1/11/24, 12:05 PM
The Wayback Machine - https://web.archive.org/web/20160828235831/http://cookbook.fortinet.com:...

Installing internal FortiGates and enabling a security fabric

Cooperative Security Fabric / FortiGate / FortiOS 5.4.1 / Getting Started

Posted on June 8, 2016 by Victoria Martin

In this example, you will install two Internal Segmentation Firewalls (ISFWs) behind your External FortiGate. One of these FortiGates will be used to protect your Accounting team’s network, while the other will be used for the Marketing team. You will also enable a Cooperative Security Fabric (CSF) and use OSPF routing between these FortiGates.

This recipe is part of the Cooperative Security Fabric collection. It can also be used as a standalone recipe.

https://web.archive.org/web/20160828235831/http://cookbook.fortinet.com/installing-isfw-fortigate-enabling-csf-54/

Fortinet Ex. 2013, Page 1 of 11

1. Configuring External to connect to Accounting

In this example, the External FortiGate’s port 10 will connect to the Accounting FortiGate’s wan1.

On the External FortiGate, go to Network > Interfaces and edit port 10.

Set an IP/Network Mask for the interface (in the example, 192.168.10.2).

Configure Administrative Access to allow FortiTelemetry, required for communication between FortiGates in the CSF. Configure other services as required.

Go to Policy & Objects > IPv4 Policy and create a policy for traffic from the Accounting FortiGate to the Internet.

Enable NAT.

Connect the FortiGates.

2. Configuring the Accounting FortiGate

On the Accounting FortiGate, go to Network > Interfaces and edit wan1.

Set an IP/Network Mask for the interface that is on the same subnet as the External FortiGate’s port 10 (in the example, 192.168.10.10).

Configure Administrative Access to allow FortiTelemetry.

Edit the lan interface.

Set Addressing Mode to Manual and set the IP/Netmask to a private IP address (in the example, 10.10.10.1). Configure Administrative Access to allow FortiTelemetry.

Under Networked Devices, enable Device Detection.

Go to Policy & Objects > IPv4 Policy and create a policy to allow users on the Accounting network to access the Internet.

Because OSPF routing will be used, make sure NAT is not enabled.

3. Installing and configuring the Marketing FortiGate

Connect and configure the Marketing FortiGate using the same method as the Accounting FortiGate. Make sure to include the following:

On External:
- Configure an interface to connect to the Marketing FortiGate (this example uses port 11 with the IP 192.168.200.2)
- Create a policy for traffic from the Marketing FortiGate to the Internet

On Marketing:
- Configure wan1 to connect to the External FortiGate (example IP: 192.168.200.10)
- Configure the lan interface for the Marketing Network (example IP: 10.10.200.1)
- Create a policy to allow users on the Marketing network to access the Internet

4. Configuring OSPF routing between the FortiGates

On the External FortiGate, go to Network > OSPF. Set Router ID to 0.0.0.1 and select Apply.

Expand the Advanced Options and set Default Information to Always, to make sure the default route is broadcast from External to the ISFW FortiGates.

In Areas, select Create New. Set Area to 0.0.0.0, Type to Regular, and Authentication to None.

In Networks, select Create New. Set IP/Netmask to 192.168.10.0/255.255.255.0 (the subnet that includes Accounting’s wan1) and Area to 0.0.0.0.

Create a second entry with the IP/Netmask set to 192.168.200.0/255.255.255.0 (the subnet that includes Marketing’s wan1).

On the Accounting FortiGate, configure OSPF routing as shown. The Networks in this configuration are the subnet that includes Accounting’s wan1 and the subnet for the Accounting Network.

In the example, the Marketing FortiGate is a 90D, a model that does not support OSPF configuration using the GUI. To add OSPF routing, use the following CLI command:

config router ospf
    set router-id 0.0.0.3
    config area
        edit 0.0.0.0
        next
    end
    config network
        edit 1
            set prefix 192.168.200.0/255.255.255.0
        next
        edit 2
            set prefix 10.10.200.0/255.255.255.0
        next
    end
end
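
The following is an added example, not part of the original recipe or of Fortinet's tooling: a Python check that parses the Marketing FortiGate's OSPF block shown above, confirms that its network entries cover the wan1 and lan addresses used in this recipe, and lists areas that have no OSPF authentication configured. The function names are hypothetical, and treating a missing "set authentication" line as none is an assumption of this example.

```python
import ipaddress

# The Marketing FortiGate's OSPF block, copied from the recipe above.
MARKETING_OSPF = """\
config router ospf
    set router-id 0.0.0.3
    config area
        edit 0.0.0.0
        next
    end
    config network
        edit 1
            set prefix 192.168.200.0/255.255.255.0
        next
        edit 2
            set prefix 10.10.200.0/255.255.255.0
        next
    end
end
"""

def parse_fortios(text):
    """Parse nested config/edit/set lines into nested dicts."""
    stack = [{}]
    for line in text.splitlines():
        words = line.split()
        if not words:
            continue
        keyword, rest = words[0], words[1:]
        if keyword in ("config", "edit"):
            stack.append(stack[-1].setdefault(" ".join(rest), {}))
        elif keyword in ("next", "end"):
            stack.pop()
        elif keyword == "set" and rest:
            stack[-1][rest[0]] = " ".join(rest[1:])
    return stack[0]

def audit_ospf(text, interface_ips):
    """Return interface IPs no network entry covers, and unauthenticated areas."""
    ospf = parse_fortios(text)["router ospf"]
    # Accept both "a.b.c.d/mask" (as on this page) and "a.b.c.d mask".
    nets = [ipaddress.ip_network(e["prefix"].replace(" ", "/"))
            for e in ospf.get("network", {}).values()]
    uncovered = [ip for ip in interface_ips
                 if not any(ipaddress.ip_address(ip) in n for n in nets)]
    # Assumption: an area with no "set authentication" line uses none.
    open_areas = [name for name, area in ospf.get("area", {}).items()
                  if area.get("authentication", "none") == "none"]
    return uncovered, open_areas
```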

5. Enabling the Cooperative Security Fabric

On the External FortiGate, go to System > Cooperative Security Fabric. Enable Cooperative Security Fabric (CSF) and set a Group name and Group password.

On the Accounting FortiGate, go to System > Cooperative Security Fabric. Enable Cooperative Security Fabric (CSF) and enter the name and password for the fabric.

Enable Connect to upstream FortiGate and enter the IP address of External port 10.

Configure CSF on the Marketing FortiGate, using the IP address of External port 11.

6. Results

On the External FortiGate, go to FortiView > Physical Topology.

This dashboard shows a visualization of all access layer devices in the Cooperative Security Fabric.

On the External FortiGate, go to FortiView > Logical Topology.

This dashboard displays information about the interface (logical or physical) that each device in the CSF is connected to.

Go to Monitor > Routing Monitor. You will see both ISFW FortiGates listed, using OSPF routing.

7. (Optional) Adding security profiles to the fabric

CSF configurations allow you to distribute security functions to different FortiGates in the security fabric. For example, you may want to implement virus scanning on the External FortiGate but add application control and web filtering to the ISFW FortiGates.

This results in distributed processing between the FortiGates in the CSF, reducing the load on each one. It also allows you to customize the web filtering and application control for the specific needs of the Accounting network, as other internal networks may have different application control and web filtering requirements.

This configuration may result in threats getting through the External FortiGate, which means you should very closely limit access to the network connections between the FortiGates in the CSF.

On the External FortiGate, go to Policy & Objects > IPv4 Policy and edit the policy allowing traffic from the Accounting FortiGate to the Internet.

Under Security Profiles, enable AntiVirus and select the default profile.

Do the same for the policy allowing traffic from the Marketing FortiGate to the Internet.

On the Accounting FortiGate, go to Policy & Objects > IPv4 Policy and edit the policy allowing traffic from the Accounting Network to the Internet.

Under Security Profiles, enable Web Filter and Application Control. Select the default profiles for both.

Do the same on the Marketing FortiGate.

Another strategy you could choose is to have flow-based inspection on the External FortiGate and proxy-based inspection used by the ISFW FortiGates. For more information, see Inspecting traffic content using flow-based inspection.