
FORTINET SECURITY FABRIC

Hands on Lab
v1.2

FortiGate 7.0.1 | FortiManager 7.0.1 | FortiAnalyzer 7.0.1


CSE Security Fabric Hands on Lab

Contents

1. The Fortinet Security Fabric ... 3
2. Security Fabric Lab intro ... 5
   2.1 Lab Topology & Preparations ... 5
   2.2 Basic lab setup ... 7
      2.2.1 Initial configuration on FortiAnalyzer ... 7
      2.2.2 Configure ADOM on FortiManager ... 10
   2.3 Lab status before setting up Security Fabric ... 14
      2.3.1 Status dashboard ... 14
      2.3.2 Physical Topology ... 15
      2.3.3 Logical Topology ... 15
      2.3.4 Security Fabric configurations ... 16
      2.3.5 FortiAnalyzer ... 16
      2.3.6 FortiManager ... 17
      2.3.7 Authentication ... 17
3. Security Fabric setup ... 18
   3.1 Initial SF setup ... 18
      3.1.1 Enterprise-Core ... 18
      3.1.2 Enterprise_FortiAnalyzer ... 21
   3.2 Add SAML to initial SF setup ... 25
      3.2.1 Enterprise-Core ... 26
      3.2.2 Enterprise_FortiAnalyzer ... 27
   3.3 Add remaining FortiGates ... 29
      3.3.1 Enterprise_First_Floor SF configurations ... 29
      3.3.2 Enterprise_Second_Floor SF configurations ... 34
   3.4 Enterprise_FortiManager ... 37
      3.4.1 Security Fabric setup ... 37
      3.4.2 SAML setup ... 42
4. Testing ... 47
   4.1 Authentication and Single Sign-On ... 47
      4.1.1 Initial login in the SAML IdP ... 47
      4.1.2 Initial login on different fabric device ... 50
   4.2 Single pane of glass management ... 51
   4.3 Visibility and Fabric topologies ... 54
      4.3.1 Network layout ... 54
      4.3.2 Simplified monitoring ... 59
   4.4 Using Security Rating ... 61
   4.5 Automation across the fabric ... 64
      4.5.1 Automation trigger ... 67
      4.5.2 Automation Action ... 68
      4.5.3 Automation Stitch ... 69
      4.5.4 Testing Automation ... 70
Appendix A: Security Fabric Troubleshooting & Debugging ... 74
Appendix B: Documentation References ... 75
   Feature Documentation ... 75
   Solution Hub ... 75
Appendix C: Open bugs affecting this lab ... 76
Change Log ... 77

1. The Fortinet Security Fabric


The Fortinet Security Fabric consists of different components that work together to secure your network.

Two types of devices are required to create a Fortinet Security fabric: FortiGate and FortiAnalyzer.

FortiGate devices are the core of the Security Fabric and can have one of the following roles:

• Root: The root FortiGate is the main component in the Security Fabric. It is typically located on
the edge of the network and connects the internal devices and networks to the Internet through
your ISP. From the root FortiGate, you can see information about the entire Security Fabric on
the Physical and Logical Topology pages in the GUI.
• Downstream: After a root FortiGate is installed, all other FortiGate devices in the Security Fabric
act as Internal Segmentation Firewalls (ISFWs), located at strategic points in your internal
network, rather than on the network edge. This allows extra security measures to be taken
around key network components, such as servers that contain valuable intellectual property.
ISFW FortiGate devices create network visibility by sending traffic and information about the
devices that are connected to them to the root FortiGate.

FortiAnalyzer is a key component in the Security fabric and gives you increased visibility into your
network, centralized monitoring, and awareness of threats, events, and network activity by collecting
and correlating logs from all Security Fabric devices. This gives you a deeper and more comprehensive
view across the entire Security Fabric.

Other types of devices are recommended and optional, such as:

• FortiADC
• FortiAP
• FortiClient
• FortiClient EMS
• FortiDDoS
• FortiMail
• FortiManager
• FortiSandbox
• FortiSwitch
• FortiWeb
• FortiWLC
• FortiNAC
• FortiAI
• FortiDeceptor
• Other Fortinet products
• Third-party products

2. Security Fabric Lab intro

In this lab, we examine a sample Security Fabric solution, its setup process and key features. We will also
review key concepts and introduce debug commands to help set up, verify and troubleshoot the Security
Fabric.

This lab includes the setup, configuration and use of Security Fabric features in FortiOS, FortiAnalyzer
and FortiManager, in a lab environment designed to simulate an existing customer network that has
multiple FortiGates and decides to build a Security Fabric by adding a FortiAnalyzer and a
FortiManager.

2.1 Lab Topology & Preparations


This lab is built upon the FortiDemo 7.0 GA mini topology.

When you start a new instance of the CSE SF HoL lab, it will use the following naming convention:

- Lab_FQDN: user-lab_name.fortidemo.fortinet.com

This means that when your lab is initialized, you will be able to resolve the IP address of the assigned
FQDN from the internet.

During this lab, we will use the term “Lab_FQDN” to represent the FQDN you will use to manage the lab
devices and execute the lab exercises.

You will need to interact with 5 devices:

Device                      Comments
Enterprise Core             This will become the Security Fabric root FortiGate
Enterprise First Floor      This FortiGate has one VDOM configured and protects multiple networks
Enterprise Second Floor     This FortiGate protects multiple networks and controls a FortiSwitch to
                            which multiple endpoints are connected.
Enterprise FortiAnalyzer    This FortiAnalyzer will hold all the logs and reporting for the new
                            Security Fabric
Enterprise FortiManager     The FortiManager will be used to centrally manage the FortiGate devices.

The HTTPS management interface of every device in the lab environment is accessible from the internet
using port forwarding, namely:

Device                      Management URL
Enterprise Core             https://Lab_FQDN:10402
Enterprise First Floor      https://Lab_FQDN:10403
Enterprise Second Floor     https://Lab_FQDN:10406
Enterprise FortiAnalyzer    https://Lab_FQDN:10404
Enterprise FortiManager     https://Lab_FQDN:10405

You will use this “Lab_FQDN” and port numbers several times during this lab, so keep track of this
information.

We advise you to keep one browser tab open for each of these devices. During this lab you will need to
move your focus between them.

2.2 Basic lab setup


When you start the lab, you will find that:

- Devices are configured and working
- Endpoints are active and generating traffic
- The Fortinet Security Fabric isn’t set up
- FortiAnalyzer and FortiManager have basic network and licensing configuration but aren’t
integrated with the FortiGates.

Before we focus on the Security Fabric features, there are a few initial configurations you will need to
perform.

2.2.1 Initial configuration on FortiAnalyzer


FortiAnalyzer supports multiple Security Fabrics reporting to it. In most situations, it’s a good option to
use ADOMs to provide management isolation.

We will finish the initial setup of FAZ and will also create a new ADOM, named Production, that will be
used to hold the configuration for this Hands on lab.

To do this, you will need to go to the FortiAnalyzer GUI available in https://Lab_FQDN:10404.

Once there, execute these actions:

1. Login to FortiAnalyzer
2. You will be presented with a pop-up window to complete the FortiAnalyzer setup
3. Click Begin
4. In “Register and SSO with FortiCare”, you can leave the default settings
5. For timezone, select the timezone of your lab environment. It can be the same as the one
configured on Enterprise_Core.
6. Define the hostname to be Enterprise_FortiAnalyzer

7. Finish this part of the setup


8. You are now on the FortiAnalyzer selection cards. Select Device Manager

9. In this lab environment, there is already one FortiGate sending logs to this FAZ. This specific
FortiGate is not going to be used during the Security Fabric Hands on Lab tasks.
10. Click on Unauthorized Devices:

11. Select the unauthorized FortiGate and click on Authorize:

12. On the Authorize Device window, press OK:

You have authorized this device to send its logs to the FAZ root ADOM.
Let’s continue with the FAZ setup.

13. Click on Device Manager on the top left corner and select System Settings

14. The System Settings configuration page will be displayed


15. On the left menu, select All ADOMs and select Enable ADOM

16. You will be asked if “…you want to enable administrative domain feature”. Click OK
17. You will be logged out from FAZ.
18. Login again to FAZ and select the “root” ADOM, the only one available.
19. Select System Settings
20. On the left menu, select All ADOMs and then select the option +Create New

21. On the name, fill in with “Production”


22. Make sure the Type is Fabric
23. The Create New ADOM Window should look like this. Click OK.

24. You will receive a warning that “ADOM disk quota is set to be unlimited”. Proceed.
25. After a few seconds the ADOM will be created.
26. You can logout from FAZ

FortiAnalyzer initial setup is now complete.

2.2.2 Configure ADOM on FortiManager


FortiManager supports multiple devices and Security Fabrics. In most situations, it’s a good option to use
ADOMs to provide management isolation when multiple Security Fabrics are managed.

We will finish the basic initial setup of FMG and will also create a new ADOM, named Production, that
will be used to hold the configuration for this Hands on lab.

The following steps are very similar to the ones performed on 2.2.1 Initial configuration on
FortiAnalyzer.

To do this, you will need to go to the FortiManager GUI available in https://Lab_FQDN:10405.

Once there, execute these actions:

1. Login to FortiManager
2. You will be presented with a pop-up window to complete the FortiManager setup

3. Click Begin
4. In “Register and SSO with FortiCare”, you can use the default settings
5. For timezone, select the timezone of your lab environment. It can be the same as the one
configured on Enterprise_Core.
6. Define the hostname to be Enterprise_FortiManager
7. Finish this part of the setup
8. You are now on the FortiManager selection cards menu. Select System Settings

9. On the left menu, select All ADOMs and select Enable ADOM

10. You will be asked if “…you want to enable administrative domain feature”. Click OK
11. You will be logged out from FMG.
12. Login again to FMG and select the “root” ADOM.
13. Select System Settings
14. On the left menu, select All ADOMs and then select the option +Create New

15. On the name, fill in with “Production”


16. Make sure the Type is FortiGate version 7.0

17. The Create New ADOM Window should look like this. Click OK.

18. After a few seconds the ADOM will be created.


19. You can logout from FortiManager

FortiManager initial setup is now complete.

2.3 Lab status before setting up Security Fabric


After you have completed the previous setup of FAZ and FMG, you will find that:

- Devices are configured and working
- Endpoints exist and generate traffic
- The Fortinet Security Fabric isn’t set up
- FortiAnalyzer and FortiManager are preconfigured but aren’t integrated with the FortiGates.

This also means you can’t yet take full advantage of many Security Fabric features.

Let’s look at some details.

2.3.1 Status dashboard


Notice how the Security Fabric is disabled on the FortiGates.

2.3.2 Physical Topology


The physical topology shows the directly connected devices, without any visibility into networks sitting
behind the other FortiGates.

2.3.3 Logical Topology


On the logical topology we can view more details of the networks, interfaces and devices directly
connected to the Enterprise Core FortiGate.

2.3.4 Security Fabric configurations


On the different FortiGates present in this lab environment, you will find that the Fortinet Security Fabric
is not yet configured. These settings are available in the Security Fabric -> Fabric Connectors menu.

2.3.5 FortiAnalyzer
The FortiAnalyzer has now been configured with ADOMs enabled, and one ADOM called Production has
been created for the integration with the Security fabric. No devices are mapped to this ADOM yet.

2.3.6 FortiManager
Similar to FortiAnalyzer, FortiManager has now been configured with ADOMs enabled, and one ADOM
called Production supporting fabric and version 7.0. This ADOM will be used for the integration with the
Security Fabric, but no device has been assigned to it at this point.

2.3.7 Authentication
Notice that each time you need to access one of these devices, you need to enter the admin credentials
on the different login screens. Also, there is no reference to Single Sign-On (SSO), but this will change
later.

3. Security Fabric setup


Now that you are familiar with the lab environment and have tested the access to all components, it’s
time to start the configurations.

We will focus exclusively on the Security Fabric relevant configurations on all the FortiGates,
FortiAnalyzer and FortiManager.

3.1 Initial SF setup


We will start by configuring the minimum mandatory components for a Fortinet Security Fabric:

- The root FortiGate: hostname is Enterprise-Core

- The FortiAnalyzer: hostname is Enterprise_FortiAnalyzer

3.1.1 Enterprise-Core
The Enterprise-Core FortiGate will act as the root FortiGate, the main component in the Security Fabric.

To configure it you will need to go to Security Fabric -> Fabric Connectors and double click the Security
Fabric Setup card.

The Edit Fabric Connector page will open. It’s here where most of the Security Fabric configurations will
take place.

Now perform the following configurations:

1. Set the Status to Enabled
2. Set the Security Fabric role to Serve as Fabric Root
o When you perform this configuration step and there is no FortiAnalyzer configured, the
Cloud Logging Settings will automatically appear. This is because a Fortinet Security
Fabric requires centralized logging and the wizard directs you to the cloud logging
option.
3. Click OK on the Cloud Logging Settings window. We will disable it at a later stage, after we
set up FortiAnalyzer.
4. You are now back on the Edit Fabric Connector page.
5. In the Fabric name field, you can use fabric.
6. Make sure the interface “ISFW (port3)” is selected to “Allow other Security Fabric devices to
join”. This will enable the Security Fabric management protocols on this interface.
7. On Management IP/FQDN select Specify and input your “Lab_FQDN”
8. On Management port select Specify and use the port 10402
o Although we won’t be configuring SAML Single Sign-on yet, you should ensure the
Management IP/FQDN reflects your “Lab_FQDN” and the Management port has the
port forwarding port of the Enterprise Core FortiGate.
9. Your configuration should look like the one pictured below.

10. Click OK. You have just initialized the Fortinet Security Fabric for your lab environment.
11. You will be prompted with a Confirmation Window, on which you can click OK.

You have just created your Fortinet Security Fabric, which for simplicity we just named fabric.

This is now visible on the Security Fabric Setup card in the menu Security Fabric -> Fabric
Connectors.

Notice on the top right side of the screen that currently the fabric only has the Enterprise Core FortiGate
in it.

It’s also important to notice that the current logging configuration is set to FortiAnalyzer Cloud. Since we
have a dedicated FortiAnalyzer for this environment, we will now proceed to configure it.

3.1.2 Enterprise_FortiAnalyzer
To integrate the FortiAnalyzer with the fabric, we need to configure it on the FortiAnalyzer Logging card
available on the menu Security Fabric -> Fabric Connectors of the Enterprise-Core FortiGate user
interface.

Make sure you perform the following actions on the FortiAnalyzer Settings window to correctly
configure the FortiAnalyzer:

20. Set Status to Enabled


21. The IP address is 10.100.88.2
22. Set Upload option to Real time
23. Make sure the options “Allow access to FortiGate REST API” and “Verify FortiAnalyzer
certificate” are enabled
24. Your configuration screen should look like this. Click OK to continue.

25. The FortiGate will connect to FortiAnalyzer and retrieve some information. The serial number of
the FortiAnalyzer will be presented to you. Click Accept.

26. You will also be presented with a new window mentioning that “This FortiGate is not authorized
on FortiAnalyzer…”. It presents the options to Refresh, Authorize and Close. Because we won’t
be using this feature, please select Close.

You are back to the menu Security Fabric -> Fabric Connectors. Notice that the FortiAnalyzer Logging
status is down (marked with a red arrow pointing down).

This is because we need to Authorize the FortiAnalyzer to receive logs from the Enterprise Core
FortiGate.

To do this, you will need to go to the FortiAnalyzer GUI available in https://Lab_FQDN:10404.

Once there, execute these actions:

27. Go to the ADOM root

28. Select the Device Manager option


29. There you will have information for 1 Unauthorized Devices. Click on Unauthorized Devices
30. You will see the Enterprise-Core FortiGate. Select it and click Authorize
31. IMPORTANT: When Authorizing the device, add it to the Production ADOM.

32. Now go to the Production ADOM -> Device Manager


33. You will see the Enterprise-Core FortiGate there.

34. It takes a few minutes for FortiAnalyzer to recognize that this FortiGate is the root for a Security
Fabric. Once that task is done, this view will change slightly. Let’s continue with the setup
process.

Now that FortiAnalyzer is set up, we can remove the FortiAnalyzer Cloud configuration from the
Enterprise-Core.

To do this:

35. Go to the Enterprise-Core FortiGate


36. Select the menu Security Fabric -> Fabric Connectors
37. Double click the “Cloud Logging” card

38. Set the Status to Disabled


39. Click OK.
40. The “Cloud Logging” card should now be greyed out.

Congratulations. You now have the basic Fortinet Security Fabric configured and working.

Let’s continue with the rest of the setup process.
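
For readers who prefer the CLI, the following is an added example (not part of the original lab guide) showing the FortiOS 7.0 CLI equivalent of the section 3.1 GUI steps on Enterprise-Core: enabling the fabric protocols on port3, declaring the unit as root, pointing logging at the lab FortiAnalyzer and disabling cloud logging. The fabric name, IP addresses and ports are the lab's own; “Lab_FQDN” is the placeholder the lab uses and must be replaced with your assigned FQDN. The keyword names are as found in the 7.0 CLI; confirm them on your build with `?` at the prompt, since the GUI wizard is the path this lab supports.

```fortios
# Added example: CLI equivalent of section 3.1 on Enterprise-Core (root FortiGate).
# Lab values: fabric name "fabric", ISFW interface port3, FortiAnalyzer 10.100.88.2,
# management port 10402. "Lab_FQDN" is a placeholder for your assigned lab FQDN.

# Step 6: allow the Security Fabric protocols on the ISFW interface.
# "append" adds "fabric" to allowaccess without dropping what is already enabled.
config system interface
    edit "port3"
        append allowaccess fabric
    next
end

# Steps 1-8: enable the fabric and act as root. A FortiGate is the root when no
# upstream is configured; management-ip/port are reused by SAML SSO later (3.2).
config system csf
    set status enable
    set group-name "fabric"
    set management-ip "Lab_FQDN"
    set management-port 10402
end

# Section 3.1.2: real-time logging to the lab FortiAnalyzer. access-config is the
# "Allow access to FortiGate REST API" checkbox; certificate verification stays on.
config log fortianalyzer setting
    set status enable
    set server "10.100.88.2"
    set upload-option realtime
    set access-config enable
    set certificate-verification enable
end

# Steps 35-40: the wizard enabled cloud logging; turn it off now that a
# dedicated FortiAnalyzer is configured.
config log fortianalyzer-cloud setting
    set status disable
end

# Checks: FortiAnalyzer reachability (status stays down until the FortiGate is
# authorized on the FortiAnalyzer side) and the current fabric membership.
execute log fortianalyzer test-connectivity
diagnose sys csf downstream
```

The FortiAnalyzer-side authorization into the Production ADOM (steps 27-34) has no FortiGate CLI equivalent; it is performed on the FortiAnalyzer, as the lab describes.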

3.2 Add SAML to initial SF setup


Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and
authorization data between one Identity Provider (IdP) and one or more Service Providers (SP). Both
parties exchange XML-based messages. FortiGate firewall devices can be configured as either IdP or SP.

When Security Fabric is enabled, you can configure the root FortiGate as the IdP. You can also configure
downstream FortiGates to be automatically configured as SPs, with all links required for SAML
communication, when added to the Security Fabric. Administrators must still be authorized on each
device. Credentials are verified by the root FortiGate, and login information is shared between devices.
Once authorized, an administrator can move between fabric devices without logging in again.

The authentication service is provided by the root FortiGate using local system admin accounts for
authentication. Any of the administrator account types can be used for SAML log in. After successful
authentication, the administrator logs in to the first downstream FortiGate SP, and can then connect to
other downstream FortiGates that have the SSO account properly configured, without needing to
provide credentials again, as long as admins use the same browser session.

In summary, the root FortiGate IdP performs SAML SSO authentication, and individual device
administrators define authorization on FortiGate SPs by using security profiles.

Let’s proceed to configure SAML in the existing Security Fabric devices.

3.2.1 Enterprise-Core
The Enterprise-Core FortiGate will be the SAML IdP.

To configure it follow these steps:

1. Go to the Enterprise-Core FortiGate


2. Select the menu Security Fabric -> Fabric Connectors
3. Enter the Security Fabric Setup card
4. Enable the option “SAML Single Sign-On”
5. Select the IdP Certificate. In this case you will select the FortiDemo certificate, which we
preloaded to this environment.
6. Make sure the Management IP/FQDN is correct and that the management Port is 10402, which
is the port forwarding port we are using in this environment to reach the Enterprise-Core GUI.
7. Your configuration should be similar to this:

8. Click OK

The Enterprise-Core FortiGate is now the SAML IdP for this Security Fabric.
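
The CLI equivalent of the section 3.2.1 GUI steps, as an added example that is not part of the original lab guide. It assumes the fabric from section 3.1 is already enabled on Enterprise-Core and that “FortiDemo” is the preloaded certificate; “Lab_FQDN” is the lab's placeholder for your assigned FQDN. Keyword names are taken from the FortiOS 7.0 CLI and should be confirmed with `?` on your build.

```fortios
# Added example: CLI equivalent of section 3.2.1 on Enterprise-Core (SAML IdP).
# Assumes the fabric is already enabled; "Lab_FQDN" is a placeholder.

# The management IP/FQDN and port are embedded in the SAML URLs the root
# advertises to downstream SPs, so they must match how admins reach the GUI
# (port 10402 is the port-forwarding port for Enterprise-Core in this lab).
config system csf
    set management-ip "Lab_FQDN"
    set management-port 10402
    set saml-configuration-sync default
end

# Enable SAML with the root acting as Identity Provider, signing assertions with
# the preloaded FortiDemo certificate (step 5).
config system saml
    set status enable
    set role identity-provider
    set cert "FortiDemo"
end

# Check: the IdP settings and, once downstream FortiGates are authorized,
# the service-provider entries the root created for them.
show system saml
```

With saml-configuration-sync left at default, the root pushes the SP-side settings to each downstream FortiGate when it is authorized (section 3.3), so no SAML configuration is typed on the downstream units.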

Let’s add the FortiAnalyzer to the SAML SSO authentication.

3.2.2 Enterprise_FortiAnalyzer
To configure SAML SSO on the FortiAnalyzer, several actions need to be executed.

Follow these guidelines to configure SAML:

1. Go to the FortiAnalyzer GUI


2. Select the ADOM -> Production
3. Select System Settings
4. Select the Admin -> Profile option on the left navigation menu
a. We will need to create an Administrator profile that has the same name as the one used
on the FortiGate.
5. Create a new profile
a. Enter super_admin in the Profile Name
b. Select Read-Write permissions

c. Select OK

6. Select the Admin -> SAML SSO option on the left navigation menu
a. Make sure the Server Address field contains the Lab_FQDN and port of the FortiAnalyzer
GUI
b. In Single Sign-On Mode select the option Fabric SP
c. In Default Admin Profile select the super_admin profile we just created
d. Your configuration should look similar to the one below:

e. Select Apply

After some time, the Fabric IdPs table will show information referring to your Enterprise-Core IdP.
This can take a few minutes to complete automatically.

If you followed all steps correctly, SAML should now be active on your Security Fabric. We will test
this later.

3.3 Add remaining FortiGates


Now that the basic Security Fabric components are configured and integrated, we will add the rest of
your FortiGates.

This method can be used to add Security Fabric functionality gradually to a pre-existing
environment, where a customer might require gradual enrollment of FortiGate devices into the Security
Fabric solution.

3.3.1 Enterprise_First_Floor SF configurations


We will now add the Enterprise First Floor FortiGate to the fabric.

Access Enterprise First Floor GUI which is available at https://Lab_FQDN:10403.

Notice this FortiGate has VDOMs enabled. The relevant Security Fabric configurations will be executed in
Global.

1. Select the menu Security Fabric -> Fabric Connectors


2. Enter the Security Fabric Setup card
3. Set the Status to Enabled
4. Set the Security Fabric role to Join Existing Fabric.
5. Make sure the Upstream FortiGate IP contains the IP address 10.100.88.1.
a. This is the IP address of the Enterprise Core FortiGate ISFW interface.
6. Make sure the interface “Upstream(port1)” is selected in “Allow other Security Fabric devices to
join”. For this lab, other interfaces can be kept selected.
a. This will enable the Security Fabric management protocols on these interfaces
7. SAML Single Sign-On should be Auto
8. The default admin profile should be set to super_admin
9. Ensure the Management IP/FQDN reflects your “Lab_FQDN” and the Management port has the
port forwarding port of the Enterprise First Floor FortiGate which is 10403.

10. Your configuration should look like the one pictured below.

11. Click OK on this configuration screen and also click OK on the following confirmation window.

When you are back to the menu Security Fabric -> Fabric Connectors, notice the “Pending Authorization”
status of the integration in the fabric on the upper right side of the GUI.

We will need to authorize this FortiGate to join the Security Fabric and to send logs to FortiAnalyzer.

3.3.1.1 Authorize on Enterprise-Core


The next step is to authorize this FortiGate to join the Security Fabric created by Enterprise-Core
FortiGate.

Now go back to the Enterprise Core management interface and:

1. Go to Security Fabric -> Fabric Connectors


2. You will see a notification on the top right part of the screen informing you that a new device is
pending authorization.
a. If you mouse over the FortiGate serial number, you will see information of the device
trying to join the Security Fabric.
3. Click on the serial number
4. Select Authorize.

5. The Authorize Devices window appears. Select Authorize

6. On the Authorization Summary select Close

When you execute this step, the Enterprise-Core will not only authorize the Enterprise_First_Floor to
join the fabric but will also send the Security Fabric configurations to it, including the SAML and
FortiAnalyzer configurations.

Notice how, after a few moments, the Enterprise-Core will show the newly added FortiGate as part of
the fabric.

Now we need to authorize Enterprise_First_Floor to send logs and integrate with FortiAnalyzer to finish
the integration of this FortiGate.

3.3.1.2 Authorize on Enterprise_FortiAnalyzer


We will now authorize the Enterprise First Floor FortiGate in FortiAnalyzer.

To do this, you will need to go to the FortiAnalyzer GUI available in https://Lab_FQDN:10404.

Once there, execute these actions:

1. Select the ADOM root


2. Select the Device Manager option
3. There you will have the information that 1 unauthorized device exists. Click on it.

4. Select the FortiGate (Enterprise_First_Floor) in the list


5. Click the Authorize option
6. Make sure to select the Production ADOM and click OK

The authorization process should be fast to execute. Once it is complete, let’s validate that Enterprise
First Floor FortiGate is now visible in FortiAnalyzer.

7. Select the ADOM Production

8. Select the Device Manager option


9. The list of Authorized devices is now visible.
10. Notice how the Enterprise-Core and Enterprise_First_Floor are now nested below a fabric icon.

Note: If you were fast on the previous navigation, you might see the Enterprise_First_Floor device not
nested under the fabric icon. This is normal, as FortiAnalyzer takes a few moments, possibly minutes, to
properly display the fabric structure.

The integration of the Enterprise_First_Floor is now complete.

3.3.2 Enterprise_Second_Floor SF configurations


We will now add the Enterprise Second Floor FortiGate to the fabric.

The integration steps are similar to the process previously executed to integrate the Enterprise First
Floor FortiGate.

Access the Enterprise Second Floor GUI which is available at https://Lab_FQDN:10406.

1. Select the menu Security Fabric -> Fabric Connectors


2. Enter the Security Fabric Setup card
3. Set the Status to Enabled
4. Set the Security Fabric role to Join Existing Fabric.
5. Make sure the Upstream FortiGate IP contains the IP address 10.100.88.1.
a. This is the IP address of the Enterprise Core FortiGate ISFW interface.
6. Make sure the interface “Upstream(port1)” is selected in “Allow other Security Fabric devices to
join”. For this lab, other interfaces can be kept selected. They appear as pre-selected due to
existing configurations.
a. This will enable the Security Fabric management protocols on these interfaces
7. SAML Single Sign-On should be Auto
8. The default admin profile should be set to super_admin
9. Ensure the Management IP/FQDN reflects your “Lab_FQDN” and the Management port has the
port forwarding port of the Enterprise Second Floor FortiGate which is 10406.

10. Your configuration should look like the one pictured below.

11. Click OK on this configuration screen and also click OK on the following confirmation window.

When you are back to the menu Security Fabric -> Fabric Connectors, notice the “Pending Authorization”
status of the integration in the fabric on the upper right side of the GUI.

We will need to authorize this FortiGate to join the Security Fabric and to send logs to FortiAnalyzer.

3.3.2.1 Authorize on Enterprise-Core


The next step is to authorize this FortiGate to join the Security Fabric created by Enterprise-Core.

Now go back to the Enterprise Core management interface and:

1. Go to Security Fabric -> Fabric Connectors


2. You will see a notification on the top right part of the screen informing that a new device is
pending authorization.
o If you mouse over the FortiGate serial number, you will see information about the device
trying to join the Security Fabric.
3. Click on the serial number
4. Select Authorize.

5. The Authorize Devices window appears. Select Authorize


6. On the Authorization Summary select Close

When you execute this step, the Enterprise-Core will not only authorize the Enterprise_Second_Floor to
join the fabric but will also send the Security Fabric configurations to it, including the SAML and
FortiAnalyzer configurations.

Notice how, after a few moments, the Enterprise-Core will show the newly added FortiGate as part of
the fabric.

Now we only need to authorize Enterprise_Second_Floor to send logs and integrate with FortiAnalyzer
to finish the integration of this FortiGate.

3.3.2.2 Authorize on Enterprise_FortiAnalyzer


We will now authorize the Enterprise Second Floor FortiGate in FortiAnalyzer.

To do this, you will need to go to the FortiAnalyzer GUI available at https://Lab_FQDN:10404.

Log in with the admin user and do not use the SSO feature. The SAML IdP is tied to the Production ADOM
and you will need to access the root ADOM for this configuration.

Once there, execute these actions:

1. Select the ADOM root


2. Select the Device Manager option

3. There you will see the information that 1 Unauthorized Device exists. Click on it.

4. Select the FortiGate in the list


5. Click the Authorize option
6. Make sure to select the Production ADOM and click OK

The authorization process should be fast to execute. Once it is complete, let’s validate that Enterprise
Second Floor FortiGate is now visible in FortiAnalyzer.

7. Select the ADOM Production


8. Select the Device Manager option
9. The list of Authorized devices is now visible.
10. Notice how all FortiGates are now nested below a fabric icon.

Note: If you were fast on the previous navigation, you might see the Enterprise_Second_Floor device
not nested under the fabric icon. This is normal as FortiAnalyzer takes a few moments/minutes to
properly display the fabric structure.

The integration of the Enterprise_Second_Floor is now complete.

3.4 Enterprise_FortiManager
As part of the Fortinet Security Fabric, FortiManager supports network operations use cases for
centralized management, best practices compliance, and workflow automation to provide better
protection against breaches.

In this lab we will focus on the Security Fabric aspect of the FortiManager integration. Central
management using FortiManager is outside of the scope of this lab.

3.4.1 Security Fabric setup


To integrate the FortiManager with the fabric, we need to start the configuration on Enterprise-Core
FortiGate.

1. You will need to configure it on the FortiManager card available on the menu Security Fabric ->
Fabric Connectors.

2. Make sure you perform the following actions on the FortiManager Settings window to correctly
configure the FortiManager:
3. Set Status to Enabled
4. The Type is On-Premise
5. The Mode is Normal
6. The IP address is 10.100.88.12

7. Your configuration screen should look like this.

8. Click OK to continue.

You will be presented with a Confirmation window informing the integration is pending the approval
from the FortiManager administrator.

When you press OK, you will also receive a notification to access the FortiManager GUI.

Because you are accessing the lab through port-forwarding, this link won’t work. Press Close in this
screen and proceed with the configuration steps.

Now we need to go to FortiManager and authorize the FortiGates.

9. To do this, you will need to go to the FortiManager GUI available at https://Lab_FQDN:10405.


10. Once there, execute these actions:
11. Select the ADOM root
12. Select the Device Manager option
13. On the left menu bar, you have the Unauthorized Devices. Select it.
a. The 3 FortiGates of this lab will be presented in this window.
14. Select all 3 and click Authorize

15. Make sure to select Production ADOM and click OK


a. Don’t worry about assigning Policy Packages and Provisioning Templates because these
are outside the scope of this lab.

The Authorize Device progress window will pop-up. It usually takes less than a minute to complete.

Once it is complete, if you switch to ADOM Production, you will be able to see that all FortiGates were
authorized and are now managed devices.

Notice how all FortiGates are nested under the fabric icon.

Going forward, because the FortiGates are now managed by the FortiManager, when you login to
FortiGates you will receive the following warning window.

Because the central management functionality is outside the scope of this lab, you will perform all
configurations directly on the FortiGates by selecting the option “Login Read-Write” and “Yes” on the
following pop-up screen.

3.4.2 SAML setup


Now we will integrate the FortiManager into the SAML SSO functionality. This configuration is more
interactive than previous SAML configurations and we will need to copy some information between the
Enterprise-Core and the Enterprise_FortiManager.

We advise opening two browser tabs simultaneously, one for Enterprise-Core and the second for
Enterprise_FortiManager.

1. Go to the FortiManager GUI


2. Select the ADOM -> Production
3. Select System Settings
4. Select the Admin -> Profile option on the left navigation menu
a. We will need to create an administrator profile that has the same name as the one used
on the FortiGate.
5. Create a new profile
a. Enter super_admin in the Profile Name
b. Select System Admin for the Type
c. Select Read-Write permissions

d. Select OK
6. Select the Admin -> SAML SSO option on the left navigation menu
a. Make sure the Server Address is the FQDN and port of the FortiManager GUI, including
the port, which in this lab is 10405
b. In Single Sign-On Mode select the option Service Provider (SP)
c. The Default Login Page should be set to Normal
d. In Default Admin Profile select the super_admin profile we just created
7. In the IdP Settings we will need to fill in three different fields. The information for these fields
comes from the Enterprise-Core FortiGate.

8. Before moving the focus to the Enterprise-Core GUI, copy the Server Address which is needed in
the next configuration step.

e. Don’t close this browser window and head to the Enterprise-Core

9. Move to the Enterprise-Core GUI


a. Select the menu Security Fabric -> Fabric Connectors
b. Enter the Security Fabric Setup card
c. Click the Advanced Options button in front of SAML Single Sign-On
d. On the SAML SSO pop-up window, select Create New
e. Use fmg for the Name field
f. On the SP Address field, paste the Server Address you copied from the FortiManager
SAML SSO configuration screen
g. Select and copy the Prefix field contents

h. Click OK once

10. Move back to the Enterprise-FortiManager GUI


a. On the field Prefix you will need to paste the contents of the Prefix you copied from the
Enterprise-Core FortiGate in the previous configuration step

11. Move back to the Enterprise-Core GUI


b. Select and copy the contents of IdP address field

c. Click OK on the SAML SSO screen


d. Click OK to close the Fabric Connector Settings screen
e. Download the FortiDemo certificate and save it on your computer

f. The configuration on the Enterprise-Core FortiGate side is complete. Click OK.

12. Move back to the Enterprise-FortiManager GUI


a. On the field IdP Address you will need to paste the contents of the IdP Address you
copied from the Enterprise-Core FortiGate in the previous configuration step.
b. On the IdP Certificate field you will need to import and then select the *.fortidemo
certificate you have just downloaded from the IdP Enterprise_Core.

13. Select the option Auto Create Admin


a. This will allow FMG to create SSO admins if they do not exist on the FMG configuration.
14. For the Default Admin Profile select “super_admin”
15. Click Apply

The configuration of the FortiManager SAML integration is complete.

Congratulations.

If you followed the previous instructions, you have now completed the Security Fabric configuration
steps needed for this lab.

We will now proceed to test and use the Security Fabric functionalities.

4. Testing
Now that you have completed the configuration steps, it’s time to test some of the key features that
come in the Security Fabric.

4.1 Authentication and Single Sign-On


You have configured SAML SSO on all devices. Let’s test the fabric single sign-on feature.

If you run into any issues while testing SSO, double check that you entered the correct
FQDN in the different SAML configuration menus of the Security Fabric devices. SAML relies on
communication between the SAML IdP and the SPs, and you will face authentication problems if the
FQDN is not correctly defined on all devices.

4.1.1 Initial login in the SAML IdP


With this first test we will exemplify the use case of a fully configured Security Fabric that previously
worked without SSO, where the admin user is configured on the IdP.

To execute this test, follow these steps:

1. You will need to log out of all devices, including the FortiGates, FortiAnalyzer and FortiManager.
2. Log in to the SAML IdP device, which in this case is the Enterprise-Core.
a. Execute the Login process
3. Once you are authenticated into Enterprise-Core management GUI, you can go to the Login
screen of any device
a. In this example we use the Enterprise_First_Floor FortiGate
b. Simply press the “Sign in with Security Fabric” option

c. You will receive a notification that a new SSO administrator has been created.

d. Click Continue and you will proceed normally to the management GUI
e. Did you notice that on the top right corner of your screen, where you’ll find the
administrator avatar, it includes the SSO label? This means you signed in using SSO.
f. Go to System-> Administrators and notice that a new admin user of type SSO Admin was
automatically created.

4. Now let’s test on the FortiAnalyzer


a. Press the “Login with Fabric Single Sign-On” option

b. You will be prompted to select the relevant IdP. Remember that FortiAnalyzer can
integrate with multiple Security Fabric instances.

c. Once you have selected the relevant IdP, the login process will complete.
d. Go to System Settings and select the menu Admin -> Administrators and you will see
that a new admin user of type SSO Admin was automatically created.

4.1.2 Initial login on different fabric device


Now we will see what happens when you perform the initial login on any device other than the IdP,
which in our lab is the Enterprise-Core FortiGate.

1. Log out of all devices.


2. Go to any device, in this case we selected the Enterprise_First_Floor FortiGate
3. Select to “Sign in with Security Fabric”

4. A new login window will appear.


a. Notice that you have been redirected to the SAML IdP login page. This is because no SSO
session was active, so you’ll need to authenticate at the IdP before being granted SSO
access to the intended device.

b. Once you proceed with the Sign in process, you will be automatically directed back to
the device where you want to login.
c. After you log in, the SSO will learn the new user session and will allow you to log in to any
other device in the Security Fabric without entering the credentials.

4.2 Single pane of glass management


As you saw in the previous exercise, with the use of SAML SSO the login process to the different Security
Fabric elements becomes easier.

But with the integration of multiple FortiGates in a Security Fabric, the management process can be
further simplified to provide a true single pane of glass management portal.

1. Log in to the Enterprise-Core FortiGate


2. After the login, notice two things:
a. Your browser URL shows you are connected to the Enterprise-Core
(https://Lab_FQDN:10402)
b. You have a drop down menu titled Enterprise-Core

3. Click on the drop-down menu and select another FortiGate, for example the
Enterprise_First_Floor.
4. Notice how now you are in the Enterprise_First_Floor FortiGate, but your browser is still
connected to the Enterprise-Core FortiGate. With this tool you can easily manage all FortiGates
from the same browser window.

5. Also notice that if you mouse over the Enterprise_First_Floor name, because it has VDOMs
configured, you can jump directly into the VDOM configuration

4.3 Visibility and Fabric topologies


After configuring the Security Fabric integration in multiple FortiGates, they will start to exchange
monitoring and control information between them.

This information allows for automation at different levels, including single pane of glass management,
enhanced visibility, and automation in the reaction to incidents.

Let’s explore what information is available for us to use and how we can interact with it.

4.3.1 Network layout


The Security Fabric includes the Physical and Logical topology features.

1. Login to the Security Fabric root, in this case the Enterprise-Core FortiGate, and go to the menu
Security Fabric -> Physical Topology
2. Click the Update Now button on the bottom left side of the screen

In this view you will see the different elements of the Security Fabric and the endpoints connected to it.

Keep in mind that this view is based, by default, on Device Traffic. You can change how this network
schematic is filtered and sorted by changing the selection on the top right side of the screen.

3. Let’s change the filtering from Device Traffic to Risk.

Now you will see only the devices with associated risks: the different elements of the Security Fabric
(due to the Security Rating analysis, which we will address soon) and a specific network segment that
has compromised endpoints.

4. Expand the blue circle on the right side of your screen by clicking on the + icon.

This element will expand and present all the endpoints with associated risks.

This is already great because from the management console of the Enterprise-Core FortiGate you can
identify the compromised endpoints behind a FortiSwitch that is controlled by the
Enterprise_Second_Floor FortiGate.

But this visualization provides even more details.

5. Mouse over any element on the screen to access further details.

Notice how you can see all the details of this endpoint, including its MAC address and IP address. You
can even perform actions from this screen, like creating address objects or quarantining the
compromised host.

6. Right click on one of the compromised hosts

Now you have a pop-up selection menu to help you with further analysis of the endpoint behavior.

7. Click on Drill Down to Details by Source Address option

Notice how the management console changed automatically to the FortiGate closest to the endpoint,
directly into a FortiView window pre-filtered by the endpoint IP address.

The Physical Topology view is a great tool to provide an overview of how your Security Fabric structure
is working, while also providing quick and intuitive ways to reach the details you need for
troubleshooting or advanced monitoring.

Now let’s look at the Logical Topology view.

8. Go back to the Enterprise-Core management


9. Select the menu Security Fabric -> Logical Topology
10. Select the Device Traffic option on the selector on top right side of your screen

This view contains more information on the network topology.

Notice how the names of the interfaces show under the FortiGate icons and attached to the interfaces
are the different groups of endpoints.

You can zoom in and out using the mouse scroll.

11. Mouse over one of the interface names

You can easily see the details of the interfaces, including their IP addresses.

If VPNs and/or SD-WAN are configured, you will also be able to see details of such connections.

4.3.2 Simplified monitoring


FortiView is the FortiOS monitoring tool, a comprehensive monitoring system for your network.
FortiView integrates real-time and historical data into a single view on your FortiGate.

It can log and monitor network threats, filter data on multiple levels, keep track of administration
activities, and more.

With the integration of multiple FortiGates into a single Security Fabric, FortiView is now able to
aggregate the logs and information gathered from the different FortiGates into a single view.

The historical view is provided by FortiAnalyzer which receives, processes and stores all logs from all
devices in the Security fabric.

1. Login to the Security Fabric root, in this case the Enterprise-Core FortiGate, and go to the menu
Dashboard -> FortiView Sources

Notice the rightmost column named FortiGate. In some situations, you will see the names of multiple
FortiGates. This means that this user traffic has been filtered and logged on multiple FortiGates, which
allows you to very quickly perceive the different devices involved in the traffic flow.

2. Look at the table and select one of the rows with multiple FortiGates on the rightmost column
3. Double click on that row

You are now presented with a screen containing the correlated and filtered log history of the chosen
endpoint for the time frame selected on the top right of the screen.

For more information on the different capabilities of FortiView, check the available documentation. The
link is available on Appendix B: Documentation References .

4.4 Using Security Rating

FortiOS provides the Security Rating feature.

The security rating uses real-time monitoring to analyze your Security Fabric deployment, identify
potential vulnerabilities, highlight best practices that can be used to improve the security and
performance of your network, and calculate Security Fabric scores.

1. To view the security rating, go to Security Fabric > Security Rating on the root FortiGate.

The first time you access this screen you will see an initial report.

Let’s check the Security Rating of the complete Security Fabric.

2. Click on Run Now to generate an updated report

The newly generated report is based on the information retrieved from all devices. Notice on the right
side of the screen that the Topology Snapshot includes all Security Fabric devices.

Now let’s improve the Security posture of our fabric.

3. Click on Security Posture


4. Expand the Failed tests area
5. Scroll down to SNMP polling and expand that section

Here we can see that the results of this configuration check for the different FortiGates are available.

Two of the FortiGates are configured according to the best practices, but one needs to be fixed. Click on
the row with the failed test. The green EZ icon indicates that the detected issue can be easily fixed from
this screen.

6. Click on the Apply button on the right to apply the best practice to this specific configuration
item.
7. After that you will be prompted to save a configuration backup and then you will be able to
make a diff on the configuration.
8. Click on Run Now to generate an updated report

Your Security Posture score has now improved. Many other configuration items can be tuned to comply
with best practice recommendations.

4.5 Automation across the fabric


The configuration of Fortinet Security Fabric improves the capabilities for automation.

Let’s do some tests.

1. Login to the Security Fabric root, in this case the Enterprise-Core FortiGate, and go to the menu
Dashboard -> Security and on the top right corner of your screen, make sure Enterprise-Core is
selected
2. Notice how some devices are shown as compromised. These were detected on the Enterprise-
Core FortiGate

3. Now, on the top right corner of your screen, make sure Enterprise_Second_Floor is selected
4. Notice that more devices were detected by the Enterprise_Second_Floor

5. Now, on the top right corner of your screen, change back to Enterprise_Core

We will be quarantining the compromised hosts using automation. To simplify the visibility of what
hosts have been quarantined, we will add a new Dashboard with several widgets.

6. To add the new Dashboard, click the + icon below WiFi on the Dashboard menu

7. Name it Quarantine
8. The new Quarantine Dashboard is now created but it’s empty. Let’s add a new widget to it.
9. Click on the + Add Widget button.

10. Scroll down to Security and click on the + sign near Quarantine
a. A pop-up window will appear. Make sure to:
i. On Fabric member to select Specify
ii. On the FortiGate select the Enterprise-Core
b. Click Add Widget
11. The new Dashboard now includes a widget that will display the Quarantined hosts on the
Enterprise-Core FortiGate

12. Let’s add another widget. Click on the + Add Widget button.
13. Scroll down to Security and click on the + sign near Quarantine
a. A pop-up window will appear. Make sure to:
i. On Fabric member select Specify
ii. On the FortiGate select the Enterprise_Second_Floor

b. Click Add Widget


14. We now have the new Quarantine dashboard with 2 widgets showing the Quarantined hosts on
Enterprise-Core and Enterprise_Second_Floor FortiGates.

4.5.1 Automation trigger


Now let’s proceed to configure the Security Fabric Automation.

Automation has a key component called Stitch. Automation stitches automate the activities between
the different components in the Security Fabric, which decreases the response times to security events.
Events from any source in the Security Fabric can be monitored, and action responses can be set up to
any destination.

An automation stitch consists of two parts: the trigger and the actions. The trigger is the condition or
event on the FortiGate that activates the action, for example, a specific log or a failed login attempt.
The action is what the FortiGate does in response to the trigger.

There are multiple types of triggers and actions available. For your convenience and reference, some
have been created on this lab environment to serve as examples.

Let’s create an Automation stitch that will quarantine all compromised hosts across the Security Fabric.

The first step is to create a trigger.

1. In the Enterprise-Core FortiGate go to the menu Security Fabric -> Automation


2. Select the Trigger tab and click on Create New

3. You will be presented with the different types of Automation Triggers available. Select the
Compromised Host option.
4. Name it SF_Compromised_Hosts
5. On the Threat level threshold select High

6. Click OK

4.5.2 Automation Action


7. Select the Action tab and click on Create New
8. You will be presented with the different types of actions available. Select the Access Layer
Quarantine
9. Name it SF_Access_Quarantine and click OK

10. You have created the two parts needed for your automation stitch: the trigger and the action

4.5.3 Automation Stitch


11. Select the Stitch tab and click on Create New
12. Name it SF_Quarantine
13. Set Status to Enable
14. On the FortiGate(s) field, select All FortiGates
15. On the Action Execution we can define how different actions are executed. In this case we
will only have one action, so you can keep it as Sequential
16. Click on Add Trigger , select SF_Compromised_Hosts and click Apply
17. Click on Add Action , select SF_Access_Quarantine and click Apply
18. Your Stitch is now configured and should look like this:

19. Click OK

Your new Automation Stitch is now ready and enabled. This Stitch is triggered when Compromised Hosts
are sent by FortiAnalyzer to the FortiGates, so it can take a few minutes.

You can test your new stitch by right clicking on it and selecting the Test Automation Stitch option.
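The same trigger, action and stitch expressed in the FortiOS CLI, added here as an illustration and not taken from the lab guide. The attribute names (event-type compromised-host, ioc-level, action-type quarantine, the actions sub-table and diagnose automation test) are from my recollection of the 7.0 CLI reference and should be checked with ? on the unit; the GUI's FortiGate(s) and Action Execution settings are left at their defaults.

```fortios
# Trigger: fire on compromised-host IoC events rated High or above.
# Attribute names assumed from the 7.0 CLI reference; verify with "?".
config system automation-trigger
    edit "SF_Compromised_Hosts"
        set event-type compromised-host
        set ioc-level high
    next
end

# Action: the GUI's "Access Layer Quarantine" is action-type quarantine.
config system automation-action
    edit "SF_Access_Quarantine"
        set action-type quarantine
    next
end

# Stitch: bind the trigger to the action. FortiGate(s) = All FortiGates and
# Action Execution = Sequential are the defaults and are not set explicitly here.
config system automation-stitch
    edit "SF_Quarantine"
        set status enable
        set trigger "SF_Compromised_Hosts"
        config actions
            edit 1
                set action "SF_Access_Quarantine"
            next
        end
    next
end

# Fire the stitch manually, the CLI counterpart of right-click > Test Automation
# Stitch; the test event carries the placeholder MAC 11:11:11:11:11:11 seen in 4.5.4.
diagnose automation test SF_Quarantine
```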

4.5.4 Testing Automation

If you go to the Quarantine Dashboard you created you will see that you have one Quarantined endpoint
on each of the monitored FortiGates:

Click on any of these widgets to expand it and you will see that the Quarantined endpoint has the MAC
address 11:11:11:11:11:11. This is due to the test of the Automation Stitch you performed.

Let’s tweak the FortiAnalyzer IOC (Indicators of Compromise) settings to send notifications of compromised
hosts to the FortiGates faster so that we can check its behavior.

1. Connect to the FortiAnalyzer and log in


2. Select the Production ADOM
3. Select the wrench tool on the top right side of the screen and click on >_CLI Console

4. On the CLI window type:


a. config system log ioc
b. set notification-throttle 1
c. end

!!! Notice: this setting is probably too aggressive for live networks and we are changing it so that the
demo can happen in a timely manner. Please refer to the Indicator of Compromise section on
FortiAnalyzer Administration Guide for more information.

5. Connect to the Enterprise-Core FortiGate

6. Go to the Quarantine Dashboard you have created

7. Notice how more endpoints have been quarantined. Click on the Enterprise_Second_Floor
widget to expand it.

8. Notice all the details of the quarantined endpoints, including the Description, which mentions that
the quarantine was performed by the automation stitch you have created.
9. From this screen you can remove the quarantine for one or more endpoints. Just select the
endpoint(s) and click on Delete

10. The Remove Quarantine validation pop-up appears. Click on OK.

11. Now go to the Security Fabric -> Physical Topology and notice how no Critical risk has been
detected.

You have successfully quarantined the compromised hosts on your network.

You have also successfully finished the Security Fabric Hands On Lab.

Congratulations

Appendix A: Security Fabric Troubleshooting & Debugging


The following debug commands can be used to troubleshoot Security Fabric issues:

Command / Description

diagnose sys csf authorization pending-list
    View pending authorization requests on the root FortiGate.

diagnose sys csf authorization accept <serial-number-value>
    Authorize a device to join the Security Fabric.

diagnose sys csf authorization deny <serial-number-value>
    Deny a device from joining the Security Fabric.

diagnose sys csf downstream
    Show connected downstream devices.

diagnose sys csf upstream
    Show connected upstream devices.

diagnose sys csf fabric-device list
    List all known fabric devices.

diagnose sys csf fabric-device test
    Test connections to locally configured fabric devices.

Appendix B: Documentation References

Feature Documentation
- FortiOS:
  - Admin Guide
    https://docs.fortinet.com/document/fortigate/7.0.1/administration-guide
  - Security Fabric
    https://docs.fortinet.com/document/fortigate/7.0.1/administration-guide/286973/fortinet-security-fabric
  - SAML
    https://docs.fortinet.com/document/fortigate/7.0.1/administration-guide/288215/configuring-the-security-fabric-with-saml
  - FortiView
    https://docs.fortinet.com/document/fortigate/7.0.1/administration-guide/433781/fortiview-monitors-and-widgets

- FortiAnalyzer:
  - Admin Guide
    https://docs.fortinet.com/document/fortigate/7.0.1/administration-guide
  - Indicators of Compromise
    https://docs.fortinet.com/document/fortianalyzer/7.0.1/administration-guide/481844/indicators-of-compromise

- FortiManager
  - Admin Guide
    https://docs.fortinet.com/document/fortimanager/7.0.1/administration-guide

Solution Hub
- https://docs.fortinet.com/security-fabric

Appendix C: Open bugs affecting this lab

In order to provide an experience as close as possible to the real world, we are using GA versions on the
devices used in this Security Fabric Hands on Lab.

Some existing bugs might affect how the lab behaves.

Here is a list of issues you might find during your lab:

• 0732116 – FAZ and FMG
o Setting Off the "FortiCloud Single Sign-On" still displays the FortiManager Setup on the
next login.
• Logging in to FMG forces logout on FAZ and vice-versa
o This is due to the specific lab environment and cookies. In real world you should not face
this behavior.
• 0733511 – FortiOS
o Stitch trigger Count not updating
• 0672048 – FortiOS
o When setting the FGT as root, the confirmation message says "Joining an upstream device...."
• 0735285 – FortiOS
o Devices quarantined on Physical Topology View do not display as Quarantined
• 0735245 – FortiOS
o No Critical Risk displayed in Topology View of Downstream Fortigate for compromised
host detected by FAZ
• 0735278 – FortiOS
o Tooltip does not appear over devices in Physical Topology View after manual updating
topology.
• 0737430 – FortiAnalyzer
o FAZ has several issues when onboarding Security Fabric Fortigates
• 0737445 - FortiOS
o SAML setup sometimes fails on new CSF members
• 0744601 – FortiOS
o Dashboard menu missing on leaf Fortigates

Change Log

Version  Change                                    Date        Author
v1.0     Initial Release – FOS, FAZ, FMG 7.01      18/07/2021  Hugo Pernicha
v1.1     Changes to FAZ/FMG setup instructions     03/08/2021  Hugo Pernicha
v1.2     Added Automation and Quarantine           03/09/2021  Hugo Pernicha
