FortiAnalyzer – Fortinet Security Fabric – FortiOS 6.2.3

Fortinet Security Fabric

FortiAnalyzer can recognize a Security Fabric group of devices and display all units in the group on the Device Manager pane. See Adding a Security Fabric group on page 37. FortiAnalyzer supports the Security Fabric by storing and analyzing the logs from the units in a Security Fabric group as if the logs are from a single device. You can also view the logging topology of all units in the Security Fabric group for additional visibility. See Displaying Security Fabric topology on page 38.

FortiAnalyzer provides dynamic data and metadata exchange with the Security Fabric and uses the data in FortiView and Reports for additional visibility. A default report template lets you monitor new users, devices, applications, vulnerabilities, threats and so on from the Security Fabric.

A set of dashboard widgets lets you review audit scores for a FortiGate Security Fabric group with recommended best practices and historical audit scores and trends.

If FortiClient is installed on endpoints for endpoint control with FortiGate, you can use the endpoint telemetry data collected by the Security Fabric agent to display user profile photos in reports and FortiView.

Adding a Security Fabric group

Before you can add a Security Fabric group to FortiAnalyzer, you need to create the Security Fabric group in FortiGate.

Fortinet recommends using a dedicated Super_User administrator account on the FortiGate for FortiAnalyzer access. This ensures that associated log messages are identified as originating from FortiAnalyzer activity. This dedicated Super_User administrator account only needs Read Only access to System Configuration; all other access can be set to None.

To add a Security Fabric group:

  1. Go to Device Manager> Unauthorized Devices.
  2. Select all the devices corresponding to the Security Fabric group created in FortiGate.
  3. Authenticate the Security Fabric group by clicking the Warning icon (yellow triangle) beside the corresponding FortiGate root.
  4. Enter the Authentication Credentials. The authentication credentials are the ones you specified in FortiGate. Once the FortiGate root has been authenticated, the Warning icon will disappear.
  5. After authentication, it takes a few minutes for FortiAnalyzer to automatically populate the devices under the FortiGate root which creates the Security Fabric group.

Displaying Security Fabric topology

For Security Fabric devices, you can display the Security Fabric topology.

To display the Security Fabric topology:

  1. If using ADOMs, ensure that you are in the correct ADOM.
  2. Go to Device Manager and click the Devices Total tab in the quick status bar.
  3. Right-click a Security Fabric device and select Fabric Topology.

A pop-up window displays the Security Fabric topology for that device.

If you selected Fabric Topology by right-clicking a device within the Security Fabric group, the device is highlighted in the topology. If you selected Fabric Topology by right-clicking the name of the Security Fabric group, no device is highlighted in the topology.

Security Fabric traffic log to UTM log correlation

FortiAnalyzer correlates traffic logs to corresponding UTM logs so that it can report sessions/bandwidth together with its UTM threats. Within a single FortiGate, the correlation is performed by grouping logs with the same session IDs, source and destination IP addresses, and source and destination ports.

In a Cooperative Security Fabric (CSF), the traffic log is generated by the ingress FortiGate, while UTM inspection (and subsequent logs) can occur on any of the FortiGates. This means that the traffic logs did not have UTM related log fields, as they would on a single FortiGate. Different CSF members also have different session IDs, and NAT can hide or change the original source and destination IP addresses. Consequently, without a proper UTM reference, the FortiAnalyzer will fail to report UTM threats associated with the traffic.

This feature adds extensions to traffic and UTM logs so that they can be correlated across different FortiGates within the same security fabric. It creates a UTM reference across CSF members and generates the missing UTM related log fields in the traffic logs as if the UTM was inspected on a single FortiGate.

NAT translation is also considered when searching sources and destinations in both traffic and UTM logs. The FortiGate will generate a special traffic log to indicate the NAT IP addresses to the FortiAnalyzer within the CSF.

Traffic logs to DNS and SSH UTM references are also implement – the DNS and SSH counts in Log View can now be clicked on to open the related DNS and SSH UTM log. IPS logs in the UTM reference are processed for both their sources and destinations in the same order, and in the reverse order as the traffic log. The FortiGate log version indicator is expanded and used to make a correct search for related IPS logs for a traffic log.

This feature requires no special configuration. The FortiAnalyzer will check the traffic and UTM logs for all FortiGates that are in the same CSF cluster and create the UTM references between them.

To view the logs:

  1. On the FortiAnalyzer, go to Log View > Traffic.

The UTM security event list, showing all related UTM events that can happen in another CSF member, is shown.

  1. Click the count beside a UTM event to open the related UTM event log window. In this example, the traffic log is from the CSF child FortiGate, and the UTM log is from the CSF root FortiGate.

Like other UTM logs, newly added DNS and SSH UTM references can also be shown in the FortiAnalyzer Log View. Clicking the count next to the DNS or SSH event opens the respective UTM log.

  1. Go to SOC > FortiView > Threats > Top Threats. All threats detected by any CSF member are shown.
  2. The created UTM reference is also transparent to the FortiGate when it gets its logs from the FortiAnalyzer. On the

FortiGate, the traffic log shows UTM events and referred UTM logs from other CSF members, even though the FortiGate does not generate those UTM log fields in its traffic log. In this example, the CSF child FortiGate shows the referred UTM logs from the CSF root FortiGate.

Creating a Security Fabric ADOM

All Fortinet devices included in a Security Fabric can be placed into a Security Fabric ADOM, allowing for fast data processing and log correlation. Fabric ADOMs enable combined results to be presented in the Device Manager, Log View, SOC, Incidents & Events and Reports panes.

In a Fabric ADOM:

  • Device Manager: View and add all Fortinet devices in the Security Fabric to the Fabric ADOM, including FortiGate, FortiSandbox, FortiMail, FortiDDoS, and FortiClient EMS.
  • Log View: View logs from all Security Fabric devices.
  • SOC: FortiDDoS and FortiClient EMS widgets are available.
  • Incidents & Events: Predefined event handlers for FortiGate, FortiSandbox, FortiMail, and FortiWeb ADOMs are available, and triggered events are displayed for all device types.
  • Reports: View predefined reports, templates, datasets, and charts for all device types. Charts from all device types can be inserted into a single report.

To create a Fabric ADOM:

  1. In FortiAnalyzer, go to System Settings > All ADOMs.
  2. Select Create New.
  3. Configure the settings for the new Fabric ADOM and select Fabric as the type.

See Creating ADOMs on page 181 for more information on the individual settings.

  1. Select OK to create the ADOM.

The Fabric ADOM is listed under the Security Fabric section of All ADOMs.


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Don't Forget To visit the YouTube Channel for the latest Fortinet Training Videos and Question / Answer sessions!
- FortinetGuru YouTube Channel
- FortiSwitch Training Videos