In this recipe, you configure a Fortinet Security Fabric that consists of four FortiGate devices and a FortiAnalyzer. One of the FortiGate devices acts as the network edge firewall and root FortiGate of the Security Fabric, while the other FortiGate devices function as Internal Segmentation Firewalls (ISFWs).
The example network uses the following FortiGate aliases:
1. Edge: the root FortiGate in the Security Fabric. This FortiGate is named “Edge” because it’s the only FortiGate that directly connects to the Internet. This role is also known as the gateway FortiGate.
2. Accounting: an ISFW FortiGate that connects to Edge.
3. Marketing: an ISFW FortiGate that connects to Edge.
4. Sales: an ISFW FortiGate that connects to Marketing.
Note: Not all FortiGate models can run the FortiGuard Security Rating Service if they are the root FortiGate in a Security Fabric.
1. Configuring Edge
In the Security Fabric, Edge is the root FortiGate. This FortiGate receives information from the other FortiGates in the Security Fabric.
In the example, the following interfaces on Edge connect to other network devices:
Port 9 connects to the Internet (this interface was configured when Edge was installed)
Port 10 connects to Accounting (IP address: 192.168.10.2)
Port 11 connects to Marketing (IP address: 192.168.200.2)
Port 16 connects to the FortiAnalyzer (IP address: 192.168.55.2)
To edit port 10 on Edge, go to Network > Interfaces. Set an IP/Network Mask for the interface (in the example, 192.168.10.2/255.255.255.0).
Set Administrative Access to allow FortiTelemetry, which is required so that FortiGates in the Security Fabric can communicate with each other.
Repeat this step to configure the other interfaces with the appropriate IP addresses, as listed above.
To create a policy for traffic from Accounting to the Internet, go to Policy & Objects > IPv4 Policy.
Enable NAT.
Repeat this step to create a similar policy for Marketing.
On Edge, go to System > Feature Select. Under Additional Features, enable Multiple Interface Policies.
To create a policy that allows Accounting and Marketing to access the FortiAnalyzer, go to Policy & Objects > IPv4 Policy.
To enable communication between the FortiGates in the Security Fabric, go to Security Fabric > Settings and enable FortiGate Telemetry. Set a Group name and Group password (the Group password option isn’t available in FortiOS 6.0.3 and later).
FortiAnalyzer Logging is enabled by default. Set IP address to an internal address that will later be assigned to port 1 on the FortiAnalyzer (in the example, 192.168.65.10). Set Upload option to Real Time.
Select Test Connectivity. An error appears because the FortiGate isn’t yet authorized on the FortiAnalyzer. This authorization is configured in a later step.
2. Installing Accounting and Marketing
To edit wan1 on Accounting, go to Network > Interfaces.
Set an IP/Network Mask for the interface that is on the same subnet as port 10 on Edge (in the example, 192.168.10.10/255.255.255.0).
Under Administrative Access, select HTTPS and SSH to allow Edge to use this interface to manage the FortiGate.
Edit the lan interface.
Set Addressing mode to Manual and set the IP/Network Mask to a private IP address (in the example, 10.10.10.1/255.255.255.0).
Set Administrative Access to allow FortiTelemetry.
If you require the FortiGate to provide IP addresses using DHCP to devices that connect to this interface, enable DHCP Server.
Under Networked Devices, enable Device Detection.
To add a static route, go to Network > Static Routes. Set Gateway to the IP address of port 10 on Edge.
To create a policy to allow users on the Accounting network to access Edge, go to Policy & Objects > IPv4 Policy.
To add Accounting to the Security Fabric, go to Security Fabric > Settings. Enable FortiGate Telemetry, then enter the same Group name and Group password that you set previously on Edge (the Group password option isn’t available in FortiOS 6.0.3 and later).
Enable Connect to upstream FortiGate and enter the IP address of port 10 on Edge.
FortiAnalyzer Logging is enabled by default. Settings for the FortiAnalyzer are retrieved when Accounting connects to Edge.
Connect WAN 1 on Accounting to port 10 on Edge.
Connect and configure Marketing, using the same method that you used to configure Accounting. Make sure you complete the following steps:
1. Configure WAN 1 to connect to Edge (IP address: 192.168.200.10/255.255.255.0) and allow HTTPS and SSH access.
2. Configure the LAN interface for the Marketing network (IP address: 10.10.200.2/255.255.255.0).
3. Create a static route pointing traffic to port 11 on Edge.
4. Create a policy to allow users on the Marketing network to access Edge.
5. Add Marketing to the Security Fabric.
If you’re using FortiOS 6.0.3 and later, connect to Edge and go to Security Fabric > Settings. Authorize both Accounting and Marketing to join the Security Fabric.
3. Installing Sales
To edit the interface on Marketing that connects to Sales (in the example, port12), go to Network > Interfaces.
Set an IP/Network Mask for the interface (in the example, 192.168.135.2/255.255.255.0).
Set Administrative Access to allow FortiTelemetry.
To create a policy for traffic from Sales to Edge, go to Policy & Objects > IPv4 Policy.
Enable NAT.
To edit wan2 on Sales, go to Network > Interfaces.
Set an IP/Network Mask for the interface that’s on the same subnet as the internal 14 interface on Marketing (in the example, 192.168.135.10/255.255.255.0).
Under Administrative Access, select HTTPS and SSH.
Edit the lan interface.
Set Addressing Mode to Manual, and set the IP/Network Mask to a private IP address (in the example, 10.10.135.1/255.255.255.0).
Set Administrative Access to allow FortiTelemetry.
If you require the FortiGate to provide IP addresses using DHCP to devices that connect to this interface, enable DHCP Server.
Under Networked Devices, enable Device Detection.
To add a default route, go to Network > Static Routes. Set Gateway to the IP address of the internal 14 interface on Marketing.
To create a policy that allows users on the Sales network to access Marketing, go to Policy & Objects > IPv4 Policy.
To add Sales to the Security Fabric, go to Security Fabric > Settings. Enable FortiGate Telemetry, then enter the same Group name and Group password that you set previously. If you’re using FortiOS 6.0.3 and later, just enter the same Group name.
Enable Connect to upstream FortiGate and enter the IP address of the internal 14 interface on Marketing.
FortiAnalyzer Logging is enabled by default. Settings for the FortiAnalyzer are retrieved when Accounting connects to Edge.
Connect WAN 2 on Sales to internal 14 on Marketing.
If you’re using FortiOS 6.0.3 and later, connect to Edge and go to Security Fabric > Settings. Authorize Sales to join the Security Fabric.
4. Configuring the FortiAnalyzer
To use the FortiAnalyzer in the Security Fabric, make sure that the firmware is compatible with the version of FortiOS on the FortiGates. To check for compatibility, see the FortiAnalyzer Release Notes.
To edit the port on FortiAnalyzer that connects to Edge (in the example, port4), go to System Settings > Network and select All Interfaces.
Set IP Address/Netmask to the IP address that you use to configure the Security Fabric settings on Edge (192.168.65.10/255.255.255.0).
Add a Default Gateway, using the IP address of port 16 on Edge.
Go to Device Manager. The FortiGates are listed as Unregistered.
Select the FortiGates, then select +Add.
The FortiGates now appear as Registered.
After a moment, a warning icon appears beside Edge because the FortiAnalyzer needs administrative access to the root FortiGate in the Security Fabric.
Double-click on the FortiGate to enter the Authentication information.
On Edge, go to Security Fabric > Settings. FortiAnalyzer Logging now shows Storage usage information.
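The steps above only work if the addressing plan is consistent: each ISFW’s uplink must share a subnet with the upstream port it connects to, its static-route gateway must be that port’s IP, the upstream port must allow FortiTelemetry, and the FortiAnalyzer must sit in the subnet of Edge’s port 16. The following Python script, an added example that is not part of the recipe, encodes the recipe’s addresses and checks those dependencies before anything is configured; the `"fabric"` tag is an assumed label for the FortiTelemetry checkbox, and the FortiAnalyzer interface is named `port4` as in step 4.

```python
"""Pre-deployment check of the Security Fabric addressing plan used in this recipe."""
from ipaddress import IPv4Address, IPv4Interface

# (device, interface) -> (address/mask, administrative access). Values are the
# recipe's; "fabric" is an assumed label for the FortiTelemetry checkbox in the GUI.
PLAN = {
    ("Edge", "port10"):         ("192.168.10.2/24",   {"fabric"}),
    ("Edge", "port11"):         ("192.168.200.2/24",  {"fabric"}),
    ("Edge", "port16"):         ("192.168.55.2/24",   set()),
    ("Accounting", "wan1"):     ("192.168.10.10/24",  {"https", "ssh"}),
    ("Marketing", "wan1"):      ("192.168.200.10/24", {"https", "ssh"}),
    ("Marketing", "port12"):    ("192.168.135.2/24",  {"fabric"}),
    ("Sales", "wan2"):          ("192.168.135.10/24", {"https", "ssh"}),
    ("FortiAnalyzer", "port4"): ("192.168.65.10/24",  set()),
}
# Each fabric link: downstream uplink, upstream interface, and the gateway entered
# in the downstream static route (also the "Connect to upstream FortiGate" address).
LINKS = [
    (("Accounting", "wan1"), ("Edge", "port10"),      "192.168.10.2"),
    (("Marketing", "wan1"),  ("Edge", "port11"),      "192.168.200.2"),
    (("Sales", "wan2"),      ("Marketing", "port12"), "192.168.135.2"),
]
FAZ_SERVER = "192.168.65.10"  # FortiAnalyzer IP entered on Edge (Security Fabric > Settings)
FAZ_GATEWAY = "192.168.55.2"  # default gateway entered on the FortiAnalyzer (Edge port 16)

def check_plan(plan, links, faz_server, faz_gateway):
    """Return a list of findings; an empty list means the plan is consistent."""
    findings = []
    for down, up, gw in links:
        d_if, u_if = IPv4Interface(plan[down][0]), IPv4Interface(plan[up][0])
        if d_if.network != u_if.network:
            findings.append(f"{down[0]}/{down[1]}: {d_if} is not in {u_if.network}")
        if IPv4Address(gw) != u_if.ip:
            findings.append(f"{down[0]}: route gateway {gw} is not upstream IP {u_if.ip}")
        if "fabric" not in plan[up][1]:
            findings.append(f"{up[0]}/{up[1]}: FortiTelemetry not allowed on upstream side")
    faz_if = IPv4Interface(plan[("FortiAnalyzer", "port4")][0])
    edge_faz_if = IPv4Interface(plan[("Edge", "port16")][0])
    if IPv4Address(faz_server) != faz_if.ip:
        findings.append(f"Edge: FortiAnalyzer server {faz_server} is not {faz_if.ip}")
    if IPv4Address(faz_gateway) != edge_faz_if.ip:
        findings.append(f"FortiAnalyzer: gateway {faz_gateway} is not Edge port16 {edge_faz_if.ip}")
    if faz_if.network != edge_faz_if.network:
        findings.append(f"FortiAnalyzer: {faz_if} is not in Edge port16 subnet {edge_faz_if.network}")
    return findings

if __name__ == "__main__":
    for line in check_plan(PLAN, LINKS, FAZ_SERVER, FAZ_GATEWAY) or ["plan is consistent"]:
        print(line)
```

Run as written, the check reports that the FortiAnalyzer’s 192.168.65.10/24 and Edge’s port 16 at 192.168.55.2/24 are in different /24s, so reconcile those two addresses (and the port 1 / port 4 naming) before deploying.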
5. Results
On Edge, go to Dashboard > Main. The Security Fabric widget displays the names of the FortiGates in the Security Fabric.
The icons on the top of the widget indicate the other Fortinet devices that can be used in a Security Fabric. Devices in blue are detected in your network, devices in gray aren’t detected in your network, and devices in red are also not detected in your network but are recommended for a Security Fabric.
If either of these widgets doesn’t appear on your dashboard, you can add it using the settings button in the bottom right corner.
Go to Security Fabric > Physical Topology. This page shows a visualization of access layer devices in the Security Fabric.
Go to Security Fabric > Logical Topology. This dashboard displays information about the interface (logical or physical) that each device in the Security Fabric connects to.
On the FortiAnalyzer, go to Device Manager. The FortiGates are now shown as part of a Security Fabric group. The * beside Edge indicates that it’s the root FortiGate in the Security Fabric.
Right-click on the Security Fabric group and select Fabric Topology. The topology of the Security Fabric is displayed.
6. (Optional) Adding security profiles to the Security Fabric
The Security Fabric allows you to distribute security profiles to different FortiGates in your network, which can lessen the workload of each device and avoid creating bottlenecks. For example, you can implement antivirus scanning on Edge while the ISFW FortiGates apply application control and web filtering.
This results in distributed processing between the FortiGates in the Security Fabric, which reduces the load on each one. It also allows you to customize the web filtering and application control for the specific needs of the Accounting network since other internal networks may have different application control and web filtering requirements.
This configuration may result in threats getting through Edge, which means you should very closely limit access to the network connections between the FortiGates in the network.
To edit the policy that allows traffic from Accounting to the Internet, connect to Edge and go to Policy & Objects > IPv4 Policy.
Under Security Profiles, enable AntiVirus and select the default profile.
SSL Inspection is enabled by default. Set it to the deep-inspection profile.
Do the same for the policy that allows traffic from Marketing to the Internet.
To edit the policy that allows traffic from the Accounting network to Edge, connect to Accounting and go to Policy & Objects > IPv4 Policy.
Under Security Profiles, enable Web Filter and Application Control. Select the default profiles for both.
Repeat this step for both Marketing and Sales.