Security Fabric Flashcards

1
Q

Fabric Overview

A

Broad
Integrated
Automated

2
Q

Fabric Connectors

A

On root FGT: Security Fabric > Fabric Connectors

Extensions: Core network security connectors - (FGT, FAZ, FortiClient Enterprise Management Server (EMS))
Security Fabric Connectors - Central Management, Sandbox, and additional supported connectors

Interactions: EMS Connectors ensure automatic actions (like quarantine)
Additional supported connectors allow interaction with FortiDeceptor, FortiMail, FortiManager, FortiPolicy, FortiTester, FortiVoice, and FortiWeb

3
Q

External Connectors

A

On root FGT: Security Fabric > External Connectors

Extensions:
Public SDN (like AWS and GCP)
Private SDN (like Kubernetes, VMware, and SAP)
Endpoint/identity (like FSSO and RADIUS)
Threat feeds (like FortiGuard category and malware Hash)

Interactions:
SDN connectors ensure automatic update about cloud environment attribute changes (like address objects)
SSO connectors allow users to enter their credentials once
Threat feed connectors allow FGT to import external dynamic lists

4
Q

Threat Feeds

A

Enforce special security requirements defined in FortiGuard Categories, IP addresses, domain names, MAC addresses, and malware hashes.

Dynamically synced and updated periodically. Two methods to update are:
External Feed - where you must configure the URL of the external source using HTTP, HTTPS, or STIX
Push API - where the threat feed receives entry updates from webhook requests to the FGT REST API

5
Q

Security Fabric Logging on FAZ

A

FAZ Fabric connector consolidates the traffic logs
The Fabric as a whole logs each session once unless:
Upstream FGT performs NAT or UTM events
Log Correlation

6
Q

FortiNDR in Security Fabric

A

After enabling it in the Fabric, you have to accept it on the root FGT

It can perform on-the-fly analysis of files that FGT devices submit, aka inline blocking mode.

If FGT does not detect the file as malicious, it places the user session on hold while it forwards the file to FortiNDR. Within seconds, NDR performs the next level of analysis, leveraging machine learning (ML) and artificial neural network (ANN) capabilities, and then returns the verdict to FGT. Then, FGT acts accordingly.

7
Q

FortiNAC and Dynamic Firewall Addressing

A

FortiNAC passes device IP, FortiNAC group, and firewall tags to the root FGT using the REST API when it registers user login and logout events

FortiNAC requires two user login events to trigger the use of the tag-based dynamic firewall addresses. You can view the newly created dynamic firewall address in FortiOS in the FortiNAC Tag (IP address) section in Policy & Objects > Addresses.

8
Q

SAML SSO in Security Fabric

A

Root FGT acts as the IdP and you can configure other devices as SPs.

9
Q

Automation Stitches

A

If configured in a Fabric, must be done on the root FGT.

Triggers can come from FGT or other Fabric devices through FAZ handlers

Trigger -> Action -> Stitch

10
Q

IoC Detection and Automated Quarantine Overview

A

Fabric allows you to track endpoints that have detected IoC, then quarantine them from FortiOS using EMS with an API.

Network Components required:
FGT
FAZ
FortiClient EMS
FortiClient (needs to connect to both EMS and FGT)

11
Q

IoC Detection and Automated Quarantine process

A
  1. FortiClient sends logs to FAZ
  2. FAZ discovers IoCs in the logs and notifies FGT
  3. FGT identifies whether FortiClient is a connected endpoint, and whether it has the login credentials for the FortiClient EMS device that FortiClient is connected to. With this, FGT sends a notification to FortiClient EMS instructing it to quarantine the endpoint
  4. FortiClient EMS searches for the endpoint and sends a quarantine message to it
  5. Endpoint receives the quarantine message and quarantines itself, blocking all network traffic. The endpoint notifies FGT and EMS of the status change

The CLI command that triggers the quarantine action on the endpoint:
diag endpoint forticlient-ems-rest-api queue-quarantine-ipv4 <endpoint_ip_address>
Not supported on Linux FortiClient
