Viewing and controlling network risks via topology view
This example shows how to view and control compromised hosts via the Security Fabric > Physical Topology or Security Fabric > Logical Topology view.
In the following topology, the downstream FortiGate (Marketing) is connected to the root FortiGate (Edge) through a FortiSwitch (Distribution). The Endpoint Host is connected to the downstream FortiGate (Marketing) through another FortiSwitch (Access).
This example consists of the following steps:
- View the compromised endpoint host.
- Quarantine the compromised endpoint host.
-
Run
diagnose
commands.
To view the compromised endpoint host:
- Test that FortiGate detects a compromised endpoint host by opening a browser on the endpoint host and entering a malicious website URL. The browser displays a Web Page Blocked! warning and does not allow access to the website.
- In FortiOS on the root FortiGate, go to Security Fabric > Physical Topology. The endpoint host, connected to the Access FortiSwitch, is highlighted in red. Mouse over the endpoint host to view a tooltip that shows the IOC verdict. The endpoint host is compromised.
- Go to Security Fabric > Logical Topology. The endpoint host, connected to the downstream FortiGate, is highlighted in red. Mouse over the endpoint host to view a tooltip that shows the IOC verdict. The endpoint host is compromised.
To quarantine the compromised endpoint host:
- In FortiOS on the root FortiGate, go to Security Fabric > Physical Topology.
- Right-click the endpoint host and select Quarantine Host. Click OK to confirm the confirmation dialog.
- Go to Monitor > Quarantine Monitor. From the dropdown list at the top right corner, select All FortiGates. The quarantined endpoint host displays in the content pane.
- On the endpoint host, open a browser and visit a website such as https://www.fortinet.com/. If the website cannot be accessed, this confirms that the endpoint host is quarantined.
To run diagnose commands:
- To show the downstream FortiGate after it joins the Security Fabric, run the
diagnose sys csf downstream
command in the root FortiGate (Edge) CLI. The output should resemble the following:Edge # diagnose sys csf downstream
1: FG101ETK18000000 (192.168.7.3) Management-IP: 0.0.0.0 Management-port:0 parent: FG201ETK18900000
path:FG201ETK18900000:FG101ETK18000000
data received: Y downstream intf:wan1 upstream intf:vlan70 admin-port:443
authorizer:FG201ETK18900000
- To show the upstream FortiGate after the downstream FortiGate joins the Security Fabric, run the
diagnose sys csf upstream
command in the downstream FortiGate (Marketing) CLI. The output should resemble the following:Marketing # diagnose sys csf upstream
Upstream Information:
Serial Number:FG201ETK18900000
IP:192.168.7.2
Connecting interface:wan1
Connection status:Authorized
- To show the quarantined endpoint host in the connected FortiGate, run the following commands in the downstream FortiGate (Marketing) CLI:
Marketing # show user quarantine
config user quarantine
config targets
edit "PC2"
set description "Manually quarantined"
config macs
edit 00:0c:29:3d:89:39
set description "manual-qtn Hostname: PC2"
next
end
next
end
end