Fortinet white logo
Fortinet white logo

Cookbook

Topology

Topology

The full Security Fabric topology can be viewed on the root FortiGate. Downstream FortiGate devices' topology views do not include upstream devices.

The Physical Topology shows the physical structure of your network, including all connected devices and the connections between them. The Logical Topology shows information about the interfaces that connect devices to the Security Fabric. The size of the bubbles in the topology vary based on traffic volume. Only Fortinet devices are shown in the topologies.

In both views, filtering and sorting options allow you to control the information that is shown. Hover the cursor over a device icon, port number, or endpoint to open a tooltip that shows information about that specific device, port, or endpoint. Right-click on a device to log in to it or to deauthorize it. Right-click on an endpoint to perform various tasks, including drilling down for more details on sources or compromised hosts, quarantining the host, and banning the IP address.

The small number that might be shown on the top right corner of a device icon is the number of security ratings recommendations or warnings for that device. The color of the circle shows the severity of the highest security rating check that failed. Clicking on it will open the Security Rating page. See Security rating for more information.

Servers and server clusters are represented by squares with rounded corners, and are grouped separately from circular endpoints. Devices are grouped by device type, and colored based on their risk level.

AWS assets are grouped by AWS security groups or subnets, and information about detected Common Vulnerabilities and Exposures (CVEs), as well as the instance details and ID, are shown.

WAN cloud

The WAN cloud icon includes a drop-down menu for selecting where the destination data comes from. The available options are: Internet, Owner, IP Address, and Country/Region. These options are only available when the filtering based on Device Traffic.

When Owner is selected, the destination hosts are shown as donut charts that show the percentage of internal (with private IP addresses) and Internet hosts. Hover over either color in the chart to see additional information. To see more details, right-click on the chart and select Destination Owner Details to go to the FortiView > Destinations page.

FortiAP and FortiSwitch devices

Newly discovered FortiAP and FortiSwitch devices are initial shown in the topologies with gray icons to indicate that they have not been authorized. To authorize a device, click on the device icon or name and select Authorize. Once authorized, the device icon will turn blue.

Right-click on an authorized FortiAP device to Deauthorize or Restart the device. Right-click on a FortiSwitch device to Deauthorize, Restart, or Upgrade the device, or to Connect to the CLI.

FortiAP and FortiSwitch links are enhanced to show Link Aggregation Groups for the Inter-switch Link (ISL-LAG). To differentiate them from physical links, ISL-LAG links are shown with a thicker line. The endpoint circles can also be used as a reference to identify ISL-LAG groups that have more than two links.

Views

The topology views can be focused using filters and by sorting in different ways to help you locate the information that you need.

Select one of Access Device or No Access Device to only show access or no access devices in the physical topology.

From the Bubble Option drop-down list, select one of the following views:

  • Device Traffic: Organize devices by traffic.
  • Device Count: Organize devices by the number of devices connected to it.
  • Device Type: Organize devices by the device type.

  • Risk: Only include devices that have endpoints with medium, high, or critical risk values of the specified type: All, Compromised Host, Vulnerability, Threat Score.
  • No Devices: Don't show endpoints.

The time period drop-down list filters the view by time. Options include: now (real time), 5 minutes, 1 hour, 24 hours, 7 days.

Critical risks

Click the Critical Risks button to see a list of endpoints that are deemed critical risks, organized by threat severity. These are the red endpoints in the current topology view.

For each endpoint, the user's photo, name, IP address, email address, and phone number are shown. The number of vulnerabilities of each severity is shown, and if the IOC verdict is that the endpoint is compromised.

If applicable, the endpoint's host can be quarantined or their IP address banned, by clicking the Quarantine Host on Ban IP button.

The drop-down menu also provides options to drill down to more information on compromised hosts or endpoint vulnerabilities.

Clicking Drill Down to Compromised Hosts will open the FortiView > Compromised Hosts page showing a summary for the selected endpoint.

Compromised host information can also be viewed on the FortiAnalyzer in SOC > FortiView > Threats > Compromised Hosts.

Note

The FortiAnalyzer must have a FortiGuard Indicators of Compromise service license in order to see compromised hosts.

Clicking Drill Down to Endpoint Vulnerability will open the vulnerabilities page showing a summary of the vulnerabilities on the selected endpoint.

FortiAnalyzer

The Security Fabric topology can also be seen on the FortiAnalyzer device. In the Device Manager, FortiGate devices are shown as part of a Security Fabric group, with an asterisk next to the name of the root FortiGate.

To view the Security Fabric topology, right-click on the fabric group and select Fabric Topology. Only Fortinet devices are shown in the Security Fabric topology views.

Topology

Topology

The full Security Fabric topology can be viewed on the root FortiGate. Downstream FortiGate devices' topology views do not include upstream devices.

The Physical Topology shows the physical structure of your network, including all connected devices and the connections between them. The Logical Topology shows information about the interfaces that connect devices to the Security Fabric. The size of the bubbles in the topology vary based on traffic volume. Only Fortinet devices are shown in the topologies.

In both views, filtering and sorting options allow you to control the information that is shown. Hover the cursor over a device icon, port number, or endpoint to open a tooltip that shows information about that specific device, port, or endpoint. Right-click on a device to log in to it or to deauthorize it. Right-click on an endpoint to perform various tasks, including drilling down for more details on sources or compromised hosts, quarantining the host, and banning the IP address.

The small number that might be shown on the top right corner of a device icon is the number of security ratings recommendations or warnings for that device. The color of the circle shows the severity of the highest security rating check that failed. Clicking on it will open the Security Rating page. See Security rating for more information.

Servers and server clusters are represented by squares with rounded corners, and are grouped separately from circular endpoints. Devices are grouped by device type, and colored based on their risk level.

AWS assets are grouped by AWS security groups or subnets, and information about detected Common Vulnerabilities and Exposures (CVEs), as well as the instance details and ID, are shown.

WAN cloud

The WAN cloud icon includes a drop-down menu for selecting where the destination data comes from. The available options are: Internet, Owner, IP Address, and Country/Region. These options are only available when the filtering based on Device Traffic.

When Owner is selected, the destination hosts are shown as donut charts that show the percentage of internal (with private IP addresses) and Internet hosts. Hover over either color in the chart to see additional information. To see more details, right-click on the chart and select Destination Owner Details to go to the FortiView > Destinations page.

FortiAP and FortiSwitch devices

Newly discovered FortiAP and FortiSwitch devices are initial shown in the topologies with gray icons to indicate that they have not been authorized. To authorize a device, click on the device icon or name and select Authorize. Once authorized, the device icon will turn blue.

Right-click on an authorized FortiAP device to Deauthorize or Restart the device. Right-click on a FortiSwitch device to Deauthorize, Restart, or Upgrade the device, or to Connect to the CLI.

FortiAP and FortiSwitch links are enhanced to show Link Aggregation Groups for the Inter-switch Link (ISL-LAG). To differentiate them from physical links, ISL-LAG links are shown with a thicker line. The endpoint circles can also be used as a reference to identify ISL-LAG groups that have more than two links.

Views

The topology views can be focused using filters and by sorting in different ways to help you locate the information that you need.

Select one of Access Device or No Access Device to only show access or no access devices in the physical topology.

From the Bubble Option drop-down list, select one of the following views:

  • Device Traffic: Organize devices by traffic.
  • Device Count: Organize devices by the number of devices connected to it.
  • Device Type: Organize devices by the device type.

  • Risk: Only include devices that have endpoints with medium, high, or critical risk values of the specified type: All, Compromised Host, Vulnerability, Threat Score.
  • No Devices: Don't show endpoints.

The time period drop-down list filters the view by time. Options include: now (real time), 5 minutes, 1 hour, 24 hours, 7 days.

Critical risks

Click the Critical Risks button to see a list of endpoints that are deemed critical risks, organized by threat severity. These are the red endpoints in the current topology view.

For each endpoint, the user's photo, name, IP address, email address, and phone number are shown. The number of vulnerabilities of each severity is shown, and if the IOC verdict is that the endpoint is compromised.

If applicable, the endpoint's host can be quarantined or their IP address banned, by clicking the Quarantine Host on Ban IP button.

The drop-down menu also provides options to drill down to more information on compromised hosts or endpoint vulnerabilities.

Clicking Drill Down to Compromised Hosts will open the FortiView > Compromised Hosts page showing a summary for the selected endpoint.

Compromised host information can also be viewed on the FortiAnalyzer in SOC > FortiView > Threats > Compromised Hosts.

Note

The FortiAnalyzer must have a FortiGuard Indicators of Compromise service license in order to see compromised hosts.

Clicking Drill Down to Endpoint Vulnerability will open the vulnerabilities page showing a summary of the vulnerabilities on the selected endpoint.

FortiAnalyzer

The Security Fabric topology can also be seen on the FortiAnalyzer device. In the Device Manager, FortiGate devices are shown as part of a Security Fabric group, with an asterisk next to the name of the root FortiGate.

To view the Security Fabric topology, right-click on the fabric group and select Fabric Topology. Only Fortinet devices are shown in the Security Fabric topology views.