Category Archives: FortiOS 5.6

FortiClient Profile changes

FortiClient Profile changes (386267, 375049)

FortiClient profiles have been changed in FortiOS 5.6 to include new protection features and to change organization of the GUI options. FortiClient profiles also use the FortiGate to warn or quarantine endpoints that are not compliant with a FortiClient profile.

A bug that prevented the Dialog and Device Inventory pages from loading when there is a large number of devices (for example, 10,000) has been fixed.

Default FortClient profile

FortiClient profiles allow you to perform vulnerability scans on endpoints and make sure endpoints are running compliant versions of FortiClient. Also, security posture features cause FortiClient to apply realtime protection, AntiVirus, web filtering, and application control on endpoints.

The default FortiClient profile also allows you to set a general Non-compliance action for endpoints that don’t have FortiClient installed on them. The non-compliance action can be block or warning and is applied by the FortiGate. Blocked endpoints are quarantined by the FortiGate.

Endpoint vulnerability scanning

Similar to FortiOS 5.4 you can set the FortiClient Profile to run the FortiClient vulnerability scanner on endpoints and you can set the Vulnerability quarantine level to quarantine endpoints that don’t comply.

FortiClient Profile changes (386267, 375049)                                                                             System compliance

The vulnerability scan Non-compliance action can block or warn endpoints if the vulnerability scan shows they do not meet the vulnerability quarantine level.

System compliance

FortiOS 5.6 system compliance settings are similar to those in 5.4 with the addition of a non-compliance action. System compliance checking is performed by FortiClient but the non-compliance action is applied by the FortiGate.

Security posture checking

Security posture checking collects realtime protection, antivirus protection, web filtering and application firewall features under the Security Posture Check heading.

Security posture checking                                                                     FortiClient Profile changes (386267, 375049)

Application Control is a free service                                                                                  Security posture checking

New FortiView Endpoint Vulnerability Scanner chart

New FortiView Endpoint Vulnerability Scanner chart (378647)

FortiOS 5.6.0 adds a new chart to illustrate Endpoint Control events: Endpoint Vulnerability.

This is a list/bubble chart, that tracks vulnerability events detected by the FortiClients running on all devices registered with the FortiGate. FortiView displays information about the vulnerability and the device on which it was detected.

Notes about the Endpoint Vulnerability Chart:

  • You can sort the list by Device or Vulnerability.
  • You can drill down into any device to see the Vulnerabilities detected. From there, you can drill down to see the exact Vulnerability Scan events that triggered the detection.
  • Select any Vulnerability Scan event to see the associated Log data.

Default FortClient profile                                                                       FortiClient Profile changes (386267, 375049)

NGFW Policy Mode

NGFW Policy Mode (371602)

You can operate your FortiGate or individual VDOMs in Next Generation Firewall (NGFW) Policy Mode.

You can enable NGFW policy mode by going to System > Settings, setting the Inspection mode to Flowbased and setting the NGFW mode to Policy-based. When selecting NGFW policy-based mode you also select the SSL/SSH Inspection mode that is applied to all policies

Flow-based inspection with profile-based NGFW mode is the default in FortiOS 5.6.

Or use the following CLI command:

config system settings set inspection-mode flow set policy-mode {standard | ngfw}

end

NGFW policy mode and NAT

If your FortiGate is operating in NAT mode, rather than enabling source NAT in individual NGFW policies you go to Policy & Objects > Central SNAT and add source NAT policies that apply to all matching traffic. In many cases you may only need one SNAT policy for each interface pair. For example, if you allow users on the internal network (connected to port1) to browse the Internet (connected to port2) you can add a port1 to port2 Central SNAT policy similar to the following:

Application control in NGFW policy mode                                                                      NGFW Policy Mode (371602)

Application control in NGFW policy mode

You configure Application Control simply by adding individual applications to security policies. You can set the action to accept or deny to allow or block the applications.

NGFW Policy Mode (371602)                                                                                     Web Filtering in NGFW mode

Web Filtering in NGFW mode

You configure Web Filtering by adding URL categories to security policies. You can set the action to accept or deny to allow or block the applications.

Other NGFW policy mode options                                                                                NGFW Policy Mode (371602)

Other NGFW policy mode options

You can also combine both application control and web filtering in the same NGFW policy mode policy. Also if the policy accepts applications or URL categories you can also apply Antivirus, DNS Filtering, and IPS profiles in NGFW mode policies as well a logging and policy learning mode.

 

New FortiView Endpoint Vulnerability Scanner chart (378647)                                  Other NGFW policy mode options

Transparent web proxy

Transparent web proxy (386474)

In addition to the Explicit Web Proxy, FortiOS now supports a Transparent web proxy. While it does not have as many features as Explicit Web Proxy, the transparent proxy has the advantage that nothing needs to be done on the user’s system to forward supported web traffic over to the proxy. There is no need to reconfigure the browser or publish a PAC file. Everything is transparent to the end user, hence the name. This makes it easier to incorporate new users into a proxy deployment.

You can use the transparent proxy to apply web authentication to HTTP traffic accepted by a firewall policy. In previous versions of FortiOS, web authentication required using the explicit proxy.

Normal FortiOS authentication is IP address based. Users are authenticated according to their IP address and access is allowed or denied based on this IP address. On networks where authentication based on IP address will not work you can use the Transparent Web proxy to apply web authentication that is based on the user’s browser and not on their IP address. This authentication method allows you to identify individual users even if multiple users on your network are connecting to the FortiGate from the same IP address.

Using the Transparent proxy

To implement the Transparent proxy, go to System > Settings and scroll down to Operations Settings and set the inspection mode to Proxy.

Then go to System > Feature Visibility and enable Explicit Proxy.

Then go to Security Profiles > Proxy Options, edit a proxy options profile and under Web Options enable HTTP Policy Redirect.

Then go to Policy & Objects > IPv4 Policy and create or edit a policy that accepts traffic that you want to apply web authentication to. This can be a general policy that accepts many different types of traffic as long as it also accepts the web traffic that you want to apply web authentication to.

Select a Security Profile and select the Proxy Options profile that you enabled HTTP Policy Redirect for.

 

Using the Transparent proxy

Then go to Policy & Objects > Proxy Policy create a Transparent Proxy policy to accept the traffic that you want to apply web authentication to. Set the Proxy Type to Transparent Web. The incoming interface, outgoing interface, destination address, and schedule should either match or be a subset of the same options defined in the IPv4 policy. Addresses added to the Source must match or be a subset of the source addresses added to the IPv4 policy. You can also add the users to be authenticated by the transparent policy to the source field.

Select other transparent policy options as required.

More about the transparent proxy

The following changes are incorporated into Transparent proxy, some of which affect Explicit Web Proxy as well.

Flat policies

The split policy feature has been removed. This will make the explicit policy more like the firewall policy.

Authentication

The new authentication design is intended to separate authentication from authorization. Authentication has been moved into a new table in the FortiOS. This leaves the authorization as the domain of the explicit proxy policy.

Previously, if authentication was to be used:

  1. The policy would be classified as an identity based policy
  2. The policy would be split to add the authentication parameters
  3. The authentication method would be selected
  4. The user/group would be configured Now:

The user/group is configured in the proxy policy

  1. A new authentication rule is added
  2. This option refers to the authentication scheme
  3. The authentication scheme has the details of the authentication method The new authentication work flow for Transparent Proxy:

Toggle the transparent-http-policy match:

config firewall profile-protocol-options edit <profile ID> config http set http-policy <enable|disable>

If disabled, everything works like before. If enabled, the authentication is triggered differently.

  • http-policy work flow:
  • For transparent traffic, if there is a regular firewall policy match, when the Layer 7 check option is enabled, traffic will be redirected to WAD for further processing.
  • For redirected traffic, layer 7 policy (HTTP policy) will be used to determine how to do security checks.
  • If the last matching factor is down to user ID, then it will trigger a new module to handle the L7 policy user authentication.
  • Then propagate learned user information back to the system so that it can be used to match traffic for L4 policy.

New Proxy Type

There is a new subcategory of proxy in the proxy policy called Transparent Web. The old Web Proxy is now referred to as Explicit Web Proxy.

  • This is set in the firewall policy l It is available when the HTTP policy is enabled in the profile-protocol options for the firewall policy l This proxy type supports OSI layer 7 address matching.
  • This proxy type should include a source address as a parameter l Limitations:
  • It can be used for HTTPS traffic, if deep scanning is not used l It only supports SNI address matching, i.e. domain names
  • It does not support header types of address matching l It only supports SSO authentication methods, no active authentication methods.

IP pools support

Proxies are now supported on outgoing IP pools.

SOCKSv5

SOCKSv5 authentication is now supported for explicit proxies.

To configure:

config authentication rule edit <name of rule> set protocol socks end

Forwarding

Proxies support URL redirect/forwarding. This allows a non-proxy forwarding server to be assigned a rule that will redirect web traffic from one URL to another, such as redirecting traffic destined for youtube.com to restrict.youtube.com.

l A new option called “Redirect URL” has been added to the policy l Traffic forwarding by VIP is supported

Support for explicit proxy address objects & groups into IPv4 firewall policies

This would allow the selection of web filter policy, SSL inspection policy, and proxy policy based on source IP + destination (address|explicit proxy object|category|group of any of those). This enables things like “do full SSL interception on www.google.com, but not the rest of the Search Engines category”.

Support application service in the proxy based on HTTP requests.

The application service can be configured using the following CLI commands:

config firewall service custom edit <name of service> set explicit-proxy enable set app-service-type <disable|app-id|app-category> set app-category <application category ID, integer> set application <application ID, integer> end

CLI Changes:

New
Previous
config firewall explicit-proxy-policy
config firewall explicit-proxy-address
config firewall explicit-proxy-addrgrp
config firewall proxy-address

config firewall proxy-policy

config firewall proxy-addrgrp

 

config firewall explicit-proxy-policy edit <policy ID> set proxy web end
 

config firewall proxy-policy edit <policy ID> set proxy explicit-web end

Removals:

l “split-policy” from firewall explicit-proxy-policy.

The previous method to set up a split policy was:

config firewall explicit-proxy-policy

edit 1 set proxy web set identity-based enable config identity-based-policy edit 1 set schedule “always” set utm-status enable set users “guest”

set profile-protocol-options “default” next

end

next

end

  • “auth relative” from firewall explicit-proxy-policy

The following attributes have been removed from firewall explicit-proxy-policy:

  • identity-based l ip-based l active-auth-method l sso-auth-method l require-tfa

Moves:

users and groups from firewall explicit-proxy-policy identity-based-policy to

config firewall proxy-policy edit 1 set groups <Group name> set users <User name> end Additions:

authentication scheme

config authentication scheme

edit <name> set method [ntlm|basic|digest|form|negotiate|fsso|rsso|none]

  • ntlm – NTLM authentication. l basic – Basic HTTP authentication. l digest – Digest HTTP authentication. l form – Form-based HTTP authentication. l negotiate – Negotiate authentication. l fsso – FSSO authentication.
  • rsso – RADIUS Single Sign-On authentication. l none – No authentication. authentication setting

config authentication setting set active-auth-scheme <string> set sso-auth-scheme <string> set captive-portal <string>

set captive-portal-port <integer value from 1 to 65535>

  • active-auth-scheme – Active authentication method. l sso-auth-scheme – SSO authentication method. l captive-portal – Captive portal host name. l captive-portal-port – Captive portal port number.

authentication rule

config authentication rule

edit <name of rule>

set status [enable|disable] set protocol [http|ftp|socks] set srcaddr <name of address object> set srcaddr6 <name of address object> set ip-based [enable|disable] set active-auth-method <string> set sso-auth-method <string> set web-auth-cookie [enable|disable] set transaction-based [enable|disable] set comments

  • status – Enable/disable auth rule status. l protocol – set protocols to be matched l srcaddr /srcaddr6 – Source address name. [srcaddr or srcaddr6(web proxy only) must be set]. l ip-based – Enable/disable IP-based authentication. l active-auth-method – Active authentication method.
  • sso-auth-method – SSO authentication method (require ip-based enabled) l web-auth-cookie – Enable/disable Web authentication cookie. l transaction-based – Enable/disable transaction based authentication. l comments – Comment.

NGFW Policy Mode (371602)      NGFW policy mode and NAT

FortiExplorer for iOS

FortiExplorer for iOS

A new iOS FortiExplorer app is available as of April 8, 2017.

FortExplorer for iOS is compatible with iPhone, iPad, and iPod Touch and supports configuration via REST API and display of FortiView and other security fabric components.

You can use FortiExplorer for iOS to perform most FortiOS configuration management tasks.

Advanced features will be available with the purchase of an add-on through the App Store. These paid features include the adding more than two devices and downloading firmware images from FortiCare.

With the release of FortiOS 5.6.1, FortiOS icons and colors are now exportable in the GUI shared project and FortiExplorer now uses these icons and colors. This change improves the icon colors only for the FortiExplorer GUI theme (seen only when accessing a web GUI page from within the FortiExplorer iOS app).

The images below offer a preview of a few of the new FortiExplorer iOS app’s screens.

FortiExplorer iOS, v 1.0 – Device Status                                        FortiExplorer iOS, v. 1.0 – Sources

FortiExplorer for iOS

FortiExplorer iOS, v.1.0 – Device Interfaces                                   FortiExplorer iOS, v.1.0 – Firmware

Using      Transparent

New Dashboard Features

New Dashboard Features

The FortiOS 5.6 Dashboard has a new layout with a Network Operations Center (NOC) view with a focus on alerts. Widgets are interactive; by clicking or hovering over most widgets, the user can get additional information or follow links to other pages.

Enhancements to the GUI dashboard and its widgets are:

  • Multiple dashboard support. l VDOM and global dashboards. l Updated resize control for widgets.
  • Notifications moved to the top header bar (moved existing dashboard notifications to the header and added additional ones).
  • Reorganization of Add Widget l New Host Scan Summary widget.
  • New Vulnerabilities Summary widget that displays endpoint vulnerability information much like the FortiClient Enterprise Management Server (EMS) summary. l Multiple bug fixes.

Features that were only visible through old dashboard widgets have been placed elsewhere in the GUI:

  • Restore configuration. l Configuration revisions. l Firmware management. l Enabling / disabling VDOMs. l Changing inspection mode.
  • Changing operation mode. l Shutdown / restart device. l Changing hostname. l Changing system time.

The following widgets are displayed by default:

  • System Information l Licenses l FortiCloud l Security Fabric l Administrators
  • CPU l Memory l Sessions l Bandwidth
  • Virtual Machine (on VMs and new to FortiOS 5.6.1) The following optional widgets are available:
  • Interface Bandwidth l Disk Usage l Security Fabric Risk l Advanced Threat Protection Statistics l Log Rate l Session Rate l Sensor Information l HA Status l Host Scan Summary
  • Vulnerabilities Summary l FortiView (new to FortiOS 5.6.1) The following widgets have been removed:
  • CLI Console l Unit Operation l Alert Message Console

System Information

Licenses

Hovering over the Licenses widget will cause status information (and, where applicable, database information) on the licenses to be displayed for FortiCare Support, IPS & Application Control, AntiVirus, Web Filtering, Mobile Malware, and FortiClient. The image below shows FortiCare Support information along with the registrant’s company name and industry.

Clicking in the Licenses widget will provide you with links to other pages, such as System > FortiGuard or contract renewal pages.

FortiCloud

This widget displays FortiCloud status and provides a link to activate FortiCloud.

Security Fabric

The Security Fabric widget is documented in the Security Fabric section of the What’s New document.

Administrators

This widget allows you to view which administrators are logged in and how many sessions are active. The link directs you to a page displaying active administrator sessions.

CPU

The real-time CPU usage is displayed for different time frames.

Memory

Real-time memory usage is displayed for different time frames. Hovering over any point on the graph displays percentage of memory used along with a timestamp.

Sessions

Bandwidth

Virtual Machine

FortiOS 5.6.1 introduces a VM widget.

  • License status and type. l CPU allocation usage. l License RAM usage. l VMX license information (if the VM supports VMX). l If the VM license specifies ‘unlimited’ the progress bar is blank.
  • If the VM is in evaluation mode, it is yellow (warning style) and the dashboard show evaluation days used.
  • Widget is shown by default in the dashboard of a FortiOS VM device. l Removed VM information from License widget at Global > Dashboard.
  • License info and Upload License button provided on page Global > System > FortiGuard.
  • Updated ‘Upload VM License’ page: l Added license RAM usage and VMX instance usage. l Replaced file input component.

 

FortiExplorer for iOS

Security Fabric Audit and Fabric Score

Security Fabric Audit and Fabric Score

This chapter contains information about the Security Fabric Audit and Fabric Score, which together provide a method to continually monitor and improve your Security Fabric’s configuration.

What is the Security Fabric Audit?

The Security Fabric Audit is a feature on your FortiGate that allows you to analyze your Security Fabric deployment to identify potential vulnerabilities and highlight best practices that could be used to improve your network’s overall security and performance.

Why should you run a Security Fabric Audit?

Using the Security Fabric Audit helps you to tune your network’s configuration, deploy new hardware and/or software, and gain more visibility and control of your network. Also, by checking your Security Fabric Score, which is determined based on how many checks your network passes/fails during the Audit, you can have confidence that your network is getting more secure over time.

Running a Security Fabric Audit

The Security Fabric Audit can be found by going to Security Fabric > Audit. In the first step, all detected FortiGates are shown.

Running a Security Fabric Audit

In the second step, the audit is performed and a list of recommendations are shown. Two views are available: Failed or All Results. These views can be further segmented so that you view results from all FortiGates or just a specific unit.

In each view, a chart appears showing the results of individual checks. The following information is shown: the name and a description of the check, which FortiGate the check occurred on, the checks result on your overall security score, and any necessary recommendations.

If you hover the mouse over the Result for a check, you can get a breakdown on how this score was determined.

For more information about this, see “Security Fabric Score” on page 38.

Logging for the Security Fabric Audit

In Step Three of the Audit, Easy Apply recommendations are displayed and can be applied. By using Easy Apply, you can change the configuration of any FortiGate in the fabric.

For other recommendations, further action is required if you wish to follow the recommendation.

You can also view Audit recommendations for specific devices using the FortiView Topology consoles. If a recommendation is available for a device, a circle containing a number appears. The number shows how many recommendations are available, while the color of the circle shows the severity of the highest check that failed (red is critical, orange is high, yellow is medium, and blue is low).

Logging for the Security Fabric Audit

An event filter subtype is available for the Security Audit. Every time an audit is run, event logs are created on the root FortiGate that summarize the results of the audit, as well as details into the individual tests.

Security Fabric Audit Checks

Syntax

config log eventfilter set security-audit {enable | disable} (enabled by default)

end

Security Fabric Audit Checks

The Security Fabric Audit performs a variety of checks when analyzing your network. All checks are based on your current network configuration, using realtime monitoring. The Audit runs these checks across all FortiGates in the Security Fabric.

Firmware & Subscriptions

Easy Apply?
Recommendation
Run same version as root.
Register with FortiCare.
Renew subscriptions.
Upgrade FortiAP to recommended version.
Check
All FortiGates in the Security Fabric should run the same firmware version.
FortiGate should be registered with FortiCare.
All registered FortiGuard license subscriptions should be valid.
All FortiAPs should be running the latest firmware.
Severity
Critical
Critical
High
Low
Goal
Compatible Firmware
FortiCare Support
FortiGuard License Subscriptions
FortiAP Firmware Versions
No
No

No

No

FortiSwitch FirmwareAll FortiSwitches should beUpdate all FortiSwitches to use

LowNo

Versionsrunning the latest firmware.the latest firmware.

Internal Segmentation Firewall (ISFW)

Easy Apply?
Recommendation
Configure the interface role.
Enable device detection.
Check
All interfaces should be classified as either “LAN”, “WAN”, or “DMZ”.
Interfaces which are classified as “LAN” or “DMZ” should have device detection enabled.
Severity
High
High
Goal
Interface Classification
Device Discovery
Yes

Yes

 

Checks

Easy Apply?
Recommendation
Replace the device with a FortiGate.
Use FortiSwitch and FortiLink.
Install FortiAnalyzer for logging & reporting.
All servers should be moved to interfaces with role “DMZ”.
Review all IPv4 policies that haven’t been used in the last 90 days.
Check
No third party router or NAT devices should be detected in the network.
Non-FortiLink interfaces should not have multiple VLANs configured on them.
Logging and reporting should be done in a centralized place throughout the Security Fabric.
Servers should be placed behind interfaces classified as “DMZ”.
All IPv4 policies should be used.
Severity
Medium
Medium
High
Medium
Medium
Goal
Third Party Router & NAT Devices
VLAN Management
Centralized Logging & Reporting
LAN Segment
Unused Policies
No
No

No

No

No

Advanced Threat

Protection

High Suspicious files should be submitted to FortiSandbox or FortiSandbox Cloud for inspection. Configure AntiVirus profiles to send files to FortiSandbox or FortiSandbox Cloud for inspection. No

All discovered FortiAPs should     Authorize or disable

Unauthorized FortiAPs             Medium                                                                                                     Yes

be authorized or disabled.            unauthorized FortiAPs.

 

Unauthorized FortiSwitches
 

Medium
 

All discovered FortiSwitches should be authorized or disabled.
 

Authorize or disable unauthorized FortiSwitches.
 

Yes

Endpoint Compliance

Easy Apply?
Recommendation
Enable FortiTelemetry on “LAN” interfaces.
Register all devices via FortiClient.
Check
Interfaces which are classified as “LAN” should have

FortiTelemetry enabled.

All supported devices should be registered via FortiClient.
Severity
High
Medium
Goal
Endpoint Registration
FortiClient Protected
No

Yes

All registered FortiClientInvestigate non-compliant

FortiClient ComplianceMediumdevices should be compliantreason(s) for FortiClientNo with FortiClient profile.endpoints.

Security Fabric Audit Checks

 

Goal
FortiClient Vulnerabilities
 

Severity
Critical
 

Check
All registered FortiClient devices should have no critical vulnerabilities.
 

Recommendation
Have FortiClient fix the detected critical vulnerabilities.
 

Easy Apply?
No

Security Best Practices

Goal Severity Check Recommendation Easy Apply?
Yes
Enable HTTPS redirection globally.
Disable Telnet.
Interfaces which are classified as “WAN” should not allow

HTTP administrative access.

Interfaces which are classified as “WAN” should not allow

Telnet administrative access.

High
High
Unsecure Protocol – HTTP
Unsecure Protocol – Telnet

Yes

Valid HTTPS Certificate Administrative GUI Medium The administrative GUI should not be using a default built-in certificate. Acquire a certificate for your domain, upload it, and configure the administrative GUI to use it. No

Acquire a certificate for your

Valid HTTPS Certificate –                         SSL VPN should not be using a

Medium                                                      domain, upload it, and                 No

SSL VPN                                                default built-in certificate.

configure SSL VPN to use it.

 

Explicit Interface Policies
 

Low
 

Policies that allow traffic should not be using the “any” interface.
 

Change the policy to use a specific interface.
 

No

A password policy should beEnable a simple password

Admin Password PolicyMediumsetup for systempolicy for systemYes administrators.administrators.

Security Fabric Score

The Security Fabric Score widget has been added to the FortiGate Dashboard to give visibility into auditing trends. This widget uses information from the Security Fabric Audit to determine your score. Score can be positive or negative, with a higher score representing a more secure network.

Score is based on the number of checks failed and the severity of these checks. The weight for each severity level is as follows:

l Critical: 50 points l High: 25 points l Medium: 10 points l Low: 5 points

You get points for passing a test only when it passes for all FortiGates in your fabric. If this occurs, the score is calculated using this formula:

+Severity Weight x Secure FortiGate Multiplier

The Severity Weight is calculated as Severity divided by the number of FortiGates in the Fabric. The Secure FortiGate Multiplier is determined using logarithms and the number of FortiGates in the fabric. For example, if you have four FortiGates in your fabric that all pass the Compatible Firmware check, your score for each individual FortiGate is:

(50/4) x 1.292 = 16.2 points

If a test fails on any FortiGate in your Fabric, all other FortiGates that passed the check award 0 points. For the FortiGate the test failed on, the score is calculated using this formula:

-Severity Weight x Count

Count is the number of times the check failed during the audit. For example, if two critical FortiClient vulnerabilities are discovered during the Audit, your score for that check is:

-50 x 2 = -100 points

 

For checks that do not apply, your score does not change. For example, if you have no FortiAPs in the fabric, you will receive no points for the FortiAP Firmware Versions check.

FortiOS 5.6.1 New Security Fabric features

New Security Fabric features

In FortiOS 5.6, the Security Fabric (previously known as the Cooperative Security Fabric) has been expanded in several ways to add more functionality and visibility.

One of the most important functional changes is that FortiAnalyzer is now a required part of the Security Fabric configuration. Also, two important new features, Security Fabric Audit and Fabric Score, have been added to provide a method to continually monitor and improve the Security Fabric configuration.

Many changes have been made through FortiView to improve the visibility of the Security Fabric. More information is now displayed and you can access downstream FortiGates directly from the root FortiGate’s FortiView display.

Other smaller improvements have been made throughout the Security Fabric, with a focus on improving communication between devices.

In FortiOS 5.6.1, the new updated GUI design consolidates the Security Fabric features together under a new menu and has many new topological changes to provide greater visibility into the connectivity of your networked devices. This includes adding more Fortinet products to the topology and widgets. Other topology improvements include enhanced IPsec VPN detection (which now includes detection of downstream FortiGates) and support for SD-WAN. Smaller changes have also been made to add more information to device tooltip alerts in the Physical and Logical Topology views.

Setting up the Security Fabric in FortiOS 5.6

See the following FortiGate Cookbook recipes to get started in setting up the Security Fabric in FortiOS 5.6:

l Installing a FortiGate in NAT/Route mode l Security Fabric installation

Security Fabric between remote networks by enabling FortiTelemetry for IPsec VPN interfaces

You can now enable FortiTelemetry for IPsec VPN interfaces. The Security Fabric can now detect the downstream FortiGate through the IPsec VPN interface. This allows you to send FortiTelemetry communication over a Gateway-to-Gateway IPsec VPN tunnel between two remote networks. One of the networks would contain the root FortiGate and the network at the other end of the IPsec VPN tunnel can connect to the root FortiGate’s Security Fabric.

In the GUI, to enable FortiTelemetry

  1. Go to Network > Interfaces and edit your IPsec VPN interface.
  2. Under Administrative Access enable FortiTelemetry.

 

New Security Fabric Security Fabric between remote networks by enabling FortiTelemetry for IPsec VPN features          interfaces

Your IPsec VPN interface will automatically be added to the FortiTelemetry enabled interface list under Security Fabric > Settings.

In the CLI, enter the following commands:

config system interface edit <vpn_name> set fortiheartbeat enable

end

Re-designed Security Fabric setup

A new updated GUI menu consolidates the Security Fabric features in one location. This includes Physical Topology, Logical Topology, Audit, and Settings. For more details, see the illustration below:

Security Fabric between remote networks by enabling FortiTelemetry for IPsec VPN interfaces New Security Fabric features

Improved Security Fabric Settings page

The Security Fabric Settings page has been updated to act as a centralized location for you to enable connectivity to other Fortinet products. Navigate to Security Fabric > Settings.

Changes to the Settings page include the following:

l The previous Enable Security Fabric option has been replaced with an option to enable FortiGate Telemetry. l The previous Downstream FortiGates option has been replaced with Topology to show multiple devices.

See the screen shot below:

Security Fabric dashboard widgets

Security Fabric dashboard widgets

New dashboard widgets for the Security Fabric put information about the status of the Security Fabric at your fingertips when you first log into your FortiGate.

The FortiGate dashboard widget has been updated to include the following Fortinet products: FortiGate (core), FortiAnalyzer (core), FortiSwitch, FortiClient, FortiSandbox, and FortiManager. See the screen shot below:

You can hover over the icons along the top of the Security Fabric widget to get a quick view of the status of the Security Fabric. Available information includes the FortiTelemetry status and the status of various components of in the Security Fabric.

The Security Fabric Score widget shows the Security Fabric Audit score for the Security Fabric and allows you to apply recommended changes right from the dashboard.

 

Physical and Logical FortiView improvements

Physical and Logical FortiView improvements

The FortiView Physical and Logical Topology pages now display the following improvements:

  • Shows both FortiGates in an HA configuration l Shows FortiAPs l Lists FortiAnalyzer and FortiSandbox as components of the Security Fabric l Highlights the current FortiGate l Displays Link Usage in different colors l Ranks Endpoints by FortiClient Vulnerability Score and by Threat Score ( see below, for more information) l Displays user avatars l Recognizes servers as a device type
  • Introduces a search bar to help locate specific devices in the Security Fabric

Updated Physical and Logical Topology legend

On the Physical Topology and Logical Topology pages, the Security Fabric legend has been updated. See the screenshot below:

Physical and Logical FortiView improvements

New option to minimize the Topology

This new feature allows you to minimize portions of the Physical and Logical Topology. This makes it easy to view your entire topology, or minimize portions to focus in on a specific area. See the screenshot below:

Security Fabric Topology shows new resource information alerts

The enhanced Security Fabric topology now shows CPU Usage and Memory Usage alerts in the device information tooltip. It also displays a warning if the FortiGate is in conserve mode. Note that the CPU usage, memory usage and conserve mode data are drawn from the data that was last loaded from the FortiGate, not real-time data.

You can see the new CPU Usage and Memory Usage fields shown in the tooltip below:

Physical and Logical FortiView improvements

The Conserve mode warning is shown below:

SD-WAN information added to Security Fabric topology

The Security Fabric topology now includes SD-WAN. Enhancements include greater visibility into where the data comes from and goes to, link saturation indicators, and detailed tooltip explanations. The following SD-WAN information has been integrated into the Security Fabric topology:

  • The tooltip for the SD-WAN interface now includes load balancing settings. l In the Security Fabric Logical Topology, SD-WAN and its interface members will appear above all interfaces.
  • If connected to an upstream FortiGate, one link between the exact SD-WAN member and the upstream FortiGate will appear.
  • If connected to a destination bubble, links between each enabled member and the destination bubble appear.
  • Interface bandwidth and link utilization for other interfaces (WAN role interface) have been temporarily removed and will be added back in later.
  • Fixes have been made to show vulnerabilities for multiple MAC addresses (402495) and to show the FortiSwitch serial and port (389158).

For more details see the screenshot below:

 

FortiCache support for the                      (435830)

SD-WAN Monitor Support added to Security Fabric (417210)

The Security Fabric now retrieves monitor information from all members of the Security Fabric and displays it in the GUI of the root FortiGate. Support was added for the Routing Monitor, DHCP Monitor and User Quarantine Monitor.

You can use the new drop down menu shown below to select the Security Fabric members:

FortiCache support for the Security Fabric (435830)

FortiGates in the Security Fabric can now use FortiCache as a remote cache service. Previously, FortiCache was supported via WCCP re-direct only, but now FortiGates can use it as a local cache rather than redirecting via WCCP.

In the GUI, follow the steps below:

  1. Go to Security Fabric > Settings and enable HTTP Service.

Enhanced Security Fabric audit tests for FortiGuard licenses (409156)

  1. Set Device Type to FortiCache and add the IP addresses of the FortiCache devices.
  2. You can also select Authentication and add a password if required. See the screenshot below:

In the CLI, enter the following commands:

config wanopt forticache-service set status enable

set local-cache-id <local-cache-id> set remote-forticache-id <remote-forticache-id> set remote-forticache-ip <remote-forticache-ip>

end

l status – Enable/disable using FortiCache as web-cache storage l disable – Use local disks as web-cache storage l enable – Use a remote FortiCache as web-cache storage l local-cache-id – The cache ID that this device uses to connect to the remote FortiCache l remote-forticache-id – The ID of the FortiCache that the device connects to l remote-forticache-ip – The IP address of the FortiCache the device connects to

Enhanced Security Fabric audit tests for FortiGuard licenses (409156)

The Security Fabric audit now has separate audit tests for FortiGuard licenses based on whether the FortiGuard license is valid, expired, never been activated, or temporarily unavailable. Previously, the audit test performed one batch test on all FortiGuard licenses, regardless of the status of the licenses. Recommendations for individual licenses are also provided in the GUI tooltips.

You can see the new breakdown of pass or fail actions shown below:

  • License valid = pass l License expired = fail l License never activated = fail
  • License is unavailable (connection issue with FortiGuard) = pass

If a required Feature Visibility is disabled, the audit test for it will not show vulnerabilities. The audit will show a score of zero (or a pass). Go to System > Feature Visibility (previously the Feature Select menu) to make any changes.

FortiClient Vulnerability Score

In the GUI, follow the steps below to check the status of your FortiGuard licenses:

  1. Go to Security Fabric > Audit to check the status of your FortiGuard licenses.
  2. Follow the steps in the Security Fabric Audit wizard.
  3. Expand Firmware & Subscriptions, and look at the FortiGuard License Subscriptions section to verify whether any recommended action is required. See the example below:

FortiClient Vulnerability Score

Endpoints in the Security Fabric topology are now ranked by their FortiClient Vulnerability Score. This score is calculated by the severity of vulnerabilities found on the endpoint:

l critical vulnerability = 100 points l high vulnerability = 50 points l medium vulnerability = 5 points l low vulnerability = 2 points l info vulnerability = 1 point

FortiView Consolidation

Information about the Security Fabric can now be seen throughout the FortiView dashboards on the upstream FortiGate, when the real-time view is used.

  • You can right-click on an entry and select View Aggregated Details to see more information.
  • The upstream FortiGate filters information to avoid counting traffic from the same hosts multiple times on each hop.

The upstream FortiGate also now has the option to end downstream FortiGate sessions or quarantine endpoints that connect to downstream FortiGates.

Remote login to downstream FortiGates

Remote login to downstream FortiGates

You can now log into downstream FortiGates from the upstream FortiGate, by right-clicking on the downstream FortiGate when viewing the Security Fabric’s topology using FortiView.

Logging Consolidation and Improvements

Several changes have been made to improve logging for a Security Fabric.

Sending all logs to a single FortiAnalyzer

By default, all FortiGates in the Security Fabric now send logs to a single FortiAnalyzer. The connection to the FortiAnalyzer is configured on the upstream FortiGate, then the settings are pushed to all other FortiGates.

In FortiOS 5.6, a FortiAnalyzer is required for the root FortiGate in the Security Fabric; however, downstream devices can be configured to use other logging methods through the CLI:

config system csf set logging-mode local

end

Data Exchange with FortiAnalyzer

The following information about the Security Fabric configuration is now sent to the FortiAnalyzer:

l Topology info l Interface roles l LAT / LNG info l Device asset tags Device Tree

Retrieving Monitor Information

Monitors on the upstream FortiGate, such as the VPN Monitor, Route Monitor, and User Quarantine, can now view the information from downstream devices. You can use the button in the top right corner of the screen to change the FortiGate information that is displayed.

Log Settings

Log statistics for each FortiGate in the Security Fabric are now shown when you go to Log & Report > Log Settings.

Device Tree

The entire Security Fabric tree is now updated upward, and each node has an updated state of the whole subtree. The content is saved in the local file and upon request from the GUI or a diagnose command (dia sys csf downstream) it can be retrieved.

 

What is the Security Fabric Audit?