Security Fabric Audit and Fabric Score

Security Fabric Audit and Fabric Score

This chapter contains information about the Security Fabric Audit and Fabric Score, which together provide a method to continually monitor and improve your Security Fabric’s configuration.

What is the Security Fabric Audit?

The Security Fabric Audit is a feature on your FortiGate that allows you to analyze your Security Fabric deployment to identify potential vulnerabilities and highlight best practices that could be used to improve your network’s overall security and performance.

Why should you run a Security Fabric Audit?

Using the Security Fabric Audit helps you to tune your network’s configuration, deploy new hardware and/or software, and gain more visibility and control of your network. Also, by checking your Security Fabric Score, which is determined based on how many checks your network passes/fails during the Audit, you can have confidence that your network is getting more secure over time.

Running a Security Fabric Audit

The Security Fabric Audit can be found by going to Security Fabric > Audit. In the first step, all detected FortiGates are shown.

Running a Security Fabric Audit

In the second step, the audit is performed and a list of recommendations are shown. Two views are available: Failed or All Results. These views can be further segmented so that you view results from all FortiGates or just a specific unit.

In each view, a chart appears showing the results of individual checks. The following information is shown: the name and a description of the check, which FortiGate the check occurred on, the checks result on your overall security score, and any necessary recommendations.

If you hover the mouse over the Result for a check, you can get a breakdown on how this score was determined.

For more information about this, see “Security Fabric Score” on page 38.

Logging for the Security Fabric Audit

In Step Three of the Audit, Easy Apply recommendations are displayed and can be applied. By using Easy Apply, you can change the configuration of any FortiGate in the fabric.

For other recommendations, further action is required if you wish to follow the recommendation.

You can also view Audit recommendations for specific devices using the FortiView Topology consoles. If a recommendation is available for a device, a circle containing a number appears. The number shows how many recommendations are available, while the color of the circle shows the severity of the highest check that failed (red is critical, orange is high, yellow is medium, and blue is low).

Logging for the Security Fabric Audit

An event filter subtype is available for the Security Audit. Every time an audit is run, event logs are created on the root FortiGate that summarize the results of the audit, as well as details into the individual tests.

Security Fabric Audit Checks

Syntax

config log eventfilter set security-audit {enable | disable} (enabled by default)

end

Security Fabric Audit Checks

The Security Fabric Audit performs a variety of checks when analyzing your network. All checks are based on your current network configuration, using realtime monitoring. The Audit runs these checks across all FortiGates in the Security Fabric.

Firmware & Subscriptions

Easy Apply?
Recommendation
Run same version as root.
Register with FortiCare.
Renew subscriptions.
Upgrade FortiAP to recommended version.
Check
All FortiGates in the Security Fabric should run the same firmware version.
FortiGate should be registered with FortiCare.
All registered FortiGuard license subscriptions should be valid.
All FortiAPs should be running the latest firmware.
Severity
Critical
Critical
High
Low
Goal
Compatible Firmware
FortiCare Support
FortiGuard License Subscriptions
FortiAP Firmware Versions
No
No

No

No

FortiSwitch FirmwareAll FortiSwitches should beUpdate all FortiSwitches to use

LowNo

Versionsrunning the latest firmware.the latest firmware.

Internal Segmentation Firewall (ISFW)

Easy Apply?
Recommendation
Configure the interface role.
Enable device detection.
Check
All interfaces should be classified as either “LAN”, “WAN”, or “DMZ”.
Interfaces which are classified as “LAN” or “DMZ” should have device detection enabled.
Severity
High
High
Goal
Interface Classification
Device Discovery
Yes

Yes

 

Checks

Easy Apply?
Recommendation
Replace the device with a FortiGate.
Use FortiSwitch and FortiLink.
Install FortiAnalyzer for logging & reporting.
All servers should be moved to interfaces with role “DMZ”.
Review all IPv4 policies that haven’t been used in the last 90 days.
Check
No third party router or NAT devices should be detected in the network.
Non-FortiLink interfaces should not have multiple VLANs configured on them.
Logging and reporting should be done in a centralized place throughout the Security Fabric.
Servers should be placed behind interfaces classified as “DMZ”.
All IPv4 policies should be used.
Severity
Medium
Medium
High
Medium
Medium
Goal
Third Party Router & NAT Devices
VLAN Management
Centralized Logging & Reporting
LAN Segment
Unused Policies
No
No

No

No

No

Advanced Threat

Protection

High Suspicious files should be submitted to FortiSandbox or FortiSandbox Cloud for inspection. Configure AntiVirus profiles to send files to FortiSandbox or FortiSandbox Cloud for inspection. No

All discovered FortiAPs should     Authorize or disable

Unauthorized FortiAPs             Medium                                                                                                     Yes

be authorized or disabled.            unauthorized FortiAPs.

 

Unauthorized FortiSwitches
 

Medium
 

All discovered FortiSwitches should be authorized or disabled.
 

Authorize or disable unauthorized FortiSwitches.
 

Yes

Endpoint Compliance

Easy Apply?
Recommendation
Enable FortiTelemetry on “LAN” interfaces.
Register all devices via FortiClient.
Check
Interfaces which are classified as “LAN” should have

FortiTelemetry enabled.

All supported devices should be registered via FortiClient.
Severity
High
Medium
Goal
Endpoint Registration
FortiClient Protected
No

Yes

All registered FortiClientInvestigate non-compliant

FortiClient ComplianceMediumdevices should be compliantreason(s) for FortiClientNo with FortiClient profile.endpoints.

Security Fabric Audit Checks

 

Goal
FortiClient Vulnerabilities
 

Severity
Critical
 

Check
All registered FortiClient devices should have no critical vulnerabilities.
 

Recommendation
Have FortiClient fix the detected critical vulnerabilities.
 

Easy Apply?
No

Security Best Practices

Goal Severity Check Recommendation Easy Apply?
Yes
Enable HTTPS redirection globally.
Disable Telnet.
Interfaces which are classified as “WAN” should not allow

HTTP administrative access.

Interfaces which are classified as “WAN” should not allow

Telnet administrative access.

High
High
Unsecure Protocol – HTTP
Unsecure Protocol – Telnet

Yes

Valid HTTPS Certificate Administrative GUI Medium The administrative GUI should not be using a default built-in certificate. Acquire a certificate for your domain, upload it, and configure the administrative GUI to use it. No

Acquire a certificate for your

Valid HTTPS Certificate –                         SSL VPN should not be using a

Medium                                                      domain, upload it, and                 No

SSL VPN                                                default built-in certificate.

configure SSL VPN to use it.

 

Explicit Interface Policies
 

Low
 

Policies that allow traffic should not be using the “any” interface.
 

Change the policy to use a specific interface.
 

No

A password policy should beEnable a simple password

Admin Password PolicyMediumsetup for systempolicy for systemYes administrators.administrators.

Security Fabric Score

The Security Fabric Score widget has been added to the FortiGate Dashboard to give visibility into auditing trends. This widget uses information from the Security Fabric Audit to determine your score. Score can be positive or negative, with a higher score representing a more secure network.

Score is based on the number of checks failed and the severity of these checks. The weight for each severity level is as follows:

l Critical: 50 points l High: 25 points l Medium: 10 points l Low: 5 points

You get points for passing a test only when it passes for all FortiGates in your fabric. If this occurs, the score is calculated using this formula:

+Severity Weight x Secure FortiGate Multiplier

The Severity Weight is calculated as Severity divided by the number of FortiGates in the Fabric. The Secure FortiGate Multiplier is determined using logarithms and the number of FortiGates in the fabric. For example, if you have four FortiGates in your fabric that all pass the Compatible Firmware check, your score for each individual FortiGate is:

(50/4) x 1.292 = 16.2 points

If a test fails on any FortiGate in your Fabric, all other FortiGates that passed the check award 0 points. For the FortiGate the test failed on, the score is calculated using this formula:

-Severity Weight x Count

Count is the number of times the check failed during the audit. For example, if two critical FortiClient vulnerabilities are discovered during the Audit, your score for that check is:

-50 x 2 = -100 points

 

For checks that do not apply, your score does not change. For example, if you have no FortiAPs in the fabric, you will receive no points for the FortiAP Firmware Versions check.


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

This entry was posted in FortiOS 5.6 on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.