode to Dedicated to FortiSwitch for the interface which is connected to the Distribution FortiSwitch.
    5. Return to Network > Interfaces and click Create New. For the new interface, set the name to vlan70, Type to VLAN, Interface to port5, VLAN ID to 70, Role to LAN, and IP/Network Mask to 192.168.7.2/255.255.255.0.
  2. Authorize the Distribution FortiSwitch:
    1. Go to WiFi & Switch Controller > Managed FortiSwitch.
    2. Click the FortiGate icon, then click Edit. Set the Name to Distribution-Switch, enable the Authorized option, then click OK.
    3. Click the FortiSwitch port1 icon. For port1's Native VLAN, select vlan70.
  3. Configure the default static route to connect to the root FortiGate. Go to Network > Static Routes. Set the Destination to 0.0.0.0/0.0.0.0, select port4 as the Interface, and set the Gateway Address as 192.168.5.254.
  4. Configure the Security Fabric:
    1. Go to Security Fabric > Settings.
    2. Enable FortiGate Telemetry.
    3. Configure a group name.
    4. In FortiTelemetry enabled interfaces, add vlan70.
    5. FortiAnalyzer logging is enabled and the Upload option is set to Real Time after FortiGate Telemetry is enabled. Set the IP address to the FortiAnalyzer IP address, which in this example is 192.168.8.250. FortiAnalyzer settings will be retrieved when the downstream FortiGate connects to the root FortiGate.
  5. Create a policy to access the Internet. Go to Policy & Objects > IPv4 Policy. Click Create New, and configure the policy as follows:
    1. Set the Name to Access-internet1.
    2. Set the Source Interface to vlan70 and the Destination Interface to port4.
    3. Set the Source Address to all and the Destination Address to all.
    4. Set the Action to ACCEPT.
    5. Set the Schedule to Always.
    6. Set the Service to ALL.
    7. Enable NAT.
    8. Set the IP Pool Configuration to Use Outgoing Interface Address.
  6. Create an address for the FortiAnalyzer:
    1. Go to Policy & Objects > Addresses. Click Create New, then Address.
    2. Set the Name to FAZ-addr.
    3. Set the Type to Subnet.
    4. Set the Subnet/IP Range to 192.168.8.250/32.
    5. Set the Interface to Any.
  7. Create a policy for the downstream FortiGate to access the FortiAnalyzer. Go to Policy & Objects > IPv4 Policy. Click Create New, and configure the policy as follows:
    1. Set the Name to Access-Resources.
    2. Set the Source Interface to vlan70 and the Destination Interface to port6.
    3. Set the Source Address to all and the Destination Address to FAZ-addr.
    4. Set the Action to ACCEPT.
    5. Set the Schedule to Always.
    6. Set the Service to ALL.
    7. Enable NAT.
    8. Set the IP Pool Configuration to Use Outgoing Interface Address.

To configure the downstream FortiGate:
  1. Configure the interface:
    1. In FortiOS on the downstream FortiGate, go to Network > Interfaces.
    2. Edit wan1. Set the role to WAN and set the IP/Network Mask to 192.168.7.3/255.255.255.0 for the interface that is connected to the root FortiGate.
    3. Edit wan2. Set the Addressing mode to Dedicated to FortiSwitch for the interface which is connected to the Access FortiSwitch.
    4. Return to Network > Interfaces and click Create New. For the new interface, set the name to vlan20, Type to VLAN, Interface to wan2, VLAN ID to 20, Role to LAN, and IP/Network Mask to 10.1.100.3/255.255.255.0.
  2. Authorize the Access FortiSwitch:
    1. Go to WiFi & Switch Controller > Managed FortiSwitch.
    2. Click the FortiGate icon, then click Edit. Set the Name to Access-Switch, enable the Authorized option, then click OK.
    3. Click the FortiSwitch port2 icon. For port2's Native VLAN, select vlan20.
  3. Configure the default static route to connect to the root FortiGate. Go to Network > Static Routes. Set the Destination to 0.0.0.0/0.0.0.0, select wan1 as the Interface, and set the Gateway Address as 192.168.7.2.
  4. Configure the Security Fabric:
    1. Go to Security Fabric > Settings.
    2. Enable FortiGate Telemetry.
    3. Under FortiGate Telemetry, enable Connect to upstream FortiGate.
    4. Configure the FortiGate IP to 192.168.7.2.
    5. In FortiTelemetry enabled interfaces, add vlan20.
    6. FortiAnalyzer logging is enabled after FortiGate Telemetry is enabled. FortiAnalyzer settings will be retrieved when the downstream FortiGate connects to the root FortiGate.
  5. Create a policy to access the Internet. Go to Policy & Objects > IPv4 Policy. Click Create New, and configure the policy as follows:
    1. Set the Name to Access-internet2.
    2. Set the Source Interface to vlan20 and the Destination Interface to wan1.
    3. Set the Source Address to all and the Destination Address to all.
    4. Set the Action to ACCEPT.
    5. Set the Schedule to Always.
    6. Set the Service to ALL.
    7. Enable NAT.
    8. Set the IP Pool Configuration to Use Outgoing Interface Address.
    9. Choose the default Web Filter profile.

To authorize the downstream FortiGate on the root FortiGate:
  1. In FortiOS on the root FortiGate, go to Security Fabric > Settings. In the Topology field, a highlighted FortiGate with a serial number is connecting to the root FortiGate, and a highlighted warning asks for authorization of the highlighted device.
  2. Click the highlighted FortiGate, then select Authorize. After authorization, the downstream FortiGate appears in the Topology field in Security Fabric > Settings, meaning that the downstream FortiGate joined the Security Fabric successfully.

To authorize Security Fabric FortiGates on the FortiAnalyzer:
  1. Ensure that the FortiAnalyzer firmware is 6.2.0 or later.
  2. In FortiAnalyzer, go to Device Manager > Unauthorized. All FortiGates are listed as unauthorized. Select all FortiGates, then select Authorize. The FortiGates now appear as authorized.
  3. After a moment, a warning icon appears beside the root FortiGate since the FortiAnalyzer needs administrative access to the root FortiGate in the Security Fabric. Click the warning icon, then enter the admin user and password for the root FortiGate.

To view the compromised endpoint host:
  1. Test that FortiGate detects a compromised endpoint host by opening a browser on the endpoint host and entering a malicious website URL. The browser displays a Web Page Blocked! warning and does not allow access to the website.
  2. In FortiOS on the root FortiGate, go to Security Fabric > Physical Topology. The endpoint host, connected to the Access FortiSwitch, is highlighted in red. Mouse over the endpoint host to view a tooltip that shows the IoC verdict. The endpoint host is compromised.
  3. Go to Security Fabric > Logical Topology. The endpoint host, connected to the downstream FortiGate, is highlighted in red. Mouse over the endpoint host to view a tooltip that shows the IoC verdict. The endpoint host is compromised.

To quarantine the compromised endpoint host:
  1. In FortiOS on the root FortiGate, go to Security Fabric > Physical Topology.
  2. Right-click the endpoint host and select Quarantine Host. Click OK in the confirmation dialog.
  3. Go to Monitor > Quarantine Monitor. From the dropdown list at the top right corner, select All FortiGates. The quarantined endpoint host displays in the content pane.
  4. On the endpoint host, open a browser and visit a website such as https://www.fortinet.com/. If the website cannot be accessed, this confirms that the endpoint host is quarantined.

To run diagnose commands:
  1. To show the downstream FortiGate after it joins the Security Fabric, run the diagnose sys csf downstream command in the root FortiGate (Edge) CLI. The output should resemble the following:

    Edge # diagnose sys csf downstream
    1: FG101ETK18002187 (192.168.7.3) Management-IP: 0.0.0.0 Management-port:0 parent: FG201ETK18902514
    path:FG201ETK18902514:FG101ETK18002187
    data received: Y downstream intf:wan1 upstream intf:vlan70 admin-port:443
    authorizer:FG201ETK18902514

  2. To show the upstream FortiGate after the downstream FortiGate joins the Security Fabric, run the diagnose sys csf upstream command in the downstream FortiGate (Marketing) CLI. The output should resemble the following:

    Marketing # diagnose sys csf upstream
    Upstream Information:
    Serial Number:FG201ETK18902514
    IP:192.168.7.2
    Connecting interface:wan1
    Connection status:Authorized

  3. To show the quarantined endpoint host in the connected FortiGate, run the following command in the downstream FortiGate (Marketing) CLI. The output lists the quarantined host's MAC address and hostname:

    Marketing # show user quarantine
    config user quarantine
        config targets
            edit "PC2"
                set description "Manually quarantined"
                config macs
                    edit 00:0c:29:3d:89:39
                        set description "manual-qtn Hostname: PC2"
                    next
                end
            next
        end
    end
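As an added example (not part of the Fortinet recipe and not Fortinet code), the Python script below parses the two CLI outputs shown in this section, diagnose sys csf downstream and show user quarantine, so that fabric membership and quarantine state can be checked automatically, for instance over output collected from each FortiGate's CLI by SSH, rather than read by eye. The sample text is constructed from the outputs on this page. The field names, the fabric_findings rules (telemetry data received, authorizer equal to the root serial, path running from the root to the device) and the extraction of the hostname from the description string are this example's own assumptions, not a FortiOS API.

```python
"""Parse and check the two FortiOS CLI outputs shown in this recipe ('diagnose sys csf
downstream' and 'show user quarantine'). Added example, not Fortinet code; the samples
are constructed from the page's outputs and the check rules are this example's own."""
import re

# Constructed sample: root FortiGate (Edge) output from the diagnose step.
CSF_DOWNSTREAM = """\
Edge # diagnose sys csf downstream
1: FG101ETK18002187 (192.168.7.3) Management-IP: 0.0.0.0 Management-port:0 parent: FG201ETK18902514
path:FG201ETK18902514:FG101ETK18002187
data received: Y downstream intf:wan1 upstream intf:vlan70 admin-port:443
authorizer:FG201ETK18902514
"""
# Constructed sample: downstream FortiGate (Marketing) output after quarantining PC2.
QUARANTINE_CONFIG = """\
Marketing # show user quarantine
config user quarantine
    config targets
        edit "PC2"
            set description "Manually quarantined"
            config macs
                edit 00:0c:29:3d:89:39
                    set description "manual-qtn Hostname: PC2"
                next
            end
        next
    end
end
"""

ENTRY_RE = re.compile(r"^\d+:\s+(?P<serial>\S+)\s+\((?P<ip>[\d.]+)\).*?parent:\s*(?P<parent>\S+)")
DATA_RE = re.compile(r"data received:\s*(\w)\s+downstream intf:(\S+)\s+upstream intf:(\S+)\s+admin-port:(\d+)")

def parse_csf_downstream(text):
    """One dict per numbered entry; the detail lines that follow an entry attach to it."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append({**m.groupdict(), "path": [], "data_received": False, "downstream_intf": "",
                            "upstream_intf": "", "admin_port": 0, "authorizer": ""})
            continue
        if not entries:
            continue  # the CLI prompt precedes the first entry
        cur = entries[-1]
        if line.startswith("path:"):
            cur["path"] = line[len("path:"):].split(":")
        elif line.startswith("authorizer:"):
            cur["authorizer"] = line.split(":", 1)[1].strip()
        elif DATA_RE.search(line):
            d = DATA_RE.search(line)
            cur.update(data_received=d[1].upper() == "Y", downstream_intf=d[2],
                       upstream_intf=d[3], admin_port=int(d[4]))
    return entries

def fabric_findings(root_serial, entries):
    """Conditions worth flagging after authorizing a downstream FortiGate (this example's rules)."""
    findings = []
    for e in entries:
        if not e["data_received"]:
            findings.append(f"{e['serial']}: no telemetry data received yet")
        if e["authorizer"] != root_serial:
            findings.append(f"{e['serial']}: authorized by '{e['authorizer']}', not by root {root_serial}")
        if not e["path"] or e["path"][0] != root_serial or e["path"][-1] != e["serial"]:
            findings.append(f"{e['serial']}: path {':'.join(e['path'])} does not run from root to device")
    return findings

def parse_quarantine(text):
    """Flatten the nested 'config user quarantine' block into one dict per quarantined MAC."""
    hosts, target, mac, in_macs = [], None, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "config macs":
            in_macs = True
        elif line.startswith("edit "):
            name = line[5:].strip().strip('"')
            if in_macs:
                mac = name.lower()  # MAC entries are unquoted; normalize case for lookups
            else:
                target = name       # target name, the quarantined host's label ("PC2")
        elif line.startswith("set description") and in_macs and mac:
            desc = line.split(None, 2)[2].strip('"')
            host = re.search(r"Hostname:\s*(\S+)", desc)  # assumed description layout
            hosts.append({"target": target, "mac": mac, "hostname": host[1] if host else None,
                          "description": desc})
        elif line == "end" and in_macs:
            in_macs, mac = False, None
    return hosts

def is_quarantined(hosts, mac):
    """Case-insensitive check of a MAC against the parsed quarantine list."""
    return any(h["mac"] == mac.lower() for h in hosts)

if __name__ == "__main__":
    members = parse_csf_downstream(CSF_DOWNSTREAM)
    print("fabric findings:", fabric_findings("FG201ETK18902514", members) or "none")
    for h in parse_quarantine(QUARANTINE_CONFIG):
        print(f"quarantined {h['mac']} (hostname {h['hostname']}) under target {h['target']!r}")
```

Run as-is, the script reports no fabric findings for the recipe's topology and lists PC2's MAC address as quarantined. Fed the same two commands' output from a live fabric, it flags a downstream FortiGate whose telemetry has not arrived, one that was authorized by a device other than the root, or a path that does not lead back to the root, and it confirms whether a given MAC address is still quarantined after the Quarantine Host action.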
